MCP Server for Statamic Icon

MCP Server for Statamic

2.2.4

April 14th, 2026

Fixed

  • Critical: Update action on entries, terms, and globals no longer crashes with Cannot access offset of type string on string when blueprints include third-party fieldtypes (e.g., SEO Pro) — validation falls back to incoming-only fields on TypeError
  • OAuth CIMD discovery: cimd_enabled config checks use (bool) cast with true default — previously silently disabled by strict comparison, env strings, and missing config keys from shallow merge
  • OAuth path-suffixed discovery: Added /.well-known/oauth-authorization-server/{path} and /.well-known/oauth-protected-resource/{path} routes per RFC 8414 §3.1 — MCP clients (incl. ChatGPT) use path insertion for discovery and previously got 403

Added

  • OAuth 2.1 CIMD support: Client ID Metadata Document resolution — MCP clients can present verified application identity on consent screen
  • CIMD resolver with SSRF protection, JSON-LD validation, and configurable caching
  • 10 update validation tests (deep nested replicator/bard/grid/group, round-trip, crashing fieldtype simulation)
  • 24 discovery endpoint tests (CIMD config edge cases, path-suffixed routes, CP route changes, revocation endpoint, full ChatGPT-style client discovery flow)
  • Comprehensive CIMD test suite (unit, feature, E2E)

See CHANGELOG for full details.

2.2.3

April 14th, 2026

Fixed

  • CIMD still not detected by ChatGPT: Added path-suffixed discovery routes per RFC 8414 §3.1. MCP clients following the 2025-11-25 spec resolve discovery for /mcp/statamic at /.well-known/oauth-authorization-server/mcp/statamic — without these routes the request returned 403, so ChatGPT never saw client_id_metadata_document_supported and disabled CIMD.

2.2.2

April 14th, 2026

Fixed

  • CIMD still not detected: All cimd_enabled config lookups now default to true when the key is missing. mergeConfigFrom() only does a shallow merge — published config files from before v2.2.0 don't have the cimd_enabled key, so it returned null and CIMD stayed disabled. No config republish needed.

2.2.1

April 14th, 2026

Fixed

  • CIMD not detected by clients: cimd_enabled config check used strict === true comparison against an env string — CIMD was never advertised in discovery metadata. Fixed in DiscoveryController, AuthorizeController, and OAuthTokenController.

2.2.0

April 14th, 2026

Fixed

  • Critical: Update action on entries, terms, and globals no longer crashes with Cannot access offset of type string on string when blueprints include third-party fieldtypes (e.g., SEO Pro)

Added

  • OAuth 2.1 CIMD support: Client ID Metadata Document resolution — MCP clients present verified identity on the consent screen
  • 10 new update validation tests covering deeply nested blueprints
  • Comprehensive CIMD test suite

See CHANGELOG for full details.

2.1.0

April 13th, 2026

Highlights

Fieldtype process() pipeline — Data saved via MCP now matches the Statamic CP format. All content routers call $fields->process()->values() after validation, ensuring Terms strip prefixes, Bard normalizes nodes, and Relationships wrap values correctly.

ENG-697 fix — Entry updates with terms field type no longer crash. Relationship fields (terms, entries, users, assets) and checkboxes normalize bare strings to arrays before validation.

Security hardening — OAuth auth code/refresh token double-spend prevented, client_name XSS sanitized, HTTPS enforced on OAuth endpoints, default scopes restricted to read-only.

See CHANGELOG.md for full details.

Upgrading

No breaking changes. composer update cboxdk/statamic-mcp is sufficient.

OAuth default scopes changed from * to read-only. If your OAuth clients need write access, set STATAMIC_MCP_OAUTH_DEFAULT_SCOPES in your .env:

STATAMIC_MCP_OAUTH_DEFAULT_SCOPES#89DDFF;">=#89DDFF;">"content:read,content:write,blueprints:read,entries:read,entries:write#89DDFF;">"

Existing tokens are not affected — only new OAuth clients created after upgrade will use the new defaults.

2.0.4

April 10th, 2026

Fixed

  • Critical: Entry creation no longer crashes with "Cannot access offset of type string on string" when data contains complex nested fields (Bard, Replicator)
  • Date fields now accept any common format (Y-m-d, Y-m-d H:i, ISO 8601, {date, time} objects) — values are normalized to the Zulu format Statamic expects before validation
  • date and published in entry data are now correctly extracted as first-class entry properties instead of failing blueprint validation on dated collections

Added

  • NormalizesDateFields trait for consistent date handling across all routers (Entries, Terms, Globals)
  • 13 new integration tests covering date normalization, published extraction, and error handling

2.0.3

April 9th, 2026

Fixed

  • Critical: Blueprint update action no longer destroys existing fields — fields are now merged by default instead of replaced
  • Blueprint update preserves tab and section organization in multi-tab blueprints

Added

  • replace_fields parameter on blueprint update for explicit full-replacement when needed

2.0.2

March 19th, 2026

Fixed

  • Install command no longer crashes on sites without a database — migrations are now skipped automatically when file-based storage drivers are configured (the default)
  • Config publish prompt: confirming "Overwrite? yes" now actually overwrites the file (previously --force stayed false, so vendor:publish silently skipped it)
  • Migration failures are caught with actionable guidance instead of crashing the installer
  • Completion message now reflects what actually happened during install

Added

  • --skip-migrations flag on mcp:statamic:install as an explicit escape hatch

Full Changelog: https://github.com/cboxdk/statamic-mcp/compare/v2.0.1...v2.0.2

2.0.1

March 18th, 2026

Fixed

  • Token expiry date validation no longer blocks submission — max_token_lifetime_days is now a default suggestion, not a hard server-side rejection
  • Token form error feedback uses Statamic toast notifications and native ui-error-message components with red border highlighting

Added

  • Scope presets (Read Only, Content Editor, Full Access) in token create/edit form, matching documented common combinations
  • Preset-aware badge display in admin token table — shows preset name instead of listing individual scopes
  • Admin token form now uses Statamic-style grouped permission cards with per-group "Check All"

Removed

  • Internal development plans and specs (docs/superpowers/) accidentally included in v2.0.0

2.0.0

March 18th, 2026

v2.0.0 — Storage drivers, OAuth 2.1, audit overhaul, security hardening

Major release: storage driver abstraction, MCP OAuth 2.1 with PKCE, comprehensive audit logging, router-based tool architecture, and security hardening.

Breaking Changes

  • Statamic v5 dropped — requires Statamic v6.6+, Laravel 12/13, PHP 8.3+
  • Laravel MCP v0.6 — new tool attribute pattern
  • Router architecture — 140+ tools consolidated into 11 domain routers
  • Tool names changedstatamic.blueprints.liststatamic-blueprints with action: list
  • Config restructured — re-publish required

Highlights

  • Storage drivers: File (YAML/JSONL, default) and Database (Eloquent)
  • OAuth 2.1: PKCE S256, Dynamic Client Registration, refresh token rotation, revocation
  • 21 scoped API tokens with fine-grained access control
  • CP Dashboard: User + Admin pages with token management and audit log
  • Security: 8 review rounds, 30+ findings fixed
  • Laravel 13 support
  • 772 tests, PHPStan Level 8, full CI matrix

Upgrade Guide

See UPGRADE.md for migration steps from v1.x.

Full Changelog

See CHANGELOG.md for complete details.