Wave 1 rollup: integrated 1579-wave-1 (#1600)#1601
Conversation
Document the contribution policy: we accept issues, not pull requests. Maintainers handle design and implementation through a prompt-driven workflow. Contributors who have already built a change locally should share the prompt they used rather than a diff. Cross-reference the policy from AGENTS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…icy (#1517) GitHub auto-populates pull_request_template.md into every new PR body, so it steers would-be external PR authors to CONTRIBUTORS.md before they submit a diff. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The policy takes effect after v2/main merges into main, leaving a single line of development. Tell contributors to open a well-formed issue rather than routing them to per-version project boards. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
) Give the CLI a stable machine-readable failure surface: - EXIT_CODES map (0 ok / 1 usage / 2 no-app / 3 auth-required / 4 unreachable / 5 tool-error) - ErrorEnvelope interface + CliExitCodeError for pre-classified exits - pure classifyError() (status/cause/pattern heuristics) and formatErrorOutput()/handleError() that emit one JSON line on stderr - in-process cli-runner mirrors the binary via formatErrorOutput so tests observe the real exit code and envelope - document the exit-code map + envelope shape in clients/cli/README.md Wave 1 foundation of the PR #1510 decomposition; shapes kept clean for reuse by --app-info (exit 2), stored-auth (exit 3), and --format json. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
Redact Authorization, Cookie, Set-Cookie, Proxy-Authorization, X-Api-Key, and x-mcp-remote-auth to [REDACTED] in createFetchTracker before any request/response entry reaches the in-memory log, pino logger, or persisted session storage. Comparison is case-insensitive; original key casing is preserved and the live outbound request is untouched. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…#1556) Add a machine-readable summary of an MCP App's UI metadata: the AppInfo interface plus extractAppInfo(), which merges a tool's _meta.ui (resourceUri, visibility) with the linked UI resource's _meta.ui (csp, permissions, domain, prefersBorder, mimeType). Content-block matching is exact-URI first, then a lowercase + trailing-slash normalized match, then a single-block fallback since resources/read returns the requested resource by definition. Shared plumbing for the programmatic-review path (CLI --app-info, integration tests) without rendering the app. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…Uri, isHttpUrl (closes #1560) Extend the browser download library beyond JSON so the Apps host's ui/download-file support can download arbitrary embedded resources and open http(s) links safely, with no UI wiring in this change: - downloadBlob(): temp-anchor download core with a setTimeout(...,0)- deferred revokeObjectURL so a synchronous revoke can't abort the scheduled download (Firefox/Safari, intermittently Chrome). - downloadJsonFile(): refactored on top of downloadBlob; callers unchanged. - fileNameFromUri(): last path segment sanitized (control/format chars stripped, disallowed filename chars -> _, capped at 255, "download" fallback). - isHttpUrl(): parse-and-allowlist http(s) only, else null. Re-implementation of the downloadFile.ts slice of PR #1510 as Wave 1 of the #1579 decomposition. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…closes #1557) Add an `mcp_app_demo` tool/resource preset — a self-contained MCP App widget that exercises size-changed, ui/message, log notifications, and host-context rendering with no external server. Requires plumbing an optional `_meta` field through the composable test server's `ToolDefinition` and `ResourceDefinition` so clients can read tool-level `_meta.ui.resourceUri` and resource-level `_meta.ui.csp`. - composable-test-server: optional `_meta` on ToolDefinition/ResourceDefinition, passed through to registerTool config and the resource content item. - test-server-fixtures: `createMcpAppDemoTool()`, `createMcpAppDemoResource()`, inline `MCP_APP_DEMO_HTML` widget; wired into getDefaultServerConfig. - preset-registry: `mcp_app_demo` tool + `mcp_app_demo_widget` resource presets. - integration test asserting the `_meta` plumbing end-to-end. Wave 1 of PR #1510 decomposition. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
