@payloadcms/plugin-mcp 4.0.0-internal.293e026 → 4.0.0-internal.2fddfc0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (201) hide show
  1. package/dist/defaultAccess.d.ts +3 -0
  2. package/dist/defaultAccess.d.ts.map +1 -0
  3. package/dist/defaultAccess.js +3 -0
  4. package/dist/defaultAccess.js.map +1 -0
  5. package/dist/endpoint/access.d.ts +17 -5
  6. package/dist/endpoint/access.d.ts.map +1 -1
  7. package/dist/endpoint/access.js +82 -88
  8. package/dist/endpoint/access.js.map +1 -1
  9. package/dist/endpoint/index.d.ts.map +1 -1
  10. package/dist/endpoint/index.js +11 -0
  11. package/dist/endpoint/index.js.map +1 -1
  12. package/dist/exports/client.d.ts +1 -1
  13. package/dist/exports/client.d.ts.map +1 -1
  14. package/dist/exports/client.js +1 -1
  15. package/dist/exports/client.js.map +1 -1
  16. package/dist/exports/internal.d.ts +2 -0
  17. package/dist/exports/internal.d.ts.map +1 -0
  18. package/dist/exports/internal.js +3 -0
  19. package/dist/exports/internal.js.map +1 -0
  20. package/dist/index.d.ts.map +1 -1
  21. package/dist/index.js +13 -18
  22. package/dist/index.js.map +1 -1
  23. package/dist/mcp/buildMcpServer.d.ts.map +1 -1
  24. package/dist/mcp/buildMcpServer.js +102 -71
  25. package/dist/mcp/buildMcpServer.js.map +1 -1
  26. package/dist/mcp/builtin/collections/authTools.d.ts.map +1 -1
  27. package/dist/mcp/builtin/collections/authTools.js +44 -6
  28. package/dist/mcp/builtin/collections/authTools.js.map +1 -1
  29. package/dist/mcp/builtin/collections/countTool.d.ts +2 -0
  30. package/dist/mcp/builtin/collections/countTool.d.ts.map +1 -0
  31. package/dist/mcp/builtin/collections/countTool.js +69 -0
  32. package/dist/mcp/builtin/collections/countTool.js.map +1 -0
  33. package/dist/mcp/builtin/collections/countVersionsTool.d.ts +2 -0
  34. package/dist/mcp/builtin/collections/countVersionsTool.d.ts.map +1 -0
  35. package/dist/mcp/builtin/collections/countVersionsTool.js +65 -0
  36. package/dist/mcp/builtin/collections/countVersionsTool.js.map +1 -0
  37. package/dist/mcp/builtin/collections/createTool.d.ts +1 -1
  38. package/dist/mcp/builtin/collections/createTool.d.ts.map +1 -1
  39. package/dist/mcp/builtin/collections/createTool.js +38 -42
  40. package/dist/mcp/builtin/collections/createTool.js.map +1 -1
  41. package/dist/mcp/builtin/collections/deleteTool.d.ts +1 -1
  42. package/dist/mcp/builtin/collections/deleteTool.d.ts.map +1 -1
  43. package/dist/mcp/builtin/collections/deleteTool.js +14 -20
  44. package/dist/mcp/builtin/collections/deleteTool.js.map +1 -1
  45. package/dist/mcp/builtin/collections/duplicateTool.d.ts +2 -0
  46. package/dist/mcp/builtin/collections/duplicateTool.d.ts.map +1 -0
  47. package/dist/mcp/builtin/collections/duplicateTool.js +97 -0
  48. package/dist/mcp/builtin/collections/duplicateTool.js.map +1 -0
  49. package/dist/mcp/builtin/collections/findDistinctTool.d.ts +2 -0
  50. package/dist/mcp/builtin/collections/findDistinctTool.d.ts.map +1 -0
  51. package/dist/mcp/builtin/collections/findDistinctTool.js +93 -0
  52. package/dist/mcp/builtin/collections/findDistinctTool.js.map +1 -0
  53. package/dist/mcp/builtin/collections/findTool.d.ts +1 -1
  54. package/dist/mcp/builtin/collections/findTool.d.ts.map +1 -1
  55. package/dist/mcp/builtin/collections/findTool.js +49 -43
  56. package/dist/mcp/builtin/collections/findTool.js.map +1 -1
  57. package/dist/mcp/builtin/collections/findVersionByIDTool.d.ts +2 -0
  58. package/dist/mcp/builtin/collections/findVersionByIDTool.d.ts.map +1 -0
  59. package/dist/mcp/builtin/collections/findVersionByIDTool.js +84 -0
  60. package/dist/mcp/builtin/collections/findVersionByIDTool.js.map +1 -0
  61. package/dist/mcp/builtin/collections/findVersionsTool.d.ts +2 -0
  62. package/dist/mcp/builtin/collections/findVersionsTool.d.ts.map +1 -0
  63. package/dist/mcp/builtin/collections/findVersionsTool.js +99 -0
  64. package/dist/mcp/builtin/collections/findVersionsTool.js.map +1 -0
  65. package/dist/mcp/builtin/collections/formatCollectionError.d.ts +9 -0
  66. package/dist/mcp/builtin/collections/formatCollectionError.d.ts.map +1 -0
  67. package/dist/mcp/builtin/collections/formatCollectionError.js +60 -0
  68. package/dist/mcp/builtin/collections/formatCollectionError.js.map +1 -0
  69. package/dist/mcp/builtin/collections/getCollectionSchemaTool.d.ts +2 -0
  70. package/dist/mcp/builtin/collections/getCollectionSchemaTool.d.ts.map +1 -0
  71. package/dist/mcp/builtin/collections/getCollectionSchemaTool.js +47 -0
  72. package/dist/mcp/builtin/collections/getCollectionSchemaTool.js.map +1 -0
  73. package/dist/mcp/builtin/collections/restoreVersionTool.d.ts +2 -0
  74. package/dist/mcp/builtin/collections/restoreVersionTool.d.ts.map +1 -0
  75. package/dist/mcp/builtin/collections/restoreVersionTool.js +82 -0
  76. package/dist/mcp/builtin/collections/restoreVersionTool.js.map +1 -0
  77. package/dist/mcp/builtin/collections/updateTool.d.ts +1 -1
  78. package/dist/mcp/builtin/collections/updateTool.d.ts.map +1 -1
  79. package/dist/mcp/builtin/collections/updateTool.js +87 -86
  80. package/dist/mcp/builtin/collections/updateTool.js.map +1 -1
  81. package/dist/mcp/builtin/getConfigInfoTool.d.ts +2 -0
  82. package/dist/mcp/builtin/getConfigInfoTool.d.ts.map +1 -0
  83. package/dist/mcp/builtin/getConfigInfoTool.js +71 -0
  84. package/dist/mcp/builtin/getConfigInfoTool.js.map +1 -0
  85. package/dist/mcp/builtin/globals/countVersionsTool.d.ts +2 -0
  86. package/dist/mcp/builtin/globals/countVersionsTool.d.ts.map +1 -0
  87. package/dist/mcp/builtin/globals/countVersionsTool.js +65 -0
  88. package/dist/mcp/builtin/globals/countVersionsTool.js.map +1 -0
  89. package/dist/mcp/builtin/globals/findTool.d.ts.map +1 -1
  90. package/dist/mcp/builtin/globals/findTool.js +18 -21
  91. package/dist/mcp/builtin/globals/findTool.js.map +1 -1
  92. package/dist/mcp/builtin/globals/findVersionByIDTool.d.ts +2 -0
  93. package/dist/mcp/builtin/globals/findVersionByIDTool.d.ts.map +1 -0
  94. package/dist/mcp/builtin/globals/findVersionByIDTool.js +80 -0
  95. package/dist/mcp/builtin/globals/findVersionByIDTool.js.map +1 -0
  96. package/dist/mcp/builtin/globals/findVersionsTool.d.ts +2 -0
  97. package/dist/mcp/builtin/globals/findVersionsTool.d.ts.map +1 -0
  98. package/dist/mcp/builtin/globals/findVersionsTool.js +95 -0
  99. package/dist/mcp/builtin/globals/findVersionsTool.js.map +1 -0
  100. package/dist/mcp/builtin/globals/getGlobalSchemaTool.d.ts +2 -0
  101. package/dist/mcp/builtin/globals/getGlobalSchemaTool.d.ts.map +1 -0
  102. package/dist/mcp/builtin/globals/getGlobalSchemaTool.js +47 -0
  103. package/dist/mcp/builtin/globals/getGlobalSchemaTool.js.map +1 -0
  104. package/dist/mcp/builtin/globals/restoreVersionTool.d.ts +2 -0
  105. package/dist/mcp/builtin/globals/restoreVersionTool.d.ts.map +1 -0
  106. package/dist/mcp/builtin/globals/restoreVersionTool.js +78 -0
  107. package/dist/mcp/builtin/globals/restoreVersionTool.js.map +1 -0
  108. package/dist/mcp/builtin/globals/updateTool.d.ts.map +1 -1
