feat: Removed scope app-engine:functions:run as it's not needed (#227)

Author: christian-kreuzberger-dtx

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## Unreleased Changes
 
+### Scopes
+
+- Removed scope `app-engine:functions:run` as it's not needed
 - Breaking: Changed default HTTP server host binding from `0.0.0.0` to `127.0.0.1` for improved security
 
 ## 0.11.0

README.md

@@ -324,7 +324,6 @@ Depending on the features you are using, the following scopes are needed:
 **Available for both Platform Tokens and OAuth Clients:**
 
 - `app-engine:apps:run` - needed for almost all tools
-- `app-engine:functions:run` - needed for for almost all tools
 - `environment-api:entities:read` - for retrieving ownership details from monitored entities (_currently not available for Platform Tokens_)
 - `automation:workflows:read` - read Workflows
 - `automation:workflows:write` - create and update Workflows
@@ -347,9 +346,12 @@ Depending on the features you are using, the following scopes are needed:
 - `email:emails:send` - needed for `send_email` tool to send emails
 - `settings:objects:read` - needed for reading ownership information and Guardians (SRG) from settings
 
-  **Note**: Please ensure that `settings:objects:read` is used, and _not_ the similarly named scope `app-settings:objects:read`.
+**Notes**:
 
-**Important**: Some features requiring `environment-api:entities:read` will only work with OAuth Clients. For most use cases, Platform Tokens provide all necessary functionality.
+- Please ensure that `settings:objects:read` is used, and _not_ the similarly named scope `app-settings:objects:read`.
+- Versions before 0.12.0 required the scope `app-engine:functions:run`, which is no longer required.
+
+**Important**: Some features requiring `environment-api:entities:read` will not work with Platform Tokens.
 
 ## ✨ Example prompts ✨
 
@@ -531,7 +533,7 @@ In most cases, authentication issues are related to missing scopes or invalid to
 **For OAuth Clients:**
 In case of OAuth-related problems, you can troubleshoot SSO/OAuth issues based on our [Dynatrace Developer Documentation](https://developer.dynatrace.com/develop/access-platform-apis-from-outside/#get-bearer-token-and-call-app-function).
 
-It is recommended to test access with the following API (which requires minimal scopes `app-engine:apps:run` and `app-engine:functions:run`):
+It is recommended to test access with the following API (which requires minimal scopes `app-engine:apps:run` and, e.g., `storage:logs:read`):
 
