drupal-mcp-connector 0.10.0 → 1.1.0

package/CHANGELOG.md

@@ -7,6 +7,89 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.0] - 2026-06-26
+
+### Security
+- Bump transitive `hono` 4.12.23 → 4.12.27 (via `@modelcontextprotocol/sdk`), clearing
+  5 advisories (1 high, 4 moderate): GHSA-88fw-hqm2-52qc (CORS wildcard-with-credentials),
+  GHSA-wwfh-h76j-fc44 (serve-static path traversal), GHSA-j6c9-x7qj-28xf, GHSA-rv63-4mwf-qqc2,
+  GHSA-wgpf-jwqj-8h8p. Lockfile-only; the SDK's `^4.11.4` range already permits the fix.
+  `npm audit` clean.
+
+### Added
+- Environment-keyed governance tiers. The `config/config.example.json` template now
+  models four least-privilege tiers — `prod`/`staging` (content), `dev` (developer),
+  `dev-admin` (admin/break-glass) — each pinned by OAuth scopes and a security preset.
+- New `config-editor` security preset (Developer tier): content-editor capabilities plus
+  governed config read/write. All presets gained `allowConfigRead` / `allowConfigWrite`
+  caps (mirroring the server-side governance profile), with `assertConfigReadAllowed` /
+  `assertConfigWriteAllowed` gates. Caps are surfaced by `drupal_security_info`.
+- Governed configuration tools: `drupal_config_get`, `drupal_config_list`,
+  `drupal_config_set`. These call Drupal's authoritative server-side MCP config tools via a
+  new JSON-RPC bridge (`src/lib/server-tools.js`, per-site `serverTools.url`) — not drush —
+  and are gated by the new config caps as a defence-in-depth second layer.
+- `drupal_mcp_whoami` — reports the agent's effective tier, preset, OAuth scopes, and
+  capabilities (read/write/delete/config/publish) for a site, so permitted actions are
+  visible up front. Publishing is always reported as server-gated.
+- Per-site `drushSsh.allowedCommands` allowlist. When set, only those Drush subcommands
+  may run on that site; the example `dev` site is pinned to `config:export` /
+  `config:status`, and prod/staging carry no `drushSsh` block at all.
+- CI: Slack release notification (`.github/workflows/release-notify.yml`) — posts to the
+  maintainers' release channel on release tags; no-ops without the `SLACK_WEBHOOK_RELEASES` secret.
+- `bin/drupal-mcp-launch.sh` — launcher script for starting the connector
+  (secret-manager-friendly local launch).
+
+### Removed
+- `.playwright-mcp/` page snapshots — throwaway browser-automation captures
+  that were committed by mistake; the directory is now gitignored.
+
+### Changed
+- CI: the CHANGELOG check now exempts Dependabot PRs automatically (author
+  `dependabot[bot]`), so dependency bumps no longer need a changelog entry or the
+  `no-changelog` label.
+- CI: made the Dependabot auto-merge workflow self-contained instead of calling
+  the private `Wilkes-Liberty/.github` reusable workflow. A public repo cannot use
+  a private reusable workflow, so the previous version startup-failed and
+  Dependabot PRs never auto-merged. Removed the dead `changelog-autoupdate.yml`
+  (also a private-reusable caller that needs an org GitHub App).
+
+### Fixed
+- JSON:API filter values are now DB-portable, fixing report-tool 500s on
+  PostgreSQL-backed sites. Boolean filters (e.g. `status`) serialized as
+  `'true'`/`'false'` were rejected by Postgres' `smallint` columns ("invalid
+  input syntax for type smallint"); they are now `1`/`0`.
+  `drupal_report_stale_content` filtered the integer `changed` timestamp with an
+  ISO-8601 string (same class of error); it now uses epoch seconds. MySQL coerced
+  both, which masked the bug. (#71)
+- `drupal_report_user_activity` now surfaces a top-level `approximate` flag when
+  any of its account counts hit the backend's safety ceiling — matching
+  `drupal_report_content_summary` and `drupal_report_taxonomy_usage`. Previously a
+  capped count (e.g. 1000 users) was presented as exact. (#75)
+- JSON:API `countEntities` now returns the **exact** total by paginating through
+  `links.next`, instead of trusting `meta.count` — which Drupal core JSON:API does
+  not provide. Previously every report count collapsed to the requested page size
+  (e.g. `1` per non-empty content type), reported as exact. Counts beyond a safety
+  ceiling (1000 records) are returned and flagged `approximate`. Fixes the
+  undercount in `drupal_report_content_summary`, `drupal_report_taxonomy_usage`,
+  and `drupal_report_user_activity`. (#73)
+
+## [1.0.0] - 2026-06-15
+
+First stable release. The tool surface, security model, and configuration
+schema are now considered stable and will follow semantic versioning.
+
+### Added
+- Stable **1.0** milestone: 89 tools across 20 modules with full read +
+  governed-write coverage (node/entity CRUD, revisions, moderation, scheduler,
+  fields, references, bulk operations, translations, paragraphs, structure,
+  search, and reports), `dryRun` preview on every write tool, the JSON:API and
+  GraphQL backends, the `write-plane` security preset, and multi-client launch
+  support (Claude Code, Claude Desktop, Grok Build).
+
+### Changed
+- No functional changes since 0.10.0 — this release promotes the 0.10.x feature
+  set to a stable 1.0 line.
+
 ## [0.10.0] - 2026-06-15
 
 ### Added
@@ -252,6 +335,7 @@ The connector is now **dual-protocol**: every tool runs against an abstract back
 - User tools gained explicit PII-access assertions.
 - Whole tree lint-clean (`npm run lint`) with object-injection sinks rewritten to safe lookups.
