strapi-oauth-mcp-manager 0.1.0

package/dist/server/index.mjs

@@ -0,0 +1,801 @@
+import { randomBytes } from "node:crypto";
+const PLUGIN_ID = "strapi-oauth-mcp-manager";
+const PLUGIN_UID$3 = `plugin::${PLUGIN_ID}`;
+function extractBearerToken(authHeader) {
+  if (!authHeader?.startsWith("Bearer ")) {
+    return null;
+  }
+  return authHeader.slice(7);
+}
+function getBaseUrl$1(ctx, strapi) {
+  const forwardedProto = ctx.request.headers["x-forwarded-proto"] || ctx.protocol;
+  const forwardedHost = ctx.request.headers["x-forwarded-host"] || ctx.request.headers["host"];
+  const serverUrl = strapi.config.get("server.url") || "http://localhost:1337";
+  return forwardedHost ? `${forwardedProto}://${forwardedHost}` : serverUrl;
+}
+function buildWwwAuthenticateHeader(ctx, strapi) {
+  const baseUrl = getBaseUrl$1(ctx, strapi);
+  const resourceMetadataUrl = `${baseUrl}/api/${PLUGIN_ID}/.well-known/oauth-protected-resource`;
+  return `Bearer resource_metadata="${resourceMetadataUrl}"`;
+}
+async function validateOAuthToken(token, strapi) {
+  try {
+    const tokenRecord = await strapi.documents(`${PLUGIN_UID$3}.mcp-oauth-token`).findFirst({
+      filters: { accessToken: token, revoked: false }
+    });
+    if (!tokenRecord) {
+      return { valid: false };
+    }
+    if (new Date(tokenRecord.expiresAt) < /* @__PURE__ */ new Date()) {
+      return { valid: false, error: "Token expired" };
+    }
+    const client = await strapi.documents(`${PLUGIN_UID$3}.mcp-oauth-client`).findFirst({
+      filters: { clientId: tokenRecord.clientId }
+    });
+    if (!client) {
+      return { valid: false, error: "Client not found" };
+    }
+    return {
+      valid: true,
+      strapiApiToken: client.strapiApiToken
+    };
+  } catch (error) {
+    strapi.log.error(`[${PLUGIN_ID}] Error validating OAuth token`, { error });
+    return { valid: false, error: "Token validation failed" };
+  }
+}
+const mcpOauthMiddleware = (config2, { strapi }) => {
+  let endpointCache = [];
+  let lastCacheUpdate = 0;
+  const CACHE_TTL = 6e4;
+  async function refreshEndpointCache() {
+    const now = Date.now();
+    if (now - lastCacheUpdate > CACHE_TTL) {
+      try {
+        const endpoints = await strapi.documents(`${PLUGIN_UID$3}.mcp-endpoint`).findMany({
+          filters: { active: true }
+        });
+        endpointCache = endpoints.map((e) => e.path);
+        lastCacheUpdate = now;
+      } catch (error) {
+        strapi.log.error(`[${PLUGIN_ID}] Error refreshing endpoint cache`, { error });
+      }
+    }
+  }
+  function isProtectedPath(path) {
+    return endpointCache.some((endpoint) => path.includes(endpoint));
+  }
+  return async (ctx, next) => {
+    await refreshEndpointCache();
+    if (!isProtectedPath(ctx.path)) {
+      return next();
+    }
+    const authHeader = ctx.request.headers.authorization;
+    const token = extractBearerToken(authHeader);
+    if (!token) {
+      ctx.status = 401;
+      ctx.set("WWW-Authenticate", buildWwwAuthenticateHeader(ctx, strapi));
+      ctx.body = {
+        error: "Unauthorized",
+        message: "No authorization token provided"
+      };
+      return;
+    }
+    const oauthResult = await validateOAuthToken(token, strapi);
+    if (oauthResult.valid && oauthResult.strapiApiToken) {
+      ctx.state.strapiToken = oauthResult.strapiApiToken;
+      ctx.state.authMethod = "oauth";
+      return next();
+    }
+    ctx.state.strapiToken = token;
+    ctx.state.authMethod = "api-token";
+    return next();
+  };
+};
+const bootstrap = async ({ strapi }) => {
+  const middleware = mcpOauthMiddleware({}, { strapi });
+  strapi.server.use(middleware);
+  strapi.log.info(`[${PLUGIN_ID}] OAuth middleware registered`);
+  strapi.log.info(`[${PLUGIN_ID}] OAuth endpoints available at: /api/${PLUGIN_ID}/oauth/*`);
+  strapi.log.info(`[${PLUGIN_ID}] Discovery: /api/${PLUGIN_ID}/.well-known/oauth-authorization-server`);
+};
+const destroy = ({ strapi }) => {
