json-object-editor 0.10.501 → 0.10.504

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 ## CHANGELOG
 
+### 0.10.500
+	500 - MCP integration (initial)
+	- MCP core module with JSON-RPC 2.0 endpoint (/mcp) protected by auth
+	- Manifest available at /.well-known/mcp/manifest.json for tool discovery
+	- Tools: listSchemas, getSchema, getObject, getObjectsByIds, queryObjects, searchCache, saveObject
+	- Tools mapped to real JOE APIs (Schemas, Storage, Cache) with sensitive-field sanitization
+	- Read-path prefers Cache for speed; saveObject uses Storage.save (events/history/socket emit)
+	- Adopted module init pattern: MCP.init() attaches routes via init.js; removed direct Server.js wiring
+
+	502 - MCP refinements + tooling
+	- Unified search tool; deprecated older object/query tools in manifest
+	- getObject flattens by default; optional depth param
+	- New hydrate tool returns core fields (from server/fields/core.js), all schemas, statuses, and tags
+	- Test pages: mcp-test updated; mcp-export generates Actions/Assistants configs
+	- Server serves JOE _www as root fallback so test pages are easy to reach
+	- Assistants plugin: support {type:"mcp", url} in tools → imports MCP manifest; dev TLS bypass option; improved error logs
+
+	503 - Hydrate simplification & manifest instance info
+	- Hydrate takes no params; always returns core fields, schemas, statuses, tags
+	- Hydrate includes full core field definitions from server/fields/core.js (not just names)
+	- Manifest now includes { joe: { name, version, hostname } }; mcp-test shows this
+
+	504 - Secure test pages + shared nav
+	- Secured /mcp-test.html and /mcp-export.html with standard JOE auth (root and JOEPATH paths)
+	- Added shared top nav between MCP Test and MCP Export pages
+	- MCP Export shows instance info (name/version/host) from manifest
+ 	- Added privacy_policy_url and terms_of_service_url to manifest; added public /privacy and /terms pages
+	- New Setting: PRIVACY_CONTACT used for contact email on /privacy and /terms
+
 ### 0.10.500
 	500 - MCP integration (initial)
 	- MCP core module with JSON-RPC 2.0 endpoint (/mcp) protected by auth

