Merge branch 'main' of github.com:mongodb-js/mongodb-mcp-server into chore/MCP-242-validate-pre-filter-fields

Author: gagik

.github/workflows/code-health-fork.yml

@@ -35,6 +35,9 @@ jobs:
         run: npm ci
       - name: Run tests
         run: npm test
+        env:
+          SKIP_ATLAS_TESTS: "true"
+          SKIP_ATLAS_LOCAL_TESTS: "true"
       - name: Upload test results
         if: always() && matrix.os == 'ubuntu-latest'
         uses: actions/upload-artifact@v4

.gitignore

@@ -13,3 +13,5 @@ tests/tmp
 coverage
 # Generated assets by accuracy runs
 .accuracy
+
+.DS_Store

CONTRIBUTING.md

@@ -76,6 +76,10 @@ npm test -- path/to/test/file.test.ts
 npm test -- path/to/directory
 ```
 
+#### Accuracy Tests and colima
+
+If you use [colima](https://github.com/abiosoft/colima) to run Docker on Mac, you will need to apply [additional configuration](https://node.testcontainers.org/supported-container-runtimes/#colima) to ensure the accuracy tests run correctly.
+
 ## Troubleshooting
 
 ### Restart Server
@@ -143,31 +147,28 @@ When adding new tools to the MCP server:
 
 ## Release Process
 
-Our release process is automated using GitHub Actions workflows:
-
-### Version Bumping
+To release a new version of the MCP server, follow these steps:
 
-1. To create a new version, go to the GitHub repository Actions tab
-2. Select the "Version Bump" workflow
-3. Click "Run workflow" and choose one of the following options:
+1. Ensure there is a Jira _Release_ ticket in the [`MCP` project](https://jira.mongodb.org/projects/MCP) for the new release and move it to _In Progress_.
+2. Verify that the Jira tickets you expect to be released are correctly mapped to the expected Release version. Add any additional required documentation to the release ticket.
+3. To create a new version, go to the GitHub repository Actions tab and run the "Prepare Release" workflow with one of the following options:
    - `patch` (e.g., 1.0.0 → 1.0.1) for backward-compatible bug fixes
    - `minor` (e.g., 1.0.0 → 1.1.0) for backward-compatible new features
    - `major` (e.g., 1.0.0 → 2.0.0) for breaking changes
    - A specific version number (e.g., `1.2.3`)
-4. This creates a pull request with the version change
-5. Once approved and merged, the version is updated
-
-### Automatic Publishing
-
-When a version bump is merged to the main branch:
-
-1. The "Publish" workflow automatically runs
-2. It checks if the version already exists as a git tag
-3. If the version is new, it:
-   - Builds the package
-   - Publishes to NPM
-   - Creates a git tag for the version
-   - Creates a GitHub release with auto-generated release notes
+   - **Pre-release versions**: To create a pre-release, enter the version suffixed by `-prerelease.{n}` where `n` is the pre-release number (e.g., `1.1.0-prerelease.1`, `1.1.0-prerelease.2`). Pre-releases are release candidates that provide early access to new features before they are promoted to stable.
+
+   > **Note**: Stable releases are published under the `latest` tag on NPM and are intended for production use. Pre-release versions are published under the `prerelease` tag and serve as release candidates for early access and feedback before being released as stable versions.
+
+4. This creates a pull request with the version change.
+5. Merge this pull request if all looks correct. This will trigger the "Publish" workflow which will publish it to **NPM**, **Docker** and the **MCP Registry**.
+6. Verify that the new version is published correctly by checking:
+   - NPM: https://www.npmjs.com/package/mongodb-mcp-server
+   - Docker: https://hub.docker.com/r/mongodb/mongodb-mcp-server
+   - MCP Registry: `curl "https://registry.modelcontextprotocol.io/v0.1/servers/io.github.mongodb-js%2Fmongodb-mcp-server/versions/latest"`
