chore(destination-mongodb): remove strict-encrypt variant, use env-aware TLS enforcement

[aaronsteers]

What

Removes the separate destination-mongodb-strict-encrypt connector by migrating its TLS enforcement logic into the base destination-mongodb connector, making it responsive to the DEPLOYMENT_MODE=CLOUD environment variable.

This is part of a broader effort to eliminate strict-encrypt connector variants, which create cross-connector dependencies in the publish workflow and complicate progressive rollouts (see workflow comments).

How

1. Added spec() override in MongodbDestination that removes the TLS configuration option for standalone instances when running in cloud deployment mode
2. Added TLS enforcement check in check() method that throws ConfigErrorException if a standalone instance doesn't have TLS enabled in cloud mode
3. Removed the dockerRepository override in metadata.yaml that pointed cloud to the strict-encrypt variant
4. Deleted the entire destination-mongodb-strict-encrypt connector directory

Review guide

1. MongodbDestination.java - Verify:
   • getIsCloudDeployment() is accessible (inherited from BaseConnector)
   • The spec JSON path navigation correctly targets the TLS property
   • The check logic matches the original strict-encrypt behavior
2. metadata.yaml - Confirm the registry override change is correct

User Impact

• Cloud users: No functional change - TLS will still be enforced for standalone MongoDB instances, just via the base connector image with environment-aware behavior
• OSS users: No change - TLS remains optional as before
• Simplifies connector maintenance: One fewer connector to maintain and publish

Can this PR be safely reverted and rolled back?

• YES 💚

---

Link to Devin run: https://app.devin.ai/sessions/bebef009e9144b0a8b6ad3f164acd8d6
Requested by: AJ Steers (@aaronsteers)

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[octavia-bot]

Note

📝 PR Converted to Draft

More info...

Thank you for creating this PR. As a policy to protect our engineers' time, Airbyte requires all PRs to be created first in draft status. Your PR has been automatically converted to draft status in respect for this policy.

As soon as your PR is ready for formal review, you can proceed to convert the PR to "ready for review" status by clicking the "Ready for review" button at the bottom of the PR page.

To skip draft status in future PRs, please include [ready] in your PR title or add the skip-draft-status label when creating your PR.

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

• 🛠️ Quick Fixes
  • /format-fix - Fixes most formatting issues.
  • /bump-version - Bumps connector versions, scraping changelog description from the PR title.
• ❇️ AI Testing and Review:
  • /ai-docs-review - Provides AI-powered documentation recommendations for PRs with connector changes.
  • /ai-prove-fix - Runs prerelease readiness checks, including testing against customer connections.
  • /ai-canary-prerelease - Rolls out prerelease to 5-10 connections for canary testing.
  • /ai-review - AI-powered PR review for connector safety and quality gates.
• 🚀 Connector Releases:
  • /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
  • /bump-progressive-rollout-version - Bumps connector version with an RC suffix (2.16.10-rc.1) for progressive rollouts (enableProgressiveRollout: true).
    • Example: /bump-progressive-rollout-version changelog="Add new feature for progressive rollout"
• ☕️ JVM connectors:
  • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
    Example: /update-connector-cdk-version connector=destination-bigquery
  • /bump-bulk-cdk-version bump=patch changelog='foo' - Bump the Bulk CDK's version. bump can be major/minor/patch.
• 🐍 Python connectors:
  • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
  • /poe source example lock - Alias for /poe connector source-example lock.
  • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
  • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.
• ⚙️ Admin commands:
  • /force-merge reason="<REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.
    Example: /force-merge reason="CI is flaky, tests pass locally"

📚 Show Repo Guidance

Helpful Resources

• Breaking Changes Guide - Breaking changes, migration guides, and upgrade deadlines
• Developing Connectors Locally
• Managing Connector Secrets
• On-Demand Regression Tests
• #connector-ci-issues
• #connector-publish-updates
• #connector-build-statuses

📝 Edit this welcome message.

[github-actions]

destination-mongodb Connector Test Results

  5 files    5 suites   12m 46s ⏱️
111 tests 108 ✅ 3 💤 0 ❌
123 runs  120 ✅ 3 💤 0 ❌

Results for commit 35139b0.

♻️ This comment has been updated with latest results.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional flags.

[devin-ai-integration]

Devin Review found 1 new potential issue.

View issue and 6 additional flags in Devin Review.

[devin-ai-integration]

🟡 Incorrect error message says 'read from' for a destination connector

The error message in the TLS enforcement check incorrectly says "TLS connection must be used to read from MongoDB" but this is a destination connector that writes to MongoDB, not reads from it.

Click to expand

Issue

At line 94, when TLS is not enabled for a standalone instance in cloud mode, the error message states:

throw new ConfigErrorException("TLS connection must be used to read from MongoDB.");

This message was copied from the original MongodbDestinationStrictEncrypt which had the same incorrect wording. For a destination connector, the message should say "write to" instead of "read from".

Impact

This is a cosmetic issue that may confuse users when they see the error message, as it incorrectly describes the operation being performed. The functionality works correctly - TLS enforcement still happens properly.

Recommendation: Change the error message to: "TLS connection must be used to write to MongoDB."

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[github-actions]

[markdownlint] _{reported by reviewdog 🐶}
MD049/emphasis-style Emphasis style [Expected: underscore; Actual: asterisk]

[github-actions]

[markdownlint] _{reported by reviewdog 🐶}
MD049/emphasis-style Emphasis style [Expected: underscore; Actual: asterisk]

[github-actions]

[markdownlint-fix] _{reported by reviewdog 🐶}

Suggested change

	| 0.3.0 | 2026-02-04 | [*PR_NUMBER_PLACEHOLDER*](https://github.com/airbytehq/airbyte/pull/*PR_NUMBER_PLACEHOLDER*) | Remove strict-encrypt variant; use environment-aware TLS enforcement |
	| 0.3.0 | 2026-02-04 | [_PR_NUMBER_PLACEHOLDER_](https://github.com/airbytehq/airbyte/pull/*PR_NUMBER_PLACEHOLDER*) | Remove strict-encrypt variant; use environment-aware TLS enforcement |

[github-actions]

Deploy preview for airbyte-docs ready!

✅ Preview
https://airbyte-docs-9taczydhh-airbyte-growth.vercel.app

Built with commit 35139b0.
This pull request is being automatically deployed with vercel-action