package/_www/mcp-export.html

@@ -0,0 +1,229 @@
+<!doctype html>
+<html>
+<head>
+	<meta charset="utf-8">
+	<title>JOE MCP → Assistant Config Export</title>
+	<meta name="viewport" content="width=device-width, initial-scale=1">
+	<style>
+		body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif;margin:20px;}
+		label{display:block;margin:8px 0 4px}
+		input,button,textarea{font-size:14px}
+		input[type=text]{min-width:320px}
+		textarea{width:100%;height:200px;font-family:ui-monospace,Menlo,Consolas,monospace}
+		pre{background:#f6f8fa;border:1px solid #e1e4e8;padding:10px;overflow:auto}
+		.grid{display:grid;grid-template-columns:1fr;gap:18px}
+		.row{display:flex;gap:10px;align-items:center;flex-wrap:wrap}
+		.small{font-size:12px;color:#666}
+		.good{color:#0a7d00}.bad{color:#b00020}
+		code{background:#f6f8fa;padding:2px 4px;border-radius:3px}
+	</style>
+</head>
+<body>
+	<nav style="display:flex;gap:10px;align-items:center;margin-bottom:8px">
+		<a href="/mcp-test.html">MCP Test</a>
+		<a href="/mcp-export.html">MCP Export</a>
+		<span style="margin-left:auto"></span>
+		<a href="/privacy" target="privacy_win" rel="noopener">Privacy</a>
+		<a href="/terms" target="terms_win" rel="noopener">Terms</a>
+	</nav>
+	<h1>JOE MCP → Assistant Config Export</h1>
+	<div class="small">Generate copy/paste config for Custom GPT Actions (OpenAPI) and Assistants (tools array).</div>
+
+	<pre id="instanceInfo" class="small">Loading instance info…</pre>
+
+	<div class="grid">
+		<section>
+			<h3>1) Server</h3>
+			<div class="row">
+				<label for="base">Base URL</label>
+				<input id="base" type="text" placeholder="https://example.com" />
+			</div>
+			<div class="row">
+				<label for="manifestPath">Manifest path</label>
+				<input id="manifestPath" type="text" value="/.well-known/mcp/manifest.json" />
+			</div>
+			<div class="row">
+				<label for="auth">Authorization header (optional)</label>
+				<input id="auth" type="text" placeholder="Basic BASE64(user:pass)" />
+			</div>
+			<div class="row">
+				<button id="load">Load manifest</button>
+				<span id="status" class="small"></span>
+			</div>
+			<pre id="manifestOut" style="display:none"></pre>
+		</section>
+
+		<section>
+			<h3>2) Custom GPT Actions (OpenAPI 3.1)</h3>
+			<div class="small">Paste this schema into GPT Builder → Actions → Import from text.</div>
+			<textarea id="openapi" readonly></textarea>
+		</section>
+
+		<section>
+			<h3>3) Assistants API tools (functions array)</h3>
+			<div class="small">Use this tools JSON in code when creating/updating an Assistant.</div>
+			<textarea id="tools" readonly></textarea>
+		</section>
+
+		<section>
+			<h3>4) Starter Agent Instructions</h3>
+			<div class="small">Copy into your Custom GPT or Assistant system prompt. Keep it brief and expand as needed.</div>
+			<textarea id="starter" readonly></textarea>
+		</section>
+
+		<section>
+			<h3>5) JSON-RPC request template</h3>
+			<div class="small">When the Assistant calls a tool, POST this body to <code>/mcp</code>.</div>
+			<pre>{
+  "jsonrpc": "2.0",
+  "id": "<opaque-id>",
+  "method": "<toolName>",
+  "params": { /* per-tool params */ }
+}</pre>
+		</section>
+	</div>
+
+	<script>
+(function(){
+  const $ = (id)=>document.getElementById(id);
+  const base = $('base');
+  const manifestPath = $('manifestPath');
+  const auth = $('auth');
+  const loadBtn = $('load');
+  const status = $('status');
+  const openapiEl = $('openapi');
+  const toolsEl = $('tools');
+  const manifestOut = $('manifestOut');
+
+  base.value = base.value || (location.origin);
+
+  function setStatus(msg, ok){
+    status.textContent = msg||'';
+    status.className = 'small ' + (ok===true?'good': ok===false?'bad':'');
+  }
+
+  function buildAssistantsTools(manifest){
+    const tools = (manifest.tools||[]).map(t=>({
+      type: 'function',
+      function: {
+        name: t.name,
+        description: t.description||'',
+        parameters: t.params || { type:'object' }
+      }
+    }));
+    return tools;
+  }
+
+  function buildOpenAPI(manifest, serverUrl){
