drupal-mcp-connector 1.1.1 → 1.3.0

package/CHANGELOG.md

@@ -7,6 +7,50 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.3.0] - 2026-06-27
+
+### Fixed
+- `drupal_mcp_whoami` no longer over-reports configuration capabilities. Capabilities are
+  now the intersection of the connector security preset **and** the token's effective OAuth
+  scopes: `configRead` / `configWrite` require the dedicated `mcp_config` scope (config-editor
+  / Developer tier), and `write` / `delete` require `mcp_write`. Previously a content-tier
+  token (`mcp_read` / `mcp_write`) was reported with `configRead: true` even though the server
+  denies every `config_*` tool without `mcp_config`. When a site declares no OAuth scopes,
+  behaviour is unchanged (preset-only).
+
+### Changed
+- The config tools (`config_get` / `config_list` / `config_set`) now check for the
+  `mcp_config` scope up front (when OAuth scopes are configured) and fail fast with a clear
+  message instead of dispatching a call the governed server will deny — keeping connector
+  behaviour consistent with `drupal_mcp_whoami`. Aligns with mcp_sentinel isolating the config
+  tools under the dedicated `mcp_config` scope.
+
+## [1.2.0] - 2026-06-27
+
+### Changed
+- Widened the content/developer security presets so the connector supports full content
+  building and management. `content-editor` and `write-plane` now allow `paragraph`,
+  `block_content`, `menu_link_content`, `redirect`, `path_alias`, and `file` in addition
+  to `node`/`taxonomy_term`/`media`. `config-editor` (developer tier) additionally allows
+  the site-building config entities (`node_type`, `paragraphs_type`, `block_content_type`,
+  `media_type`, `field_config`, `field_storage_config`, `entity_form_display`,
+  `entity_view_display`, `taxonomy_vocabulary`) for read/introspection — content-model
+  changes go through the governed config bridge / `drush config:import`, not JSON:API
+  entity create.
+- Corrected the server-tool bridge tool names: `mcp_server_tool_bridge` exposes Tool-API
+  tools as `tool_api.<id>`, so the governed config tools are
+  `tool_api.mcp_sentinel_config_get` / `_list` / `_set` (previously documented as bare
+  `config_get` / `_list` / `_set`, which never resolved). Updated `SERVER_TOOLS` and
+  `docs/integration-contract.md` accordingly. These tools must be registered as enabled
+  `mcp_tool_config` entities on the Drupal site; they are not exposed by default.
+
+### Security
+- Deny-hardened the content/developer presets: `oauth2_token`, `key`, `consumer`,
+  `encryption_profile`, `mcp_tool_config`, and `mcp_policy_profile` are now in
+  `deniedEntityTypes` alongside `user`, so secrets, the agent's own governance config,
+  and account data stay blocked even if an allowlist is later widened. PII-bearing
+  `webform_submission` and `profile` are intentionally left off the allowlists.
+
 ## [1.1.1] - 2026-06-26
 
 ### Fixed

package/config/config.example.json

@@ -100,11 +100,11 @@
 
   "_security_presets": {
     "development":       "All operations allowed, incl. config read/write. Local dev / break-glass only.",
-    "content-editor":    "Create/edit nodes+media+terms. No deletes. No user entity access. Config read-only.",
-    "config-editor":     "content-editor + governed config read/write (Developer tier).",
+    "content-editor":    "Create/edit the full content set (node, media, taxonomy_term, paragraph, block_content, menu_link_content, redirect, path_alias, file). No deletes. Config read-only. Denies user + secrets/governance types.",
+    "config-editor":     "content-editor + site-building config entities (read/introspection) + governed config read/write (Developer tier). Model changes go via the config bridge, not JSON:API.",
     "auditor":           "Read-only. All entity types. User PII fields redacted. Config read-only.",
     "production-strict": "Read-only. No user entities. Broad PII redaction. No config access.",
-    "write-plane":       "Governed writes (no delete/mutations) on node, taxonomy_term, media. No user. Redacts pass/mail. Config read-only."
+    "write-plane":       "Governed writes (no delete/mutations) on the content set (node, taxonomy_term, media + structural content entities). Denies user + secrets/governance types. Redacts pass/mail. Config read-only."
   },
 
