codeurali
diff --git a/‎.gitignore‎
Lines changed: 20 additions & 0 deletions b/‎.gitignore‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 25 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 0 additions & 12 deletions b/‎Dockerfile‎
Lines changed: 0 additions & 12 deletions
diff --git a/‎README.md‎
Lines changed: 35 additions & 20 deletions b/‎README.md‎
Lines changed: 35 additions & 20 deletions
diff --git a/‎config.example.jsonc‎
Lines changed: 42 additions & 7 deletions b/‎config.example.jsonc‎
Lines changed: 42 additions & 7 deletions
diff --git a/‎dist/auth-provider.factory-IVYKBXVY.js‎
Lines changed: 1 addition & 0 deletions b/‎dist/auth-provider.factory-IVYKBXVY.js‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎dist/auth-provider.factory-MSMLSOX3.js‎
Lines changed: 0 additions & 1 deletion b/‎dist/auth-provider.factory-MSMLSOX3.js‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎dist/chunk-24RDOMG4.js‎
Lines changed: 0 additions & 29 deletions b/‎dist/chunk-24RDOMG4.js‎
Lines changed: 0 additions & 29 deletions
diff --git a/‎dist/chunk-KJ3HM2VM.js‎
Lines changed: 1 addition & 0 deletions b/‎dist/chunk-KJ3HM2VM.js‎
Lines changed: 1 addition & 0 deletions
@@ -13,6 +13,25 @@ coverage/
 test-output.txt
 *.local
 
+# Jekyll local dev
+docs/Gemfile.lock
+docs/_site/
+docs/_config_local.yml
+
+# Dev tooling (not needed by npm consumers)
+eslint.config.js
+jest.config.js
+tsconfig.json
+Dockerfile
+
+# Build / publish artifacts
+*.tgz
+*.zip
+.webappignore
+
+# Private planning docs
+ROADMAP-AUTH-METHODS.md
+
 # Windows
 Thumbs.db
 Desktop.ini
@@ -29,6 +48,7 @@ debug/
 !assets/logo.webp
 
 # Private planning & internal artifacts (security/privacy)
+workdoc/
 _bmad/
 _bmad-output/
 .codex/
 
@@ -5,6 +5,31 @@ Format: [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) — [Semantic V
 
 ---
 
+## [0.5.0] — 2026-03-24
+
+### Added
+
+- **Client Credentials auth** — App Registration-based service identity for unattended scenarios: CI/CD pipelines, Docker, Azure services. Configured via `authMethod: "client-credentials"` plus `tenantId`, `clientId`, and `clientSecret` (or `AZURE_CLIENT_SECRET` env var — recommended over config file).
+- **Managed Identity auth** — zero-secret outbound auth for Azure-hosted deployments (App Service, Container Apps, Azure VMs). Supports both system-assigned and user-assigned identities (`managedIdentityClientId`). Configured via `authMethod: "managed-identity"`.
+- **Entra JWT inbound validation** — when the server runs in HTTP transport mode, bearer tokens are validated against Entra ID JWKS. Implements RFC 9728 `/.well-known/oauth-protected-resource` for automatic MCP client discovery. Validation covers RS256 signature, issuer (`login.microsoftonline.com/{tenantId}/v2.0`), audience (bare GUID), required scope, `exp`/`nbf`, and 30-second clock skew. JWKS is cached with automatic rotation on `kid` miss.
+- **`authMethod` config option** — selects the auth provider: `"device-code"` (default, unchanged behavior), `"client-credentials"`, or `"managed-identity"`. Also available as the `AUTH_METHOD` environment variable.
+- **New environment variables** — `AUTH_METHOD`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_MANAGED_IDENTITY_CLIENT_ID` map to their config equivalents. Documented in `config.example.jsonc`.
+
+### Documentation
+
+- New `/authentication` section with one page per method: Device Code, Client Credentials, Managed Identity. Includes Azure platform setup steps, Dataverse App User registration, environment variable reference, and a sequence diagram for the hosted flow.
+
+### Internal
+
+- **`src/auth/auth-provider.interface.ts`** — `AuthProvider` contract; all providers implement `getToken(resource): Promise<string>`.
+- **`src/auth/auth-provider.factory.ts`** — Reads `authMethod` from config/env and instantiates the correct provider. Adding a new method requires no changes outside the factory.
+- **`src/auth/client-credentials-auth-provider.ts`** — MSAL confidential client flow (client_credentials grant) with in-memory token cache.
+- **`src/auth/managed-identity-auth-provider.ts`** — Azure IMDS token endpoint (`169.254.169.254`); falls back to `DefaultAzureCredential`-style resolution for user-assigned identities.
+- **`src/auth/entra-jwt-validator.ts`** — HTTP middleware; validates inbound Bearer tokens for the HTTP server.
+- **`src/auth/crypto-utils.ts`** — JWKS fetch + caching utilities extracted into a shared module.
+
+---
+
 ## [0.4.7] — 2026-03-08
 
