@browserstack/mcp-server 1.2.16 → 1.2.17

package/dist/config.d.ts

@@ -7,7 +7,8 @@ export declare class Config {
     readonly browserstackLocalOptions: Record<string, any>;
     readonly USE_OWN_LOCAL_BINARY_PROCESS: boolean;
     readonly REMOTE_MCP: boolean;
-    constructor(DEV_MODE: boolean, browserstackLocalOptions: Record<string, any>, USE_OWN_LOCAL_BINARY_PROCESS: boolean, REMOTE_MCP: boolean);
+    readonly UPLOAD_BASE_DIR: string | undefined;
+    constructor(DEV_MODE: boolean, browserstackLocalOptions: Record<string, any>, USE_OWN_LOCAL_BINARY_PROCESS: boolean, REMOTE_MCP: boolean, UPLOAD_BASE_DIR: string | undefined);
 }
 declare const config: Config;
 export default config;

package/dist/config.js

@@ -37,12 +37,16 @@ export class Config {
     browserstackLocalOptions;
     USE_OWN_LOCAL_BINARY_PROCESS;
     REMOTE_MCP;
-    constructor(DEV_MODE, browserstackLocalOptions, USE_OWN_LOCAL_BINARY_PROCESS, REMOTE_MCP) {
+    UPLOAD_BASE_DIR;
+    constructor(DEV_MODE, browserstackLocalOptions, USE_OWN_LOCAL_BINARY_PROCESS, REMOTE_MCP, UPLOAD_BASE_DIR) {
         this.DEV_MODE = DEV_MODE;
         this.browserstackLocalOptions = browserstackLocalOptions;
         this.USE_OWN_LOCAL_BINARY_PROCESS = USE_OWN_LOCAL_BINARY_PROCESS;
         this.REMOTE_MCP = REMOTE_MCP;
+        this.UPLOAD_BASE_DIR = UPLOAD_BASE_DIR;
     }
 }
-const config = new Config(process.env.DEV_MODE === "true", browserstackLocalOptions, process.env.USE_OWN_LOCAL_BINARY_PROCESS === "true", process.env.REMOTE_MCP === "true");
+const config = new Config(process.env.DEV_MODE === "true", browserstackLocalOptions, process.env.USE_OWN_LOCAL_BINARY_PROCESS === "true", process.env.REMOTE_MCP === "true", process.env.MCP_UPLOAD_BASE_DIR && process.env.MCP_UPLOAD_BASE_DIR.length > 0
+    ? process.env.MCP_UPLOAD_BASE_DIR
+    : undefined);
 export default config;

package/dist/lib/tm-base-url.js

@@ -1,6 +1,7 @@
 import { apiClient } from "./apiClient.js";
 import logger from "../logger.js";
 import { getBrowserStackAuth } from "./get-auth.js";
+import appConfig from "../config.js";
 const TM_BASE_URLS = [
     "https://test-management.browserstack.com",
     "https://test-management-eu.browserstack.com",
@@ -8,7 +9,10 @@ const TM_BASE_URLS = [
 ];
 let cachedBaseUrl = null;
 export async function getTMBaseURL(config) {
-    if (cachedBaseUrl) {
+    // Skip the module-level cache in remote (multi-tenant) mode: it is process-shared,
+    // so the first user's region would be served to every subsequent user — breaking
+    // requests for users on a different region's BrowserStack account.
+    if (!appConfig.REMOTE_MCP && cachedBaseUrl) {
         logger.debug(`Using cached TM base URL: ${cachedBaseUrl}`);
         return cachedBaseUrl;
     }
@@ -24,7 +28,11 @@ export async function getTMBaseURL(config) {
                 raise_error: false,
             });
             if (res.ok) {
-                cachedBaseUrl = baseUrl;
+                // Only populate the cache in single-tenant (stdio) mode; in remote mode
+                // the cache must stay empty so each user discovers their own region.
+                if (!appConfig.REMOTE_MCP) {
+                    cachedBaseUrl = baseUrl;
+                }
                 logger.info(`Selected TM base URL: ${baseUrl}`);
                 return baseUrl;
             }

