tidewave 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f3737d76d054bed63cb68932692d012571e6dc6592e4acb3d38cfc996e136c9
-  data.tar.gz: 826dda40d4b76b7e399f91bf696463a1b8c70554ebc29a96ddea0d3aa43cef4a
+  metadata.gz: 728311a2ea0525028ccf9209d06bc1079f9258e35d534409f4ac867ff5212d32
+  data.tar.gz: 11c1b092dc830897e59cb39f71de745b840acfd6f8845bf058c9010a06258e75
 SHA512:
-  metadata.gz: 7f48e43388215ba5d6db70be3e450d7f3358921f82ae4b6c855801ad3ee48aeea3ff1cdd2b7d00acbf072556cf8b4ab5982541f894b470a502dbf149c63a798f
-  data.tar.gz: d4acf2d1625913bbbbae42d74c9816f200dba1ab2e25dff182a83c63aff9f236c21062b8745568beb2dd4378e39cc23073d7c39cde725a31c36a74e0ba2edfd2
+  metadata.gz: f9b49181b3f571b668de00287f0fec47088256ee335e31036385cedcb3b8c34274529d70a4f21d9c114279d9a1f5e52a56cab75b8465546863e0fd539fd1b390
+  data.tar.gz: 1201a00a28892246592c158bc0e90cb5a6ce5d69a6a3533ef81bb8c853d2124d3544d029e8346613fa4d099010869f83cae49bcad82d890d1e935ee9f54903f4

data/README.md

@@ -29,7 +29,7 @@ If you want to use Docker for development, you either need to enable the configu
 
 ### Content security policy
 
-If you have enabled Content-Security-Policy, Tidewave will automatically enable "unsafe-eval" under `script-src` in order for contextual browser testing to work correctly.
+If you have enabled Content-Security-Policy, Tidewave will automatically enable "unsafe-eval" under `script-src` in order for contextual browser testing to work correctly. It also disables the `frame-ancestors` directive.
 
 ### Web server requirements
 
@@ -55,6 +55,8 @@ The following config is available:
 
   * `allow_remote_access` - Tidewave only allows requests from localhost by default, even if your server listens on other interfaces as well. If you trust your network and need to access Tidewave from a different machine, this configuration can be set to `true`
 
+  * `logger_middleware` - The logger middleware Tidewave should wrap to silence its own logs
+
   * `preferred_orm` - which ORM to use, either `:active_record` (default) or `:sequel`
 
   * `team` - set your Tidewave Team configuration, such as `config.tidewave.team = { id: "my-company" }`

data/lib/tidewave/configuration.rb

@@ -2,7 +2,7 @@
 
 module Tidewave
   class Configuration
-    attr_accessor :logger, :allow_remote_access, :preferred_orm, :dev, :client_url, :team
+    attr_accessor :logger, :allow_remote_access, :preferred_orm, :dev, :client_url, :team, :logger_middleware
 
     def initialize
       @logger = nil
@@ -11,6 +11,7 @@ module Tidewave
       @dev = false
       @client_url = "https://tidewave.ai"
       @team = {}
+      @logger_middleware = nil
     end
   end
 end

data/lib/tidewave/middleware.rb

@@ -8,12 +8,13 @@ require "active_support/core_ext/class"
 require "active_support/core_ext/object/blank"
 require "json"
 require "erb"
+require_relative "streamable_http_transport"
 
 class Tidewave::Middleware
   TIDEWAVE_ROUTE = "tidewave".freeze
-  SSE_ROUTE = "mcp".freeze
-  MESSAGES_ROUTE = "mcp/message".freeze
+  MCP_ROUTE = "mcp".freeze
   SHELL_ROUTE = "shell".freeze
+  CONFIG_ROUTE = "config".freeze
 
