npm - @directus/api - Versions diffs - 35.2.0 → 36.0.0-rc.1 - Mend

@directus/api 35.2.0 → 36.0.0-rc.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

package/dist/ai/chat/models/chat-request.js +48 -48
package/dist/ai/chat/models/object-request.js +6 -6
package/dist/ai/chat/models/providers.js +14 -14
package/dist/ai/chat/utils/parse-json-schema-7.js +22 -22
package/dist/ai/mcp/server.js +44 -6
package/dist/ai/mcp/utils.js +31 -0
package/dist/ai/tools/assets/index.js +3 -3
package/dist/ai/tools/collections/index.js +18 -18
package/dist/ai/tools/fields/index.js +18 -18
package/dist/ai/tools/files/index.js +18 -18
package/dist/ai/tools/flows/index.js +16 -16
package/dist/ai/tools/folders/index.js +18 -18
package/dist/ai/tools/items/index.js +17 -17
package/dist/ai/tools/operations/index.js +16 -16
package/dist/ai/tools/relations/index.js +22 -22
package/dist/ai/tools/schema/index.js +3 -3
package/dist/ai/tools/schema.js +159 -159
package/dist/ai/tools/system/index.js +3 -3
package/dist/ai/tools/trigger-flow/index.js +3 -3
package/dist/app.js +35 -11
package/dist/auth/drivers/ldap.js +3 -1
package/dist/auth/drivers/local.js +2 -0
package/dist/auth/drivers/oauth2.js +3 -1
package/dist/auth/drivers/openid.js +3 -1
package/dist/auth/drivers/saml.js +2 -0
package/dist/auth/utils/check-local-disabled.js +16 -0
package/dist/auth/utils/check-sso-enabled.js +14 -0
package/dist/auth.js +8 -5
package/dist/cli/commands/bootstrap/index.js +3 -0
package/dist/cli/commands/cache/clear.js +6 -1
package/dist/cli/commands/roles/create.js +4 -1
package/dist/cli/commands/users/create.js +3 -0
package/dist/constants.js +8 -1
package/dist/controllers/access.js +1 -1
package/dist/controllers/activity.js +2 -1
package/dist/controllers/assets.js +2 -0
package/dist/controllers/auth.js +13 -5
package/dist/controllers/collections.js +1 -1
package/dist/controllers/comments.js +1 -1
package/dist/controllers/dashboards.js +1 -1
package/dist/controllers/fields.js +1 -1
package/dist/controllers/files.js +3 -1
package/dist/controllers/flows.js +6 -5
package/dist/controllers/folders.js +1 -1
package/dist/controllers/graphql.js +2 -0
package/dist/controllers/items.js +3 -1
package/dist/controllers/license.js +119 -0
package/dist/controllers/mcp/index.js +38 -0
package/dist/controllers/mcp/oauth-clients.js +68 -0
package/dist/controllers/mcp/oauth-consent-page.js +316 -0
package/dist/controllers/mcp/oauth.js +381 -0
package/dist/controllers/mcp/templates/oauth-consent.liquid +62 -0
package/dist/controllers/mcp/templates/oauth-error.liquid +28 -0
package/dist/controllers/notifications.js +1 -1
package/dist/controllers/operations.js +1 -1
package/dist/controllers/panels.js +1 -1
package/dist/controllers/permissions.js +1 -1
package/dist/controllers/policies.js +1 -1
package/dist/controllers/presets.js +1 -1
package/dist/controllers/revisions.js +3 -2
package/dist/controllers/roles.js +1 -1
package/dist/controllers/server.js +38 -10
package/dist/controllers/shares.js +1 -1
package/dist/controllers/translations.js +1 -1
package/dist/controllers/users.js +1 -1
package/dist/controllers/utils.js +2 -2
package/dist/controllers/versions.js +12 -5
package/dist/database/get-ast-from-query/lib/convert-wildcards.js +10 -1
package/dist/database/get-ast-from-query/lib/parse-fields.js +2 -1
package/dist/database/helpers/fn/dialects/mysql.js +7 -12
package/dist/database/helpers/fn/dialects/oracle.js +3 -4
package/dist/database/helpers/fn/dialects/postgres.js +4 -26
package/dist/database/helpers/fn/json/mysql-json-path.js +22 -0
package/dist/database/helpers/fn/json/parse-function.js +14 -6
package/dist/database/helpers/fn/json/postgres-json-path.js +54 -0
package/dist/database/migrations/20260110A-add-ai-provider-settings.js +4 -4
package/dist/database/migrations/20260217A-null-item-versions.js +14 -0
package/dist/database/migrations/20260312A-add-ai-translation-settings.js +18 -0
package/dist/database/migrations/20260507A-add-licensing.js +22 -0
package/dist/database/migrations/20260512A-add-autosave-revision-interval.js +14 -0
package/dist/database/migrations/20260512B-add-mcp-oauth.js +87 -0
package/dist/database/run-ast/lib/apply-query/filter/operator.js +116 -33
package/dist/database/run-ast/lib/apply-query/index.js +4 -1
package/dist/database/run-ast/lib/apply-query/sort.js +17 -7
package/dist/database/run-ast/lib/get-db-query.js +21 -9
package/dist/database/run-ast/lib/parse-current-level.js +2 -1
package/dist/database/run-ast/run-ast.js +2 -1
package/dist/database/run-ast/utils/get-column.js +2 -1
package/dist/database/run-ast/utils/merge-with-parent-items.js +5 -3
package/dist/extensions/lib/installation/manager.js +1 -1
package/dist/extensions/lib/sandbox/register/operation.js +1 -1
package/dist/extensions/lib/sync/sync.js +1 -1
package/dist/extensions/manager.js +3 -3