  109. package/dist/mcp/builtin/globals/updateTool.js +31 -40
  110. package/dist/mcp/builtin/globals/updateTool.js.map +1 -1
  111. package/dist/mcp/builtin/validateEntityData.d.ts +14 -0
  112. package/dist/mcp/builtin/validateEntityData.d.ts.map +1 -0
  113. package/dist/mcp/builtin/validateEntityData.js +82 -0
  114. package/dist/mcp/builtin/validateEntityData.js.map +1 -0
  115. package/dist/mcp/builtinTools.d.ts +144 -19
  116. package/dist/mcp/builtinTools.d.ts.map +1 -1
  117. package/dist/mcp/builtinTools.js +119 -20
  118. package/dist/mcp/builtinTools.js.map +1 -1
  119. package/dist/mcp/sanitizeMCPConfig.d.ts +0 -1
  120. package/dist/mcp/sanitizeMCPConfig.d.ts.map +1 -1
  121. package/dist/mcp/sanitizeMCPConfig.js +120 -58
  122. package/dist/mcp/sanitizeMCPConfig.js.map +1 -1
  123. package/dist/stdio.d.ts +3 -2
  124. package/dist/stdio.d.ts.map +1 -1
  125. package/dist/stdio.js +27 -8
  126. package/dist/stdio.js.map +1 -1
  127. package/dist/types.d.ts +62 -108
  128. package/dist/types.d.ts.map +1 -1
  129. package/dist/types.js +4 -4
  130. package/dist/types.js.map +1 -1
  131. package/dist/utils/getPluginConfig.d.ts +1 -1
  132. package/dist/utils/getPluginConfig.js +1 -1
  133. package/dist/utils/getPluginConfig.js.map +1 -1
  134. package/dist/utils/schemaConversion/getEntityInputSchema.d.ts +11 -0
  135. package/dist/utils/schemaConversion/getEntityInputSchema.d.ts.map +1 -0
  136. package/dist/utils/schemaConversion/getEntityInputSchema.js +34 -0
  137. package/dist/utils/schemaConversion/getEntityInputSchema.js.map +1 -0
  138. package/dist/utils/whereSchema.d.ts +9 -0
  139. package/dist/utils/whereSchema.d.ts.map +1 -0
  140. package/dist/utils/whereSchema.js +13 -0
  141. package/dist/utils/whereSchema.js.map +1 -0
  142. package/package.json +8 -11
  143. package/src/defaultAccess.ts +3 -0
  144. package/src/endpoint/access.ts +88 -101
  145. package/src/endpoint/index.ts +14 -1
  146. package/src/exports/client.ts +2 -1
  147. package/src/exports/internal.ts +1 -0
  148. package/src/index.ts +8 -16
  149. package/src/mcp/buildMcpServer.ts +131 -96
  150. package/src/mcp/builtin/collections/authTools.ts +45 -9
  151. package/src/mcp/builtin/collections/countTool.ts +74 -0
  152. package/src/mcp/builtin/collections/countVersionsTool.ts +70 -0
  153. package/src/mcp/builtin/collections/createTool.ts +55 -59
  154. package/src/mcp/builtin/collections/deleteTool.ts +19 -16
  155. package/src/mcp/builtin/collections/duplicateTool.ts +135 -0
  156. package/src/mcp/builtin/collections/findDistinctTool.ts +120 -0
  157. package/src/mcp/builtin/collections/findTool.ts +63 -33
  158. package/src/mcp/builtin/collections/findVersionByIDTool.ts +110 -0
  159. package/src/mcp/builtin/collections/findVersionsTool.ts +155 -0
  160. package/src/mcp/builtin/collections/formatCollectionError.ts +84 -0
  161. package/src/mcp/builtin/collections/getCollectionSchemaTool.ts +46 -0
  162. package/src/mcp/builtin/collections/restoreVersionTool.ts +108 -0
  163. package/src/mcp/builtin/collections/updateTool.ts +111 -110
  164. package/src/mcp/builtin/getConfigInfoTool.ts +69 -0
  165. package/src/mcp/builtin/globals/countVersionsTool.ts +69 -0
  166. package/src/mcp/builtin/globals/findTool.ts +26 -17
  167. package/src/mcp/builtin/globals/findVersionByIDTool.ts +104 -0
  168. package/src/mcp/builtin/globals/findVersionsTool.ts +148 -0
  169. package/src/mcp/builtin/globals/getGlobalSchemaTool.ts +41 -0
  170. package/src/mcp/builtin/globals/restoreVersionTool.ts +100 -0
  171. package/src/mcp/builtin/globals/updateTool.ts +50 -55
  172. package/src/mcp/builtin/validateEntityData.ts +132 -0
  173. package/src/mcp/builtinTools.ts +111 -41
  174. package/src/mcp/sanitizeMCPConfig.ts +116 -78
  175. package/src/stdio.ts +23 -8
  176. package/src/types.ts +77 -112
  177. package/src/utils/getPluginConfig.ts +1 -1
  178. package/src/utils/schemaConversion/getEntityInputSchema.ts +78 -0
  179. package/src/utils/whereSchema.ts +24 -0
  180. package/dist/collection/getAccessField.d.ts +0 -12
  181. package/dist/collection/getAccessField.d.ts.map +0 -1
  182. package/dist/collection/getAccessField.js +0 -57
  183. package/dist/collection/getAccessField.js.map +0 -1
  184. package/dist/collection/index.d.ts +0 -6
  185. package/dist/collection/index.d.ts.map +0 -1
  186. package/dist/collection/index.js +0 -60
  187. package/dist/collection/index.js.map +0 -1
  188. package/dist/components/AccessField/index.client.d.ts +0 -10
  189. package/dist/components/AccessField/index.client.d.ts.map +0 -1
  190. package/dist/components/AccessField/index.client.js +0 -305
  191. package/dist/components/AccessField/index.client.js.map +0 -1
  192. package/dist/components/AccessField/index.css +0 -93
  193. package/dist/utils/schemaConversion/buildToolInput.d.ts +0 -29
  194. package/dist/utils/schemaConversion/buildToolInput.d.ts.map +0 -1
  195. package/dist/utils/schemaConversion/buildToolInput.js +0 -51
  196. package/dist/utils/schemaConversion/buildToolInput.js.map +0 -1
  197. package/src/collection/getAccessField.ts +0 -64
  198. package/src/collection/index.ts +0 -64
  199. package/src/components/AccessField/index.client.tsx +0 -344
  200. package/src/components/AccessField/index.css +0 -93
  201. package/src/utils/schemaConversion/buildToolInput.ts +0 -68
@@ -0,0 +1,3 @@
1
+ import type { MCPAccessArgs } from './types.js';
2
+ export declare const defaultAccess: ({ req }: MCPAccessArgs) => boolean;
3
+ //# sourceMappingURL=defaultAccess.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"defaultAccess.d.ts","sourceRoot":"","sources":["../src/defaultAccess.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAE/C,eAAO,MAAM,aAAa,GAAI,SAAS,aAAa,KAAG,OAA4B,CAAA"}
@@ -0,0 +1,3 @@
1
+ export const defaultAccess = ({ req })=>Boolean(req.user);
2
+
3
+ //# sourceMappingURL=defaultAccess.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/defaultAccess.ts"],"sourcesContent":["import type { MCPAccessArgs } from './types.js'\n\nexport const defaultAccess = ({ req }: MCPAccessArgs): boolean => Boolean(req.user)\n"],"names":["defaultAccess","req","Boolean","user"],"mappings":"AAEA,OAAO,MAAMA,gBAAgB,CAAC,EAAEC,GAAG,EAAiB,GAAcC,QAAQD,IAAIE,IAAI,EAAC"}
@@ -1,10 +1,22 @@
1
1
  import type { PayloadRequest } from 'payload';
2
- import type { AuthorizedMCP } from '../types.js';
2
+ import type { AuthorizedMCP, MCPItem } from '../types.js';
3
+ export type GetAuthorizedMCPArgs = {
4
+ overrideAccess: boolean;
5
+ req: PayloadRequest;
6
+ };
3
7
  /**
4
- * Resolves the API key (or dev-mode session) and returns the items the caller
5
- * may use. Denied items are dropped from the array.
8
+ * Resolves the MCP caller and returns the MCP surface authorized for that request.
9
+ *
10
+ * Authorization has two layers:
11
+ * 1. Payload collection/global permissions determine whether built-in operation tools are shown.
12
+ * 2. MCP `access` callbacks can further hide any configured tool, prompt, or resource.
13
+ *
14
+ * Like Payload core operations, `overrideAccess` skips both layers.