+7. Close the Jira ticket for the release.
+8. Go to the [Releases](https://jira.mongodb.org/projects/MCP?selectedItem=com.atlassian.jira.jira-projects-plugin%3Arelease-page&status=released-unreleased) section the and rename the `vNext` to the new version number and mark it as Released. Create a new `vNext` for the next release.
+9. Post an update in the `#mongodb-mcp` Slack channel.
 
 ### Code Quality
 

README.md

@@ -0,0 +1,79 @@
+# Deploy MongoDB MCP Server on Azure Container Apps
+
+## Overview
+
+This directory contains an Azure Bicep template (`bicep/main.bicep`) and supporting parameter files for deploying the infrastructure required to run the MongoDB MCP (Model Context Protocol) server. Use this guide to prepare prerequisites, select the appropriate parameter file, and run the deployment end-to-end.
+
+## Prerequisites
+
+- Azure CLI (2.55.0 or later) installed and signed in (`az login`).
+- Azure subscription with permissions to deploy the required resources.
+- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:latest).
+
+## Parameter Files
+
+Two sample parameter files are provided to help you tailor deployments:
+
+- `bicep/params.json`: Baseline configuration that deploys the MongoDB MCP server with authentication disabled or using default settings. Use this when testing in development environments or when external authentication is not required.
+- `bicep/paramsWithAuthEnabled.json`: Extends the baseline deployment and enables Microsoft Entra ID (Azure AD) authentication using managed identity and client application IDs. Use this when you want the server protected with Azure AD authentication via managed identity.
+
+> **Tip:** Update the image reference, secrets, networking, and any other environment-specific values in the chosen parameter file before deployment.
+
+## Deploy the Bicep Template
+
+1. **Set common variables (PowerShell example):**
+
+   ```powershell
+   $location = "eastus"
+   $resourceGroup = "mongodb-mcp-demo-rg"
+   $templateFile = "bicep/main.bicep"
+   $parameterFile = "bicep/params.json"            # or bicep/paramsWithAuthEnabled.json
+   ```
+
+2. **Create the resource group (if it does not exist):**
+
+   ```powershell
+   az group create --name $resourceGroup --location $location
+   ```
+
+3. **Validate the deployment (optional but recommended):**
+
+   ```powershell
+   az deployment group what-if \
+      --resource-group $resourceGroup \
+      --template-file $templateFile \
+      --parameters @$parameterFile
+   ```
+
+4. **Run the deployment:**
+
+   ```powershell
+   az deployment group create \
+      --resource-group $resourceGroup \
+      --template-file $templateFile \
+      --parameters @$parameterFile
+   ```
+
+5. **Monitor outputs:** Review the deployment outputs and logs for connection endpoints, credential references, or other values needed to complete integration.
+
+## Post-Deployment Checklist
+
+- After the Azure Container Apps deployment completes, access the MCP server by visiting the application’s public endpoint with /mcp appended. Example: https://[CONTAINER_APP_NAME].<region>.azurecontainerapps.io/mcp.
+
+## Updating the Deployment
+
+To apply changes:
+
+1. Update the parameter file or `main.bicep` as needed.
+2. Re-run the `az deployment group create` command with the same resource group.
+3. Use `az deployment group what-if` to preview differences before applying them.
+
+## Cleanup
+
+Remove the deployed resources when no longer needed:
+
+```powershell
+az group delete --name $resourceGroup --yes --no-wait
+```
+
+> **Reminder:** Deleting the resource group removes all resources inside it. Ensure any persistent data or backups are retained elsewhere before running the cleanup command.