+};
+const register = ({ strapi }) => {
+};
+const config = {
+  default: {},
+  validator() {
+  }
+};
+const kind$3 = "collectionType";
+const collectionName$3 = "mcp_oauth_clients";
+const info$3 = {
+  singularName: "mcp-oauth-client",
+  pluralName: "mcp-oauth-clients",
+  displayName: "MCP OAuth Client",
+  description: "OAuth 2.0 clients for MCP authentication"
+};
+const options$3 = {
+  draftAndPublish: false
+};
+const pluginOptions$3 = {
+  "content-manager": {
+    visible: true
+  },
+  "content-type-builder": {
+    visible: true
+  }
+};
+const attributes$3 = {
+  name: {
+    type: "string",
+    required: true
+  },
+  clientId: {
+    type: "string",
+    required: true,
+    unique: true
+  },
+  clientSecret: {
+    type: "string",
+    required: true,
+    "private": true
+  },
+  redirectUris: {
+    type: "json",
+    required: true
+  },
+  strapiApiToken: {
+    type: "string",
+    required: true,
+    "private": true
+  },
+  description: {
+    type: "text"
+  },
+  active: {
+    type: "boolean",
+    "default": true
+  }
+};
+const mcpOauthClient = {
+  kind: kind$3,
+  collectionName: collectionName$3,
+  info: info$3,
+  options: options$3,
+  pluginOptions: pluginOptions$3,
+  attributes: attributes$3
+};
+const kind$2 = "collectionType";
+const collectionName$2 = "mcp_oauth_codes";
+const info$2 = {
+  singularName: "mcp-oauth-code",
+  pluralName: "mcp-oauth-codes",
+  displayName: "MCP OAuth Code",
+  description: "OAuth 2.0 authorization codes"
+};
+const options$2 = {
+  draftAndPublish: false
+};
+const pluginOptions$2 = {
+  "content-manager": {
+    visible: false
+  },
+  "content-type-builder": {
+    visible: false
+  }
+};
+const attributes$2 = {
+  code: {
+    type: "string",
+    required: true,
+    unique: true
+  },
+  clientId: {
+    type: "string",
+    required: true
+  },
+  redirectUri: {
+    type: "string",
+    required: true
+  },
+  codeChallenge: {
+    type: "string"
+  },
+  codeChallengeMethod: {
+    type: "string"
+  },
+  expiresAt: {
+    type: "datetime",
+    required: true
+  },
+  used: {
+    type: "boolean",
+    "default": false
+  }
+};
+const mcpOauthCode = {
+  kind: kind$2,
+  collectionName: collectionName$2,
+  info: info$2,
+  options: options$2,
+  pluginOptions: pluginOptions$2,
+  attributes: attributes$2
+};
+const kind$1 = "collectionType";
+const collectionName$1 = "mcp_oauth_tokens";
+const info$1 = {
+  singularName: "mcp-oauth-token",
+  pluralName: "mcp-oauth-tokens",
+  displayName: "MCP OAuth Token",
+  description: "OAuth 2.0 access and refresh tokens"
+};
+const options$1 = {
+  draftAndPublish: false
+};
+const pluginOptions$1 = {
+  "content-manager": {
+    visible: false
+  },
+  "content-type-builder": {
+    visible: false
+  }
+};
+const attributes$1 = {
+  accessToken: {
+    type: "string",
+    required: true,
+    unique: true,
+    "private": true
+  },
+  refreshToken: {
+    type: "string",
+    required: true,
+    unique: true,
+    "private": true
+  },
+  clientId: {
+    type: "string",
+    required: true
+  },
+  expiresAt: {
+    type: "datetime",
+    required: true
+  },
+  refreshExpiresAt: {
+    type: "datetime",
+    required: true
+  },
+  revoked: {
+    type: "boolean",
+    "default": false
+  }
+};
+const mcpOauthToken = {
+  kind: kind$1,
+  collectionName: collectionName$1,
+  info: info$1,
+  options: options$1,
+  pluginOptions: pluginOptions$1,
+  attributes: attributes$1
+};
+const kind = "collectionType";
+const collectionName = "mcp_endpoints";
+const info = {
+  singularName: "mcp-endpoint",
+  pluralName: "mcp-endpoints",
+  displayName: "MCP Endpoint",
+  description: "Registered MCP endpoints protected by OAuth"
+};
+const options = {
+  draftAndPublish: false
+};
+const pluginOptions = {
+  "content-manager": {
+    visible: true
+  },
+  "content-type-builder": {
+    visible: true
+  }
+};
+const attributes = {
+  name: {
