mcp-dataverse 0.4.5 → 0.5.0

package/CAPABILITIES.md

@@ -1,8 +1,8 @@
 # MCP Dataverse Server — Complete Capabilities Reference
 
-> **Version**: 0.4.5 | **API Version**: Dataverse Web API v9.2 | **Transport**: stdio · HTTP/SSE
+> **Version**: 0.4.6 | **API Version**: Dataverse Web API v9.2 | **Transport**: stdio · HTTP/SSE
 
-67 tools across 25 categories for full Dataverse lifecycle: schema, CRUD, FetchXML, solutions, plugins, audit, files, users, teams, RBAC, attribute management, environment variables, workflows, and more.
+73 tools across 25 categories for full Dataverse lifecycle: schema, CRUD, FetchXML, solutions, plugins, audit, files, users, teams, RBAC, attribute management, environment variables, workflows, and more.
 
 ---
 
@@ -10,19 +10,19 @@
 
 - [Quick Start](#quick-start)
 - [Architecture Overview](#architecture-overview)
-- [Tool Reference (63 tools)](#tool-reference-63-tools)
+- [Tool Reference (73 tools)](#tool-reference-73-tools)
   - [1. Auth (1)](#1-auth-1-tool)
-  - [2. Metadata (8)](#2-metadata-8-tools)
+  - [2. Metadata (9)](#2-metadata-9-tools)
   - [3. Query (3)](#3-query-3-tools)
-  - [4. CRUD (5)](#4-crud-5-tools)
-  - [5. Relations (2)](#5-relations-2-tools)
+  - [4. CRUD (6)](#4-crud-6-tools)
+  - [5. Relations (4)](#5-relations-4-tools)
   - [6. Actions & Functions (6)](#6-actions--functions-6-tools)
   - [7. Batch (1)](#7-batch-1-tool)
   - [8. Change Tracking (1)](#8-change-tracking-1-tool)
-  - [9. Solutions (3)](#9-solutions-3-tools)
+  - [9. Solutions (2)](#9-solutions-2-tools)
   - [10. Impersonation (1)](#10-impersonation-1-tool)
-  - [11. Customization (3)](#11-customization-3-tools)
-  - [12. Environment (2)](#12-environment-2-tools)
+  - [11. Customization (4)](#11-customization-4-tools)
+  - [12. Environment (4)](#12-environment-4-tools)
   - [13. Trace (2)](#13-trace-2-tools)
   - [14. Search (1)](#14-search-1-tool)
   - [15. Audit (1)](#15-audit-1-tool)
@@ -31,10 +31,10 @@
   - [18. Users (2)](#18-users-2-tools)
   - [19. Views (1)](#19-views-1-tool)
   - [20. Files (2)](#20-files-2-tools)
-  - [21. Org (1)](#21-org-1-tool)
-  - [22. RBAC (3)](#22-rbac-3-tools)
-  - [23. Workflows (2)](#23-workflows-2-tools)
-  - [24. Assistance (4)](#24-assistance-4-tools)
+  - [21. Org (2)](#21-org-2-tools)
+  - [22. RBAC (7)](#22-rbac-7-tools)
+  - [23. Workflows (4)](#23-workflows-4-tools)
+  - [24. Assistance (2)](#24-assistance-2-tools)
   - [25. Attributes (4)](#25-attributes-4-tools)
 - [Error Handling & Retry Behavior](#error-handling--retry-behavior)
 - [Security](#security)
@@ -95,32 +95,32 @@ Server communicates over **stdio** (MCP SDK `StdioServerTransport`). Connect fro
 
 ```mermaid
 graph LR
-    MCP["MCP Dataverse Server<br/><i>67 tools · 25 categories</i>"]
+    MCP["MCP Dataverse Server<br/><i>73 tools · 25 categories</i>"]
 
     MCP --> AUTH["🔑 Auth (1)"]
-    MCP --> META["📋 Metadata (8)"]
+    MCP --> META["📋 Metadata (9)"]
     MCP --> QUERY["🔍 Query (3)"]
     MCP --> CRUD["✏️ CRUD (6)"]
-    MCP --> REL["🔗 Relations (2)"]
+    MCP --> REL["🔗 Relations (4)"]
     MCP --> ACT["⚡ Actions & Functions (6)"]
     MCP --> BATCH["📦 Batch (1)"]
     MCP --> TRACK["🔄 Change Tracking (1)"]
-    MCP --> SOL["🧩 Solutions (3)"]
+    MCP --> SOL["🧩 Solutions (2)"]
     MCP --> IMP["👤 Impersonation (1)"]
-    MCP --> CUST["🔧 Customization (3)"]
-    MCP --> ENV["⚙️ Environment (3)"]
+    MCP --> CUST["🔧 Customization (4)"]
+    MCP --> ENV["⚙️ Environment (4)"]
     MCP --> TRACE["🔎 Trace (2)"]
     MCP --> SRCH["🔍 Search (1)"]
     MCP --> AUDIT["📜 Audit (1)"]
     MCP --> QUAL["✅ Quality (1)"]
     MCP --> NOTE["📝 Annotations (2)"]
     MCP --> USR["👥 Users (2)"]
-    MCP --> RBAC["🛡️ RBAC (3)"]
+    MCP --> RBAC["🛡️ RBAC (7)"]
     MCP --> VIEWS["👁️ Views (1)"]
     MCP --> FILES["📁 Files (2)"]
     MCP --> ORG["🏢 Org (2)"]
-    MCP --> WF["⚙️ Workflows (2)"]
-    MCP --> ASSIST["🤖 Assistance (4)"]
+    MCP --> WF["⚙️ Workflows (4)"]
+    MCP --> ASSIST["🤖 Assistance (2)"]
     MCP --> ATTR["🏗️ Attributes (4)"]
 ```
 
@@ -128,7 +128,7 @@ All tool handlers validate inputs with **Zod** before calling the `DataverseAdva
 
 ---
 
-## Tool Reference (67 tools)
+## Tool Reference (73 tools)
 
 ### 1. Auth (1 tool)
 
@@ -140,7 +140,7 @@ Returns the current authenticated user context (userId, businessUnitId, organiza
 
 ---
 
-### 2. Metadata (8 tools)
+### 2. Metadata (9 tools)
 
 #### `dataverse_list_tables`
 
@@ -279,7 +279,7 @@ Retrieves ALL matching records by auto-following `@odata.nextLink` pages. Use wh
 
 ---
 
-### 4. CRUD (5 tools)
+### 4. CRUD (6 tools)
 
 #### `dataverse_get`
 
@@ -360,7 +360,22 @@ Create-or-update via an alternate key (no GUID needed). Returns `"created"` or `
 
 ---
 
-### 5. Relations (2 tools)
+#### `dataverse_assign`
+
+Assigns a Dataverse record to a different user or team owner. Sets the `ownerid` lookup field using OData bind syntax.
+
+| Parameter       | Type                   | Req | Notes                   |
+| --------------- | ---------------------- | --- | ----------------------- |
+| `entitySetName` | `string`               | ✓   | OData entity set name   |
+| `id`            | `string (UUID)`        | ✓   | Record GUID to reassign |
+| `ownerType`     | `"systemuser"\|"team"` | ✓   | Target owner type       |
+| `ownerId`       | `string (UUID)`        | ✓   | GUID of user or team    |
+
+> "Reassign account a1b2c3d4 to user u1v2w3x4"
+
+---
+
+### 5. Relations (4 tools)
 
 #### `dataverse_associate`
 
@@ -520,7 +535,7 @@ Delta-query for incremental sync. Pass `deltaToken: null` for initial snapshot;
 
 ---
 
-### 9. Solutions (3 tools)
+### 9. Solutions (2 tools)
 
 #### `dataverse_list_solutions`
 
@@ -597,7 +612,7 @@ Executes any other tool on behalf of a different Dataverse user by injecting `MS
 
 ---
 
-### 11. Customization (3 tools)
+### 11. Customization (4 tools)
 
 #### `dataverse_list_custom_actions`
 
@@ -657,7 +672,7 @@ Activates or deactivates a classic Dataverse workflow (statecode/statuscode upda
 
 ---
 
-### 12. Environment (2 tools)
+### 12. Environment (4 tools)
 
 #### `dataverse_get_environment_variable`
 
@@ -694,6 +709,24 @@ Sets or updates an environment variable's current value (creates or updates the
 
 ---
 
+#### `dataverse_create_environment_variable`
+
+Creates a new Dataverse environment variable definition and sets its initial value. Use when the variable does not yet exist.
+
+| Parameter      | Type                                     | Req | Notes                                                   |
+| -------------- | ---------------------------------------- | --- | ------------------------------------------------------- |
+| `schemaName`   | `string`                                 | ✓   | Schema name (publisher prefix required, e.g. `new_MyVar`) |
+| `displayName`  | `string`                                 | ✓   | Human-readable label                                    |
+| `type`         | `"String"\|"Integer"\|"Boolean"\|"JSON"` | ✓   | Variable data type                                      |
+| `value`        | `string`                                 | ✓   | Initial value                                           |
+| `description`  | `string`                                 | —   | Optional description                                    |
+| `defaultValue` | `string`                                 | —   | Optional default value                                  |
+| `confirm`      | `true`                                   | ✓   | Explicit confirmation required                          |
+
+> "Create environment variable new_MaxRetries of type Integer with value 3"
+
+---
+
 ### 13. Trace (2 tools)
 
 #### `dataverse_get_plugin_trace_logs`
@@ -977,7 +1010,7 @@ Lists Dataverse teams (owner teams and access teams) within one or all business
 
 ---
 
-### 22. RBAC (3 tools)
+### 22. RBAC (7 tools)
 
 #### `dataverse_list_roles`
 
@@ -1025,7 +1058,21 @@ Removes a security role from a system user.
 