package/dist/lib/upload-validator.d.ts

@@ -0,0 +1,23 @@
+export interface UploadValidationOptions {
+    allowedExtensions: readonly string[];
+    maxSizeBytes: number;
+    allowedBaseDir?: string;
+}
+/**
+ * Canonicalizes and validates a user-supplied upload path. Returns the resolved
+ * absolute path that callers should stream from. Throws on any rule violation.
+ *
+ * Rules enforced:
+ *  - Path resolves (via realpath) to an existing regular file
+ *  - File size is within `maxSizeBytes`
+ *  - File extension is in `allowedExtensions` (case-insensitive)
+ *  - No path segment is a hidden dir/file (starts with `.`); blocks ~/.ssh,
+ *    ~/.aws, .env, etc. even after symlink resolution
+ *  - If `allowedBaseDir` is set, the canonical path must live inside it
+ */
+export declare function validateUploadPath(filePath: string, options: UploadValidationOptions): string;
+export declare const APP_BINARY_EXTENSIONS: readonly [".apk", ".aab", ".ipa", ".app", ".zip"];
+export declare const TEST_MANAGEMENT_ATTACHMENT_EXTENSIONS: readonly [".pdf", ".txt", ".md", ".doc", ".docx", ".png", ".jpg", ".jpeg", ".gif", ".csv", ".xls", ".xlsx", ".json", ".html", ".zip"];
+export declare const ONE_MB: number;
+export declare const MAX_APP_UPLOAD_BYTES: number;
+export declare const MAX_ATTACHMENT_UPLOAD_BYTES: number;

package/dist/lib/upload-validator.js

@@ -0,0 +1,94 @@
+import fs from "fs";
+import path from "path";
+/**
+ * Canonicalizes and validates a user-supplied upload path. Returns the resolved
+ * absolute path that callers should stream from. Throws on any rule violation.
+ *
+ * Rules enforced:
+ *  - Path resolves (via realpath) to an existing regular file
+ *  - File size is within `maxSizeBytes`
+ *  - File extension is in `allowedExtensions` (case-insensitive)
+ *  - No path segment is a hidden dir/file (starts with `.`); blocks ~/.ssh,
+ *    ~/.aws, .env, etc. even after symlink resolution
+ *  - If `allowedBaseDir` is set, the canonical path must live inside it
+ */
+export function validateUploadPath(filePath, options) {
+    if (typeof filePath !== "string" || filePath.trim().length === 0) {
+        throw new Error("Upload rejected: file path is empty.");
+    }
+    let canonical;
+    try {
+        canonical = fs.realpathSync(path.resolve(filePath));
+    }
+    catch {
+        throw new Error(`File not found at path: ${filePath}`);
+    }
+    let stats;
+    try {
+        stats = fs.statSync(canonical);
+    }
+    catch {
+        throw new Error(`File not found at path: ${filePath}`);
+    }
+    if (!stats.isFile()) {
+        throw new Error(`Upload rejected: path does not point to a regular file: ${filePath}`);
+    }
+    if (stats.size > options.maxSizeBytes) {
+        const maxMb = Math.round(options.maxSizeBytes / (1024 * 1024));
+        throw new Error(`Upload rejected: file exceeds maximum allowed size of ${maxMb} MB.`);
+    }
+    const segments = canonical.split(path.sep).filter((s) => s.length > 0);
+    for (const seg of segments) {
+        if (seg.startsWith(".") && seg !== "." && seg !== "..") {
+            throw new Error(`Upload rejected: path traverses a hidden directory or file ("${seg}"). Move the file to a non-hidden location or set MCP_UPLOAD_BASE_DIR.`);
+        }
+    }
+    const ext = path.extname(canonical).toLowerCase();
+    const allowed = options.allowedExtensions.map((e) => e.toLowerCase());
+    if (!allowed.includes(ext)) {
+        throw new Error(`Upload rejected: file extension "${ext || "(none)"}" is not in the allowed list (${allowed.join(", ")}).`);
+    }
+    if (options.allowedBaseDir) {
+        let baseCanonical;
+        try {
+            baseCanonical = fs.realpathSync(path.resolve(options.allowedBaseDir));
+        }
+        catch {
+            throw new Error(`Upload rejected: configured MCP_UPLOAD_BASE_DIR does not exist (${options.allowedBaseDir}).`);
+        }
+        const baseWithSep = baseCanonical.endsWith(path.sep)
+            ? baseCanonical
+            : baseCanonical + path.sep;
+        if (canonical !== baseCanonical && !canonical.startsWith(baseWithSep)) {
+            throw new Error(`Upload rejected: file must be located inside ${baseCanonical}.`);
+        }
+    }
+    return canonical;
+}
+export const APP_BINARY_EXTENSIONS = [
+    ".apk",
+    ".aab",
+    ".ipa",
+    ".app",
+    ".zip",
+];
+export const TEST_MANAGEMENT_ATTACHMENT_EXTENSIONS = [
+    ".pdf",
+    ".txt",
+    ".md",
+    ".doc",
+    ".docx",
+    ".png",
+    ".jpg",
+    ".jpeg",
+    ".gif",
+    ".csv",
+    ".xls",
+    ".xlsx",
+    ".json",
+    ".html",
+    ".zip",
+];
+export const ONE_MB = 1024 * 1024;
+export const MAX_APP_UPLOAD_BYTES = 4 * 1024 * ONE_MB; // 4 GB — matches BrowserStack app upload limit
+export const MAX_ATTACHMENT_UPLOAD_BYTES = 100 * ONE_MB; // 100 MB