6
15
  */
7
- export declare const getAuthorizedMCP: (args: {
16
+ export declare const getAuthorizedMCP: (args: GetAuthorizedMCPArgs) => Promise<AuthorizedMCP>;
17
+ export declare const filterMCPItems: ({ items, overrideAccess, req, }: {
18
+ items: MCPItem[];
19
+ overrideAccess: boolean;
8
20
  req: PayloadRequest;
9
- }) => Promise<AuthorizedMCP>;
21
+ }) => Promise<MCPItem[]>;
10
22
  //# sourceMappingURL=access.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/endpoint/access.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAyB,cAAc,EAAa,MAAM,SAAS,CAAA;AAK/E,OAAO,KAAK,EAAE,aAAa,EAAiB,MAAM,aAAa,CAAA;AAK/D;;;GAGG;AACH,eAAO,MAAM,gBAAgB,EAAE,CAAC,IAAI,EAAE;IAAE,GAAG,EAAE,cAAc,CAAA;CAAE,KAAK,OAAO,CAAC,aAAa,CAiDtF,CAAA"}
1
+ {"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/endpoint/access.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAwB,MAAM,SAAS,CAAA;AAInE,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,aAAa,CAAA;AAIzD,MAAM,MAAM,oBAAoB,GAAG;IACjC,cAAc,EAAE,OAAO,CAAA;IACvB,GAAG,EAAE,cAAc,CAAA;CACpB,CAAA;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,EAAE,CAAC,IAAI,EAAE,oBAAoB,KAAK,OAAO,CAAC,aAAa,CAmCnF,CAAA;AAED,eAAO,MAAM,cAAc,GAAU,iCAIlC;IACD,KAAK,EAAE,OAAO,EAAE,CAAA;IAChB,cAAc,EAAE,OAAO,CAAA;IACvB,GAAG,EAAE,cAAc,CAAA;CACpB,KAAG,OAAO,CAAC,OAAO,EAAE,CAmBpB,CAAA"}
@@ -1,106 +1,100 @@
1
- import crypto from 'crypto';
2
- import { UnauthorizedError } from 'payload';
3
- import { getLogger } from '../utils/getLogger.js';
1
+ import { getAccessResults, UnauthorizedError } from 'payload';
4
2
  import { getPluginConfig } from '../utils/getPluginConfig.js';
5
3
  /**
6
- * Resolves the API key (or dev-mode session) and returns the items the caller
7
- * may use. Denied items are dropped from the array.
8
- */ export const getAuthorizedMCP = async ({ req })=>{
9
- const logger = getLogger({
10
- payload: req.payload
11
- });
4
+ * Resolves the MCP caller and returns the MCP surface authorized for that request.
5
+ *
6
+ * Authorization has two layers:
7
+ * 1. Payload collection/global permissions determine whether built-in operation tools are shown.
8
+ * 2. MCP `access` callbacks can further hide any configured tool, prompt, or resource.
9
+ *
10
+ * Like Payload core operations, `overrideAccess` skips both layers.
11
+ */ export const getAuthorizedMCP = async ({ overrideAccess, req })=>{
12
12
  const pluginConfig = getPluginConfig({
13
13
  config: req.payload.config
14
14
  });
15
- const authHeader = req.headers.get('Authorization');
16
- const hasBearerToken = authHeader?.startsWith('Bearer ');
17
- const buildAuthorized = (apiKeyDoc)=>({
18
- items: pluginConfig.items.filter((item)=>{
19
- switch(item.type){
20
- case 'collectionTool':
21
- return apiKeyDoc.access.collections?.[item.collectionSlug]?.[item.key] !== false;
22
- case 'globalTool':
23
- return apiKeyDoc.access.globals?.[item.globalSlug]?.[item.key] !== false;
24
- case 'prompt':
25
- return apiKeyDoc.access.prompts?.[item.key] !== false;
26
- case 'resource':
27
- return apiKeyDoc.access.resources?.[item.key] !== false;
28
- case 'tool':
29
- return apiKeyDoc.access.tools?.[item.key] !== false;
30
- }
31
- }),
32
- overrideAccess: typeof apiKeyDoc.overrideAccess === 'boolean' ? apiKeyDoc.overrideAccess : false,
33
- user: apiKeyDoc.user
34
- });
35
- if (pluginConfig.overrideAuth) {
36
- return await pluginConfig.overrideAuth({
37
- getAPIKeyDoc: (overrideApiKey)=>getAPIKeyDoc({
38
- logger,
39
- overrideApiKey,
40
- pluginConfig,
41
- req
42
- }),
43
- getAuthorizedMCP: ({ apiKeyDoc })=>buildAuthorized(apiKeyDoc),
15
+ if (pluginConfig.overrideGetAuthorizedMCP) {
16
+ return await pluginConfig.overrideGetAuthorizedMCP({
17
+ overrideAccess,
44
18
  pluginConfig,
45
19
  req
46
20
  });
47
21
  }
48
- if (process.env.NODE_ENV === 'development' && !hasBearerToken) {
49
- logger.info('Dev mode: skipping API key check, using session user');
50
- return buildAuthorized({
51
- id: -1,
52
- access: {},
53
- overrideAccess: true,
54
- user: req.user ?? null
55
- });
22
+ if (req.headers) {
23
+ const headers = new Headers(req.headers);
24
+ const hasAuthorization = headers.has('Authorization');
25
+ headers.set('DisableAutologin', 'true');
26
+ req.user = (await req.payload.auth({
27
+ headers,
28
+ req
29
+ })).user;
30
+ if (hasAuthorization && !req.user) {
31
+ throw new UnauthorizedError(req.t);
32
+ }
56
33
  }
57
- return buildAuthorized(await getAPIKeyDoc({
58
- logger,
59
- pluginConfig,
60
- req
61
- }));
34
+ return {
35
+ items: await filterMCPItems({
36
+ items: pluginConfig.items,
37
+ overrideAccess,
38
+ req
39
+ }),
40
+ overrideAccess,
41
+ user: req.user
42
+ };
62
43
  };
63
- const getAPIKeyDoc = async ({ logger, overrideApiKey, pluginConfig, req })=>{
64
- const authHeader = req.headers.get('Authorization');
65
- const hasBearerToken = authHeader?.startsWith('Bearer ');
66
- const apiKey = overrideApiKey ?? (hasBearerToken ? authHeader?.replace('Bearer ', '').trim() || null : null);
67
- if (!apiKey) {
68
- throw new UnauthorizedError();
69
- }
70
- const sha256APIKeyIndex = crypto.createHmac('sha256', req.payload.secret).update(apiKey).digest('hex');
71
- const doc = await req.payload.db.findOne({
72
- collection: 'payload-mcp-api-keys',
73
- req,
74
- where: {
75
- apiKeyIndex: {
76
- equals: sha256APIKeyIndex
77
- }
78
- }
79
- });
80
- if (!doc || !doc.user) {
81
- throw new UnauthorizedError();
44
+ export const filterMCPItems = async ({ items, overrideAccess, req })=>{
45
+ // Match Payload core: overrideAccess bypasses access evaluation instead of
46
+ // forcing each access function to return true.