 
+[1.0.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v1.0.0
 [0.10.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.10.0
 [0.9.1]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.9.1
 [0.9.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.9.0

package/README.md

@@ -51,7 +51,7 @@ See **[docs/architecture.md](docs/architecture.md)** for the backend abstraction
 
 ## Features
 
-### 89 Tools Across 20 Modules
+### 93 Tools Across 21 Modules
 
 | Module | Tools |
 |--------|-------|
@@ -75,6 +75,9 @@ See **[docs/architecture.md](docs/architecture.md)** for the backend abstraction
 | **Structure** | Menu links + custom blocks (list/create) |
 | **Search** | Best-effort content search (title match; Search API/Solr-ready) |
 | **Reports (extra)** | Orphaned references, unpublished content, missing-field audits |
+| **Config & Governance** | Governed config get/list/set via the server-tool bridge; `drupal_mcp_whoami` tier/capability report |
+
+**Preview writes with `dryRun`.** The node and entity create/update/delete tools accept an optional `dryRun: true` flag that validates the request and returns a preview of exactly what would be written — without committing anything to Drupal.
 
 ### MCP Resources
 Browsable, always-fresh context the client can read without calling a tool:
@@ -163,7 +166,7 @@ The connector works out of the box against Drupal core's JSON:API and a GraphQL
 - Role-bound policy profiles (operation gates, entity allow/deny, field redaction)
 - Tamper-evident audit log of every governed MCP operation, attributed to the acting account
 - Content locks that prevent edits to content a human is actively editing
-- OAuth scope enforcement (`mcp:read` / `mcp:write`) per tool
+- OAuth scope enforcement (`mcp_read` / `mcp_write`) per tool
 - HMAC-signed webhooks on MCP-driven entity changes
 
 ```bash
@@ -185,7 +188,7 @@ Governance keys off the authenticated account's role and OAuth scopes — not re
 | [OAuth client_credentials](docs/oauth-client-credentials.md) | Production OAuth deploy: scope→role mapping, JSON:API writes, config persistence, secret handling, troubleshooting |
 | [Architecture](docs/architecture.md) | Backend abstraction, canonical model, and how to extend it |
 | [GraphQL Setup](docs/graphql-local-setup.md) | GraphQL Compose backend + local TLS notes |
-| [Tools Reference](docs/tools-reference.md) | Full reference for all 89 tools |
+| [Tools Reference](docs/tools-reference.md) | Full reference for all 93 tools |
 | [Security Guide](docs/security.md) | Presets, entity access control, field redaction |
 | [Security Hardening](docs/security-hardening.md) | Optional transport, identity, and secrets controls |
 | [Threat Model](docs/threat-model.md) | Trust boundaries, threats & mitigations, residual risks, and the security-pass results |

package/config/config.example.json

@@ -10,7 +10,11 @@
     "_comment": "All optional. apiTokenEnv: read the Bearer token from this env var instead of apiToken (keeps secrets out of the config file). requireSecureAuth: reject anon/basic, require HTTPS+Bearer (recommended for production). Env overrides: MCP_CLIENT_ID overrides or disables the outbound identity header; MCP_AUTH_TOKEN requires bearer auth on the HTTPS /mcp endpoint; MCP_BIND_HOST restricts the listen interface (with TLS). See docs/security-hardening.md."
   },
 
-  "defaultSite": "production",
+  "_governance_tiers": {
+    "_comment": "These four sites model the MCP agent governance tiers: least privilege keyed by environment. The Drupal side (mcp_sentinel) is authoritative; the per-site security preset is a defence-in-depth second layer. Tiers: content (prod/staging), developer (dev), admin/break-glass (dev-admin). serverTools wires the governed config tools (drupal_config_get/list/set); drushSsh is dev-only and whitelisted to config export/status. See docs/integration-contract.md."
+  },
+
+  "defaultSite": "prod",
 
   "tls": {
     "_comment": "TLS is required for the HTTPS transport (MCP_TRANSPORT=https). Ignored in stdio mode.",
@@ -20,89 +24,91 @@
   },
 
   "sites": {
-    "production": {
-      "baseUrl":           "https://mysite.com",
-      "apiToken":          "eyJhbGciOiJSUzI1NiJ9...",
-      "apiTokenEnv":       "DRUPAL_TOKEN_PRODUCTION",
+    "prod": {
+      "_comment": "Content tier. Content/media/term CRUD; config read-only; cannot publish (server-side editorial gate). No drushSsh.",
+      "baseUrl":           "https://api.int.wilkesliberty.com",
       "requireSecureAuth": true,
-      "username":          "",
-      "password":          "",
-      "graphqlEndpoint":   "/graphql",
       "api":               "jsonapi",
-
-      "drushSsh": {
-        "_comment": "Optional. Enables drupal_drush_* tools. SSH key auth only — no passwords.",
-        "host":       "ssh.mysite.com",
-        "user":       "deploy",
-        "keyPath":    "~/.ssh/id_ed25519",
-        "drupalRoot": "/var/www/html/web",
-        "port":       22
+      "oauth": {
+        "tokenUrl":        "/oauth/token",
+        "clientId":        "mcp-agent",
+        "clientSecretEnv": "MCP_AGENT_CLIENT_SECRET",
+        "scopes":          ["mcp_read", "mcp_write"],
+        "grant":           "client_credentials"
       },
-
-      "security": {
-        "_comment": "Presets: development | content-editor | auditor | production-strict",
-        "preset":                "auditor",
-        "readOnly":              true,
-        "allowDestructive":      false,
-        "allowGraphqlMutations": false,
-        "allowedEntityTypes":    null,
-        "deniedEntityTypes":     ["user"],