package/dist/tools/accessibility.js

@@ -144,7 +144,7 @@ async function createAuthConfig(args, config) {
 async function executeCreateAuthConfig(args, server, config) {
     try {
         trackMCP("createAccessibilityAuthConfig", server.server.getClientVersion(), undefined, config);
-        logger.info(`Creating auth config: ${JSON.stringify(args)}`);
+        logger.info(`Creating auth config: ${JSON.stringify({ ...args, password: "***" })}`);
         const result = await createAuthConfig(args, config);
         return createSuccessResponse([
             `✅ Auth config "${args.name}" created successfully with ID: ${result.data?.id}`,

package/dist/tools/appautomate-utils/native-execution/appautomate.d.ts

@@ -38,6 +38,6 @@ export declare function uploadEspressoApp(appPath: string, config: BrowserStackC
 export declare function uploadEspressoTestSuite(testSuitePath: string, config: BrowserStackConfig): Promise<string>;
 export declare function uploadXcuiApp(appPath: string, config: BrowserStackConfig): Promise<string>;
 export declare function uploadXcuiTestSuite(testSuitePath: string, config: BrowserStackConfig): Promise<string>;
-export declare function triggerEspressoBuild(app_url: string, test_suite_url: string, devices: string[], project: string): Promise<string>;
+export declare function triggerEspressoBuild(app_url: string, test_suite_url: string, devices: string[], project: string, config: BrowserStackConfig): Promise<string>;
 export declare function triggerXcuiBuild(app_url: string, test_suite_url: string, devices: string[], project: string, config: BrowserStackConfig): Promise<string>;
 export {};