47
+ if (overrideAccess) {
48
+ return items;
82
49
  }
83
- logger.info('API Key is valid');
84
- const userRef = doc.user;
85
- const userID = typeof userRef === 'object' && userRef !== null && 'id' in userRef ? userRef.id : userRef;
86
- const user = await req.payload.findByID({
87
- id: userID,
88
- collection: pluginConfig.userCollection,
89
- depth: 0,
90
- disableErrors: true,
50
+ const authorizedItems = [];
51
+ const permissions = await getAccessResults({
91
52
  req
92
53
  });
93
- if (!user) {
94
- throw new UnauthorizedError();
95
- }
96
- return {
97
- ...doc,
98
- user: {
99
- ...user,
100
- _strategy: 'mcp-api-key',
101
- collection: pluginConfig.userCollection
54
+ for (const item of items){
55
+ if (!await checkItemAccess({
56
+ item,
57
+ permissions,
58
+ req
59
+ })) {
60
+ continue;
102
61
  }
103
- };
62
+ authorizedItems.push(item);
63
+ }
64
+ return authorizedItems;
65
+ };
66
+ /**
67
+ * Runs MCP item access callbacks
68
+ */ const checkItemAccess = async ({ item, permissions, req })=>{
69
+ switch(item.type){
70
+ case 'collectionTool':
71
+ return !item.tool.access || await item.tool.access({
72
+ collectionSlug: item.collectionSlug,
73
+ permissions,
74
+ req
75
+ });
76
+ case 'globalTool':
77
+ return !item.tool.access || await item.tool.access({
78
+ globalSlug: item.globalSlug,
79
+ permissions,
80
+ req
81
+ });
82
+ case 'prompt':
83
+ return !item.prompt.access || await item.prompt.access({
84
+ permissions,
85
+ req
86
+ });
87
+ case 'resource':
88
+ return !item.resource.access || await item.resource.access({
89
+ permissions,
90
+ req
91
+ });
92
+ case 'tool':
93
+ return !item.tool.access || await item.tool.access({
94
+ permissions,
95
+ req
96
+ });
97
+ }
104
98
  };
105
99
 
106
100
  //# sourceMappingURL=access.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/endpoint/access.ts"],"sourcesContent":["import type { DefaultDocumentIDType, PayloadRequest, TypedUser } from 'payload'\n\nimport crypto from 'crypto'\nimport { UnauthorizedError } from 'payload'\n\nimport type { AuthorizedMCP, MCPAPIKeysDoc } from '../types.js'\n\nimport { getLogger } from '../utils/getLogger.js'\nimport { getPluginConfig } from '../utils/getPluginConfig.js'\n\n/**\n * Resolves the API key (or dev-mode session) and returns the items the caller\n * may use. Denied items are dropped from the array.\n */\nexport const getAuthorizedMCP: (args: { req: PayloadRequest }) => Promise<AuthorizedMCP> = async ({\n req,\n}) => {\n const logger = getLogger({ payload: req.payload })\n const pluginConfig = getPluginConfig({ config: req.payload.config })\n\n const authHeader = req.headers.get('Authorization')\n const hasBearerToken = authHeader?.startsWith('Bearer ')\n\n const buildAuthorized = (apiKeyDoc: MCPAPIKeysDoc): AuthorizedMCP => ({\n items: pluginConfig.items.filter((item) => {\n switch (item.type) {\n case 'collectionTool':\n return apiKeyDoc.access.collections?.[item.collectionSlug]?.[item.key] !== false\n case 'globalTool':\n return apiKeyDoc.access.globals?.[item.globalSlug]?.[item.key] !== false\n case 'prompt':\n return apiKeyDoc.access.prompts?.[item.key] !== false\n case 'resource':\n return apiKeyDoc.access.resources?.[item.key] !== false\n case 'tool':\n return apiKeyDoc.access.tools?.[item.key] !== false\n }\n }),\n overrideAccess:\n typeof apiKeyDoc.overrideAccess === 'boolean' ? apiKeyDoc.overrideAccess : false,\n user: apiKeyDoc.user,\n })\n\n if (pluginConfig.overrideAuth) {\n return await pluginConfig.overrideAuth({\n getAPIKeyDoc: (overrideApiKey) => getAPIKeyDoc({ logger, overrideApiKey, pluginConfig, req }),\n getAuthorizedMCP: ({ apiKeyDoc }) => buildAuthorized(apiKeyDoc),\n pluginConfig,\n req,\n })\n }\n\n if (process.env.NODE_ENV === 'development' && !hasBearerToken) {\n logger.info('Dev mode: skipping API key check, using session user')\n return buildAuthorized({\n id: -1,\n access: {},\n overrideAccess: true,\n user: req.user ?? null,\n })\n }\n\n return buildAuthorized(await getAPIKeyDoc({ logger, pluginConfig, req }))\n}\n\nconst getAPIKeyDoc = async ({\n logger,\n overrideApiKey,\n pluginConfig,\n req,\n}: {\n logger: ReturnType<typeof getLogger>\n overrideApiKey?: string\n pluginConfig: ReturnType<typeof getPluginConfig>\n req: PayloadRequest\n}): Promise<MCPAPIKeysDoc> => {\n const authHeader = req.headers.get('Authorization')\n const hasBearerToken = authHeader?.startsWith('Bearer ')\n\n const apiKey =\n overrideApiKey ?? (hasBearerToken ? authHeader?.replace('Bearer ', '').trim() || null : null)\n\n if (!apiKey) {\n throw new UnauthorizedError()\n }\n\n const sha256APIKeyIndex = crypto\n .createHmac('sha256', req.payload.secret)\n .update(apiKey)\n .digest('hex')\n\n const doc = await req.payload.db.findOne<MCPAPIKeysDoc>({\n collection: 'payload-mcp-api-keys',\n req,\n where: {\n apiKeyIndex: { equals: sha256APIKeyIndex },\n },\n })\n\n if (!doc || !doc.user) {\n throw new UnauthorizedError()\n }\n\n logger.info('API Key is valid')\n\n const userRef = doc.user\n const userID =\n typeof userRef === 'object' && userRef !== null && 'id' in userRef\n ? userRef.id\n : (userRef as unknown as DefaultDocumentIDType)\n\n const user = (await req.payload.findByID({\n id: userID,\n collection: pluginConfig.userCollection,\n depth: 0,\n disableErrors: true,\n req,\n })) as null | TypedUser\n\n if (!user) {\n throw new UnauthorizedError()\n }\n\n return {\n ...doc,\n user: {\n ...user,\n _strategy: 'mcp-api-key' as const,\n collection: pluginConfig.userCollection,\n },\n }\n}\n"],"names":["crypto","UnauthorizedError","getLogger","getPluginConfig","getAuthorizedMCP","req","logger","payload","pluginConfig","config","authHeader","headers","get","hasBearerToken","startsWith","buildAuthorized","apiKeyDoc","items","filter","item","type","access","collections","collectionSlug","key","globals","globalSlug","prompts","resources","tools","overrideAccess","user","overrideAuth","getAPIKeyDoc","overrideApiKey","process","env","NODE_ENV","info","id","apiKey","replace","trim","sha256APIKeyIndex","createHmac","secret","update","digest","doc","db","findOne","collection","where","apiKeyIndex","equals","userRef","userID","findByID","userCollection","depth","disableErrors","_strategy"],"mappings":"AAEA,OAAOA,YAAY,SAAQ;AAC3B,SAASC,iBAAiB,QAAQ,UAAS;AAI3C,SAASC,SAAS,QAAQ,wBAAuB;AACjD,SAASC,eAAe,QAAQ,8BAA6B;AAE7D;;;CAGC,GACD,OAAO,MAAMC,mBAA8E,OAAO,EAChGC,GAAG,EACJ;IACC,MAAMC,SAASJ,UAAU;QAAEK,SAASF,IAAIE,OAAO;IAAC;IAChD,MAAMC,eAAeL,gBAAgB;QAAEM,QAAQJ,IAAIE,OAAO,CAACE,MAAM;IAAC;IAElE,MAAMC,aAAaL,IAAIM,OAAO,CAACC,GAAG,CAAC;IACnC,MAAMC,iBAAiBH,YAAYI,WAAW;IAE9C,MAAMC,kBAAkB,CAACC,YAA6C,CAAA;YACpEC,OAAOT,aAAaS,KAAK,CAACC,MAAM,CAAC,CAACC;gBAChC,OAAQA,KAAKC,IAAI;oBACf,KAAK;wBACH,OAAOJ,UAAUK,MAAM,CAACC,WAAW,EAAE,CAACH,KAAKI,cAAc,CAAC,EAAE,CAACJ,KAAKK,GAAG,CAAC,KAAK;oBAC7E,KAAK;wBACH,OAAOR,UAAUK,MAAM,CAACI,OAAO,EAAE,CAACN,KAAKO,UAAU,CAAC,EAAE,CAACP,KAAKK,GAAG,CAAC,KAAK;oBACrE,KAAK;wBACH,OAAOR,UAAUK,MAAM,CAACM,OAAO,EAAE,CAACR,KAAKK,GAAG,CAAC,KAAK;oBAClD,KAAK;wBACH,OAAOR,UAAUK,MAAM,CAACO,SAAS,EAAE,CAACT,KAAKK,GAAG,CAAC,KAAK;oBACpD,KAAK;wBACH,OAAOR,UAAUK,MAAM,CAACQ,KAAK,EAAE,CAACV,KAAKK,GAAG,CAAC,KAAK;gBAClD;YACF;YACAM,gBACE,OAAOd,UAAUc,cAAc,KAAK,YAAYd,UAAUc,cAAc,GAAG;YAC7EC,MAAMf,UAAUe,IAAI;QACtB,CAAA;IAEA,IAAIvB,aAAawB,YAAY,EAAE;QAC7B,OAAO,MAAMxB,aAAawB,YAAY,CAAC;YACrCC,cAAc,CAACC,iBAAmBD,aAAa;oBAAE3B;oBAAQ4B;oBAAgB1B;oBAAcH;gBAAI;YAC3FD,kBAAkB,CAAC,EAAEY,SAAS,EAAE,GAAKD,gBAAgBC;YACrDR;YACAH;QACF;IACF;IAEA,IAAI8B,QAAQC,GAAG,CAACC,QAAQ,KAAK,iBAAiB,CAACxB,gBAAgB;QAC7DP,OAAOgC,IAAI,CAAC;QACZ,OAAOvB,gBAAgB;YACrBwB,IAAI,CAAC;YACLlB,QAAQ,CAAC;YACTS,gBAAgB;YAChBC,MAAM1B,IAAI0B,IAAI,IAAI;QACpB;IACF;IAEA,OAAOhB,gBAAgB,MAAMkB,aAAa;QAAE3B;QAAQE;QAAcH;IAAI;AACxE,EAAC;AAED,MAAM4B,eAAe,OAAO,EAC1B3B,MAAM,EACN4B,cAAc,EACd1B,YAAY,EACZH,GAAG,EAMJ;IACC,MAAMK,aAAaL,IAAIM,OAAO,CAACC,GAAG,CAAC;IACnC,MAAMC,iBAAiBH,YAAYI,WAAW;IAE9C,MAAM0B,SACJN,kBAAmBrB,CAAAA,iBAAiBH,YAAY+B,QAAQ,WAAW,IAAIC,UAAU,OAAO,IAAG;IAE7F,IAAI,CAACF,QAAQ;QACX,MAAM,IAAIvC;IACZ;IAEA,MAAM0C,oBAAoB3C,OACvB4C,UAAU,CAAC,UAAUvC,IAAIE,OAAO,CAACsC,MAAM,EACvCC,MAAM,CAACN,QACPO,MAAM,CAAC;IAEV,MAAMC,MAAM,MAAM3C,IAAIE,OAAO,CAAC0C,EAAE,CAACC,OAAO,CAAgB;QACtDC,YAAY;QACZ9C;QACA+C,OAAO;YACLC,aAAa;gBAAEC,QAAQX;YAAkB;QAC3C;IACF;IAEA,IAAI,CAACK,OAAO,CAACA,IAAIjB,IAAI,EAAE;QACrB,MAAM,IAAI9B;IACZ;IAEAK,OAAOgC,IAAI,CAAC;IAEZ,MAAMiB,UAAUP,IAAIjB,IAAI;IACxB,MAAMyB,SACJ,OAAOD,YAAY,YAAYA,YAAY,QAAQ,QAAQA,UACvDA,QAAQhB,EAAE,GACTgB;IAEP,MAAMxB,OAAQ,MAAM1B,IAAIE,OAAO,CAACkD,QAAQ,CAAC;QACvClB,IAAIiB;QACJL,YAAY3C,aAAakD,cAAc;QACvCC,OAAO;QACPC,eAAe;QACfvD;IACF;IAEA,IAAI,CAAC0B,MAAM;QACT,MAAM,IAAI9B;IACZ;IAEA,OAAO;QACL,GAAG+C,GAAG;QACNjB,MAAM;YACJ,GAAGA,IAAI;YACP8B,WAAW;YACXV,YAAY3C,aAAakD,cAAc;QACzC;IACF;AACF"}
1
+ {"version":3,"sources":["../../src/endpoint/access.ts"],"sourcesContent":["import type { PayloadRequest, SanitizedPermissions } from 'payload'\n\nimport { getAccessResults, UnauthorizedError } from 'payload'\n\nimport type { AuthorizedMCP, MCPItem } from '../types.js'\n\nimport { getPluginConfig } from '../utils/getPluginConfig.js'\n\nexport type GetAuthorizedMCPArgs = {\n overrideAccess: boolean\n req: PayloadRequest\n}\n\n/**\n * Resolves the MCP caller and returns the MCP surface authorized for that request.\n *\n * Authorization has two layers:\n * 1. Payload collection/global permissions determine whether built-in operation tools are shown.\n * 2. MCP `access` callbacks can further hide any configured tool, prompt, or resource.\n *\n * Like Payload core operations, `overrideAccess` skips both layers.\n */\nexport const getAuthorizedMCP: (args: GetAuthorizedMCPArgs) => Promise<AuthorizedMCP> = async ({\n overrideAccess,\n req,\n}) => {\n const pluginConfig = getPluginConfig({ config: req.payload.config })\n\n if (pluginConfig.overrideGetAuthorizedMCP) {\n return await pluginConfig.overrideGetAuthorizedMCP({\n overrideAccess,\n pluginConfig,\n req,\n })\n }\n\n if (req.headers) {\n const headers = new Headers(req.headers)\n const hasAuthorization = headers.has('Authorization')\n\n headers.set('DisableAutologin', 'true')\n req.user = (await req.payload.auth({ headers, req })).user\n\n if (hasAuthorization && !req.user) {\n throw new UnauthorizedError(req.t)\n }\n }\n\n return {\n items: await filterMCPItems({\n items: pluginConfig.items,\n overrideAccess,\n req,\n }),\n overrideAccess,\n user: req.user,\n }\n}\n\nexport const filterMCPItems = async ({\n items,\n overrideAccess,\n req,\n}: {\n items: MCPItem[]\n overrideAccess: boolean\n req: PayloadRequest\n}): Promise<MCPItem[]> => {\n // Match Payload core: overrideAccess bypasses access evaluation instead of\n // forcing each access function to return true.\n if (overrideAccess) {\n return items\n }\n\n const authorizedItems: MCPItem[] = []\n\n const permissions = await getAccessResults({ req })\n\n for (const item of items) {\n if (!(await checkItemAccess({ item, permissions, req }))) {\n continue\n }\n authorizedItems.push(item)\n }\n\n return authorizedItems\n}\n\n/**\n * Runs MCP item access callbacks\n */\nconst checkItemAccess = async ({\n item,\n permissions,\n req,\n}: {\n item: MCPItem\n permissions?: SanitizedPermissions\n req: PayloadRequest\n}): Promise<boolean> => {\n switch (item.type) {\n case 'collectionTool':\n return (\n !item.tool.access ||\n (await item.tool.access({ collectionSlug: item.collectionSlug, permissions, req }))\n )\n case 'globalTool':\n return (\n !item.tool.access ||\n (await item.tool.access({ globalSlug: item.globalSlug, permissions, req }))\n )\n case 'prompt':\n return !item.prompt.access || (await item.prompt.access({ permissions, req }))\n case 'resource':\n return !item.resource.access || (await item.resource.access({ permissions, req }))\n case 'tool':\n return !item.tool.access || (await item.tool.access({ permissions, req }))\n }\n}\n"],"names":["getAccessResults","UnauthorizedError","getPluginConfig","getAuthorizedMCP","overrideAccess","req","pluginConfig","config","payload","overrideGetAuthorizedMCP","headers","Headers","hasAuthorization","has","set","user","auth","t","items","filterMCPItems","authorizedItems","permissions","item","checkItemAccess","push","type","tool","access","collectionSlug","globalSlug","prompt","resource"],"mappings":"AAEA,SAASA,gBAAgB,EAAEC,iBAAiB,QAAQ,UAAS;AAI7D,SAASC,eAAe,QAAQ,8BAA6B;AAO7D;;;;;;;;CAQC,GACD,OAAO,MAAMC,mBAA2E,OAAO,EAC7FC,cAAc,EACdC,GAAG,EACJ;IACC,MAAMC,eAAeJ,gBAAgB;QAAEK,QAAQF,IAAIG,OAAO,CAACD,MAAM;IAAC;IAElE,IAAID,aAAaG,wBAAwB,EAAE;QACzC,OAAO,MAAMH,aAAaG,wBAAwB,CAAC;YACjDL;YACAE;YACAD;QACF;IACF;IAEA,IAAIA,IAAIK,OAAO,EAAE;QACf,MAAMA,UAAU,IAAIC,QAAQN,IAAIK,OAAO;QACvC,MAAME,mBAAmBF,QAAQG,GAAG,CAAC;QAErCH,QAAQI,GAAG,CAAC,oBAAoB;QAChCT,IAAIU,IAAI,GAAG,AAAC,CAAA,MAAMV,IAAIG,OAAO,CAACQ,IAAI,CAAC;YAAEN;YAASL;QAAI,EAAC,EAAGU,IAAI;QAE1D,IAAIH,oBAAoB,CAACP,IAAIU,IAAI,EAAE;YACjC,MAAM,IAAId,kBAAkBI,IAAIY,CAAC;QACnC;IACF;IAEA,OAAO;QACLC,OAAO,MAAMC,eAAe;YAC1BD,OAAOZ,aAAaY,KAAK;YACzBd;YACAC;QACF;QACAD;QACAW,MAAMV,IAAIU,IAAI;IAChB;AACF,EAAC;AAED,OAAO,MAAMI,iBAAiB,OAAO,EACnCD,KAAK,EACLd,cAAc,EACdC,GAAG,EAKJ;IACC,2EAA2E;IAC3E,+CAA+C;IAC/C,IAAID,gBAAgB;QAClB,OAAOc;IACT;IAEA,MAAME,kBAA6B,EAAE;IAErC,MAAMC,cAAc,MAAMrB,iBAAiB;QAAEK;IAAI;IAEjD,KAAK