 ---
 
-### 23. Workflows (2 tools)
+#### `dataverse_assign_role_to_team`
+
+Assigns a security role to a Dataverse team. All team members inherit the role permissions.
+
+| Parameter | Type            | Req | Notes                          |
+| --------- | --------------- | --- | ------------------------------ |
+| `teamId`  | `string (UUID)` | ✓   | Team GUID                      |
+| `roleId`  | `string (UUID)` | ✓   | Security role GUID             |
+| `confirm` | `true`          | ✓   | Explicit confirmation required |
+
+> "Assign role r1s2t3u4 to team t1e2a3m4"
+
+---
+
+### 23. Workflows (4 tools)
 
 #### `dataverse_list_workflows`
 
@@ -1053,7 +1100,7 @@ Retrieves a single workflow definition by ID, including its trigger, steps, and
 
 ---
 
-### 24. Assistance (4 tools)
+### 24. Assistance (2 tools)
 
 #### `dataverse_suggest_tools`
 
@@ -1105,6 +1152,18 @@ Lists connection references used in solutions (Power Automate connectors).
 
 ---
 
+#### `dataverse_list_tool_tags`
+
+Lists all available tool tags with the number of tools in each category. Use this to discover what kinds of operations are available before calling `dataverse_suggest_tools`.
+
+| Parameter | Type | Req | Notes         |
+| --------- | ---- | --- | ------------- |
+| —         | —    | —   | No parameters |
+
+> "What categories of tools are available in this MCP server?"
+
+---
+
 ### 25. Attributes (4 tools)
 
 Attribute tools manage **column-level schema** in Dataverse tables. All write operations require `confirm: true` and auto-publish the entity definition by default.
@@ -1301,4 +1360,4 @@ Certain tools include an `errorCategory` field in the error text when the failur
 
 ---
 
-_This document reflects the MCP Dataverse server codebase as of v0.4.0 — 67 tools across 25 categories._
+_This document reflects the MCP Dataverse server codebase as of v0.4.6 — 73 tools across 25 categories._

package/README.md

@@ -6,7 +6,7 @@
 
 **The most complete MCP server for Microsoft Dataverse.**
 
-67 tools · 4 resources · 10 guided workflows · Zero config auth
+73 tools · 4 resources · 10 guided workflows · Three auth modes
 
 [![npm](https://img.shields.io/npm/v/mcp-dataverse)](https://www.npmjs.com/package/mcp-dataverse)
 [![npm downloads](https://img.shields.io/npm/dm/mcp-dataverse)](https://www.npmjs.com/package/mcp-dataverse)
@@ -25,7 +25,7 @@
 
 AI agents hallucinate schema, guess column names, and build broken OData queries. This server gives them **real-time access** to your Dataverse environment — schema, records, metadata, solutions — through the [Model Context Protocol](https://modelcontextprotocol.io).
 
-- **No Azure AD app registration** — device code flow, zero pre-configuration
+- **Three auth modes** — device code (local), client credentials (CI/CD), managed identity (Azure-hosted)
 - **Works with any MCP client** — VS Code, Claude, Cursor, Windsurf, Gemini, Codex CLI
 - **Atomic tools** — each tool does one thing well; the AI picks the right one
 - **Structured outputs** — every response returns `{summary, data, suggestions}`
@@ -48,31 +48,45 @@ The interactive wizard configures your environment, registers the server in VS C
 
 ## Authentication
 
-**No PAC CLI, no app registration, no client secret.** Uses Microsoft's device code flow (MSAL):
+Three modes — choose based on where the server runs:
 
-1. **First tool call** → a sign-in code appears in the MCP Output panel (`View → Output → MCP`)
-2. Open `https://microsoft.com/devicelogin` → enter the code → sign in with your work account
-3. **Done.** Token is cached encrypted — all future starts are silent
+| Mode | When to use |
+|:-----|:------------|
+| **Device Code** (default) | Local development — interactive Microsoft login, token cached on disk |
+| **Client Credentials** | Unattended: CI/CD, Docker, Azure services — `authMethod: "client-credentials"` + App Registration |
+| **Managed Identity** | Azure-hosted (App Service, Container Apps) — zero secrets, `authMethod: "managed-identity"` |
 
-Re-authenticate after ~90 days of inactivity: `npx mcp-dataverse-auth`
+**Device code quick start:** authentication triggers on the first tool call.
+
+1. Open `View → Output → MCP` — a sign-in code appears
+2. Go to `https://microsoft.com/devicelogin`, enter the code, sign in with your work account
+3. Token is cached encrypted — all future starts are silent
+
+For client credentials and managed identity setup, see [Authentication docs](https://codeurali.github.io/mcp-dataverse/authentication).
 
 ---
 
 ## Capabilities
 
-| Category                | Count | Description                                                    |
+| Category | Count | Description |
 | ----------------------- | ----- | -------------------------------------------------------------- |
-| **Metadata**            | 8     | Tables, schema, relationships, option sets, entity keys        |
-| **Query**               | 3     | OData, FetchXML, paginated retrieval                           |
-| **CRUD**                | 6     | Get, create, update, delete, upsert, assign                    |
-| **Actions & Functions** | 6     | Bound/unbound Dataverse actions and functions                  |
-| **Batch**               | 1     | Up to 1000 operations atomically                               |
-| **Solutions**           | 3     | List solutions, components, publish customizations             |
-| **Search**              | 1     | Full-text Relevance Search                                     |
-| **Users & Teams**       | 3     | Users, roles, teams                                            |
-| **Files**               | 2     | Upload/download file and image columns                         |
-| **+ more**              | …     | Audit, trace logs, delta tracking, impersonation, annotations… |
-| **Assistance**          | 4     | Tool router, workflow guide                                    |
+| **Metadata** | 9 | Tables, schema, relationships, option sets, entity keys |
+| **Query** | 3 | OData, FetchXML, paginated retrieval |
+| **CRUD** | 6 | Get, create, update, delete, upsert, assign |
+| **Relations** | 4 | Associate, associate bulk, disassociate, query associations |
+| **Actions & Functions** | 6 | Bound/unbound Dataverse actions and functions |
+| **Batch** | 1 | Up to 1000 operations atomically |
+| **Solutions** | 2 | Publish customizations, create sitemap |
+| **Search** | 1 | Full-text Relevance Search |
+| **Users & Teams** | 4 | Users, roles, teams, role assignment |
+| **RBAC** | 7 | Role privileges: list, assign, remove, add, replace, get, team |
+| **Files** | 2 | Upload/download file and image columns |
+| **Audit & Trace** | 3 | Audit log, plugin trace logs, workflow trace logs |
+| **Annotations** | 2 | Notes and file attachments |
+| **Customization** | 4 | Custom actions, plugins, env variables, connection references |
+| **Attributes** | 5 | Create, update, delete columns; lookup and multi-select types |
+| **Assistance** | 2 | Tool router, tool tags |
+| **+ more** | … | Delta sync, impersonation, views, business units, duplicate detection |
 
 [→ Full Capabilities Reference](https://codeurali.github.io/mcp-dataverse/capabilities)
 
@@ -126,7 +140,8 @@ MCP Dataverse is designed to be comprehensive, but most AI models work best with
 | Version | Feature | Status |
 | ------- | ------- | ------ |
 | **v0.4** | HTTP transport + attribute management + schema consistency | ✅ Released |
-| **v0.5** | Enterprise auth (Client Credentials, Managed Identity) + MCP Prompts | 🔴 Planned |
+| **v0.5** | Enterprise auth (Client Credentials, Managed Identity, Entra JWT) | ✅ Released |
+| **v0.6** | MCP Prompts + ERD generator + API snippet generator | 🔜 Planned |
 
