umami-compass 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +300 -0
- package/SECURITY.md +32 -0
- package/dist/api/client.d.ts +15 -0
- package/dist/api/client.d.ts.map +1 -0
- package/dist/api/client.js +313 -0
- package/dist/api/client.js.map +1 -0
- package/dist/api/errors.d.ts +18 -0
- package/dist/api/errors.d.ts.map +1 -0
- package/dist/api/errors.js +28 -0
- package/dist/api/errors.js.map +1 -0
- package/dist/api/types.d.ts +101 -0
- package/dist/api/types.d.ts.map +1 -0
- package/dist/api/types.js +2 -0
- package/dist/api/types.js.map +1 -0
- package/dist/cli.d.ts +3 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +46 -0
- package/dist/cli.js.map +1 -0
- package/dist/config.d.ts +25 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +148 -0
- package/dist/config.js.map +1 -0
- package/dist/index.d.ts +9 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -0
- package/dist/mcp/modules/core.d.ts +3 -0
- package/dist/mcp/modules/core.d.ts.map +1 -0
- package/dist/mcp/modules/core.js +132 -0
- package/dist/mcp/modules/core.js.map +1 -0
- package/dist/mcp/modules/events.d.ts +3 -0
- package/dist/mcp/modules/events.d.ts.map +1 -0
- package/dist/mcp/modules/events.js +77 -0
- package/dist/mcp/modules/events.js.map +1 -0
- package/dist/mcp/modules/heatmaps.d.ts +3 -0
- package/dist/mcp/modules/heatmaps.d.ts.map +1 -0
- package/dist/mcp/modules/heatmaps.js +90 -0
- package/dist/mcp/modules/heatmaps.js.map +1 -0
- package/dist/mcp/modules/performance.d.ts +3 -0
- package/dist/mcp/modules/performance.d.ts.map +1 -0
- package/dist/mcp/modules/performance.js +114 -0
- package/dist/mcp/modules/performance.js.map +1 -0
- package/dist/mcp/modules/replay.d.ts +3 -0
- package/dist/mcp/modules/replay.d.ts.map +1 -0
- package/dist/mcp/modules/replay.js +41 -0
- package/dist/mcp/modules/replay.js.map +1 -0
- package/dist/mcp/modules/reports.d.ts +3 -0
- package/dist/mcp/modules/reports.d.ts.map +1 -0
- package/dist/mcp/modules/reports.js +301 -0
- package/dist/mcp/modules/reports.js.map +1 -0
- package/dist/mcp/modules/revenue.d.ts +3 -0
- package/dist/mcp/modules/revenue.d.ts.map +1 -0
- package/dist/mcp/modules/revenue.js +57 -0
- package/dist/mcp/modules/revenue.js.map +1 -0
- package/dist/mcp/modules/sessions.d.ts +3 -0
- package/dist/mcp/modules/sessions.d.ts.map +1 -0
- package/dist/mcp/modules/sessions.js +75 -0
- package/dist/mcp/modules/sessions.js.map +1 -0
- package/dist/mcp/report-utils.d.ts +15 -0
- package/dist/mcp/report-utils.d.ts.map +1 -0
- package/dist/mcp/report-utils.js +58 -0
- package/dist/mcp/report-utils.js.map +1 -0
- package/dist/mcp/result.d.ts +27 -0
- package/dist/mcp/result.d.ts.map +1 -0
- package/dist/mcp/result.js +42 -0
- package/dist/mcp/result.js.map +1 -0
- package/dist/mcp/schemas.d.ts +120 -0
- package/dist/mcp/schemas.d.ts.map +1 -0
- package/dist/mcp/schemas.js +148 -0
- package/dist/mcp/schemas.js.map +1 -0
- package/dist/mcp/tool-module.d.ts +19 -0
- package/dist/mcp/tool-module.d.ts.map +1 -0
- package/dist/mcp/tool-module.js +7 -0
- package/dist/mcp/tool-module.js.map +1 -0
- package/dist/server.d.ts +13 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +100 -0
- package/dist/server.js.map +1 -0
- package/dist/time.d.ts +6 -0
- package/dist/time.d.ts.map +1 -0
- package/dist/time.js +51 -0
- package/dist/time.js.map +1 -0
- package/dist/version.d.ts +2 -0
- package/dist/version.d.ts.map +1 -0
- package/dist/version.js +2 -0
- package/dist/version.js.map +1 -0
- package/package.json +78 -0
- package/server.json +80 -0
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 webcredo and Umami Compass contributors
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/README.md
ADDED
|
@@ -0,0 +1,300 @@
|
|
|
1
|
+
# Umami Compass
|
|
2
|
+
|
|
3
|
+
**Open-source MCP server for Umami Analytics — Cloud and self-hosted.**
|
|
4
|
+
|
|
5
|
+

|
|
6
|
+
|
|
7
|
+
[](https://github.com/webcredo/umami-compass/actions/workflows/ci.yml)
|
|
8
|
+
[](LICENSE)
|
|
9
|
+
|
|
10
|
+
Umami Compass is a secure, read-only [Model Context Protocol](https://modelcontextprotocol.io/) server for [Umami Analytics](https://umami.is/). It gives MCP clients accurate Umami 3.2 analytics without exposing a database or allowing arbitrary network requests.