,MAAMiB,QAAQJ,MAAO;QACxB,IAAI,CAAE,MAAMK,gBAAgB;YAAED;YAAMD;YAAahB;QAAI,IAAK;YACxD;QACF;QACAe,gBAAgBI,IAAI,CAACF;IACvB;IAEA,OAAOF;AACT,EAAC;AAED;;CAEC,GACD,MAAMG,kBAAkB,OAAO,EAC7BD,IAAI,EACJD,WAAW,EACXhB,GAAG,EAKJ;IACC,OAAQiB,KAAKG,IAAI;QACf,KAAK;YACH,OACE,CAACH,KAAKI,IAAI,CAACC,MAAM,IAChB,MAAML,KAAKI,IAAI,CAACC,MAAM,CAAC;gBAAEC,gBAAgBN,KAAKM,cAAc;gBAAEP;gBAAahB;YAAI;QAEpF,KAAK;YACH,OACE,CAACiB,KAAKI,IAAI,CAACC,MAAM,IAChB,MAAML,KAAKI,IAAI,CAACC,MAAM,CAAC;gBAAEE,YAAYP,KAAKO,UAAU;gBAAER;gBAAahB;YAAI;QAE5E,KAAK;YACH,OAAO,CAACiB,KAAKQ,MAAM,CAACH,MAAM,IAAK,MAAML,KAAKQ,MAAM,CAACH,MAAM,CAAC;gBAAEN;gBAAahB;YAAI;QAC7E,KAAK;YACH,OAAO,CAACiB,KAAKS,QAAQ,CAACJ,MAAM,IAAK,MAAML,KAAKS,QAAQ,CAACJ,MAAM,CAAC;gBAAEN;gBAAahB;YAAI;QACjF,KAAK;YACH,OAAO,CAACiB,KAAKI,IAAI,CAACC,MAAM,IAAK,MAAML,KAAKI,IAAI,CAACC,MAAM,CAAC;gBAAEN;gBAAahB;YAAI;IAC3E;AACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/endpoint/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAY,KAAK,cAAc,EAAE,MAAM,SAAS,CAAA;AAMvD,eAAO,MAAM,WAAW,EAAE,cA2BzB,CAAA"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/endpoint/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAY,KAAK,cAAc,EAAE,MAAM,SAAS,CAAA;AAMvD,eAAO,MAAM,WAAW,EAAE,cAwCzB,CAAA"}
@@ -11,7 +11,18 @@ export const mcpEndpoint = async (req)=>{
11
11
  const pluginConfig = getPluginConfig({
12
12
  config: req.payload.config
13
13
  });
14
+ const overrideAccessParam = new URL(req.url).searchParams.get('overrideAccess');
15
+ if (overrideAccessParam !== null && process.env.NODE_ENV !== 'development') {
16
+ throw new APIError('MCP overrideAccess is only available in development.', 400);
17
+ }
18
+ let overrideAccess = false;
19
+ if (overrideAccessParam === 'true') {
20
+ overrideAccess = true;
21
+ } else if (overrideAccessParam !== null && overrideAccessParam !== 'false') {
22
+ throw new APIError('MCP overrideAccess must be "true" or "false".', 400);
23
+ }
14
24
  const authorizedMCP = await getAuthorizedMCP({
25
+ overrideAccess,
15
26
  req
16
27
  });
17
28
  const server = buildMcpServer({
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/endpoint/index.ts"],"sourcesContent":["import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/server'\nimport { APIError, type PayloadHandler } from 'payload'\n\nimport { buildMcpServer } from '../mcp/buildMcpServer.js'\nimport { getPluginConfig } from '../utils/getPluginConfig.js'\nimport { getAuthorizedMCP } from './access.js'\n\nexport const mcpEndpoint: PayloadHandler = async (req) => {\n if (!req.url) {\n throw new APIError('Missing request URL', 400)\n }\n\n req.payloadAPI = 'MCP' as const\n\n const pluginConfig = getPluginConfig({ config: req.payload.config })\n const authorizedMCP = await getAuthorizedMCP({ req })\n\n const server = buildMcpServer({ authorizedMCP, pluginConfig, req })\n\n const transport = new WebStandardStreamableHTTPServerTransport({\n enableJsonResponse: true,\n sessionIdGenerator: undefined, // stateless mode\n })\n\n await server.connect(transport)\n\n const mcpRequest = new Request(req.url, {\n body: req.body,\n duplex: 'half',\n headers: req.headers,\n method: req.method,\n } as { duplex: 'half' } & RequestInit)\n\n return await transport.handleRequest(mcpRequest)\n}\n"],"names":["WebStandardStreamableHTTPServerTransport","APIError","buildMcpServer","getPluginConfig","getAuthorizedMCP","mcpEndpoint","req","url","payloadAPI","pluginConfig","config","payload","authorizedMCP","server","transport","enableJsonResponse","sessionIdGenerator","undefined","connect","mcpRequest","Request","body","duplex","headers","method","handleRequest"],"mappings":"AAAA,SAASA,wCAAwC,QAAQ,+BAA8B;AACvF,SAASC,QAAQ,QAA6B,UAAS;AAEvD,SAASC,cAAc,QAAQ,2BAA0B;AACzD,SAASC,eAAe,QAAQ,8BAA6B;AAC7D,SAASC,gBAAgB,QAAQ,cAAa;AAE9C,OAAO,MAAMC,cAA8B,OAAOC;IAChD,IAAI,CAACA,IAAIC,GAAG,EAAE;QACZ,MAAM,IAAIN,SAAS,uBAAuB;IAC5C;IAEAK,IAAIE,UAAU,GAAG;IAEjB,MAAMC,eAAeN,gBAAgB;QAAEO,QAAQJ,IAAIK,OAAO,CAACD,MAAM;IAAC;IAClE,MAAME,gBAAgB,MAAMR,iBAAiB;QAAEE;IAAI;IAEnD,MAAMO,SAASX,eAAe;QAAEU;QAAeH;QAAcH;IAAI;IAEjE,MAAMQ,YAAY,IAAId,yCAAyC;QAC7De,oBAAoB;QACpBC,oBAAoBC;IACtB;IAEA,MAAMJ,OAAOK,OAAO,CAACJ;IAErB,MAAMK,aAAa,IAAIC,QAAQd,IAAIC,GAAG,EAAE;QACtCc,MAAMf,IAAIe,IAAI;QACdC,QAAQ;QACRC,SAASjB,IAAIiB,OAAO;QACpBC,QAAQlB,IAAIkB,MAAM;IACpB;IAEA,OAAO,MAAMV,UAAUW,aAAa,CAACN;AACvC,EAAC"}
1
+ {"version":3,"sources":["../../src/endpoint/index.ts"],"sourcesContent":["import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/server'\nimport { APIError, type PayloadHandler } from 'payload'\n\nimport { buildMcpServer } from '../mcp/buildMcpServer.js'\nimport { getPluginConfig } from '../utils/getPluginConfig.js'\nimport { getAuthorizedMCP } from './access.js'\n\nexport const mcpEndpoint: PayloadHandler = async (req) => {\n if (!req.url) {\n throw new APIError('Missing request URL', 400)\n }\n\n req.payloadAPI = 'MCP' as const\n\n const pluginConfig = getPluginConfig({ config: req.payload.config })\n const overrideAccessParam = new URL(req.url).searchParams.get('overrideAccess')\n\n if (overrideAccessParam !== null && process.env.NODE_ENV !== 'development') {\n throw new APIError('MCP overrideAccess is only available in development.', 400)\n }\n\n let overrideAccess = false\n if (overrideAccessParam === 'true') {\n overrideAccess = true\n } else if (overrideAccessParam !== null && overrideAccessParam !== 'false') {\n throw new APIError('MCP overrideAccess must be \"true\" or \"false\".', 400)\n }\n\n const authorizedMCP = await getAuthorizedMCP({ overrideAccess, req })\n\n const server = buildMcpServer({ authorizedMCP, pluginConfig, req })\n\n const transport = new WebStandardStreamableHTTPServerTransport({\n enableJsonResponse: true,\n sessionIdGenerator: undefined, // stateless mode\n })\n\n await server.connect(transport)\n\n const mcpRequest = new Request(req.url, {\n body: req.body,\n duplex: 'half',\n headers: req.headers,\n method: req.method,\n } as { duplex: 'half' } & RequestInit)\n\n return await transport.handleRequest(mcpRequest)\n}\n"],"names":["WebStandardStreamableHTTPServerTransport","APIError","buildMcpServer","getPluginConfig","getAuthorizedMCP","mcpEndpoint","req","url","payloadAPI","pluginConfig","config","payload","overrideAccessParam","URL","searchParams","get","process","env","NODE_ENV","overrideAccess","authorizedMCP","server","transport","enableJsonResponse","sessionIdGenerator","undefined","connect","mcpRequest","Request","body","duplex","headers","method","handleRequest"],"mappings":"AAAA,SAASA,wCAAwC,QAAQ,+BAA8B;AACvF,SAASC,QAAQ,QAA6B,UAAS;AAEvD,SAASC,cAAc,QAAQ,2BAA0B;AACzD,SAASC,eAAe,QAAQ,8BAA6B;AAC7D,SAASC,gBAAgB,QAAQ,cAAa;AAE9C,OAAO,MAAMC,cAA8B,OAAOC;IAChD,IAAI,CAACA,IAAIC,GAAG,EAAE;QACZ,MAAM,IAAIN,SAAS,uBAAuB;IAC5C;IAEAK,IAAIE,UAAU,GAAG;IAEjB,MAAMC,eAAeN,gBAAgB;QAAEO,QAAQJ,IAAIK,OAAO,CAACD,MAAM;IAAC;IAClE,MAAME,sBAAsB,IAAIC,IAAIP,IAAIC,GAAG,EAAEO,YAAY,CAACC,GAAG,CAAC;IAE9D,IAAIH,wBAAwB,QAAQI,QAAQC,GAAG,CAACC,QAAQ,KAAK,eAAe;QAC1E,MAAM,IAAIjB,SAAS,wDAAwD;IAC7E;IAEA,IAAIkB,iBAAiB;IACrB,IAAIP,wBAAwB,QAAQ;QAClCO,iBAAiB;IACnB,OAAO,IAAIP,wBAAwB,QAAQA,wBAAwB,SAAS;QAC1E,MAAM,IAAIX,SAAS,iDAAiD;IACtE;IAEA,MAAMmB,gBAAgB,MAAMhB,iBAAiB;QAAEe;QAAgBb;IAAI;IAEnE,MAAMe,SAASnB,eAAe;QAAEkB;QAAeX;QAAcH;IAAI;IAEjE,MAAMgB,YAAY,IAAItB,yCAAyC;QAC7DuB,oBAAoB;QACpBC,oBAAoBC;IACtB;IAEA,MAAMJ,OAAOK,OAAO,CAACJ;IAErB,MAAMK,aAAa,IAAIC,QAAQtB,IAAIC,GAAG,EAAE;QACtCsB,MAAMvB,IAAIuB,IAAI;QACdC,QAAQ;QACRC,SAASzB,IAAIyB,OAAO;QACpBC,QAAQ1B,IAAI0B,MAAM;IACpB;IAEA,OAAO,MAAMV,UAAUW,aAAa,CAACN;AACvC,EAAC"}
