@plank-cms/plank 0.29.0 → 0.30.1

package/dist/admin/index.html

@@ -12,7 +12,7 @@
       href="https://fonts.googleapis.com/css2?family=Google+Sans:ital,opsz,wght@0,17..18,400..700;1,17..18,400..700&display=swap"
       rel="stylesheet"
     />
-    <script type="module" crossorigin src="/admin/assets/index-2ycjq_gM.js"></script>
+    <script type="module" crossorigin src="/admin/assets/index-RfZ7f9RV.js"></script>
     <link rel="stylesheet" crossorigin href="/admin/assets/index-CHJ8C--M.css">
   </head>
   <body>

package/dist/index.js

@@ -93,7 +93,7 @@ function getUpdateScriptCommand(name) {
 }
 
 // src/commands/init.ts
-var PACKAGE_VERSION = "0.29.0";
+var PACKAGE_VERSION = "0.30.1";
 function generateSecret() {
   return randomBytes(32).toString("hex");
 }
@@ -203,7 +203,7 @@ import { dirname, join as join3, resolve as resolve2 } from "path";
 async function start() {
   config({ path: resolve2(process.cwd(), ".env") });
   process.env.PLANK_ADMIN_DIST = join3(dirname(fileURLToPath(import.meta.url)), "admin");
-  const { start: startServer } = await import("./server-KCPJO7V7.js");
+  const { start: startServer } = await import("./server-BDQYF2ZA.js");
   await startServer();
 }
 

package/dist/{server-KCPJO7V7.js → server-BDQYF2ZA.js}

@@ -4528,7 +4528,7 @@ import { randomBytes as randomBytes7, createHash } from "crypto";
 import { z as z7, flattenError as flattenError5 } from "zod";
 var CreateTokenSchema = z7.object({
   name: z7.string().min(1),
-  accessType: z7.enum(["read-only", "full-access"])
+  accessType: z7.enum(["read-only", "full-access", "mcp-server"])
 });
 function hashToken(token) {
   return createHash("sha256").update(token).digest("hex");
@@ -5834,7 +5834,9 @@ import { Router as Router3 } from "express";
 // ../core/dist/middlewares/apiToken.js
 import { createHash as createHash2 } from "crypto";
 var READ_ONLY_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS"]);
-async function apiToken(req, res, next) {
+var PUBLIC_API_ACCESS_TYPES = /* @__PURE__ */ new Set(["read-only", "full-access"]);
+var MCP_ACCESS_TYPES = /* @__PURE__ */ new Set(["mcp-server"]);
+async function enforceApiToken(req, res, next, allowedAccessTypes) {
   const header = req.headers.authorization;
   if (!header?.startsWith("Bearer ")) {
     res.status(401).json({ error: "API token required" });
@@ -5847,12 +5849,26 @@ async function apiToken(req, res, next) {
     res.status(401).json({ error: "Invalid API token" });
     return;
   }
+  if (!allowedAccessTypes.has(rows[0].access_type)) {
+    res.status(403).json({ error: "This token cannot access this endpoint" });
+    return;
+  }
   if (rows[0].access_type === "read-only" && !READ_ONLY_METHODS.has(req.method)) {
     res.status(403).json({ error: "This token only allows read access" });
     return;
   }
+  req.apiToken = {
+    id: rows[0].id,
+    accessType: rows[0].access_type
+  };
   next();
 }
+async function apiToken(req, res, next) {
+  await enforceApiToken(req, res, next, PUBLIC_API_ACCESS_TYPES);
+}
+async function mcpToken(req, res, next) {
+  await enforceApiToken(req, res, next, MCP_ACCESS_TYPES);
+}
 
 // ../core/dist/controllers/public.js
 function createMediaValue(url, options) {
@@ -6453,6 +6469,276 @@ router3.get("/:slug", listPublicEntries);
 router3.get("/:slug/:id", getPublicEntry);
 var public_default = router3;
 