package/dist/flows.js +5 -5
package/dist/license/entitlements/lib/collections.js +37 -0
package/dist/license/entitlements/lib/custom-llms-enabled.js +18 -0
package/dist/license/entitlements/lib/custom-permission-rules-enabled.js +41 -0
package/dist/license/entitlements/lib/flows.js +29 -0
package/dist/license/entitlements/lib/seats.js +103 -0
package/dist/license/entitlements/lib/sso-enabled.js +45 -0
package/dist/license/entitlements/manager.js +256 -0
package/dist/license/index.js +4 -0
package/dist/license/manager.js +505 -0
package/dist/license/utils/compute-license-status.js +27 -0
package/dist/license/utils/get-core-grace-expires-at.js +38 -0
package/dist/license/utils/get-license-key.js +23 -0
package/dist/license/utils/get-license-token.js +23 -0
package/dist/license/utils/handle-license-error.js +41 -0
package/dist/license/utils/is-in-core-grace-period.js +11 -0
package/dist/license/utils/is-sso-bypass-allowed.js +21 -0
package/dist/license/utils/use-rpc.js +33 -0
package/dist/middleware/cache.js +4 -1
package/dist/middleware/error-handler.js +11 -0
package/dist/middleware/extract-token.js +11 -2
package/dist/middleware/is-admin.js +16 -0
package/dist/middleware/is-locked.js +16 -0
package/dist/middleware/mcp-oauth-guard.js +23 -0
package/dist/middleware/request-counter.js +5 -2
package/dist/packages/types/dist/index.js +117 -122
package/dist/permissions/modules/process-ast/utils/extract-paths-from-query.js +10 -1
package/dist/permissions/utils/get-unaliased-field-key.js +2 -1
package/dist/request/is-denied-ip.js +2 -0
package/dist/schedules/license.js +31 -0
package/dist/schedules/oauth-cleanup.js +26 -0
package/dist/schedules/retention.js +1 -1
package/dist/schedules/telemetry.js +4 -1
package/dist/schedules/tus.js +1 -1
package/dist/schedules/utils/duration-to-cron.js +36 -0
package/dist/services/activity.js +15 -0
package/dist/services/authentication.js +12 -5
package/dist/services/collections.js +40 -10
package/dist/services/fields.js +6 -6
package/dist/services/flows.js +12 -0
package/dist/services/graphql/resolvers/system-admin.js +2 -2
package/dist/services/graphql/resolvers/system-global.js +1 -1
package/dist/services/graphql/resolvers/system.js +43 -27
package/dist/services/graphql/schema/get-types.js +28 -7
package/dist/services/graphql/schema/parse-query.js +8 -0
package/dist/services/graphql/schema/read.js +12 -0
package/dist/services/graphql/types/json-filter.js +30 -0
package/dist/services/index.js +6 -6
package/dist/services/items.js +32 -14
package/dist/services/mcp-oauth/cimd.js +307 -0
package/dist/services/mcp-oauth/index.js +1185 -0
package/dist/services/mcp-oauth/types/error.js +22 -0
package/dist/services/mcp-oauth/utils/cimd-egress.js +182 -0
package/dist/services/mcp-oauth/utils/domain.js +21 -0
package/dist/services/mcp-oauth/utils/loopback.js +11 -0
package/dist/services/mcp-oauth/utils/redirect.js +84 -0
package/dist/services/mcp-oauth/utils/registration-debug.js +131 -0
package/dist/services/payload.js +2 -1
package/dist/services/permissions.js +31 -9
package/dist/services/revisions.js +15 -0
package/dist/services/server.js +66 -68
package/dist/services/settings.js +37 -3
package/dist/services/users.js +23 -6
package/dist/services/utils.js +6 -1
package/dist/services/versions.js +160 -70
package/dist/utils/calculate-field-depth.js +1 -0
package/dist/utils/create-admin.js +3 -3
package/dist/utils/deep-freeze.js +24 -0
package/dist/utils/extract-function-name.js +13 -0
package/dist/utils/generate-translations.js +5 -5
package/dist/utils/get-accountability-for-token.js +13 -1
package/dist/utils/get-cache-key.js +1 -1
package/dist/utils/get-history-filter-query.js +22 -0
package/dist/utils/get-schema.js +2 -2
package/dist/utils/get-service.js +3 -3
package/dist/utils/is-admin.js +9 -0
package/dist/utils/is-unauthenticated.js +15 -0
package/dist/utils/parse-oauth-scope.js +12 -0
package/dist/utils/sanitize-query.js +2 -2
package/dist/utils/split-field-path.js +29 -0
package/dist/utils/store.js +1 -1
package/dist/utils/transaction.js +2 -2
package/dist/utils/translations-validation.js +2 -2
package/dist/utils/validate-query.js +35 -4
package/dist/utils/validate-user-count-integrity.js +28 -5
package/dist/utils/verify-session-jwt.js +5 -2
package/dist/utils/versioning/handle-version.js +131 -48
package/dist/utils/versioning/remove-circular.js +17 -0
package/dist/websocket/authenticate.js +2 -1
package/dist/websocket/collab/collab.js +1 -1
package/dist/websocket/collab/room.js +1 -1
package/dist/websocket/controllers/base.js +12 -0
package/dist/websocket/controllers/graphql.js +1 -1
package/dist/websocket/handlers/subscribe.js +1 -1
package/dist/websocket/messages.js +64 -64
package/dist/websocket/utils/items.js +2 -2
package/license +90 -80
package/package.json +33 -32
package/dist/controllers/mcp.js +0 -31