 ### Fixed
 
@@ -6,7 +6,7 @@
 
 **The most complete MCP server for Microsoft Dataverse.**
 
-73 tools · 4 resources · 10 guided workflows · Zero config auth
+73 tools · 4 resources · 10 guided workflows · Three auth modes
 
 [![npm](https://img.shields.io/npm/v/mcp-dataverse)](https://www.npmjs.com/package/mcp-dataverse)
 [![npm downloads](https://img.shields.io/npm/dm/mcp-dataverse)](https://www.npmjs.com/package/mcp-dataverse)
@@ -25,7 +25,7 @@
 
 AI agents hallucinate schema, guess column names, and build broken OData queries. This server gives them **real-time access** to your Dataverse environment — schema, records, metadata, solutions — through the [Model Context Protocol](https://modelcontextprotocol.io).
 
-- **No Azure AD app registration** — device code flow, zero pre-configuration
+- **Three auth modes** — device code (local), client credentials (CI/CD), managed identity (Azure-hosted)
 - **Works with any MCP client** — VS Code, Claude, Cursor, Windsurf, Gemini, Codex CLI
 - **Atomic tools** — each tool does one thing well; the AI picks the right one
 - **Structured outputs** — every response returns `{summary, data, suggestions}`
@@ -48,31 +48,45 @@ The interactive wizard configures your environment, registers the server in VS C
 
 ## Authentication
 
-**No PAC CLI, no app registration, no client secret.** Uses Microsoft's device code flow (MSAL):
+Three modes — choose based on where the server runs:
 
-1. **First tool call** → a sign-in code appears in the MCP Output panel (`View → Output → MCP`)
-2. Open `https://microsoft.com/devicelogin` → enter the code → sign in with your work account
-3. **Done.** Token is cached encrypted — all future starts are silent
+| Mode | When to use |
+|:-----|:------------|
+| **Device Code** (default) | Local development — interactive Microsoft login, token cached on disk |
+| **Client Credentials** | Unattended: CI/CD, Docker, Azure services — `authMethod: "client-credentials"` + App Registration |
+| **Managed Identity** | Azure-hosted (App Service, Container Apps) — zero secrets, `authMethod: "managed-identity"` |
 
-Re-authenticate after ~90 days of inactivity: `npx mcp-dataverse-auth`
+**Device code quick start:** authentication triggers on the first tool call.
+
+1. Open `View → Output → MCP` — a sign-in code appears
+2. Go to `https://microsoft.com/devicelogin`, enter the code, sign in with your work account
+3. Token is cached encrypted — all future starts are silent
+
+For client credentials and managed identity setup, see [Authentication docs](https://codeurali.github.io/mcp-dataverse/authentication).
 
 ---
 
 ## Capabilities
 
-| Category                | Count | Description                                                    |
+| Category | Count | Description |
 | ----------------------- | ----- | -------------------------------------------------------------- |
-| **Metadata**            | 8     | Tables, schema, relationships, option sets, entity keys        |
-| **Query**               | 3     | OData, FetchXML, paginated retrieval                           |
-| **CRUD**                | 6     | Get, create, update, delete, upsert, assign                    |
-| **Actions & Functions** | 6     | Bound/unbound Dataverse actions and functions                  |
-| **Batch**               | 1     | Up to 1000 operations atomically                               |
-| **Solutions**           | 3     | List solutions, components, publish customizations             |
-| **Search**              | 1     | Full-text Relevance Search                                     |
-| **Users & Teams**       | 3     | Users, roles, teams                                            |
-| **Files**               | 2     | Upload/download file and image columns                         |
-| **+ more**              | …     | Audit, trace logs, delta tracking, impersonation, annotations… |
-| **Assistance**          | 4     | Tool router, workflow guide                                    |
+| **Metadata** | 9 | Tables, schema, relationships, option sets, entity keys |
+| **Query** | 3 | OData, FetchXML, paginated retrieval |
+| **CRUD** | 6 | Get, create, update, delete, upsert, assign |
+| **Relations** | 4 | Associate, associate bulk, disassociate, query associations |
+| **Actions & Functions** | 6 | Bound/unbound Dataverse actions and functions |
+| **Batch** | 1 | Up to 1000 operations atomically |
+| **Solutions** | 2 | Publish customizations, create sitemap |
+| **Search** | 1 | Full-text Relevance Search |
+| **Users & Teams** | 4 | Users, roles, teams, role assignment |
+| **RBAC** | 7 | Role privileges: list, assign, remove, add, replace, get, team |
+| **Files** | 2 | Upload/download file and image columns |
+| **Audit & Trace** | 3 | Audit log, plugin trace logs, workflow trace logs |
+| **Annotations** | 2 | Notes and file attachments |
+| **Customization** | 4 | Custom actions, plugins, env variables, connection references |
+| **Attributes** | 5 | Create, update, delete columns; lookup and multi-select types |
+| **Assistance** | 2 | Tool router, tool tags |
+| **+ more** | … | Delta sync, impersonation, views, business units, duplicate detection |
 