|
|
11
|
+
|
|
12
|
+
Version `0.1.0` is the initial open-source release line. See [Compatibility](#compatibility) before using it with older Umami versions.
|
|
13
|
+
|
|
14
|
+
> The `npx` examples require `umami-compass` v0.1.0 or newer. For source-based evaluation, clone this repository, run `pnpm install --frozen-lockfile && pnpm build`, and use `node /absolute/path/to/umami-compass/dist/cli.js` as the MCP command.
|
|
15
|
+
|
|
16
|
+
## Why this project
|
|
17
|
+
|
|
18
|
+
Existing Umami MCP servers each cover part of the problem, but our July 2026 review found gaps around Umami 3.2 response correctness, Cloud authentication, safety boundaries, or extensibility. Umami Compass sets a higher, testable quality bar:
|
|
19
|
+
|
|
20
|
+
- Correct auth for both products: `x-umami-api-key` for Umami Cloud and Bearer/login auth for self-hosted instances.
|
|
21
|
+
- Umami 3.2-aware responses, including both `pageviews` and `sessions`, Core Web Vitals, funnels, journeys, attribution, retention, revenue, bounded heatmaps, and replay metadata.
|
|
22
|
+
- Read-only by construction: every tool declares MCP safety annotations; no create, update, delete, raw HTML, or arbitrary URL tool exists.
|
|
23
|
+
- Defense in depth: fixed upstream origin, HTTPS policy, website allowlist, range/page/response-byte caps, request timeout, cancellation propagation, and redacted errors.
|
|
24
|
+
- Agent-friendly output: machine-readable `structuredContent`, bounded pages/series/activity/heatmaps, clear descriptions, a resource, and an analytics prompt.
|
|
25
|
+
- Contributor-friendly architecture: endpoint modules, dependency-injected HTTP, a central access policy, ADRs, and real MCP integration tests.
|
|
26
|
+
|
|
27
|
+
See the dated [landscape review](docs/research/umami-mcp-landscape-2026-07.md) for the evidence and methodology.
|
|
28
|
+
|
|
29
|
+
## Quick start
|
|
30
|
+
|
|
31
|
+
Requirements: Node.js 22 or newer and an Umami identity with view-only access where possible.
|
|
32
|
+
|
|
33
|
+
### Umami Cloud
|
|
34
|
+
|
|
35
|
+
```json
|
|
36
|
+
{
|
|
37
|
+
"mcpServers": {
|
|
38
|
+
"umami": {
|
|
39
|
+
"command": "npx",
|
|
40
|
+
"args": ["-y", "umami-compass"],
|
|
41
|
+
"env": {
|
|
42
|
+
"UMAMI_API_KEY": "replace-with-your-api-key"
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
With `UMAMI_API_KEY` and no URL, the API root defaults to `https://api.umami.is/v1`.
