From 2d8b928e0312acc24853894af96d5c1a1bb68025 Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 09:49:09 -0700
Subject: [PATCH 1/3] Refactor administrator fetch logic in login.inc.php

Refactor administrator fetching logic to process known IPs and fingerprints _after_ fetching the administrator record.

Those were not arrays outside the fetch block.
---
 public_html/backend/pages/login.inc.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php
index 27ab262..96bf271 100644
--- a/public_html/backend/pages/login.inc.php
+++ b/public_html/backend/pages/login.inc.php
@@ -30,10 +30,10 @@
 				where username = '". database::input(strtolower($_POST['username'])) ."'
 				or email = '". database::input(strtolower($_POST['username'])) ."'
 				limit 1;"
-			)->fetch(function($administrator){
-				$administrator['known_ips'] = f::string_split($administrator['known_ips']);
-				$administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
-			});
+			)->fetch();
+
+			$administrator['known_ips'] = f::string_split($administrator['known_ips']);
+			$administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
 
 			if (!$administrator) {
 				throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database'));
@@ -159,7 +159,7 @@
 
 			unset(session::$data['security.administrator']['verification']);
 
-			// TOTP (opt-in per administrator). When enrolled, always challenge —
+			// TOTP (opt-in per administrator). When enrolled, always challenge
 			// independent of the known-IP check below. Email OTP remains the
 			// fallback for admins who haven't enrolled.
 			if (!empty($administrator['totp_secret'])) {
@@ -383,4 +383,4 @@
 			});
 		});
 	});
-</script>
\ No newline at end of file
+</script>

From 623965012f469afcb30dc65da14b618801817434 Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 09:58:10 -0700
Subject: [PATCH 2/3] Revert "Refactor administrator fetch logic in
 login.inc.php"

This reverts commit 2d8b928e0312acc24853894af96d5c1a1bb68025.

Restores the original fetch callback pattern where known_ips and
known_fingerprints processing happened inside the fetch block, ensuring
they are properly treated as arrays at the time of assignment.
---
 public_html/backend/pages/login.inc.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php
index 96bf271..7401482 100644
--- a/public_html/backend/pages/login.inc.php
+++ b/public_html/backend/pages/login.inc.php
@@ -30,10 +30,10 @@
 				where username = '". database::input(strtolower($_POST['username'])) ."'
 				or email = '". database::input(strtolower($_POST['username'])) ."'
 				limit 1;"
-			)->fetch();
-
-			$administrator['known_ips'] = f::string_split($administrator['known_ips']);
-			$administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
+			)->fetch(function($administrator){
+				$administrator['known_ips'] = f::string_split($administrator['known_ips']);
+				$administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
+			});
 
 			if (!$administrator) {
 				throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database'));
@@ -126,7 +126,7 @@
 			}
 
 			if (!empty($administrator['last_ip_address']) && $administrator['last_ip_address'] != $_SERVER['REMOTE_ADDR']) {
-				notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then your login credentials might be compromised.'), [
+				notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then y[...]
 					'{username}' => $administrator['username'],
 					'{ip_address}' => $administrator['last_ip_address'],
 					'{hostname}' => $administrator['last_hostname'],
@@ -159,7 +159,7 @@
 
 			unset(session::$data['security.administrator']['verification']);
 
-			// TOTP (opt-in per administrator). When enrolled, always challenge
+			// TOTP (opt-in per administrator). When enrolled, always challenge вњ“
 			// independent of the known-IP check below. Email OTP remains the
 			// fallback for admins who haven't enrolled.
 			if (!empty($administrator['totp_secret'])) {
@@ -241,7 +241,7 @@
 
 			if (!empty($_POST['remember_me']) && defined('HMAC_KEY_REMEMBER_ME')) {
 				$token = f::token_create_remember($administrator['id'], $administrator['password_hash']);
-				header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''), false);
+				header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''),[...]
 			} else if (!empty($_COOKIE['remember_me'])) {
 				header('Set-Cookie: remember_me=; Path='. WS_DIR_APP .'; Max-Age=-1; HttpOnly; SameSite=Lax', false);
 			}

From afaee7b237a829137b0cdb88673aa71ec6a4a0d1 Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 15:29:01 -0700
Subject: [PATCH 3/3] Add admin_get_mcp_tools function for backend tools

---
 .../includes/functions/func_admin.inc.php     | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/public_html/includes/functions/func_admin.inc.php b/public_html/includes/functions/func_admin.inc.php
index 3697791..7632bc7 100644
--- a/public_html/includes/functions/func_admin.inc.php
+++ b/public_html/includes/functions/func_admin.inc.php
@@ -103,3 +103,35 @@ function admin_get_widgets(): array {
 
 		return $widgets;
 	}
+
+	function admin_get_mcp_tools(): array {
+
+		$tools_cache_token = cache::token('backend_mcp_tools', ['administrator', 'language']);
+		if (!$toolsets = cache::get($tools_cache_token)) {
+
+			$toolsets = [];
+
+			foreach (f::file_search('app://backend/mcp/mcp_*.inc.php') as $mcp_file) {
+
+				// Include without polluting global scope
+				$toolset = (function() use ($mcp_file) {
+					return include $mcp_file;
+				})();
+
+				if (empty($toolset['name']) || !is_array($toolset['tools'])) {
+					continue;
+				}
+
+				$toolsets[] = [
+					'id' => preg_replace('#^mcp_(.+)\.inc\.php$#', '$1', basename($mcp_file)),
+					'name' => $toolset['name'],
+					'description' => $toolset['description'] ?? '',
+					'tools' => array_column($toolset['tools'] ?? [], 'name'),
+				];
+			}
+
+			cache::set($tools_cache_token, $toolsets);
+		}
+
+		return $toolsets;
+	}
