Merge pull request #13 from timelfrink/feature/read-only-mode

Author: garc33

README.md

@@ -393,6 +393,7 @@ The server requires configuration in the VSCode MCP settings file. Here's a samp
   - `BITBUCKET_TOKEN`: Personal access token
   - `BITBUCKET_USERNAME` and `BITBUCKET_PASSWORD`: Basic authentication credentials
 - `BITBUCKET_DEFAULT_PROJECT` (optional): Default project key to use when not specified in tool calls
+- `BITBUCKET_READ_ONLY` (optional): Set to `true` to enable read-only mode
 
 **Note**: With the new optional project support, you can now:
 
@@ -401,6 +402,35 @@ The server requires configuration in the VSCode MCP settings file. Here's a samp
 - Use `list_repositories` to browse repositories across projects
 - Override the default project by specifying the `project` parameter in any tool call
 
+### Read-Only Mode
+
+The server supports a read-only mode for deployments where you want to prevent any modifications to your Bitbucket repositories. When enabled, only safe, non-modifying operations are available.
+
+**To enable read-only mode**: Set the environment variable `BITBUCKET_READ_ONLY=true`
+
+**Available tools in read-only mode:**
+- `list_projects` - Browse and list projects
+- `list_repositories` - Browse and list repositories  
+- `get_pull_request` - View pull request details
+- `get_diff` - View code changes and diffs
+- `get_reviews` - View review history and status
+- `get_activities` - View pull request timeline
+- `get_comments` - View pull request comments
+- `search` - Search code and files across repositories
+- `get_file_content` - Read file contents
+- `browse_repository` - Browse repository structure
+
+**Disabled tools in read-only mode:**
+- `create_pull_request` - Creating new pull requests
+- `merge_pull_request` - Merging pull requests
+- `decline_pull_request` - Declining pull requests  
+- `add_comment` - Adding comments to pull requests
+
+**Behavior:**
+- When `BITBUCKET_READ_ONLY` is not set or set to any value other than `true`, all tools function normally (backward compatible)
+- When `BITBUCKET_READ_ONLY=true`, write operations are filtered out and will return an error if called
+- This is perfect for production deployments, CI/CD integration, or any scenario where you need safe, read-only Bitbucket access
+
 ## Logging
 
 The server logs all operations to `bitbucket.log` using Winston for debugging and monitoring purposes.

src/index.ts

@@ -30,6 +30,7 @@ interface BitbucketConfig {
   username?: string;
   password?: string;
   defaultProject?: string;
+  readOnly?: boolean;
 }
 
 interface RepositoryParams {
@@ -106,7 +107,8 @@ class BitbucketServer {
       token: process.env.BITBUCKET_TOKEN,
       username: process.env.BITBUCKET_USERNAME,
       password: process.env.BITBUCKET_PASSWORD,
-      defaultProject: process.env.BITBUCKET_DEFAULT_PROJECT
+      defaultProject: process.env.BITBUCKET_DEFAULT_PROJECT,
+      readOnly: process.env.BITBUCKET_READ_ONLY === 'true'
     };
 
     if (!this.config.baseUrl) {
@@ -147,6 +149,8 @@ class BitbucketServer {
   }
 
   private setupToolHandlers() {
+    const readOnlyTools = ['list_projects', 'list_repositories', 'get_pull_request', 'get_diff', 'get_reviews', 'get_activities', 'get_comments', 'search', 'get_file_content', 'browse_repository'];
+    
     this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
       tools: [
         {
@@ -358,14 +362,22 @@ class BitbucketServer {
             required: ['repository']
           }
         }
-      ]
+      ].filter(tool => !this.config.readOnly || readOnlyTools.includes(tool.name))
     }));
 
     this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
       try {
         logger.info(`Called tool: ${request.params.name}`, { arguments: request.params.arguments });
         const args = request.params.arguments ?? {};
 
+        // Check if tool is allowed in read-only mode
+        if (this.config.readOnly && !readOnlyTools.includes(request.params.name)) {
+          throw new McpError(
+            ErrorCode.MethodNotFound,
+            `Tool ${request.params.name} is not available in read-only mode`
+          );
+        }
+
         // Helper function to get project with fallback to default
         const getProject = (providedProject?: string): string => {
           const project = providedProject || this.config.defaultProject;