package/dist/tools/appautomate-utils/native-execution/appautomate.js

@@ -2,6 +2,9 @@ import fs from "fs";
 import FormData from "form-data";
 import { apiClient } from "../../../lib/apiClient.js";
 import { customFuzzySearch } from "../../../lib/fuzzy.js";
+import { getBrowserStackAuth } from "../../../lib/get-auth.js";
+import { validateUploadPath, APP_BINARY_EXTENSIONS, MAX_APP_UPLOAD_BYTES, } from "../../../lib/upload-validator.js";
+import appConfig from "../../../config.js";
 /**
  * Finds devices that exactly match the provided display name.
  * Uses fuzzy search first, and then filters for exact case-insensitive match.
@@ -73,12 +76,13 @@ export function validateArgs(args) {
  * Uploads an application file to AppAutomate and returns the app URL
  */
 export async function uploadApp(appPath, username, password) {
-    const filePath = appPath;
-    if (!fs.existsSync(filePath)) {
-        throw new Error(`File not found at path: ${filePath}`);
-    }
+    const safePath = validateUploadPath(appPath, {
+        allowedExtensions: APP_BINARY_EXTENSIONS,
+        maxSizeBytes: MAX_APP_UPLOAD_BYTES,
+        allowedBaseDir: appConfig.UPLOAD_BASE_DIR,
+    });
     const formData = new FormData();
-    formData.append("file", fs.createReadStream(filePath));
+    formData.append("file", fs.createReadStream(safePath));
     const response = await apiClient.post({
         url: "https://api-cloud.browserstack.com/app-automate/upload",
         headers: {
@@ -95,12 +99,14 @@ export async function uploadApp(appPath, username, password) {
     }
 }
 // Helper to upload a file to a given BrowserStack endpoint and return a specific property from the response.
-async function uploadFileToBrowserStack(filePath, endpoint, responseKey, config) {
-    if (!fs.existsSync(filePath)) {
-        throw new Error(`File not found at path: ${filePath}`);
-    }
+async function uploadFileToBrowserStack(filePath, endpoint, responseKey, config, validation) {
+    const safePath = validateUploadPath(filePath, {
+        allowedExtensions: validation.allowedExtensions,
+        maxSizeBytes: MAX_APP_UPLOAD_BYTES,
+        allowedBaseDir: appConfig.UPLOAD_BASE_DIR,
+    });
     const formData = new FormData();
-    formData.append("file", fs.createReadStream(filePath));
+    formData.append("file", fs.createReadStream(safePath));
     const authHeader = "Basic " +
         Buffer.from(`${config["browserstack-username"]}:${config["browserstack-access-key"]}`).toString("base64");
     const response = await apiClient.post({
@@ -118,31 +124,27 @@ async function uploadFileToBrowserStack(filePath, endpoint, responseKey, config)
 }
 //Uploads an Android app (.apk or .aab) to BrowserStack Espresso endpoint and returns the app_url
 export async function uploadEspressoApp(appPath, config) {
-    return uploadFileToBrowserStack(appPath, "https://api-cloud.browserstack.com/app-automate/espresso/v2/app", "app_url", config);
+    return uploadFileToBrowserStack(appPath, "https://api-cloud.browserstack.com/app-automate/espresso/v2/app", "app_url", config, { allowedExtensions: [".apk", ".aab"] });
 }
 //Uploads an Espresso test suite (.apk) to BrowserStack and returns the test_suite_url
 export async function uploadEspressoTestSuite(testSuitePath, config) {
-    return uploadFileToBrowserStack(testSuitePath, "https://api-cloud.browserstack.com/app-automate/espresso/v2/test-suite", "test_suite_url", config);
+    return uploadFileToBrowserStack(testSuitePath, "https://api-cloud.browserstack.com/app-automate/espresso/v2/test-suite", "test_suite_url", config, { allowedExtensions: [".apk"] });
 }
 //Uploads an iOS app (.ipa) to BrowserStack XCUITest endpoint and returns the app_url
 export async function uploadXcuiApp(appPath, config) {
-    return uploadFileToBrowserStack(appPath, "https://api-cloud.browserstack.com/app-automate/xcuitest/v2/app", "app_url", config);
+    return uploadFileToBrowserStack(appPath, "https://api-cloud.browserstack.com/app-automate/xcuitest/v2/app", "app_url", config, { allowedExtensions: [".ipa"] });
 }
 //Uploads an XCUITest test suite (.zip) to BrowserStack and returns the test_suite_url
 export async function uploadXcuiTestSuite(testSuitePath, config) {
-    return uploadFileToBrowserStack(testSuitePath, "https://api-cloud.browserstack.com/app-automate/xcuitest/v2/test-suite", "test_suite_url", config);
+    return uploadFileToBrowserStack(testSuitePath, "https://api-cloud.browserstack.com/app-automate/xcuitest/v2/test-suite", "test_suite_url", config, { allowedExtensions: [".zip"] });
 }
 // Triggers an Espresso test run on BrowserStack and returns the build_id
-export async function triggerEspressoBuild(app_url, test_suite_url, devices, project) {
-    const auth = {
-        username: process.env.BROWSERSTACK_USERNAME || "",
-        password: process.env.BROWSERSTACK_ACCESS_KEY || "",
-    };
+export async function triggerEspressoBuild(app_url, test_suite_url, devices, project, config) {
+    const authHeader = "Basic " + Buffer.from(getBrowserStackAuth(config)).toString("base64");
     const response = await apiClient.post({
         url: "https://api-cloud.browserstack.com/app-automate/espresso/v2/build",
         headers: {
-            Authorization: "Basic " +
-                Buffer.from(`${auth.username}:${auth.password}`).toString("base64"),
+            Authorization: authHeader,
             "Content-Type": "application/json",
         },
         body: {

package/dist/tools/appautomate.js

@@ -133,7 +133,7 @@ async function runAppTestsOnBrowserStack(args, config) {
                     const [, deviceName, osVersion] = device;
                     return `${deviceName}-${osVersion}`;
                 });
-                const build_id = await triggerEspressoBuild(app_url, test_suite_url, deviceStrings, args.project);
+                const build_id = await triggerEspressoBuild(app_url, test_suite_url, deviceStrings, args.project, config);
                 return {
                     content: [
                         {

