@backstage/plugin-mcp-actions-backend 0.1.11-next.0 → 0.1.11

package/CHANGELOG.md

@@ -1,16 +1,10 @@
 # @backstage/plugin-mcp-actions-backend
 
-## 0.1.11-next.0
+## 0.1.11
 
 ### Patch Changes
 
-- Updated dependencies
-  - @backstage/backend-plugin-api@1.8.1-next.0
-  - @backstage/plugin-catalog-node@2.1.1-next.0
-  - @backstage/catalog-client@1.14.0
-  - @backstage/config@1.3.6
-  - @backstage/errors@1.2.7
-  - @backstage/types@1.2.2
+- 0e8eece: Fix OAuth 2.0 Protected Resource Metadata endpoint returning internal plugin URL, preventing some MCP clients like Claude Code from authenticating
 
 ## 0.1.10
 

package/dist/plugin.cjs.js

@@ -104,8 +104,8 @@ const mcpPlugin = backendPluginApi.createBackendPlugin({
             "/.well-known/oauth-protected-resource",
             async (_, res) => {
               const [authBaseUrl, mcpBaseUrl] = await Promise.all([
-                discovery.getBaseUrl("auth"),
-                discovery.getBaseUrl("mcp-actions")
+                discovery.getExternalBaseUrl("auth"),
+                discovery.getExternalBaseUrl("mcp-actions")
               ]);
               res.json({
                 resource: mcpBaseUrl,