-        "globalRedactedFields":  ["pass", "mail", "field_api_key", "field_private"],
-        "entityRules": {
-          "node": {
-            "allowedOperations": ["read"],
-            "deniedBundles":     ["private_document", "internal_memo"]
-          }
-        }
-      }
+      "serverTools": { "url": "/mcp" },
+      "security":    { "preset": "content-editor" }
     },
 
     "staging": {
-      "baseUrl":  "https://staging.mysite.com",
-      "username": "api-user",
-      "password": "change-me-use-token-instead",
-      "api":      "jsonapi",
-      "security": { "preset": "content-editor" }
-    },
-
-    "local": {
-      "_comment": "Plain HTTP is allowed for localhost targets only. A warning is logged.",
-      "baseUrl":  "http://mysite.lndo.site",
-      "username": "admin",
-      "password": "admin",
-      "security": { "preset": "development" }
+      "_comment": "Content tier. Same capabilities as prod against the staging environment.",
+      "baseUrl":           "https://api-stg.int.wilkesliberty.com",
+      "requireSecureAuth": true,
+      "api":               "jsonapi",
+      "oauth": {
+        "tokenUrl":        "/oauth/token",
+        "clientId":        "mcp-agent",
+        "clientSecretEnv": "MCP_AGENT_CLIENT_SECRET_STG",
+        "scopes":          ["mcp_read", "mcp_write"],
+        "grant":           "client_credentials"
+      },
+      "serverTools": { "url": "/mcp" },
+      "security":    { "preset": "content-editor" }
     },
 
-    "graphql_only": {
-      "_comment": "A site that exposes GraphQL only (JSON:API disabled). GraphQL is read-only.",
-      "baseUrl":         "https://api.example.com",
-      "graphqlEndpoint": "/graphql",
-      "api":             "graphql",
-      "security":        { "preset": "auditor" }
+    "dev": {
+      "_comment": "Developer tier (DDEV). Content + governed config read/write. Drush bridge is dev-only and whitelisted to config export/status; the agent mutates config via drupal_config_set, then exports to YAML for a PR.",
+      "baseUrl":           "https://api.wilkesliberty.dev",
+      "requireSecureAuth": true,
+      "api":               "jsonapi",
+      "oauth": {
+        "tokenUrl":        "/oauth/token",
+        "clientId":        "mcp-agent",
+        "clientSecretEnv": "MCP_AGENT_CLIENT_SECRET_DEV",
+        "scopes":          ["mcp_read", "mcp_write", "mcp_config"],
+        "grant":           "client_credentials"
+      },
+      "serverTools": { "url": "/mcp" },
+      "drushSsh": {
+        "_comment": "Dev only. DDEV web-container SSH target. Whitelisted to config export/status — every other drupal_drush_* tool is blocked here.",
+        "host":            "<ddev-web-container-ssh-host>",
+        "user":            "<ddev-ssh-user>",
+        "keyPath":         "~/.ssh/id_ed25519",
+        "drupalRoot":      "/var/www/html/web",
+        "port":            22,
+        "allowedCommands": ["config:export", "config:status"]
+      },
+      "security": { "preset": "config-editor" }
     },
 
-    "oauth_write_plane": {
-      "_comment": "OAuth2 client_credentials grant against simple_oauth. The client secret is read from the named env var and never stored here.",
-      "baseUrl":           "https://api.example.com",
+    "dev-admin": {
+      "_comment": "Admin / break-glass tier (DDEV). All capabilities incl. destructive + config import — non-standing. Reuses the dev secret. No drushSsh (admin ops go through governed/approval-gated server tools).",
+      "baseUrl":           "https://api.wilkesliberty.dev",
       "requireSecureAuth": true,
       "api":               "jsonapi",
       "oauth": {
         "tokenUrl":        "/oauth/token",
-        "clientId":        "mcp-agent-prod",
-        "clientSecretEnv": "MCP_AGENT_CLIENT_SECRET",
-        "scopes":          ["mcp:read", "mcp:write"],
+        "clientId":        "mcp-agent",
+        "clientSecretEnv": "MCP_AGENT_CLIENT_SECRET_DEV",
+        "scopes":          ["mcp_read", "mcp_write", "mcp_config", "mcp_admin"],
         "grant":           "client_credentials"
       },
-      "security": { "preset": "write-plane" }
+      "serverTools": { "url": "/mcp" },
+      "security":    { "preset": "development" }
     }
   },
 
   "_security_presets": {
-    "development":       "All operations allowed. Local dev only.",
-    "content-editor":    "Create/edit nodes+media+terms. No deletes. No user entity access.",
-    "auditor":           "Read-only. All entity types. User PII fields redacted.",
-    "production-strict": "Read-only. No user entities. Broad PII redaction.",
-    "write-plane":       "Governed writes (no delete/mutations) on node, taxonomy_term, media. No user. Redacts pass/mail."
+    "development":       "All operations allowed, incl. config read/write. Local dev / break-glass only.",
+    "content-editor":    "Create/edit nodes+media+terms. No deletes. No user entity access. Config read-only.",
+    "config-editor":     "content-editor + governed config read/write (Developer tier).",
+    "auditor":           "Read-only. All entity types. User PII fields redacted. Config read-only.",
+    "production-strict": "Read-only. No user entities. Broad PII redaction. No config access.",
+    "write-plane":       "Governed writes (no delete/mutations) on node, taxonomy_term, media. No user. Redacts pass/mail. Config read-only."
+  },
+
+  "_server_tools": {
+    "_comment": "serverTools.url is the JSON-RPC endpoint of the Drupal-side governed MCP tools (mcp_server_tool_bridge / mcp_sentinel), resolved against baseUrl. Required for drupal_config_get/list/set. Authenticated with the same OAuth bearer."