+    type: "string",
+    required: true
+  },
+  pluginId: {
+    type: "string",
+    required: true
+  },
+  path: {
+    type: "string",
+    required: true,
+    unique: true
+  },
+  description: {
+    type: "text"
+  },
+  active: {
+    type: "boolean",
+    "default": true
+  }
+};
+const mcpEndpoint = {
+  kind,
+  collectionName,
+  info,
+  options,
+  pluginOptions,
+  attributes
+};
+const contentTypes = {
+  "mcp-oauth-client": { schema: mcpOauthClient },
+  "mcp-oauth-code": { schema: mcpOauthCode },
+  "mcp-oauth-token": { schema: mcpOauthToken },
+  "mcp-endpoint": { schema: mcpEndpoint }
+};
+const PLUGIN_UID$2 = `plugin::${PLUGIN_ID}`;
+function getBaseUrl(ctx, strapi) {
+  const forwardedProto = ctx.request.headers["x-forwarded-proto"] || ctx.protocol;
+  const forwardedHost = ctx.request.headers["x-forwarded-host"] || ctx.request.headers["host"];
+  const serverUrl = strapi.config.get("server.url") || "http://localhost:1337";
+  return forwardedHost ? `${forwardedProto}://${forwardedHost}` : serverUrl;
+}
+function matchRedirectUri(redirectUri, allowedPatterns) {
+  return allowedPatterns.some((pattern) => {
+    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
+    const regexPattern = escaped.replace(/\*/g, "[^/]*");
+    const regex = new RegExp("^" + regexPattern + "$");
+    return regex.test(redirectUri);
+  });
+}
+const oauthController = ({ strapi }) => ({
+  /**
+   * OAuth 2.0 Authorization Server Metadata (RFC 8414)
+   * GET /.well-known/oauth-authorization-server
+   */
+  async discovery(ctx) {
+    const baseUrl = getBaseUrl(ctx, strapi);
+    const pluginPath = `/api/${PLUGIN_ID}`;
+    const issuer = `${baseUrl}${pluginPath}`;
+    ctx.body = {
+      issuer,
+      authorization_endpoint: `${baseUrl}${pluginPath}/oauth/authorize`,
+      token_endpoint: `${baseUrl}${pluginPath}/oauth/token`,
+      response_types_supported: ["code"],
+      grant_types_supported: ["authorization_code", "refresh_token"],
+      token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
+      code_challenge_methods_supported: ["S256"]
+    };
+  },
+  /**
+   * OAuth 2.0 Protected Resource Metadata (RFC 9728)
+   * GET /.well-known/oauth-protected-resource
+   */
+  async protectedResource(ctx) {
+    const baseUrl = getBaseUrl(ctx, strapi);
+    const pluginPath = `/api/${PLUGIN_ID}`;
+    const authServer = `${baseUrl}${pluginPath}`;
+    const endpoints = await strapi.documents(`${PLUGIN_UID$2}.mcp-endpoint`).findMany({
+      filters: { active: true }
+    });
+    const resources = endpoints.map((e) => `${baseUrl}${e.path}`);
+    ctx.body = {
+      resource: resources.length === 1 ? resources[0] : resources,
+      authorization_servers: [authServer],
+      bearer_methods_supported: ["header"]
+    };
+  },
+  /**
+   * OAuth 2.0 Authorization Endpoint
+   * GET /oauth/authorize
+   */
+  async authorize(ctx) {
+    const { client_id, redirect_uri, response_type, state, code_challenge, code_challenge_method } = ctx.query;
+    if (!client_id) {
+      ctx.status = 400;
+      ctx.body = { error: "invalid_request", error_description: "client_id is required" };
+      return;
+    }
+    if (!redirect_uri) {
+      ctx.status = 400;
+      ctx.body = { error: "invalid_request", error_description: "redirect_uri is required" };
+      return;
+    }
+    if (response_type !== "code") {
+      ctx.status = 400;
+      ctx.body = { error: "unsupported_response_type", error_description: "Only code response type is supported" };
+      return;
+    }
+    const client = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-client`).findFirst({
+      filters: { clientId: client_id, active: true }
+    });
+    if (!client) {
+      ctx.status = 400;
+      ctx.body = { error: "invalid_client", error_description: "Unknown client_id" };
+      return;
+    }
+    const allowedRedirects = client.redirectUris;
+    if (!matchRedirectUri(redirect_uri, allowedRedirects)) {