package/dist/plugin.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"plugin.cjs.js","sources":["../src/plugin.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport { json } from 'express';\nimport Router from 'express-promise-router';\nimport { McpService } from './services/McpService';\nimport { createStreamableRouter } from './routers/createStreamableRouter';\nimport { createSseRouter } from './routers/createSseRouter';\nimport {\n  actionsRegistryServiceRef,\n  actionsServiceRef,\n  metricsServiceRef,\n} from '@backstage/backend-plugin-api/alpha';\nimport { parseServerConfigs } from './config';\n\n/**\n * mcpPlugin backend plugin\n *\n * @public\n */\nexport const mcpPlugin = createBackendPlugin({\n  pluginId: 'mcp-actions',\n  register(env) {\n    env.registerInit({\n      deps: {\n        logger: coreServices.logger,\n        auth: coreServices.auth,\n        httpAuth: coreServices.httpAuth,\n        httpRouter: coreServices.httpRouter,\n        actions: actionsServiceRef,\n        registry: actionsRegistryServiceRef,\n        rootRouter: coreServices.rootHttpRouter,\n        discovery: coreServices.discovery,\n        config: coreServices.rootConfig,\n        metrics: metricsServiceRef,\n      },\n      async init({\n        actions,\n        logger,\n        httpRouter,\n        httpAuth,\n        rootRouter,\n        discovery,\n        config,\n        metrics,\n      }) {\n        const serverConfigs = parseServerConfigs(config);\n        const namespacedToolNames = config.getOptionalBoolean(\n          'mcpActions.namespacedToolNames',\n        );\n\n        const mcpService = await McpService.create({\n          actions,\n          metrics,\n          namespacedToolNames,\n        });\n\n        const router = Router();\n        router.use(json());\n\n        if (serverConfigs && serverConfigs.size > 0) {\n          for (const [key, serverConfig] of serverConfigs) {\n            const streamableRouter = createStreamableRouter({\n              mcpService,\n              httpAuth,\n              logger,\n              metrics,\n              serverConfig,\n            });\n\n            router.use(`/v1/${key}`, streamableRouter);\n          }\n        } else {\n          const serverConfig = {\n            name: config.getOptionalString('mcpActions.name') ?? 'backstage',\n            description: config.getOptionalString('mcpActions.description'),\n            includeRules: [],\n            excludeRules: [],\n          };\n\n          const sseRouter = createSseRouter({\n            mcpService,\n            httpAuth,\n            serverConfig,\n          });\n\n          const streamableRouter = createStreamableRouter({\n            mcpService,\n            httpAuth,\n            logger,\n            metrics,\n            serverConfig,\n          });\n\n          router.use('/v1/sse', sseRouter);\n          router.use('/v1', streamableRouter);\n        }\n\n        httpRouter.use(router);\n\n        const oauthEnabled =\n          config.getOptionalBoolean(\n            'auth.experimentalDynamicClientRegistration.enabled',\n          ) ||\n          config.getOptionalBoolean(\n            'auth.experimentalClientIdMetadataDocuments.enabled',\n          );\n\n        if (oauthEnabled) {\n          // OAuth Authorization Server Metadata (RFC 8414)\n          // This should be replaced with throwing a WWW-Authenticate header, but that doesn't seem to be supported by\n          // many of the MCP clients as of yet. So this seems to be the oldest version of the spec that's implemented.