@browserstack/mcp-server 1.2.18 → 1.2.20-beta.1

package/dist/lib/apiClient.js

@@ -55,7 +55,6 @@ function getAxiosAgent() {
                 host: proxyHost,
                 port: Number(proxyPort),
                 ca,
-                rejectUnauthorized: false, // Set to true if you want strict SSL
             });
         }
         else {
@@ -67,7 +66,6 @@ function getAxiosAgent() {
         // CA only
         return new https.Agent({
             ca: fs.readFileSync(caCertPath),
-            rejectUnauthorized: false, // Set to true for strict SSL
         });
     }
     // Default agent (no proxy, no CA)

package/dist/tools/applive-utils/start-session.js

@@ -5,7 +5,6 @@ import { uploadApp } from "./upload-app.js";
 import { getBrowserStackAuth } from "../../lib/get-auth.js";
 import { findDeviceByName } from "./device-search.js";
 import { pickVersion } from "./version-utils.js";
-import childProcess from "child_process";
 import envConfig from "../../config.js";
 /**
  * Start an App Live session: filter, select, upload, and open.
@@ -69,33 +68,44 @@ export async function startSession(args, options) {
     });
     const launchUrl = `https://app-live.browserstack.com/dashboard#${params.toString()}&device=${deviceParam}`;
     if (!envConfig.REMOTE_MCP) {
-        openBrowser(launchUrl);
+        const openCommand = getOpenBrowserCommand(launchUrl);
+        if (openCommand) {
+            return [
+                `App Live session URL: ${launchUrl}${note}`,
+                ``,
+                `To open the session in the default browser, run:`,
+                `    ${openCommand}`,
+            ].join("\n");
+        }
     }
     return launchUrl + note;
 }
 /**
- * Opens the launch URL in the default browser.
- * @param launchUrl - The URL to open.
- * @throws Will throw an error if the browser fails to open.
+ * Returns the platform-appropriate shell command to open `launchUrl` in the
+ * default browser, or null if the URL is not a trusted BrowserStack URL.
+ *
+ * The command is returned to the MCP client so the host agent can prompt the
+ * user before executing it. The server itself never spawns a process, which
+ * eliminates the command-injection surface entirely.
  */
-function openBrowser(launchUrl) {
+function getOpenBrowserCommand(launchUrl) {
+    let parsed;
     try {
-        const command = process.platform === "darwin"
-            ? ["open", launchUrl]
-            : process.platform === "win32"
-                ? ["cmd", "/c", "start", launchUrl]
-                : ["xdg-open", launchUrl];
-        // nosemgrep:javascript.lang.security.detect-child-process.detect-child-process
-        const child = childProcess.spawn(command[0], command.slice(1), {
-            stdio: "ignore",
-            detached: true,
-        });
-        child.on("error", (error) => {
-            logger.error(`Failed to open browser automatically: ${error}. Please open this URL manually: ${launchUrl}`);
-        });
-        child.unref();
+        parsed = new URL(launchUrl);
+    }
+    catch {
+        logger.error(`Refusing to surface malformed URL: ${launchUrl}`);
+        return null;
     }
-    catch (error) {
-        logger.error(`Failed to open browser automatically: ${error}. Please open this URL manually: ${launchUrl}`);
+    if (parsed.protocol !== "https:" ||
+        !/(^|\.)browserstack\.com$/i.test(parsed.hostname)) {
+        logger.error(`Refusing to surface untrusted URL: ${launchUrl}`);
+        return null;
     }
+    const quoted = `"${parsed.toString()}"`;
+    if (process.platform === "darwin")
+        return `open ${quoted}`;
+    if (process.platform === "win32")
+        return `cmd /c start "" ${quoted}`;
+    return `xdg-open ${quoted}`;
 }