package/dist/controllers/mcp/oauth.js ADDED Viewed

@@ -0,0 +1,381 @@
+import async_handler_default from "../../utils/async-handler.js";
+import { useLogger } from "../../logger/index.js";
+import database_default from "../../database/index.js";
+import { Url } from "../../utils/url.js";
+import { RateLimiterRes, createRateLimiter } from "../../rate-limiter.js";
+import { getSchema } from "../../utils/get-schema.js";
+import { SettingsService } from "../../services/settings.js";
+import { getIPFromReq } from "../../utils/get-ip-from-req.js";
+import { getAccountabilityForToken } from "../../utils/get-accountability-for-token.js";
+import { getMcpUrls } from "../../ai/mcp/utils.js";
+import { OAuthError } from "../../services/mcp-oauth/types/error.js";
+import { getAllowedCustomRedirectSchemes } from "../../services/mcp-oauth/utils/redirect.js";
+import { summarizeDcrRegistrationMetadata } from "../../services/mcp-oauth/utils/registration-debug.js";
+import { McpOAuthService } from "../../services/mcp-oauth/index.js";
+import { renderConsentPage, renderErrorPage } from "./oauth-consent-page.js";
+import { useEnv } from "@directus/env";
+import { toBoolean } from "@directus/utils";
+import express, { Router } from "express";
+import { createHash } from "node:crypto";
+import { isIP } from "node:net";
+//#region src/controllers/mcp/oauth.ts
+function getRedirectIndicator(redirectUri, clientId, registrationType) {
+	try {
+		const redirectUrl = new URL(redirectUri);
+		const host = redirectUrl.hostname;
+		if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "[::1]") return "localhost";
+		if (isIP(host) !== 0) return "ip-address";
+		if (registrationType === "cimd") try {
+			const clientUrl = new URL(clientId);
+			if (redirectUrl.hostname !== clientUrl.hostname) return "cross-origin";
+		} catch {}
+	} catch {}
+}
+/**
+* RFC 6749 Section 3.1: reject requests with duplicate form parameters.
+* Express parses duplicates as arrays, so any array value indicates a duplicate.
+*/
+function rejectDuplicateParams(req, res, next) {
+	for (const [key, value] of Object.entries(req.body)) if (Array.isArray(value)) {
+		res.status(400).json({
+			error: "invalid_request",
+			error_description: `Duplicate parameter: ${key}`
+		});
+		return;
+	}
+	next();
+}
+/**
+* Consent endpoints are browser-based (rendered HTML form), so the session must
+* come from a cookie. Rejects bearer-token auth to prevent token-stealing attacks
+* where a malicious client tricks the user into submitting consent via API.
+*/
+function requireCookieAuth(req, res, next) {
+	if (req.tokenSource !== "cookie") {
+		res.status(403).json({
+			error: "access_denied",
+			error_description: "Cookie authentication required"
+		});
+		return;
+	}
+	next();
+}
+/**
+* CSRF protection via Origin header. Only allows requests from the same origin
+* as PUBLIC_URL. This guards the consent decision endpoint -- without it, a
+* malicious page could POST approval on behalf of an authenticated user.
+*/
+function requireSameOrigin(req, res, next) {
+	const env = useEnv();
+	const origin = req.headers["origin"];
+	if (!origin) {
+		res.status(403).json({
+			error: "access_denied",
+			error_description: "Origin header required"
+		});
+		return;
+	}
+	let publicUrl;
+	let requestOrigin;
+	try {
+		publicUrl = new URL(String(env["PUBLIC_URL"]));
+		requestOrigin = new URL(origin);
+	} catch {
+		res.status(403).json({
+			error: "access_denied",
+			error_description: "Malformed Origin header"
+		});
+		return;
+	}
+	if (publicUrl.origin !== requestOrigin.origin) {
+		res.status(403).json({
+			error: "access_denied",
+			error_description: "Cross-origin request not allowed"
+		});
+		return;
+	}
+	next();
+}
+/**
+* Override Helmet's CSP form-action directive on this response only.
+* The consent page form POSTs to 'self', but the 302 redirect targets external
+* callback URIs. Chrome extends form-action to the redirect chain.
+* Redirect URIs are validated at DCR/CIMD time (HTTPS, localhost, or known MCP desktop redirects only).