   "_server_tools": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "drupal-mcp-connector",
-  "version": "1.1.1",
+  "version": "1.3.0",
   "description": "A secure, multi-site Model Context Protocol (MCP) connector for Drupal — dual-protocol JSON:API and GraphQL.",
   "type": "module",
   "main": "src/index.js",

package/src/lib/security.js

@@ -13,11 +13,17 @@ import { parse } from "graphql";
  * ─── Quick presets ────────────────────────────────────────────────────────
  *
  *   "preset": "development"        Everything allowed. Default if no security key.
- *   "preset": "content-editor"     Create/edit nodes+media. No user mgmt, no deletes. Config read-only.
- *   "preset": "config-editor"      content-editor + governed config read/write (Developer tier).
+ *   "preset": "content-editor"     Create/edit content (nodes, media, terms, paragraphs, blocks,
+ *                                  menu links, redirects, aliases, files). No deletes. Config read-only.
+ *   "preset": "config-editor"      content-editor + site-building config READ + governed config
+ *                                  read/write (Developer tier). Model changes go via the config bridge.
  *   "preset": "auditor"            Read-only. All entity types. User fields redacted.
  *   "preset": "production-strict"  Read-only. Explicit allowlist required. Redacts PII.
- *   "preset": "write-plane"        Governed writes (no delete/mutations) on node, term, media.
+ *   "preset": "write-plane"        Governed writes (no delete/mutations) on the content set
+ *                                  (node, term, media + structural content entities).
+ *
+ * Secrets, the agent's own governance config, and account data (see SENSITIVE_DENY)
+ * are always denied on the content/developer tiers, regardless of the allowlist.
  *
  * Presets can be overridden by adding explicit keys alongside them.
  *
@@ -51,6 +57,57 @@ import { parse } from "graphql";
  *  The connector never writes these fields either when redaction is active.
  */
 
+// ---------------------------------------------------------------------------
+// Shared entity-type groups
+// ---------------------------------------------------------------------------
+//
+// The connector allowlist is deliberately safe-by-default: the Drupal site
+// exposes secret-, governance-, and PII-bearing entity types over JSON:API
+// (oauth2_token, key, consumer, mcp_tool_config, profile, webform_submission,
+// …), so anything not explicitly listed stays denied. Widen these groups to
+// grant capability; never flip a content/developer tier to allowedEntityTypes:
+// null.
+
+// Content (fieldable) entities used to build and manage page content. All are
+// JSON:API-writable, so the standard entity tools create/update them directly.
+const CONTENT_STRUCTURAL = [
+  "paragraph",
+  "block_content",
+  "menu_link_content",
+  "redirect",
+  "path_alias",
+  "file",
+];
+
+// Content-model *config* entities. Allowlisted for READ / introspection only —
+// they are config entities, so building/changing them goes through the governed
+// config bridge (config_set → mcp_sentinel) or `drush config:import`, NOT
+// drupal_entity_create. Granted to the developer tier only.
+const SITE_BUILDER_CONFIG = [
+  "node_type",
+  "paragraphs_type",
+  "block_content_type",
+  "media_type",
+  "field_config",
+  "field_storage_config",
+  "entity_form_display",
+  "entity_view_display",
+  "taxonomy_vocabulary",
+];
+
+// Always-blocked: secrets, the agent's own governance config, and account data.
+// Belt-and-suspenders denylist — these stay blocked even if a future change
+// widens an allowlist. (deniedEntityTypes takes priority over allowedEntityTypes.)
+const SENSITIVE_DENY = [
+  "user",
+  "oauth2_token",
+  "key",
+  "consumer",
+  "encryption_profile",
+  "mcp_tool_config",
+  "mcp_policy_profile",
+];
+
 // ---------------------------------------------------------------------------
 // Preset definitions
 // ---------------------------------------------------------------------------
@@ -74,8 +131,10 @@ const PRESETS = {
     allowGraphqlMutations: false,
     allowConfigRead: true,            // config read-only
     allowConfigWrite: false,
-    allowedEntityTypes: ["node", "media", "file", "taxonomy_term", "menu_link_content"],
-    deniedEntityTypes: ["user"],
+    // Full content building: base content types + structural content entities
+    // (paragraphs, custom blocks, menu links, redirects, aliases, files).
+    allowedEntityTypes: ["node", "media", "taxonomy_term", ...CONTENT_STRUCTURAL],
+    deniedEntityTypes: [...SENSITIVE_DENY],
     entityRules: {
       node:          { allowedOperations: ["read", "create", "update"] },
       media:         { allowedOperations: ["read", "create", "update"] },
@@ -93,8 +152,11 @@ const PRESETS = {
     allowGraphqlMutations: false,
     allowConfigRead: true,
     allowConfigWrite: true,           // governed config writes via drupal_config_set
-    allowedEntityTypes: ["node", "media", "file", "taxonomy_term", "menu_link_content"],
-    deniedEntityTypes: ["user"],
+    // content-editor's content set PLUS site-building config entities, the
+    // latter for READ / introspection only — model changes go through the
+    // governed config bridge (drupal_config_set) / drush config:import.
+    allowedEntityTypes: ["node", "media", "taxonomy_term", ...CONTENT_STRUCTURAL, ...SITE_BUILDER_CONFIG],
+    deniedEntityTypes: [...SENSITIVE_DENY],
     entityRules: {
       node:          { allowedOperations: ["read", "create", "update"] },
       media:         { allowedOperations: ["read", "create", "update"] },
@@ -141,8 +203,10 @@ const PRESETS = {
     allowGraphqlMutations: false,     // writes go through the JSON:API plane
     allowConfigRead: true,            // config read-only
     allowConfigWrite: false,
-    allowedEntityTypes: ["node", "taxonomy_term", "media"],
-    deniedEntityTypes: ["user"],
+    // Full content building on the content tier: base content + structural
+    // content entities. No site-building config entities (developer tier only).
+    allowedEntityTypes: ["node", "taxonomy_term", "media", ...CONTENT_STRUCTURAL],
+    deniedEntityTypes: [...SENSITIVE_DENY],
     entityRules: {},
     globalRedactedFields: ["pass", "mail"],
   },
@@ -259,6 +323,41 @@ export function assertConfigWriteAllowed(secConfig) {
   }
 }
 