+      strapi.log.warn(`[${PLUGIN_ID}] Invalid redirect_uri: ${redirect_uri}`);
+      strapi.log.warn(`[${PLUGIN_ID}] Allowed patterns: ${allowedRedirects.join(", ")}`);
+      ctx.status = 400;
+      ctx.body = { error: "invalid_request", error_description: "Invalid redirect_uri" };
+      return;
+    }
+    const code = randomBytes(32).toString("hex");
+    const expiresAt = new Date(Date.now() + 10 * 60 * 1e3);
+    await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-code`).create({
+      data: {
+        code,
+        clientId: client_id,
+        redirectUri: redirect_uri,
+        codeChallenge: code_challenge || null,
+        codeChallengeMethod: code_challenge_method || null,
+        expiresAt: expiresAt.toISOString(),
+        used: false
+      }
+    });
+    const redirectUrl = new URL(redirect_uri);
+    redirectUrl.searchParams.set("code", code);
+    if (state) {
+      redirectUrl.searchParams.set("state", state);
+    }
+    ctx.redirect(redirectUrl.toString());
+  },
+  /**
+   * OAuth 2.0 Token Endpoint
+   * POST /oauth/token
+   */
+  async token(ctx) {
+    const { grant_type, code, redirect_uri, client_id, client_secret, refresh_token } = ctx.request.body;
+    let authClientId = client_id;
+    let authClientSecret = client_secret;
+    const authHeader = ctx.request.headers.authorization;
+    if (authHeader && authHeader.startsWith("Basic ")) {
+      const credentials = Buffer.from(authHeader.slice(6), "base64").toString();
+      const [id, secret] = credentials.split(":");
+      authClientId = authClientId || id;
+      authClientSecret = authClientSecret || secret;
+    }
+    if (!authClientId) {
+      ctx.status = 401;
+      ctx.body = { error: "invalid_client", error_description: "Client authentication required" };
+      return;
+    }
+    const client = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-client`).findFirst({
+      filters: { clientId: authClientId, active: true }
+    });
+    if (!client || authClientSecret && client.clientSecret !== authClientSecret) {
+      ctx.status = 401;
+      ctx.body = { error: "invalid_client", error_description: "Invalid client credentials" };
+      return;
+    }
+    if (grant_type === "authorization_code") {
+      await handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_uri);
+    } else if (grant_type === "refresh_token") {
+      await handleRefreshTokenGrant(ctx, strapi, client, refresh_token);
+    } else {
+      ctx.status = 400;
+      ctx.body = { error: "unsupported_grant_type", error_description: "Unsupported grant type" };
+    }
+  }
+});
+async function handleAuthorizationCodeGrant(ctx, strapi, client, code, redirect_uri) {
+  if (!code) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_request", error_description: "code is required" };
+    return;
+  }
+  const authCode = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-code`).findFirst({
+    filters: { code, clientId: client.clientId, used: false }
+  });
+  if (!authCode) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "Invalid authorization code" };
+    return;
+  }
+  if (new Date(authCode.expiresAt) < /* @__PURE__ */ new Date()) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "Authorization code expired" };
+    return;
+  }
+  if (authCode.redirectUri !== redirect_uri) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "redirect_uri mismatch" };
+    return;
+  }
+  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-code`).update({
+    documentId: authCode.documentId,
+    data: { used: true }
+  });
+  const accessToken = randomBytes(32).toString("hex");
+  const refreshToken = randomBytes(32).toString("hex");
+  const expiresIn = 3600;
+  const refreshExpiresIn = 30 * 24 * 3600;
+  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).create({
+    data: {
+      accessToken,
+      refreshToken,
+      clientId: client.clientId,