deploy/azure/README.md

@@ -0,0 +1,212 @@
+@description('Name of the Container Apps Environment. Leave blank to create a new one.')
+param containerAppEnvName string = ''
+
+@description('Location of resources')
+param location string = resourceGroup().location
+
+@description('Name of the Container App')
+param containerAppName string = 'mongo-mcp-server-app'
+
+@description('Docker image to deploy')
+param containerImage string = 'mongodb/mongodb-mcp-server:latest'
+
+@description('Container CPU (vCPU) as string. Allowed: 0.25 - 2.0 in 0.25 increments')
+@allowed([
+  '0.25'
+  '0.5'
+  '0.75'
+  '1.0'
+  '1.25'
+  '1.5'
+  '1.75'
+  '2.0'
+])
+param containerCpu string = '1.0'
+
+// Convert CPU string to number (Bicep lacks float type; json() parses to number)
+var containerCpuNumber = json(containerCpu)
+
+@description('Container Memory (GB)')
+@allowed([
+  '0.5Gi'
+  '1Gi'
+  '2Gi'
+  '4Gi'
+])
+param containerMemory string = '2Gi'
+
+@description('Container App Environment Variables')
+param appEnvironmentVars object = {
+  MDB_MCP_READ_ONLY: 'true' // set to 'false' to enable write operations
+  MDB_MCP_HTTP_PORT: '8080'
+  MDB_MCP_HTTP_HOST: '::'
+  MDB_MCP_TRANSPORT: 'http'
+  MDB_MCP_LOGGERS: 'disk,mcp,stderr'
+  MDB_MCP_LOG_PATH: '/tmp/mongodb-mcp'
+}
+
+@description('Authentication mode toggle for the Container App. NOAUTH disables platform auth; MicrosoftMIBasedAuth enables Azure AD auth and enforces 401 for unauthenticated requests.')
+@allowed([
+  'NOAUTH'
+  'MicrosoftMIBasedAuth'
+])
+param authMode string = 'NOAUTH'
+
+@description('Azure AD Application (client) ID used when authMode is MicrosoftMIBasedAuth. Leave blank for NOAUTH.')
+param authClientId string = ''
+
+@description('Issuer URL (OpenID issuer) when authMode is MicrosoftMIBasedAuth. Example: https://login.microsoftonline.com/<tenant-id>/v2.0 or https://sts.windows.net/<tenant-id>/v2.0')
+param authIssuerUrl string = ''
+
+@description('Azure AD Tenant ID (GUID) used when authMode is MicrosoftMIBasedAuth. Provided separately to avoid hard-coded cloud endpoints in template logic.')
+param authTenantId string = ''
+
+@description('Optional array of allowed client application IDs. If empty, all applications are allowed (not recommended).')
+param authAllowedClientApps array = []
+
+@secure()
+@description('MongoDB Connection String')
+param mdbConnectionString string
+
+// Create Container App Environment if not provided
+resource containerAppEnv 'Microsoft.App/managedEnvironments@2024-02-02-preview' = if (empty(containerAppEnvName)) {
+  name: 'mcp-env-${uniqueString(resourceGroup().id)}'
+  location: location
+  properties: {}
+}
+
+// Get the Container App Environment resource ID (either existing or newly created)
+var envResourceId = empty(containerAppEnvName) 
+  ? containerAppEnv.id 
+  : resourceId('Microsoft.App/managedEnvironments', containerAppEnvName)
+
+// Build environment variables array
+var envVarsArray = [
+  for item in items(appEnvironmentVars): {
+    name: item.key
+    value: string(item.value)
+  }
+]
+
+// Additional environment variables injected when MicrosoftMIBasedAuth is enabled (merged after user-provided vars so user can override if desired)
+var authEnvVars = authMode == 'MicrosoftMIBasedAuth'
+  ? concat([
+      {
+        name: 'MDB_MCP_HTTP_AUTH_MODE'
+        value: 'azure-managed-identity'
+      }
+      {
+        // Tenant ID of the Azure AD tenant
+        name: 'MDB_MCP_AZURE_MANAGED_IDENTITY_TENANT_ID'
+        value: authTenantId
+      }
+      {
+        // Client ID of the Azure AD App representing your container app
+        name: 'MDB_MCP_AZURE_MANAGED_IDENTITY_CLIENT_ID'
+        value: authClientId
+      }
+    ], length(authAllowedClientApps) > 0 ? [