+*/
+function relaxFormAction(res) {
+	const csp = res.getHeader("Content-Security-Policy");
+	if (typeof csp === "string") {
+		const customSchemes = getAllowedCustomRedirectSchemes();
+		const customSchemeSources = customSchemes.length > 0 ? ` ${customSchemes.join(" ")}` : "";
+		res.set("Content-Security-Policy", csp.replace(/form-action\s+([^;]+)/, `form-action $1 https: http://localhost:* http://127.0.0.1:*${customSchemeSources}`));
+	}
+}
+/**
+* Convert OAuthError to RFC 6749/7591 JSON error format (`{ error, error_description }`).
+* Non-OAuthError instances fall through to the default Directus error handler.
+*/
+function oauthErrorHandler(err, _req, res, next) {
+	if (err instanceof OAuthError) {
+		for (const [key, value] of Object.entries(err.headers)) res.set(key, value);
+		res.status(err.status).json({
+			error: err.code,
+			error_description: err.description
+		});
+		return;
+	}
+	next(err);
+}
+function setCorsWildcard(_req, res, next) {
+	res.set("Access-Control-Allow-Origin", "*");
+	next();
+}
+function noCache(res) {
+	res.set("Cache-Control", "no-store");
+	res.set("Pragma", "no-cache");
+}
+function setNoCacheHeaders(_req, res, next) {
+	noCache(res);
+	next();
+}
+function getRegistrationRequestDebugContext(req) {
+	return {
+		content_type: req.headers["content-type"],
+		user_agent: req.headers["user-agent"],
+		registration: summarizeDcrRegistrationMetadata(req.body)
+	};
+}
+function logRegistrationBodyParseError(err, req, _res, next) {
+	useLogger().debug({
+		reason: "invalid_json",
+		content_type: req.headers["content-type"],
+		error: err instanceof Error ? err.message : void 0
+	}, "MCP OAuth DCR request body parsing failed");
+	next(err);
+}
+function isOAuthHtmlEndpoint(req) {
+	return req.path === "/mcp-oauth/authorize" || req.path === "/mcp-oauth/authorize/decision";
+}
+async function loadOAuthPageOpts(req, settingsService, authenticatedUserId = req.accountability?.user) {
+	const env = useEnv();
+	const [settings, user] = await Promise.all([settingsService.readSingleton({ fields: [
+		"project_name",
+		"project_color",
+		"project_logo",
+		"default_appearance"
+	] }), authenticatedUserId ? database_default()("directus_users").where("id", authenticatedUserId).select("appearance").first() : null]);
+	const projectLogo = settings?.project_logo;
+	return {
+		projectName: settings?.project_name ?? "Directus",
+		projectColor: settings?.project_color ?? "#6644ff",
+		logoUrl: projectLogo ? new Url(env["PUBLIC_URL"]).addPath("assets", projectLogo).toString() : null,
+		appearance: user?.appearance ?? settings?.default_appearance ?? "auto"
+	};
+}
+/**
+* Middleware: check mcp_enabled + mcp_oauth_enabled settings.
+* Env vars (MCP_ENABLED, MCP_OAUTH_ENABLED) are already gated at the app.ts mount level.
+*/
+async function checkOAuthSettings(req, res, next) {
+	const settingsService = new SettingsService({ schema: req.schema ?? await getSchema() });
+	const settings = await settingsService.readSingleton({ fields: ["mcp_enabled", "mcp_oauth_enabled"] });
+	if (toBoolean(settings?.mcp_enabled) !== true || toBoolean(settings?.mcp_oauth_enabled) !== true) {
+		if (isOAuthHtmlEndpoint(req)) {
+			const pageOpts = await loadOAuthPageOpts(req, settingsService);
+			res.set("Content-Type", "text/html; charset=utf-8");
+			res.status(403).send(await renderErrorPage("MCP OAuth is disabled in project settings.", pageOpts));
+			return;
+		}
+		res.set("Access-Control-Allow-Origin", "*");
+		if (req.path.includes("/token")) noCache(res);
+		res.status(403).json({
+			error: "mcp_oauth_disabled",
+			error_description: "MCP OAuth is disabled in project settings."
+		});
+		return;
+	}
+	next();
+}
+function createRateLimitMiddleware(prefix) {
+	if (useEnv()[`${prefix}_ENABLED`] !== true) return (_req, _res, next) => next();
+	const limiter = createRateLimiter(prefix);
+	return (req, res, next) => {
+		limiter.consume(getIPFromReq(req) ?? "0.0.0.0").then(() => next()).catch((rlRes) => {