   },
 
   "_mcp_client_registration": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "drupal-mcp-connector",
-  "version": "0.10.0",
+  "version": "1.1.0",
   "description": "A secure, multi-site Model Context Protocol (MCP) connector for Drupal — dual-protocol JSON:API and GraphQL.",
   "type": "module",
   "main": "src/index.js",
@@ -56,7 +56,7 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
-    "graphql": "^16.9.0",
+    "graphql": "^17.0.0",
     "node-fetch": "^3.3.2",
     "ssh2": "^1.16.0"
   },

package/src/index.js

@@ -67,13 +67,14 @@ import * as paragraphs   from "./tools/paragraphs.js";
 import * as structure    from "./tools/structure.js";
 import * as search       from "./tools/search.js";
 import * as reportsExtra from "./tools/reports-extra.js";
+import * as config       from "./tools/config.js";
 
 // ---------------------------------------------------------------------------
 // Aggregate tools
 // ---------------------------------------------------------------------------
 
 const allModules = [nodes, taxonomy, users, media, graphql, site, entities, reports, drush,
-  revisions, moderation, scheduler, fields, references, bulk, translations, paragraphs, structure, search, reportsExtra];
+  revisions, moderation, scheduler, fields, references, bulk, translations, paragraphs, structure, search, reportsExtra, config];
 
 // Flatten every module's tool definitions into one ListTools payload, and merge
 // their handler maps into a single closed dispatch table keyed by tool name.
@@ -95,7 +96,9 @@ const WRITE_PREFIXES       = ["drupal_create_", "drupal_update_", "drupal_upload
   "drupal_drush_updatedb", "drupal_drush_module_enable",
   "drupal_drush_module_disable", "drupal_drush_user_create",
   // v1.0 feature tools that perform writes but don't start with create_/update_:
-  "drupal_bulk_", "drupal_revert_", "drupal_schedule_", "drupal_set_"];
+  "drupal_bulk_", "drupal_revert_", "drupal_schedule_", "drupal_set_",
+  // Governed config write (also gated inside the handler by the config-write cap):
+  "drupal_config_set"];
 const DESTRUCTIVE_PREFIXES = ["drupal_delete_", "drupal_drush_module_disable"];
 
 /**

package/src/lib/backends/jsonapi.js

@@ -20,6 +20,14 @@ import {
 // these are dropped from canonical `fields` (the canonical id is the UUID).
 const INTERNAL_ATTR_RE = /^drupal_internal__/;
 
+// countEntities() pagination. Drupal core JSON:API returns no total in `meta`,
+// so an exact count is obtained by walking pages until `links.next` is gone.
+// COUNT_PAGE_SIZE is Drupal's default max page size; COUNT_MAX_RECORDS bounds
+// the walk so a huge collection can't issue unbounded requests (mirrors the
+// GraphQL backend's MAX_CLIENT_RECORDS) — past it the count is approximate.
+const COUNT_PAGE_SIZE = 50;
+const COUNT_MAX_RECORDS = 1000;
+
 /**
  * Detect the JSON:API error Drupal returns when a write attempts to set the
  * `status` (published) field on a content_moderation-governed entity. Such
@@ -88,18 +96,33 @@ function inferType(value) {
  * @param {{field: string, op?: string, value: *}} cond Filter condition.
  * @returns {void}
  */
+/**
+ * Serialize a filter value to a DB-portable string. Booleans become "1"/"0":
+ * Drupal stores `status` and other boolean fields in integer/smallint columns,
+ * and PostgreSQL rejects the literals "true"/"false" there ("invalid input
+ * syntax for type smallint"). MySQL coerces them, which hid this. Everything
+ * else is stringified unchanged (the string "true" stays "true").
+ * @param {*} value
+ * @returns {string}
+ */
+function filterValue(value) {
+  if (value === true) return "1";
+  if (value === false) return "0";
+  return String(value);
+}
+
 function applyFilter(params, { field, op = "eq", value }) {
   if (op === "eq") {
-    params.append(`filter[${field}]`, String(value));
+    params.append(`filter[${field}]`, filterValue(value));
     return;
   }
   const key = `c_${field}`;
   params.append(`filter[${key}][condition][path]`, field);
   params.append(`filter[${key}][condition][operator]`, OP_MAP.get(op) || "=");
   if (op === "in" && Array.isArray(value)) {
-    value.forEach((v, i) => params.append(`filter[${key}][condition][value][${i}]`, String(v)));
+    value.forEach((v, i) => params.append(`filter[${key}][condition][value][${i}]`, filterValue(v)));
   } else if (op !== "isNull") {
-    params.append(`filter[${key}][condition][value]`, String(value));
+    params.append(`filter[${key}][condition][value]`, filterValue(value));
   }
 }
 
@@ -374,17 +397,47 @@ export class JsonApiBackend extends Backend {
   }
 
   /**
-   * Return an exact entity count. Requests page[limit]=1 and reads the
-   * server-provided meta.count, so no full result set is transferred.
+   * Count entities matching the descriptor. Drupal core JSON:API exposes no
+   * total in `meta`, so unless the site provides `meta.count` (jsonapi_extras /
+   * a custom normalizer), the count is obtained by walking pages via
+   * `links.next`. The total is exact when the walk reaches the end; if it hits
+   * the COUNT_MAX_RECORDS safety ceiling first, the partial total is returned
+   * with `approximate: true` (i.e. the true count is at least that value).
    * @param {import("../canonical.js").QueryDescriptor} descriptor
-   * @returns {Promise<{count: number, approximate: false}>}
+   * @returns {Promise<{count: number, approximate: boolean}>}
    */
   async countEntities(descriptor) {
-    const params = this.compileQuery({ ...descriptor, page: { limit: 1 } });
-    const qs = params.toString();
     const base = this.resourcePath(descriptor.entityType, descriptor.bundle);
-    const data = await drupalFetch(this.site, qs ? `${base}?${qs}` : base);
-    return { count: data.meta?.count ?? (data.data || []).length, approximate: false };
+    let total = 0;
+    let offset = 0;
+    for (;;) {
+      const params = this.compileQuery({ ...descriptor, page: { limit: COUNT_PAGE_SIZE, offset } });
+      const qs = params.toString();
+      const data = await drupalFetch(this.site, qs ? `${base}?${qs}` : base);
+
+      // Prefer an exact server-supplied total when the site exposes one
+      // (jsonapi_extras / a custom normalizer). Only the first page can carry it.