+/**
+ * Whether the site's OAuth token carries a given scope. When the site declares
+ * no OAuth scopes (no agent channel configured), scope gating is a no-op and
+ * this returns true so preset-only (non-OAuth) setups are unaffected.
+ * @param {object} site Resolved site config.
+ * @param {string} scope OAuth scope machine id (e.g. "mcp_config").
+ * @returns {boolean} True if the scope is present, or no scopes are configured.
+ */
+export function hasScope(site, scope) {
+  const scopes = site?.oauth?.scopes ?? [];
+  return scopes.length === 0 || scopes.includes(scope);
+}
+
+/**
+ * Gate the config tools (get/list/set) on the dedicated `mcp_config` OAuth
+ * scope, which the governed server requires for every config_* tool. When OAuth
+ * scopes are configured but `mcp_config` is absent, fail fast with a clear
+ * message instead of dispatching a call the server will deny — keeping the
+ * connector's behaviour and its drupal_mcp_whoami report consistent with what
+ * the token can actually exercise.
+ * @param {object} site Resolved site config.
+ * @param {string} operationLabel Label used in the error message.
+ * @returns {void}
+ * @throws {SecurityError} if scopes are configured and `mcp_config` is missing.
+ */
+export function assertConfigScope(site, operationLabel) {
+  if (!hasScope(site, "mcp_config")) {
+    throw new SecurityError(
+      "Config tools require the 'mcp_config' OAuth scope (config-editor / " +
+      "Developer tier); this token does not carry it. " +
+      `Operation blocked: ${operationLabel}.`
+    );
+  }
+}
+
 /**
  * @param {object} secConfig Resolved security config.
  * @param {string} entityType Entity type targeted by the delete.

package/src/lib/server-tools.js

@@ -25,12 +25,17 @@ import { clearToken } from "./oauth.js";
 