 [→ Full Roadmap](https://codeurali.github.io/mcp-dataverse/roadmap)
 

package/dist/auth-provider.factory-IVYKBXVY.js

@@ -0,0 +1 @@
+import{a}from"./chunk-M5UROAVJ.js";import"./chunk-RYRO3QPE.js";import"./chunk-KJ3HM2VM.js";export{a as createAuthProvider};

package/dist/chunk-FSM3J3WD.js

@@ -0,0 +1,35 @@
+var y=class extends Error{constructor(e,n,s,r,i={}){super(e);this.status=n;this.data=s;this.code=r;this.responseHeaders=i;this.name="HttpError"}},R=class{baseURL;timeoutMs;defaultHeaders;tokenProvider;constructor(t){this.baseURL=t.baseURL.endsWith("/")?t.baseURL:t.baseURL+"/",this.timeoutMs=t.timeout??3e4,this.defaultHeaders={...t.headers},this.tokenProvider=t.tokenProvider??void 0}async get(t,e){return this.request("GET",t,void 0,e)}async post(t,e,n){return this.request("POST",t,e,n)}async patch(t,e,n){return this.request("PATCH",t,e,n)}async put(t,e,n){return this.request("PUT",t,e,n)}async delete(t,e){return this.request("DELETE",t,void 0,e)}resolveUrl(t){if(!t.startsWith("http"))return this.baseURL+t;let e=new URL(t),n=new URL(this.baseURL);if(e.origin!==n.origin)throw new y(`SSRF protection: request to '${e.origin}' blocked; only '${n.origin}' is permitted`,0,void 0,"SSRF_BLOCKED");return t}async request(t,e,n,s){let r=this.resolveUrl(e),i={...this.defaultHeaders,...s?.headers};this.tokenProvider&&(i.Authorization=`Bearer ${await this.tokenProvider()}`);let c=s?.timeoutMs??this.timeoutMs,u=new AbortController,a=setTimeout(()=>u.abort(),c);try{let o={method:t,headers:i,signal:u.signal};n!==void 0&&(o.body=typeof n=="string"?n:JSON.stringify(n));let d=await fetch(r,o),p={};if(d.headers.forEach((g,f)=>{p[f]=g}),!d.ok){let g=await d.text(),f;try{f=JSON.parse(g)}catch{f=g||void 0}throw new y(`Request failed with status ${d.status}`,d.status,f,void 0,p)}let m;if(s?.responseType==="text")m=await d.text();else{let g=await d.text();m=g?JSON.parse(g):{}}return{data:m,status:d.status,headers:p}}catch(o){throw o instanceof y?o:o instanceof DOMException&&o.name==="AbortError"?new y("Request timed out",0,void 0,"ECONNABORTED"):o}finally{clearTimeout(a)}}};function O(h){let t=h.indexOf(`\r
+\r
+`),e=h.indexOf(`
+
+`);return t!==-1&&(e===-1||t<=e)?t+4:e!==-1?e+2:-1}function v(h,t){let e=[],n=h.split(`--${t}`);for(let s of n){let r=s.trim();if(!r||r==="--")continue;let i=O(s);if(i===-1)continue;let c=s.slice(i),u=O(c);if(u===-1)continue;let o=(c.trimStart().split(/\r?\n/)[0]??"").match(/^HTTP\/\d+\.\d+\s+(\d{3})/),d=o?parseInt(o[1],10):0,p=d>=200&&d<300,m=c.slice(u).trim();if(!m){e.push(p?null:{error:"Empty response body",status:d});continue}try{let g=JSON.parse(m);e.push(p?g:{error:g,status:d})}catch{e.push({error:m,status:d})}}return e}function l(h){return h.replace(/'/g,"''")}var P="9.2",x={opportunities:"opportunityid",territories:"territoryid",categories:"categoryid",activityparties:"activitypartyid",activitymimeattachments:"activitymimeattachmentid",queues:"queueid",queueitems:"queueitemid"},$=class{http;authProvider;maxRetries;constructor(t,e=3,n=3e4){this.authProvider=t,this.maxRetries=e,this.http=new R({baseURL:`${t.environmentUrl}/api/data/v${P}/`,timeout:n,headers:{"OData-MaxVersion":"4.0","OData-Version":"4.0",Accept:"application/json","Content-Type":"application/json; charset=utf-8"},tokenProvider:()=>t.getToken()})}async requestWithRetry(t,e=0){try{return await t()}catch(n){if(n instanceof y){if(n.status===401&&e===0)return this.authProvider.invalidateToken(),this.requestWithRetry(t,e+1);if([429,503,504].includes(n.status)&&e<this.maxRetries){let r=n.responseHeaders["retry-after"],i=r?parseInt(r,10)*1e3:Math.pow(2,e)*1e3;return await new Promise(c=>setTimeout(c,i)),this.requestWithRetry(t,e+1)}if(n.status===400){let r=n.data?.error?.code;if(r==="0x80071151"&&e<5){let u=Math.pow(2,e)*5e3;return await new Promise(a=>setTimeout(a,u)),this.requestWithRetry(t,e+1)}let i=n.data?.error?.message?.toLowerCase()??"";if((r==="0x80044181"||i.includes("publish")&&(i.includes("already")||i.includes("in progress")||i.includes("another user")))&&e<4)return await new Promise(u=>setTimeout(u,3e4)),this.requestWithRetry(t,e+1)}}throw this.formatError(n)}}formatError(t){if(t instanceof y){let e=t.data?.error;return e?.code==="0x80060888"?new Error(`Dataverse error 0x80060888: The Web API endpoint does not exist in this organization. This means the action/function name is wrong OR the entity set name is incorrect \u2014 NOT necessarily a permissions error. Original message: ${e.message??""}. Tip: verify action names via $metadata or use dataverse_resolve_entity_name for entity names.`):e?new Error(`Dataverse error ${e.code??""}: ${e.message??"Unknown error"}`):t.code==="ECONNABORTED"?new Error("Request timed out. Check your Dataverse environment URL."):t}return t instanceof Error?t:new Error(String(t))}async whoAmI(){return this.requestWithRetry(async()=>{let t=await this.http.get("WhoAmI"),{UserId:e,BusinessUnitId:n,OrganizationId:s}=t.data,r="";try{r=(await this.http.get(`organizations(${s})?$select=name`)).data.name??""}catch{r=""}let i=this.authProvider.environmentUrl;return{UserId:e,BusinessUnitId:n,OrganizationId:s,OrganizationName:r,EnvironmentUrl:i}})}async listTables(t=!1){let s=["$select=LogicalName,SchemaName,DisplayName,EntitySetName,PrimaryIdAttribute,PrimaryNameAttribute,IsCustomEntity",t?"$filter=IsCustomEntity eq true":""].filter(Boolean).join("&");return this.requestWithRetry(()=>this.http.get(`EntityDefinitions?${s}`).then(r=>r.data.value))}async getTableMetadata(t,e=!0){let n=e?"$expand=Attributes":"",s=`EntityDefinitions(LogicalName='${l(t)}')${n?"?"+n:""}`;return this.requestWithRetry(()=>this.http.get(s).then(r=>r.data))}async fetchAllPagesOData(t){let e=[],n=t;for(;n;){let s=await this.requestWithRetry(()=>this.http.get(n).then(r=>r.data));e.push(...s.value??[]),n=s["@odata.nextLink"]}return e}async getRelationships(t){let e=l(t),[n,s,r]=await Promise.all([this.fetchAllPagesOData(`EntityDefinitions(LogicalName='${e}')/OneToManyRelationships`),this.fetchAllPagesOData(`EntityDefinitions(LogicalName='${e}')/ManyToOneRelationships`),this.fetchAllPagesOData(`EntityDefinitions(LogicalName='${e}')/ManyToManyRelationships`)]);return[...n,...s,...r]}async query(t,e={}){let n=c=>encodeURIComponent(c).replace(/%28/g,"(").replace(/%29/g,")").replace(/%2C/g,",").replace(/%27/g,"'").replace(/%40/g,"@"),s=[];e.select?.length&&s.push(`$select=${e.select.join(",")}`),e.filter&&s.push(`$filter=${n(e.filter)}`),e.orderby&&s.push(`$orderby=${n(e.orderby)}`),e.top&&s.push(`$top=${e.top}`),e.expand&&s.push(`$expand=${e.expand}`),e.count&&s.push("$count=true"),e.apply&&s.push(`$apply=${n(e.apply)}`);let r=`${t}${s.length?"?"+s.join("&"):""}`,i=e.formattedValues?{headers:{Prefer:'odata.include-annotations="OData.Community.Display.V1.FormattedValue"'}}:void 0;return this.requestWithRetry(()=>this.http.get(r,i).then(c=>c.data))}async executeFetchXml(t,e,n){let s=encodeURIComponent(e),r=n?{headers:{Prefer:'odata.include-annotations="OData.Community.Display.V1.FormattedValue"'}}:void 0;return this.requestWithRetry(()=>this.http.get(`${t}?fetchXml=${s}`,r).then(i=>i.data))}async getRecord(t,e,n,s){let r=[];n?.length&&r.push(`$select=${n.join(",")}`),s&&r.push(`$expand=${s}`);let i=r.length?`?${r.join("&")}`:"";return this.requestWithRetry(async()=>{let c=await this.http.get(`${t}(${e})${i}`,{headers:{Prefer:'odata.include-annotations="*"'}}),u=c.headers["odata-etag"]??c.data["@odata.etag"]??null;return{record:c.data,etag:u}})}async createRecord(t,e){return this.requestWithRetry(async()=>{let n=await this.http.post(t,e,{headers:{Prefer:"return=representation"}}),r=n.headers["odata-entityid"]?.match(/\(([^)]+)\)/)?.[1];if(r)return r;let i=n.data,c=i["@odata.id"]?.match(/\(([^)]+)\)/)?.[1];if(c)return c;let u=x[t]??t.replace(/s$/,"")+"id",a=i[u];return a||(n.headers.location?.match(/\(([^)]+)\)/)?.[1]??"")})}async updateRecord(t,e,n,s){await this.requestWithRetry(()=>this.http.patch(`${t}(${e})`,n,{headers:{"If-Match":s??"*"}}))}async deleteRecord(t,e){await this.requestWithRetry(()=>this.http.delete(`${t}(${e})`))}async upsertRecord(t,e,n,s,r="upsert",i){return this.requestWithRetry(async()=>{let c=i?`${t}(${i})`:`${t}(${l(e)}='${l(n)}')`,u={Prefer:"return=representation"};r==="createOnly"&&(u["If-None-Match"]="*"),r==="updateOnly"&&(u["If-Match"]="*");try{let a=await this.http.put(c,s,{headers:u}),o=a.status===201?"created":"updated",p=a.headers["odata-entityid"]?.match(/\(([^)]+)\)/)?.[1],m=a.data,g=x[t]??t.replace(/s$/,"")+"id",f=p??m?.[g]??n;return{operation:o,id:f}}catch(a){if(a instanceof y&&a.status===412){if(r==="createOnly")throw new Error("Record already exists");if(r==="updateOnly")throw new Error("Record not found")}throw a}})}async associate(t,e,n,s,r){let i=`${this.authProvider.environmentUrl}/api/data/v${P}/${s}(${r})`;await this.requestWithRetry(()=>this.http.post(`${t}(${e})/${n}/$ref`,{"@odata.id":i}))}async disassociate(t,e,n,s,r){let i=s?`?$id=${this.authProvider.environmentUrl}/api/data/v${P}/${r??t}(${s})`:"";await this.requestWithRetry(()=>this.http.delete(`${t}(${e})/${n}/$ref${i}`))}};var w=class extends ${async executeAction(t,e={}){return this.requestWithRetry(()=>this.http.post(t,e).then(n=>n.data))}async executeFunction(t,e={}){let n=[],s=[],r=/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;Object.entries(e).forEach(([u,a])=>{if(typeof a=="object"&&a!==null){let o=`@${u}`;s.push(`${l(u)}=${o}`),n.push(`${o}=${encodeURIComponent(JSON.stringify(a))}`)}else typeof a=="string"&&r.test(a)?s.push(`${l(u)}=${a}`):typeof a=="string"?s.push(`${l(u)}='${l(a)}'`):s.push(`${l(u)}=${String(a)}`)});let i=s.length?`${t}(${s.join(",")})`:`${t}()`,c=n.length?`${i}?${n.join("&")}`:i;return this.requestWithRetry(()=>this.http.get(c).then(u=>u.data))}async search(t){let n=`${this.http.baseURL.replace(/\/api\/data\/v[\d.]+\/?$/,"")}/api/search/v2.0/query`;return this.requestWithRetry(()=>this.http.post(n,t).then(s=>s.data))}async executeBoundAction(t,e,n,s={}){return this.requestWithRetry(()=>this.http.post(`${t}(${e})/Microsoft.Dynamics.CRM.