@bryan-thompson/inspector-assessment-server 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/build/index.js +647 -0
  2. package/build/mcpProxy.js +63 -0
  3. package/package.json +49 -0
package/build/index.js ADDED
@@ -0,0 +1,647 @@
1
+ #!/usr/bin/env node
2
+ import cors from "cors";
3
+ import { parseArgs } from "node:util";
4
+ import { parse as shellParseArgs } from "shell-quote";
5
+ import nodeFetch, { Headers as NodeHeaders } from "node-fetch";
6
+ import fs from "node:fs";
7
+ // Type-compatible wrappers for node-fetch to work with browser-style types
8
+ const fetch = nodeFetch;
9
+ const Headers = NodeHeaders;
10
+ import { SSEClientTransport, SseError, } from "@modelcontextprotocol/sdk/client/sse.js";
11
+ import { StdioClientTransport, getDefaultEnvironment, } from "@modelcontextprotocol/sdk/client/stdio.js";
12
+ import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
13
+ import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
14
+ import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
15
+ import express from "express";
16
+ import { findActualExecutable } from "spawn-rx";
17
+ import mcpProxy from "./mcpProxy.js";
18
+ import { randomUUID, randomBytes, timingSafeEqual } from "node:crypto";
19
+ const DEFAULT_MCP_PROXY_LISTEN_PORT = "6277";
20
+ const defaultEnvironment = {
21
+ ...getDefaultEnvironment(),
22
+ ...(process.env.MCP_ENV_VARS ? JSON.parse(process.env.MCP_ENV_VARS) : {}),
23
+ };
24
+ const { values } = parseArgs({
25
+ args: process.argv.slice(2),
26
+ options: {
27
+ env: { type: "string", default: "" },
28
+ args: { type: "string", default: "" },
29
+ command: { type: "string", default: "" },
30
+ transport: { type: "string", default: "" },
31
+ "server-url": { type: "string", default: "" },
32
+ },
33
+ });
34
+ // Function to get HTTP headers.
35
+ const getHttpHeaders = (req) => {
36
+ const headers = {};
37
+ // Iterate over all headers in the request
38
+ for (const key in req.headers) {
39
+ const lowerKey = key.toLowerCase();
40
+ // Check if the header is one we want to forward
41
+ if (lowerKey.startsWith("mcp-") ||
42
+ lowerKey === "authorization" ||
43
+ lowerKey === "last-event-id") {
44
+ // Exclude the proxy's own authentication header and the Client <-> Proxy session ID header
45
+ if (lowerKey !== "x-mcp-proxy-auth" && lowerKey !== "mcp-session-id") {
46
+ const value = req.headers[key];
47
+ if (typeof value === "string") {
48
+ // If the value is a string, use it directly
49
+ headers[key] = value;
50
+ }
51
+ else if (Array.isArray(value)) {
52
+ // If the value is an array, use the last element
53
+ const lastValue = value.at(-1);
54
+ if (lastValue !== undefined) {
55
+ headers[key] = lastValue;
56
+ }
57
+ }
58
+ // If value is undefined, it's skipped, which is correct.
59
+ }
60
+ }
61
+ }
62
+ // Handle the custom auth header separately. We expect `x-custom-auth-header`
63
+ // to be a string containing the name of the actual authentication header.
64
+ const customAuthHeaderName = req.headers["x-custom-auth-header"];
65
+ if (typeof customAuthHeaderName === "string") {
66
+ const lowerCaseHeaderName = customAuthHeaderName.toLowerCase();
67
+ const value = req.headers[lowerCaseHeaderName];
68
+ if (typeof value === "string") {
69
+ headers[customAuthHeaderName] = value;
70
+ }
71
+ else if (Array.isArray(value)) {
72
+ // If the actual auth header was sent multiple times, use the last value.
