Skip to content

Commit 7f6c6ec

Browse files
authored
Release 5.0.0 (#31)
* Prepare release * Configure .gitattributes * Add guidance for coding agents * Use consistent 403 error descriptions * Flag as early preview release * Restructure documentation for Marketplace
1 parent e5bf04d commit 7f6c6ec

8 files changed

Lines changed: 235 additions & 30 deletions

File tree

.gitattributes

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
/.github/ export-ignore
2+
/tests/ export-ignore
3+
4+
/.gitattributes export-ignore
5+
/AGENTS.md export-ignore
6+
/bootstrap-phpstan.php export-ignore
7+
/composer.lock export-ignore
8+
/config/test.php export-ignore
9+
/phpcs.xml export-ignore
10+
/phpstan.neon export-ignore
11+
/scoper.inc.php export-ignore

AGENTS.md

Lines changed: 130 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,130 @@
1+
# AGENTS.md
2+
3+
## Purpose
4+
5+
This file is the agent-facing guide for the `McpServer` Matomo plugin.
6+
7+
Use it to discover the codebase quickly, make targeted changes, and extend the plugin without breaking existing MCP behavior or drifting from the current structure.
8+
9+
This document is repo-specific. Prefer it over generic Matomo assumptions when working in this repository.
10+
11+
## Scope And Defaults
12+
13+
- Optimize for small, targeted changes.
14+
- Preserve existing structure and naming unless a refactor is explicitly requested.
15+
- Treat checked-in `vendor/` code as read-only unless the task is explicitly about dependency or vendor refresh.
16+
- Do not duplicate README setup/product documentation unless the change requires agent execution context.
17+
- Treat `README.md` as public-facing documentation. Keep the `## Description` section suitable for Matomo Marketplace display, and keep repository-structure or agent workflow guidance in `AGENTS.md` instead.
18+
19+
## Repository Map
20+
21+
### Plugin entrypoints and metadata
22+
23+
- `API.php`: main MCP API endpoint, request validation flow, auth/error handling, and hand-off into the server.
24+
- `McpServer.php`: plugin lifecycle hooks, stylesheet registration, install/uninstall table setup.
25+
- `McpServerFactory.php`: server/container wiring and MCP server construction.
26+
- `SystemSettings.php`: plugin settings, including MCP enablement.
27+
- `plugin.json`, `composer.json`: plugin metadata and PHP dependency constraints.
28+
29+
### MCP capability surface
30+
31+
- `McpTools/`: user-facing MCP tools. Start here for new capabilities or changes to tool behavior.
32+
- `Schemas/`: tool output schemas grouped by domain (`Sites`, `Reports`, `Goals`, `Segments`, `Dimensions`).
33+
- `Contracts/`: shared typed records and ports. Use these when a boundary needs an explicit typed contract.
34+
35+
### Domain and infrastructure layers
36+
37+
- `Services/`: domain/query logic and Matomo-facing gateways, grouped by feature area.
38+
- `Support/Api/`: endpoint boundary helpers, request-id extraction, JSON-RPC error responses, and MCP endpoint rules.
39+
- `Support/`: shared pagination, normalization, logging, tooling helpers, and error mapping.
40+
- `Server/`: MCP server handler support.
41+
- `Session/`: MCP session persistence and session table management.
42+
43+
### Verification and maintenance
44+
45+
- `tests/Integration/`: primary coverage for externally visible behavior and cross-layer plugin behavior.
46+
- `tests/Unit/`: focused unit coverage for isolated logic.
47+
- `tests/Framework/`: shared test helpers and contract assertions.
48+
- `.github/workflows/`: CI expectations for plugin tests, PHPCS, PHPStan, and checklist gates.
49+
- `phpcs.xml`, `phpstan.neon`: local code-quality configuration for this plugin.