@@ -1,2 +1,2 @@
1
- export { AccessField } from '../components/AccessField/index.client.js';
1
+ export {};
2
2
  //# sourceMappingURL=client.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/exports/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,2CAA2C,CAAA"}
1
+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/exports/client.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAA"}
@@ -1,4 +1,4 @@
1
1
  'use client';
2
- export { AccessField } from '../components/AccessField/index.client.js';
2
+ export { };
3
3
 
4
4
  //# sourceMappingURL=client.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/exports/client.ts"],"sourcesContent":["'use client'\nexport { AccessField } from '../components/AccessField/index.client.js'\n"],"names":["AccessField"],"mappings":"AAAA;AACA,SAASA,WAAW,QAAQ,4CAA2C"}
1
+ {"version":3,"sources":["../../src/exports/client.ts"],"sourcesContent":["'use client'\n\nexport {}\n"],"names":[],"mappings":"AAAA;AAEA,WAAS"}
@@ -0,0 +1,2 @@
1
+ export { filterMCPItems, getAuthorizedMCP } from '../endpoint/access.js';
2
+ //# sourceMappingURL=internal.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"internal.d.ts","sourceRoot":"","sources":["../../src/exports/internal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA"}
@@ -0,0 +1,3 @@
1
+ export { filterMCPItems, getAuthorizedMCP } from '../endpoint/access.js';
2
+
3
+ //# sourceMappingURL=internal.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/exports/internal.ts"],"sourcesContent":["export { filterMCPItems, getAuthorizedMCP } from '../endpoint/access.js'\n"],"names":["filterMCPItems","getAuthorizedMCP"],"mappings":"AAAA,SAASA,cAAc,EAAEC,gBAAgB,QAAQ,wBAAuB"}
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAA;AAM1F,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAiB,cAAc;QAC7B,UAAU,EAAE,SAAS,GAAG,OAAO,GAAG,KAAK,GAAG,MAAM,CAAA;KACjD;IACD,UAAU,iBAAiB;QACzB,uFAAuF;QACvF,wBAAwB,EAAE,eAAe,CAAA;KAC1C;CACF;AAED,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,wBAAwB,EAAE,CAAA;AAExE,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAElG,eAAO,MAAM,SAAS,wDAwCpB,CAAA"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAA;AAK1F,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAiB,cAAc;QAC7B,UAAU,EAAE,SAAS,GAAG,OAAO,GAAG,KAAK,GAAG,MAAM,CAAA;KACjD;IACD,UAAU,iBAAiB;QACzB,uFAAuF;QACvF,wBAAwB,EAAE,eAAe,CAAA;KAC1C;CACF;AAED,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,wBAAwB,EAAE,CAAA;AAExE,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAElG,eAAO,MAAM,SAAS,wDAiCpB,CAAA"}
package/dist/index.js CHANGED
@@ -1,5 +1,4 @@
1
- import { defaultUserCollection, definePlugin } from 'payload';
2
- import { getAPIKeysCollection } from './collection/index.js';
1
+ import { definePlugin } from 'payload';
3
2
  import { mcpEndpoint } from './endpoint/index.js';
4
3
  import { sanitizeMCPConfig } from './mcp/sanitizeMCPConfig.js';
5
4
  export { defineCollectionTool, defineGlobalTool, definePrompt, defineTool } from './defineTool.js';
@@ -7,16 +6,6 @@ export const mcpPlugin = definePlugin({
7
6
  slug: '@payloadcms/plugin-mcp',
8
7
  order: 10,
9
8
  plugin: ({ config, plugins, ...rawConfig })=>{
10
- // Our `payload-mcp-api-keys` is auth-enabled; if it'd be the only auth
11
- // collection, Payload's later sanitize would pick it as `admin.user`.
12
- // Pre-seed the default user collection to prevent that.
13
- if (!config.admin?.user) {
14
- const firstCollectionWithAuth = (config.collections ?? []).find(({ auth })=>Boolean(auth));
15
- if (!firstCollectionWithAuth) {
16
- ;
17
- (config.collections ??= []).push(defaultUserCollection);
18
- }
19
- }
20
9
  const pluginConfig = sanitizeMCPConfig({
21
10
  config,
22
11
  pluginConfig: rawConfig
@@ -27,12 +16,6 @@ export const mcpPlugin = definePlugin({
27
16
  // @ts-expect-error
28
17
  registered.sanitizedOptions = pluginConfig;
29
18
  }
30
- ;
31
- (config.collections ??= []).push(getAPIKeysCollection({
32
- pluginConfig
33
- }));
34
- // Keep the API-keys collection registered even when disabled, so DB schema
35
- // and generated types don't drift between enabled/disabled environments.
36
19
  if (pluginConfig.disabled) {
37
20
  return config;
38
21
  }
@@ -45,6 +28,18 @@ export const mcpPlugin = definePlugin({
45
28
  handler: mcpEndpoint,
46
29
  method: 'post',
47
30
  path: '/mcp'
31
+ },
32
+ // Streamable HTTP's optional server=>client GET stream. We don't offer
33
+ // one, so answer 405 per spec-— clients then skip it cleanly
34
+ {
35
+ handler: ()=>new Response(null, {
36
+ headers: {
37
+ Allow: 'POST'
38
+ },
39
+ status: 405
40
+ }),
41
+ method: 'get',
42
+ path: '/mcp'
48
43
  }
49
44
  ]
50
45
  };
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { defaultUserCollection, definePlugin } from 'payload'\n\nimport type { AuthorizedMCP, MCPPluginConfig, SanitizedMCPPluginConfig } from './types.js'\n\nimport { getAPIKeysCollection } from './collection/index.js'\nimport { mcpEndpoint } from './endpoint/index.js'\nimport { sanitizeMCPConfig } from './mcp/sanitizeMCPConfig.js'\n\ndeclare module 'payload' {\n export interface PayloadRequest {\n payloadAPI: 'GraphQL' | 'local' | 'MCP' | 'REST'\n }\n interface RegisteredPlugins {\n /** After the plugin's `plugin` callback runs, `options` holds the sanitized config. */\n '@payloadcms/plugin-mcp': MCPPluginConfig\n }\n}\n\nexport type { AuthorizedMCP, MCPPluginConfig, SanitizedMCPPluginConfig }\n\nexport { defineCollectionTool, defineGlobalTool, definePrompt, defineTool } from './defineTool.js'\n\nexport const mcpPlugin = definePlugin<MCPPluginConfig>({\n slug: '@payloadcms/plugin-mcp',\n order: 10,\n plugin: ({ config, plugins, ...rawConfig }) => {\n // Our `payload-mcp-api-keys` is auth-enabled; if it'd be the only auth\n // collection, Payload's later sanitize would pick it as `admin.user`.