73
+ const lastValue = value.at(-1);
74
+ if (lastValue !== undefined) {
75
+ headers[customAuthHeaderName] = lastValue;
76
+ }
77
+ }
78
+ }
79
+ // Handle multiple custom headers (new approach)
80
+ if (req.headers["x-custom-auth-headers"] !== undefined) {
81
+ try {
82
+ const customHeaderNames = JSON.parse(req.headers["x-custom-auth-headers"]);
83
+ if (Array.isArray(customHeaderNames)) {
84
+ customHeaderNames.forEach((headerName) => {
85
+ const lowerCaseHeaderName = headerName.toLowerCase();
86
+ if (req.headers[lowerCaseHeaderName] !== undefined) {
87
+ const value = req.headers[lowerCaseHeaderName];
88
+ headers[headerName] = Array.isArray(value)
89
+ ? value[value.length - 1]
90
+ : value;
91
+ }
92
+ });
93
+ }
94
+ }
95
+ catch (error) {
96
+ console.warn("Failed to parse x-custom-auth-headers:", error);
97
+ }
98
+ }
99
+ return headers;
100
+ };
101
+ /**
102
+ * Updates a headers object in-place, preserving the original Accept header.
103
+ * This is necessary to ensure that transports holding a reference to the headers
104
+ * object see the updates.
105
+ * @param currentHeaders The headers object to update.
106
+ * @param newHeaders The new headers to apply.
107
+ */
108
+ const updateHeadersInPlace = (currentHeaders, newHeaders) => {
109
+ // Preserve the Accept header, which is set at transport creation and
110
+ // is not present in subsequent client requests.
111
+ const accept = currentHeaders["Accept"];
112
+ // Clear the old headers and apply the new ones.
113
+ Object.keys(currentHeaders).forEach((key) => delete currentHeaders[key]);
114
+ Object.assign(currentHeaders, newHeaders);
115
+ // Restore the Accept header.
116
+ if (accept) {
117
+ currentHeaders["Accept"] = accept;
118
+ }
119
+ };
120
+ const app = express();
121
+ app.use(cors());
122
+ app.use((req, res, next) => {
123
+ res.header("Access-Control-Expose-Headers", "mcp-session-id");
124
+ next();
125
+ });
126
+ const webAppTransports = new Map(); // Web app transports by web app sessionId
127
+ const serverTransports = new Map(); // Server Transports by web app sessionId
128
+ const sessionHeaderHolders = new Map(); // For dynamic header updates
129
+ // Use provided token from environment or generate a new one
130
+ const sessionToken = process.env.MCP_PROXY_AUTH_TOKEN || randomBytes(32).toString("hex");
131
+ const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
132
+ // Origin validation middleware to prevent DNS rebinding attacks
133
+ const originValidationMiddleware = (req, res, next) => {
134
+ const origin = req.headers.origin;
135
+ // Default origins based on CLIENT_PORT or use environment variable
136
+ const clientPort = process.env.CLIENT_PORT || "6274";
137
+ const defaultOrigin = `http://localhost:${clientPort}`;
138
+ const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(",") || [
139
+ defaultOrigin,
140
+ ];
141
+ if (origin && !allowedOrigins.includes(origin)) {
142
+ console.error(`Invalid origin: ${origin}`);
143
+ res.status(403).json({
144
+ error: "Forbidden - invalid origin",
145
+ message: "Request blocked to prevent DNS rebinding attacks. Configure allowed origins via environment variable.",
146
+ });
147
+ return;
148
+ }
149
+ next();
150
+ };
151
+ const authMiddleware = (req, res, next) => {
152
+ if (authDisabled) {
153
+ return next();
154
+ }
155
+ const sendUnauthorized = () => {
156
+ res.status(401).json({
157
+ error: "Unauthorized",
158
+ message: "Authentication required. Use the session token shown in the console when starting the server.",
159
+ });
160
+ };
161
+ const authHeader = req.headers["x-mcp-proxy-auth"];
162
+ const authHeaderValue = Array.isArray(authHeader)
163
+ ? authHeader[0]
164
+ : authHeader;
165
+ if (!authHeaderValue || !authHeaderValue.startsWith("Bearer ")) {
166
+ sendUnauthorized();
167
+ return;
168
+ }
169
+ const providedToken = authHeaderValue.substring(7); // Remove 'Bearer ' prefix
170
+ const expectedToken = sessionToken;
171
+ // Convert to buffers for timing-safe comparison
172
+ const providedBuffer = Buffer.from(providedToken);
173
+ const expectedBuffer = Buffer.from(expectedToken);
174
+ // Check length first to prevent timing attacks
175
+ if (providedBuffer.length !== expectedBuffer.length) {
176
+ sendUnauthorized();
177
+ return;
178
+ }
179
+ // Perform timing-safe comparison
180
+ if (!timingSafeEqual(providedBuffer, expectedBuffer)) {
181
+ sendUnauthorized();
182
+ return;
183
+ }
184
+ next();
185
+ };
186
+ /**
187
+ * Converts a Node.js ReadableStream to a web-compatible ReadableStream
188
+ * This is necessary for the EventSource polyfill which expects web streams
189
+ */
190
+ const createWebReadableStream = (nodeStream) => {
191
+ return new ReadableStream({
192
+ start(controller) {
193
+ nodeStream.on("data", (chunk) => {
194
+ controller.enqueue(chunk);
195
+ });
196
+ nodeStream.on("end", () => {
197
+ controller.close();
198
+ });
199
+ nodeStream.on("error", (err) => {
200
+ controller.error(err);
201
+ });
202
+ },
203
+ });
204
+ };
205
+ /**
206
+ * Creates a `fetch` function that merges dynamic session headers with the
207
+ * headers from the actual request, ensuring that request-specific headers like
208
+ * `Content-Type` are preserved. For SSE requests, it also converts Node.js
209
+ * streams to web-compatible streams.