|
|
50
|
+
|
|
51
|
+
### Self-hosted Umami
|
|
52
|
+
|
|
53
|
+
```json
|
|
54
|
+
{
|
|
55
|
+
"mcpServers": {
|
|
56
|
+
"umami": {
|
|
57
|
+
"command": "npx",
|
|
58
|
+
"args": ["-y", "umami-compass"],
|
|
59
|
+
"env": {
|
|
60
|
+
"UMAMI_URL": "https://analytics.example.com",
|
|
61
|
+
"UMAMI_USERNAME": "mcp-viewer",
|
|
62
|
+
"UMAMI_PASSWORD": "replace-me",
|
|
63
|
+
"UMAMI_WEBSITE_IDS": "6b2c8c10-908c-4a8e-a924-4049eb3bde8c"
|
|
64
|
+
}
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
`UMAMI_URL` is an instance origin; `/api` is appended. Use `UMAMI_API_URL` instead when a reverse proxy exposes a custom, exact API root.
|
|
71
|
+
|
|
72
|
+
`UMAMI_WEBSITE_IDS` is an optional safety allowlist, not a credential. Replace the example UUID with a website ID from Umami (or from `list_websites`), separate multiple IDs with commas, or remove the variable to use every website visible to the account.
|
|
73
|
+
|
|
74
|
+
Do not commit real credentials. Prefer a dedicated view-only Umami account and the client/OS secret store when available.
|
|
75
|
+
|
|
76
|
+
## Tools
|
|
77
|
+
|
|
78
|
+
The least-privilege default `core` set exposes seven aggregate tools. Row-level events, sessions, and other more sensitive modules are opt-in.
|
|
79
|
+
|
|
80
|
+
| Toolset | Tools | Default |
|
|
81
|
+
| --- | --- | --- |
|
|
82
|
+
| `core` | `list_websites`, `get_website`, `get_website_stats`, `get_pageviews`, `get_metrics`, `get_active_visitors`, `get_website_date_range` | Yes |
|
|
83
|
+
| `events` | `list_events`, `get_event_stats`, `get_event_series` | No |
|
|
84
|
+
| `sessions` | `list_sessions`, `get_session_stats`, `get_session`, `get_session_activity` | No |
|
|
85
|
+
| `performance` | `get_web_vitals`, `get_performance_breakdown` for LCP, INP, CLS, FCP, and TTFB | No |
|
|
86
|
+
| `reports` | Saved reports and segments plus goal, funnel, journey, retention, UTM, attribution, and multi-field breakdown reports | No |
|
|
87
|
+
| `revenue` | `get_revenue_stats`, `get_revenue_metrics` | No |
|
|
88
|
+
| `replay` | `list_replays` (metadata only; never raw rrweb payloads) | No |
|
|
89
|
+
| `heatmaps` | `get_heatmap` (click/scroll pages and bounded detail points) | No |
|
|
90
|
+
|
|
91
|
+
Set `UMAMI_TOOLSETS=all` or a comma-separated subset. The default has seven tools; `all` has 30. High-cardinality report, performance, heatmap, and activity results carry explicit limits and truncation metadata. The server also exposes the `umami://websites` resource and the `analytics_report` prompt.
|
|
92
|
+
|
|
93
|
+
## Configuration
|
|
94
|
+
|
|
95
|
+
Choose exactly one authentication mode.
|
|
96
|
+
|
|
97
|
+
### Authentication
|
|
98
|
+
|
|
99
|
+
- `UMAMI_API_KEY` — Umami Cloud/client API key. It is sent only as `x-umami-api-key`.
|
|
100
|
+
- `UMAMI_ACCESS_TOKEN` — existing Bearer token.
|
|
101
|
+
- `UMAMI_USERNAME` + `UMAMI_PASSWORD` — lazy self-hosted login with a cached token and one refresh on 401.
|
|
102
|
+
|
|
103
|
+
Authentication variables have no default. Configure only one of the three modes above.
|
|
104
|
+
|
|
105
|
+
### Endpoint and access scope
|
|
106
|
+
|
|
107
|
+
- `UMAMI_URL` — self-hosted instance origin; `/api` is appended. With API-key auth and no URL, the default is the Umami Cloud API root.
|
|
108
|
+
- `UMAMI_API_URL` — exact API root; takes the place of `UMAMI_URL`. No default.
|
|
109
|
+
- `UMAMI_WEBSITE_IDS` — comma-separated website UUID allowlist. Defaults to every site visible to the account.
|
|
110
|
+
- `UMAMI_TOOLSETS` — comma-separated toolsets or `all`. Available values are `core`, `events`, `sessions`, `performance`, `reports`, `revenue`, `replay`, and `heatmaps`. Defaults to `core`.