${n}`,s).then(r=>r.data))}};var b=class extends w{async listDependencies(t,e){return this.requestWithRetry(()=>this.http.get(`RetrieveDependenciesForDelete(ComponentType=${t},ObjectId=${e})`).then(n=>n.data.value))}async listTableDependencies(t,e){let n={0:"Workflow",1:"Dialog",2:"BusinessRule",3:"Action",4:"BusinessProcessFlow",5:"Flow"},s={0:"Draft",1:"Active",2:"Inactive"},i=(await this.requestWithRetry(()=>this.http.get(`workflows?$filter=primaryentity eq '${l(t)}' and statecode ne 2&$select=name,workflowid,statecode,category,triggeroncreate,triggerondelete,triggeronupdateattributelist`).then(o=>o.data))).value.map(o=>{let d=[];return o.triggeroncreate&&d.push("Create"),o.triggerondelete&&d.push("Delete"),o.triggeronupdateattributelist&&d.push("Update"),{componentType:n[o.category]??`Category${o.category}`,name:o.name,id:o.workflowid,state:s[o.statecode]??`State${o.statecode}`,triggerEvent:d.length?d.join(","):null,solutionName:null}}),c=e?.length?i.filter(o=>e.includes(o.componentType)):i,a=e?.some(o=>o==="Plugin"||o==="CustomAPI")?"Plugin and CustomAPI types require additional SDK message queries and are not yet implemented. Results show Workflow/BusinessRule/Flow/Action dependencies only.":null;return{tableName:t,dependencies:c,count:c.length,warning:a}}async listGlobalOptionSets(){return this.requestWithRetry(()=>this.http.get("GlobalOptionSetDefinitions").then(t=>t.data.value))}async getOptionSet(t){return this.requestWithRetry(()=>this.http.get(`GlobalOptionSetDefinitions(Name='${l(t)}')`).then(e=>e.data))}async getAttributeOptionSet(t,e){let n=["PicklistAttributeMetadata","MultiSelectPicklistAttributeMetadata","StatusAttributeMetadata","StateAttributeMetadata"];for(let s of n)try{let r=`EntityDefinitions(LogicalName='${l(t)}')/Attributes(LogicalName='${l(e)}')/Microsoft.Dynamics.CRM.${s}?$select=LogicalName,DisplayName&$expand=OptionSet`,a=((await this.requestWithRetry(()=>this.http.get(r).then(o=>o.data))).OptionSet?.Options??[]).map(o=>({label:o.Label?.UserLocalizedLabel?.Label??"",value:o.Value}));return{entityLogicalName:t,attributeLogicalName:e,attributeType:s.replace("AttributeMetadata",""),options:a}}catch{continue}throw new Error(`Attribute '${e}' on entity '${t}' is not a Picklist, MultiSelectPicklist, Status, or State attribute, or does not exist.`)}async getEntityKeys(t){return this.requestWithRetry(async()=>(await this.http.get(`EntityDefinitions(LogicalName='${l(t)}')/Keys?$select=SchemaName,LogicalName,KeyAttributes,IsCustomizable,EntityKeyIndexStatus`)).data.value.map(n=>({schemaName:n.SchemaName,logicalName:n.LogicalName,keyAttributes:n.KeyAttributes,isCustomizable:n.IsCustomizable?.Value??!1,indexStatus:n.EntityKeyIndexStatus})))}async updateEntityDefinition(t,e){await this.requestWithRetry(()=>this.http.patch(`EntityDefinitions(LogicalName='${l(t)}')`,e,{headers:{"MSCRM.MergeLabels":"true"}}))}async createAttribute(t,e){return this.requestWithRetry(async()=>(await this.http.post(`EntityDefinitions(LogicalName='${l(t)}')/Attributes`,e,{headers:{Prefer:"return=representation"}})).data.MetadataId??"")}async updateAttribute(t,e,n){await this.requestWithRetry(()=>this.http.put(`EntityDefinitions(LogicalName='${l(t)}')/Attributes(LogicalName='${l(e)}')`,n,{headers:{"MSCRM.MergeLabels":"true"}}))}async deleteAttribute(t,e){await this.requestWithRetry(()=>this.http.delete(`EntityDefinitions(LogicalName='${l(t)}')/Attributes(LogicalName='${l(e)}')`))}async createRelationship(t){return this.requestWithRetry(async()=>(await this.http.post("RelationshipDefinitions",t)).headers["odata-entityid"]?.match(/\(([^)]+)\)$/)?.[1]??"")}};var T=class extends b{async batchExecute(t,e=!1){let n=`batch_${Date.now()}`,s="";if(e){let i=`changeset_${Date.now()+1}`,c=t.filter(a=>a.method==="GET"),u=t.filter(a=>a.method!=="GET");for(let a of c)s+=`--${n}\r
+`,s+=`Content-Type: application/http\r
+`,s+=`Content-Transfer-Encoding: binary\r
+\r
+`,s+=`${a.method} ${this.http.baseURL}${a.url} HTTP/1.1\r
+`,s+=`Accept: application/json\r
+\r
+`;if(u.length>0){s+=`--${n}\r
+`,s+=`Content-Type: multipart/mixed; boundary=${i}\r
+\r
+`;let a=1;for(let o of u)s+=`--${i}\r
+`,s+=`Content-Type: application/http\r
+`,s+=`Content-Transfer-Encoding: binary\r
+`,s+=`Content-ID: ${o.contentId??a++}\r
+\r
+`,s+=`${o.method} ${this.http.baseURL}${o.url} HTTP/1.1\r
+`,s+=`Content-Type: application/json\r
+\r
+`,o.body&&(s+=JSON.stringify(o.body)),s+=`\r
+`;s+=`--${i}--\r
+`}}else t.forEach(i=>{s+=`--${n}\r
+`,s+=`Content-Type: application/http\r
+`,s+=`Content-Transfer-Encoding: binary\r
+\r
+`,s+=`${i.method} ${this.http.baseURL}${i.url} HTTP/1.1\r
+`,s+=`Content-Type: application/json\r
+\r
+`,i.body&&(s+=JSON.stringify(i.body)),s+=`\r
+`});s+=`--${n}--`;let r=await this.requestWithRetry(()=>this.http.post("$batch",s,{headers:{"Content-Type":`multipart/mixed;boundary=${n}`},responseType:"text"}));try{let c=(r.headers["content-type"]??"").match(/boundary=(?:"([^"]+)"|([^;"\s]+))/),u=c?.[1]??c?.[2];return u?v(r.data,u):(process.stderr.write(`[batchExecute] No multipart boundary in response Content-Type; returning raw data.
+`),[r.data])}catch(i){return process.stderr.write(`[batchExecute] Failed to parse multipart response; returning raw data. ${String(i)}
+`),[r.data]}}};var E={1:"Entity",2:"Attribute",3:"Relationship",9:"OptionSet",29:"Workflow",61:"SystemForm",71:"SiteMap",90:"PluginAssembly",92:"PluginType",97:"WebResource",95:"ServiceEndpoint",79:"ConnectionRole"};function k(h){return h.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;").replace(/'/g,"&apos;")}var q=class extends T{async executeBoundFunction(t,e,n,s={}){let r=[],i=[];Object.entries(s).forEach(([o,d])=>{if(typeof d=="object"&&d!==null){let p=`@${o}`;i.push(`${l(o)}=${p}`),r.push(`${p}=${encodeURIComponent(JSON.stringify(d))}`)}else typeof d=="string"?i.push(`${l(o)}='${l(d)}'`):i.push(`${l(o)}=${String(d)}`)});let c=i.join(","),u=`${t}(${e})/Microsoft.Dynamics.CRM.${n}(${c})`,a=r.length?`${u}?${r.join("&")}`:u;return this.requestWithRetry(()=>this.http.get(a).then(o=>o.data))}async queryWithPaging(t,e={}){let n=Math.min(e.maxTotal??5e3,5e4),s=[],r=0,i={};e.select!==void 0&&(i.select=e.select),e.filter!==void 0&&(i.filter=e.filter),e.orderby!==void 0&&(i.orderby=e.orderby),e.expand!==void 0&&(i.expand=e.expand);let c=await this.query(t,i);for(s.push(...c.value),r++;c["@odata.nextLink"]&&s.length<n;){let a=c["@odata.nextLink"];c=await this.requestWithRetry(()=>this.http.get(a).then(o=>o.data)),s.push(...c.value),r++}let u=s.slice(0,n);return{records:u,totalRetrieved:u.length,pageCount:r}}async getChangedRecords(t,e,n){let s,r={};if(e===null){let p=n?.length?`?$select=${n.join(",")}`:"";s=`${t}${p}`,r.Prefer="odata.track-changes"}else{let p=n?.length?`&$select=${n.join(",")}`:"";s=`${t}?$deltatoken=${e}${p}`}let i=await this.requestWithRetry(()=>this.http.get(s,{headers:r}).then(p=>p.data)),c=i.value??[],u=[],a=[];for(let p of c)if("@removed"in p){let m=String(p["@id"]??""),g=m.match(/\(([^)]+)\)$/);a.push({id:g?g[1]:m})}else u.push(p);let o=i["@odata.deltaLink"],d=null;if(o){let p=o.match(/\$deltatoken=([^&]+)/);d=p?decodeURIComponent(p[1]):null}return{newAndModified:u,deleted:a,nextDeltaToken:d}}async getSolutionComponents(t,e,n=200){return this.requestWithRetry(async()=>{let r=(await this.http.get(`solutions?$filter=uniquename eq '${l(t)}'&$select=solutionid,uniquename,friendlyname,version&$top=1`)).data.value;if(!r.length)throw new Error(`Solution '${t}' not found`);let i=r[0],c=i.solutionid,u=`_solutionid_value eq ${c}`;e!==void 0&&(u+=` and componenttype eq ${e}`);let o=(await this.http.get(`solutioncomponents?$filter=${u}&$select=componenttype,objectid&$top=${n}&$orderby=componenttype`)).data.value.map(d=>({componentType:d.componenttype,componentTypeName:E[d.componenttype]??`Type${d.componenttype}`,objectId:d.objectid}));return{solutionName:i.uniquename,solutionId:c,friendlyName:i.friendlyname,version:i.version,components:o,count:o.length}})}async publishCustomizations(t){return this.requestWithRetry(async()=>{if(!(t&&((t.entities?.length??0)>0||(t.webResources?.length??0)>0||(t.optionSets?.length??0)>0)))return await this.http.post("PublishAllXml",{},{timeoutMs:12e4}),{published:!0,message:"All customizations published successfully"};let n="<importexportxml>";return t.entities?.length&&(n+="<entities>"+t.entities.map(s=>`<entity>${k(s)}</entity>`).join("")+"</entities>"),t.webResources?.length&&(n+="<webresources>"+t.webResources.map(s=>`<webresource>${k(s)}</webresource>`).join("")+"</webresources>"),t.optionSets?.length&&(n+="<optionsets>"+t.optionSets.map(s=>`<optionset>${k(s)}</optionset>`).join("")+"</optionsets>"),n+="</importexportxml>",await this.http.post("PublishXml",{ParameterXml:n},{timeoutMs:12e4}),{published:!0,message:"Selected customizations published successfully"}})}async listDataverseWorkflows(t){return this.requestWithRetry(async()=>{let e=[];t.category!==void 0&&e.push(`category eq ${t.category}`),t.nameContains&&e.push(`contains(name,'${l(t.nameContains)}')`);let n=`workflows?$select=workflowid,name,description,category,statecode,statuscode,type,modifiedon&$orderby=name asc&$top=${t.top??50}`;return e.length>0&&(n+=`&$filter=${e.join(" and ")}`),(await this.http.get(n)).data.value??[]})}async getDataverseWorkflow(t){return this.requestWithRetry(()=>this.http.get(`workflows(${t})?$select=workflowid,name,description,category,statecode,statuscode,type,modifiedon`).then(e=>e.data))}async executeFetchXmlAllPages(t,e){let n=[],s=1,r;do{let i=e;s>1&&(i=i.replace(/<fetch\b([^>]*)>/i,(o,d)=>{let p=d.replace(/\s+page="[^"]*"/g,"").replace(/\s+paging-cookie="[^"]*"/g,""),m=r?` paging-cookie="${r.replace(/"/g,"&quot;").replace(/'/g,"&apos;")}"`:"";return`<fetch${p} page="${s}"${m}>`}));let c=await this.executeFetchXml(t,i),u=c.value??[];n.push(...u);let a=c["@Microsoft.Dynamics.CRM.fetchxmlpagingcookie"];if(!a||u.length===0)break;try{let d=decodeURIComponent(decodeURIComponent(String(a))).match(/pagingcookie="([^"]+)"/);r=d?d[1]:void 0}catch{r=String(a)}if(!r||(s++,s>100))break}while(!0);return n}};export{l as a,q as b};