package/dist/tools/live-utils/start-session.js

@@ -1,5 +1,4 @@
 import logger from "../../logger.js";
-import childProcess from "child_process";
 import { filterDesktop } from "./desktop-filter.js";
 import { filterMobile } from "./mobile-filter.js";
 import { PlatformType, } from "./types.js";
@@ -39,10 +38,19 @@ export async function startBrowserSession(args, config) {
     const url = args.platformType === PlatformType.DESKTOP
         ? buildDesktopUrl(args, entry, isLocal)
         : buildMobileUrl(args, entry, isLocal);
+    const note = entry.notes ? `, ${entry.notes}` : "";
     if (!envConfig.REMOTE_MCP) {
-        openBrowser(url);
+        const openCommand = getOpenBrowserCommand(url);
+        if (openCommand) {
+            return [
+                `Live session URL: ${url}${note}`,
+                ``,
+                `To open the session in the default browser, run:`,
+                `    ${openCommand}`,
+            ].join("\n");
+        }
     }
-    return entry.notes ? `${url}, ${entry.notes}` : url;
+    return `${url}${note}`;
 }
 function buildDesktopUrl(args, e, isLocal) {
     const params = new URLSearchParams({
@@ -79,24 +87,33 @@ function buildMobileUrl(args, d, isLocal) {
     });
     return `https://live.browserstack.com/dashboard#${params.toString()}`;
 }
-// ——— Open a browser window ———
-function openBrowser(launchUrl) {
+// ——— Build a browser-open command for the host agent ———
+/**
+ * Returns the platform-appropriate shell command to open `launchUrl` in the
+ * default browser, or null if the URL is not a trusted BrowserStack URL.
+ *
+ * The command is returned to the MCP client so the host agent can prompt the
+ * user before executing it. The server itself never spawns a process, which
+ * eliminates the command-injection surface entirely.
+ */
+function getOpenBrowserCommand(launchUrl) {
+    let parsed;
     try {
-        const command = process.platform === "darwin"
-            ? ["open", launchUrl]
-            : process.platform === "win32"
-                ? ["cmd", "/c", "start", `""`, `"${launchUrl}"`]
-                : ["xdg-open", launchUrl];
-        // nosemgrep:javascript.lang.security.detect-child-process.detect-child-process
-        const child = childProcess.spawn(command[0], command.slice(1), {
-            stdio: "ignore",
-            detached: true,
-            ...(process.platform === "win32" ? { shell: true } : {}),
-        });
-        child.on("error", (err) => logger.error(`Failed to open browser: ${err}. URL: ${launchUrl}`));
-        child.unref();
+        parsed = new URL(launchUrl);
+    }
+    catch {
+        logger.error(`Refusing to surface malformed URL: ${launchUrl}`);
+        return null;
     }
-    catch (err) {
-        logger.error(`Failed to launch browser: ${err}. URL: ${launchUrl}`);
+    if (parsed.protocol !== "https:" ||
+        !/(^|\.)browserstack\.com$/i.test(parsed.hostname)) {
+        logger.error(`Refusing to surface untrusted URL: ${launchUrl}`);
+        return null;
     }
+    const quoted = `"${parsed.toString()}"`;
+    if (process.platform === "darwin")
+        return `open ${quoted}`;
+    if (process.platform === "win32")
+        return `cmd /c start "" ${quoted}`;
+    return `xdg-open ${quoted}`;
 }

package/dist/tools/testmanagement-utils/TCG-utils/api.d.ts

@@ -7,6 +7,15 @@ export declare function fetchFormFields(projectId: string, config: BrowserStackC
     default_fields: any;
     custom_fields: any;
 }>;
+/**
+ * Resolve a default-field input (priority/case_type) to the form's display or
+ * internal name, matching case-insensitively. Returns undefined if no match.
+ */
+export declare function normalizeDefaultFieldValue(fieldValues: Array<{
+    internal_name?: string | null;
+    name?: string;
+    value: any;
+}>, input: string, emit: "name" | "internal_name"): string | undefined;
 /**
  * Trigger AI-based test case generation for a document.
  */

package/dist/tools/testmanagement-utils/TCG-utils/api.js

@@ -16,6 +16,20 @@ export async function fetchFormFields(projectId, config) {
     });
     return res.data;
 }
+/**
+ * Resolve a default-field input (priority/case_type) to the form's display or
+ * internal name, matching case-insensitively. Returns undefined if no match.
+ */
+export function normalizeDefaultFieldValue(fieldValues, input, emit) {
+    const normalized = input.toLowerCase().trim();
+    const match = fieldValues.find((v) => (v.internal_name ?? "").toLowerCase() === normalized ||
+        (v.name ?? "").toLowerCase() === normalized);
+    if (!match)
+        return undefined;
+    if (emit === "name")
+        return match.name;
+    return match.internal_name ?? match.name;
+}
 /**
  * Trigger AI-based test case generation for a document.
  */

package/dist/tools/testmanagement-utils/create-testcase.d.ts

@@ -22,6 +22,7 @@ export interface TestCaseCreateRequest {
     tags?: string[];
     custom_fields?: Record<string, string>;
     automation_status?: string;
+    priority?: string;
 }
 export interface TestCaseResponse {
     data: {
@@ -70,6 +71,7 @@ export declare const CreateTestCaseSchema: z.ZodObject<{
     tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
     custom_fields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     automation_status: z.ZodOptional<z.ZodString>;
+    priority: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 export declare function sanitizeArgs(args: any): any;
 export declare function createTestCase(params: TestCaseCreateRequest, config: BrowserStackConfig): Promise<CallToolResult>;