 [→ Full Capabilities Reference](https://codeurali.github.io/mcp-dataverse/capabilities)
 
@@ -126,7 +140,8 @@ MCP Dataverse is designed to be comprehensive, but most AI models work best with
 | Version | Feature | Status |
 | ------- | ------- | ------ |
 | **v0.4** | HTTP transport + attribute management + schema consistency | ✅ Released |
-| **v0.5** | Enterprise auth (Client Credentials, Managed Identity) + MCP Prompts | 🔴 Planned |
+| **v0.5** | Enterprise auth (Client Credentials, Managed Identity, Entra JWT) | ✅ Released |
+| **v0.6** | MCP Prompts + ERD generator + API snippet generator | 🔜 Planned |
 
 [→ Full Roadmap](https://codeurali.github.io/mcp-dataverse/roadmap)
 
 
@@ -1,10 +1,37 @@
 {
   "environmentUrl": "https://yourorg.crm.dynamics.com",
   "requestTimeoutMs": 30000,
-  "maxRetries": 3
+  "maxRetries": 3,
 }
 
-// HTTP transport mode (optional — uncomment to use)
+// ── Auth methods ──────────────────────────────────────────────────────────────
+//
+// Default (device-code) — interactive Microsoft login, token cached on disk.
+// No extra fields needed.
+//
+// Client Credentials — Azure AD App Registration for CI/CD and unattended scenarios.
+// {
+//   "environmentUrl": "https://yourorg.crm.dynamics.com",
+//   "authMethod": "client-credentials",
+//   "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+//   "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+//   "clientSecret": "your-client-secret"     // prefer AZURE_CLIENT_SECRET env var
+// }
+//
+// Managed Identity — zero-secret auth for Azure-hosted deployments.
+// System-assigned:
+// {
+//   "environmentUrl": "https://yourorg.crm.dynamics.com",
+//   "authMethod": "managed-identity"
+// }
+// User-assigned:
+// {
+//   "environmentUrl": "https://yourorg.crm.dynamics.com",
+//   "authMethod": "managed-identity",
+//   "managedIdentityClientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+// }
+//
+// ── HTTP transport mode (optional — uncomment to use) ─────────────────────────
 // {
 //   "environmentUrl": "https://yourorg.crm.dynamics.com",
 //   "requestTimeoutMs": 30000,
@@ -13,8 +40,16 @@
 //   "httpPort": 3000
 // }
 //
-// Matching environment variables:
-//   MCP_TRANSPORT=http
-//   MCP_HTTP_PORT=3000
-//   MCP_HTTP_SECRET=your-bearer-token   (optional: enables Authorization header check)
-//   MCP_HTTP_JSON_RESPONSE=true         (default: true; set to false for SSE streaming)
+// ── Environment variable reference ───────────────────────────────────────────
+//   DATAVERSE_ENV_URL                   environmentUrl
+//   AUTH_METHOD                         authMethod  (device-code | client-credentials | managed-identity)
+//   AZURE_TENANT_ID                     tenantId
+//   AZURE_CLIENT_ID                     clientId
+//   AZURE_CLIENT_SECRET                 clientSecret  (recommended over config file)
+//   AZURE_MANAGED_IDENTITY_CLIENT_ID    managedIdentityClientId
+//   REQUEST_TIMEOUT_MS                  requestTimeoutMs
+//   MAX_RETRIES                         maxRetries
+//   MCP_TRANSPORT                       http | stdio
+//   MCP_HTTP_PORT                       httpPort
+//   MCP_HTTP_SECRET                     bearer token for HTTP transport (optional)
+//   MCP_HTTP_JSON_RESPONSE              true | false  (default: true)
@@ -0,0 +1 @@
+import{a}from"./chunk-M5UROAVJ.js";import"./chunk-RYRO3QPE.js";import"./chunk-KJ3HM2VM.js";export{a as createAuthProvider};
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+import{a}from"./chunk-M5UROAVJ.js";import"./chunk-RYRO3QPE.js";import"./chunk-KJ3HM2VM.js";export{a as createAuthProvider};`