package/dist/chunk-KJ3HM2VM.js

@@ -0,0 +1 @@
+import{createCipheriv as c,createDecipheriv as a,createHash as g,randomBytes as p}from"crypto";function i(){let e=[process.env.COMPUTERNAME??process.env.HOSTNAME??"",process.env.USERNAME??process.env.USER??"","mcp-dataverse-cache-v1"].join(".");return g("sha256").update(e).digest()}function d(e){let t=i(),s=p(16),r=c("aes-256-gcm",t,s),o=Buffer.concat([r.update(e,"utf-8"),r.final()]),n={v:1,iv:s.toString("hex"),tag:r.getAuthTag().toString("hex"),d:o.toString("hex")};return JSON.stringify(n)}function u(e){let t=JSON.parse(e);if(t.v!==1)throw new Error("Unknown encrypted-blob format version");let s=Buffer.from(t.iv,"hex"),r=Buffer.from(t.tag,"hex"),o=Buffer.from(t.d,"hex"),n=a("aes-256-gcm",i(),s);return n.setAuthTag(r),n.update(o).toString("utf-8")+n.final("utf-8")}function v(e){try{let t=JSON.parse(e);return t.v===1&&typeof t.iv=="string"&&typeof t.tag=="string"&&typeof t.d=="string"}catch{return!1}}export{d as a,u as b,v as c};

