php-mcp/changelog/2026/jan/features.md

# Core-MCP - January 2026

## Features Implemented

### Workspace Context Security

Prevents cross-tenant data leakage by requiring authenticated workspace context.

**Files:**
- `Exceptions/MissingWorkspaceContextException.php`
- `Context/WorkspaceContext.php` - Value object
- `Tools/Concerns/RequiresWorkspaceContext.php` - Tool trait
- `Middleware/ValidateWorkspaceContext.php`

**Security Guarantees:**
- Workspace context MUST come from authentication
- Cross-tenant access prevented by design
- Tools throw exceptions when called without context

---

### Query Security

Defence in depth for SQL injection prevention.

**Files:**
- `Exceptions/ForbiddenQueryException.php`
- `Services/SqlQueryValidator.php` - Multi-layer validation

**Features:**
- Blocked keywords: INSERT, UPDATE, DELETE, DROP, UNION
- Pattern detection: stacked queries, hex encoding, SLEEP/BENCHMARK
- Comment stripping to prevent obfuscation
- Query whitelist matching
- Read-only database connection support

**Config:** `mcp.database.connection`, `mcp.database.use_whitelist`, `mcp.database.blocked_tables`

---

### MCP Playground UI

Interactive interface for testing MCP tools.

**Files:**
- `Services/ToolRegistry.php` - Tool discovery and schemas
- `View/Modal/Admin/McpPlayground.php` - Livewire component
- `View/Blade/admin/mcp-playground.blade.php`

**Features:**
- Tool browser with search and category filtering
- Dynamic form builder from JSON schemas
- JSON response viewer with syntax highlighting
- Conversation history (last 50 executions)
- Example input pre-fill
- API key validation

**Route:** `GET /admin/mcp/playground`

---

### Tool Usage Analytics

Usage tracking and dashboard for MCP tools.

**Files:**
- `Migrations/2026_01_26_*` - mcp_tool_metrics, mcp_tool_combinations
- `Models/ToolMetric.php`
- `DTO/ToolStats.php`
- `Services/ToolAnalyticsService.php`
- `Events/ToolExecuted.php`
- `Listeners/RecordToolExecution.php`
- `View/Modal/Admin/ToolAnalyticsDashboard.php`
- `View/Modal/Admin/ToolAnalyticsDetail.php`
- `Console/Commands/PruneMetricsCommand.php`

**Features:**
- Per-tool call counts with daily granularity
- Average, min, max response times
- Error rates with threshold highlighting
- Tool combination tracking
- Admin dashboard with sortable tables
- Date range filtering

**Routes:**
- `GET /admin/mcp/analytics` - Dashboard
- `GET /admin/mcp/analytics/tool/{name}` - Tool detail

**Config:** `mcp.analytics.enabled`, `mcp.analytics.retention_days`

---

### EXPLAIN Query Analysis

Query optimization insights with automated performance analysis.

**Files:**
- `Tools/QueryDatabase.php` - Added `explain` parameter
- Enhanced with human-readable performance interpretation

**Features:**
- Optional EXPLAIN execution before query runs
- Detects full table scans
- Identifies missing indexes
- Warns about filesort and temporary tables
- Shows row count estimates
- Includes MySQL warnings when available

**Usage:**
```json
{
  "query": "SELECT * FROM users WHERE email = 'test@example.com'",
  "explain": true
}
```

**Response includes:**
- Raw EXPLAIN output
- Performance warnings (full scans, high row counts)
- Index usage analysis
- Optimization recommendations
monorepo sepration 2026-01-26 20:57:41 +00:00			`# Core-MCP - January 2026`

			`## Features Implemented`

			`### Workspace Context Security`

			`Prevents cross-tenant data leakage by requiring authenticated workspace context.`

			`Files:`
			- `Exceptions/MissingWorkspaceContextException.php`
			- `Context/WorkspaceContext.php` - Value object
			- `Tools/Concerns/RequiresWorkspaceContext.php` - Tool trait
			- `Middleware/ValidateWorkspaceContext.php`

			`Security Guarantees:`
			`- Workspace context MUST come from authentication`
			`- Cross-tenant access prevented by design`
			`- Tools throw exceptions when called without context`

			`---`

			`### Query Security`

			`Defence in depth for SQL injection prevention.`

			`Files:`
			- `Exceptions/ForbiddenQueryException.php`
			- `Services/SqlQueryValidator.php` - Multi-layer validation

			`Features:`
			`- Blocked keywords: INSERT, UPDATE, DELETE, DROP, UNION`
			`- Pattern detection: stacked queries, hex encoding, SLEEP/BENCHMARK`
			`- Comment stripping to prevent obfuscation`
			`- Query whitelist matching`
			`- Read-only database connection support`

			Config: `mcp.database.connection`, `mcp.database.use_whitelist`, `mcp.database.blocked_tables`

			`---`

			`### MCP Playground UI`

			`Interactive interface for testing MCP tools.`

			`Files:`
			- `Services/ToolRegistry.php` - Tool discovery and schemas
			- `View/Modal/Admin/McpPlayground.php` - Livewire component
			- `View/Blade/admin/mcp-playground.blade.php`

			`Features:`
			`- Tool browser with search and category filtering`
			`- Dynamic form builder from JSON schemas`
			`- JSON response viewer with syntax highlighting`
			`- Conversation history (last 50 executions)`
			`- Example input pre-fill`
			`- API key validation`

			Route: `GET /admin/mcp/playground`

			`---`

			`### Tool Usage Analytics`

			`Usage tracking and dashboard for MCP tools.`

			`Files:`
			- `Migrations/2026_01_26_*` - mcp_tool_metrics, mcp_tool_combinations
			- `Models/ToolMetric.php`
			- `DTO/ToolStats.php`
			- `Services/ToolAnalyticsService.php`
			- `Events/ToolExecuted.php`
			- `Listeners/RecordToolExecution.php`
			- `View/Modal/Admin/ToolAnalyticsDashboard.php`
			- `View/Modal/Admin/ToolAnalyticsDetail.php`
			- `Console/Commands/PruneMetricsCommand.php`

			`Features:`
			`- Per-tool call counts with daily granularity`
			`- Average, min, max response times`
			`- Error rates with threshold highlighting`
			`- Tool combination tracking`
			`- Admin dashboard with sortable tables`
			`- Date range filtering`

			`Routes:`
			- `GET /admin/mcp/analytics` - Dashboard
			- `GET /admin/mcp/analytics/tool/{name}` - Tool detail

			Config: `mcp.analytics.enabled`, `mcp.analytics.retention_days`

			`---`

			`### EXPLAIN Query Analysis`

			`Query optimization insights with automated performance analysis.`

			`Files:`
			- `Tools/QueryDatabase.php` - Added `explain` parameter
			`- Enhanced with human-readable performance interpretation`

			`Features:`
			`- Optional EXPLAIN execution before query runs`
			`- Detects full table scans`
			`- Identifies missing indexes`
			`- Warns about filesort and temporary tables`
			`- Shows row count estimates`
			`- Includes MySQL warnings when available`

			`Usage:`
			```json
			`{`
			`"query": "SELECT * FROM users WHERE email = 'test@example.com'",`
			`"explain": true`
			`}`
			```

			`Response includes:`
			`- Raw EXPLAIN output`
			`- Performance warnings (full scans, high row counts)`
			`- Index usage analysis`
			`- Optimization recommendations`