 1. Use OAuth Client ID and Secret to retrieve a Bearer Token (only valid for a couple of minutes):
 
@@ -541,7 +543,7 @@ curl --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
   --data-urlencode 'grant_type=client_credentials' \
   --data-urlencode 'client_id={your-client-id}' \
   --data-urlencode 'client_secret={your-client-secret}' \
-  --data-urlencode 'scope=app-engine:apps:run app-engine:functions:run'
+  --data-urlencode 'scope=app-engine:apps:run storage:logs:read'
 ```
 
 2. Use `access_token` from the response of the above call as the bearer-token in the next call:

integration-tests/davis-copilot-explain-dql.integration.test.ts

@@ -15,7 +15,6 @@ config();
 
 const scopesBase = [
   'app-engine:apps:run', // needed for environmentInformationClient
-  'app-engine:functions:run', // needed for environmentInformationClient
 ];
 
 describe('DQL Explanation Integration Tests', () => {

integration-tests/dynatrace-clients.integration.test.ts

@@ -21,7 +21,6 @@ const API_RATE_LIMIT_DELAY = 100; // Delay in milliseconds to avoid hitting API
 
 const scopesBase = [
   'app-engine:apps:run', // needed for environmentInformationClient
-  'app-engine:functions:run', // needed for environmentInformationClient
 ];
 
 describe('Dynatrace Clients Integration Tests', () => {

integration-tests/execute-dql.integration.test.ts

@@ -17,7 +17,6 @@ const API_RATE_LIMIT_DELAY = 100; // Delay in milliseconds to avoid hitting API
 
 const scopesBase = [
   'app-engine:apps:run', // needed for environmentInformationClient
-  'app-engine:functions:run', // needed for environmentInformationClient
 ];
 
 const scopesDqlExecution = [

integration-tests/find-monitored-entity-by-name.integration.test.ts

@@ -18,7 +18,6 @@ const API_RATE_LIMIT_DELAY = 100; // Delay in milliseconds to avoid hitting API
 
 const scopesBase = [
   'app-engine:apps:run', // needed for environmentInformationClient
-  'app-engine:functions:run', // needed for environmentInformationClient
 ];
 
 const scopesEntitySearch = [

integration-tests/send-email.integration.test.ts

@@ -4,7 +4,7 @@
  * This test verifies the email sending functionality by making actual API calls
  * to the Dynatrace environment. These tests require valid authentication credentials
  * and the email:emails:send scope.
- * 
+ *
  * IMPORTANT: Update the TEST_EMAIL_* variables below with your own email addresses
  * be        subject: '[Integration Test] Invalid Email Test',
         body: {
@@ -25,7 +25,6 @@ const API_RATE_LIMIT_DELAY = 100; // Delay in milliseconds to avoid hitting API
 
 const scopesBase = [
   'app-engine:apps:run', // needed for environmentInformationClient
-  'app-engine:functions:run', // needed for environmentInformationClient
 ];
 
 const scopesEmail = [
@@ -156,7 +155,7 @@ fetch logs
 This email was sent to multiple recipients to test the TO, CC, and BCC functionality:
 
 - **TO**: ${TEST_EMAIL_TO}, ${TEST_EMAIL_TO}
-- **CC**: ${TEST_EMAIL_CC}  
+- **CC**: ${TEST_EMAIL_CC}
 - **BCC**: ${TEST_EMAIL_BCC}
 
 All recipients should receive this message according to their designation.`,

src/authentication/dynatrace-oauth-auth-code-flow.test.ts

@@ -6,7 +6,7 @@ describe('OAuth Authorization Code Flow', () => {
   const mockConfig: OAuthAuthorizationConfig = {
     clientId: 'dt0s08.mocked-client',
     redirectUri: 'http://localhost:5343/auth/login',
-    scopes: ['app-engine:apps:run', 'app-engine:functions:run', 'storage:logs:read'], // Basic Example scopes
+    scopes: ['app-engine:apps:run', 'storage:logs:read'], // Basic Example scopes
   };
 
   test('createAuthorizationUrl generates valid URL with PKCE', () => {
@@ -22,7 +22,7 @@ describe('OAuth Authorization Code Flow', () => {
     expect(url.searchParams.get('response_type')).toBe('code');
     expect(url.searchParams.get('client_id')).toBe('dt0s08.mocked-client');
     expect(url.searchParams.get('redirect_uri')).toBe('http://localhost:5343/auth/login');
-    expect(url.searchParams.get('scope')).toBe('app-engine:apps:run app-engine:functions:run storage:logs:read');
+    expect(url.searchParams.get('scope')).toBe('app-engine:apps:run storage:logs:read');
     expect(url.searchParams.get('code_challenge_method')).toBe('S256');
     expect(url.searchParams.get('code_challenge')).toMatch(/^[A-Za-z0-9_-]{43}$/); // SHA256 base64url = 43 chars
     expect(url.searchParams.get('state')).toBe(result.state);
@@ -32,21 +32,18 @@ describe('OAuth Authorization Code Flow', () => {
     const result = createAuthorizationUrl('https://sso.dynatrace.com', mockConfig);
 
     // Check that the raw URL string contains %20 for spaces, not +
-    expect(result.authorizationUrl).toMatch(
-      /scope=app-engine%3Aapps%3Arun%20app-engine%3Afunctions%3Arun%20storage%3Alogs%3Aread/,
-    );
+    expect(result.authorizationUrl).toMatch(/scope=app-engine%3Aapps%3Arun%20storage%3Alogs%3Aread/);
 
     // Verify that + is not used for space encoding in scopes
     expect(result.authorizationUrl).not.toMatch(/scope=.*\+.*(?=&|$)/);
 
     // Verify that colons are properly encoded as %3A
     expect(result.authorizationUrl).toMatch(/app-engine%3Aapps%3Arun/);
-    expect(result.authorizationUrl).toMatch(/app-engine%3Afunctions%3Arun/);
     expect(result.authorizationUrl).toMatch(/storage%3Alogs%3Aread/);
 
     // Double-check by parsing the URL and verifying the decoded scope
     const url = new URL(result.authorizationUrl);
-    expect(url.searchParams.get('scope')).toBe('app-engine:apps:run app-engine:functions:run storage:logs:read');
+    expect(url.searchParams.get('scope')).toBe('app-engine:apps:run storage:logs:read');
   });
 
   test('startOAuthRedirectServer returns server configuration', async () => {

src/index.ts

@@ -71,7 +71,6 @@ const DT_MCP_AUTH_CODE_FLOW_OAUTH_CLIENT_ID = 'dt0s08.dt-app-local'; // ToDo: Re
 // Base Scopes for MCP Server tools
 let scopesBase = [
   'app-engine:apps:run', // needed for environmentInformationClient
-  'app-engine:functions:run', // needed for environmentInformationClient
 ];
 
 // All scopes needed by the MCP server tools