Merge branch 'main' into dependabot/npm_and_yarn/npm_and_yarn-6ea9762674

Author: alexmt

.github/workflows/release.yml

@@ -5,6 +5,10 @@ on:
     types:
       - published
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   release:
     if: startsWith(github.ref, 'refs/tags/v')
@@ -29,4 +33,4 @@ jobs:
           echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
           VERSION=${GITHUB_REF#refs/tags/v}
           npm version $VERSION --no-git-tag-version
-          npm publish --access public
+          npm publish --provenance --access public

.gitignore

@@ -140,3 +140,6 @@ dist
 
 # ide
 .idea/
+
+# claude code
+CLAUDE.md

README.md

@@ -39,6 +39,26 @@ Akuity is the enterprise company for Argo and Kargo, and provides the essential
 - **Complete Argo CD API Integration**: Provides comprehensive access to Argo CD resources and operations
 - **AI Assistant Ready**: Pre-configured tools for AI assistants to interact with Argo CD in natural language
 
+## Available Tools
+
+The server provides the following ArgoCD management tools:
+
+### Application Management
+- `list_applications`: List and filter all applications
+- `get_application`: Get detailed information about a specific application
+- `create_application`: Create a new application
+- `update_application`: Update an existing application
+- `delete_application`: Delete an application
+- `sync_application`: Trigger a sync operation on an application
+
+### Resource Management
+- `get_application_resource_tree`: Get the resource tree for a specific application
+- `get_application_managed_resources`: Get managed resources for a specific application
+- `get_application_workload_logs`: Get logs for application workloads (Pods, Deployments, etc.)
+- `get_resource_events`: Get events for resources managed by an application
+- `get_resource_actions`: Get available actions for resources
+- `run_resource_action`: Run an action on a resource
+
 ## Installation
 
 ### Prerequisites
@@ -129,25 +149,21 @@ This disables TLS certificate validation for Node.js when connecting to Argo CD
 
 > **Warning**: Disabling SSL verification reduces security. Use this setting only in development environments or when you understand the security implications.
 
-## Available Tools
-
-The server provides the following ArgoCD management tools:
 
-### Application Management
-- `list_applications`: List and filter all applications
-- `get_application`: Get detailed information about a specific application
-- `create_application`: Create a new application
-- `update_application`: Update an existing application
-- `delete_application`: Delete an application
-- `sync_application`: Trigger a sync operation on an application
+### Read Only Mode
 
-### Resource Management
-- `get_application_resource_tree`: Get the resource tree for a specific application
-- `get_application_managed_resources`: Get managed resources for a specific application
-- `get_application_workload_logs`: Get logs for application workloads (Pods, Deployments, etc.)
-- `get_resource_events`: Get events for resources managed by an application
-- `get_resource_actions`: Get available actions for resources
-- `run_resource_action`: Run an action on a resource
+If you want to run the MCP Server in a ReadOnly mode to avoid resource or application modification, you should set the environment variable:
+```
+"MCP_READ_ONLY": "true"
+```
+This will disable the following tools:
+- `create_application`
+- `update_application`
+- `delete_application`
+- `sync_application`
+- `run_resource_action`
+
+By default, all the tools will be available.
 
 ## For Development
 

src/argocd/client.ts

@@ -72,9 +72,21 @@ export class ArgoCDClient {
     return body;
   }
 
-  public async getApplicationManagedResources(applicationName: string) {
+  public async getApplicationManagedResources(
+    applicationName: string,
+    filters?: {
+      namespace?: string;
+      name?: string;
+      version?: string;
+      group?: string;
+      kind?: string;
+      appNamespace?: string;
+      project?: string;
+    }
+  ) {
     const { body } = await this.client.get<{ items: V1alpha1ResourceDiff[] }>(
-      `/api/v1/applications/${applicationName}/managed-resources`
+      `/api/v1/applications/${applicationName}/managed-resources`,
+      filters
     );
     return body;
   }

src/server/server.ts

@@ -25,6 +25,12 @@ export class Server extends McpServer {
     });
     this.argocdClient = new ArgoCDClient(serverInfo.argocdBaseUrl, serverInfo.argocdApiToken);
 
