json-object-editor 0.10.503 → 0.10.505

package/CHANGELOG.md

@@ -22,6 +22,18 @@
 	- Hydrate includes full core field definitions from server/fields/core.js (not just names)
 	- Manifest now includes { joe: { name, version, hostname } }; mcp-test shows this
 
+	504 - Secure test pages + shared nav
+	- Secured /mcp-test.html and /mcp-export.html with standard JOE auth (root and JOEPATH paths)
+	- Added shared top nav between MCP Test and MCP Export pages
+	- MCP Export shows instance info (name/version/host) from manifest
+ 	- Added privacy_policy_url and terms_of_service_url to manifest; added public /privacy and /terms pages
+	- New Setting: PRIVACY_CONTACT used for contact email on /privacy and /terms
+
+	505 - Prompt page and shared nav consolidation
+	- Added /mcp-prompt.html (concise starter instructions for Custom GPT/Assistants)
+	- Extracted shared nav to /JsonObjectEditor/_www/mcp-nav.js and used across Test/Export/Privacy/Terms
+	- Nav now shows instance name/version/host and links to Privacy/Terms (named windows)
+
 ### 0.10.500
 	500 - MCP integration (initial)
 	- MCP core module with JSON-RPC 2.0 endpoint (/mcp) protected by auth

package/_www/mcp-export.html

@@ -19,8 +19,10 @@
 	</style>
 </head>
 <body>
+    <div id="mcp-nav"></div>
+    <script src="/JsonObjectEditor/_www/mcp-nav.js"></script>
 	<h1>JOE MCP → Assistant Config Export</h1>
-	<div class="small">Generate copy/paste config for Custom GPT Actions (OpenAPI) and Assistants (tools array).</div>
+    <div class="small">Generate copy/paste config for Custom GPT Actions (OpenAPI) and Assistants (tools array).</div>
 
 	<div class="grid">
 		<section>
@@ -57,7 +59,13 @@
 		</section>
 
 		<section>
-			<h3>4) JSON-RPC request template</h3>
+			<h3>4) Starter Agent Instructions</h3>
+			<div class="small">Copy into your Custom GPT or Assistant system prompt. Keep it brief and expand as needed.</div>
+			<textarea id="starter" readonly></textarea>
+		</section>
+
+		<section>
+			<h3>5) JSON-RPC request template</h3>
 			<div class="small">When the Assistant calls a tool, POST this body to <code>/mcp</code>.</div>
 			<pre>{
   "jsonrpc": "2.0",
@@ -110,7 +118,7 @@
 
     const schema = {
       openapi: '3.1.0',
-      info: { title: 'JOE MCP Bridge', version: '1.0.0' },
+      info: { title: 'JOE MCP Bridge — ' + ((manifest.joe&&manifest.joe.name)||'JOE'), version: '1.0.0' },
       servers: [{ url: serverUrl.replace(/\/$/,'') }],
       paths: {
         '/mcp': {
@@ -162,6 +170,7 @@
 
       const url = base.value.replace(/\/$/,'') + manifestPath.value;
       const manifest = await fetchJSON(url);
+      // Instance info handled by shared nav script
       manifestOut.style.display='block';
       manifestOut.textContent = JSON.stringify(manifest, null, 2);
 
@@ -171,6 +180,33 @@
       const openapi = buildOpenAPI(manifest, base.value);
       openapiEl.value = JSON.stringify(openapi, null, 2);
 
+      // Starter prompt (concise)
+      const joeName = (manifest.joe && manifest.joe.name) || 'JOE';
+      const starter = [
+        `You are a data assistant for ${joeName} (JOE). Use only the provided tools.`,
+        '',
+        'Autonomy:',
+        '- Act autonomously; if a tool can answer, call it immediately (no permission prompts).',
+        '- Do not offer multiple-choice options; pick the best action.',
+        '- Ask one brief clarification only if a required parameter is missing.',
+        '- On a new session: call hydrate {} first, then proceed.',
+        '- Keep results scoped (limit 10–25). Flatten is optional and off by default; enable only when needed.',
+        '- Never expose secrets/tokens. Confirm with the user before saveObject.',
+        '',
+        'Typical flow:',
+        '- listSchemas {}, getSchema { "name": "<schema>" }',
+        '- search { "query": { "itemtype": "<schema>" }, "limit": 10 } (cache) or { "source": "storage" } when authoritative results are needed',
+        '- getObject { "_id": "<id>", "schema": "<schema>" } for a single item',
+        '- saveObject { "object": { ... } } only on explicit user request',
+        '',
+        'Examples:',
+        '- listSchemas {}',
+        '- getSchema { "name": "client" }',
+        '- search { "schema": "client", "source": "storage", "query": { "status": "active" }, "limit": 10 }',
+        '- getObject { "_id": "123", "schema": "client" }'
+      ].join('\n');
+      $('starter').value = starter;
+
       setStatus('Manifest loaded. Config generated.', true);
     }catch(e){
       setStatus(e.message||String(e), false);