package/dist/chunk-M5UROAVJ.js

@@ -0,0 +1,4 @@
+import{a as o}from"./chunk-RYRO3QPE.js";import{ConfidentialClientApplication as c}from"@azure/msal-node";var r=class{environmentUrl;cca;scopes;cachedToken=null;tokenExpiresAt=0;pendingAuth=null;constructor(e,t,i,s){this.environmentUrl=e.replace(/\/$/,""),this.scopes=[`${this.environmentUrl}/.default`],this.cca=new c({auth:{clientId:i,authority:`https://login.microsoftonline.com/${t}`,clientSecret:s}})}async getToken(){let e=Date.now();return this.cachedToken!==null&&this.tokenExpiresAt>e+6e4?this.cachedToken:this.pendingAuth!==null?this.pendingAuth:(this.pendingAuth=this.acquireToken().finally(()=>{this.pendingAuth=null}),this.pendingAuth)}invalidateToken(){this.cachedToken=null,this.tokenExpiresAt=0}async isAuthenticated(){try{return await this.getToken(),!0}catch{return!1}}async acquireToken(){let e;try{e=await this.cca.acquireTokenByClientCredential({scopes:this.scopes})}catch(t){let i=t instanceof Error?t.message:String(t);throw new Error(`Client credentials token acquisition failed: ${i}
+Verify that tenantId, clientId, and clientSecret are correct and that the app registration has been granted access to Dataverse.`)}if(!e?.accessToken)throw new Error("Client credentials flow returned no access token. Ensure the app registration has the Dataverse Application User configured.");return this.cachedToken=e.accessToken,this.tokenExpiresAt=e.expiresOn?e.expiresOn.getTime():Date.now()+36e5,this.cachedToken}};import{ManagedIdentityApplication as h}from"@azure/msal-node";var a=class{environmentUrl;mia;resource;cachedToken=null;tokenExpiresAt=0;pendingAuth=null;constructor(e,t){this.environmentUrl=e.replace(/\/$/,"");let{protocol:i,hostname:s}=new URL(this.environmentUrl);this.resource=`${i}//${s}`,this.mia=new h(t?{managedIdentityIdParams:{userAssignedClientId:t}}:{})}async getToken(){let e=Date.now();return this.cachedToken!==null&&this.tokenExpiresAt>e+6e4?this.cachedToken:this.pendingAuth!==null?this.pendingAuth:(this.pendingAuth=this.acquireToken().finally(()=>{this.pendingAuth=null}),this.pendingAuth)}invalidateToken(){this.cachedToken=null,this.tokenExpiresAt=0}async isAuthenticated(){try{return await this.getToken(),!0}catch{return!1}}async acquireToken(){let e;try{e=await this.mia.acquireToken({resource:this.resource})}catch(t){let i=t instanceof Error?t.message:String(t);throw new Error(`Managed Identity token acquisition failed: ${i}
+This method only works on Azure-hosted environments (App Service, Container Apps, VMs, AKS).
+Ensure the managed identity has been assigned an Application User role in Dataverse.`)}if(!e?.accessToken)throw new Error("Managed Identity flow returned no access token. Verify that the managed identity has been added as a Dataverse Application User.");return this.cachedToken=e.accessToken,this.tokenExpiresAt=e.expiresOn?e.expiresOn.getTime():Date.now()+36e5,this.cachedToken}};function A(n){switch(n.authMethod){case"client-credentials":return new r(n.environmentUrl,n.tenantId,n.clientId,n.clientSecret);case"managed-identity":return new a(n.environmentUrl,n.managedIdentityClientId);case"device-code":default:return new o(n.environmentUrl)}}export{A as a};

package/dist/chunk-OQ46VPYS.js

@@ -0,0 +1,3 @@
+import{b as p,c as I}from"./chunk-KJ3HM2VM.js";import{readFileSync as C,existsSync as v}from"fs";import{join as g}from"path";import{homedir as S}from"os";import{z as t}from"zod";var h=t.object({environmentUrl:t.string().url("Must be a valid Dataverse environment URL").refine(n=>n.startsWith("https://"),{message:"Dataverse environment URL must use HTTPS"}).refine(n=>{try{return new URL(n).hostname.toLowerCase().endsWith(".dynamics.com")}catch{return!1}},{message:"environmentUrl must be a *.dynamics.com host"}),requestTimeoutMs:t.number().positive().default(3e4),maxRetries:t.number().min(0).max(10).default(3),authMethod:t.enum(["device-code","client-credentials","managed-identity"]).default("device-code"),tenantId:t.string().min(1).optional(),clientId:t.string().min(1).optional(),clientSecret:t.string().min(1).optional(),managedIdentityClientId:t.string().min(1).optional()}).superRefine((n,s)=>{n.authMethod==="client-credentials"&&(n.tenantId||s.addIssue({code:t.ZodIssueCode.custom,path:["tenantId"],message:"tenantId is required when authMethod is 'client-credentials'"}),n.clientId||s.addIssue({code:t.ZodIssueCode.custom,path:["clientId"],message:"clientId is required when authMethod is 'client-credentials'"}),n.clientSecret||s.addIssue({code:t.ZodIssueCode.custom,path:["clientSecret"],message:"clientSecret is required when authMethod is 'client-credentials'. Prefer AZURE_CLIENT_SECRET env var over storing it in config.json."}))});var E="config.json";function w(){let n=g(S(),".mcp-dataverse",E),s=process.env.MCP_CONFIG_PATH??(v(n)?n:g(process.cwd(),E)),e={};if(v(s)){let i=C(s,"utf-8");try{e=JSON.parse(i)}catch{throw new Error(`Invalid JSON in ${s}. Check for syntax errors (trailing commas, missing quotes).`)}}let o=process.env.DATAVERSE_ENV_URL??process.env.environmentUrl;o&&(e.environmentUrl=o);let c=process.env.REQUEST_TIMEOUT_MS??process.env.requestTimeoutMs;c&&(e.requestTimeoutMs=Number(c));let a=process.env.MAX_RETRIES??process.env.maxRetries;a&&(e.maxRetries=Number(a));let d=process.env.AUTH_METHOD??process.env.authMethod;d&&(e.authMethod=d);let m=process.env.AZURE_TENANT_ID??process.env.tenantId;m&&(e.tenantId=m);let l=process.env.AZURE_CLIENT_ID??process.env.clientId;l&&(e.clientId=l);let u=process.env.AZURE_CLIENT_SECRET??process.env.clientSecret;if(u)e.clientSecret=u;else if(typeof e.clientSecret=="string"&&I(e.clientSecret))try{e.clientSecret=p(e.clientSecret)}catch{throw new Error("Failed to decrypt clientSecret from config.json. The config may have been created on a different machine or user account. Re-run 'npx mcp-dataverse install' or set AZURE_CLIENT_SECRET env var.")}let f=process.env.AZURE_MANAGED_IDENTITY_CLIENT_ID??process.env.managedIdentityClientId;f&&(e.managedIdentityClientId=f);let r=h.safeParse(e);if(!r.success)throw new Error(`Invalid configuration:
+${r.error.issues.map(i=>`  - ${i.path.join(".")}: ${i.message}`).join(`
+`)}`);return r.data}export{w as a};

package/dist/chunk-RYRO3QPE.js

@@ -0,0 +1,29 @@
+import{a as o,b as a}from"./chunk-KJ3HM2VM.js";import{PublicClientApplication as u}from"@azure/msal-node";import{existsSync as p,mkdirSync as d,readFileSync as m,writeFileSync as f}from"fs";import{homedir as w}from"os";import{join as l}from"path";import{exec as y}from"child_process";import{platform as c}from"process";function v(n){let t=c==="win32"?`echo|set /p="${n}"| clip`:c==="darwin"?`printf '%s' '${n}' | pbcopy`:`printf '%s' '${n}' | xclip -selection clipboard 2>/dev/null || printf '%s' '${n}' | xsel --clipboard 2>/dev/null`;y(t,()=>{})}var g="1950a258-227b-4e31-a9cf-717495945fc2",h=l(w(),".mcp-dataverse"),r=l(h,"msal-cache.json"),C=300*1e3;function k(){return{beforeCacheAccess:async n=>{if(p(r))try{let t=m(r,"utf-8"),e;try{e=a(t)}catch{e=t}n.tokenCache.deserialize(e)}catch{}},afterCacheAccess:async n=>{n.cacheHasChanged&&(d(h,{recursive:!0}),f(r,o(n.tokenCache.serialize()),{encoding:"utf-8",mode:384}))}}}var s=class{environmentUrl;pca;cachedToken=null;tokenExpiresAt=0;pendingAuth=null;constructor(t){this.environmentUrl=t.replace(/\/$/,""),this.pca=new u({auth:{clientId:g,authority:"https://login.microsoftonline.com/common"},cache:{cachePlugin:k()}})}async getToken(){let t=Date.now();return this.cachedToken!==null&&this.tokenExpiresAt>t+6e4?this.cachedToken:this.pendingAuth!==null?this.pendingAuth:(this.pendingAuth=this.refreshToken().finally(()=>{this.pendingAuth=null}),this.pendingAuth)}invalidateToken(){this.cachedToken=null,this.tokenExpiresAt=0}async isAuthenticated(){try{return await this.getToken(),!0}catch{return!1}}async setupViaDeviceCode(){await this.runDeviceCodeFlow()}async refreshToken(){if((await this.pca.getAllAccounts()).length===0){process.stderr.write(`
+[mcp-dataverse] First-time authentication required.
+Environment: ${this.environmentUrl}
+Open the URL below in your browser to sign in.
+
+`);try{return await this.runDeviceCodeFlow(),await this.acquireSilently()}catch(e){let i=e instanceof Error?e.message:String(e);throw new Error(`Authentication setup failed: ${i}
+
+You can also authenticate manually:
+  npx mcp-dataverse-auth ${this.environmentUrl}
+Then restart the MCP server in VS Code.`)}}try{return await this.acquireSilently()}catch{process.stderr.write(`
+[mcp-dataverse] Session expired \u2014 re-authenticating.
+Open the URL below in your browser to sign in again.
+
+`);try{return await this.runDeviceCodeFlow(),await this.acquireSilently()}catch(e){this.cachedToken=null;let i=e instanceof Error?e.message:String(e);throw new Error(`Re-authentication failed: ${i}
+
+To authenticate manually:
+  npx mcp-dataverse-auth ${this.environmentUrl}
+Then restart the MCP server in VS Code.`)}}}async acquireSilently(){let t=await this.pca.getAllAccounts();if(t.length===0)throw new Error("No account found in cache after authentication.");let e=await this.pca.acquireTokenSilent({scopes:[`${this.environmentUrl}/.default`],account:t[0]});if(!e?.accessToken)throw new Error("Token acquisition returned an empty access token.");return this.cacheResult(e),e.accessToken}async runDeviceCodeFlow(){let t=await Promise.race([this.pca.acquireTokenByDeviceCode({scopes:[`${this.environmentUrl}/.default`],deviceCodeCallback:e=>{v(e.userCode),process.stderr.write(`
+[mcp-dataverse] Sign in required
+
+  1. Open ${e.verificationUri} in your browser
+     (use the browser profile linked to your Power Platform account)
+  2. Paste the code: ${e.userCode}  (already copied to your clipboard)
+  3. Sign in with your work account
+
+`)}}),new Promise((e,i)=>setTimeout(()=>i(new Error("Authentication timed out after 5 minutes. Please try again.")),C))]);t&&(this.cacheResult(t),process.stderr.write(`
+[mcp-dataverse] Authenticated \u2713  Token cached \u2014 no sign-in needed next time.
+
+`))}cacheResult(t){this.cachedToken=t.accessToken,this.tokenExpiresAt=t.expiresOn?.getTime()??Date.now()+3300*1e3}};export{s as a};