+    const isReadOnly =
+      String(process.env.MCP_READ_ONLY ?? '')
+        .trim()
+        .toLowerCase() === 'true';
+
+    // Always register read/query tools
     this.addJsonOutputTool(
       'list_applications',
       'list_applications returns list of applications',
@@ -45,35 +51,6 @@ export class Server extends McpServer {
       { applicationName: z.string() },
       async ({ applicationName }) => await this.argocdClient.getApplication(applicationName)
     );
-    this.addJsonOutputTool(
-      'create_application',
-      'create_application creates application',
-      { application: ApplicationSchema },
-      async ({ application }) =>
-        await this.argocdClient.createApplication(application as V1alpha1Application)
-    );
-    this.addJsonOutputTool(
-      'update_application',
-      'update_application updates application',
-      { applicationName: z.string(), application: ApplicationSchema },
-      async ({ applicationName, application }) =>
-        await this.argocdClient.updateApplication(
-          applicationName,
-          application as V1alpha1Application
-        )
-    );
-    this.addJsonOutputTool(
-      'delete_application',
-      'delete_application deletes application',
-      { applicationName: z.string() },
-      async ({ applicationName }) => await this.argocdClient.deleteApplication(applicationName)
-    );
-    this.addJsonOutputTool(
-      'sync_application',
-      'sync_application syncs application',
-      { applicationName: z.string() },
-      async ({ applicationName }) => await this.argocdClient.syncApplication(applicationName)
-    );
     this.addJsonOutputTool(
       'get_application_resource_tree',
       'get_application_resource_tree returns resource tree for application by application name',
@@ -83,10 +60,37 @@ export class Server extends McpServer {
     );
     this.addJsonOutputTool(
       'get_application_managed_resources',
-      'get_application_managed_resources returns managed resources for application by application name',
-      { applicationName: z.string() },
-      async ({ applicationName }) =>
-        await this.argocdClient.getApplicationManagedResources(applicationName)
+      'get_application_managed_resources returns managed resources for application by application name with optional filtering. Use filters to avoid token limits with large applications. Examples: kind="ConfigMap" for config maps only, namespace="production" for specific namespace, or combine multiple filters.',
+      {
+        applicationName: z.string(),
+        kind: z
+          .string()
+          .optional()
+          .describe(
+            'Filter by Kubernetes resource kind (e.g., "ConfigMap", "Secret", "Deployment")'
+          ),
+        namespace: z.string().optional().describe('Filter by Kubernetes namespace'),
+        name: z.string().optional().describe('Filter by resource name'),
+        version: z.string().optional().describe('Filter by resource API version'),
+        group: z.string().optional().describe('Filter by API group'),
+        appNamespace: z.string().optional().describe('Filter by Argo CD application namespace'),
+        project: z.string().optional().describe('Filter by Argo CD project')
+      },
+      async ({ applicationName, kind, namespace, name, version, group, appNamespace, project }) => {
+        const filters = {
+          ...(kind && { kind }),
+          ...(namespace && { namespace }),
+          ...(name && { name }),
+          ...(version && { version }),
+          ...(group && { group }),
+          ...(appNamespace && { appNamespace }),
+          ...(project && { project })
+        };
+        return await this.argocdClient.getApplicationManagedResources(
+          applicationName,
+          Object.keys(filters).length > 0 ? filters : undefined
+        );
+      }
     );
     this.addJsonOutputTool(
       'get_application_workload_logs',
@@ -149,23 +153,56 @@ export class Server extends McpServer {
           resourceRef as V1alpha1ResourceResult
         )
     );
-    this.addJsonOutputTool(
-      'run_resource_action',
-      'run_resource_action runs an action on a resource',
-      {
-        applicationName: z.string(),
-        applicationNamespace: ApplicationNamespaceSchema,
-        resourceRef: ResourceRefSchema,
-        action: z.string()
-      },
-      async ({ applicationName, applicationNamespace, resourceRef, action }) =>
-        await this.argocdClient.runResourceAction(
-          applicationName,
-          applicationNamespace,
-          resourceRef as V1alpha1ResourceResult,
-          action
-        )
-    );
+
+    // Only register modification tools if not in read-only mode
+    if (!isReadOnly) {
+      this.addJsonOutputTool(
+        'create_application',
+        'create_application creates application',
+        { application: ApplicationSchema },
+        async ({ application }) =>
+          await this.argocdClient.createApplication(application as V1alpha1Application)
+      );
+      this.addJsonOutputTool(
+        'update_application',
+        'update_application updates application',
+        { applicationName: z.string(), application: ApplicationSchema },
+        async ({ applicationName, application }) =>
+          await this.argocdClient.updateApplication(
+            applicationName,
+            application as V1alpha1Application
+          )
+      );
+      this.addJsonOutputTool(
+        'delete_application',
+        'delete_application deletes application',
+        { applicationName: z.string() },
+        async ({ applicationName }) => await this.argocdClient.deleteApplication(applicationName)
+      );
+      this.addJsonOutputTool(
+        'sync_application',
+        'sync_application syncs application',
+        { applicationName: z.string() },
+        async ({ applicationName }) => await this.argocdClient.syncApplication(applicationName)
+      );
+      this.addJsonOutputTool(
+        'run_resource_action',
+        'run_resource_action runs an action on a resource',
+        {
+          applicationName: z.string(),
+          applicationNamespace: ApplicationNamespaceSchema,
+          resourceRef: ResourceRefSchema,
+          action: z.string()
+        },
+        async ({ applicationName, applicationNamespace, resourceRef, action }) =>
+          await this.argocdClient.runResourceAction(
+            applicationName,
+            applicationNamespace,
+            resourceRef as V1alpha1ResourceResult,
+            action
+          )
+      );
+    }
   }
 
   private addJsonOutputTool<Args extends ZodRawShape, T>(