|
|
111
|
+
|
|
112
|
+
### Safety limits
|
|
113
|
+
|
|
114
|
+
- `UMAMI_REQUEST_TIMEOUT_MS` — per-request timeout from 1,000 to 120,000 ms. Defaults to `30000`.
|
|
115
|
+
- `UMAMI_MAX_RANGE_DAYS` — maximum analytics range from 1 to 3,650 days. Defaults to `366`.
|
|
116
|
+
- `UMAMI_MAX_RESPONSE_BYTES` — maximum decoded upstream JSON body from 102,400 to 52,428,800 bytes. Defaults to `10485760`.
|
|
117
|
+
- `UMAMI_ALLOW_INSECURE_HTTP` — permits non-loopback HTTP when set to `true`. Defaults to `false`.
|
|
118
|
+
|
|
119
|
+
HTTPS is mandatory by default. Plain HTTP is accepted automatically only for `localhost`, `127.0.0.1`, and `::1`.
|
|
120
|
+
|
|
121
|
+
## Client setup
|
|
122
|
+
|
|
123
|
+
All examples below use Umami Cloud. Export the secret in the environment that launches your client:
|
|
124
|
+
|
|
125
|
+
```sh
|
|
126
|
+
export UMAMI_API_KEY="replace-with-your-api-key"
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
For self-hosted Umami, replace `UMAMI_API_KEY` with the variables shown in [Self-hosted Umami](#self-hosted-umami). Add `UMAMI_TOOLSETS=all` only if the account has the matching Umami section permissions and you want the optional data surfaces.
|
|
130
|
+
|
|
131
|
+
### Codex CLI, IDE extension, and ChatGPT desktop
|
|
132
|
+
|
|
133
|
+
Codex clients and ChatGPT desktop on the same host share `~/.codex/config.toml`. `env_vars` forwards the secret without writing its value into the config:
|
|
134
|
+
|
|
135
|
+
```toml
|
|
136
|
+
[mcp_servers.umami-compass]
|
|
137
|
+
command = "npx"
|
|
138
|
+
args = ["-y", "umami-compass"]
|
|
139
|
+
env_vars = ["UMAMI_API_KEY"]
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
Run `codex mcp list` or `/mcp` to verify it. In the Codex IDE extension or ChatGPT desktop, you can also open **MCP servers**, add a **STDIO** server with command `npx -y umami-compass`, then restart the client. See the official [Codex and ChatGPT MCP guide](https://developers.openai.com/codex/mcp/).
|
|
143
|
+
|
|
144
|
+
ChatGPT web does not read local Codex config. The current package is local stdio; a hosted plugin requires the future authenticated remote transport.
|
|
145
|
+
|
|
146
|
+
### Claude Code
|
|
147
|
+
|
|
148
|
+
Use user scope to keep the personal server outside the repository:
|
|
149
|
+
|
|
150
|
+
```sh
|
|
151
|
+
claude mcp add --scope user --transport stdio \
|
|
152
|
+
--env UMAMI_API_KEY="$UMAMI_API_KEY" \
|
|
153
|
+
umami-compass -- npx -y umami-compass
|
|
154
|
+
```
|
|
155
|
+
|
|
156
|
+
Verify with `claude mcp list` or `/mcp`. For a team-safe `.mcp.json`, Claude Code supports `${UMAMI_API_KEY}` expansion; never commit the actual value. See the official [Claude Code MCP guide](https://code.claude.com/docs/en/mcp).
|
|
157
|
+
|
|
158
|
+
### Claude Desktop
|
|
159
|
+
|
|
160
|
+
Open **Settings → Developer → Edit Config**. On macOS the file is `~/Library/Application Support/Claude/claude_desktop_config.json`; on Windows it is `%APPDATA%\Claude\claude_desktop_config.json`.