+// ../core/dist/routes/mcp.js
+import { Router as Router4 } from "express";
+
+// ../core/dist/controllers/mcp.js
+var MCP_PROTOCOL_VERSION = "2025-11-25";
+var JSON_RPC_VERSION = "2.0";
+var CONTENT_TYPES_URI = "plank://content-types";
+var LOCALES_URI = "plank://locales";
+function buildSchemaUri(slug) {
+  return `plank://content-types/${slug}/schema`;
+}
+function parseLocales(raw, fallback) {
+  if (!raw)
+    return [fallback];
+  try {
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed))
+      return [fallback];
+    const locales = parsed.filter((value) => typeof value === "string" && value.length > 0);
+    return locales.length > 0 ? [...new Set(locales)] : [fallback];
+  } catch {
+    return [fallback];
+  }
+}
+async function getLocalesPayload() {
+  const settings = await getSettings("general");
+  const defaultLocale = settings.default_locale ?? "en";
+  const locales = parseLocales(settings.locales, defaultLocale);
+  if (!locales.includes(defaultLocale)) {
+    locales.unshift(defaultLocale);
+  }
+  return { defaultLocale, locales };
+}
+async function getContentTypeSummaries() {
+  const contentTypes = await findAllContentTypes();
+  return contentTypes.map((contentType) => ({
+    name: contentType.name,
+    slug: contentType.slug,
+    kind: contentType.kind,
+    previewEnabled: contentType.previewEnabled ?? true,
+    isDefault: contentType.isDefault ?? false,
+    schemaUri: buildSchemaUri(contentType.slug),
+    updatedAt: contentType.updatedAt?.toISOString() ?? null
+  }));
+}
+async function listResources() {
+  const contentTypes = await getContentTypeSummaries();
+  return [
+    {
+      name: "content-types",
+      title: "Content Types",
+      uri: CONTENT_TYPES_URI,
+      description: "Lists the content types available in this Plank instance.",
+      mimeType: "application/json"
+    },
+    {
+      name: "locales",
+      title: "Locales",
+      uri: LOCALES_URI,
+      description: "Lists the enabled locales and the default locale for this Plank instance.",
+      mimeType: "application/json"
+    },
+    ...contentTypes.map((contentType) => ({
+      name: `content-type-schema-${contentType.slug}`,
+      title: `${contentType.name} schema`,
+      uri: contentType.schemaUri,
+      description: `Schema for the "${contentType.slug}" content type.`,
+      mimeType: "application/json",
+      annotations: contentType.updatedAt ? {
+        lastModified: contentType.updatedAt
+      } : void 0
+    }))
+  ];
+}
+async function readResource(uri) {
+  if (uri === CONTENT_TYPES_URI) {
+    return {
+      contents: [
+        {
+          uri,
+          mimeType: "application/json",
+          text: JSON.stringify({ contentTypes: await getContentTypeSummaries() }, null, 2)
+        }
+      ]
+    };
+  }
+  if (uri === LOCALES_URI) {
+    return {
+      contents: [
+        {
+          uri,
+          mimeType: "application/json",
+          text: JSON.stringify(await getLocalesPayload(), null, 2)
+        }
+      ]
+    };
+  }
+  const match = /^plank:\/\/content-types\/([^/]+)\/schema$/.exec(uri);
+  if (!match) {
+    throw buildJsonRpcError(-32602, "Unknown resource URI", { uri });
+  }
+  const slug = decodeURIComponent(match[1] ?? "");
+  const contentType = await findContentTypeBySlug(slug);
+  if (!contentType) {
+    throw buildJsonRpcError(-32004, "Content type not found", { slug });
+  }
+  return {
+    contents: [
+      {
+        uri,
+        mimeType: "application/json",
+        text: JSON.stringify(contentType, null, 2)
+      }
+    ]
+  };
+}
+function buildJsonRpcError(code, message, data) {
+  return data === void 0 ? { code, message } : { code, message, data };
+}
+function buildResult(id, result) {
+  return {
+    jsonrpc: JSON_RPC_VERSION,
+    id,
+    result
+  };
+}
+function buildError(id, error) {
+  return {
+    jsonrpc: JSON_RPC_VERSION,
+    id,
+    error
+  };
+}
+function isJsonRpcRequest(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+async function handleRequest(message) {
+  if (message.jsonrpc !== JSON_RPC_VERSION) {
+    return buildError(message.id ?? null, buildJsonRpcError(-32600, "Invalid JSON-RPC version"));
+  }
+  if (typeof message.method !== "string" || message.method.length === 0) {
+    return buildError(message.id ?? null, buildJsonRpcError(-32600, "Invalid method"));
+  }
+  if (message.id === void 0) {
+    if (message.method === "notifications/initialized") {
+      return null;
+    }
+    return null;
+  }
+  try {
+    switch (message.method) {
+      case "initialize": {
+        const version = await getCurrentVersion();
+        return buildResult(message.id, {
+          protocolVersion: MCP_PROTOCOL_VERSION,
+          capabilities: {
+            resources: {}
+          },
+          serverInfo: {