+			if (rlRes instanceof RateLimiterRes) {
+				res.set("Retry-After", String(Math.ceil(rlRes.msBeforeNext / 1e3)));
+				res.status(429).json({
+					error: "rate_limit_exceeded",
+					error_description: "Too many requests"
+				});
+			} else next(rlRes);
+		});
+	};
+}
+const oauthRateLimitMiddleware = createRateLimitMiddleware("RATE_LIMITER_MCP_OAUTH");
+const registrationRateLimitMiddleware = createRateLimitMiddleware("RATE_LIMITER_MCP_OAUTH_REGISTRATION");
+/**
+* Unauthenticated OAuth routes. Mounted before the authenticate middleware in app.ts.
+*
+* Routes: `/.well-known/oauth-protected-resource`, `/.well-known/oauth-authorization-server`
+* (RFC 9728/8414 discovery), `/mcp-oauth/authorize` (consent page with manual session check),
+* `/mcp-oauth/register` (DCR), `/mcp-oauth/token`, `/mcp-oauth/revoke`.
+*/
+const mcpOAuthPublicRouter = Router();
+mcpOAuthPublicRouter.get("/.well-known/oauth-protected-resource*", setCorsWildcard, async_handler_default(checkOAuthSettings), async_handler_default(async (_req, res) => {
+	const service = new McpOAuthService({ schema: await getSchema() });
+	res.json(service.getProtectedResourceMetadata());
+}));
+mcpOAuthPublicRouter.get("/.well-known/oauth-authorization-server*", setCorsWildcard, async_handler_default(checkOAuthSettings), async_handler_default(async (_req, res) => {
+	const service = new McpOAuthService({ schema: await getSchema() });
+	res.json(await service.getAuthorizationServerMetadata());
+}));
+mcpOAuthPublicRouter.get("/mcp-oauth/authorize", oauthRateLimitMiddleware, async_handler_default(checkOAuthSettings), async_handler_default(async (req, res) => {
+	const env = useEnv();
+	const loginUrl = new Url(env["PUBLIC_URL"]).addPath("admin", "login").toString();
+	const schema = await getSchema();
+	function redirectToLogin() {
+		res.redirect(302, `${loginUrl}?redirect=${encodeURIComponent(req.originalUrl)}`);
+	}
+	const cookieName = env["SESSION_COOKIE_NAME"];
+	const sessionToken = req.cookies?.[cookieName];
+	if (!sessionToken) {
+		redirectToLogin();
+		return;
+	}
+	let accountability;
+	try {
+		accountability = await getAccountabilityForToken(sessionToken, { schema });
+	} catch {
+		redirectToLogin();
+		return;
+	}
+	if (!accountability?.user || accountability.oauth) {
+		redirectToLogin();
+		return;
+	}
+	const pageOpts = await loadOAuthPageOpts(req, new SettingsService({ schema }), accountability.user);
+	const service = new McpOAuthService({ schema });
+	const sessionHash = createHash("sha256").update(sessionToken).digest("hex");
+	try {
+		const result = await service.validateAuthorization({
+			client_id: req.query["client_id"],
+			redirect_uri: req.query["redirect_uri"],
+			response_type: req.query["response_type"],
+			code_challenge: req.query["code_challenge"],
+			code_challenge_method: req.query["code_challenge_method"],
+			scope: req.query["scope"],
+			resource: req.query["resource"],
+			state: req.query["state"],
+			response_mode: req.query["response_mode"]
+		}, accountability.user, sessionHash);
+		const decisionUrl = new Url(env["PUBLIC_URL"]).addPath("mcp-oauth", "authorize", "decision").toString();
+		res.set("Content-Type", "text/html; charset=utf-8");
+		noCache(res);
+		relaxFormAction(res);
+		const clientId = req.query["client_id"];
+		const registrationType = result.registration_type ?? "dcr";
+		const consentData = {
+			clientName: result.client_name,
+			redirectUri: result.redirect_uri,
+			scope: result.scope,
+			signedParams: result.signed_params,
+			decisionUrl,
+			clientDomain: result.client_domain,
+			registrationType,
+			redirectIndicator: getRedirectIndicator(result.redirect_uri, clientId, registrationType)
+		};
+		res.send(await renderConsentPage(consentData, pageOpts));
+	} catch (err) {
+		if (!(err instanceof OAuthError)) throw err;
+		if (err.redirectable) {
+			const redirectUri = req.query["redirect_uri"];
+			const state = req.query["state"];
+			const { issuerUrl } = getMcpUrls();
+			const url = new URL(redirectUri);
+			url.searchParams.set("error", err.code);
