diff --git a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceCollectionExtensions.cs b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceCollectionExtensions.cs index 47fc2db6e8..36c5702a6a 100644 --- a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceCollectionExtensions.cs +++ b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceCollectionExtensions.cs @@ -48,7 +48,7 @@ public static IServiceCollection AddAzureMcpServer(this IServiceCollection servi { Namespace = serviceStartOptions.Namespace, ReadOnly = serviceStartOptions.ReadOnly ?? false, - InsecureDisableElicitation = serviceStartOptions.InsecureDisableElicitation, + DangerouslyDisableElicitation = serviceStartOptions.DangerouslyDisableElicitation, Tool = serviceStartOptions.Tool, }; @@ -142,7 +142,7 @@ public static IServiceCollection AddAzureMcpServer(this IServiceCollection servi var utilityToolLoaderOptions = new ToolLoaderOptions( Namespace: Discovery.DiscoveryConstants.UtilityNamespaces, ReadOnly: defaultToolLoaderOptions.ReadOnly, - InsecureDisableElicitation: defaultToolLoaderOptions.InsecureDisableElicitation, + DangerouslyDisableElicitation: defaultToolLoaderOptions.DangerouslyDisableElicitation, Tool: defaultToolLoaderOptions.Tool ); diff --git a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs index 1b93932300..457282fec2 100644 --- a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs +++ b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs 
@@ -81,7 +81,7 @@ protected override void RegisterOptions(Command command) command.Options.Add(ServiceOptionDefinitions.ReadOnly); command.Options.Add(ServiceOptionDefinitions.Debug); command.Options.Add(ServiceOptionDefinitions.DangerouslyDisableHttpIncomingAuth); - command.Options.Add(ServiceOptionDefinitions.InsecureDisableElicitation); + command.Options.Add(ServiceOptionDefinitions.DangerouslyDisableElicitation); command.Options.Add(ServiceOptionDefinitions.OutgoingAuthStrategy); command.Options.Add(ServiceOptionDefinitions.DangerouslyWriteSupportLogsToDir); command.Validators.Add(commandResult => @@ -158,7 +158,7 @@ protected override ServiceStartOptions BindOptions(ParseResult parseResult) ReadOnly = parseResult.GetValueOrDefault(ServiceOptionDefinitions.ReadOnly.Name), Debug = parseResult.GetValueOrDefault(ServiceOptionDefinitions.Debug.Name), DangerouslyDisableHttpIncomingAuth = parseResult.GetValueOrDefault(ServiceOptionDefinitions.DangerouslyDisableHttpIncomingAuth.Name), - InsecureDisableElicitation = parseResult.GetValueOrDefault(ServiceOptionDefinitions.InsecureDisableElicitation.Name), + DangerouslyDisableElicitation = parseResult.GetValueOrDefault(ServiceOptionDefinitions.DangerouslyDisableElicitation.Name), OutgoingAuthStrategy = outgoingAuthStrategy, SupportLoggingFolder = parseResult.GetValueOrDefault(ServiceOptionDefinitions.DangerouslyWriteSupportLogsToDir.Name) }; 
@@ -217,7 +217,7 @@ internal static void LogStartTelemetry(ITelemetryService telemetryService, Servi activity.SetTag(TagName.Transport, options.Transport); activity.SetTag(TagName.ServerMode, options.Mode); activity.SetTag(TagName.IsReadOnly, options.ReadOnly); - activity.SetTag(TagName.InsecureDisableElicitation, options.InsecureDisableElicitation); + activity.SetTag(TagName.DangerouslyDisableElicitation, options.DangerouslyDisableElicitation); activity.SetTag(TagName.DangerouslyDisableHttpIncomingAuth, options.DangerouslyDisableHttpIncomingAuth); activity.SetTag(TagName.IsDebug, options.Debug); diff --git a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/BaseToolLoader.cs b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/BaseToolLoader.cs index 30faaec4bf..e2dbaa6ef8 100644 --- a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/BaseToolLoader.cs +++ b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/BaseToolLoader.cs @@ -157,7 +157,7 @@ protected McpClientOptions CreateClientOptions(McpServer server) /// /// The request context containing the MCP server. /// The name of the tool being invoked. - /// Whether elicitation has been disabled via insecure option. + /// Whether elicitation has been disabled via dangerous option. /// Logger instance for recording elicitation events. /// Cancellation token for the operation. /// 
@@ -167,14 +167,14 @@ protected McpClientOptions CreateClientOptions(McpServer server) protected static async Task HandleSecretElicitationAsync( RequestContext request, string toolName, - bool insecureDisableElicitation, + bool dangerouslyDisableElicitation, ILogger logger, CancellationToken cancellationToken) { - // Check if elicitation is disabled by insecure option - if (insecureDisableElicitation) + // Check if elicitation is disabled by dangerous option + if (dangerouslyDisableElicitation) { - logger.LogWarning("Tool '{Tool}' handles sensitive data but elicitation is disabled via --insecure-disable-elicitation. Proceeding without user consent (INSECURE).", toolName); + logger.LogWarning("Tool '{Tool}' handles sensitive data but elicitation is disabled via --dangerously-disable-elicitation. Proceeding without user consent.", toolName); return null; } diff --git a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/CommandFactoryToolLoader.cs b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/CommandFactoryToolLoader.cs index 38b54182ad..7a40cb6c0d 100644 --- a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/CommandFactoryToolLoader.cs +++ b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/CommandFactoryToolLoader.cs @@ -158,7 +158,7 @@ public override async ValueTask CallToolHandler(RequestContext InvokeChildToolAsync( var elicitationResult = await HandleSecretElicitationAsync( request, $"{namespaceName} {command}", - _options.Value.InsecureDisableElicitation, + _options.Value.DangerouslyDisableElicitation, _logger, cancellationToken); diff --git a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/ToolLoaderOptions.cs b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/ToolLoaderOptions.cs index dfaeb17856..349d36c1db 100644 --- a/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/ToolLoaderOptions.cs +++ b/core/Azure.Mcp.Core/src/Areas/Server/Commands/ToolLoading/ToolLoaderOptions.cs 
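Review bot: The rewritten `LogWarning` in `HandleSecretElicitationAsync` (BaseToolLoader.cs) drops the `(INSECURE)` marker and hard-codes the new flag text, so any log search or alert keyed on the old flag name or on that marker stops matching after this change. Of the code visible in this diff, this warning is the only per-invocation record that a secret-handling tool ran without user consent, so a stable marker is worth keeping; ending the message with `Proceeding without user consent (DANGEROUS).` would match the wording the docs hunks use. The flag text could also be passed as a template argument built from `ServiceOptionDefinitions.DangerouslyDisableElicitationName`, so the message cannot drift from the option again. The method body continues past the end of the hunk.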
@@ -9,6 +9,6 @@ namespace Azure.Mcp.Core.Areas.Server.Commands.ToolLoading; /// /// The namespaces to filter commands by. If null or empty, all commands will be included. /// Whether the tool loader should operate in read-only mode. When true, only tools marked as read-only will be exposed. -/// Whether elicitation is disabled (insecure mode). When true, elicitation will always be treated as accepted. +/// Whether elicitation is disabled (dangerous mode). When true, elicitation will always be treated as accepted. /// The specific tool names to filter by. When specified, only these tools will be exposed. -public sealed record ToolLoaderOptions(string[]? Namespace = null, bool ReadOnly = false, bool InsecureDisableElicitation = false, string[]? Tool = null); +public sealed record ToolLoaderOptions(string[]? Namespace = null, bool ReadOnly = false, bool DangerouslyDisableElicitation = false, string[]? Tool = null); diff --git a/core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceOptionDefinitions.cs b/core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceOptionDefinitions.cs index 0cb4a951e1..9c927ea99e 100644 --- a/core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceOptionDefinitions.cs +++ b/core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceOptionDefinitions.cs @@ -12,7 +12,7 @@ public static class ServiceOptionDefinitions public const string ReadOnlyName = "read-only"; public const string DebugName = "debug"; public const string DangerouslyDisableHttpIncomingAuthName = "dangerously-disable-http-incoming-auth"; - public const string InsecureDisableElicitationName = "insecure-disable-elicitation"; + public const string DangerouslyDisableElicitationName = "dangerously-disable-elicitation"; public const string OutgoingAuthStrategyName = "outgoing-auth-strategy"; public const string DangerouslyWriteSupportLogsToDirName = "dangerously-write-support-logs-to-dir"; 
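Review bot: In the ServiceOptionDefinitions.cs hunk, changing the constant to `DangerouslyDisableElicitationName = "dangerously-disable-elicitation"` retires `--insecure-disable-elicitation` outright, with no alias and no migration message. Failing closed is the safer outcome, since an old command line can no longer silently switch consent prompts off, but it should be a recorded decision: existing automation that passes the old flag will presumably stop with a parse error. The CHANGELOG hunks later in this diff appear to rewrite the original feature entry rather than add a breaking-change entry for this release. If the hard break is intended, add that entry and a comment on the constant such as `// Renamed from "insecure-disable-elicitation"; the old spelling is intentionally not accepted.`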
@@ -77,8 +77,8 @@ public static class ServiceOptionDefinitions DefaultValueFactory = _ => false }; - public static readonly Option InsecureDisableElicitation = new( - $"--{InsecureDisableElicitationName}") + public static readonly Option DangerouslyDisableElicitation = new( + $"--{DangerouslyDisableElicitationName}") { Required = false, Description = "Disable elicitation (user confirmation) before allowing high risk commands to run, such as returning Secrets (passwords) from KeyVault.", diff --git a/core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceStartOptions.cs b/core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceStartOptions.cs index dd3c6256f3..4a47361e81 100644 --- a/core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceStartOptions.cs +++ b/core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceStartOptions.cs @@ -60,11 +60,11 @@ public class ServiceStartOptions public bool DangerouslyDisableHttpIncomingAuth { get; set; } = false; /// - /// Gets or sets whether elicitation (user confirmation for high-risk operations like accessing secrets) is disabled (insecure mode). + /// Gets or sets whether elicitation (user confirmation for high-risk operations like accessing secrets) is disabled (dangerous mode). /// When true, elicitation will always be treated as accepted without user confirmation. /// - [JsonPropertyName("insecureDisableElicitation")] - public bool InsecureDisableElicitation { get; set; } = false; + [JsonPropertyName("dangerouslyDisableElicitation")] + public bool DangerouslyDisableElicitation { get; set; } = false; /// /// Gets or sets the outgoing authentication strategy for Azure service requests. diff --git a/core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Areas/Server/Commands/ToolLoading/CommandFactoryToolLoaderTests.cs b/core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Areas/Server/Commands/ToolLoading/CommandFactoryToolLoaderTests.cs index 38c6149390..c4ff70f9dc 100644 
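Review bot: The `[JsonPropertyName("dangerouslyDisableElicitation")]` change in the ServiceStartOptions.cs hunk alters the serialized contract, not only a C# identifier. If this type is ever deserialized from stored or client-supplied JSON (not visible in this diff), a payload that still uses `insecureDisableElicitation` would be ignored under System.Text.Json defaults and the property would stay `false` without any error; that is safe but silent. Anything that reads the serialized options to audit whether consent prompts are off would also need the new key. A line in the XML doc comment such as `/// Serialized as "dangerouslyDisableElicitation" (formerly "insecureDisableElicitation").` would make the change visible to those consumers.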
--- a/core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Areas/Server/Commands/ToolLoading/CommandFactoryToolLoaderTests.cs +++ b/core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Areas/Server/Commands/ToolLoading/CommandFactoryToolLoaderTests.cs @@ -648,10 +648,10 @@ public async Task CallToolHandler_WithNonSecretTool_DoesNotTriggerElicitation() } [Fact] - public async Task CallToolHandler_WithSecretTool_WhenInsecureDisableElicitationEnabled_BypassesElicitation() + public async Task CallToolHandler_WithSecretTool_WhenDangerouslyDisableElicitationEnabled_BypassesElicitation() { - // Create tool loader with insecure disable elicitation enabled - var options = new ToolLoaderOptions(InsecureDisableElicitation: true); + // Create tool loader with dangerously disable elicitation enabled + var options = new ToolLoaderOptions(DangerouslyDisableElicitation: true); var (toolLoader, commandFactory) = CreateToolLoader(options); // Add the fake secret command to the command factory @@ -693,10 +693,10 @@ public async Task CallToolHandler_WithSecretTool_WhenInsecureDisableElicitationE } [Fact] - public async Task CallToolHandler_WithSecretTool_WhenInsecureDisableElicitationDisabled_StillRequiresElicitation() + public async Task CallToolHandler_WithSecretTool_WhenDangerouslyDisableElicitationDisabled_StillRequiresElicitation() { - // Create tool loader with insecure disable elicitation disabled (default) - var options = new ToolLoaderOptions(InsecureDisableElicitation: false); + // Create tool loader with dangerously disable elicitation disabled (default) + var options = new ToolLoaderOptions(DangerouslyDisableElicitation: false); var (toolLoader, commandFactory) = CreateToolLoader(options); // Add the fake secret command to the command factory 
@@ -735,23 +735,23 @@ public async Task CallToolHandler_WithSecretTool_WhenInsecureDisableElicitationD } [Fact] - public void ToolLoaderOptions_DefaultInsecureDisableElicitation_IsFalse() + public void ToolLoaderOptions_DefaultDangerouslyDisableElicitation_IsFalse() { // Arrange & Act var options = new ToolLoaderOptions(); // Assert - Assert.False(options.InsecureDisableElicitation); + Assert.False(options.DangerouslyDisableElicitation); } [Fact] - public void ToolLoaderOptions_WithInsecureDisableElicitationTrue_IsSetCorrectly() + public void ToolLoaderOptions_WithDangerouslyDisableElicitationTrue_IsSetCorrectly() { // Arrange & Act - var options = new ToolLoaderOptions(InsecureDisableElicitation: true); + var options = new ToolLoaderOptions(DangerouslyDisableElicitation: true); // Assert - Assert.True(options.InsecureDisableElicitation); + Assert.True(options.DangerouslyDisableElicitation); } [Fact] diff --git a/core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Areas/Server/ServiceStartCommandTests.cs b/core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Areas/Server/ServiceStartCommandTests.cs index 4465af5a86..f5c663a3c7 100644 --- a/core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Areas/Server/ServiceStartCommandTests.cs +++ b/core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Areas/Server/ServiceStartCommandTests.cs 
@@ -56,41 +56,41 @@ public void ServiceOption_ParsesCorrectly(string? inputService, string expectedS [Theory] [InlineData(true)] [InlineData(false)] - public void InsecureDisableElicitationOption_ParsesCorrectly(bool expectedValue) + public void DangerouslyDisableElicitationOption_ParsesCorrectly(bool expectedValue) { // Arrange - var parseResult = CreateParseResultWithInsecureDisableElicitation(expectedValue); + var parseResult = CreateParseResultWithDangerouslyDisableElicitation(expectedValue); // Act - var actualValue = parseResult.GetValue(ServiceOptionDefinitions.InsecureDisableElicitation); + var actualValue = parseResult.GetValue(ServiceOptionDefinitions.DangerouslyDisableElicitation); // Assert Assert.Equal(expectedValue, actualValue); } [Fact] - public void InsecureDisableElicitationOption_DefaultsToFalse() + public void DangerouslyDisableElicitationOption_DefaultsToFalse() { // Arrange var parseResult = CreateParseResult(null); // Act - var actualValue = parseResult.GetValue(ServiceOptionDefinitions.InsecureDisableElicitation); + var actualValue = parseResult.GetValue(ServiceOptionDefinitions.DangerouslyDisableElicitation); // Assert Assert.False(actualValue); } [Fact] - public void AllOptionsRegistered_IncludesInsecureDisableElicitation() + public void AllOptionsRegistered_IncludesDangerouslyDisableElicitation() { // Arrange & Act var command = _command.GetCommand(); // Assert - var hasInsecureDisableElicitationOption = command.Options.Any(o => - o.Name == ServiceOptionDefinitions.InsecureDisableElicitation.Name); - Assert.True(hasInsecureDisableElicitationOption, "InsecureDisableElicitation option should be registered"); + var hasDangerouslyDisableElicitationOption = command.Options.Any(o => + o.Name == ServiceOptionDefinitions.DangerouslyDisableElicitation.Name); + Assert.True(hasDangerouslyDisableElicitationOption, "DangerouslyDisableElicitation option should be registered"); } [Fact] 
@@ -224,7 +224,7 @@ public void BindOptions_WithAllOptions_ReturnsCorrectlyConfiguredOptions() Assert.True(options.ReadOnly); Assert.True(options.Debug); Assert.False(options.DangerouslyDisableHttpIncomingAuth); - Assert.True(options.InsecureDisableElicitation); + Assert.True(options.DangerouslyDisableElicitation); } [Fact] @@ -278,7 +278,7 @@ public void BindOptions_WithDefaults_ReturnsDefaultValues() Assert.False(options.ReadOnly); // Default readonly Assert.False(options.Debug); Assert.False(options.DangerouslyDisableHttpIncomingAuth); - Assert.False(options.InsecureDisableElicitation); + Assert.False(options.DangerouslyDisableElicitation); Assert.Null(options.SupportLoggingFolder); } @@ -630,7 +630,7 @@ public void InitializedHandler_SetsStartupInformation() ReadOnly = false, Debug = true, Namespace = ["storage", "keyvault"], - InsecureDisableElicitation = false, + DangerouslyDisableElicitation = false, DangerouslyDisableHttpIncomingAuth = true, }; var activity = new Activity("test-activity"); @@ -647,8 +647,8 @@ public void InitializedHandler_SetsStartupInformation() var dangerouslyDisableHttpIncomingAuth = GetAndAssertTagKeyValue(activity, TagName.DangerouslyDisableHttpIncomingAuth); Assert.Equal(serviceStartOptions.DangerouslyDisableHttpIncomingAuth, dangerouslyDisableHttpIncomingAuth); - var insecureDisableElicitation = GetAndAssertTagKeyValue(activity, TagName.InsecureDisableElicitation); - Assert.Equal(serviceStartOptions.InsecureDisableElicitation, insecureDisableElicitation); + var dangerouslyDisableElicitation = GetAndAssertTagKeyValue(activity, TagName.DangerouslyDisableElicitation); + Assert.Equal(serviceStartOptions.DangerouslyDisableElicitation, dangerouslyDisableElicitation); var transport = GetAndAssertTagKeyValue(activity, TagName.Transport); Assert.Equal(serviceStartOptions.Transport, transport); 
@@ -680,7 +680,7 @@ public void InitializedHandler_SetsCorrectInformationWhenNull() Mode = null, ReadOnly = true, Debug = false, - InsecureDisableElicitation = true, + DangerouslyDisableElicitation = true, DangerouslyDisableHttpIncomingAuth = false, }; var activity = new Activity("test-activity"); @@ -699,8 +699,8 @@ public void InitializedHandler_SetsCorrectInformationWhenNull() var dangerouslyDisableHttpIncomingAuth = GetAndAssertTagKeyValue(activity, TagName.DangerouslyDisableHttpIncomingAuth); Assert.Equal(serviceStartOptions.DangerouslyDisableHttpIncomingAuth, dangerouslyDisableHttpIncomingAuth); - var insecureDisableElicitation = GetAndAssertTagKeyValue(activity, TagName.InsecureDisableElicitation); - Assert.Equal(serviceStartOptions.InsecureDisableElicitation, insecureDisableElicitation); + var dangerouslyDisableElicitation = GetAndAssertTagKeyValue(activity, TagName.DangerouslyDisableElicitation); + Assert.Equal(serviceStartOptions.DangerouslyDisableElicitation, dangerouslyDisableElicitation); var transport = GetAndAssertTagKeyValue(activity, TagName.Transport); Assert.Equal(serviceStartOptions.Transport, transport); @@ -738,7 +738,7 @@ private static ParseResult CreateParseResult(string? serviceValue) return root.Parse([.. args]); } - private ParseResult CreateParseResultWithInsecureDisableElicitation(bool insecureDisableElicitation) + private ParseResult CreateParseResultWithDangerouslyDisableElicitation(bool dangerouslyDisableElicitation) { var args = new List { @@ -746,9 +746,9 @@ private ParseResult CreateParseResultWithInsecureDisableElicitation(bool insecur "stdio" }; - if (insecureDisableElicitation) + if (dangerouslyDisableElicitation) { - args.Add("--insecure-disable-elicitation"); + args.Add("--dangerously-disable-elicitation"); } return _command.GetCommand().Parse([.. args]); 
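Review bot: No test in the ServiceStartCommandTests.cs hunks checks what happens to the retired `--insecure-disable-elicitation` spelling; the helper `CreateParseResultWithDangerouslyDisableElicitation` and its callers only exercise the new flag. Keeping the literal `"--dangerously-disable-elicitation"` in the helper is useful because it pins the public spelling, but a companion test should pin the fail-closed behaviour for the old one. It would parse the old flag and assert that `ParseResult.Errors` is non-empty and that `GetValue(ServiceOptionDefinitions.DangerouslyDisableElicitation)` is `false`, assuming the parser treats unmatched tokens as errors, which this diff does not show. The helper's body runs past the end of the last hunk on this line.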
@@ -807,7 +807,7 @@ private ParseResult CreateParseResultWithAllOptions() "--mode", "all", "--read-only", "--debug", - "--insecure-disable-elicitation" + "--dangerously-disable-elicitation" }; return _command.GetCommand().Parse([.. args]); diff --git a/core/Microsoft.Mcp.Core/src/Commands/TelemetryConstants.cs b/core/Microsoft.Mcp.Core/src/Commands/TelemetryConstants.cs index 9abbd9ec0a..da86bd15e4 100644 --- a/core/Microsoft.Mcp.Core/src/Commands/TelemetryConstants.cs +++ b/core/Microsoft.Mcp.Core/src/Commands/TelemetryConstants.cs @@ -24,7 +24,7 @@ public class TagName public const string IsReadOnly = "IsReadOnly"; public const string Namespace = "Namespace"; public const string ToolCount = "ToolCount"; - public const string InsecureDisableElicitation = "InsecureDisableElicitation"; + public const string DangerouslyDisableElicitation = "DangerouslyDisableElicitation"; public const string IsDebug = "IsDebug"; public const string DangerouslyDisableHttpIncomingAuth = "DangerouslyDisableHttpIncomingAuth"; public const string Tool = "Tool"; diff --git a/servers/Azure.Mcp.Server/CHANGELOG.md b/servers/Azure.Mcp.Server/CHANGELOG.md index 903b306b1c..1c173d87a5 100644 --- a/servers/Azure.Mcp.Server/CHANGELOG.md +++ b/servers/Azure.Mcp.Server/CHANGELOG.md 
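Review bot: In the TelemetryConstants.cs hunk, the tag value changes from `"InsecureDisableElicitation"` to `"DangerouslyDisableElicitation"`, which changes the key that `LogStartTelemetry` emits on the start activity. Dashboards or detection queries that track servers started with consent prompts disabled will return nothing for new builds until they accept the new key, and nothing in this diff shows those consumers being updated. Please confirm the queries match both keys during rollout, and consider a comment on the constant such as `// Emitted as "InsecureDisableElicitation" before the --dangerously-disable-elicitation rename.`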
@@ -635,7 +635,7 @@ For a complete history of pre-release changes, see versions [0.9.9](#099-2025-10 ### Features Added -- Added the `--insecure-disable-elicitation` server startup switch. When enabled, the server will bypass user confirmation (elicitation) for tools marked as handling secrets and execute them immediately. This is **INSECURE** and meant only for controlled automation scenarios (e.g., CI or disposable test environments) because it removes a safety barrier that helps prevent accidental disclosure of sensitive data. [[#486](https://github.com/microsoft/mcp/pull/486)] +- Added the `--dangerously-disable-elicitation` server startup switch. When enabled, the server will bypass user confirmation (elicitation) for tools marked as handling secrets and execute them immediately. This is **DANGEROUS** and meant only for controlled automation scenarios (e.g., CI or disposable test environments) because it removes a safety barrier that helps prevent accidental disclosure of sensitive data. [[#486](https://github.com/microsoft/mcp/pull/486)] - Enhanced Azure authentication with targeted credential selection via the `AZURE_TOKEN_CREDENTIALS` environment variable: [[#56](https://github.com/microsoft/mcp/pull/56)] - `"dev"`: Development credentials (Visual Studio → Visual Studio Code → Azure CLI → Azure PowerShell → Azure Developer CLI) - `"prod"`: Production credentials (Environment → Workload Identity → Managed Identity) diff --git a/servers/Azure.Mcp.Server/docs/azmcp-commands.md b/servers/Azure.Mcp.Server/docs/azmcp-commands.md index 69b07ffc70..6e1df46d73 100644 --- a/servers/Azure.Mcp.Server/docs/azmcp-commands.md +++ b/servers/Azure.Mcp.Server/docs/azmcp-commands.md 
@@ -181,9 +181,9 @@ The `azmcp server start` command supports the following options: | `--read-only` | No | `false` | Only expose read-only operations | | `--debug` | No | `false` | Enable verbose debug logging to stderr | | `--dangerously-disable-http-incoming-auth` | No | false | Dangerously disable HTTP incoming authentication | -| `--insecure-disable-elicitation` | No | `false` | **⚠️ INSECURE**: Disable user consent prompts for sensitive operations | +| `--dangerously-disable-elicitation` | No | `false` | **⚠️ DANGEROUS**: Disable user consent prompts for sensitive operations | -> **⚠️ Security Warning for `--insecure-disable-elicitation`:** +> **⚠️ Security Warning for `--dangerously-disable-elicitation`:** > > This option disables user confirmations (elicitations) before running tools that read sensitive data. When enabled: > - Tools that handle secrets, credentials, or sensitive data will execute without user confirmation @@ -194,7 +194,7 @@ The `azmcp server start` command supports the following options: > **Example usage (use with caution):** > ```bash > # For automated scenarios only - bypasses security prompts -> azmcp server start --insecure-disable-elicitation +> azmcp server start --dangerously-disable-elicitation > ``` #### Server Info 
@@ -1107,7 +1107,7 @@ Tools that handle sensitive data such as secrets require user consent before exe > - Certificate private keys > - Other confidential data > -> These prompts protect against unauthorized access to sensitive information. You can bypass elicitation in automated scenarios using the `--insecure-disable-elicitation` server start option, but this should only be used in trusted environments. +> These prompts protect against unauthorized access to sensitive information. You can bypass elicitation in automated scenarios using the `--dangerously-disable-elicitation` server start option, but this should only be used in trusted environments. ```bash # Creates a secret in a key vault (will prompt for user consent) diff --git a/servers/Azure.Mcp.Server/vscode/CHANGELOG.md b/servers/Azure.Mcp.Server/vscode/CHANGELOG.md index c0ae4ae236..2e1335c894 100644 --- a/servers/Azure.Mcp.Server/vscode/CHANGELOG.md +++ b/servers/Azure.Mcp.Server/vscode/CHANGELOG.md 
@@ -523,7 +523,7 @@ For a complete history of pre-release changes, see versions [0.9.9](#099-2025-10 ### Added -- Added the `--insecure-disable-elicitation` server startup switch. When enabled, the server will bypass user confirmation (elicitation) for tools marked as handling secrets and execute them immediately. This is **INSECURE** and meant only for controlled automation scenarios (e.g., CI or disposable test environments) because it removes a safety barrier that helps prevent accidental disclosure of sensitive data. [[#486](https://github.com/microsoft/mcp/pull/486)] +- Added the `--dangerously-disable-elicitation` server startup switch. When enabled, the server will bypass user confirmation (elicitation) for tools marked as handling secrets and execute them immediately. This is **DANGEROUS** and meant only for controlled automation scenarios (e.g., CI or disposable test environments) because it removes a safety barrier that helps prevent accidental disclosure of sensitive data. [[#486](https://github.com/microsoft/mcp/pull/486)] - Enhanced Azure authentication with targeted credential selection via the `AZURE_TOKEN_CREDENTIALS` environment variable: [[#56](https://github.com/microsoft/mcp/pull/56)] - `"dev"`: Development credentials (Visual Studio → Visual Studio Code → Azure CLI → Azure PowerShell → Azure Developer CLI) - `"prod"`: Production credentials (Environment → Workload Identity → Managed Identity)