+      if (offset === 0 && typeof data?.meta?.count === "number") {
+        return { count: data.meta.count, approximate: false };
+      }
+
+      const got = (data?.data || []).length;
+      total += got;
+
+      // No further page advertised → the whole set has been walked: exact.
+      if (!data?.links?.next?.href || got === 0) {
+        return { count: total, approximate: false };
+      }
+
+      // Advance by the rows actually returned (robust to server-side page-size
+      // caps that may return fewer than COUNT_PAGE_SIZE per page).
+      offset += got;
+
+      // Bounded walk: stop and flag the partial total as approximate.
+      if (total >= COUNT_MAX_RECORDS) {
+        return { count: total, approximate: true };
+      }
+    }
   }
 
   /**

package/src/lib/security.js

@@ -13,7 +13,8 @@ import { parse } from "graphql";
  * ─── Quick presets ────────────────────────────────────────────────────────
  *
  *   "preset": "development"        Everything allowed. Default if no security key.
- *   "preset": "content-editor"     Create/edit nodes+media. No user mgmt, no deletes.
+ *   "preset": "content-editor"     Create/edit nodes+media. No user mgmt, no deletes. Config read-only.
+ *   "preset": "config-editor"      content-editor + governed config read/write (Developer tier).
  *   "preset": "auditor"            Read-only. All entity types. User fields redacted.
  *   "preset": "production-strict"  Read-only. Explicit allowlist required. Redacts PII.
  *   "preset": "write-plane"        Governed writes (no delete/mutations) on node, term, media.
@@ -25,6 +26,11 @@ import { parse } from "graphql";
  *  readOnly            true  → reject all create/update/delete/graphql-mutation calls
  *  allowDestructive    false → reject all delete operations
  *  allowGraphqlMutations false → reject drupal_graphql when mutation is detected
+ *  allowConfigRead     false → reject drupal_config_get / drupal_config_list
+ *  allowConfigWrite    false → reject drupal_config_set
+ *
+ *  Config caps mirror the server-side governance profile (allow_config_read /
+ *  allow_config_write). Drupal stays authoritative; this is defence in depth.
  *
  *  allowedEntityTypes  string[] | null   null = allow all; array = allowlist
  *  deniedEntityTypes   string[]          always-blocked entity types
@@ -54,6 +60,8 @@ const PRESETS = {
     readOnly: false,
     allowDestructive: true,
     allowGraphqlMutations: true,
+    allowConfigRead: true,
+    allowConfigWrite: true,
     allowedEntityTypes: null,
     deniedEntityTypes: [],
     entityRules: {},
@@ -64,6 +72,27 @@ const PRESETS = {
     readOnly: false,
     allowDestructive: false,          // no deletes
     allowGraphqlMutations: false,
+    allowConfigRead: true,            // config read-only
+    allowConfigWrite: false,
+    allowedEntityTypes: ["node", "media", "file", "taxonomy_term", "menu_link_content"],
+    deniedEntityTypes: ["user"],
+    entityRules: {
+      node:          { allowedOperations: ["read", "create", "update"] },
+      media:         { allowedOperations: ["read", "create", "update"] },
+      file:          { allowedOperations: ["read", "create"] },
+      taxonomy_term: { allowedOperations: ["read", "create", "update"] },
+    },
+    globalRedactedFields: [],
+  },
+
+  "config-editor": {
+    // Developer tier: content-editor capabilities PLUS governed config read/write.
+    // The Drupal-side governance layer remains authoritative; this is defence in depth.
+    readOnly: false,
+    allowDestructive: false,          // no deletes
+    allowGraphqlMutations: false,
+    allowConfigRead: true,
+    allowConfigWrite: true,           // governed config writes via drupal_config_set
     allowedEntityTypes: ["node", "media", "file", "taxonomy_term", "menu_link_content"],
     deniedEntityTypes: ["user"],
     entityRules: {
@@ -79,6 +108,8 @@ const PRESETS = {
     readOnly: true,
     allowDestructive: false,
     allowGraphqlMutations: false,
+    allowConfigRead: true,            // read-only inspection of config
+    allowConfigWrite: false,
     allowedEntityTypes: null,         // read any entity type
     deniedEntityTypes: [],
     entityRules: {
@@ -94,6 +125,8 @@ const PRESETS = {
     readOnly: true,
     allowDestructive: false,
     allowGraphqlMutations: false,
+    allowConfigRead: false,           // nothing implicit; opt in per site
+    allowConfigWrite: false,
     allowedEntityTypes: null,         // set an explicit allowlist in your config
     deniedEntityTypes: ["user"],      // no user data at all
     entityRules: {},
@@ -106,6 +139,8 @@ const PRESETS = {
     readOnly: false,
     allowDestructive: false,          // no deletes
     allowGraphqlMutations: false,     // writes go through the JSON:API plane
+    allowConfigRead: true,            // config read-only
+    allowConfigWrite: false,
     allowedEntityTypes: ["node", "taxonomy_term", "media"],
     deniedEntityTypes: ["user"],
     entityRules: {},
@@ -132,6 +167,8 @@ export function resolveSecurityConfig(site) {
     readOnly:              raw.readOnly              ?? preset.readOnly,
     allowDestructive:      raw.allowDestructive      ?? preset.allowDestructive,
     allowGraphqlMutations: raw.allowGraphqlMutations ?? preset.allowGraphqlMutations,
+    allowConfigRead:       raw.allowConfigRead       ?? preset.allowConfigRead       ?? false,
+    allowConfigWrite:      raw.allowConfigWrite      ?? preset.allowConfigWrite      ?? false,
     allowedEntityTypes:    raw.allowedEntityTypes    ?? preset.allowedEntityTypes,
     deniedEntityTypes:     raw.deniedEntityTypes     ?? preset.deniedEntityTypes,
     entityRules:           mergeEntityRules(preset.entityRules, raw.entityRules ?? {}),
@@ -189,6 +226,39 @@ export function assertNotReadOnly(secConfig, operationLabel) {
   }
 }
 
+/**
+ * Gate config reads (drupal_config_get / drupal_config_list).