+			url.searchParams.set("error_description", err.description);
+			if (state) url.searchParams.set("state", state);
+			url.searchParams.set("iss", issuerUrl);
+			res.redirect(302, url.toString());
+			return;
+		}
+		res.set("Content-Type", "text/html; charset=utf-8");
+		noCache(res);
+		res.status(err.status).send(await renderErrorPage(err.description, pageOpts));
+	}
+}));
+mcpOAuthPublicRouter.post("/mcp-oauth/register", registrationRateLimitMiddleware, async_handler_default(checkOAuthSettings), express.json(), logRegistrationBodyParseError, setCorsWildcard, async_handler_default(async (req, res) => {
+	const logger = useLogger();
+	const service = new McpOAuthService({ schema: await getSchema() });
+	const debugContext = getRegistrationRequestDebugContext(req);
+	let result;
+	try {
+		result = await service.registerClient(req.body);
+	} catch (err) {
+		if (err instanceof OAuthError) logger.debug({
+			...debugContext,
+			status: err.status,
+			code: err.code,
+			description: err.description
+		}, "MCP OAuth DCR request rejected");
+		else logger.debug({
+			...debugContext,
+			error: err instanceof Error ? {
+				name: err.name,
+				message: err.message
+			} : void 0
+		}, "MCP OAuth DCR request failed");
+		throw err;
+	}
+	logger.debug({
+		client_id: result.client_id,
+		token_endpoint_auth_method: result.token_endpoint_auth_method,
+		redirect_uri_count: result.redirect_uris.length,
+		grant_types: result.grant_types
+	}, "MCP OAuth DCR client registered");
+	res.set("Cache-Control", "no-store");
+	res.status(201).json(result);
+}));
+mcpOAuthPublicRouter.post("/mcp-oauth/token", oauthRateLimitMiddleware, async_handler_default(checkOAuthSettings), express.urlencoded({ extended: false }), rejectDuplicateParams, setCorsWildcard, setNoCacheHeaders, async_handler_default(async (req, res) => {
+	const service = new McpOAuthService({ schema: await getSchema() });
+	const context = {
+		ip: getIPFromReq(req) ?? "0.0.0.0",
+		userAgent: req.headers["user-agent"] ?? "unknown"
+	};
+	const grantType = req.body.grant_type;
+	let result;
+	const authParams = {
+		...req.body,
+		authorization_header: req.headers.authorization
+	};
+	if (grantType === "authorization_code") result = await service.exchangeCode(authParams, context);
+	else if (grantType === "refresh_token") result = await service.refreshToken(authParams, context);
+	else if (!grantType) throw new OAuthError(400, "invalid_request", "grant_type is required");
+	else throw new OAuthError(400, "unsupported_grant_type", `Unsupported grant_type: ${grantType}`);
+	res.json(result);
+}));
+mcpOAuthPublicRouter.post("/mcp-oauth/revoke", oauthRateLimitMiddleware, async_handler_default(checkOAuthSettings), express.urlencoded({ extended: false }), rejectDuplicateParams, setCorsWildcard, async_handler_default(async (req, res) => {
+	await new McpOAuthService({ schema: await getSchema() }).revokeToken({
+		...req.body,
+		authorization_header: req.headers.authorization
+	});
+	res.status(200).json({});
+}));
+mcpOAuthPublicRouter.use(oauthErrorHandler);
+/**
+* Authenticated OAuth routes. Mounted after the authenticate middleware in app.ts.
+* Requires cookie-based auth + same-origin checks (consent is a browser interaction).
+*
+* Routes: `/mcp-oauth/authorize/decision` (native form POST with 302 redirect).
+*/
+const mcpOAuthProtectedRouter = Router();
+mcpOAuthProtectedRouter.post("/mcp-oauth/authorize/decision", async_handler_default(checkOAuthSettings), express.urlencoded({ extended: false }), rejectDuplicateParams, requireCookieAuth, requireSameOrigin, async_handler_default(async (req, res) => {
+	const redirectUrl = await new McpOAuthService({ schema: req.schema }).processDecision(req.body, req.accountability.user, req.token);
+	res.set("Referrer-Policy", "no-referrer");
+	noCache(res);
+	res.redirect(302, redirectUrl);
+}));
+mcpOAuthProtectedRouter.use(oauthErrorHandler);
+//#endregion
+export { getRedirectIndicator, mcpOAuthProtectedRouter, mcpOAuthPublicRouter };