package/dist/config.loader-YZJ7QTCV.js

@@ -0,0 +1 @@
+import{a}from"./chunk-OQ46VPYS.js";import"./chunk-KJ3HM2VM.js";export{a as loadConfig};

package/dist/dataverse-client-advanced-EASNSX3M.js

@@ -0,0 +1 @@
+import{b as a}from"./chunk-FSM3J3WD.js";export{a as DataverseAdvancedClient};

package/dist/doctor.js

@@ -1,3 +1,3 @@
 #!/usr/bin/env node
-async function f(){let t=e=>process.stdout.write(e+`
-`),o=e=>t(`  \u2705 ${e}`),n=e=>t(`  \u274C ${e}`);t(""),t("\u{1F3E5} mcp-dataverse doctor"),t("\u2500".repeat(50)),t("");let r=!0;t("\u{1F4CB} Environment");let c=process.version;parseInt(c.slice(1).split(".")[0],10)>=20?o(`Node.js ${c}`):(n(`Node.js ${c} \u2014 requires v20+`),r=!1),t(""),t("\u2699\uFE0F  Configuration");try{let{loadConfig:e}=await import("./config.loader-VTIKUDN7.js"),s=e();o(`Environment URL: ${s.environmentUrl}`),o(`Timeout: ${s.requestTimeoutMs}ms, Retries: ${s.maxRetries}`)}catch(e){let s=e instanceof Error?e.message:String(e);n(`Configuration error: ${s}`),r=!1,t(""),t(r?"\u2705 All checks passed!":"\u274C Some checks failed."),process.exit(r?0:1)}t(""),t("\u{1F511} Authentication");try{let{loadConfig:e}=await import("./config.loader-VTIKUDN7.js"),s=e(),{createAuthProvider:l}=await import("./auth-provider.factory-MSMLSOX3.js"),i=await l(s).getToken();i?(o("Token acquired successfully"),i.split(".").length===3&&o("Valid JWT token format")):(n("No token returned"),r=!1)}catch(e){let s=e instanceof Error?e.message:String(e);n(`Auth failed: ${s}`),r=!1}t(""),t("\u{1F310} Dataverse API");try{let{loadConfig:e}=await import("./config.loader-VTIKUDN7.js"),s=e(),{createAuthProvider:l}=await import("./auth-provider.factory-MSMLSOX3.js"),{DataverseAdvancedClient:m}=await import("./dataverse-client-advanced-ZG4OPCGR.js"),i=l(s),a=await new m(i,s.maxRetries,s.requestTimeoutMs).whoAmI();o(`Organization: ${a.OrganizationName||"N/A"}`),o(`User ID: ${a.UserId||"N/A"}`),o(`Business Unit: ${a.BusinessUnitId||"N/A"}`),o(`Environment: ${a.EnvironmentUrl||s.environmentUrl}`)}catch(e){let s=e instanceof Error?e.message:String(e);n(`API call failed: ${s}`),r=!1}t(""),t("\u2500".repeat(50)),t(r?"\u2705 All checks passed! Your mcp-dataverse setup is healthy.":"\u274C Some checks failed. Review the errors above."),t(""),process.exit(r?0:1)}export{f as runDoctor};
+async function f(){let n=e=>process.stdout.write(e+`
+`),s=e=>n(`  \u2705 ${e}`),o=e=>n(`  \u274C ${e}`);n(""),n("\u{1F3E5} mcp-dataverse doctor"),n("\u2500".repeat(50)),n("");let i=!0;n("\u{1F4CB} Environment");let c=process.version;parseInt(c.slice(1).split(".")[0],10)>=20?s(`Node.js ${c}`):(o(`Node.js ${c} \u2014 requires v20+`),i=!1),n(""),n("\u2699\uFE0F  Configuration");try{let{loadConfig:e}=await import("./config.loader-YZJ7QTCV.js"),t=e();s(`Environment URL: ${t.environmentUrl}`),s(`Auth method: ${t.authMethod??"device-code"}`),s(`Timeout: ${t.requestTimeoutMs}ms, Retries: ${t.maxRetries}`)}catch(e){let t=e instanceof Error?e.message:String(e);o(`Configuration error: ${t}`),i=!1,n(""),n(i?"\u2705 All checks passed!":"\u274C Some checks failed."),process.exit(i?0:1)}n(""),n("\u{1F511} Authentication");try{let{loadConfig:e}=await import("./config.loader-YZJ7QTCV.js"),t=e(),r=t.authMethod??"device-code";s(`Auth method: ${r}`),r==="client-credentials"?(s(`Tenant ID : ${t.tenantId}`),s(`Client ID : ${t.clientId}`),t.clientSecret&&!process.env.AZURE_CLIENT_SECRET&&!process.env.clientSecret?n("  \u26A0\uFE0F  clientSecret is stored in config file \u2014 prefer AZURE_CLIENT_SECRET env var for production"):s("Client Secret: supplied via env var")):r==="managed-identity"&&(t.managedIdentityClientId?s(`Identity type: user-assigned (clientId: ${t.managedIdentityClientId})`):s("Identity type: system-assigned"));let{createAuthProvider:d}=await import("./auth-provider.factory-IVYKBXVY.js"),l=await d(t).getToken();l?(s("Token acquired successfully"),l.split(".").length===3&&s("Valid JWT token format")):(o("No token returned"),i=!1)}catch(e){let t=e instanceof Error?e.message:String(e);o(`Auth failed: ${t}`),i=!1}n(""),n("\u{1F310} Dataverse API");try{let{loadConfig:e}=await import("./config.loader-YZJ7QTCV.js"),t=e(),{createAuthProvider:r}=await import("./auth-provider.factory-IVYKBXVY.js"),{DataverseAdvancedClient:d}=await import("./dataverse-client-advanced-EASNSX3M.js"),m=r(t),a=await new d(m,t.maxRetries,t.requestTimeoutMs).whoAmI();s(`Organization: ${a.OrganizationName||"N/A"}`),s(`User ID: ${a.UserId||"N/A"}`),s(`Business Unit: ${a.BusinessUnitId||"N/A"}`),s(`Environment: ${a.EnvironmentUrl||t.environmentUrl}`)}catch(e){let t=e instanceof Error?e.message:String(e);o(`API call failed: ${t}`),i=!1}n(""),n("\u2500".repeat(50)),n(i?"\u2705 All checks passed! Your mcp-dataverse setup is healthy.":"\u274C Some checks failed. Review the errors above."),n(""),process.exit(i?0:1)}export{f as runDoctor};

package/dist/entra-jwt-validator-DABIEBOV.js

@@ -0,0 +1,2 @@
+import{createRemoteJWKSet as g,jwtVerify as m}from"jose";function J(d){let{tenantId:s,audience:l,requiredScope:r}=d,u=`https://login.microsoftonline.com/${s}/v2.0`,f=new URL(`https://login.microsoftonline.com/${s}/discovery/v2.0/keys`),p=g(f,{cooldownDuration:3e4,cacheMaxAge:10*6e4});return async function(a){let i;try{i=(await m(a,p,{issuer:u,audience:l,algorithms:["RS256"],clockTolerance:30})).payload}catch(n){let o=n instanceof Error?n.message:String(n);try{let c=a.split(".");if(c.length===3){let t=JSON.parse(Buffer.from(c[1],"base64url").toString("utf8"));process.stderr.write(`[entra-jwt] validation failed: ${o} | aud=${JSON.stringify(t.aud)} iss=${t.iss} scp="${t.scp}" ver=${t.ver}
+`)}}catch{}throw new Error(`Entra JWT validation failed: ${o}`)}if(r){let n=i.scp??"";if(!n.split(" ").includes(r))throw new Error(`Required scope '${r}' not present in token scp claim ('${n}')`)}let e=i;return{oid:e.oid??"",upn:e.upn??e.preferred_username??"",name:e.name??""}}}export{J as createEntraJwtValidator};