package/_www/mcp-nav.js

@@ -0,0 +1,42 @@
+;(function(){
+  function buildNav(){
+    var nav = document.createElement('nav');
+    nav.setAttribute('style','display:flex;gap:10px;align-items:center;margin-bottom:8px');
+    nav.innerHTML = [
+      '<a href="/mcp-test.html" target="mcp_test_win" rel="noopener">MCP Test</a>',
+      '<a href="/mcp-export.html" target="mcp_export_win" rel="noopener">MCP Export</a>',
+      '<a href="/mcp-prompt.html" target="mcp_prompt_win" rel="noopener">MCP Prompt</a>',
+      '<span style="margin-left:auto"></span>',
+      '<span id="mcp-nav-info" class="small" style="opacity:.8;margin-right:10px"></span>',
+      '<a href="/privacy" target="privacy_win" rel="noopener">Privacy</a>',
+      '<a href="/terms" target="terms_win" rel="noopener">Terms</a>'
+    ].join('');
+    return nav;
+  }
+  function insert(){
+    var placeholder = document.getElementById('mcp-nav');
+    var nav = buildNav();
+    if(placeholder){
+      placeholder.parentNode.replaceChild(nav, placeholder);
+    }else{
+      document.body.insertBefore(nav, document.body.firstChild);
+    }
+  }
+  async function updateInstance(){
+    try{
+      var res = await fetch('/.well-known/mcp/manifest.json');
+      if(!res.ok) return;
+      var m = await res.json();
+      var info = document.getElementById('mcp-nav-info');
+      if(info && m && m.joe){
+        info.textContent = 'Name: '+(m.joe.name||'JOE')+' | Version: '+(m.joe.version||'')+' | Host: '+(m.joe.hostname||'');
+      }
+    }catch(e){}
+  }
+  if(document.readyState === 'loading'){
+    document.addEventListener('DOMContentLoaded', insert);
+    document.addEventListener('DOMContentLoaded', updateInstance);
+  }else{ insert(); updateInstance(); }
+})();
+
+

package/_www/mcp-prompt.html

@@ -0,0 +1,29 @@
+<!doctype html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>JOE MCP Prompt</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <style>
+        body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif;margin:20px;}
+        textarea{width:100%;height:360px;font-family:ui-monospace,Menlo,Consolas,monospace}
+        .small{font-size:12px;color:#666}
+    </style>
+    </head>
+<body>
+    <div id="mcp-nav"></div>
+    <script src="/JsonObjectEditor/_www/mcp-nav.js"></script>
+    <h1>Starter Agent Instructions</h1>
+    <div class="small">Copy into your Custom GPT or Assistant system prompt. Adjust as needed.</div>
+    <textarea readonly id="prompt"></textarea>
+    <script>
+    (function(){
+        const text = [
+`You are a data assistant for JOE. Use only the provided tools.\n\nAutonomy:\n- Act autonomously; if a tool can answer, call it immediately (no permission prompts).\n- Do not offer multiple-choice options; pick the best action.\n- Ask one brief clarification only if a required parameter is missing.\n- On a new session: call hydrate {} first, then proceed.\n- Keep results scoped (limit 10–25). Flatten is optional and off by default; enable only when needed.\n- Never expose secrets/tokens. Confirm with the user before saveObject.\n\nTypical flow:\n- listSchemas {}, getSchema { "name": "<schema>" }\n- search { "query": { "itemtype": "<schema>" }, "limit": 10 } (cache) or { "source": "storage" } for authoritative results\n- getObject { "_id": "<id>", "schema": "<schema>" }\n- saveObject { "object": { ... } } only on explicit user request\n\nExamples:\n- listSchemas {}\n- getSchema { "name": "client" }\n- search { "schema": "client", "source": "storage", "query": { "status": "active" }, "limit": 10 }\n- getObject { "_id": "123", "schema": "client" }`
+        ].join('\n');
+        document.getElementById('prompt').value = text;
+    })();
+    </script>
+</body>
+</html>
+

package/_www/mcp-test.html

@@ -17,9 +17,10 @@
 	</style>
 </head>
 <body>
+    <div id="mcp-nav"></div>
+    <script src="/JsonObjectEditor/_www/mcp-nav.js"></script>
     <h1>JOE MCP Test</h1>
     <div class="small">Use this page to discover tools and call the JSON-RPC endpoint.</div>
-    <pre id="instanceInfo" class="small">Loading instance info…</pre>
 	