|
|
161
|
+
|
|
162
|
+
```json
|
|
163
|
+
{
|
|
164
|
+
"mcpServers": {
|
|
165
|
+
"umami-compass": {
|
|
166
|
+
"command": "npx",
|
|
167
|
+
"args": ["-y", "umami-compass"],
|
|
168
|
+
"env": {
|
|
169
|
+
"UMAMI_API_KEY": "replace-with-your-api-key"
|
|
170
|
+
}
|
|
171
|
+
}
|
|
172
|
+
}
|
|
173
|
+
}
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
Protect the config file because this client format stores the value, then fully quit and restart Claude Desktop. See the official [local MCP server guide](https://modelcontextprotocol.io/docs/develop/connect-local-servers).
|
|
177
|
+
|
|
178
|
+
### Cursor
|
|
179
|
+
|
|
180
|
+
Put this in the private global `~/.cursor/mcp.json`, or in `.cursor/mcp.json` only when it contains no real credentials:
|
|
181
|
+
|
|
182
|
+
```json
|
|
183
|
+
{
|
|
184
|
+
"mcpServers": {
|
|
185
|
+
"umami-compass": {
|
|
186
|
+
"command": "npx",
|
|
187
|
+
"args": ["-y", "umami-compass"],
|
|
188
|
+
"env": {
|
|
189
|
+
"UMAMI_API_KEY": "replace-with-your-api-key"
|
|
190
|
+
}
|
|
191
|
+
}
|
|
192
|
+
}
|
|
193
|
+
}
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
Enable the server in **Cursor Settings → MCP**. See the official [Cursor MCP documentation](https://docs.cursor.com/context/model-context-protocol).
|
|
197
|
+
|
|
198
|
+
### VS Code / GitHub Copilot
|
|
199
|
+
|
|
200
|
+
Use **MCP: Open User Configuration** for a personal config, or `.vscode/mcp.json` for a shared command. VS Code uses `servers` (not `mcpServers`) and can prompt for a masked secret:
|
|
201
|
+
|
|
202
|
+
```json
|
|
203
|
+
{
|
|
204
|
+
"inputs": [
|
|
205
|
+
{
|
|
206
|
+
"type": "promptString",
|
|
207
|
+
"id": "umami-api-key",
|
|
208
|
+
"description": "Umami API key",
|
|
209
|
+
"password": true
|
|
210
|
+
}
|
|
211
|
+
],
|
|
212
|
+
"servers": {
|
|
213
|
+
"umami-compass": {
|
|
214
|
+
"type": "stdio",
|
|
215
|
+
"command": "npx",
|
|
216
|
+
"args": ["-y", "umami-compass"],
|
|
217
|
+
"env": {
|
|
218
|
+
"UMAMI_API_KEY": "${input:umami-api-key}"
|
|
219
|
+
}
|
|
220
|
+
}
|
|
221
|
+
}
|
|
222
|
+
}
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
Run **MCP: List Servers** to start, inspect, or troubleshoot it. See the official [VS Code MCP guide](https://code.visualstudio.com/docs/agent-customization/mcp-servers).
|
|
226
|
+
|
|
227
|
+
### Gemini CLI
|
|
228
|
+
|
|
229
|
+
Add this to the user-level `~/.gemini/settings.json` (or project `.gemini/settings.json`). Gemini expands shell variables in `env`:
|
|
230
|
+
|
|
231
|
+
```json
|
|
232
|
+
{
|
|
233
|
+
"mcpServers": {
|
|
234
|
+
"umami-compass": {
|
|
235
|
+
"command": "npx",
|
|
236
|
+
"args": ["-y", "umami-compass"],
|
|
237
|
+
"env": {
|
|
238
|
+
"UMAMI_API_KEY": "$UMAMI_API_KEY"
|
|
239
|
+
},
|
|
240
|
+
"trust": false
|
|
241
|
+
}
|
|
242
|
+
}
|
|
243
|
+
}
|
|
244
|
+
```
|
|
245
|
+
|
|
246
|
+
Verify with `gemini mcp list` or `/mcp`. See the official [Gemini CLI MCP guide](https://geminicli.com/docs/tools/mcp-server/).
|
|
247
|
+
|
|
248
|
+
### Troubleshooting
|
|
249
|
+
|
|
250
|
+
- Run `npx -y umami-compass --version` first; Node.js 22+ is required.
|
|
251
|
+
- A client showing zero tools usually needs a full restart after its configuration changed.
|
|
252
|
+
- `401` means the credential or auth mode is wrong; `403` can mean the Umami account lacks permission for that website section.