) Add clients/web/src/components/elements/AppRenderer/hostContext.ts — a pure utilities module for the MCP Apps host: - currentTheme(): read the resolved Mantine color scheme from the DOM - currentStyles(): map the inspector's Mantine/-inspector design tokens to a McpUiHostStyles snapshot via STYLE_VARIABLE_SOURCES - measureContainerDimensions(): whole-pixel container measurement - snapshotHostContext(): assemble the initial McpUiHostContext seed Wave 1 of the PR #1510 decomposition (#1579). Pure extraction only — the AppRenderer/AppsScreen/createAppBridgeFactory rewrites belong to Wave 2. Full unit coverage (100% lines/statements/functions/branches). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
Add a pure, DOM-free CSP-builder library at clients/web/src/lib/sandbox-csp.ts that validates app-supplied `_meta.ui.csp` requests, filters them to safe sources, builds the locked-down Content-Security-Policy string, and wraps untrusted widget HTML in a fixed host shell whose first <head> child is the CSP meta. - SAFE_CSP_SOURCE: strict regex that rejects directive/attribute breakouts (`;`, `"`, `<`, `>`, whitespace). - approveCspSources(): drops unsafe entries (with a warning) and omits empty keys; echoes back only what the host will enforce. - buildSandboxCspPolicy(): `default-src 'none'` catch-all, `form-action 'none'`, source-allowlist filtering, `'unsafe-inline'` for the app's own inline script/style. - escapeHtmlAttr() / wrapSandboxedHtml(): defense-in-depth so untrusted bytes never precede the applied policy. Re-implements the sandbox-csp portion of PR #1510 (Wave 1 of #1579) as a standalone library; wiring into the app bridge is a follow-up issue. Adds full unit tests (100% lines/statements/functions/branches) and lists the file in the web coverage `include` so it is gated (the untested legacy src/lib siblings stay out until they get tests). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…oses #1562) generateOAuthState() now throws when crypto.getRandomValues is unavailable instead of silently degrading to a non-cryptographic Math.random() fallback — OAuth state is a CSRF token and must be unpredictable. The web /oauth/callback handler now rejects a returned `state` param that does not parse to the expected 64-char-hex authId shape (a forgery indicator), surfacing a clear error toast instead of proceeding with an undefined session. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…rt (closes #1563) Wrap the Node transport's fetch with an undici EnvHttpProxyAgent dispatcher when a standard proxy env var is set, so the CLI and web backend can reach remote MCP servers through corporate proxies with zero new flags. undici is imported lazily (only when a proxy var is present) and added as a dependency at the repo root and in the CLI client; a missing undici raises an actionable error. Documents the behavior and dependency in the CLI README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…ge parity) (closes #1548) Migrate the web client's OAuth storage from BrowserOAuthStorage (sessionStorage) to RemoteOAuthStorage, which POSTs through the backend's /api/storage/oauth route to ~/.mcp-inspector/storage/oauth.json (mode 0600). A credential obtained in the browser is now the same blob the TUI/CLI read on the same host, giving web ⇄ TUI ⇄ CLI parity (Wave 1 of #1579). Core (shared with TUI/CLI): - OAuthStorageBase now drives a single async hydration (`ready()`, `getHydrationError()`); every post-redirect read (getClientInformation, getTokens, getCodeVerifier, getServerMetadata, getIdpSession) and every save awaits it so a late hydration merge cannot clobber a fresh write. getCodeVerifier/getServerMetadata become async; the store is created with skipHydration:true so there is no auto-hydration to race the explicit one. - store.ts adds normalizeServerUrl so a token saved under https://Example.com/mcp is found when the CLI asks for https://example.com/mcp/; getServerState falls back to the raw key. - remote-storage adapter POSTs with keepalive so the write survives the OAuth authorize redirect, surfaces swallowed persist failures, and gives richer read/write error messages. - generateOAuthState throws instead of silently degrading to Math.random. - NodeOAuthStorage honors MCP_INSPECTOR_OAUTH_STATE_PATH for isolated fixtures. Provider codeVerifier()/getServerMetadata() + the EMA idpOidc and connection-state readers await the now-async storage. Web: - environmentFactory + a new shared lib/remoteOAuthStorage accessor (memoized per {baseUrl, authToken}) wire RemoteOAuthStorage into the connection path, the EMA IdP hook, and the per-server "clear OAuth" action so all three share one in-memory view of oauth.json. Tests: async-hydration + normalizeServerUrl suite, keepalive/error-path coverage, and the sync→async migration across existing storage/provider/EMA tests. Web validate + coverage gate + integration suite green; CLI/TUI/ launcher validate green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
