Skip to content

Releases: Wilkes-Liberty/drupal-mcp-connector

v1.7.0 — per-tool slash commands

Choose a tag to compare

@jmcerda jmcerda released this 01 Jul 19:05
6329ba5

[1.7.0] - 2026-07-01

Added

  • A slash command for every tool. All 119 drupal_* tools are now exposed as
    drupal-<tool> MCP prompts (e.g. drupal-create-node), generated dynamically from
    the tool definitions at startup and merged with the 5 existing workflow prompts.
    Being protocol-native prompts, they surface as slash commands in any MCP client
    (Claude, Gemini, Codex, …); each takes the tool's parameters as arguments and drives
    a single governed call to that tool, with destructive tools flagged to confirm first.
  • Claude Code command filesnpm run generate:commands writes one
    .claude/commands/drupal-<tool>.md per tool, giving the literal /drupal-<tool>
    form in Claude Code. Each file is scoped via allowed-tools to only its own
    mcp__drupal__<tool>. The committed files are kept in sync by a staleness test.
  • New src/tools/index.js — single source of truth aggregating every tool
    definition/handler, shared by the server, the per-tool prompts, and the command
    generator so the three can never drift. Operation classification (write/destructive)
    extracted to src/lib/operations.js and reused for the confirm-first warnings.

v1.6.0 — audit command suite

Choose a tag to compare

@jmcerda jmcerda released this 29 Jun 21:12
592e148

Adds 22 read-only audit tools across four groups, plus a composite dashboard and a drupal-full-audit prompt (119 tools total). All self-sufficient against stock Drupal — no companion module required.

  • Links & 404 integrity: drupal_report_404_log, redirect_health, broken_links (live checking opt-in + SSRF-guarded), alias_coverage, menu_integrity, broken_embeds.
  • Config & site-health: config_drift, config_best_practices, module_audit, permission_audit, status_report, text_format_audit, cache_config.
  • Content quality: duplicate_content, workflow_bottlenecks, translation_coverage, scheduled_content, readability, orphan_pages, pii_exposure, seo_meta_coverage.
  • Composite: drupal_audit_site_health — scored content/links/config dashboard with a roll-up grade.

Privileged audits read through the connector's own drush bridge (preferring the existing governed config server-tool when configured). Also hardens the drush bridge to redact secrets from its log line.

Published to npm as drupal-mcp-connector@1.6.0. Full notes in CHANGELOG.md.

v1.5.1 — node URL alias persistence (DEV-116)

Choose a tag to compare

@jmcerda jmcerda released this 29 Jun 20:32
4057e4f

Fix (DEV-116, High): node URL aliases set via the connector now actually persist.

drupal_update_node with fields.path = { alias, pathauto: 0 } returned success but silently reverted (causing nav 404s). Root cause: JSON:API deserialized the path field without the existing alias's pid, so Drupal created a duplicate path_alias (the older one stayed canonical) instead of updating in place.

  • The connector now reads the current alias's pid (new backend.getPathInfo) and round-trips it, so the alias is updated in place — one canonical alias, no duplicate. The DEV-114 path-omitted "preserve" had the same defect and is fixed too.
  • Honest responses: create/update re-read the node and return the persisted url.
  • Rename redirect: an explicit alias that replaces a different one also creates a 301 from the old path to entity:node/<id> (idempotent).

Verified end-to-end over JSON:API on Drupal 11. 397 tests pass; lint clean.

Connector-created nodes without an explicit path rely on Pathauto; a separate server-side Pathauto pattern misconfiguration (some bundles stored as a sequential array instead of the associative map the entity_bundle condition needs) blocks generation for some bundles and is fixed in the Drupal site (webcms), not the connector.

Published to npm as drupal-mcp-connector@1.5.1. Full notes in CHANGELOG.md.

v1.5.0 — paragraph update, menu parent/enabled, alias & 422 hardening (DEV-114)

Choose a tag to compare

@jmcerda jmcerda released this 29 Jun 04:22
b73afff

Added

  • drupal_update_paragraph — update an existing paragraph's field values in place.
  • drupal_update_menu_link — update a menu link by UUID; enabled preserved across edits.
  • drupal_create_menu_link accepts parent + enabled and creates links enabled by default.

Fixed

  • Menu links no longer silently regress to disabled (enabled is re-asserted on every write).
  • drupal_update_node without path preserves the existing URL alias ({ alias, pathauto: 0 }).
  • Intermittent create_menu_link 422 "path inaccessible" (LinkAccessConstraint race): retry once; prefer entity:node/<id> targets.