 /**
  * Canonical server-side tool names for governed config operations.
- * Keep the mapping here so a server-side rename is a one-line change.
+ *
+ * Drupal's mcp_server_tool_bridge exposes every Tool-API tool through the MCP
+ * protocol under the derivative name `tool_api.<mcp_tool_config id>`, so the
+ * governed config tools registered against mcp_sentinel's McpConfigGet/List/Set
+ * plugins surface as `tool_api.mcp_sentinel_config_*`. Keep the mapping here so
+ * a server-side rename is a one-line change.
  */
 export const SERVER_TOOLS = {
-  configGet:  "config_get",
-  configList: "config_list",
-  configSet:  "config_set",
+  configGet:  "tool_api.mcp_sentinel_config_get",
+  configList: "tool_api.mcp_sentinel_config_list",
+  configSet:  "tool_api.mcp_sentinel_config_set",
 };
 
 // Monotonic JSON-RPC request id. A simple counter keeps ids unique per process

package/src/tools/config.js

@@ -18,6 +18,8 @@ import {
   assertNotReadOnly,
   assertConfigReadAllowed,
   assertConfigWriteAllowed,
+  assertConfigScope,
+  hasScope,
 } from "../lib/security.js";
 import { callServerTool, SERVER_TOOLS } from "../lib/server-tools.js";
 
@@ -33,6 +35,7 @@ import { callServerTool, SERVER_TOOLS } from "../lib/server-tools.js";
  */
 async function configGet({ site: siteName, name }) {
   const site = getSiteConfig(siteName);
+  assertConfigScope(site, `config:get ${name}`);
   assertConfigReadAllowed(resolveSecurityConfig(site));
   return callServerTool(site, SERVER_TOOLS.configGet, { name });
 }
@@ -45,6 +48,7 @@ async function configGet({ site: siteName, name }) {
  */
 async function configList({ site: siteName, prefix }) {
   const site = getSiteConfig(siteName);
+  assertConfigScope(site, "config:list");
   assertConfigReadAllowed(resolveSecurityConfig(site));
   const args = prefix ? { prefix } : {};
   return callServerTool(site, SERVER_TOOLS.configList, args);
@@ -60,6 +64,7 @@ async function configList({ site: siteName, prefix }) {
 async function configSet({ site: siteName, name, value }) {
   const site = getSiteConfig(siteName);
   const sec = resolveSecurityConfig(site);
+  assertConfigScope(site, `config:set ${name}`);
   assertNotReadOnly(sec, `config:set ${name}`);
   assertConfigWriteAllowed(sec);
   return callServerTool(site, SERVER_TOOLS.configSet, { name, value });
@@ -100,6 +105,13 @@ async function whoami({ site: siteName }) {
   const site = getSiteConfig(siteName);
   const sec = resolveSecurityConfig(site);
   const summary = getSecuritySummary(site);
+  // Effective capability = connector preset AND the scope the server demands.
+  // Reporting the preset alone over-states what the token can do — e.g. the
+  // content-editor preset allows config reads locally, but every config_* tool
+  // is gated server-side on mcp_config, which the content tier does not hold.
+  // When no OAuth scopes are configured, hasScope() is a no-op (preset-only).
+  const canWrite  = !sec.readOnly && hasScope(site, "mcp_write");
+  const canConfig = hasScope(site, "mcp_config");
   return {
     site: site._name,
     tier: inferTier(site, sec),
@@ -108,11 +120,11 @@ async function whoami({ site: siteName }) {
     api: site.api ?? "auto",
     serverToolsConfigured: Boolean(site.serverTools?.url),
     capabilities: {
-      read:        true,
-      write:       !sec.readOnly,
-      delete:      sec.allowDestructive && !sec.readOnly,
-      configRead:  sec.allowConfigRead,
-      configWrite: sec.allowConfigWrite && !sec.readOnly,
+      read:        hasScope(site, "mcp_read"),
+      write:       canWrite,
+      delete:      sec.allowDestructive && canWrite,
+      configRead:  sec.allowConfigRead  && canConfig,
+      configWrite: sec.allowConfigWrite && !sec.readOnly && canConfig,
       // Publishing is always gated server-side (editorial workflow); the agent
       // never holds the publish transition. Surfaced here so it is explicit.
       publish:     false,