v1.3.0
Fixed
drupal_mcp_whoamino longer over-reports configuration capabilities. Capabilities are now the intersection of the connector security preset and the token's effective OAuth scopes:configRead/configWriterequire the dedicatedmcp_configscope (config-editor / Developer tier), andwrite/deleterequiremcp_write. Previously a content-tier token (mcp_read/mcp_write) was reported withconfigRead: trueeven though the server denies everyconfig_*tool withoutmcp_config. When a site declares no OAuth scopes, behaviour is unchanged (preset-only).
Changed
- The config tools (
config_get/config_list/config_set) now check for themcp_configscope up front (when OAuth scopes are configured) and fail fast with a clear message instead of dispatching a call the governed server will deny — keeping connector behaviour consistent withdrupal_mcp_whoami. Aligns with mcp_sentinel isolating the config tools under the dedicatedmcp_configscope.
Published to npm: drupal-mcp-connector@1.3.0 (trusted publishing, with provenance).