+    const methodEnum = (manifest.tools||[]).map(t=>t.name);
+    const oneOf = (manifest.tools||[]).map(t=>({
+      type:'object',
+      description: t.description || t.name,
+      required: [],
+      properties: t.params && t.params.properties ? t.params.properties : {},
+    }));
+
+    const schema = {
+      openapi: '3.1.0',
+      info: { title: 'JOE MCP Bridge — ' + ((manifest.joe&&manifest.joe.name)||'JOE'), version: '1.0.0' },
+      servers: [{ url: serverUrl.replace(/\/$/,'') }],
+      paths: {
+        '/mcp': {
+          post: {
+            operationId: 'mcpCall',
+            summary: 'Call a JOE MCP tool',
+            description: 'Use one of: ' + methodEnum.join(', '),
+            requestBody: {
+              required: true,
+              content: {
+                'application/json': {
+                  schema: {
+                    type: 'object',
+                    required: ['jsonrpc','id','method','params'],
+                    properties: {
+                      jsonrpc: { type:'string', const:'2.0' },
+                      id: { type:'string' },
+                      method: { type:'string', enum: methodEnum },
+                      params: { oneOf: oneOf.length? oneOf : [{ type:'object' }] }
+                    }
+                  }
+                }
+              }
+            },
+            responses: { '200': { description:'OK' } }
+          }
+        }
+      }
+    };
+    return schema;
+  }
+
+  async function fetchJSON(url){
+    const headers = {};
+    if(auth.value){ headers['Authorization'] = auth.value; }
+    const res = await fetch(url, { headers });
+    if(!res.ok){
+      throw new Error('HTTP '+res.status+' '+(await res.text()));
+    }
+    return res.json();
+  }
+
+  loadBtn.onclick = async function(){
+    try{
+      setStatus('Loading...', null);
+      openapiEl.value = '';
+      toolsEl.value = '';
+      manifestOut.style.display='none';
+
+      const url = base.value.replace(/\/$/,'') + manifestPath.value;
+      const manifest = await fetchJSON(url);
+      if (manifest.joe){
+        $('instanceInfo').textContent = `Name: ${manifest.joe.name}\nVersion: ${manifest.joe.version}\nHost: ${manifest.joe.hostname}`;
+      }
+      manifestOut.style.display='block';
+      manifestOut.textContent = JSON.stringify(manifest, null, 2);
+
+      const tools = buildAssistantsTools(manifest);
+      toolsEl.value = JSON.stringify(tools, null, 2);
+
+      const openapi = buildOpenAPI(manifest, base.value);
+      openapiEl.value = JSON.stringify(openapi, null, 2);
+
+      // Starter prompt
+      const joeName = (manifest.joe && manifest.joe.name) || 'JOE';
+      const starter = [
+        `You are a data assistant for ${joeName} (JOE). Use only the provided tools.`,
+        '',
+        'Workflow:',
+        '1) hydrate {} to see core field definitions, schemas, statuses, tags.',
+        '2) listSchemas {} and getSchema { "name": "<schema>" } for field shapes.',
+        '3) search { "query": { "itemtype": "<schema>" }, "limit": 10 } (cache).',
+        '   Use { "source": "storage" } when results must be authoritative.',
+        '4) getObject { "_id": "<id>", "schema": "<schema>" } for a single item.',
+        '5) saveObject only on explicit user request; reflect changes and confirm first.',
+        '',
+        'Defaults:',
+        '- search: cache by default; keep limits small (10–25).',
+        '- flatten is optional and off by default; enable only if you need expanded refs.',
+        '',
+        'Examples:',
+        '- listSchemas {}',
+        '- getSchema { "name": "client" }',
+        '- search { "schema": "client", "source": "storage", "query": { "status": "active" }, "limit": 10 }',
+        '- getObject { "_id": "123", "schema": "client" }'
+      ].join('\n');
+      $('starter').value = starter;
+
+      setStatus('Manifest loaded. Config generated.', true);
+    }catch(e){
+      setStatus(e.message||String(e), false);
+    }
+  };
+
+  // Auto-load
+  setTimeout(()=>loadBtn.click(), 50);
+})();
+	</script>
+</body>
+</html>
+