+ * @param {object} secConfig Resolved security config.
+ * @returns {void}
+ * @throws {SecurityError} if config reads are disabled for this site.
+ */
+export function assertConfigReadAllowed(secConfig) {
+  if (!secConfig.allowConfigRead) {
+    throw new SecurityError(
+      "Config reads are disabled for this site. " +
+      "To enable, use a preset with config access (e.g. config-editor) " +
+      "or set security.allowConfigRead = true in your config."
+    );
+  }
+}
+
+/**
+ * Gate config writes (drupal_config_set). Server-side governance remains
+ * authoritative; this is the connector-side defence-in-depth layer.
+ * @param {object} secConfig Resolved security config.
+ * @returns {void}
+ * @throws {SecurityError} if config writes are disabled for this site.
+ */
+export function assertConfigWriteAllowed(secConfig) {
+  if (!secConfig.allowConfigWrite) {
+    throw new SecurityError(
+      "Config writes are disabled for this site. " +
+      "To enable, use the config-editor preset (Developer tier) " +
+      "or set security.allowConfigWrite = true in your config."
+    );
+  }
+}
+
 /**
  * @param {object} secConfig Resolved security config.
  * @param {string} entityType Entity type targeted by the delete.
@@ -467,6 +537,8 @@ export function getSecuritySummary(site) {
     readOnly:              cfg.readOnly,
     allowDestructive:      cfg.allowDestructive,
     allowGraphqlMutations: cfg.allowGraphqlMutations,
+    allowConfigRead:       cfg.allowConfigRead,
+    allowConfigWrite:      cfg.allowConfigWrite,
     allowedEntityTypes:    cfg.allowedEntityTypes ?? "all",
     deniedEntityTypes:     cfg.deniedEntityTypes,
     entityRules:           cfg.entityRules,

package/src/lib/server-tools.js

@@ -0,0 +1,136 @@
+/**
+ * Server-tool bridge — call governed MCP tools exposed by Drupal.
+ *
+ * The connector itself is an MCP *server* for the AI client. For governed
+ * configuration operations, Drupal exposes its own MCP tools server-side
+ * (the `mcp_server_tool_bridge` / `mcp_sentinel` modules). This module makes
+ * the connector an MCP *client* of that server so config get/list/set are
+ * mediated by Drupal's authoritative governance layer rather than by drush.
+ *
+ * Transport: JSON-RPC 2.0 over HTTPS POST to the per-site `serverTools.url`
+ * endpoint, authenticated with the same OAuth bearer used for JSON:API. The
+ * endpoint path is configurable so it tracks whatever route the Drupal-side
+ * bridge publishes.
+ *
+ * Config (per site):
+ *   "serverTools": { "url": "/mcp" }   // path is resolved against site.baseUrl
+ *
+ * Tools are NOT functional until the Drupal-side governed config tools ship;
+ * until then the server returns a tool-not-found error, surfaced verbatim.
+ */
+
+import fetch from "node-fetch";
+import { authHeadersAsync, clientHeaders } from "./config.js";
+import { clearToken } from "./oauth.js";
+
+/**
+ * Canonical server-side tool names for governed config operations.
+ * Keep the mapping here so a server-side rename is a one-line change.
+ */
+export const SERVER_TOOLS = {
+  configGet:  "config_get",
+  configList: "config_list",
+  configSet:  "config_set",
+};
+
+// Monotonic JSON-RPC request id. A simple counter keeps ids unique per process
+// without relying on Math.random()/Date.now().
+let rpcId = 0;
+
+/**
+ * Resolve a site's server-tools endpoint, or throw a clear, actionable error
+ * when the site has no `serverTools` block (mirrors the drush bridge's
+ * graceful "not configured" failure).
+ * @param {object} site Resolved site config.
+ * @returns {string} Fully-qualified endpoint URL.
+ * @throws {Error} if the site has no serverTools.url configured.
+ */
+function resolveEndpoint(site) {
+  const url = site.serverTools?.url;
+  if (!url) {
+    throw new Error(
+      `Server-tool bridge not configured for site "${site._name}". ` +
+      "Add a \"serverTools\": { \"url\": \"/mcp\" } block to this site's config. " +
+      "See docs/integration-contract.md."
+    );
+  }
+  // Absolute URL wins; otherwise resolve the path against the site base URL.
+  return /^https?:\/\//.test(url) ? url : `${site.baseUrl}${url}`;
+}
+
+/**
+ * Call a governed MCP tool on the Drupal server via JSON-RPC `tools/call`.
+ *
+ * For OAuth2 sites a 401 triggers a single retry: the cached token is cleared,
+ * re-acquired, and the request replayed once (mirrors drupalFetch).
+ * @param {object} site Resolved site config (provides baseUrl + auth).
+ * @param {string} toolName Server-side MCP tool name (see SERVER_TOOLS).
+ * @param {object} [args] Tool arguments object.
+ * @returns {Promise<*>} The tool's structured result.
+ * @throws {Error} on transport failure, JSON-RPC error, or tool error.
+ */
+export async function callServerTool(site, toolName, args = {}) {
+  const endpoint = resolveEndpoint(site);
+  const payload = {
+    jsonrpc: "2.0",
+    id: ++rpcId,
+    method: "tools/call",
+    params: { name: toolName, arguments: args },
+  };
+
+  async function attempt() {
+    return fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+        ...clientHeaders(),
+        ...(await authHeadersAsync(site)),
+      },
+      body: JSON.stringify(payload),
+    });
+  }
+
+  let res = await attempt();
+
+  // OAuth sites: a 401 may mean the token expired server-side. Refresh once.
+  if (res.status === 401 && site.oauth) {
+    clearToken(site);
+    res = await attempt();
+  }
+
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Server-tool call ${toolName} failed ${res.status}: ${text}`);
+  }
+
+  const body = await res.json();
+
+  // JSON-RPC transport-level error.