 	<h3>Manifest</h3>
 	<div class="row">
@@ -83,10 +84,7 @@
 			try{
 				const url = base.value.replace(/\/$/,'') + '/.well-known/mcp/manifest.json';
 				manifest = await fetchJSON(url);
-                // Instance info
-                if (manifest.joe){
-                    $('instanceInfo').textContent = `Name: ${manifest.joe.name} | Version: ${manifest.joe.version} | Host: ${manifest.joe.hostname}`;
-                }
+                // Instance info handled by shared nav script
                 (manifest.tools||[]).forEach(t=>{
 					const opt=document.createElement('option');
 					opt.value=t.name; opt.textContent=t.name;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "json-object-editor",
-  "version": "0.10.503",
+  "version": "0.10.505",
   "description": "JOE the Json Object Editor | Platform Edition",
   "main": "app.js",
   "scripts": {

package/readme.md

@@ -31,6 +31,8 @@ JOE is software that allows you to manage data models via JSON objects. There ar
 - Endpoints
   - Manifest (public): `GET /.well-known/mcp/manifest.json`
   - JSON-RPC (auth): `POST /mcp`
+  - Privacy (public): `/privacy` (uses Setting `PRIVACY_CONTACT` for contact email)
+  - Terms (public): `/terms`
 
 - Auth
   - If users exist, `POST /mcp` requires cookie or Basic Auth (same as other APIs). If no users configured, it is effectively open.
@@ -42,7 +44,7 @@ JOE is software that allows you to manage data models via JSON objects. There ar
 
 - Tools
   - `listSchemas(name?)`, `getSchema(name)`
-  - `getObject(_id, schema?)` (flattens by default; supports `depth` override)
+  - `getObject(_id, schema?)` (supports optional `flatten` and `depth`)
   - `search` (preferred): unified tool for cache and storage
     - Params: `{ schema?, query?, ids?, source?: 'cache'|'storage', limit?, flatten?, depth? }`
     - Defaults to cache across all collections; add `schema` to filter; set `source:"storage"` to query a specific schema in the DB.
@@ -117,6 +119,7 @@ JOE is software that allows you to manage data models via JSON objects. There ar
 
 - Troubleshooting
   - If you see a payload like `{ originalURL: "/...", site: "no site found" }`, the request hit the Sites catch-all. Ensure MCP routes are initialized before Sites (handled by default in `server/init.js` via `MCP.init()`), and use the correct URL: `/.well-known/mcp/manifest.json` or `/mcp`.
+  - To update contact email on /privacy and /terms, set Setting `PRIVACY_CONTACT`.
 
 ## SERVER/PLATFORM mode
 	check port 2099

package/server/modules/MCP.js

@@ -63,7 +63,7 @@ MCP.tools = {
   },
 
   // Convenience: fetch a single object by _id (schema optional). Prefer cache; fallback to storage.
-  getObject: async ({ _id, schema, flatten = true, depth = 1 }, _ctx) => {
+  getObject: async ({ _id, schema, flatten = false, depth = 1 }, _ctx) => {
     if (!_id) throw new Error("Missing required param '_id'");
     // Fast path via global lookup
     let obj = (JOE && JOE.Cache && JOE.Cache.findByID) ? (JOE.Cache.findByID(_id) || null) : null;
@@ -185,11 +185,11 @@ MCP.tools = {
 MCP.descriptions = {
   listSchemas: "List all available JOE schema names.",
   getSchema: "Retrieve a full schema definition by name.",
-  getObject: "Fetch a single object by _id (schema optional). Flattens by default.",
+  getObject: "Fetch a single object by _id (schema optional). Supports optional flatten.",
   // getObjectsByIds: "Deprecated - use 'search' with ids.",
   // queryObjects: "Deprecated - use 'search'.",
   // searchCache: "Deprecated - use 'search'.",
-  search: "Unified search. Defaults to cache; set source=storage to query DB.",
+  search: "Unified search. Defaults to cache; set source=storage to query DB. Flatten is optional (false by default).",
   saveObject: "Create/update an object; triggers events/history.",
   hydrate: "Describe core fields, statuses, tags, and inferred field shapes for an optional schema."
 };
@@ -278,7 +278,10 @@ MCP.manifest = async function (req, res) {
       version: (JOE && JOE.VERSION) || '',
       hostname: (JOE && JOE.webconfig && JOE.webconfig.hostname) || ''
     };
-    return res.json({ version: "1.0", joe, tools });
+    const base = req.protocol+':'+(req.get('host')||'');
+    const privacyUrl = base+'/'+'privacy';
+    const termsUrl = base+'/'+'terms';
+    return res.json({ version: "1.0", joe, privacy_policy_url: privacyUrl, terms_of_service_url: termsUrl, tools });
   } catch (e) {
     console.log('[MCP] manifest error:', e);
     return res.status(500).json({ error: e.message || 'manifest error' });