package/dist/tools/applive-utils/upload-app.js

@@ -1,12 +1,16 @@
 import { apiClient } from "../../lib/apiClient.js";
 import FormData from "form-data";
 import fs from "fs";
+import { validateUploadPath, APP_BINARY_EXTENSIONS, MAX_APP_UPLOAD_BYTES, } from "../../lib/upload-validator.js";
+import appConfig from "../../config.js";
 export async function uploadApp(filePath, username, password) {
-    if (!fs.existsSync(filePath)) {
-        throw new Error(`File not found at path: ${filePath}`);
-    }
+    const safePath = validateUploadPath(filePath, {
+        allowedExtensions: APP_BINARY_EXTENSIONS,
+        maxSizeBytes: MAX_APP_UPLOAD_BYTES,
+        allowedBaseDir: appConfig.UPLOAD_BASE_DIR,
+    });
     const formData = new FormData();
-    formData.append("file", fs.createReadStream(filePath));
+    formData.append("file", fs.createReadStream(safePath));
     try {
         const response = await apiClient.post({
             url: "https://api-cloud.browserstack.com/app-live/upload",

package/dist/tools/percy-sdk.js

@@ -1,6 +1,7 @@
 import { trackMCP } from "../index.js";
 import { fetchPercyChanges } from "./review-agent.js";
 import { addListTestFiles } from "./list-test-files.js";
+import { runPercyScan } from "./run-percy-scan.js";
 import { SetUpPercyParamsShape } from "./sdk-utils/common/schema.js";
 import { updateTestsWithPercyCommands } from "./add-percy-snapshots.js";
 import { approveOrDeclinePercyBuild } from "./review-agent-utils/percy-approve-reject.js";
@@ -8,10 +9,7 @@ import { setUpPercyHandler, simulatePercyChangeHandler, } from "./sdk-utils/hand
 import { z } from "zod";
 import { SETUP_PERCY_DESCRIPTION, LIST_TEST_FILES_DESCRIPTION, PERCY_SNAPSHOT_COMMANDS_DESCRIPTION, SIMULATE_PERCY_CHANGE_DESCRIPTION, } from "./sdk-utils/common/constants.js";
 import { UpdateTestFileWithInstructionsParams } from "./percy-snapshot-utils/constants.js";
-import { 
-// PMAA-100: kept commented so the registration block below is easy to restore once the proper fix lands.
-// RunPercyScanParamsShape,
-FetchPercyChangesParamsShape, ManagePercyBuildApprovalParamsShape, } from "./sdk-utils/common/schema.js";
+import { RunPercyScanParamsShape, FetchPercyChangesParamsShape, ManagePercyBuildApprovalParamsShape, } from "./sdk-utils/common/schema.js";
 import { handleMCPError } from "../lib/utils.js";
 export function registerPercyTools(server, config) {
     const tools = {};
@@ -68,22 +66,15 @@ export function registerPercyTools(server, config) {
             return handleMCPError("listTestFiles", server, config, error);
         }
     });
-    // PMAA-100: runPercyScan temporarily disabled — fetched Percy token was being
-    // returned in plaintext within tool output (see HackerOne #3576387). Re-enable
-    // once the token is replaced with a placeholder in run-percy-scan.ts.
-    // tools.runPercyScan = server.tool(
-    //   "runPercyScan",
-    //   "Run a Percy visual test scan. Example prompts : Run this Percy build/scan. Never run percy scan/build without this tool",
-    //   RunPercyScanParamsShape,
-    //   async (args) => {
-    //     try {
-    //       trackMCP("runPercyScan", server.server.getClientVersion()!, config);
-    //       return runPercyScan(args, config);
-    //     } catch (error) {
-    //       return handleMCPError("runPercyScan", server, config, error);
-    //     }
-    //   },
-    // );
+    tools.runPercyScan = server.tool("runPercyScan", "Run a Percy visual test scan. Example prompts : Run this Percy build/scan. Never run percy scan/build without this tool", RunPercyScanParamsShape, async (args) => {
+        try {
+            trackMCP("runPercyScan", server.server.getClientVersion(), config);
+            return runPercyScan(args);
+        }
+        catch (error) {
+            return handleMCPError("runPercyScan", server, config, error);
+        }
+    });
     tools.fetchPercyChanges = server.tool("fetchPercyChanges", "Retrieves and summarizes all visual changes detected by Percy AI between the latest and previous builds, helping quickly review what has changed in your project.", FetchPercyChangesParamsShape, async (args) => {
         try {
             trackMCP("fetchPercyChanges", server.server.getClientVersion(), config);

package/dist/tools/run-percy-scan.d.ts

@@ -1,8 +1,7 @@
 import { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
 import { PercyIntegrationTypeEnum } from "./sdk-utils/common/types.js";
-import { BrowserStackConfig } from "../lib/types.js";
 export declare function runPercyScan(args: {
     projectName: string;
     integrationType: PercyIntegrationTypeEnum;
     instruction?: string;
-}, config: BrowserStackConfig): Promise<CallToolResult>;
+}): Promise<CallToolResult>;

