drupal-mcp-connector 0.6.1 → 0.7.1

package/CHANGELOG.md

@@ -7,6 +7,42 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.1] - 2026-06-08
+
+### Fixed
+- The connector now reports its real version — sourced from `package.json` at
+  runtime — in the MCP handshake, the `X-MCP-Client` identity header, and the
+  startup logs. A hardcoded version literal had drifted and under-reported it
+  (0.7.0 still announced itself as `0.6.0`).
+
+### Documentation
+- Corrected Node version references (18 → 20) in the README and getting-started
+  guide to match `engines.node >=20.0.0`, and updated the example startup banner
+  to the current version.
+- Rewrote CONTRIBUTING.md: prerequisites, full dev-script list, a tests section,
+  accurate PR/CI gates, and the PR-then-tag release flow for protected `master`.
+
+## [0.7.0] - 2026-06-08
+
+### Added
+- CI: lint/syntax/unit tests now run across a Node `20, 22` matrix so the
+  advertised `engines.node >=20` floor is actually exercised.
+- CI: `release.yml` publishes to npm on a `v*` tag via **trusted publishing**
+  (GitHub Actions OIDC — no token/secret), gated on a tag↔`package.json` version
+  match. Provenance is attached automatically. One-time trusted-publisher setup
+  on npmjs.com (see CONTRIBUTING.md → Releasing).
+
+### Removed
+- **BREAKING:** dropped support for Node 18 (`engines.node` is now `>=20.0.0`).
+  Node 18 reached end-of-life in April 2025, and the vitest 4 dev toolchain
+  requires Node >=20.
+
+### Changed
+- Dev dependency: bumped `vitest` `^2.1.0` → `^4.1.8`, resolving three Dependabot
+  alerts in the test toolchain (vitest UI file read/execute — critical; vite path
+  traversal and esbuild dev-server exposure — moderate). All are devDependencies
+  and do not ship to consumers.
+
 ## [0.6.1] - 2026-06-04
 
 First release published to npm.
@@ -87,6 +123,9 @@ The connector is now **dual-protocol**: every tool runs against an abstract back
 - User tools gained explicit PII-access assertions.
 - Whole tree lint-clean (`npm run lint`) with object-injection sinks rewritten to safe lookups.
 
+[0.7.1]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.7.1
+[0.7.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.7.0
+[0.6.1]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.6.1
 [0.6.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.6.0
 [0.5.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.5.0
 [0.4.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.4.0

package/README.md

@@ -3,11 +3,11 @@
 > A secure, multi-site Model Context Protocol (MCP) connector for Drupal — dual-protocol JSON:API and GraphQL access, governed content tools, audit reports, and an SSH Drush bridge.
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Node.js](https://img.shields.io/badge/node-%3E%3D18-green)](https://nodejs.org)
+[![Node.js](https://img.shields.io/badge/node-%3E%3D20-green)](https://nodejs.org)
 [![Drupal](https://img.shields.io/badge/drupal-10%20%7C%2011-blue)](https://drupal.org)
 [![MCP](https://img.shields.io/badge/MCP-2025--11--25-purple)](https://modelcontextprotocol.io)
 
-Created by **Jeremy Michael Cerda**. Built and maintained by [Wilkes & Liberty, LLC](https://github.com/Wilkes-Liberty).
+Built by **Jeremy Michael Cerda** (jmcerda@wilkesliberty.com). Maintained by [Wilkes & Liberty, LLC](https://github.com/Wilkes-Liberty).
 
 ---
 
@@ -98,7 +98,7 @@ Presets layer with entity allow/deny lists, per-bundle operation rules, and fiel
 
 ## Requirements
 
-- **Node.js** 18+
+- **Node.js** 20+
 - **Drupal** 10 or 11 (JSON:API ships in core)
 - For the **GraphQL backend**: [GraphQL Compose](https://www.drupal.org/project/graphql_compose)
 - For **token auth** (recommended): [Simple OAuth](https://www.drupal.org/project/simple_oauth)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "drupal-mcp-connector",
-  "version": "0.6.1",
+  "version": "0.7.1",
   "description": "A secure, multi-site Model Context Protocol (MCP) connector for Drupal — dual-protocol JSON:API and GraphQL.",
   "type": "module",
   "main": "src/index.js",
@@ -40,7 +40,7 @@
     "Wilkes & Liberty, LLC <opensource@wilkesliberty.com> (https://wilkesliberty.com)"
   ],
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "scripts": {
     "start":        "node src/index.js",
@@ -65,6 +65,6 @@
     "eslint-plugin-security": "^3.0.0",
     "eslint-plugin-n": "^17.0.0",
     "globals": "^15.0.0",
-    "vitest": "^2.1.0"
+    "vitest": "^4.1.8"
   }
 }

package/src/index.js

@@ -34,7 +34,7 @@ import { CallToolRequestSchema,
   ListPromptsRequestSchema,
   GetPromptRequestSchema }   from "@modelcontextprotocol/sdk/types.js";
 
-import { getSiteConfig, listSiteNames, getTlsConfig } from "./lib/config.js";
+import { getSiteConfig, listSiteNames, getTlsConfig, CLIENT_VERSION } from "./lib/config.js";
 import { makeBearerCheck } from "./lib/http-auth.js";
 import { resolveSecurityConfig, assertNotReadOnly,
   assertDestructiveAllowed, assertGraphqlMutationAllowed,
@@ -298,7 +298,7 @@ function getPromptMessages(name, args) {
 // ---------------------------------------------------------------------------
 
 const server = new Server(
-  { name: "drupal-mcp-connector", version: "0.6.0" },
+  { name: "drupal-mcp-connector", version: CLIENT_VERSION },
   { capabilities: { tools: {}, resources: {}, prompts: {} } }
 );
 
@@ -368,7 +368,7 @@ if (transport === "stdio") {
   const stdioTransport = new StdioServerTransport();
   await server.connect(stdioTransport);
   console.error(
-    "[drupal-mcp-connector v0.6.0] stdio transport active. " +
+    `[drupal-mcp-connector v${CLIENT_VERSION}] stdio transport active. ` +
     `${allDefinitions.length} tools · ${RESOURCES.length} resources · ${PROMPTS.length} prompts`
   );
 
@@ -488,7 +488,7 @@ if (transport === "stdio") {
   nodeServer.listen(port, bindHost, () => {
     const proto = hasTls ? "https" : "http";
     console.error(
-      `[drupal-mcp-connector v0.6.0] Listening on ${proto}://${bindHost}:${port}/mcp\n` +
+      `[drupal-mcp-connector v${CLIENT_VERSION}] Listening on ${proto}://${bindHost}:${port}/mcp\n` +
       `  ${allDefinitions.length} tools · ${RESOURCES.length} resources · ${PROMPTS.length} prompts`
     );
   });

package/src/lib/config.js

@@ -13,8 +13,11 @@ import { validateBaseUrl }               from "./validate.js";
 import { SecurityError }                 from "./security.js";
 import { getAccessToken }                from "./oauth.js";
 
-/** Connector version for the X-MCP-Client identity label. Keep in sync with package.json. */
-export const CLIENT_VERSION = "0.6.0";
+// eslint-disable-next-line security/detect-non-literal-fs-filename -- fixed path relative to this module (the package's own package.json), not user input
+const pkg = JSON.parse(readFileSync(new URL("../../package.json", import.meta.url), "utf8"));
+
+/** Connector version, sourced from package.json so it never drifts out of sync. */
+export const CLIENT_VERSION = pkg.version;
 
 /**
  * Identity headers sent on every outbound Drupal request. Lets governance layers