package/dist/controllers/mcp/templates/oauth-consent.liquid ADDED Viewed

@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html lang="en"{{ themeAttr | raw }}>
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorize - {{ projectName }}</title>
+<style>{{ styles | raw }}</style>
+</head>
+<body>
+<div class="card">
+  <div class="logo-row">
+    <div class="{{ logoClass }}">
+      {% if logoUrl %}
+        <img src="{{ logoUrl }}" alt="{{ logoAlt }}">
+      {% elsif logoDataUri %}
+        <img src="{{ logoDataUri | raw }}" alt="Directus">
+      {% endif %}
+    </div>
+  </div>
+  <h1><strong>{{ clientName }}</strong> is requesting access</h1>
+  <div class="details">
+    <div class="details-label">Details</div>
+    <div class="detail-row">
+      <span class="detail-key">Name</span>
+      <span class="detail-value name">{{ clientName }}</span>
+    </div>
+    {% if clientDomain %}
+    <div class="detail-row">
+      <span class="detail-key">Domain</span>
+      <span class="detail-value">{{ clientDomain }}</span>
+    </div>
+    {% endif %}
+    <div class="detail-row">
+      <span class="detail-key">Redirect URI</span>
+      <span class="detail-value">{{ redirectUri }}</span>
+    </div>
+    {% if redirectIndicator == 'localhost' %}
+    <div class="detail-row">
+      <span class="detail-key"></span>
+      <span class="detail-value redirect-warn">Redirects to your local machine. Another application on this device could intercept this authorization.</span>
+    </div>
+    {% elsif redirectIndicator == 'cross-origin' %}
+    <div class="detail-row">
+      <span class="detail-key"></span>
+      <span class="detail-value redirect-warn">Redirect goes to a different domain than the application.</span>
+    </div>
+    {% elsif redirectIndicator == 'ip-address' %}
+    <div class="detail-row">
+      <span class="detail-key"></span>
+      <span class="detail-value redirect-warn">Redirect uses an IP address.</span>
+    </div>
+    {% endif %}
+  </div>
+  <p class="note">This MCP client is requesting to be authorized. If you approve, it will be able to access data on <strong>{{ projectName }}</strong> on your behalf. This application has not been verified by <strong>{{ projectName }}</strong>.</p>
+  <form action="{{ decisionUrl }}" method="POST" class="actions">
+    <input type="hidden" name="signed_params" value="{{ signedParams }}">
+    <button type="submit" name="approved" value="false" class="btn-cancel">Cancel</button>
+    <button type="submit" name="approved" value="true" class="btn-approve">Approve</button>
+  </form>
+</div>
+</body>
+</html>

package/dist/controllers/mcp/templates/oauth-error.liquid ADDED Viewed

@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html lang="en"{{ themeAttr | raw }}>
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorization Error - {{ projectName }}</title>
+<style>
+{{ styles | raw }}
+h1 { color: var(--theme--danger); }
+.note { text-align: center; }
+</style>
+</head>
+<body>
+<div class="card">
+  <div class="logo-row">
+    <div class="{{ logoClass }}">
+      {% if logoUrl %}
+        <img src="{{ logoUrl }}" alt="{{ logoAlt }}">
+      {% elsif logoDataUri %}
+        <img src="{{ logoDataUri | raw }}" alt="Directus">
+      {% endif %}
+    </div>
+  </div>
+  <h1>Authorization Error</h1>
+  <p class="note">{{ description }}</p>
+</div>
+</body>
+</html>

package/dist/controllers/notifications.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { NotificationsService } from "../services/notifications.js";
 import { respond } from "../middleware/respond.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import use_collection_default from "../middleware/use-collection.js";
 import { validateBatch } from "../middleware/validate-batch.js";

package/dist/controllers/operations.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import { OperationsService } from "../services/operations.js";
 import use_collection_default from "../middleware/use-collection.js";

package/dist/controllers/panels.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import { PanelsService } from "../services/panels.js";
 import use_collection_default from "../middleware/use-collection.js";

package/dist/controllers/permissions.js CHANGED Viewed

@@ -1,8 +1,8 @@
 import async_handler_default from "../utils/async-handler.js";
 import database_default from "../database/index.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
 import { fetchAccountabilityCollectionAccess } from "../permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import { PermissionsService } from "../services/permissions.js";
 import use_collection_default from "../middleware/use-collection.js";

package/dist/controllers/policies.js CHANGED Viewed

@@ -1,8 +1,8 @@
 import async_handler_default from "../utils/async-handler.js";
 import database_default from "../database/index.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
 import { fetchAccountabilityPolicyGlobals } from "../permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import { PoliciesService } from "../services/policies.js";
 import use_collection_default from "../middleware/use-collection.js";

package/dist/controllers/presets.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
 import { PresetsService } from "../services/presets.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import use_collection_default from "../middleware/use-collection.js";
 import { validateBatch } from "../middleware/validate-batch.js";