   INVALID_IP = <<~TEXT.freeze
     For security reasons, Tidewave does not accept remote connections by default.
@@ -30,9 +31,8 @@ class Tidewave::Middleware
     @app = FastMcp.rack_middleware(app,
       name: "tidewave",
       version: Tidewave::VERSION,
-      path_prefix: "/" + TIDEWAVE_ROUTE,
-      messages_route: MESSAGES_ROUTE,
-      sse_route: SSE_ROUTE,
+      path_prefix: "/" + TIDEWAVE_ROUTE + "/" + MCP_ROUTE,
+      transport: Tidewave::StreamableHttpTransport,
       logger: config.logger || Logger.new(Rails.root.join("log", "tidewave.log")),
       # Rails runs the HostAuthorization in dev, so we skip this
       allowed_origins: [],
@@ -62,23 +62,26 @@ class Tidewave::Middleware
       case [ request.request_method, path ]
       when [ "GET", [ TIDEWAVE_ROUTE ] ]
         return home(request)
+      when [ "GET", [ TIDEWAVE_ROUTE, CONFIG_ROUTE ] ]
+        return config_endpoint(request)
       when [ "POST", [ TIDEWAVE_ROUTE, SHELL_ROUTE ] ]
         return shell(request)
       end
     end
 
-    @app.call(env)
+    status, headers, body = @app.call(env)
+
+    # Remove X-Frame-Options headers for non-Tidewave routes to allow embedding.
+    # CSP headers are configured in the CSP application environment.
+    headers.delete("X-Frame-Options")
+
+    [ status, headers, body ]
   end
 
   private
 
   def home(request)
-    config = {
-      "project_name" => @project_name,
-      "framework_type" => "rails",
-      "tidewave_version" => Tidewave::VERSION,
-      "team" => @team
-    }
+    config = config_data
 
     html = <<~HTML
       <html>
@@ -95,6 +98,19 @@ class Tidewave::Middleware
     [ 200, { "Content-Type" => "text/html" }, [ html ] ]
   end
 
+  def config_endpoint(request)
+    [ 200, { "Content-Type" => "application/json" }, [ JSON.generate(config_data) ] ]
+  end
+
+  def config_data
+    {
+      "project_name" => @project_name,
+      "framework_type" => "rails",
+      "tidewave_version" => Tidewave::VERSION,
+      "team" => @team
+    }
+  end
+
   def forbidden(message)
     Rails.logger.warn(message)
     [ 403, { "Content-Type" => "text/plain" }, [ message ] ]

data/lib/tidewave/railtie.rb

@@ -32,6 +32,8 @@ module Tidewave
           content_security_policy.directives["script-src"].try do |script_src|
             script_src << "'unsafe-eval'" unless script_src.include?("'unsafe-eval'")
           end
+
+          content_security_policy.directives.delete("frame-ancestors")
         end
       end
     end
@@ -39,7 +41,6 @@ module Tidewave
     initializer "tidewave.intercept_exceptions" do |app|
       # We intercept exceptions from DebugExceptions, format the
       # information as text and inject into the exception page html.
-
       ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
         request.set_header("tidewave.exception", exception)
       end
@@ -49,7 +50,8 @@ module Tidewave
 
     initializer "tidewave.logging" do |app|
       # Do not pollute user logs with tidewave requests.
-      app.middleware.insert_before(Rails::Rack::Logger, Tidewave::QuietRequestsMiddleware)
+      logger_middleware = app.config.tidewave.logger_middleware || Rails::Rack::Logger
+      app.middleware.insert_before(logger_middleware, Tidewave::QuietRequestsMiddleware)
     end
   end
 end