\n          rootRouter.use(\n            '/.well-known/oauth-authorization-server',\n            async (_, res) => {\n              const authBaseUrl = await discovery.getBaseUrl('auth');\n              const oidcResponse = await fetch(\n                `${authBaseUrl}/.well-known/openid-configuration`,\n              );\n              res.json(await oidcResponse.json());\n            },\n          );\n\n          // Protected Resource Metadata (RFC 9728)\n          // https://datatracker.ietf.org/doc/html/rfc9728\n          // This allows MCP clients to discover the authorization server for this resource\n          rootRouter.use(\n            '/.well-known/oauth-protected-resource',\n            async (_, res) => {\n              const [authBaseUrl, mcpBaseUrl] = await Promise.all([\n                discovery.getBaseUrl('auth'),\n                discovery.getBaseUrl('mcp-actions'),\n              ]);\n              res.json({\n                resource: mcpBaseUrl,\n                authorization_servers: [authBaseUrl],\n              });\n            },\n          );\n        }\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","coreServices","actionsServiceRef","actionsRegistryServiceRef","metricsServiceRef","config","parseServerConfigs","McpService","Router","json","createStreamableRouter","createSseRouter"],"mappings":";;;;;;;;;;;;;;;AAoCO,MAAM,YAAYA,oCAAA,CAAoB;AAAA,EAC3C,QAAA,EAAU,aAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,QAAQC,6BAAA,CAAa,MAAA;AAAA,QACrB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,YAAYA,6BAAA,CAAa,UAAA;AAAA,QACzB,OAAA,EAASC,uBAAA;AAAA,QACT,QAAA,EAAUC,+BAAA;AAAA,QACV,YAAYF,6BAAA,CAAa,cAAA;AAAA,QACzB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,QAAQA,6BAAA,CAAa,UAAA;AAAA,QACrB,OAAA,EAASG;AAAA,OACX;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,OAAA;AAAA,QACA,MAAA;AAAA,QACA,UAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA,SAAA;AAAA,gBACAC,QAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,MAAM,aAAA,GAAgBC,0BAAmBD,QAAM,CAAA;AAC/C,QAAA,MAAM,sBAAsBA,QAAA,CAAO,kBAAA;AAAA,UACjC;AAAA,SACF;AAEA,QAAA,MAAM,UAAA,GAAa,MAAME,qBAAA,CAAW,MAAA,CAAO;AAAA,UACzC,OAAA;AAAA,UACA,OAAA;AAAA,UACA;AAAA,SACD,CAAA;AAED,QAAA,MAAM,SAASC,8BAAA,EAAO;AACtB,QAAA,MAAA,CAAO,GAAA,CAAIC,cAAM,CAAA;AAEjB,QAAA,IAAI,aAAA,IAAiB,aAAA,CAAc,IAAA,GAAO,CAAA,EAAG;AAC3C,UAAA,KAAA,MAAW,CAAC,GAAA,EAAK,YAAY,CAAA,IAAK,aAAA,EAAe;AAC/C,YAAA,MAAM,mBAAmBC,6CAAA,CAAuB;AAAA,cAC9C,UAAA;AAAA,cACA,QAAA;AAAA,cACA,MAAA;AAAA,cACA,OAAA;AAAA,cACA;AAAA,aACD,CAAA;AAED,YAAA,MAAA,CAAO,GAAA,CAAI,CAAA,IAAA,EAAO,GAAG,CAAA,CAAA,EAAI,gBAAgB,CAAA;AAAA,UAC3C;AAAA,QACF,CAAA,MAAO;AACL,UAAA,MAAM,YAAA,GAAe;AAAA,YACnB,IAAA,EAAML,QAAA,CAAO,iBAAA,CAAkB,iBAAiB,CAAA,IAAK,WAAA;AAAA,YACrD,WAAA,EAAaA,QAAA,CAAO,iBAAA,CAAkB,wBAAwB,CAAA;AAAA,YAC9D,cAAc,EAAC;AAAA,YACf,cAAc;AAAC,WACjB;AAEA,UAAA,MAAM,YAAYM,+BAAA,CAAgB;AAAA,YAChC,UAAA;AAAA,YACA,QAAA;AAAA,YACA;AAAA,WACD,CAAA;AAED,UAAA,MAAM,mBAAmBD,6CAAA,CAAuB;AAAA,YAC9C,UAAA;AAAA,YACA,QAAA;AAAA,YACA,MAAA;AAAA,YACA,OAAA;AAAA,YACA;AAAA,WACD,CAAA;AAED,UAAA,MAAA,CAAO,GAAA,CAAI,WAAW,SAAS,CAAA;AAC/B,UAAA,MAAA,CAAO,GAAA,CAAI,OAAO,gBAAgB,CAAA;AAAA,QACpC;AAEA,QAAA,UAAA,CAAW,IAAI,MAAM,CAAA;AAErB,QAAA,MAAM,eACJL,QAAA,CAAO,kBAAA;AAAA,UACL;AAAA,aAEFA,QAAA,CAAO,kBAAA;AAAA,UACL;AAAA,SACF;AAEF,QAAA,IAAI,YAAA,EAAc;AAIhB,UAAA,UAAA,CAAW,GAAA;AAAA,YACT,yCAAA;AAAA,YACA,OAAO,GAAG,GAAA,KAAQ;AAChB,cAAA,MAAM,WAAA,GAAc,MAAM,SAAA,CAAU,UAAA,CAAW,MAAM,CAAA;AACrD,cAAA,MAAM,eAAe,MAAM,KAAA;AAAA,gBACzB,GAAG,WAAW,CAAA,iCAAA;AAAA,eAChB;AACA,cAAA,GAAA,CAAI,IAAA,CAAK,MAAM,YAAA,CAAa,IAAA,EAAM,CAAA;AAAA,YACpC;AAAA,WACF;AAKA,UAAA,UAAA,CAAW,GAAA;AAAA,YACT,uCAAA;AAAA,YACA,OAAO,GAAG,GAAA,KAAQ;AAChB,cAAA,MAAM,CAAC,WAAA,EAAa,UAAU,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,gBAClD,SAAA,CAAU,WAAW,MAAM,CAAA;AAAA,gBAC3B,SAAA,CAAU,WAAW,aAAa;AAAA,eACnC,CAAA;AACD,cAAA,GAAA,CAAI,IAAA,CAAK;AAAA,gBACP,QAAA,EAAU,UAAA;AAAA,gBACV,qBAAA,EAAuB,CAAC,WAAW;AAAA,eACpC,CAAA;AAAA,YACH;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}