\n // Pre-seed the default user collection to prevent that.\n if (!config.admin?.user) {\n const firstCollectionWithAuth = (config.collections ?? []).find(({ auth }) => Boolean(auth))\n if (!firstCollectionWithAuth) {\n ;(config.collections ??= []).push(defaultUserCollection)\n }\n }\n\n const pluginConfig = sanitizeMCPConfig({ config, pluginConfig: rawConfig })\n\n // Stash the sanitized config on plugin options so `getPluginConfig()` reads it.\n const registered = plugins['@payloadcms/plugin-mcp']\n if (registered) {\n // @ts-expect-error\n registered.sanitizedOptions = pluginConfig as unknown as typeof registered.options\n }\n\n ;(config.collections ??= []).push(getAPIKeysCollection({ pluginConfig }))\n\n // Keep the API-keys collection registered even when disabled, so DB schema\n // and generated types don't drift between enabled/disabled environments.\n if (pluginConfig.disabled) {\n return config\n }\n\n return {\n ...config,\n endpoints: [\n ...(config.endpoints ?? []),\n // Payload prefixes /api, so the full path is /api/mcp.\n { handler: mcpEndpoint, method: 'post', path: '/mcp' },\n ],\n }\n },\n})\n"],"names":["defaultUserCollection","definePlugin","getAPIKeysCollection","mcpEndpoint","sanitizeMCPConfig","defineCollectionTool","defineGlobalTool","definePrompt","defineTool","mcpPlugin","slug","order","plugin","config","plugins","rawConfig","admin","user","firstCollectionWithAuth","collections","find","auth","Boolean","push","pluginConfig","registered","sanitizedOptions","disabled","endpoints","handler","method","path"],"mappings":"AAAA,SAASA,qBAAqB,EAAEC,YAAY,QAAQ,UAAS;AAI7D,SAASC,oBAAoB,QAAQ,wBAAuB;AAC5D,SAASC,WAAW,QAAQ,sBAAqB;AACjD,SAASC,iBAAiB,QAAQ,6BAA4B;AAc9D,SAASC,oBAAoB,EAAEC,gBAAgB,EAAEC,YAAY,EAAEC,UAAU,QAAQ,kBAAiB;AAElG,OAAO,MAAMC,YAAYR,aAA8B;IACrDS,MAAM;IACNC,OAAO;IACPC,QAAQ,CAAC,EAAEC,MAAM,EAAEC,OAAO,EAAE,GAAGC,WAAW;QACxC,uEAAuE;QACvE,sEAAsE;QACtE,wDAAwD;QACxD,IAAI,CAACF,OAAOG,KAAK,EAAEC,MAAM;YACvB,MAAMC,0BAA0B,AAACL,CAAAA,OAAOM,WAAW,IAAI,EAAE,AAAD,EAAGC,IAAI,CAAC,CAAC,EAAEC,IAAI,EAAE,GAAKC,QAAQD;YACtF,IAAI,CAACH,yBAAyB;;gBAC1BL,CAAAA,OAAOM,WAAW,KAAK,EAAE,AAAD,EAAGI,IAAI,CAACvB;YACpC;QACF;QAEA,MAAMwB,eAAepB,kBAAkB;YAAES;YAAQW,cAAcT;QAAU;QAEzE,gFAAgF;QAChF,MAAMU,aAAaX,OAAO,CAAC,yBAAyB;QACpD,IAAIW,YAAY;YACd,mBAAmB;YACnBA,WAAWC,gBAAgB,GAAGF;QAChC;;QAEEX,CAAAA,OAAOM,WAAW,KAAK,EAAE,AAAD,EAAGI,IAAI,CAACrB,qBAAqB;YAAEsB;QAAa;QAEtE,2EAA2E;QAC3E,yEAAyE;QACzE,IAAIA,aAAaG,QAAQ,EAAE;YACzB,OAAOd;QACT;QAEA,OAAO;YACL,GAAGA,MAAM;YACTe,WAAW;mBACLf,OAAOe,SAAS,IAAI,EAAE;gBAC1B,uDAAuD;gBACvD;oBAAEC,SAAS1B;oBAAa2B,QAAQ;oBAAQC,MAAM;gBAAO;aACtD;QACH;IACF;AACF,GAAE"}
1
+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { definePlugin } from 'payload'\n\nimport type { AuthorizedMCP, MCPPluginConfig, SanitizedMCPPluginConfig } from './types.js'\n\nimport { mcpEndpoint } from './endpoint/index.js'\nimport { sanitizeMCPConfig } from './mcp/sanitizeMCPConfig.js'\n\ndeclare module 'payload' {\n export interface PayloadRequest {\n payloadAPI: 'GraphQL' | 'local' | 'MCP' | 'REST'\n }\n interface RegisteredPlugins {\n /** After the plugin's `plugin` callback runs, `options` holds the sanitized config. */\n '@payloadcms/plugin-mcp': MCPPluginConfig\n }\n}\n\nexport type { AuthorizedMCP, MCPPluginConfig, SanitizedMCPPluginConfig }\n\nexport { defineCollectionTool, defineGlobalTool, definePrompt, defineTool } from './defineTool.js'\n\nexport const mcpPlugin = definePlugin<MCPPluginConfig>({\n slug: '@payloadcms/plugin-mcp',\n order: 10,\n plugin: ({ config, plugins, ...rawConfig }) => {\n const pluginConfig = sanitizeMCPConfig({ config, pluginConfig: rawConfig })\n\n // Stash the sanitized config on plugin options so `getPluginConfig()` reads it.\n const registered = plugins['@payloadcms/plugin-mcp']\n if (registered) {\n // @ts-expect-error\n registered.sanitizedOptions = pluginConfig as unknown as typeof registered.options\n }\n\n if (pluginConfig.disabled) {\n return config\n }\n\n return {\n ...config,\n endpoints: [\n ...(config.endpoints ?? []),\n // Payload prefixes /api, so the full path is /api/mcp.\n { handler: mcpEndpoint, method: 'post', path: '/mcp' },\n // Streamable HTTP's optional server=>client GET stream. We don't offer\n // one, so answer 405 per spec-— clients then skip it cleanly\n {\n handler: () => new Response(null, { headers: { Allow: 'POST' }, status: 405 }),\n method: 'get',\n path: '/mcp',\n },\n ],\n }\n },\n})\n"],"names":["definePlugin","mcpEndpoint","sanitizeMCPConfig","defineCollectionTool","defineGlobalTool","definePrompt","defineTool","mcpPlugin","slug","order","plugin","config","plugins","rawConfig","pluginConfig","registered","sanitizedOptions","disabled","endpoints","handler","method","path","Response","headers","Allow","status"],"mappings":"AAAA,SAASA,YAAY,QAAQ,UAAS;AAItC,SAASC,WAAW,QAAQ,sBAAqB;AACjD,SAASC,iBAAiB,QAAQ,6BAA4B;AAc9D,SAASC,oBAAoB,EAAEC,gBAAgB,EAAEC,YAAY,EAAEC,UAAU,QAAQ,kBAAiB;AAElG,OAAO,MAAMC,YAAYP,aAA8B;IACrDQ,MAAM;IACNC,OAAO;IACPC,QAAQ,CAAC,EAAEC,MAAM,EAAEC,OAAO,EAAE,GAAGC,WAAW;QACxC,MAAMC,eAAeZ,kBAAkB;YAAES;YAAQG,cAAcD;QAAU;QAEzE,gFAAgF;QAChF,MAAME,aAAaH,OAAO,CAAC,yBAAyB;QACpD,IAAIG,YAAY;YACd,mBAAmB;YACnBA,WAAWC,gBAAgB,GAAGF;QAChC;QAEA,IAAIA,aAAaG,QAAQ,EAAE;YACzB,OAAON;QACT;QAEA,OAAO;YACL,GAAGA,MAAM;YACTO,WAAW;mBACLP,OAAOO,SAAS,IAAI,EAAE;gBAC1B,uDAAuD;gBACvD;oBAAEC,SAASlB;oBAAamB,QAAQ;oBAAQC,MAAM;gBAAO;gBACrD,uEAAuE;gBACvE,6DAA6D;gBAC7D;oBACEF,SAAS,IAAM,IAAIG,SAAS,MAAM;4BAAEC,SAAS;gCAAEC,OAAO;4BAAO;4BAAGC,QAAQ;wBAAI;oBAC5EL,QAAQ;oBACRC,MAAM;gBACR;aACD;QACH;IACF;AACF,GAAE"}
@@ -1 +1 @@
1
- {"version":3,"file":"buildMcpServer.d.ts","sourceRoot":"","sources":["../../src/mcp/buildMcpServer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAsB,MAAM,8BAA8B,CAAA;AAC5E,OAAO,EAA0C,KAAK,cAAc,EAAE,MAAM,SAAS,CAAA;AAErF,OAAO,KAAK,EACV,aAAa,EAIb,wBAAwB,EACzB,MAAM,aAAa,CAAA;AAiBpB;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,GAAI,uCAI5B;IACD,aAAa,EAAE,aAAa,CAAA;IAC5B,YAAY,EAAE,wBAAwB,CAAA;IACtC,GAAG,EAAE,cAAc,CAAA;CACpB,KAAG,SAwLH,CAAA"}
1
+ {"version":3,"file":"buildMcpServer.d.ts","sourceRoot":"","sources":["../../src/mcp/buildMcpServer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAsB,MAAM,8BAA8B,CAAA;AAC5E,OAAO,EAAY,KAAK,cAAc,EAAE,MAAM,SAAS,CAAA;AAGvD,OAAO,KAAK,EACV,aAAa,EAMb,wBAAwB,EAEzB,MAAM,aAAa,CAAA;AAKpB;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,GAAI,uCAI5B;IACD,aAAa,EAAE,aAAa,CAAA;IAC5B,YAAY,EAAE,wBAAwB,CAAA;IACtC,GAAG,EAAE,cAAc,CAAA;CACpB,KAAG,SA8LH,CAAA"}