package/_www/mcp-test.html

@@ -17,8 +17,16 @@
 	</style>
 </head>
 <body>
-	<h1>JOE MCP Test</h1>
-	<div class="small">Use this page to discover tools and call the JSON-RPC endpoint.</div>
+    <nav style="display:flex;gap:10px;align-items:center;margin-bottom:8px">
+        <a href="/mcp-test.html">MCP Test</a>
+        <a href="/mcp-export.html">MCP Export</a>
+        <span style="margin-left:auto"></span>
+        <a href="/privacy" target="privacy_win" rel="noopener">Privacy</a>
+        <a href="/terms" target="terms_win" rel="noopener">Terms</a>
+    </nav>
+    <h1>JOE MCP Test</h1>
+    <div class="small">Use this page to discover tools and call the JSON-RPC endpoint.</div>
+    <pre id="instanceInfo" class="small">Loading instance info…</pre>
 	
 	<h3>Manifest</h3>
 	<div class="row">
@@ -82,7 +90,11 @@
 			try{
 				const url = base.value.replace(/\/$/,'') + '/.well-known/mcp/manifest.json';
 				manifest = await fetchJSON(url);
-				(manifest.tools||[]).forEach(t=>{
+                // Instance info
+                if (manifest.joe){
+                    $('instanceInfo').textContent = `Name: ${manifest.joe.name} | Version: ${manifest.joe.version} | Host: ${manifest.joe.hostname}`;
+                }
+                (manifest.tools||[]).forEach(t=>{
 					const opt=document.createElement('option');
 					opt.value=t.name; opt.textContent=t.name;
 					toolSel.appendChild(opt);
@@ -104,8 +116,13 @@
 			if(tool && tool.params){
 				params.value = JSON.stringify(Object.fromEntries(Object.keys(tool.params.properties||{}).map(k=>[k, null])), null, 2);
 			}
+			// Hydrate presets UI
+			if (name === 'hydrate') {
+				params.value = JSON.stringify({}, null, 2);
+			}
 		}
 		toolSel.onchange = renderToolInfo;
+
 		
 		callBtn.onclick = async function(){
 			setStatus(callStatus, 'Calling...', null);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "json-object-editor",
-  "version": "0.10.501",
+  "version": "0.10.504",
   "description": "JOE the Json Object Editor | Platform Edition",
   "main": "app.js",
   "scripts": {
@@ -38,14 +38,13 @@
     "craydent": "^0.8.9",
     "express": "^4.16.4",
     "googleapis": "^149.0.0",
-    "got": "^12.6.0",
     "jwt-decode": "^2.2.0",
     "mailgun": "^0.5.0",
     "mongojs": "^2.3.0",
     "mysql": "^2.16.0",
     "nodemailer": "^2.7.2",
     "nodemailer-ses-transport": "^1.4.0",
-    "openai": "^5.22.0",
+    "openai": "^5.23.2",
     "opener": "^1.4.3",
     "pem": "^1.13.2",
     "plaid": "^13.1.0",

package/readme.md

@@ -31,6 +31,8 @@ JOE is software that allows you to manage data models via JSON objects. There ar
 - Endpoints
   - Manifest (public): `GET /.well-known/mcp/manifest.json`
   - JSON-RPC (auth): `POST /mcp`
+  - Privacy (public): `/privacy` (uses Setting `PRIVACY_CONTACT` for contact email)
+  - Terms (public): `/terms`
 
 - Auth
   - If users exist, `POST /mcp` requires cookie or Basic Auth (same as other APIs). If no users configured, it is effectively open.
@@ -42,7 +44,7 @@ JOE is software that allows you to manage data models via JSON objects. There ar
 
 - Tools
   - `listSchemas(name?)`, `getSchema(name)`
-  - `getObject(_id, schema?)` (flattens by default; supports `depth` override)
+  - `getObject(_id, schema?)` (supports optional `flatten` and `depth`)
   - `search` (preferred): unified tool for cache and storage
     - Params: `{ schema?, query?, ids?, source?: 'cache'|'storage', limit?, flatten?, depth? }`
     - Defaults to cache across all collections; add `schema` to filter; set `source:"storage"` to query a specific schema in the DB.
@@ -117,6 +119,7 @@ JOE is software that allows you to manage data models via JSON objects. There ar
 
 - Troubleshooting
   - If you see a payload like `{ originalURL: "/...", site: "no site found" }`, the request hit the Sites catch-all. Ensure MCP routes are initialized before Sites (handled by default in `server/init.js` via `MCP.init()`), and use the correct URL: `/.well-known/mcp/manifest.json` or `/mcp`.
+  - To update contact email on /privacy and /terms, set Setting `PRIVACY_CONTACT`.
 
