feat: Change read-only mode default to FALSE (deployments allowed)

facundofarias · claude · facundofarias · commit b5c9e0833a3b · 2025-11-13T10:02:08.000+01:00
Changed the default behavior from read-only enabled to deployments allowed by default. This makes the MCP server more permissive out of the box while still allowing users to enable read-only mode for security if needed. Changes: - Default: readOnlyMode = false (deployments allowed) - Configuration parsing updated in src/config.ts - Server factory default changed in src/mcp-server.ts - Error message updated to reflect optional security feature - All tests updated to expect new default behavior - Documentation comments updated throughout Users can still enable read-only mode by: - Setting DEPLOYHQ_READ_ONLY=true environment variable - Using --read-only CLI flag 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/__tests__/config.test.ts b/src/__tests__/config.test.ts
@@ -18,14 +18,14 @@ describe('Configuration Parsing', () => {
 
   describe('parseServerConfig', () => {
     describe('Default behavior', () => {
-      it('should default to read-only mode enabled', () => {
+      it('should default to read-only mode disabled (deployments allowed)', () => {
         // Clear any existing config
         delete process.env.DEPLOYHQ_READ_ONLY;
         process.argv = ['node', 'test.js'];
 
         const config = parseServerConfig();
 
-        expect(config.readOnlyMode).toBe(true);
+        expect(config.readOnlyMode).toBe(false);
       });
     });
 
@@ -129,13 +129,14 @@ describe('Configuration Parsing', () => {
         expect(config.readOnlyMode).toBe(false);
       });
 
-      it('should default to true for unrecognized values', () => {
+      it('should fall back to default for unrecognized values', () => {
         process.env.DEPLOYHQ_READ_ONLY = 'maybe';
         process.argv = ['node', 'test.js'];
 
         const config = parseServerConfig();
 
-        expect(config.readOnlyMode).toBe(true);
+        // Unrecognized values are ignored and we use the default (false)
+        expect(config.readOnlyMode).toBe(false);
       });
     });
 
@@ -274,7 +275,7 @@ describe('Configuration Parsing', () => {
 
         const config = parseServerConfig();
 
-        expect(config.readOnlyMode).toBe(true);
+        expect(config.readOnlyMode).toBe(false);
       });
     });
   });
@@ -333,7 +334,8 @@ describe('Configuration Parsing', () => {
 
       const config = parseServerConfig();
 
-      expect(config.readOnlyMode).toBe(true);
+      // Empty string is ignored and we use the default (false)
+      expect(config.readOnlyMode).toBe(false);
     });
 
     it('should handle multiple --read-only flags (last one wins)', () => {
diff --git a/src/__tests__/read-only-mode.test.ts b/src/__tests__/read-only-mode.test.ts
@@ -91,12 +91,12 @@ describe('Read-Only Mode Integration', () => {
       expect(response.content[0].text).toContain('test-deployment-uuid');
     });
 
-    it('should use default read-only mode (enabled) when no config provided', async () => {
+    it('should use default read-only mode (disabled) when no config provided', async () => {
       const server = createMCPServer(
         'test@example.com',
         'api-key',
         'test-account'
-        // No config provided - should default to read-only
+        // No config provided - should default to deployments allowed
       );
 
       const response = await invokeToolForTest(server, 'create_deployment', {
@@ -106,9 +106,9 @@ describe('Read-Only Mode Integration', () => {
         end_revision: 'def456',
       });
 
-      // Should return an error response (read-only by default)
-      expect(response.isError).toBe(true);
-      expect(response.content[0].text).toContain('read-only mode');
+      // Should return a successful response (deployments allowed by default)
+      expect(response.isError).toBeUndefined();
+      expect(response.content[0].text).toContain('identifier');
     });
 
     it('should include helpful error message with configuration instructions', async () => {
diff --git a/src/config.ts b/src/config.ts
@@ -6,7 +6,7 @@
 export interface ServerConfig {
   /**
    * Read-only mode: when enabled, write operations (like create_deployment) are blocked
-   * Default: true (read-only enabled by default for security)
+   * Default: false (deployments allowed by default)
    */
   readOnlyMode: boolean;
 }
@@ -68,7 +68,7 @@ function parseReadOnlyFlag(): boolean | undefined {
  * Precedence (highest to lowest):
  * 1. CLI flags (--read-only)
  * 2. Environment variables (DEPLOYHQ_READ_ONLY)
- * 3. Default values (read-only mode enabled by default)
+ * 3. Default values (deployments allowed by default)
  *
  * @returns ServerConfig object with parsed configuration
  */
@@ -86,8 +86,8 @@ export function parseServerConfig(): ServerConfig {
     return { readOnlyMode: envValue };
   }
 
-  // Default to read-only mode enabled (secure by default)
-  return { readOnlyMode: true };
+  // Default to read-only mode disabled (deployments allowed by default)
+  return { readOnlyMode: false };
 }
 
 /**
diff --git a/src/mcp-server.ts b/src/mcp-server.ts
@@ -29,7 +29,7 @@ export function createMCPServer(
   username: string,
   password: string,
   account: string,
-  config: ServerConfig = { readOnlyMode: true }
+  config: ServerConfig = { readOnlyMode: false }
 ): Server {
   // Create DeployHQ client with user credentials
   const client = new DeployHQClient({
@@ -127,10 +127,10 @@ export function createMCPServer(
             throw new Error(
               'FORBIDDEN: Server is running in read-only mode. ' +
               'Deployment creation is disabled for security.\n\n' +
-              'To enable deployments:\n' +
+              'To disable read-only mode:\n' +
               '- Set environment variable: DEPLOYHQ_READ_ONLY=false\n' +
               '- Or use CLI flag: --read-only=false\n\n' +
-              'Read-only mode is enabled by default to prevent ' +
+              'Read-only mode can be enabled to prevent ' +
               'accidental deployments when using AI assistants.'
             );
           }