Address @claude review of #1583: - statusOf() now only treats a numeric `.code` as an HTTP status when it is in the 100-599 range, so an MCP SDK McpError JSON-RPC code (e.g. -32601 MethodNotFound) is no longer leaked into the envelope `status` or misclassified as AUTH_REQUIRED (it falls back to USAGE). - causeOf() now carries a depth cap (MAX_CAUSE_DEPTH) so a cyclic/ self-referential `error.cause` chain terminates instead of recursing infinitely. - Add tests for both: a -32601 McpError-shaped error (status undefined, exit USAGE) and a self-referential cause chain (finite string). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
Address code-review DRY note on PR #1587: MCP_APP_DEMO_URI was defined in both the fixture and the integration test. Export it from the fixture and import it in the test so the two stay in lockstep. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…asymmetry, tighten test
- Soften the OAuth-callback-rejected toast: the shape guard is
defense-in-depth, not full CSRF prevention (PKCE remains primary), so the
message no longer overstates ("rejecting to prevent a cross-site request" ->
"did not originate from this session").
- Document the intentional asymmetry between a present-but-malformed `state`
(rejected) and a wholly absent `state` (accepted, matched via
OAUTH_PENDING_SERVER_KEY) — rejecting the null case would mask real provider
error redirects that omit `state`.
- Make the "valid state is not rejected" test assert the specific downstream
"could not be matched" toast (seeding OAUTH_PENDING_SERVER_KEY) instead of an
indirect "some toast fired" check.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…edence Address round-1 review nits on apps.ts: - readUiMeta now accepts `unknown` and narrows internally, removing the three `as WithUiMeta` casts at its call sites (readability win). - Add a comment documenting that the content-block-then-result precedence for `_meta.ui` is intentional (posture lives on the content block; no shallow merge). - Add a TODO to switch to the named McpUiToolMeta/McpUiResourceMeta types once the upstream extensionless re-export is fixed for NodeNext. Coverage: apps.ts 100% lines / 97.05% branch / 100% funcs — clears the gate. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
undici 8.5.0 requires Node >= 22.19.0 (its declared engines), so CI's Node 20.x could not load undici's CacheStorage (missing webidl.util.markAsUncloneable) and the proxy integration tests failed. Bump the CI setup-node to 22.x to match the repo's Node floor. Reconcile the declared floor with undici's real requirement: bump root engines.node to >=22.19.0 and correct the CLI README note (undici 8.5.0 needs >=22.19.0, not >=22.7.5). Also document proxy support in the web README and clarify that a caller-supplied eventSourceInit.fetch bypasses the proxy wrapper by design. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
Address round-1 @claude review of #1588 (no behavior change to the enforced policy): - approveCspSources / buildSandboxCspPolicy: document that resourceDomains intentionally feeds script-src/style-src per the McpUiResourceCsp contract, and that approve screens injection-safety only (not breadth — a bare `*` is accepted; safe under the opaque-origin sandbox). - CSP_KEYS: replace the `satisfies` (proves listed keys valid) with an exhaustiveCspKeys() helper that ALSO fails to compile if the upstream ext-apps type gains a domain key CSP_KEYS omits, so a requested restriction can never be silently dropped. - SAFE_CSP_SOURCE: accept case-insensitive schemes (URL schemes are case-insensitive); previously over-rejected `HTTPS://…`. Adds tests. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…n path Address round-2 code-review note on PR #1587: the _meta passthrough was wired only into the regular registerTool path, so an App-flavored task tool would not surface tool-level _meta. Add _meta to TaskToolDefinition and a matching conditional spread on both registerToolTask overload configs so the two registration paths behave symmetrically. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…palive/memo caveats Address round-1 @claude review of #1592: - OAuthStorageBase.clear* no longer mutate the pre-hydration (empty) store — a clear issued before hydration is deferred until it lands, so it merges onto the real persisted state instead of (a) being resurrected by the late rehydrate merge or (b) persisting a near-empty blob that clobbers every other server's on-disk credential. Already-hydrated clears stay synchronous. - store.setServerState migrates a pre-normalization raw-key blob onto the canonical key on first partial write (was: shadowed it with a fresh canonical entry, orphaning the raw blob's other fields). clearServerState now also drops the raw-key orphan. - Document the keepalive 64KB combined-body ceiling on the remote-storage write, the getRemoteOAuthStorage memo key intentionally omitting fetchFn, and the real ordering invariant behind the sync getScope. - Tests for the clear-before-hydration and raw-key-migration paths. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
The root package.json engines.node was bumped to >=22.19.0 but the root package entry in package-lock.json still declared >=22.7.5. Regenerate so the lockfile matches package.json for npm ci. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
Address round-3 code-review note on PR #1587: resource `_meta` is applied only by the default read handler; a customHandler from onRegisterResource replaces the contents wholesale and would drop it. Document this on ResourceDefinition._meta so a future App UI resource with a custom read handler knows to re-add _meta itself. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
Round-2 @claude review of #1592 caught a seventh member of the clear family that the first pass missed: clearClientInformation still wrote to the store synchronously, carrying the same pre-hydration clobber risk the clearAfterHydration helper was written for (a clear before hydration lands persists a near-empty blob, overwriting the whole on-disk oauth.json). Wrap its mutation the same way and add a clear-before-hydration test proving a sibling token (and thus every other server's blob) survives. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
… getScope Round-3 @claude review of #1592 (optional nit): getClientRegistrationKind is the other synchronous getter that, like getScope, is safe only because its sole caller (buildOAuthConnectionState) awaits getClientInformation/ getServerMetadata first, flushing hydration before this runs on the post-redirect callback path. Add a docstring mirroring getScope's so a future refactor doesn't read it without a preceding awaited storage read. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
Completes requirement #2 of #1517: a table mapping each active version to its base branch, project board, and version label, plus a "Label by version" note mirroring AGENTS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…1596) Root-cause and deterministically fix the recurring 5s-timeout flakes that surfaced under v8-instrumented, concurrent load. All fixes are test-only; no product source changed. No test was skipped or disabled, and the per-file coverage gate (>=90 on all four dims) still holds. Common root cause across the modal/form/screen suites: userEvent.setup() schedules a real setTimeout between keystrokes. Under CPU contention those yields balloon, so multi-field interactions blew past the 5s per-test timeout. Fix: userEvent.setup({ delay: null }) removes the per-keystroke real-timer dependence (typing dispatches synchronously), making the suites load-independent. Per file: - ServerConfigModal / ServerImportConfigModal / ServerImportJsonModal / ResourcesScreen / InspectorView: userEvent.setup({ delay: null }). - PromptArgumentsForm (completions): replaced wall-clock sleeps sized just past the 300ms completion debounce (await setTimeout(400)) — which race the debounce timer under load — with awaited conditions (findBy/waitFor) on the real rendered outcome, plus delay:null. Negative assertions now lean on the component's synchronous state/timer teardown instead of a timed window, so they are deterministic regardless of machine speed. - inspectorClient integration "tracks stderr logs": the child's stderr is piped out-of-band from the tool's JSON-RPC response, so reading the log synchronously after callTool raced the stderr chunk. Wrapped the assertion in vi.waitFor so it polls until the line lands. Verified: web validate + 6x test:coverage (4 sequential + 2 concurrent under load) + standalone test:integration, all green (229 files / 3237 tests per coverage run; 799 integration tests), zero intermittent failures. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…ound 1) The "cancels a pending debounce timer when the input is re-focused" test passed trivially after the delay:null change: synchronous typing meant the assertion ran at t≈0, before the 300ms debounce could ever fire, so it passed whether or not handleFocus's clearTimeout worked. Rewrote it with fake timers so the debounce window elapses deterministically (advance the clock by 400ms directly). The interaction is driven with fireEvent rather than userEvent because userEvent's async internals deadlock under vitest fake timers with the Mantine/happy-dom stack. Verified load-bearing: removing the clearTimeout in handleFocus makes it fail (expected 1 to be 0), and it passes once restored. Also tightened the sibling-context comment (with delay:null the sibling is reliably "es"); the tolerant /^es?$/ regex is left as-is. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
…ase change; tree unchanged)
…odes feat(cli): exit-code map + structured JSON error envelopes
…ase change; tree unchanged)
feat(core): add AppInfo + extractAppInfo() to core/mcp/apps.ts
…ase change; tree unchanged)
…ders feat(core): redact sensitive headers in the fetch log
…ase change; tree unchanged)
feat(web): downloadFile.ts enhancements (downloadBlob, fileNameFromUri, isHttpUrl)
…ase change; tree unchanged)
feat(test-servers): mcp_app_demo preset + _meta on tool/resource defs
…ase change; tree unchanged)
feat(web): add sandbox CSP builder library (closes #1558)
…ase change; tree unchanged)
…e-hardening auth hardening: generateOAuthState requires WebCrypto; OAuth callback rejects unparseable state
…ase change; tree unchanged)
feat(core): honor HTTPS_PROXY/HTTP_PROXY/NO_PROXY in the Node transport
…ase change; tree unchanged)
…t-utils feat(web): extract hostContext utilities for the Apps host
…ase change; tree unchanged)
…-oauth-storage Web: migrate auth store to shared /store API (RemoteOAuthStorage parity with TUI/CLI)
…ase change; tree unchanged)
…utors-md docs: add CONTRIBUTORS.md issues-only policy (#1517)
…ase change; tree unchanged)
…lity test(web): eliminate timeout flakiness in the web test suite
ci: enforce the ≥90% per-file coverage gate in CI
|
➕ Folded into the rollup after the fact: #1550 (PR #1603) — ci: enforce the ≥90% per-file coverage gate in CI. Now merged into |
…llup — tracked separately, not Wave 1
|
✂️ Update — CONTRIBUTORS docs pulled out of this rollup. #1517/#1537 (and its follow-up #1595) are unrelated to the #1510 Wave-1 decomposition, so they were removed from |
Closes #1600
Wave 1 rollup —
1579-wave-1→v2/mainThis is the single rollup PR for Wave 1 of the #1579 decomposition (re-implementing PR #1510 as scoped issues). Rather than merging each Wave-1 PR individually, they were integrated onto
1579-wave-1, verified together, and are proposed here to merge intov2/mainin one go.Every bundled PR was individually: exhaustively
@claude-reviewed to clean, CI-green, and smoke-tested/AGENTS.md-audited on its own issue. The integrated branch then passed a full verification pass (below).Bundled work
Original Wave 1 (10):
AppInfo/extractAppInfo(feat(core): add AppInfo + extractAppInfo() to core/mcp/apps.ts #1584)mcp_app_demo+_meta(feat(test-servers): mcp_app_demo preset + _meta on tool/resource defs #1587)downloadFileenhancements (feat(web): downloadFile.ts enhancements (downloadBlob, fileNameFromUri, isHttpUrl) #1586)generateOAuthState+ callback state reject (auth hardening: generateOAuthState requires WebCrypto; OAuth callback rejects unparseable state #1589)HTTPS_PROXY/HTTP_PROXY/NO_PROXY(feat(core): honor HTTPS_PROXY/HTTP_PROXY/NO_PROXY in the Node transport #1590)RemoteOAuthStorageparity + async hydration (Web: migrate auth store to shared /store API (RemoteOAuthStorage parity with TUI/CLI) #1592)Wave 1 follow-ups (surfaced during review/smoke):
clients/web/src/lib/**under coverage (test(web): gate src/lib/** under the vitest coverage include globs #1599)Integration verification (on the merged branch)
validate(all clients): ✅ PASStest:integration: ✅ 809 tests1579-wave-1: ✅ all PASSFull integration audit: #1600 (comment)
Closes on merge
Closes #1600, #1556, #1557, #1558, #1559, #1560, #1561, #1562, #1563, #1564, #1548, #1593, #1594, #1596