package/dist/tools/testmanagement-utils/create-testcase.js

@@ -1,8 +1,9 @@
 import { apiClient } from "../../lib/apiClient.js";
 import { z } from "zod";
 import { formatAxiosError } from "../../lib/error.js";
-import { projectIdentifierToId } from "./TCG-utils/api.js";
+import { fetchFormFields, normalizeDefaultFieldValue, projectIdentifierToId, } from "./TCG-utils/api.js";
 import { getTMBaseURL } from "../../lib/tm-base-url.js";
+import logger from "../../logger.js";
 export const CreateTestCaseSchema = z.object({
     project_identifier: z
         .string()
@@ -54,6 +55,10 @@ export const CreateTestCaseSchema = z.object({
         .string()
         .optional()
         .describe("Automation status of the test case. Common values include 'not_automated', 'automated', 'automation_not_required'."),
+    priority: z
+        .string()
+        .optional()
+        .describe("Priority of the test case. Accepts either display name (e.g. 'Critical', 'High', 'Medium', 'Low') or internal name (e.g. 'medium'). If omitted, the project default (usually 'Medium') is applied. Valid values are per-project and discoverable via the form-fields endpoint."),
 });
 export function sanitizeArgs(args) {
     const cleaned = { ...args };
@@ -74,8 +79,27 @@ export function sanitizeArgs(args) {
     return cleaned;
 }
 import { getBrowserStackAuth } from "../../lib/get-auth.js";
+/**
+ * Normalize priority to the display name the create endpoint accepts (it
+ * rejects lowercase). On lookup failure, pass the raw value through.
+ */
+async function normalizePriority(projectIdentifier, priority, config) {
+    try {
+        const numericProjectId = await projectIdentifierToId(projectIdentifier, config);
+        const { default_fields } = await fetchFormFields(numericProjectId, config);
+        return (normalizeDefaultFieldValue(default_fields?.priority?.values ?? [], priority, "name") ?? priority);
+    }
+    catch (err) {
+        logger.warn("Failed to normalize priority value; passing through as given: %s", err instanceof Error ? err.message : String(err));
+        return priority;
+    }
+}
 export async function createTestCase(params, config) {
-    const body = { test_case: params };
+    const testCaseParams = { ...params };
+    if (testCaseParams.priority !== undefined) {
+        testCaseParams.priority = await normalizePriority(params.project_identifier, testCaseParams.priority, config);
+    }
+    const body = { test_case: testCaseParams };
     const authString = getBrowserStackAuth(config);
     const [username, password] = authString.split(":");
     try {

package/dist/tools/testmanagement-utils/update-testcase.js

@@ -1,7 +1,7 @@
 import { apiClient } from "../../lib/apiClient.js";
 import { z } from "zod";
 import { formatAxiosError } from "../../lib/error.js";
-import { fetchFormFields, projectIdentifierToId } from "./TCG-utils/api.js";
+import { fetchFormFields, normalizeDefaultFieldValue, projectIdentifierToId, } from "./TCG-utils/api.js";
 import { getTMBaseURL } from "../../lib/tm-base-url.js";
 import { getBrowserStackAuth } from "../../lib/get-auth.js";
 import logger from "../../logger.js";
@@ -62,26 +62,6 @@ export const UpdateTestCaseSchema = z.object({
         .optional()
         .describe("Map of custom field name/id to value. Valid field names and value types are per-project; discover them via the project's form fields."),
 });
-/**
- * Build a normalizer for a default field's accepted value.
- * The TM PATCH endpoint accepts different casings for different default
- * fields (Title-Case display name for priority/case_type, snake_case
- * internal_name for automation_status). We accept either from the caller
- * and emit the form the API actually wants.
- *
- * Returns undefined when no matching option is found — callers should
- * pass the raw value through so the backend can surface its own error.
- */
-function normalizeDefaultFieldValue(fieldValues, input, emit) {
-    const normalized = input.toLowerCase().trim();
-    const match = fieldValues.find((v) => (v.internal_name ?? "").toLowerCase() === normalized ||
-        (v.name ?? "").toLowerCase() === normalized);
-    if (!match)
-        return undefined;
-    if (emit === "name")
-        return match.name;
-    return match.internal_name ?? match.name;
-}
 /**
  * Normalise default-field inputs (priority/case_type/automation_status) to
  * what the TM PATCH endpoint accepts. Fetches the project's form-fields

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@browserstack/mcp-server",
-  "version": "1.2.18",
+  "version": "1.2.20-beta.1",
   "description": "BrowserStack's Official MCP Server",
   "mcpName": "io.github.browserstack/mcp-server",
   "main": "dist/index.js",