50+
51+
## Where To Start
52+
53+
### If the task touches endpoint behavior, auth, or request boundaries
54+
55+
Start with `API.php` and `Support/Api/`. Follow the current request flow before editing:
56+
57+
1. request format and endpoint validation
58+
2. request parsing / JSON-RPC metadata extraction
59+
3. auth and access checks
60+
4. MCP enabled/disabled behavior
61+
5. server transport hand-off
62+
63+
Check existing integration tests before changing any of these behaviors. Start with `tests/Integration/McpApiEndpointBoundaryTest.php`.
64+
65+
### If the task adds or changes an MCP tool
66+
67+
Start in `McpTools/`, then trace the matching implementation in `Services/` and `Schemas/`.
68+
69+
Preferred flow:
70+
71+
1. tool class defines the user-facing capability
72+
2. service or gateway code fetches/transforms Matomo data
73+
3. schema defines the output contract
74+
4. tests cover the visible behavior
75+
76+
### If the task changes domain behavior
77+
78+
Find the domain area under `Services/Sites`, `Services/Reports`, `Services/Goals`, `Services/Segments`, `Services/Dimensions`, or `Services/System`.
79+
80+
Before editing:
81+
82+
- find the integration tests that currently cover the behavior
83+
- check for matching records or ports in `Contracts/`
84+
- check for supporting pagination, normalization, or error helpers in `Support/`
85+
86+
## Extension Rules
87+
88+
### Adding new MCP capabilities
89+
90+
- Add user-facing capability through a tool class in `McpTools/`.
91+
- Keep Matomo/core access in focused services or gateway classes under `Services/`.
92+
- Define or update output schemas in `Schemas/`.
93+
- Use `Contracts/` only when a shared typed record or service boundary improves clarity.
94+
95+
### Keeping boundaries clean
96+
97+
- Do not move Matomo access logic into tool classes when it belongs in services.
98+
- Do not bypass existing support helpers if pagination, normalization, logging, or error mapping already has a home.
99+
- Prefer matching existing domain grouping and naming patterns over inventing a new layout for a small feature.
100+
101+
### Testing expectations for new behavior
102+
103+
- Cover externally visible behavior with integration tests first.
104+
- Add unit tests for isolated logic where they provide fast, focused regression coverage.
105+
- Do not introduce new public behavior without matching tests.
106+
107+
## Verification Expectations
108+
109+
### For code changes
110+
111+
Treat all of the following as the default verification bar:
112+
113+
- run the full plugin test suite
114+
- run targeted tests for the touched behavior when focused coverage exists
115+
- run PHPStan with this plugin's configuration
116+
- run PHPCS with this plugin's rules
117+
118+
The full plugin suite is required for code changes to reduce the chance of breaking unrelated MCP tools or shared plugin behavior.
119+
120+
### For docs-only changes
121+
122+
Lighter verification is acceptable. Full plugin-suite execution is not required for product or README copy edits unless the documentation change affects engineering instructions that should be validated against the codebase.
123+
124+
## Guardrails
125+
126+
- Prefer small, reviewable changes over cross-cutting rewrites.
127+
- Avoid broad refactors during feature work unless explicitly requested.
128+
- Preserve existing public behavior unless the task explicitly changes it.
129+
- Keep agent guidance and implementation guidance aligned with current repo truth.
130+
- When unsure where code belongs, choose the existing nearest feature area instead of creating a new abstraction layer by default.