package/dist/tools/run-percy-scan.js

@@ -1,14 +1,8 @@
-import { getBrowserStackAuth } from "../lib/get-auth.js";
-import { fetchPercyToken } from "./sdk-utils/percy-web/fetchPercyToken.js";
 import { storedPercyResults } from "../lib/inmemory-store.js";
 import { getFrameworkTestCommand, PERCY_FALLBACK_STEPS, } from "./sdk-utils/percy-web/constants.js";
 import path from "path";
-export async function runPercyScan(args, config) {
-    const { projectName, integrationType, instruction } = args;
-    const authorization = getBrowserStackAuth(config);
-    const percyToken = await fetchPercyToken(projectName, authorization, {
-        type: integrationType,
-    });
+export async function runPercyScan(args) {
+    const { projectName, instruction } = args;
     // Check if we have stored data and project matches
     const stored = storedPercyResults.get();
     // Compute if we have updated files to run
@@ -16,7 +10,7 @@ export async function runPercyScan(args, config) {
     const updatedFiles = hasUpdatedFiles ? getUpdatedFiles(stored) : [];
     // Build steps array with conditional spread
     const steps = [
-        generatePercyTokenInstructions(percyToken),
+        generatePercyTokenInstructions(),
         ...(hasUpdatedFiles ? generateUpdatedFilesSteps(stored, updatedFiles) : []),
         ...(instruction && !hasUpdatedFiles
             ? generateInstructionSteps(instruction)
@@ -35,12 +29,14 @@ export async function runPercyScan(args, config) {
         ],
     };
 }
-function generatePercyTokenInstructions(percyToken) {
-    return `Set the environment variable for your project:
+function generatePercyTokenInstructions() {
+    return `Set the PERCY_TOKEN environment variable for your project. Retrieve your project's token from the Percy dashboard (https://percy.io → Project Settings → Project Token) and add it to your project's .env file (PERCY_TOKEN=<your Percy project token>) or export it in your shell:
 
-export PERCY_TOKEN="${percyToken}"
+  - macOS/Linux:    export PERCY_TOKEN="<your Percy project token>"
+  - Windows (PS):   $env:PERCY_TOKEN="<your Percy project token>"
+  - Windows (CMD):  set PERCY_TOKEN=<your Percy project token>
 
-(For Windows: use 'setx PERCY_TOKEN "${percyToken}"' or 'set PERCY_TOKEN=${percyToken}' as appropriate.)`;
+Do not paste the token into chat or commit it.`;
 }
 const toAbs = (p) => p ? path.resolve(p) : undefined;
 function checkForUpdatedFiles(stored, // storedPercyResults structure

package/dist/tools/sdk-utils/bstack/commands.js

@@ -33,7 +33,7 @@ const GRADLE_SETUP_INSTRUCTIONS = `
    jvmArgs "-javaagent:\${browserstackSDKArtifact.file}"
 `;
 // Generates Maven archetype command for Windows platform
-function getMavenCommandForWindows(framework, mavenFramework) {
+function getMavenCommandForWindows(username, accessKey, mavenFramework) {
     return (`mvn archetype:generate -B ` +
         `-DarchetypeGroupId="${MAVEN_ARCHETYPE_GROUP_ID}" ` +
         `-DarchetypeArtifactId="${MAVEN_ARCHETYPE_ARTIFACT_ID}" ` +
@@ -41,8 +41,8 @@ function getMavenCommandForWindows(framework, mavenFramework) {
         `-DgroupId="${MAVEN_ARCHETYPE_GROUP_ID}" ` +
         `-DartifactId="${MAVEN_ARCHETYPE_ARTIFACT_ID}" ` +
         `-Dversion="${MAVEN_ARCHETYPE_VERSION}" ` +
-        `-DBROWSERSTACK_USERNAME="${process.env.BROWSERSTACK_USERNAME}" ` +
-        `-DBROWSERSTACK_ACCESS_KEY="${process.env.BROWSERSTACK_ACCESS_KEY}" ` +
+        `-DBROWSERSTACK_USERNAME="${username}" ` +
+        `-DBROWSERSTACK_ACCESS_KEY="${accessKey}" ` +
         `-DBROWSERSTACK_FRAMEWORK="${mavenFramework}"`);
 }
 // Generates Maven archetype command for Unix-like platforms (macOS/Linux)
@@ -60,7 +60,7 @@ function getJavaSDKInstructions(framework, username, accessKey) {
     const isWindows = process.platform === "win32";
     const platformLabel = isWindows ? "Windows" : "macOS/Linux";
     const mavenCommand = isWindows
-        ? getMavenCommandForWindows(framework, mavenFramework)
+        ? getMavenCommandForWindows(username, accessKey, mavenFramework)
         : getMavenCommandForUnix(username, accessKey, mavenFramework);
     return `---STEP---
 Install BrowserStack Java SDK