Resolves DEV-114. Published to npm as drupal-mcp-connector@1.5.0.

v1.4.0 — active redirect tools (DEV-111)

Choose a tag to compare

@jmcerda jmcerda released this 29 Jun 04:09
93b7bd3

Added

  • Redirect tools (drupal_create_redirect, drupal_update_redirect) for the contrib Redirect module.
    • drupal_create_redirect produces a redirect that serves its 301 (or chosen code) immediately: source leading slash stripped to the module's slash-less stored form (the "saved but never fires" cause), destination normalized to a Drupal link-field URI (bare paths wrapped internal:; entity:node/ID and absolute URLs passed through), status_code defaulting to 301 with 302/303/307/308 accepted.
    • drupal_update_redirect repoints an existing redirect's source/target or changes its status code via a partial update — the enable/fix path for a redirect that isn't firing.
    • Governed by the per-site security policy (redirect writes / administer redirects).

Resolves DEV-111. Published to npm as drupal-mcp-connector@1.4.0.

v1.3.2

Choose a tag to compare

@jmcerda jmcerda released this 28 Jun 02:48
cad273a

Fixed

  • drupal_config_set now forwards the configuration map under the data key the governed server tool (tool_api.mcp_sentinel_config_set) requires, instead of value. Previously every config_set was rejected with -32602 … Missing required properties: data. The public tool surface is unchanged — callers still pass value (a map of top-level keys to new values); it is translated to data at the call site. config_get / config_list were unaffected.

Full Changelog: v1.3.1...v1.3.2

v1.3.1

Choose a tag to compare

@jmcerda jmcerda released this 28 Jun 02:07
449208d

Fixed

  • The server-tool bridge client now performs the MCP Streamable-HTTP session handshake before calling governed config tools. It POSTs initialize, reads the Mcp-Session-Id response header, sends notifications/initialized, then issues tools/call carrying that session id — caching the session per site and re-initialising transparently on server-side expiry. Previously it POSTed a bare tools/call with no session, which Drupal's session-mandatory mcp_server rejected with -32600 ("A valid session id is REQUIRED for non-initialize requests"), so drupal_config_get / _list / _set always failed. Responses are now parsed for both application/json and text/event-stream (SSE) transports, and the request advertises MCP-Protocol-Version: 2025-06-18. The existing 401 → token-refresh retry is preserved and layered with a single session re-init/replay.

Full Changelog: v1.3.0...v1.3.1

v1.3.0

Choose a tag to compare

@jmcerda jmcerda released this 27 Jun 22:19
c501f61

Fixed

  • drupal_mcp_whoami no longer over-reports configuration capabilities. Capabilities are now the intersection of the connector security preset and the token's effective OAuth scopes: configRead / configWrite require the dedicated mcp_config scope (config-editor / Developer tier), and write / delete require mcp_write. Previously a content-tier token (mcp_read / mcp_write) was reported with configRead: true even though the server denies every config_* tool without mcp_config. When a site declares no OAuth scopes, behaviour is unchanged (preset-only).

Changed

  • The config tools (config_get / config_list / config_set) now check for the mcp_config scope up front (when OAuth scopes are configured) and fail fast with a clear message instead of dispatching a call the governed server will deny — keeping connector behaviour consistent with drupal_mcp_whoami. Aligns with mcp_sentinel isolating the config tools under the dedicated mcp_config scope.

Published to npm: drupal-mcp-connector@1.3.0 (trusted publishing, with provenance).

v1.2.0

Choose a tag to compare

@jmcerda jmcerda released this 27 Jun 15:54
d92868c

Minor release — widened content/developer security presets for full content building.

Changed

  • content-editor / write-plane now allow paragraph, block_content, menu_link_content, redirect, path_alias, and file (in addition to node/taxonomy_term/media).
  • config-editor (developer tier) additionally allows site-building config entities (node_type, paragraphs_type, block_content_type, media_type, field_config, field_storage_config, entity_form_display, entity_view_display, taxonomy_vocabulary) for read/introspection — content-model changes go through the governed config bridge / drush config:import, not JSON:API entity create.
  • Corrected the server-tool bridge tool names: Tool-API tools are exposed as tool_api.<id>, so the governed config tools are tool_api.mcp_sentinel_config_get / _list / _set.

Security

  • Deny-hardened all three presets: oauth2_token, key, consumer, encryption_profile, mcp_tool_config, and mcp_policy_profile are now in deniedEntityTypes alongside user. PII-bearing webform_submission and profile are intentionally left off the allowlists.

Full changelog: https://github.com/Wilkes-Liberty/drupal-mcp-connector/blob/master/CHANGELOG.md

v1.1.1

Choose a tag to compare

@jmcerda jmcerda released this 26 Jun 14:15
5600ba0

Patch release — docs-only. Published to npm as drupal-mcp-connector@1.1.1.

Fixed

  • Corrected stale tool/module counts (89→93, 20→21) and the example startup banner version (v1.0.0→v1.1.0) across architecture.md, getting-started.md, whitepaper.md, and tools-reference.md after the 1.1.0 release.