Skip to content

mcp-data-platform-v0.33.4

Choose a tag to compare

View all tags
@github-actions github-actions released this 06 Mar 20:13
· 85 commits to main since this release
v0.33.4
f8f6254
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Summary

Fixes two bugs in the Asset Portal and hardens the JSX renderer, provenance tracking, and test coverage.

Bug Fix: Blank JSX Content in Asset Viewer

Problem: Agent-generated JSX components define React components but never call createRoot/ReactDOM.render, so the iframe rendered blank with no errors.

Fix: The JsxRenderer now detects whether content is self-mounting (contains createRoot or ReactDOM.render) and handles each path differently:

  • Self-mounting path (backward compatible): content with mount calls uses the existing import-map + inline injection, now with error handling
  • Auto-mount path (new): content without mount calls goes through bare-specifier resolution (rewrites from 'react' to absolute esm.sh URLs for blob module compatibility), automatic export default detection, and dynamic import via React.createElement(mod.default)

Additional hardening:

  • Memory leak fix: module blob URLs are now tracked via useRef and properly revoked on cleanup
  • Single source of truth: IMPORT_MAP is derived from BARE_IMPORT_MAP — no more duplicated maps
  • XSS prevention: error display uses textContent via a showError() helper instead of innerHTML concatenation
  • Fewer false positives: hasMountCode uses regex (/\bcreateRoot\s*\(/) instead of String.includes(), reducing false matches from comments
  • Class component support: ensureExport now handles class declarations alongside function|const|let
  • CSP updated: added blob: to script-src and connect-src for the auto-mount path

Bug Fix: Empty Provenance ("No provenance data available")

Problem: The provenance middleware accumulates tool calls keyed by session ID, but AwareHandler's session ID was not propagated through the Go request context. MCPToolCallMiddleware used the default "stdio" key while save_artifact used a different key, resulting in an empty harvest.

Fix: Context-based session ID propagation:

  • AwareHandler now calls WithAwareSessionID(ctx, sessionID) in both handleInitialize and handleExisting, injecting the session ID into the Go request context
  • MCPToolCallMiddleware falls back to AwareSessionID(ctx) when the MCP SDK returns the default "stdio" session ID
  • This ensures Streamable HTTP requests always get the correct per-client session ID regardless of MCP SDK behavior
Transport Before After
Streamable HTTP + AwareHandler Works only if client echoes Mcp-Session-Id header Always works via context propagation
SSE All clients share "stdio" key Same (AwareHandler doesn't wrap SSE)
stdio Uses "stdio" Same (no HTTP layer)

Other Improvements

  • Provenance log noise reduced: Harvest() log level lowered from Info to Debug — no longer logs on every save_artifact call in production
  • Diagnostic logging: Record(), Harvest(), and save_artifact handler now emit structured debug/info logs with session ID and tool call counts for troubleshooting

Test Coverage

  • Integration test added: TestMiddlewareChain_AwareHandler_ProvenanceSessionID wires up the full AwareHandler → Stateless StreamableHTTP → MCPToolCallMiddlewareMCPProvenanceMiddleware chain and verifies end-to-end session ID propagation with a real HTTP transport
  • Unit tests: AwareSessionID/WithAwareSessionID roundtrip, handleInitialize and handleExisting context propagation, MCPToolCallMiddleware AwareHandler fallback
  • All new functions at 100% coverage

Files Changed

  • pkg/session/handler.goWithAwareSessionID/AwareSessionID context helpers
  • pkg/middleware/mcp.go — AwareHandler session ID fallback in MCPToolCallMiddleware
  • pkg/middleware/mcp_provenance.go — diagnostic logging, Harvest log level fix
  • pkg/toolkits/portal/toolkit.gosave_artifact provenance diagnostic logging
  • ui/src/components/renderers/JsxRenderer.tsx — auto-mount, memory leak, XSS, dedup fixes

Installation

Homebrew (macOS)

brew install txn2/tap/mcp-data-platform

Claude Code CLI

claude mcp add mcp-data-platform -- mcp-data-platform

Docker

docker pull ghcr.io/txn2/mcp-data-platform:v0.33.4

Verification

All release artifacts are signed with Cosign. Verify with:

cosign verify-blob --bundle mcp-data-platform_0.33.4_linux_amd64.tar.gz.sigstore.json \
  mcp-data-platform_0.33.4_linux_amd64.tar.gz
Assets 25
Loading