CHANGELOG.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1 +1,8 @@
11
## Changelog
2+
3+
### 5.0.0
4+
5+
- Initial release
6+
- Added MCP over HTTP endpoint
7+
- Added tools for sites, reports, goals, segments, and dimensions
8+
- Added admin page for MCP client setup

README.md

Lines changed: 20 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -1,41 +1,36 @@
11
# Matomo MCP Server Plugin
22

3-
## Endpoint
3+
## Description
44

5-
Use the API endpoint:
5+
McpServer is an early preview plugin that adds a secure Model Context Protocol (MCP) endpoint to Matomo so AI assistants and MCP-compatible clients can work with analytics context directly from your Matomo instance.
66

7-
`index.php?module=API&method=McpServer.mcp&format=mcp`
7+
It provides read-oriented tools for sites, reports, processed report data, goals, segments, and dimensions using the same Matomo authentication and access rules you already use in Matomo.
88

9-
- `format=mcp` is required.
10-
- The endpoint is root-request only and rejects nested/proxy access (including `API.getBulkRequest`) with `400`.
11-
- Unauthenticated requests return `401` with `WWW-Authenticate: Bearer realm="mcp"`.
9+
### Setup
1210

13-
## Configuration
11+
1. Install the plugin in Matomo.
12+
2. Activate **McpServer** in **Administration -> Plugins**.
13+
3. Enable MCP in **Administration -> System -> Plugin Settings -> McpServer**.
14+
4. Configure your MCP client with the endpoint and a Matomo `token_auth` that already has access to the data you want to expose.
1415

15-
Configure options in `config/config.ini.php`:
16+
For the recommended end-user setup flow, use the in-product connect guide at **Administration -> Platform -> MCP Server**.
1617

17-
```ini
18-
[McpServer]
19-
session_ttl = 3600
20-
log_tool_calls = 0
21-
log_tool_call_level = DEBUG
22-
log_tool_call_parameters_full = 0
23-
```
18+
### Security And Access Model
2419

25-
- `session_ttl`: Session TTL in seconds. Default is `3600` if missing or invalid.
26-
- `log_tool_calls`: Enables tool-call logging when set to `1`. Default is disabled when missing or set to `0`.
27-
- `log_tool_call_level`: Tool-call logging level when `log_tool_calls = 1`. Accepted values: `ERROR`, `WARN`/`WARNING`, `INFO`, `DEBUG`, `VERBOSE` (case-insensitive). Missing or invalid values default to `DEBUG`. `VERBOSE` is logged via debug-level logger calls.
28-
- `log_tool_call_parameters_full`: Logs full tool-call parameter values when set to `1`. Default is redacted parameter logging when set to `0` (may expose sensitive input data when enabled).
20+
- MCP access is disabled by default.
21+
- The plugin uses Matomo authentication.
22+
- Data access is limited to the same sites and reports the Matomo user can already access.
23+
- If features such as the Visitor Log are available to that user, MCP clients may access the same underlying data scope.
2924

30-
## Enabling MCP
25+
### Additional Documentation
3126

32-
MCP access is disabled by default and must be enabled in **Administration -> System -> Plugin Settings -> McpServer**.
27+
The FAQ includes additional technical documentation for endpoint details, configuration, MCP enablement behavior, supported capabilities, and troubleshooting.
3328

34-
When disabled, requests to `index.php?module=API&method=McpServer.mcp&format=mcp` behave as follows:
29+
## Support
3530

36-
- Unauthenticated requests receive `401 Unauthorized` with `WWW-Authenticate: Bearer realm="mcp"`.
37-
- Authenticated requests with a top-level JSON-RPC `id` receive `403 Forbidden` with a JSON-RPC error response instructing the user to contact their Matomo administrator.
38-
- Authenticated requests without a top-level `id` (for example notifications, invalid JSON, or batch payloads) receive `403 Forbidden` with an empty body.
31+
- Issues: <https://github.com/matomo-org/plugin-McpServer/issues>
32+
- Forum: <https://forum.matomo.org>
33+
- Source: <https://github.com/matomo-org/plugin-McpServer>
3934

