npm - drupal-mcp-connector - Versions diffs - 1.1.1 → 1.2.0 - Mend

drupal-mcp-connector 1.1.1 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md +26 -0
package/config/config.example.json +3 -3
package/package.json +1 -1
package/src/lib/security.js +73 -9
package/src/lib/server-tools.js +9 -4

package/CHANGELOG.md CHANGED Viewed

@@ -7,6 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [1.2.0] - 2026-06-27
+### Changed
+- Widened the content/developer security presets so the connector supports full content
+  building and management. `content-editor` and `write-plane` now allow `paragraph`,
+  `block_content`, `menu_link_content`, `redirect`, `path_alias`, and `file` in addition
+  to `node`/`taxonomy_term`/`media`. `config-editor` (developer tier) additionally allows
+  the site-building config entities (`node_type`, `paragraphs_type`, `block_content_type`,
+  `media_type`, `field_config`, `field_storage_config`, `entity_form_display`,
+  `entity_view_display`, `taxonomy_vocabulary`) for read/introspection — content-model
+  changes go through the governed config bridge / `drush config:import`, not JSON:API
+  entity create.
+- Corrected the server-tool bridge tool names: `mcp_server_tool_bridge` exposes Tool-API
+  tools as `tool_api.<id>`, so the governed config tools are
+  `tool_api.mcp_sentinel_config_get` / `_list` / `_set` (previously documented as bare
+  `config_get` / `_list` / `_set`, which never resolved). Updated `SERVER_TOOLS` and
+  `docs/integration-contract.md` accordingly. These tools must be registered as enabled
+  `mcp_tool_config` entities on the Drupal site; they are not exposed by default.
+### Security
+- Deny-hardened the content/developer presets: `oauth2_token`, `key`, `consumer`,
+  `encryption_profile`, `mcp_tool_config`, and `mcp_policy_profile` are now in
+  `deniedEntityTypes` alongside `user`, so secrets, the agent's own governance config,
+  and account data stay blocked even if an allowlist is later widened. PII-bearing
+  `webform_submission` and `profile` are intentionally left off the allowlists.
 ## [1.1.1] - 2026-06-26
 ### Fixed

package/config/config.example.json CHANGED Viewed

@@ -100,11 +100,11 @@
   "_security_presets": {
     "development":       "All operations allowed, incl. config read/write. Local dev / break-glass only.",
-    "content-editor":    "Create/edit nodes+media+terms. No deletes. No user entity access. Config read-only.",
-    "config-editor":     "content-editor + governed config read/write (Developer tier).",
+    "content-editor":    "Create/edit the full content set (node, media, taxonomy_term, paragraph, block_content, menu_link_content, redirect, path_alias, file). No deletes. Config read-only. Denies user + secrets/governance types.",
+    "config-editor":     "content-editor + site-building config entities (read/introspection) + governed config read/write (Developer tier). Model changes go via the config bridge, not JSON:API.",
     "auditor":           "Read-only. All entity types. User PII fields redacted. Config read-only.",
     "production-strict": "Read-only. No user entities. Broad PII redaction. No config access.",
-    "write-plane":       "Governed writes (no delete/mutations) on node, taxonomy_term, media. No user. Redacts pass/mail. Config read-only."
+    "write-plane":       "Governed writes (no delete/mutations) on the content set (node, taxonomy_term, media + structural content entities). Denies user + secrets/governance types. Redacts pass/mail. Config read-only."
   },
   "_server_tools": {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "drupal-mcp-connector",
-  "version": "1.1.1",
+  "version": "1.2.0",
   "description": "A secure, multi-site Model Context Protocol (MCP) connector for Drupal — dual-protocol JSON:API and GraphQL.",
   "type": "module",
   "main": "src/index.js",