+{"version":3,"file":"plugin.cjs.js","sources":["../src/plugin.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport { json } from 'express';\nimport Router from 'express-promise-router';\nimport { McpService } from './services/McpService';\nimport { createStreamableRouter } from './routers/createStreamableRouter';\nimport { createSseRouter } from './routers/createSseRouter';\nimport {\n  actionsRegistryServiceRef,\n  actionsServiceRef,\n  metricsServiceRef,\n} from '@backstage/backend-plugin-api/alpha';\nimport { parseServerConfigs } from './config';\n\n/**\n * mcpPlugin backend plugin\n *\n * @public\n */\nexport const mcpPlugin = createBackendPlugin({\n  pluginId: 'mcp-actions',\n  register(env) {\n    env.registerInit({\n      deps: {\n        logger: coreServices.logger,\n        auth: coreServices.auth,\n        httpAuth: coreServices.httpAuth,\n        httpRouter: coreServices.httpRouter,\n        actions: actionsServiceRef,\n        registry: actionsRegistryServiceRef,\n        rootRouter: coreServices.rootHttpRouter,\n        discovery: coreServices.discovery,\n        config: coreServices.rootConfig,\n        metrics: metricsServiceRef,\n      },\n      async init({\n        actions,\n        logger,\n        httpRouter,\n        httpAuth,\n        rootRouter,\n        discovery,\n        config,\n        metrics,\n      }) {\n        const serverConfigs = parseServerConfigs(config);\n        const namespacedToolNames = config.getOptionalBoolean(\n          'mcpActions.namespacedToolNames',\n        );\n\n        const mcpService = await McpService.create({\n          actions,\n          metrics,\n          namespacedToolNames,\n        });\n\n        const router = Router();\n        router.use(json());\n\n        if (serverConfigs && serverConfigs.size > 0) {\n          for (const [key, serverConfig] of serverConfigs) {\n            const streamableRouter = createStreamableRouter({\n              mcpService,\n              httpAuth,\n              logger,\n              metrics,\n              serverConfig,\n            });\n\n            router.use(`/v1/${key}`, streamableRouter);\n          }\n        } else {\n          const serverConfig = {\n            name: config.getOptionalString('mcpActions.name') ?? 'backstage',\n            description: config.getOptionalString('mcpActions.description'),\n            includeRules: [],\n            excludeRules: [],\n          };\n\n          const sseRouter = createSseRouter({\n            mcpService,\n            httpAuth,\n            serverConfig,\n          });\n\n          const streamableRouter = createStreamableRouter({\n            mcpService,\n            httpAuth,\n            logger,\n            metrics,\n            serverConfig,\n          });\n\n          router.use('/v1/sse', sseRouter);\n          router.use('/v1', streamableRouter);\n        }\n\n        httpRouter.use(router);\n\n        const oauthEnabled =\n          config.getOptionalBoolean(\n            'auth.experimentalDynamicClientRegistration.enabled',\n          ) ||\n          config.getOptionalBoolean(\n            'auth.experimentalClientIdMetadataDocuments.enabled',\n          );\n\n        if (oauthEnabled) {\n          // OAuth Authorization Server Metadata (RFC 8414)\n          // This should be replaced with throwing a WWW-Authenticate header, but that doesn't seem to be supported by\n          // many of the MCP clients as of yet. So this seems to be the oldest version of the spec that's implemented.\n          rootRouter.use(\n            '/.well-known/oauth-authorization-server',\n            async (_, res) => {\n              const authBaseUrl = await discovery.getBaseUrl('auth');\n              const oidcResponse = await fetch(\n                `${authBaseUrl}/.well-known/openid-configuration`,\n              );\n              res.json(await oidcResponse.json());\n            },\n          );\n\n          // Protected Resource Metadata (RFC 9728)\n          // https://datatracker.ietf.org/doc/html/rfc9728\n          // This allows MCP clients to discover the authorization server for this resource\n          rootRouter.use(\n            '/.well-known/oauth-protected-resource',\n            async (_, res) => {\n              const [authBaseUrl, mcpBaseUrl] = await Promise.all([\n                discovery.getExternalBaseUrl('auth'),\n                discovery.getExternalBaseUrl('mcp-actions'),\n              ]);\n              res.json({\n                resource: mcpBaseUrl,\n                authorization_servers: [authBaseUrl],\n              });\n            },\n          );\n        }\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","coreServices","actionsServiceRef","actionsRegistryServiceRef","metricsServiceRef","config","parseServerConfigs","McpService","Router","json","createStreamableRouter","createSseRouter"],"mappings":";;;;;;;;;;;;;;;AAoCO,MAAM,YAAYA,oCAAA,CAAoB;AAAA,EAC3C,QAAA,EAAU,aAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,QAAQC,6BAAA,CAAa,MAAA;AAAA,QACrB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,YAAYA,6BAAA,CAAa,UAAA;AAAA,QACzB,OAAA,EAASC,uBAAA;AAAA,QACT,QAAA,EAAUC,+BAAA;AAAA,QACV,YAAYF,6BAAA,CAAa,cAAA;AAAA,QACzB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,QAAQA,6BAAA,CAAa,UAAA;AAAA,QACrB,OAAA,EAASG;AAAA,OACX;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,OAAA;AAAA,QACA,MAAA;AAAA,QACA,UAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA,SAAA;AAAA,gBACAC,QAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,MAAM,aAAA,GAAgBC,0BAAmBD,QAAM,CAAA;AAC/C,QAAA,MAAM,sBAAsBA,QAAA,CAAO,kBAAA;AAAA,UACjC;AAAA,SACF;AAEA,QAAA,MAAM,UAAA,GAAa,MAAME,qBAAA,CAAW,MAAA,CAAO;AAAA,UACzC,OAAA;AAAA,UACA,OAAA;AAAA,UACA;AAAA,SACD,CAAA;AAED,QAAA,MAAM,SAASC,8BAAA,EAAO;AACtB,QAAA,MAAA,CAAO,GAAA,CAAIC,cAAM,CAAA;AAEjB,QAAA,IAAI,aAAA,IAAiB,aAAA,CAAc,IAAA,GAAO,CAAA,EAAG;AAC3C,UAAA,KAAA,MAAW,CAAC,GAAA,EAAK,YAAY,CAAA,IAAK,aAAA,EAAe;AAC/C,YAAA,MAAM,mBAAmBC,6CAAA,CAAuB;AAAA,cAC9C,UAAA;AAAA,cACA,QAAA;AAAA,cACA,MAAA;AAAA,cACA,OAAA;AAAA,cACA;AAAA,aACD,CAAA;AAED,YAAA,MAAA,CAAO,GAAA,CAAI,CAAA,IAAA,EAAO,GAAG,CAAA,CAAA,EAAI,gBAAgB,CAAA;AAAA,UAC3C;AAAA,QACF,CAAA,MAAO;AACL,UAAA,MAAM,YAAA,GAAe;AAAA,YACnB,IAAA,EAAML,QAAA,CAAO,iBAAA,CAAkB,iBAAiB,CAAA,IAAK,WAAA;AAAA,YACrD,WAAA,EAAaA,QAAA,CAAO,iBAAA,CAAkB,wBAAwB,CAAA;AAAA,YAC9D,cAAc,EAAC;AAAA,YACf,cAAc;AAAC,WACjB;AAEA,UAAA,MAAM,YAAYM,+BAAA,CAAgB;AAAA,YAChC,UAAA;AAAA,YACA,QAAA;AAAA,YACA;AAAA,WACD,CAAA;AAED,UAAA,MAAM,mBAAmBD,6CAAA,CAAuB;AAAA,YAC9C,UAAA;AAAA,YACA,QAAA;AAAA,YACA,MAAA;AAAA,YACA,OAAA;AAAA,YACA;AAAA,WACD,CAAA;AAED,UAAA,MAAA,CAAO,GAAA,CAAI,WAAW,SAAS,CAAA;AAC/B,UAAA,MAAA,CAAO,GAAA,CAAI,OAAO,gBAAgB,CAAA;AAAA,QACpC;AAEA,QAAA,UAAA,CAAW,IAAI,MAAM,CAAA;AAErB,QAAA,MAAM,eACJL,QAAA,CAAO,kBAAA;AAAA,UACL;AAAA,aAEFA,QAAA,CAAO,kBAAA;AAAA,UACL;AAAA,SACF;AAEF,QAAA,IAAI,YAAA,EAAc;AAIhB,UAAA,UAAA,CAAW,GAAA;AAAA,YACT,yCAAA;AAAA,YACA,OAAO,GAAG,GAAA,KAAQ;AAChB,cAAA,MAAM,WAAA,GAAc,MAAM,SAAA,CAAU,UAAA,CAAW,MAAM,CAAA;AACrD,cAAA,MAAM,eAAe,MAAM,KAAA;AAAA,gBACzB,GAAG,WAAW,CAAA,iCAAA;AAAA,eAChB;AACA,cAAA,GAAA,CAAI,IAAA,CAAK,MAAM,YAAA,CAAa,IAAA,EAAM,CAAA;AAAA,YACpC;AAAA,WACF;AAKA,UAAA,UAAA,CAAW,GAAA;AAAA,YACT,uCAAA;AAAA,YACA,OAAO,GAAG,GAAA,KAAQ;AAChB,cAAA,MAAM,CAAC,WAAA,EAAa,UAAU,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,gBAClD,SAAA,CAAU,mBAAmB,MAAM,CAAA;AAAA,gBACnC,SAAA,CAAU,mBAAmB,aAAa;AAAA,eAC3C,CAAA;AACD,cAAA,GAAA,CAAI,IAAA,CAAK;AAAA,gBACP,QAAA,EAAU,UAAA;AAAA,gBACV,qBAAA,EAAuB,CAAC,WAAW;AAAA,eACpC,CAAA;AAAA,YACH;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-mcp-actions-backend",
-  "version": "0.1.11-next.0",
+  "version": "0.1.11",
   "backstage": {
     "role": "backend-plugin",
     "pluginId": "mcp-actions",
@@ -39,12 +39,12 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "1.8.1-next.0",
-    "@backstage/catalog-client": "1.14.0",
-    "@backstage/config": "1.3.6",
-    "@backstage/errors": "1.2.7",
-    "@backstage/plugin-catalog-node": "2.1.1-next.0",
-    "@backstage/types": "1.2.2",
+    "@backstage/backend-plugin-api": "^1.8.0",
+    "@backstage/catalog-client": "^1.14.0",
+    "@backstage/config": "^1.3.6",
+    "@backstage/errors": "^1.2.7",
+    "@backstage/plugin-catalog-node": "^2.1.0",
+    "@backstage/types": "^1.2.2",
     "@cfworker/json-schema": "^4.1.1",
     "@modelcontextprotocol/sdk": "^1.25.2",
     "express": "^4.22.0",
@@ -53,9 +53,9 @@
     "zod": "^3.25.76 || ^4.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "0.16.1-next.0",
-    "@backstage/backend-test-utils": "1.11.2-next.0",
-    "@backstage/cli": "0.36.1-next.0",
+    "@backstage/backend-defaults": "^0.16.0",
+    "@backstage/backend-test-utils": "^1.11.1",
+    "@backstage/cli": "^0.36.0",
     "@types/express": "^4.17.6",
     "@types/supertest": "^2.0.8",
     "supertest": "^7.0.0"