 ## SERVER/PLATFORM mode
 	check port 2099

package/server/modules/MCP.js

@@ -63,7 +63,7 @@ MCP.tools = {
   },
 
   // Convenience: fetch a single object by _id (schema optional). Prefer cache; fallback to storage.
-  getObject: async ({ _id, schema, flatten = true, depth = 1 }, _ctx) => {
+  getObject: async ({ _id, schema, flatten = false, depth = 1 }, _ctx) => {
     if (!_id) throw new Error("Missing required param '_id'");
     // Fast path via global lookup
     let obj = (JOE && JOE.Cache && JOE.Cache.findByID) ? (JOE.Cache.findByID(_id) || null) : null;
@@ -152,6 +152,27 @@ MCP.tools = {
       } catch (e) { reject(e); }
     });
     return sanitizeItems(saved)[0];
+  },
+
+  // Hydration: surface core fields (from file), all schemas, statuses, and tags (no params)
+  hydrate: async (_params, _ctx) => {
+    let coreDef = (JOE && JOE.Fields && JOE.Fields['core']) || null;
+    if (!coreDef) {
+      try { coreDef = require(__dirname + '/../fields/core.js'); } catch (_e) { coreDef = {}; }
+    }
+    const coreFields = Object.keys(coreDef || {}).map(name => ({
+      name,
+      definition: coreDef[name]
+    }));
+
+    const payload = {
+      coreFields,
+      schemas: Object.keys(Schemas?.schema || {})
+    };
+    payload.statuses = sanitizeItems(JOE.Data?.status || []);
+    payload.tags = sanitizeItems(JOE.Data?.tag || [])
+
+    return payload;
   }
 
   // 🔧 Add more tools here as needed
@@ -164,12 +185,13 @@ MCP.tools = {
 MCP.descriptions = {
   listSchemas: "List all available JOE schema names.",
   getSchema: "Retrieve a full schema definition by name.",
-  getObject: "Fetch a single object by _id (schema optional). Flattens by default.",
+  getObject: "Fetch a single object by _id (schema optional). Supports optional flatten.",
   // getObjectsByIds: "Deprecated - use 'search' with ids.",
   // queryObjects: "Deprecated - use 'search'.",
   // searchCache: "Deprecated - use 'search'.",
-  search: "Unified search. Defaults to cache; set source=storage to query DB.",
-  saveObject: "Create/update an object; triggers events/history."
+  search: "Unified search. Defaults to cache; set source=storage to query DB. Flatten is optional (false by default).",
+  saveObject: "Create/update an object; triggers events/history.",
+  hydrate: "Describe core fields, statuses, tags, and inferred field shapes for an optional schema."
 };
 
 MCP.params = {
@@ -213,7 +235,8 @@ MCP.params = {
       object: { type: "object" }
     },
     required: ["object"]
-  }
+  },
+  hydrate: { type: "object", properties: {} }
 };
 
 MCP.returns = {
@@ -232,7 +255,8 @@ MCP.returns = {
       items: { type: "array", items: { type: "object" } }
     }
   },
-  saveObject: { type: "object" }
+  saveObject: { type: "object" },
+  hydrate: { type: "object" }
 };
 
 // ----------------------
@@ -249,7 +273,15 @@ MCP.manifest = async function (req, res) {
       params: MCP.params[name],
       returns: MCP.returns[name]
     }));
-    return res.json({ version: "1.0", tools });
+    const joe = {
+      name: (JOE && JOE.webconfig && JOE.webconfig.name) || 'JOE',
+      version: (JOE && JOE.VERSION) || '',
+      hostname: (JOE && JOE.webconfig && JOE.webconfig.hostname) || ''
+    };
+    const base = req.protocol+':'+(req.get('host')||'');
+    const privacyUrl = base+'/'+'privacy';
+    const termsUrl = base+'/'+'terms';
+    return res.json({ version: "1.0", joe, privacy_policy_url: privacyUrl, terms_of_service_url: termsUrl, tools });
   } catch (e) {
     console.log('[MCP] manifest error:', e);
     return res.status(500).json({ error: e.message || 'manifest error' });

