Merge branch 'main' into telemetry-2

Author: blva

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+*          @mongodb-js/mcp-server-developers
+**/atlas   @blva @fmenezes
+**/mongodb @nirinchev @gagik

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/code_health.yaml

@@ -5,35 +5,13 @@ on:
     branches:
       - main
   pull_request:
-jobs:
-  check-style:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: package.json
-          cache: "npm"
-      - name: Install dependencies
-        run: npm ci
-      - name: Run style check
-        run: npm run check
 
-  check-generate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: package.json
-          cache: "npm"
-      - name: Install dependencies
-        run: npm ci
-      - run: npm run generate
+permissions: {}
 
+jobs:
   run-tests:
+    name: Run MongoDB tests
+    if: github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
@@ -59,6 +37,8 @@ jobs:
           path: coverage/lcov.info
 
   run-atlas-tests:
+    name: Run Atlas tests
+    if: github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
@@ -81,10 +61,12 @@ jobs:
         with:
           name: atlas-test-results
           path: coverage/lcov.info
+
   coverage:
+    name: Run MongoDB tests
+    if: always() && github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     needs: [run-tests, run-atlas-tests]
-    if: always()
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4

.github/workflows/code_health_fork.yaml

@@ -0,0 +1,106 @@
+---
+name: Code Health (fork)
+on:
+  pull_request_target:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  run-tests:
+    name: Run MongoDB tests
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Run tests
+        run: npm test
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-results
+          path: coverage/lcov.info
+
+  run-atlas-tests:
+    name: Run Atlas tests
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Run tests
+        env:
+          MDB_MCP_API_CLIENT_ID: ${{ secrets.TEST_ATLAS_CLIENT_ID }}
+          MDB_MCP_API_CLIENT_SECRET: ${{ secrets.TEST_ATLAS_CLIENT_SECRET }}
+          MDB_MCP_API_BASE_URL: ${{ vars.TEST_ATLAS_BASE_URL }}
+        run: npm test -- --testPathIgnorePatterns "tests/integration/tools/mongodb" --testPathIgnorePatterns "tests/integration/[^/]+\.ts"
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: atlas-test-results
+          path: coverage/lcov.info
+
+  coverage:
+    name: Report Coverage
+    if: always() && github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+    runs-on: ubuntu-latest
+    needs: [run-tests, run-atlas-tests]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Download test results
+        uses: actions/download-artifact@v4
+        with:
+          name: test-results
+          path: coverage/mongodb
+      - name: Download atlas test results
+        uses: actions/download-artifact@v4
+        with:
+          name: atlas-test-results
+          path: coverage/atlas
+      - name: Merge coverage reports
+        run: |
+          npx -y [email protected] "coverage/*/lcov.info" "coverage/lcov.info"
+      - name: Coveralls GitHub Action
+        uses: coverallsapp/[email protected]
+        with:
+          file: coverage/lcov.info
+          git-branch: ${{ github.head_ref || github.ref_name }}
+          git-commit: ${{ github.event.pull_request.head.sha || github.sha }}
+
+  merge-dependabot-pr:
+    name: Merge Dependabot PR
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
+    needs:
+      - coverage
+    steps:
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/codeql.yml

@@ -0,0 +1,34 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "35 4 * * 4"
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - actions
+          - javascript-typescript
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/lint.yml

@@ -0,0 +1,37 @@
+---
+name: Lint
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions: {}
+
+jobs:
+  check-style:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Run style check
+        run: npm run check
+
+  check-generate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - run: npm run generate

.github/workflows/prepare_release.yaml

@@ -10,6 +10,8 @@ on:
         required: true
         default: "patch"
 
+permissions: {}
+
 jobs:
   create-pr:
     runs-on: ubuntu-latest

.github/workflows/publish.yaml

@@ -4,11 +4,11 @@ on:
   push:
     branches:
       - main
-permissions:
-  contents: write
+
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       VERSION_EXISTS: ${{ steps.check-version.outputs.VERSION_EXISTS }}
       VERSION: ${{ steps.get-version.outputs.VERSION }}
@@ -45,7 +45,10 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     environment: Production
-    needs: check
+    permissions:
+      contents: write
+    needs:
+      - check
     if: needs.check.outputs.VERSION_EXISTS == 'false'
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1

.prettierrc.json

@@ -27,7 +27,7 @@
       }
     },
     {
-      "files": "*.yaml",
+      "files": ["*.yaml", "*.yml"],
       "options": {
         "tabWidth": 2,
         "printWidth": 80

README.md

@@ -150,6 +150,7 @@ The MongoDB MCP Server can be configured using multiple methods, with the follow
 | `connectionString` | MongoDB connection string for direct database connections (optional users may choose to inform it on every tool call) |
 | `logPath`          | Folder to store logs                                                                                                  |
 | `disabledTools`    | An array of tool names, operation types, and/or categories of tools that will be disabled.                            |
+| `readOnly`         | When set to true, only allows read and metadata operation types, disabling create/update/delete operations            |
 
 #### `logPath`
 
@@ -181,6 +182,19 @@ Operation types:
 - `read` - Tools that read resources, such as find, aggregate, list clusters, etc.
 - `metadata` - Tools that read metadata, such as list databases, list collections, collection schema, etc.
 
+#### Read-Only Mode
+
+The `readOnly` configuration option allows you to restrict the MCP server to only use tools with "read" and "metadata" operation types. When enabled, all tools that have "create", "update" or "delete" operation types will not be registered with the server.
+
+This is useful for scenarios where you want to provide access to MongoDB data for analysis without allowing any modifications to the data or infrastructure.
+
+You can enable read-only mode using:
+
+- **Environment variable**: `export MDB_MCP_READ_ONLY=true`
+- **Command-line argument**: `--readOnly`
+
+When read-only mode is active, you'll see a message in the server logs indicating which tools were prevented from registering due to this restriction.
+
 ### Atlas API Access
 
 To use the Atlas API tools, you'll need to create a service account in MongoDB Atlas:
@@ -221,6 +235,7 @@ export MDB_MCP_API_CLIENT_SECRET="your-atlas-client-secret"
 export MDB_MCP_CONNECTION_STRING="mongodb+srv://username:[email protected]/myDatabase"
 
 export MDB_MCP_LOG_PATH="/path/to/logs"
+
 ```
 
 #### Command-Line Arguments