package/dist/controllers/revisions.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import async_handler_default from "../utils/async-handler.js";
-import { respond } from "../middleware/respond.js";
 import { RevisionsService } from "../services/revisions.js";
+import { respond } from "../middleware/respond.js";
 import { MetaService } from "../services/meta.js";
 import use_collection_default from "../middleware/use-collection.js";
 import { validateBatch } from "../middleware/validate-batch.js";
@@ -19,7 +19,8 @@ const readHandler = async_handler_default(async (req, res, next) => {
 		schema: req.schema
 	});
 	const records = await service.readByQuery(req.sanitizedQuery);
-	const meta = await metaService.getMetaForQuery("directus_revisions", req.sanitizedQuery);
+	const historyQuery = service.getLimitedHistoryQuery(req.sanitizedQuery);
+	const meta = await metaService.getMetaForQuery("directus_revisions", historyQuery);
 	res.locals["payload"] = {
 		data: records || null,
 		meta

package/dist/controllers/roles.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
 import { RolesService } from "../services/roles.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import use_collection_default from "../middleware/use-collection.js";
 import { validateBatch } from "../middleware/validate-batch.js";

package/dist/controllers/server.js CHANGED Viewed

@@ -4,10 +4,14 @@ import { respond } from "../middleware/respond.js";
 import { ServerService } from "../services/server.js";
 import { SpecificationService } from "../services/specifications.js";
 import "../services/index.js";
+import { getLicenseManager } from "../license/manager.js";
 import { createAdmin } from "../utils/create-admin.js";
 import { useEnv } from "@directus/env";
-import { ErrorCode, ForbiddenError, RouteNotFoundError, isDirectusError } from "@directus/errors";
+import { ErrorCode, ForbiddenError, InvalidPayloadError, RouteNotFoundError, isDirectusError } from "@directus/errors";
+import { toBoolean } from "@directus/utils";
 import { Router } from "express";
+import { fromZodError } from "zod-validation-error";
+import z from "zod";
 import { format } from "date-fns";
 //#region src/controllers/server.ts
@@ -46,7 +50,7 @@ router.get("/info", async_handler_default(async (req, res, next) => {
 	res.locals["payload"] = { data };
 	return next();
 }), respond);
-router.get("/health", async_handler_default(async (req, res, next) => {
+if (toBoolean(env["HEALTHCHECK_ENABLED"]) !== false) router.get("/health", async_handler_default(async (req, res, next) => {
 	const data = await new ServerService({
 		accountability: req.accountability,
 		schema: req.schema
@@ -57,19 +61,43 @@ router.get("/health", async_handler_default(async (req, res, next) => {
 	res.locals["cache"] = false;
 	return next();
 }), respond);
+const SetupSchema = z.object({
+	admin: z.object({
+		email: z.string(),
+		password: z.string(),
+		first_name: z.string().optional(),
+		last_name: z.string().optional()
+	}),
+	license_key: z.string().optional(),
+	owner: z.object({
+		project_owner: z.string().nullable(),
+		project_usage: z.enum([
+			"personal",
+			"commercial",
+			"community"
+		]).nullable(),
+		org_name: z.string().nullable(),
+		product_updates: z.boolean()
+	}).optional()
+});
 router.post("/setup", async_handler_default(async (req, _res, next) => {
 	if (await new ServerService({ schema: req.schema }).isSetupCompleted()) throw new ForbiddenError();
+	const { error, data } = SetupSchema.safeParse(req.body);
+	if (error) throw new InvalidPayloadError({ reason: fromZodError(error).message });
+	const licenseManager = getLicenseManager();
 	try {
+		if (data.license_key) await licenseManager.activate(data.license_key);
 		await createAdmin(req.schema, {
-			email: req.body.project_owner,
-			password: req.body.password,
-			first_name: req.body.first_name,
-			last_name: req.body.last_name
+			email: data.admin.email,
+			password: data.admin.password,
+			first_name: data.admin.first_name,
+			last_name: data.admin.last_name
 		});
-		new SettingsService({ schema: req.schema }).setOwner(req.body);
-	} catch (error) {
-		if (isDirectusError(error, ErrorCode.Forbidden)) return next();
-		throw error;
+		const settingsService = new SettingsService({ schema: req.schema });
+		if (data.owner) settingsService.setOwner(data.owner);
+	} catch (error$1) {
+		if (isDirectusError(error$1, ErrorCode.Forbidden)) return next();
+		throw error$1;
 	}
 	return next();
 }), respond);

package/dist/controllers/shares.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import async_handler_default from "../utils/async-handler.js";
 import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS, UUID_REGEX } from "../constants.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { SharesService } from "../services/shares.js";
 import use_collection_default from "../middleware/use-collection.js";
 import { validateBatch } from "../middleware/validate-batch.js";

package/dist/controllers/translations.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import { TranslationsService } from "../services/translations.js";
 import use_collection_default from "../middleware/use-collection.js";