Install

Works with Drupal: ^10 || ^11

Using Composer to manage Drupal site dependencies

Alternative installation files

Download tar.gz 41.94 KB
MD5: 20dffb217f066ab1aea2a33dc1dc76cb
SHA-1: 235ebf7bc68029c6c51526b3f3f6d3aa76054f99
SHA-256: 4c4e0f2833d410ee5c4794b22dd5640f33dd354cbd307430a8efb873c5f68b68
Download zip 67.67 KB
MD5: 3b0f620a1ba1fb50f308c24d57c13e97
SHA-1: da88b961767721a5f85aa6acb38e372420d76600
SHA-256: 4ee9270128c7338680d842f1e9bc6de1ba2fdc20a8f0b233bc374c23925c178b

Release notes

Project Context Connector 1.1.0

This release focuses on security hardening, improved documentation, and enhanced configurability. All sites using CORS wildcard patterns should review the breaking change below.

Security Improvements

  • Added custom access checker for signed route with proper Drupal access control integration and audit trail
  • Enhanced CORS validation with scheme enforcement, which prevents unintended cross-scheme origin matches
  • Improved HMAC timestamp validation with sanity checks, leading zero rejection, and range validation (2000-2100)
  • Added rate limiting for OPTIONS requests to prevent CORS probing attacks

New Features

  • New configuration option: expose_database_version allows hiding database version for minimal information disclosure
  • HTTP origin security warnings in admin form
  • Comprehensive README with AI agent integration examples (Claude/ChatGPT, Slack bots, Python automation, MCP servers)
  • Quick Start guide (5 minutes to production)
  • Detailed troubleshooting section with common issues and solutions

Documentation

  • README expanded from 150 to 700+ lines with security best practices, use cases, and integration guides
  • SECURITY.md enhanced with threat model, secret management procedures, rotation workflows, and compliance considerations
  • Added authentication methods comparison table
  • Complete CHANGELOG with semantic versioning

Breaking Changes

IMPORTANT: CORS wildcard patterns now match ONLY subdomains, not the base domain itself.

  • Before: *.example.com matched both example.com and sub.example.com
  • After: *.example.com matches ONLY sub.example.com (not the base domain)
  • Action Required: If you need both, add both patterns explicitly:
    • https://example.com
    • https://*.example.com
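
The new wildcard semantics and an audit of an existing allow-list, as an added example that is not the module's own code. All function names are hypothetical, and two points the notes do not state are assumed: ports must match exactly, and a wildcard covers subdomains at any depth.

```php
<?php
// Added illustration, not the module's code; all function names are hypothetical.
/** Splits "scheme://host[:port]" into lowercase [scheme, host, port], or NULL. */
function pcc_example_split(string $value): ?array {
  if (!preg_match('#^(https?)://([^/:]+)(?::(\d+))?\z#i', $value, $m)) {
    return NULL;
  }
  return [strtolower($m[1]), strtolower($m[2]), $m[3] ?? ''];
}

/** Post-1.1.0 matching as the release notes describe it. */
function pcc_example_origin_matches(string $origin, string $pattern): bool {
  $o = pcc_example_split($origin);
  $p = pcc_example_split($pattern);
  if ($o === NULL || $p === NULL || str_contains($o[1], '*')) {
    return FALSE;
  }
  // Scheme must be identical; exact port equality is an assumption.
  if ($o[0] !== $p[0] || $o[2] !== $p[2]) {
    return FALSE;
  }
  if (!str_starts_with($p[1], '*.')) {
    return $o[1] === $p[1];
  }
  // Leading dot kept: the base domain and lookalikes ("evilexample.com") fail.
  $suffix = substr($p[1], 1);
  return strlen($o[1]) > strlen($suffix) && str_ends_with($o[1], $suffix);
}

/** Maps each wildcard pattern to the base-domain entry it lacks, if any. */
function pcc_example_missing_base_domains(array $patterns): array {
  $listed = array_map('strtolower', $patterns);
  $missing = [];
  foreach ($patterns as $pattern) {
    $p = pcc_example_split($pattern);
    if ($p !== NULL && str_starts_with($p[1], '*.')) {
      $base = $p[0] . '://' . substr($p[1], 2) . ($p[2] !== '' ? ':' . $p[2] : '');
      if (!in_array($base, $listed, TRUE)) {
        $missing[$pattern] = $base;
      }
    }
  }
  return $missing;
}

// Constructed sample allow-list for the audit.
print_r(pcc_example_missing_base_domains(
  ['https://*.example.com', 'https://example.org', 'https://*.example.org']
));
```

Each entry the audit returns is a wildcard whose base domain stopped being covered after the upgrade and needs its own explicit line if that origin should still be allowed.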

Upgrade Notes

  • Clear caches after upgrade: drush cr
  • Review CORS configuration if using wildcard patterns
  • New expose_database_version setting defaults to true (maintains current behavior)
  • Consider rotating HMAC secrets after upgrade (see SECURITY.md for procedures)

Full Changelog

See CHANGELOG.md for complete details.

Created by: victorjimenezv
Created on: 16 Feb 2026 at 20:13 UTC
Last updated: 16 Feb 2026 at 20:13 UTC
Bug fixes
Unsupported