+      {
+        // Comma-separated list of allowed Client App IDs for access
+        // (only listed Client Apps are allowed if client apps specified)
+        name: 'MDB_MCP_AZURE_MANAGED_IDENTITY_ALLOWED_APP_IDS'
+        value: join(authAllowedClientApps, ',')
+      }
+    ] : [])
+  : [
+      {
+        name: 'MDB_MCP_HTTP_AUTH_MODE'
+        value: 'none'
+      }
+    ]
+
+// Deploy Container App
+resource containerApp 'Microsoft.App/containerApps@2024-02-02-preview' = {
+  name: containerAppName
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    managedEnvironmentId: envResourceId
+    configuration: {
+      ingress: {
+        external: true
+        targetPort: int(appEnvironmentVars.MDB_MCP_HTTP_PORT)
+        transport: 'auto'
+      }
+      secrets: [
+        {
+          name: 'mdb-mcp-connection-string'
+          value: mdbConnectionString
+        }
+      ]
+    }
+    template: {
+      containers: [
+        {
+          name: 'mcpserver'
+          image: containerImage
+          resources: {
+            cpu: containerCpuNumber
+            memory: containerMemory
+          }
+          env: concat(
+            envVarsArray,
+            authEnvVars,
+            [
+              {
+                name: 'MDB_MCP_CONNECTION_STRING'
+                secretRef: 'mdb-mcp-connection-string'
+              }
+            ]
+          )
+        }
+      ]
+      scale: {
+        minReplicas: 1
+        maxReplicas: 1
+        rules: [] // disables autoscaling
+      }
+    }
+  }
+}
+
+// Container App Authentication (child resource) - only deployed when MicrosoftMIBasedAuth selected
+resource containerAppAuth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = if (authMode == 'MicrosoftMIBasedAuth') {
+  name: 'current'
+  parent: containerApp
+  properties: {
+    platform: {
+      enabled: true
+      // runtimeVersion optional
+    }
+    globalValidation: {
+      unauthenticatedClientAction: 'Return401'
+      redirectToProvider: 'azureActiveDirectory'
+    }
+    identityProviders: {
+      azureActiveDirectory: {
+        enabled: true
+        registration: {
+          clientId: authClientId
+          openIdIssuer: authIssuerUrl
+        }
+        validation: {
+          allowedAudiences: [
+            authClientId
+          ]
+          // defaultAuthorizationPolicy allows restriction to specific client applications
+          defaultAuthorizationPolicy: length(authAllowedClientApps) > 0 ? {
+            allowedApplications: authAllowedClientApps
+          } : null
+          jwtClaimChecks: length(authAllowedClientApps) > 0 ? {
+            allowedClientApplications: authAllowedClientApps
+          } : null
+        }
+      }
+    }
+  }
+}
+
+output containerAppUrl string = containerApp.properties.configuration.ingress.fqdn

deploy/azure/bicep/main.bicep

@@ -0,0 +1,24 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "containerAppEnvName": { "value": "container-app-env" },
+    "containerAppName": { "value": "mongo-mcp-server-app-without-auth" },
+    "containerImage": { "value": "mongodb/mongodb-mcp-server:latest" },
+    "containerCpu": { "value": "1.0" },
+    "containerMemory": { "value": "2Gi" },
+    "appEnvironmentVars": {
+      "value": {
+        "MDB_MCP_READ_ONLY": "false",
+        "MDB_MCP_HTTP_PORT": "8080",
+        "MDB_MCP_HTTP_HOST": "::",
+        "MDB_MCP_TRANSPORT": "http",
+        "MDB_MCP_LOGGERS": "disk,mcp,stderr",
+        "MDB_MCP_LOG_PATH": "/tmp/mongodb-mcp",
+        "MDB_MCP_DISABLED_TOOLS": "explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
+      }
+    },
+    "authMode": { "value": "NOAUTH" },
+    "mdbConnectionString": { "value": "<MONGODB_CONNECTION_STRING>" }
+  }
+}