+            name: "plank-cms",
+            title: "Plank CMS",
+            version
+          },
+          instructions: "Use resources/list to discover available resources, then resources/read to load Plank content types, per-type schemas, and locales."
+        });
+      }
+      case "ping":
+        return buildResult(message.id, {});
+      case "resources/list":
+        return buildResult(message.id, { resources: await listResources() });
+      case "resources/read": {
+        const uri = message.params?.uri;
+        if (typeof uri !== "string" || uri.length === 0) {
+          return buildError(message.id, buildJsonRpcError(-32602, "A resource URI is required"));
+        }
+        return buildResult(message.id, await readResource(uri));
+      }
+      default:
+        return buildError(message.id, buildJsonRpcError(-32601, "Method not found", { method: message.method }));
+    }
+  } catch (error) {
+    if (isJsonRpcError(error)) {
+      return buildError(message.id, error);
+    }
+    return buildError(message.id, buildJsonRpcError(-32603, "Internal server error"));
+  }
+}
+function isJsonRpcError(error) {
+  return typeof error === "object" && error !== null && "code" in error && "message" in error;
+}
+async function handleMcpRequest(req, res) {
+  const payload = req.body;
+  if (Array.isArray(payload)) {
+    if (payload.length === 0) {
+      res.status(400).json(buildError(null, buildJsonRpcError(-32600, "Batch requests cannot be empty")));
+      return;
+    }
+    const responses = (await Promise.all(payload.map(async (message) => {
+      if (!isJsonRpcRequest(message)) {
+        return buildError(null, buildJsonRpcError(-32600, "Invalid request"));
+      }
+      return await handleRequest(message);
+    }))).filter((response2) => response2 !== null);
+    if (responses.length === 0) {
+      res.status(202).end();
+      return;
+    }
+    res.json(responses);
+    return;
+  }
+  if (!isJsonRpcRequest(payload)) {
+    res.status(400).json(buildError(null, buildJsonRpcError(-32600, "Invalid request")));
+    return;
+  }
+  const response = await handleRequest(payload);
+  if (!response) {
+    res.status(202).end();
+    return;
+  }
+  res.json(response);
+}
+function handleMcpGet(_req, res) {
+  res.status(200).json({
+    name: "plank-cms",
+    transport: "streamable-http",
+    endpoint: "/mcp",
+    protocolVersion: MCP_PROTOCOL_VERSION,
+    capabilities: ["resources"]
+  });
+}
+function handleMcpDelete(_req, res) {
+  res.status(405).json({ error: "Session termination is not supported" });
+}
+
+// ../core/dist/middlewares/mcpOrigin.js
+function validateMcpOrigin(req, res, next) {
+  const origin = req.get("origin");
+  if (!origin) {
+    next();
+    return;
+  }
+  const host = req.get("host");
+  if (!host) {
+    res.status(400).json({ error: "Missing Host header" });
+    return;
+  }
+  const forwardedProto = req.get("x-forwarded-proto");
+  const protocol = forwardedProto ? forwardedProto.split(",")[0].trim() : req.protocol;
+  const allowedOrigins = /* @__PURE__ */ new Set([`${protocol}://${host}`]);
+  if (!process.env.PLANK_ADMIN_DIST) {
+    const port = process.env.PLANK_PORT ?? "5500";
+    allowedOrigins.add(`http://localhost:${port}`);
+    allowedOrigins.add("http://localhost:3000");
+  }
+  if (!allowedOrigins.has(origin)) {
+    res.status(403).json({ error: "Origin not allowed" });
+    return;
+  }
+  next();
+}
+
+// ../core/dist/routes/mcp.js
+var router4 = Router4();
+router4.use(validateMcpOrigin);
+router4.use(mcpToken);
+router4.get("/", handleMcpGet);
+router4.post("/", handleMcpRequest);
+router4.delete("/", handleMcpDelete);
+var mcp_default = router4;
+
 // ../core/dist/middlewares/errorHandler.js
 import { ZodError, flattenError as flattenError6 } from "zod";
 function parseUniqueViolationField(detail) {
@@ -6523,6 +6809,7 @@ var cmsCorOptions = cors({ origin: cmsAllowedOrigins, credentials: true });
 app.use("/cms/auth", cmsCorOptions, auth_default);
 app.use("/cms/admin", cmsCorOptions, admin_default);
 app.use("/api", cors(), public_default);
+app.use("/mcp", mcp_default);
 app.get("/", (_req, res) => {
   if (isDev) {
     res.redirect(adminDevUrl);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@plank-cms/plank",
-  "version": "0.29.0",
+  "version": "0.30.1",
   "description": "Self-hosted headless CMS. Deploy in minutes on your own infrastructure.",
   "type": "module",
   "files": [
@@ -55,9 +55,9 @@
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",
     "tsup": "^8.5.0",
-    "@plank-cms/core": "0.29.0",
-    "@plank-cms/schema": "0.29.0",
-    "@plank-cms/db": "0.29.0"
+    "@plank-cms/core": "0.30.1",
+    "@plank-cms/db": "0.30.1",
+    "@plank-cms/schema": "0.30.1"
   },
   "scripts": {
     "build": "tsup",