+  if (body.error) {
+    const { code, message } = body.error;
+    const hasCode = code !== undefined && code !== null;
+    throw new Error(`Server-tool ${toolName} error${hasCode ? ` (${code})` : ""}: ${message}`);
+  }
+
+  // MCP tools/call result: { content: [...], isError?: boolean }.
+  const result = body.result;
+  if (result?.isError) {
+    const detail = extractTextContent(result) || "tool reported an error";
+    throw new Error(`Server-tool ${toolName} reported an error: ${detail}`);
+  }
+  return result;
+}
+
+/**
+ * Pull the concatenated text from an MCP tool result's content array.
+ * @param {object} result MCP tools/call result.
+ * @returns {string} Joined text content (empty string if none).
+ */
+function extractTextContent(result) {
+  if (!Array.isArray(result?.content)) return "";
+  return result.content
+    .filter((c) => c?.type === "text" && typeof c.text === "string")
+    .map((c) => c.text)
+    .join("\n");
+}

package/src/tools/config.js

@@ -0,0 +1,173 @@
+/**
+ * Tool group: Governed configuration + agent identity.
+ *
+ * Configuration get/list/set are mediated by Drupal's authoritative governance
+ * layer: each tool calls a server-side MCP tool over the bridge in
+ * lib/server-tools.js (NOT drush). The connector-side security caps
+ * (allowConfigRead / allowConfigWrite) are a second, defence-in-depth gate.
+ *
+ * drupal_mcp_whoami reports the agent's effective tier/profile/capabilities for
+ * a site so the agent and a human operator can see what is permitted up front,
+ * reducing surprise denials.
+ */
+
+import { getSiteConfig } from "../lib/config.js";
+import {
+  resolveSecurityConfig,
+  getSecuritySummary,
+  assertNotReadOnly,
+  assertConfigReadAllowed,
+  assertConfigWriteAllowed,
+} from "../lib/security.js";
+import { callServerTool, SERVER_TOOLS } from "../lib/server-tools.js";
+
+// ---------------------------------------------------------------------------
+// Config tools (governed via the server-tool bridge)
+// ---------------------------------------------------------------------------
+
+/**
+ * Read a single configuration object by name (e.g. "system.site").
+ * @param {object} args - { site?, name }.
+ * @returns {Promise<*>} The server tool's result.
+ * @throws {SecurityError} if config reads are disabled for the site.
+ */
+async function configGet({ site: siteName, name }) {
+  const site = getSiteConfig(siteName);
+  assertConfigReadAllowed(resolveSecurityConfig(site));
+  return callServerTool(site, SERVER_TOOLS.configGet, { name });
+}
+
+/**
+ * List configuration object names, optionally filtered by a name prefix.
+ * @param {object} args - { site?, prefix? }.
+ * @returns {Promise<*>} The server tool's result.
+ * @throws {SecurityError} if config reads are disabled for the site.
+ */
+async function configList({ site: siteName, prefix }) {
+  const site = getSiteConfig(siteName);
+  assertConfigReadAllowed(resolveSecurityConfig(site));
+  const args = prefix ? { prefix } : {};
+  return callServerTool(site, SERVER_TOOLS.configList, args);
+}
+
+/**
+ * Set a configuration value. Governed and audited server-side; the connector
+ * additionally enforces the config-write cap before dispatching.
+ * @param {object} args - { site?, name, value }.
+ * @returns {Promise<*>} The server tool's result.
+ * @throws {SecurityError} if the site is read-only or config writes are disabled.
+ */
+async function configSet({ site: siteName, name, value }) {
+  const site = getSiteConfig(siteName);
+  const sec = resolveSecurityConfig(site);
+  assertNotReadOnly(sec, `config:set ${name}`);
+  assertConfigWriteAllowed(sec);
+  return callServerTool(site, SERVER_TOOLS.configSet, { name, value });
+}
+
+// ---------------------------------------------------------------------------
+// Identity / capabilities
+// ---------------------------------------------------------------------------
+
+/**
+ * Infer the governance tier from OAuth scopes (authoritative signal) when
+ * present, else from the security preset. Mirrors the scope-keyed model in
+ * the MCP agent governance design.
+ * @param {object} site Resolved site config.
+ * @param {object} sec Resolved security config.
+ * @returns {string} One of "admin" | "developer" | "content" | "read-only".
+ */
+function inferTier(site, sec) {
+  const scopes = site.oauth?.scopes ?? [];
+  if (scopes.includes("mcp_admin"))  return "admin";
+  if (scopes.includes("mcp_config")) return "developer";
+  if (scopes.includes("mcp_write"))  return "content";
+  if (scopes.length) return "read-only";
+
+  // No OAuth scopes — fall back to preset semantics.
+  if (sec.allowConfigWrite) return "developer";
+  if (!sec.readOnly)        return "content";
+  return "read-only";
+}
+
+/**
+ * Report the agent's effective tier, profile, and capabilities for a site.
+ * Policy only — no credentials, no backend call.
+ * @param {object} args - { site? }.
+ * @returns {Promise<object>} Effective identity + capability summary.
+ */
+async function whoami({ site: siteName }) {
+  const site = getSiteConfig(siteName);
+  const sec = resolveSecurityConfig(site);
+  const summary = getSecuritySummary(site);
+  return {
+    site: site._name,
+    tier: inferTier(site, sec),
+    preset: summary.preset,
+    scopes: site.oauth?.scopes ?? [],
+    api: site.api ?? "auto",
+    serverToolsConfigured: Boolean(site.serverTools?.url),
+    capabilities: {
+      read:        true,
+      write:       !sec.readOnly,
+      delete:      sec.allowDestructive && !sec.readOnly,
+      configRead:  sec.allowConfigRead,
+      configWrite: sec.allowConfigWrite && !sec.readOnly,
+      // Publishing is always gated server-side (editorial workflow); the agent
+      // never holds the publish transition. Surfaced here so it is explicit.