package/server/modules/Server.js

@@ -104,6 +104,61 @@ server.use(function(req, res, next) {
     res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
     next();
 });
+// Public Privacy & Terms pages
+server.get(['/privacy','/privacy-policy'],function(req,res){
+    const host = req.protocol+'://'+req.get('host');
+    const name = (JOE && JOE.webconfig && JOE.webconfig.name) || 'JOE';
+    const updated = new Date().toISOString().split('T')[0];
+    const contact = (JOE && JOE.Utils && JOE.Utils.Settings && JOE.Utils.Settings('PRIVACY_CONTACT')) || 'admin@example.com';
+    res.send(`
+<!doctype html>
+<html><head><meta charset="utf-8"><title>Privacy Policy - ${name}</title></head>
+<body style="font-family:system-ui,Segoe UI,Roboto,Arial,sans-serif;padding:20px;max-width:900px;line-height:1.6">
+  <h1>Privacy Policy for JOE MCP Interface</h1>
+  <p><em>Last updated: ${updated}</em></p>
+  <h3>Data Processed</h3>
+  <p>The JOE MCP interface allows AI systems to retrieve structured data from the JOE platform, such as schemas, objects, and metadata. It does not store, sell, or share personal data.</p>
+  <h3>Data Sources</h3>
+  <p>All information returned by this interface comes from the JOE instance it’s connected to (${host}). Access to internal data is subject to your JOE configuration and authentication.</p>
+  <h3>Third-Party Access</h3>
+  <p>This API may be called by authorized OpenAI models or assistants when configured by a verified user. Calls are only executed when explicitly invoked as part of an agent’s reasoning process.</p>
+  <h3>Logging</h3>
+  <p>Standard request logs (timestamps, method calls, and errors) may be recorded for security and debugging. Logs do not include object contents or personal data.</p>
+  <h3>Security</h3>
+  <p>All connections are made over HTTPS. No credentials or session tokens are shared with external systems.</p>
+  <h3>Contact</h3>
+  <p>For privacy concerns, contact ${contact}.</p>
+</body></html>`);
+});
+server.get(['/terms','/terms-of-service'],function(req,res){
+    const host = req.protocol+'://'+req.get('host');
+    const name = (JOE && JOE.webconfig && JOE.webconfig.name) || 'JOE';
+    const updated = new Date().toISOString().split('T')[0];
+    const contact = (JOE && JOE.Utils && JOE.Utils.Settings && JOE.Utils.Settings('PRIVACY_CONTACT')) || 'admin@example.com';
+    res.send(`
+<!doctype html>
+<html><head><meta charset="utf-8"><title>Terms of Service - ${name}</title></head>
+<body style="font-family:system-ui,Segoe UI,Roboto,Arial,sans-serif;padding:20px;max-width:900px;line-height:1.6">
+  <h1>Terms of Service for JOE MCP Interface</h1>
+  <p><em>Last updated: ${updated}</em></p>
+  <p>Use of this interface implies consent to log and process structured data requests for schema and object retrieval purposes. Access is governed by your JOE configuration and authentication. Do not submit sensitive data unless you are authorized to do so.</p>
+  <p>For questions, contact ${contact}.</p>
+</body></html>`);
+});
+// Secure MCP test/export pages with standard auth (root and JOEPATH paths)
+server.get('/mcp-test.html',auth,function(req,res){
+    res.sendFile(path.join(JOE.joedir,'_www','mcp-test.html'));
+});
+server.get('/mcp-export.html',auth,function(req,res){
+    res.sendFile(path.join(JOE.joedir,'_www','mcp-export.html'));
+});
+server.get(JOE.webconfig.joepath+'_www/mcp-test.html',auth,function(req,res){
+    res.sendFile(path.join(JOE.joedir,'_www','mcp-test.html'));
+});
+server.get(JOE.webconfig.joepath+'_www/mcp-export.html',auth,function(req,res){
+    res.sendFile(path.join(JOE.joedir,'_www','mcp-export.html'));
+});
+
 server.use(JOE.webconfig.joepath,express.static(JOE.joedir));
 
 //USER