data/lib/tidewave/streamable_http_transport.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require "json"
+require "rack"
+require "fast_mcp"
+
+module Tidewave
+  # Streamable HTTP transport for MCP (POST-only, no SSE)
+  # This transport implements a simplified version of the MCP Streamable HTTP protocol
+  # that only supports POST requests for JSON-RPC messages. Unlike the full protocol,
+  # it does not support Server-Sent Events (SSE) for streaming responses.
+  class StreamableHttpTransport < FastMcp::Transports::BaseTransport
+    attr_reader :app, :path
+
+    def initialize(app, server, options = {})
+      super(server, logger: options[:logger])
+      @app = app
+      @path = options[:path_prefix] || "/mcp"
+      @running = false
+    end
+
+    def start
+      @logger.debug("Starting Streamable HTTP transport (POST-only) at path: #{@path}")
+      @running = true
+    end
+
+    def stop
+      @logger.debug("Stopping Streamable HTTP transport")
+      @running = false
+    end
+
+    # Send a message - capture response for synchronous HTTP
+    # Required by FastMCP::Transports::BaseTransport interface
+    def send_message(message)
+      @logger.debug("send_message called, capturing response: #{message.inspect}")
+      @captured_response = message
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+
+      if request.path == @path
+        @server.transport = self
+        handle_mcp_request(request, env)
+      else
+        @app.call(env)
+      end
+    end
+
+    private
+
+    def handle_mcp_request(request, env)
+      if request.post?
+        handle_post_request(request)
+      else
+        method_not_allowed_response
+      end
+    end
+
+    def handle_post_request(request)
+      @logger.debug("Received POST request to MCP endpoint")
+
+      begin
+        body = request.body.read
+        message = JSON.parse(body)
+
+        @logger.debug("Processing message: #{message.inspect}")
+
+        unless valid_jsonrpc_message?(message)
+          return json_rpc_error_response(400, -32600, "Invalid Request", nil)
+        end
+
+        # Capture the response that will be sent via send_message
+        @captured_response = nil
+        @server.handle_json_request(message)
+
+        @logger.debug("Sending response: #{@captured_response.inspect}")
+
+        [
+          200,
+          { "Content-Type" => "application/json" },
+          [ JSON.generate(@captured_response) ]
+        ]
+      rescue JSON::ParserError => e
+        @logger.error("Invalid JSON in request: #{e.message}")
+        json_rpc_error_response(400, -32700, "Parse error", nil)
+      rescue => e
+        @logger.error("Error processing message: #{e.message}")
+        @logger.error(e.backtrace.join("\n")) if e.backtrace
+        json_rpc_error_response(500, -32603, "Internal error", nil)
+      end
+    end
+
+    def valid_jsonrpc_message?(message)
+      return false unless message.is_a?(Hash)
+      return false unless message["jsonrpc"] == "2.0"
+
+      message.key?("method") || message.key?("result") || message.key?("error")
+    end
+
+    def method_not_allowed_response
+      [
+        405,
+        { "Content-Type" => "application/json" },
+        [ JSON.generate({
+          jsonrpc: "2.0",
+          error: {
+            code: -32601,
+            message: "Method not allowed. This endpoint only supports POST requests."
+          },
+          id: nil
+        }) ]
+      ]
+    end
+
+    def json_rpc_error_response(http_status, code, message, id)
+      [
+        http_status,
+        { "Content-Type" => "application/json" },
+        [ JSON.generate({
+          jsonrpc: "2.0",
+          error: {
+            code: code,
+            message: message
+          },
+          id: id
+        }) ]
+      ]
+    end
+  end
+end

data/lib/tidewave/tools/execute_sql_query.rb

@@ -22,6 +22,12 @@ class Tidewave::Tools::ExecuteSqlQuery < Tidewave::Tools::Base
     optional(:arguments).value(:array).description("The arguments to pass to the query. The query must contain corresponding parameter placeholders.")
   end
 
+  def @input_schema.json_schema
+    schema = super
+    schema[:properties][:arguments][:items] = {}
+    schema
+  end
+
   RESULT_LIMIT = 50
 
   def call(query:, arguments: [])

data/lib/tidewave/tools/project_eval.rb

@@ -23,6 +23,12 @@ class Tidewave::Tools::ProjectEval < Tidewave::Tools::Base
     optional(:json).hidden().filled(:bool).description("Whether to return the result as JSON with structured output containing result, success, stdout, and stderr fields. Defaults to false.")
   end
 
+  def @input_schema.json_schema
+    schema = super
+    schema[:properties][:arguments][:items] = {}
+    schema
+  end
+
   def call(code:, arguments: [], timeout: 30_000, json: false)
     original_stdout = $stdout
     original_stderr = $stderr

data/lib/tidewave/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tidewave
-  VERSION = "0.3.1"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tidewave
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Yorick Jacquin
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-09-16 00:00:00.000000000 Z
+date: 2025-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.5.0
+        version: 1.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.5.0
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -72,6 +72,7 @@ files:
 - lib/tidewave/middleware.rb
 - lib/tidewave/quiet_requests_middleware.rb
 - lib/tidewave/railtie.rb
+- lib/tidewave/streamable_http_transport.rb
 - lib/tidewave/tools/base.rb
 - lib/tidewave/tools/execute_sql_query.rb
 - lib/tidewave/tools/get_docs.rb