|
|
253
|
+
- For self-hosted local development, `http://localhost:3000` is allowed. Other plain HTTP origins require the explicit unsafe opt-in.
|
|
254
|
+
- Start with the default toolsets. Enable `performance`, `reports`, `revenue`, `replay`, or `heatmaps` only as needed.
|
|
255
|
+
- Enable `events` or `sessions` only when the client needs row-level data and the Umami identity is allowed to expose it.
|
|
256
|
+
|
|
257
|
+
## Architecture
|
|
258
|
+
|
|
259
|
+
```mermaid
|
|
260
|
+
flowchart LR
|
|
261
|
+
Client["MCP client"] -->|stdio / JSON-RPC| Server["MCP server"]
|
|
262
|
+
Server --> Policy["Module + access policy"]
|
|
263
|
+
Policy --> Modules["Core / Events / Sessions / Performance / Reports / Revenue / Replay / Heatmaps"]
|
|
264
|
+
Modules --> API["Typed, fixed-origin Umami client"]
|
|
265
|
+
API -->|"API key / Bearer / lazy login"| Umami["Umami Cloud or self-hosted 3.2+"]
|
|
266
|
+
```
|
|
267
|
+
|
|
268
|
+
The package intentionally ships stdio first. A public HTTP transport needs OAuth 2.1, tenant isolation, rate limits, and an operational threat model; binding an unauthenticated endpoint would weaken the project.
|
|
269
|
+
|
|
270
|
+
Future management tools are anticipated but cannot slip into the read-only build accidentally. Every module declares `access: "read" | "write"`, and the server rejects write modules under the default policy. See [architecture](docs/architecture.md) and [ADR-0001](docs/adr/0001-read-only-core-and-write-policy.md).
|
|
271
|
+
|
|
272
|
+
See the [Umami 3.2 API coverage matrix](docs/research/umami-api-coverage-3.2.md) for what is implemented, deliberately excluded, and prioritized next.
|
|
273
|
+
|
|
274
|
+
## Development
|
|
275
|
+
|
|
276
|
+
```sh
|
|
277
|
+
corepack enable
|
|
278
|
+
pnpm install --frozen-lockfile
|
|
279
|
+
pnpm check
|
|
280
|
+
pnpm dev
|
|
281
|
+
```
|
|
282
|
+
|
|
283
|
+
To add an endpoint, follow [Adding a tool](docs/adding-a-tool.md). For project expectations and pull requests, see [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
284
|
+
|
|
285
|
+
## Compatibility
|
|
286
|
+
|
|
287
|
+
- Umami 3.2.x is the reference implementation and test target.
|
|
288
|
+
- Older Umami releases may work for unchanged endpoints but are not promised yet.
|
|
289
|
+
- Node.js 22, 24, and 26 are tested in CI.
|
|
290
|
+
- MCP SDK v1 is used because it is the stable production line as of July 2026; the v2 branch is still pre-release.
|
|
291
|
+
|
|
292
|
+
## Security and privacy
|
|
293
|
+
|
|
294
|
+
Analytics, session metadata, revenue, and replay metadata can be sensitive. Use least-privilege credentials, an allowlist, the smallest toolset, and short time ranges. Read [SECURITY.md](SECURITY.md) before production use.
|
|
295
|
+
|
|
296
|
+
Umami Compass is an independent community project and is not affiliated with Umami Software.
|
|
297
|
+
|
|
298
|
+
## License
|
|
299
|
+
|
|
300
|
+
[MIT](LICENSE) © 2026 webcredo and Umami Compass contributors.
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
# Security policy
|
|
2
|
+
|
|
3
|
+
## Supported versions
|
|
4
|
+
|
|
5
|
+
Until the first stable release, security fixes are made on the latest `0.x` release only.
|
|
6
|
+
|
|
7
|
+
## Report a vulnerability
|
|
8
|
+
|
|
9
|
+
Do not open a public issue for a suspected vulnerability. Use GitHub's **Security → Report a vulnerability** private reporting flow for `webcredo/umami-compass`. Include the affected version, impact, reproduction steps, and any suggested mitigation.
|
|
10
|
+
|
|
11
|
+
You should receive an acknowledgement within 72 hours. We aim to provide an initial assessment within 7 days. Timelines for a fix and coordinated disclosure depend on severity and complexity.