4035
## License
4136

docs/faq.md

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
# McpServer FAQ
2+
3+
## Endpoint
4+
5+
Use the API endpoint:
6+
7+
`index.php?module=API&method=McpServer.mcp&format=mcp`
8+
9+
- `format=mcp` is required.
10+
- The endpoint is root-request only and rejects nested/proxy access (including `API.getBulkRequest`) with `400`.
11+
- Unauthenticated requests return `401` with `WWW-Authenticate: Bearer realm="mcp"`.
12+
13+
## Configuration
14+
15+
Configure options in `config/config.ini.php`:
16+
17+
```ini
18+
[McpServer]
19+
session_ttl = 3600
20+
log_tool_calls = 0
21+
log_tool_call_level = DEBUG
22+
log_tool_call_parameters_full = 0
23+
```
24+
25+
- `session_ttl`: Session TTL in seconds. Default is `3600` if missing or invalid.
26+
- `log_tool_calls`: Enables tool-call logging when set to `1`. Default is disabled when missing or set to `0`.
27+
- `log_tool_call_level`: Tool-call logging level when `log_tool_calls = 1`. Accepted values: `ERROR`, `WARN`/`WARNING`, `INFO`, `DEBUG`, `VERBOSE` (case-insensitive). Missing or invalid values default to `DEBUG`. `VERBOSE` is logged via debug-level logger calls.
28+
- `log_tool_call_parameters_full`: Logs full tool-call parameter values when set to `1`. Default is redacted parameter logging when set to `0` (may expose sensitive input data when enabled).
29+
30+
## Enabling MCP
31+
32+
MCP access is disabled by default and must be enabled in **Administration -> System -> Plugin Settings -> McpServer**.
33+
34+
When disabled, requests to `index.php?module=API&method=McpServer.mcp&format=mcp` behave as follows:
35+
36+
- Unauthenticated requests receive `401 Unauthorized` with `WWW-Authenticate: Bearer realm="mcp"`.
37+
- Authenticated requests with a top-level JSON-RPC `id` receive `403 Forbidden` with a JSON-RPC error response instructing the user to contact their Matomo administrator.
38+
- Authenticated requests without a top-level `id` (for example notifications, invalid JSON, or batch payloads) receive `403 Forbidden` with an empty body.
39+
40+
## Supported MCP Capabilities
41+
42+
The plugin is focused on read-oriented analytics workflows. The exact tool surface may expand over time, but the initial release includes tools around:
43+
44+
- sites
45+
- reports and report metadata
46+
- processed report data
47+
- goals
48+
- segments
49+
- dimensions
50+
51+
## Troubleshooting
52+
53+
- `401 Unauthorized`: verify the Bearer token is present, active, and belongs to a user with access to the requested site data.
54+
- `403 Forbidden`: if MCP is disabled, enable MCP in **Administration -> System -> Plugin Settings -> McpServer**. If MCP is already enabled, verify the authenticated Matomo user has access to the requested site or report data.
55+
- `400 Bad Request`: verify the client is using the exact MCP endpoint and is not proxying requests through `API.getBulkRequest`.

lang/en.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,8 +19,8 @@
1919
"ConnectTroubleshooting400Action": "Re-check the endpoint URL and that your client sends valid MCP requests.",
2020
"ConnectTroubleshooting401": "Missing or invalid authentication token.",
2121
"ConnectTroubleshooting401Action": "Verify you are sending %1$sAuthorization: Bearer &lt;token_auth&gt;%2$s and that the token is active.",
22-
"ConnectTroubleshooting403": "MCP Server is disabled by configuration.",
23-
"ConnectTroubleshooting403Action": "Confirm MCP is enabled in your Matomo instance.",
22+
"ConnectTroubleshooting403": "MCP Server is disabled or the authenticated Matomo user does not have access to the requested data.",
23+
"ConnectTroubleshooting403Action": "Confirm MCP is enabled in your Matomo instance. If it is already enabled, verify the token belongs to a user with access to the requested site or report data.",
2424
"ConnectTroubleshootingTitle": "Troubleshooting",
2525
"ConnectTokenTitle": "Get a Matomo Token",
2626
"ConnectWhatYouNeedTitle": "What You'll Need",

plugin.json

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"name": "McpServer",
3-
"description": "Matomo MCP Server",
3+
"description": "Early preview: connect AI assistants and MCP clients to Matomo with secure access to sites, reports, goals, segments, and dimensions.",
44
"version": "5.0.0",
55
"theme": false,
66
"require": {
@@ -19,7 +19,14 @@
1919
"forum": "https://forum.matomo.org",
2020
"source": "https://github.com/matomo-org/plugin-McpServer"
2121
},
22-
"homepage": "",
22+
"homepage": "https://github.com/matomo-org/plugin-McpServer",
2323
"license": "GPL v3+",
24-
"keywords": []
24+
"keywords": [
25+
"mcp",
26+
"ai",
27+
"assistant",
28+
"analytics",
29+
"integration"
30+
],
31+
"category": "integration"
2532
}

screenshots/_cover.png

45.9 KB
Loading

0 commit comments

Comments
 (0)