+      expiresAt: new Date(Date.now() + expiresIn * 1e3).toISOString(),
+      refreshExpiresAt: new Date(Date.now() + refreshExpiresIn * 1e3).toISOString(),
+      revoked: false
+    }
+  });
+  ctx.body = {
+    access_token: accessToken,
+    token_type: "Bearer",
+    expires_in: expiresIn,
+    refresh_token: refreshToken
+  };
+}
+async function handleRefreshTokenGrant(ctx, strapi, client, refreshToken) {
+  if (!refreshToken) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_request", error_description: "refresh_token is required" };
+    return;
+  }
+  const token = await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).findFirst({
+    filters: { refreshToken, clientId: client.clientId, revoked: false }
+  });
+  if (!token) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "Invalid refresh token" };
+    return;
+  }
+  if (new Date(token.refreshExpiresAt) < /* @__PURE__ */ new Date()) {
+    ctx.status = 400;
+    ctx.body = { error: "invalid_grant", error_description: "Refresh token expired" };
+    return;
+  }
+  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).update({
+    documentId: token.documentId,
+    data: { revoked: true }
+  });
+  const newAccessToken = randomBytes(32).toString("hex");
+  const newRefreshToken = randomBytes(32).toString("hex");
+  const expiresIn = 3600;
+  const refreshExpiresIn = 30 * 24 * 3600;
+  await strapi.documents(`${PLUGIN_UID$2}.mcp-oauth-token`).create({
+    data: {
+      accessToken: newAccessToken,
+      refreshToken: newRefreshToken,
+      clientId: client.clientId,
+      expiresAt: new Date(Date.now() + expiresIn * 1e3).toISOString(),
+      refreshExpiresAt: new Date(Date.now() + refreshExpiresIn * 1e3).toISOString(),
+      revoked: false
+    }
+  });
+  ctx.body = {
+    access_token: newAccessToken,
+    token_type: "Bearer",
+    expires_in: expiresIn,
+    refresh_token: newRefreshToken
+  };
+}
+const controllers = {
+  oauth: oauthController
+};
+const middlewares = {
+  "mcp-oauth": mcpOauthMiddleware
+};
+const policies = {};
+const contentApi = [
+  // OAuth 2.0 Authorization Server Metadata (RFC 8414)
+  {
+    method: "GET",
+    path: "/.well-known/oauth-authorization-server",
+    handler: "oauth.discovery",
+    config: {
+      auth: false,
+      policies: []
+    }
+  },
+  // OAuth 2.0 Protected Resource Metadata (RFC 9728)
+  {
+    method: "GET",
+    path: "/.well-known/oauth-protected-resource",
+    handler: "oauth.protectedResource",
+    config: {
+      auth: false,
+      policies: []
+    }
+  },
+  // OAuth 2.0 Authorization Endpoint
+  {
+    method: "GET",
+    path: "/oauth/authorize",
+    handler: "oauth.authorize",
+    config: {
+      auth: false,
+      policies: []
+    }
+  },
+  // OAuth 2.0 Token Endpoint
+  {
+    method: "POST",
+    path: "/oauth/token",
+    handler: "oauth.token",
+    config: {
+      auth: false,
+      policies: []
+    }
+  }
+];
+const admin = [];
+const routes = {
+  "content-api": {
+    type: "content-api",
+    routes: [...contentApi]
+  },
+  admin: {
+    type: "admin",
+    routes: [...admin]
+  }
+};
+const PLUGIN_UID$1 = `plugin::${PLUGIN_ID}`;
+const oauthService = ({ strapi }) => ({
+  /**
+   * Validate an OAuth access token
+   */
+  async validateToken(accessToken) {
+    try {
+      const tokenRecord = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findFirst({
+        filters: { accessToken, revoked: false }
+      });
+      if (!tokenRecord) {
+        return { valid: false };
+      }
+      if (new Date(tokenRecord.expiresAt) < /* @__PURE__ */ new Date()) {
+        return { valid: false, error: "Token expired" };
+      }
+      const client = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-client`).findFirst({
+        filters: { clientId: tokenRecord.clientId }
+      });
+      if (!client) {
+        return { valid: false, error: "Client not found" };
+      }
+      return {
+        valid: true,
+        strapiApiToken: client.strapiApiToken,