+      publish:     false,
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Definitions & handlers
+// ---------------------------------------------------------------------------
+
+export const definitions = [
+  {
+    name: "drupal_config_get",
+    description: "Read a single Drupal configuration object by name (e.g. \"system.site\") via the governed server-side config tool. Requires config read access.",
+    inputSchema: {
+      type: "object",
+      required: ["name"],
+      properties: { site: { type: "string" }, name: { type: "string" } },
+    },
+  },
+  {
+    name: "drupal_config_list",
+    description: "List Drupal configuration object names, optionally filtered by a name prefix, via the governed server-side config tool. Requires config read access.",
+    inputSchema: {
+      type: "object",
+      properties: { site: { type: "string" }, prefix: { type: "string" } },
+    },
+  },
+  {
+    name: "drupal_config_set",
+    description: "Set a Drupal configuration value via the governed server-side config tool. Audited and gated server-side; requires the config-editor (Developer) tier. Then export to YAML for a PR.",
+    inputSchema: {
+      type: "object",
+      required: ["name", "value"],
+      properties: {
+        site:  { type: "string" },
+        name:  { type: "string" },
+        value: { description: "The configuration value to set (object, array, or scalar)." },
+      },
+    },
+  },
+  {
+    name: "drupal_mcp_whoami",
+    description: "Report the agent's effective governance tier, security preset, OAuth scopes, and capabilities (read/write/delete/config/publish) for a site. No credentials, no backend call.",
+    inputSchema: {
+      type: "object",
+      properties: { site: { type: "string" } },
+    },
+  },
+];
+
+export const handlers = {
+  drupal_config_get:  configGet,
+  drupal_config_list: configList,
+  drupal_config_set:  configSet,
+  drupal_mcp_whoami:  whoami,
+};

package/src/tools/drush.js

@@ -21,7 +21,7 @@ import { readFileSync }  from "fs";
 import { homedir }       from "os";
 import { join, resolve, normalize } from "path";
 import { getSiteConfig } from "../lib/config.js";
-import { resolveSecurityConfig, assertNotReadOnly } from "../lib/security.js";
+import { resolveSecurityConfig, assertNotReadOnly, SecurityError } from "../lib/security.js";
 import { validateMachineName, validateSqlQuery, sanitizeSshArg } from "../lib/validate.js";
 
 // ---------------------------------------------------------------------------
@@ -38,6 +38,26 @@ function getDrushConfig(site) {
   return site.drushSsh;
 }
 
+/**
+ * Enforce an optional per-site command allowlist. When `drushSsh.allowedCommands`
+ * is present, only those Drush subcommands may run on that site — every other
+ * drupal_drush_* tool is blocked. Used to pin the dev site to config:export /
+ * config:status while keeping the bridge off prod/staging entirely.
+ * @param {object} sshCfg Resolved drushSsh config block.
+ * @param {string} subcommand The Drush subcommand (drushArgs[0]).
+ * @returns {void}
+ * @throws {SecurityError} if an allowlist is set and the subcommand is not on it.
+ */
+function assertCommandAllowed(sshCfg, subcommand) {
+  const allow = sshCfg.allowedCommands;
+  if (Array.isArray(allow) && !allow.includes(subcommand)) {
+    throw new SecurityError(
+      `Drush command "${subcommand}" is not permitted on this site. ` +
+      `Allowed: ${allow.join(", ")}.`
+    );
+  }
+}
+
 /**
  * Resolve and validate the SSH key path. Prevents path traversal.
  */
@@ -76,6 +96,7 @@ function resolveKeyPath(rawPath) {
  */
 function sshDrush(site, drushArgs, timeoutMs = 30000) {
   const sshCfg  = getDrushConfig(site);
+  assertCommandAllowed(sshCfg, drushArgs[0]);
   const keyPath = resolveKeyPath(sshCfg.keyPath);
 
   // Validate drupalRoot is an absolute path with no traversal

package/src/tools/reports.js

@@ -72,8 +72,12 @@ async function staleContent({ site: siteName, type, days = 180, status, limit =
   assertReadAllowed(sec, "node", type);
   const backend = await resolveBackend(site);
   const contentType = type || "article";
-  const cutoff = new Date(Date.now() - days * 86400000).toISOString();
-  const filters = [{ field: "changed", op: "lt", value: cutoff }];
+  // `changed` is an integer Unix timestamp (seconds). Filter with epoch seconds,
+  // not an ISO string — PostgreSQL rejects the string against an integer column.
+  const cutoffMs = Date.now() - days * 86400000;
+  const cutoffTs = Math.floor(cutoffMs / 1000);
+  const cutoff = new Date(cutoffMs).toISOString();
+  const filters = [{ field: "changed", op: "lt", value: cutoffTs }];
   if (status !== undefined) filters.push({ field: "status", op: "eq", value: status });
   const res = await backend.listEntities({
     entityType: "node", bundle: contentType,
@@ -346,6 +350,10 @@ async function userActivity({ site: siteName, inactiveDays = 90, limit = 50 }) {
     backend.countEntities({ entityType: "user", bundle: "user", filters: [{ field: "status", op: "eq", value: false }] }),
     backend.countEntities({ entityType: "user", bundle: "user", filters: [{ field: "status", op: "eq", value: true }, { field: "login", op: "eq", value: 0 }] }),
   ]);
+  // A count past the backend's safety ceiling comes back approximate; surface
+  // that so the summary totals aren't presented as exact (cf. contentSummary,
+  // taxonomyUsage).
+  const approximate = active.approximate || blocked.approximate || neverLoggedIn.approximate;
   let inactiveUsers = [];
   try {
     const res = await backend.listEntities({
@@ -369,6 +377,7 @@ async function userActivity({ site: siteName, inactiveDays = 90, limit = 50 }) {
     inactiveUsers = [];
   }
   return {
+    approximate,
     summary: {
       activeAccounts: active.count,
       blockedAccounts: blocked.count,