|
|
12
|
+
|
|
13
|
+
## Security model
|
|
14
|
+
|
|
15
|
+
Umami Compass is a local stdio process. It connects only to the single Umami API root configured at process start.
|
|
16
|
+
|
|
17
|
+
- No tool accepts an upstream URL, fetches arbitrary HTML, or changes the API root.
|
|
18
|
+
- No mutation tool is shipped in `v0.1`.
|
|
19
|
+
- API keys, access tokens, usernames, and passwords are never returned or intentionally logged.
|
|
20
|
+
- Upstream response bodies are not copied into errors.
|
|
21
|
+
- Redirects are rejected to prevent credentials from being forwarded to another origin.
|
|
22
|
+
- Non-loopback HTTP is rejected unless explicitly allowed.
|
|
23
|
+
- Website allowlists, bounded pages/date ranges/decoded response bodies, request timeouts, and MCP cancellation limit access and resource use.
|
|
24
|
+
- Raw session replay event streams are excluded because they can be large and privacy-sensitive.
|
|
25
|
+
|
|
26
|
+
The MCP host is part of the trust boundary: it launches the process, supplies secrets, chooses which model receives results, and may log tool calls. Use a trusted host and a dedicated read-only Umami identity.
|
|
27
|
+
|
|
28
|
+
## Future remote and write capabilities
|
|
29
|
+
|
|
30
|
+
Public Streamable HTTP will not ship without OAuth 2.1 resource-server behavior, exact token audience validation, HTTPS, tenant isolation, rate limiting, and deployment guidance.
|
|
31
|
+
|
|
32
|
+
Future management modules must be separate from read modules and require explicit operator opt-in, least-privilege scopes, per-tool risk annotations, confirmation for destructive actions, audit events, and dedicated tests. The default policy will remain read-only.
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
import type { UmamiCompassConfig } from "../config.js";
|
|
2
|
+
import type { HeatmapReportRequest, PagedResponse, Query, ReadOnlyReportRequest, Website } from "./types.js";
|
|
3
|
+
export type Fetch = typeof globalThis.fetch;
|
|
4
|
+
export declare class UmamiClient {
|
|
5
|
+
#private;
|
|
6
|
+
constructor(config: UmamiCompassConfig, fetchImplementation?: Fetch);
|
|
7
|
+
isWebsiteAllowed(websiteId: string): boolean;
|
|
8
|
+
assertWebsiteAllowed(websiteId: string): void;
|
|
9
|
+
listWebsites(query: Query, signal?: AbortSignal): Promise<PagedResponse<Website> | unknown>;
|
|
10
|
+
getWebsite(websiteId: string, signal?: AbortSignal): Promise<Website>;
|
|
11
|
+
get<T = unknown>(path: string, query?: Query, signal?: AbortSignal): Promise<T>;
|
|
12
|
+
getHeatmapReport<T = unknown>(request: HeatmapReportRequest, signal?: AbortSignal): Promise<T>;
|
|
13
|
+
runReport<T = unknown>(request: ReadOnlyReportRequest, signal?: AbortSignal): Promise<T>;
|
|
14
|
+
}
|
|
15
|
+
//# sourceMappingURL=client.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGvD,OAAO,KAAK,EACV,oBAAoB,EAEpB,aAAa,EACb,KAAK,EACL,qBAAqB,EACrB,OAAO,EACR,MAAM,YAAY,CAAC;AAEpB,MAAM,MAAM,KAAK,GAAG,OAAO,UAAU,CAAC,KAAK,CAAC;AA8J5C,qBAAa,WAAW;;gBAOV,MAAM,EAAE,kBAAkB,EAAE,mBAAmB,GAAE,KAAwB;IAKrF,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAI5C,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IASvC,YAAY,CAChB,KAAK,EAAE,KAAK,EACZ,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAuCtC,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC;IAYrE,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC;IAI/E,gBAAgB,CAAC,CAAC,GAAG,OAAO,EAChC,OAAO,EAAE,oBAAoB,EAC7B,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,CAAC,CAAC;IAIP,SAAS,CAAC,CAAC,GAAG,OAAO,EAAE,OAAO,EAAE,qBAAqB,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC;CAqJ/F"}
|