package/server/modules/Server.js

@@ -104,6 +104,65 @@ server.use(function(req, res, next) {
     res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
     next();
 });
+// Public Privacy & Terms pages
+server.get(['/privacy','/privacy-policy'],function(req,res){
+    const host = req.protocol+'://'+req.get('host');
+    const name = (JOE && JOE.webconfig && JOE.webconfig.name) || 'JOE';
+    const updated = new Date().toISOString().split('T')[0];
+    const contact = (JOE && JOE.Utils && JOE.Utils.Settings && JOE.Utils.Settings('PRIVACY_CONTACT')) || 'admin@example.com';
+    res.send(`
+<!doctype html>
+<html><head><meta charset="utf-8"><title>Privacy Policy - ${name}</title></head>
+<body style="font-family:system-ui,Segoe UI,Roboto,Arial,sans-serif;padding:20px;max-width:900px;line-height:1.6">
+  <div id="mcp-nav"></div>
+  <script src="${JOE.webconfig.joepath}_www/mcp-nav.js"></script>
+  <h1>Privacy Policy for JOE MCP Interface</h1>
+  <p><em>Last updated: ${updated}</em></p>
+  <h3>Data Processed</h3>
+  <p>The JOE MCP interface allows AI systems to retrieve structured data from the JOE platform, such as schemas, objects, and metadata. It does not store, sell, or share personal data.</p>
+  <h3>Data Sources</h3>
+  <p>All information returned by this interface comes from the JOE instance it’s connected to (${host}). Access to internal data is subject to your JOE configuration and authentication.</p>
+  <h3>Third-Party Access</h3>
+  <p>This API may be called by authorized OpenAI models or assistants when configured by a verified user. Calls are only executed when explicitly invoked as part of an agent’s reasoning process.</p>
+  <h3>Logging</h3>
+  <p>Standard request logs (timestamps, method calls, and errors) may be recorded for security and debugging. Logs do not include object contents or personal data.</p>
+  <h3>Security</h3>
+  <p>All connections are made over HTTPS. No credentials or session tokens are shared with external systems.</p>
+  <h3>Contact</h3>
+  <p>For privacy concerns, contact ${contact}.</p>
+</body></html>`);
+});
+server.get(['/terms','/terms-of-service'],function(req,res){
+    const host = req.protocol+'://'+req.get('host');
+    const name = (JOE && JOE.webconfig && JOE.webconfig.name) || 'JOE';
+    const updated = new Date().toISOString().split('T')[0];
+    const contact = (JOE && JOE.Utils && JOE.Utils.Settings && JOE.Utils.Settings('PRIVACY_CONTACT')) || 'admin@example.com';
+    res.send(`
+<!doctype html>
+<html><head><meta charset="utf-8"><title>Terms of Service - ${name}</title></head>
+<body style="font-family:system-ui,Segoe UI,Roboto,Arial,sans-serif;padding:20px;max-width:900px;line-height:1.6">
+  <div id="mcp-nav"></div>
+  <script src="${JOE.webconfig.joepath}_www/mcp-nav.js"></script>
+  <h1>Terms of Service for JOE MCP Interface</h1>
+  <p><em>Last updated: ${updated}</em></p>
+  <p>Use of this interface implies consent to log and process structured data requests for schema and object retrieval purposes. Access is governed by your JOE configuration and authentication. Do not submit sensitive data unless you are authorized to do so.</p>
+  <p>For questions, contact ${contact}.</p>
+</body></html>`);
+});
+// Secure MCP test/export pages with standard auth (root and JOEPATH paths)
+server.get('/mcp-test.html',auth,function(req,res){
+    res.sendFile(path.join(JOE.joedir,'_www','mcp-test.html'));
+});
+server.get('/mcp-export.html',auth,function(req,res){
+    res.sendFile(path.join(JOE.joedir,'_www','mcp-export.html'));
+});
+server.get(JOE.webconfig.joepath+'_www/mcp-test.html',auth,function(req,res){
+    res.sendFile(path.join(JOE.joedir,'_www','mcp-test.html'));
+});
+server.get(JOE.webconfig.joepath+'_www/mcp-export.html',auth,function(req,res){
+    res.sendFile(path.join(JOE.joedir,'_www','mcp-export.html'));
+});
+
 server.use(JOE.webconfig.joepath,express.static(JOE.joedir));
 
 //USER