package/dist/tools/sdk-utils/handler.js

@@ -1,7 +1,5 @@
 import { formatToolResult } from "./common/utils.js";
 import { PercyIntegrationTypeEnum } from "./common/types.js";
-import { getBrowserStackAuth } from "../../lib/get-auth.js";
-import { fetchPercyToken } from "./percy-web/fetchPercyToken.js";
 import { runPercyWeb } from "./percy-web/handler.js";
 import { runPercyAutomateOnly } from "./percy-automate/handler.js";
 import { runBstackSDKOnly } from "./bstack/sdkHandler.js";
@@ -32,7 +30,6 @@ export async function setUpPercyHandler(rawInput, config) {
             filePaths: input.filePaths || [],
             testFiles: {},
         });
-        const authorization = getBrowserStackAuth(config);
         const folderPaths = input.folderPaths || [];
         const filePaths = input.filePaths || [];
         const percyInput = {
@@ -50,9 +47,7 @@ export async function setUpPercyHandler(rawInput, config) {
             if (!supportCheck.supported) {
                 return percyUnsupportedResult(PercyIntegrationTypeEnum.WEB, supportCheck);
             }
-            // Fetch the Percy token
-            const percyToken = await fetchPercyToken(input.projectName, authorization, { type: PercyIntegrationTypeEnum.WEB });
-            const result = runPercyWeb(percyInput, percyToken);
+            const result = runPercyWeb(percyInput);
             return await formatToolResult(result, "percy-web");
         }
         else if (input.integrationType === PercyIntegrationTypeEnum.AUTOMATE) {
@@ -93,8 +88,7 @@ export async function setUpPercyHandler(rawInput, config) {
                 };
                 const sdkResult = await runBstackSDKOnly(sdkInput, config, true);
                 // Percy Automate instructions
-                const percyToken = await fetchPercyToken(input.projectName, authorization, { type: PercyIntegrationTypeEnum.AUTOMATE });
-                const percyAutomateResult = runPercyAutomateOnly(percyInput, percyToken);
+                const percyAutomateResult = runPercyAutomateOnly(percyInput);
                 // Combine steps: warning, SDK steps, Percy Automate steps
                 const steps = [
                     {

package/dist/tools/sdk-utils/percy-automate/handler.d.ts

@@ -1,3 +1,3 @@
 import { RunTestsInstructionResult } from "../common/types.js";
 import { SetUpPercyInput } from "../common/schema.js";
-export declare function runPercyAutomateOnly(input: SetUpPercyInput, percyToken: string): RunTestsInstructionResult;
+export declare function runPercyAutomateOnly(input: SetUpPercyInput): RunTestsInstructionResult;

package/dist/tools/sdk-utils/percy-automate/handler.js

@@ -1,5 +1,5 @@
 import { SUPPORTED_CONFIGURATIONS } from "./frameworks.js";
-export function runPercyAutomateOnly(input, percyToken) {
+export function runPercyAutomateOnly(input) {
     const steps = [];
     // Assume configuration is supported due to guardrails at orchestration layer
     const languageConfig = SUPPORTED_CONFIGURATIONS[input.detectedLanguage];
@@ -15,7 +15,7 @@ export function runPercyAutomateOnly(input, percyToken) {
     steps.push({
         type: "instruction",
         title: "Set Percy Token in Environment",
-        content: `Here is percy token if required {${percyToken}}`,
+        content: `Retrieve your project's token from the Percy dashboard (https://percy.io → Project Settings → Project Token) and add it to your project's .env file (PERCY_TOKEN=<your Percy project token>) or export it in your shell (e.g. export PERCY_TOKEN="<your Percy project token>"). Do not paste the token into chat or commit it.`,
     });
     steps.push({
         type: "instruction",

package/dist/tools/sdk-utils/percy-web/handler.d.ts

@@ -1,4 +1,4 @@
 import { RunTestsInstructionResult } from "../common/types.js";
 import { SetUpPercyInput } from "../common/schema.js";
 export declare let percyWebSetupInstructions: string;
-export declare function runPercyWeb(input: SetUpPercyInput, percyToken: string): RunTestsInstructionResult;
+export declare function runPercyWeb(input: SetUpPercyInput): RunTestsInstructionResult;