package/dist/http-server.js

@@ -1,4 +1,8 @@
-import{createServer as S}from"http";import{timingSafeEqual as u,createHmac as m,randomUUID as v}from"crypto";import{StreamableHTTPServerTransport as w}from"@modelcontextprotocol/sdk/server/streamableHttp.js";function g(a,r){try{let i=Buffer.from("mcp-token-verify-constant"),c=m("sha256",i).update(a).digest(),d=m("sha256",i).update(r).digest();return u(c,d)}catch{return!1}}async function O(a,r,i,c){let d=process.env.MCP_HTTP_JSON_RESPONSE!=="false",l=process.env.MCP_HTTP_SECRET??process.env.BEARER_TOKEN,h=process.env.MCP_HTTP_CORS_ORIGIN??"*",n=new Map,p=S(async(s,e)=>{if(e.setHeader("Access-Control-Allow-Origin",h),e.setHeader("Access-Control-Allow-Methods","GET, POST, DELETE, OPTIONS"),e.setHeader("Access-Control-Allow-Headers","Content-Type, mcp-session-id, Authorization"),s.method==="OPTIONS"){e.writeHead(204),e.end();return}let T=new URL(s.url??"/",`http://localhost:${r}`);if(T.pathname==="/health"&&s.method==="GET"){e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify({status:"ok",version:i,tools:c}));return}if(T.pathname==="/mcp"){if(l){let o=s.headers.authorization??"",t=o.startsWith("Bearer ")?o.slice(7):"";if(!g(t,l)){e.writeHead(401,{"Content-Type":"application/json","WWW-Authenticate":'Bearer realm="MCP Dataverse"'}),e.end(JSON.stringify({error:"Unauthorized"}));return}}try{let o=s.headers["mcp-session-id"];if(o){let t=n.get(o);if(!t){e.writeHead(404,{"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Session not found. Please reinitialize."}));return}await t.handleRequest(s,e)}else{if(s.method!=="POST"){e.writeHead(400,{"Content-Type":"application/json"}),e.end(JSON.stringify({error:"mcp-session-id header required for GET and DELETE"}));return}let t=new w({sessionIdGenerator:()=>v(),enableJsonResponse:d});t.sessionId&&(n.set(t.sessionId,t),t.onclose=()=>{t.sessionId&&n.delete(t.sessionId)}),await a().connect(t),await t.handleRequest(s,e),t.sessionId&&(n.has(t.sessionId)||(n.set(t.sessionId,t),t.onclose=()=>{t.sessionId&&n.delete(t.sessionId)}))}}catch(o){process.stderr.write(`[http-server] Unhandled error: ${String(o)}
-`),e.headersSent||(e.writeHead(500,{"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Internal server error"})))}return}e.writeHead(404,{"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Not found"}))});await new Promise(s=>{p.listen(r,()=>{process.stderr.write(`MCP Dataverse HTTP server listening on http://localhost:${r}/mcp
-`),s()})});let f=async()=>{process.stderr.write(`Shutting down HTTP server...
-`);for(let s of n.values())await s.close();p.close(),process.exit(0)};process.on("SIGINT",f),process.on("SIGTERM",f),await new Promise(s=>{p.on("close",s)})}export{O as startHttpTransport};
+import{createServer as N}from"http";import{timingSafeEqual as y,createHmac as S,randomUUID as C}from"crypto";import{StreamableHTTPServerTransport as _}from"@modelcontextprotocol/sdk/server/streamableHttp.js";function A(p,a){try{let d=Buffer.from("mcp-token-verify-constant"),l=S("sha256",d).update(p).digest(),u=S("sha256",d).update(a).digest();return y(l,u)}catch{return!1}}async function U(p,a,d,l){let u=process.env.MCP_HTTP_JSON_RESPONSE!=="false",h=process.env.MCP_HTTP_SECRET??process.env.BEARER_TOKEN,E=process.env.MCP_HTTP_CORS_ORIGIN??"*",s=process.env.ENTRA_TENANT_ID&&process.env.ENTRA_CLIENT_ID?{tenantId:process.env.ENTRA_TENANT_ID,clientId:process.env.ENTRA_CLIENT_ID,audience:process.env.ENTRA_AUDIENCE??`api://${process.env.ENTRA_CLIENT_ID}`,requiredScope:process.env.ENTRA_REQUIRED_SCOPE}:null,T=null;if(s){let{createEntraJwtValidator:n}=await import("./entra-jwt-validator-DABIEBOV.js");T=n(s),process.stderr.write(`[http-server] Auth mode: entra-jwt (tenant=${s.tenantId}, audience=${s.audience})
+`)}else process.stderr.write(h?`[http-server] Auth mode: static bearer token
+`:`[http-server] WARNING: No auth configured \u2014 all /mcp requests accepted
+`);let w=(process.env.MCP_PUBLIC_URL??`http://localhost:${a}`).replace(/\/$/,""),o=new Map,m=N(async(n,e)=>{if(e.setHeader("Access-Control-Allow-Origin",E),e.setHeader("Access-Control-Allow-Methods","GET, POST, DELETE, OPTIONS"),e.setHeader("Access-Control-Allow-Headers","Content-Type, mcp-session-id, Authorization"),n.method==="OPTIONS"){e.writeHead(204),e.end();return}let f=new URL(n.url??"/",`http://localhost:${a}`);if(f.pathname==="/health"&&n.method==="GET"){e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify({status:"ok",version:d,tools:l}));return}if(f.pathname==="/.well-known/oauth-protected-resource"&&n.method==="GET"){let c=s?.tenantId??"";e.writeHead(200,{"Content-Type":"application/json","Cache-Control":"max-age=3600"});let i=s?.clientId??"";e.end(JSON.stringify({resource:`${w}/mcp`,authorization_servers:c?[`https://login.microsoftonline.com/${c}/v2.0`]:[],bearer_methods_supported:["header"],scopes_supported:i?[`api://${i}/DataverseAccess`]:[],resource_documentation:"https://github.com/aileron-split/mcp-dataverse"}));return}if(f.pathname==="/mcp"){let c=n.headers.authorization??"",i=c.startsWith("Bearer ")?c.slice(7):"",g=`${w}/.well-known/oauth-protected-resource`,v=s?`Bearer resource_metadata="${g}", realm="MCP Dataverse"`:'Bearer realm="MCP Dataverse"';if(T){if(!i){e.writeHead(401,{"Content-Type":"application/json","WWW-Authenticate":v}),e.end(JSON.stringify({error:"Unauthorized"}));return}try{await T(i)}catch(r){let t=r instanceof Error?r.message:String(r);process.stderr.write(`[http-server] JWT rejected: ${t}
+`),e.writeHead(401,{"Content-Type":"application/json","WWW-Authenticate":v}),e.end(JSON.stringify({error:"Unauthorized"}));return}}else if(h&&!A(i,h)){e.writeHead(401,{"Content-Type":"application/json","WWW-Authenticate":v}),e.end(JSON.stringify({error:"Unauthorized"}));return}try{let r=n.headers["mcp-session-id"];if(r){let t=o.get(r);if(!t){e.writeHead(404,{"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Session not found. Please reinitialize."}));return}await t.handleRequest(n,e)}else{if(n.method!=="POST"){e.writeHead(400,{"Content-Type":"application/json"}),e.end(JSON.stringify({error:"mcp-session-id header required for GET and DELETE"}));return}let t=new _({sessionIdGenerator:()=>C(),enableJsonResponse:u});t.sessionId&&(o.set(t.sessionId,t),t.onclose=()=>{t.sessionId&&o.delete(t.sessionId)}),await p().connect(t),await t.handleRequest(n,e),t.sessionId&&(o.has(t.sessionId)||(o.set(t.sessionId,t),t.onclose=()=>{t.sessionId&&o.delete(t.sessionId)}))}}catch(r){process.stderr.write(`[http-server] Unhandled error: ${String(r)}
+`),e.headersSent||(e.writeHead(500,{"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Internal server error"})))}return}e.writeHead(404,{"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Not found"}))});await new Promise(n=>{m.listen(a,"0.0.0.0",()=>{process.stderr.write(`MCP Dataverse HTTP server listening on http://0.0.0.0:${a}/mcp
+`),n()})});let I=async()=>{process.stderr.write(`Shutting down HTTP server...
+`);for(let n of o.values())await n.close();m.close(),process.exit(0)};process.on("SIGINT",I),process.on("SIGTERM",I),await new Promise(n=>{m.on("close",n)})}export{U as startHttpTransport};