+        clientId: client.clientId
+      };
+    } catch (error) {
+      strapi.log.error(`[${PLUGIN_ID}] Error validating token`, { error });
+      return { valid: false, error: "Token validation failed" };
+    }
+  },
+  /**
+   * Revoke all tokens for a client
+   */
+  async revokeClientTokens(clientId) {
+    const tokens = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findMany({
+      filters: { clientId, revoked: false }
+    });
+    for (const token of tokens) {
+      await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).update({
+        documentId: token.documentId,
+        data: { revoked: true }
+      });
+    }
+    return tokens.length;
+  },
+  /**
+   * Clean up expired tokens and codes
+   */
+  async cleanupExpired() {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const expiredCodes = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).findMany({
+      filters: { expiresAt: { $lt: now } }
+    });
+    for (const code of expiredCodes) {
+      await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-code`).delete({
+        documentId: code.documentId
+      });
+    }
+    const expiredTokens = await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).findMany({
+      filters: { refreshExpiresAt: { $lt: now } }
+    });
+    for (const token of expiredTokens) {
+      await strapi.documents(`${PLUGIN_UID$1}.mcp-oauth-token`).delete({
+        documentId: token.documentId
+      });
+    }
+    return {
+      tokens: expiredTokens.length,
+      codes: expiredCodes.length
+    };
+  }
+});
+const PLUGIN_UID = `plugin::${PLUGIN_ID}`;
+const endpointService = ({ strapi }) => ({
+  /**
+   * Register an MCP endpoint for OAuth protection
+   */
+  async register(endpoint) {
+    const existing = await strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findFirst({
+      filters: { path: endpoint.path }
+    });
+    if (existing) {
+      return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).update({
+        documentId: existing.documentId,
+        data: {
+          name: endpoint.name,
+          pluginId: endpoint.pluginId,
+          description: endpoint.description,
+          active: true
+        }
+      });
+    }
+    return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).create({
+      data: {
+        name: endpoint.name,
+        pluginId: endpoint.pluginId,
+        path: endpoint.path,
+        description: endpoint.description,
+        active: true
+      }
+    });
+  },
+  /**
+   * Unregister an MCP endpoint
+   */
+  async unregister(path) {
+    const endpoint = await strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findFirst({
+      filters: { path }
+    });
+    if (!endpoint) {
+      return false;
+    }
+    await strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).update({
+      documentId: endpoint.documentId,
+      data: { active: false }
+    });
+    return true;
+  },
+  /**
+   * Get all registered endpoints
+   */
+  async getAll(activeOnly = true) {
+    const filters = activeOnly ? { active: true } : {};
+    return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findMany({ filters });
+  },
+  /**
+   * Get endpoints for a specific plugin
+   */
+  async getByPlugin(pluginId, activeOnly = true) {
+    const filters = { pluginId };
+    if (activeOnly) {
+      filters.active = true;
+    }
+    return strapi.documents(`${PLUGIN_UID}.mcp-endpoint`).findMany({ filters });
+  },
+  /**
+   * Check if a path is a protected endpoint
+   */
+  async isProtected(path) {
+    const endpoints = await this.getAll(true);
+    return endpoints.some((e) => path.includes(e.path));
+  }
+});
+const services = {
+  oauth: oauthService,
+  endpoint: endpointService
+};
+const index = {
+  register,
+  bootstrap,
+  destroy,
+  config,
+  controllers,
+  routes,
+  services,
+  contentTypes,
+  policies,
+  middlewares
+};
+export {
+  index as default
+};