package/dist/tools/sdk-utils/percy-web/handler.js

@@ -1,6 +1,6 @@
 import { SUPPORTED_CONFIGURATIONS } from "./frameworks.js";
 export let percyWebSetupInstructions = "";
-export function runPercyWeb(input, percyToken) {
+export function runPercyWeb(input) {
     const steps = [];
     // Assume configuration is supported due to guardrails at orchestration layer
     const languageConfig = SUPPORTED_CONFIGURATIONS[input.detectedLanguage];
@@ -12,9 +12,12 @@ export function runPercyWeb(input, percyToken) {
     steps.push({
         type: "instruction",
         title: "Set Percy Token in Environment",
-        content: `Set the environment variable for your project:
-        export PERCY_TOKEN="${percyToken}"
-        (For Windows: use 'setx PERCY_TOKEN "${percyToken}"' or 'set PERCY_TOKEN=${percyToken}' as appropriate.)`,
+        content: `Retrieve your project's token from the Percy dashboard (https://percy.io → Project Settings → Project Token) and add it to your project's .env file (PERCY_TOKEN=<your Percy project token>) or export it in your shell:
+        macOS/Linux:    export PERCY_TOKEN="<your Percy project token>"
+        Windows (PS):   $env:PERCY_TOKEN="<your Percy project token>"
+        Windows (CMD):  set PERCY_TOKEN=<your Percy project token>
+
+Do not paste the token into chat or commit it.`,
     });
     steps.push({
         type: "instruction",

package/dist/tools/testmanagement-utils/update-testcase.js

@@ -141,7 +141,7 @@ export async function updateTestCase(params, config) {
     if (params.preconditions !== undefined)
         testCaseBody.preconditions = params.preconditions;
     if (params.test_case_steps !== undefined)
-        testCaseBody.steps = params.test_case_steps;
+        testCaseBody.test_case_steps = params.test_case_steps;
     if (params.owner !== undefined)
         testCaseBody.owner = params.owner;
     if (params.status !== undefined)

package/dist/tools/testmanagement-utils/upload-file.js

@@ -8,6 +8,8 @@ import { getBrowserStackAuth } from "../../lib/get-auth.js";
 import { signedUrlMap } from "../../lib/inmemory-store.js";
 import { projectIdentifierToId } from "./TCG-utils/api.js";
 import { getTMBaseURL } from "../../lib/tm-base-url.js";
+import { validateUploadPath, TEST_MANAGEMENT_ATTACHMENT_EXTENSIONS, MAX_ATTACHMENT_UPLOAD_BYTES, } from "../../lib/upload-validator.js";
+import appConfig from "../../config.js";
 /**
  * Schema for the upload file tool
  */
@@ -25,22 +27,17 @@ export const UploadFileSchema = z.object({
 export async function uploadFile(args, config) {
     const { project_identifier, file_path } = args;
     try {
-        // Validate file exists
-        if (!fs.existsSync(file_path)) {
-            return {
-                content: [
-                    {
-                        type: "text",
-                        text: `File ${file_path} does not exist.`,
-                    },
-                ],
-                isError: true,
-            };
-        }
+        // Canonicalize path and enforce upload safety rules (extension, size,
+        // hidden-directory traversal, optional base-dir containment).
+        const safePath = validateUploadPath(file_path, {
+            allowedExtensions: TEST_MANAGEMENT_ATTACHMENT_EXTENSIONS,
+            maxSizeBytes: MAX_ATTACHMENT_UPLOAD_BYTES,
+            allowedBaseDir: appConfig.UPLOAD_BASE_DIR,
+        });
         // Get the project ID
         const projectIdResponse = await projectIdentifierToId(project_identifier, config);
         const formData = new FormData();
-        formData.append("attachments[]", fs.createReadStream(file_path));
+        formData.append("attachments[]", fs.createReadStream(safePath));
         const tmBaseUrl = await getTMBaseURL(config);
         const uploadUrl = `${tmBaseUrl}/api/v1/projects/${projectIdResponse}/generic/attachments/ai_uploads`;
         const response = await apiClient.post({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@browserstack/mcp-server",
-  "version": "1.2.16",
+  "version": "1.2.17",
   "description": "BrowserStack's Official MCP Server",
   "mcpName": "io.github.browserstack/mcp-server",
   "main": "dist/index.js",