package/src/lib/security.js CHANGED Viewed

@@ -13,11 +13,17 @@ import { parse } from "graphql";
  * ─── Quick presets ────────────────────────────────────────────────────────
  *
  *   "preset": "development"        Everything allowed. Default if no security key.
- *   "preset": "content-editor"     Create/edit nodes+media. No user mgmt, no deletes. Config read-only.
- *   "preset": "config-editor"      content-editor + governed config read/write (Developer tier).
+ *   "preset": "content-editor"     Create/edit content (nodes, media, terms, paragraphs, blocks,
+ *                                  menu links, redirects, aliases, files). No deletes. Config read-only.
+ *   "preset": "config-editor"      content-editor + site-building config READ + governed config
+ *                                  read/write (Developer tier). Model changes go via the config bridge.
  *   "preset": "auditor"            Read-only. All entity types. User fields redacted.
  *   "preset": "production-strict"  Read-only. Explicit allowlist required. Redacts PII.
- *   "preset": "write-plane"        Governed writes (no delete/mutations) on node, term, media.
+ *   "preset": "write-plane"        Governed writes (no delete/mutations) on the content set
+ *                                  (node, term, media + structural content entities).
+ *
+ * Secrets, the agent's own governance config, and account data (see SENSITIVE_DENY)
+ * are always denied on the content/developer tiers, regardless of the allowlist.
  *
  * Presets can be overridden by adding explicit keys alongside them.
  *
@@ -51,6 +57,57 @@ import { parse } from "graphql";
  *  The connector never writes these fields either when redaction is active.
  */
+// ---------------------------------------------------------------------------
+// Shared entity-type groups
+// ---------------------------------------------------------------------------
+//
+// The connector allowlist is deliberately safe-by-default: the Drupal site
+// exposes secret-, governance-, and PII-bearing entity types over JSON:API
+// (oauth2_token, key, consumer, mcp_tool_config, profile, webform_submission,
+// …), so anything not explicitly listed stays denied. Widen these groups to
+// grant capability; never flip a content/developer tier to allowedEntityTypes:
+// null.
+// Content (fieldable) entities used to build and manage page content. All are
+// JSON:API-writable, so the standard entity tools create/update them directly.
+const CONTENT_STRUCTURAL = [
+  "paragraph",
+  "block_content",
+  "menu_link_content",
+  "redirect",
+  "path_alias",
+  "file",
+];
+// Content-model *config* entities. Allowlisted for READ / introspection only —
+// they are config entities, so building/changing them goes through the governed
+// config bridge (config_set → mcp_sentinel) or `drush config:import`, NOT
+// drupal_entity_create. Granted to the developer tier only.
+const SITE_BUILDER_CONFIG = [
+  "node_type",
+  "paragraphs_type",
+  "block_content_type",
+  "media_type",
+  "field_config",
+  "field_storage_config",
+  "entity_form_display",
+  "entity_view_display",
+  "taxonomy_vocabulary",
+];
+// Always-blocked: secrets, the agent's own governance config, and account data.
+// Belt-and-suspenders denylist — these stay blocked even if a future change
+// widens an allowlist. (deniedEntityTypes takes priority over allowedEntityTypes.)
+const SENSITIVE_DENY = [
+  "user",
+  "oauth2_token",
+  "key",
+  "consumer",
+  "encryption_profile",
+  "mcp_tool_config",
+  "mcp_policy_profile",
+];
 // ---------------------------------------------------------------------------
 // Preset definitions
 // ---------------------------------------------------------------------------
@@ -74,8 +131,10 @@ const PRESETS = {
     allowGraphqlMutations: false,
     allowConfigRead: true,            // config read-only
     allowConfigWrite: false,
-    allowedEntityTypes: ["node", "media", "file", "taxonomy_term", "menu_link_content"],
-    deniedEntityTypes: ["user"],
+    // Full content building: base content types + structural content entities
+    // (paragraphs, custom blocks, menu links, redirects, aliases, files).
+    allowedEntityTypes: ["node", "media", "taxonomy_term", ...CONTENT_STRUCTURAL],
+    deniedEntityTypes: [...SENSITIVE_DENY],
     entityRules: {
       node:          { allowedOperations: ["read", "create", "update"] },
       media:         { allowedOperations: ["read", "create", "update"] },
@@ -93,8 +152,11 @@ const PRESETS = {
     allowGraphqlMutations: false,
     allowConfigRead: true,
     allowConfigWrite: true,           // governed config writes via drupal_config_set
-    allowedEntityTypes: ["node", "media", "file", "taxonomy_term", "menu_link_content"],
-    deniedEntityTypes: ["user"],
+    // content-editor's content set PLUS site-building config entities, the
+    // latter for READ / introspection only — model changes go through the
+    // governed config bridge (drupal_config_set) / drush config:import.
+    allowedEntityTypes: ["node", "media", "taxonomy_term", ...CONTENT_STRUCTURAL, ...SITE_BUILDER_CONFIG],
+    deniedEntityTypes: [...SENSITIVE_DENY],
     entityRules: {
       node:          { allowedOperations: ["read", "create", "update"] },
       media:         { allowedOperations: ["read", "create", "update"] },
@@ -141,8 +203,10 @@ const PRESETS = {
     allowGraphqlMutations: false,     // writes go through the JSON:API plane
     allowConfigRead: true,            // config read-only
     allowConfigWrite: false,
-    allowedEntityTypes: ["node", "taxonomy_term", "media"],
-    deniedEntityTypes: ["user"],
+    // Full content building on the content tier: base content + structural
+    // content entities. No site-building config entities (developer tier only).
+    allowedEntityTypes: ["node", "taxonomy_term", "media", ...CONTENT_STRUCTURAL],
+    deniedEntityTypes: [...SENSITIVE_DENY],
     entityRules: {},
     globalRedactedFields: ["pass", "mail"],
   },

package/src/lib/server-tools.js CHANGED Viewed

@@ -25,12 +25,17 @@ import { clearToken } from "./oauth.js";
 /**
  * Canonical server-side tool names for governed config operations.
- * Keep the mapping here so a server-side rename is a one-line change.
+ *
+ * Drupal's mcp_server_tool_bridge exposes every Tool-API tool through the MCP
+ * protocol under the derivative name `tool_api.<mcp_tool_config id>`, so the
+ * governed config tools registered against mcp_sentinel's McpConfigGet/List/Set
+ * plugins surface as `tool_api.mcp_sentinel_config_*`. Keep the mapping here so
+ * a server-side rename is a one-line change.
  */
 export const SERVER_TOOLS = {
-  configGet:  "config_get",
-  configList: "config_list",
-  configSet:  "config_set",
+  configGet:  "tool_api.mcp_sentinel_config_get",
+  configList: "tool_api.mcp_sentinel_config_list",
+  configSet:  "tool_api.mcp_sentinel_config_set",
 };
 // Monotonic JSON-RPC request id. A simple counter keeps ids unique per process