210
+ */
211
+ const createCustomFetch = (headerHolder) => {
212
+ return async (input, init) => {
213
+ // Determine the headers from the original request/init.
214
+ // The SDK may pass a Request object or a URL and an init object.
215
+ const originalHeaders = input instanceof Request ? input.headers : init?.headers;
216
+ // Start with our dynamic session headers.
217
+ const finalHeaders = new Headers(headerHolder.headers);
218
+ // Merge the SDK's request-specific headers, letting them overwrite.
219
+ // This is crucial for preserving Content-Type on POST requests.
220
+ new Headers(originalHeaders).forEach((value, key) => {
221
+ finalHeaders.set(key, value);
222
+ });
223
+ // Convert Headers to a plain object for node-fetch compatibility
224
+ const headersObject = {};
225
+ finalHeaders.forEach((value, key) => {
226
+ headersObject[key] = value;
227
+ });
228
+ // Get the response from node-fetch (cast input and init to handle type differences)
229
+ const response = await fetch(input, { ...init, headers: headersObject });
230
+ // Check if this is an SSE request by looking at the Accept header
231
+ const acceptHeader = finalHeaders.get("Accept");
232
+ const isSSE = acceptHeader?.includes("text/event-stream");
233
+ if (isSSE && response.body) {
234
+ // For SSE requests, we need to convert the Node.js stream to a web ReadableStream
235
+ // because the EventSource polyfill expects web-compatible streams
236
+ const webStream = createWebReadableStream(response.body);
237
+ // Create a new response with the web-compatible stream
238
+ // Convert node-fetch headers to plain object for web Response compatibility
239
+ const responseHeaders = {};
240
+ response.headers.forEach((value, key) => {
241
+ responseHeaders[key] = value;
242
+ });
243
+ return new Response(webStream, {
244
+ status: response.status,
245
+ statusText: response.statusText,
246
+ headers: responseHeaders,
247
+ });
248
+ }
249
+ // For non-SSE requests, return the response as-is (cast to handle type differences)
250
+ return response;
251
+ };
252
+ };
253
+ const createTransport = async (req) => {
254
+ const query = req.query;
255
+ console.log("Query parameters:", JSON.stringify(query));
256
+ const transportType = query.transportType;
257
+ if (transportType === "stdio") {
258
+ const command = query.command.trim();
259
+ const origArgs = shellParseArgs(query.args);
260
+ const queryEnv = query.env ? JSON.parse(query.env) : {};
261
+ const env = { ...defaultEnvironment, ...process.env, ...queryEnv };
262
+ const { cmd, args } = findActualExecutable(command, origArgs);
263
+ console.log(`STDIO transport: command=${cmd}, args=${args}`);
264
+ const transport = new StdioClientTransport({
265
+ command: cmd,
266
+ args,
267
+ env,
268
+ stderr: "pipe",
269
+ });
270
+ await transport.start();
271
+ return { transport };
272
+ }
273
+ else if (transportType === "sse") {
274
+ const url = query.url;
275
+ const headers = getHttpHeaders(req);
276
+ headers["Accept"] = "text/event-stream";
277
+ const headerHolder = { headers };
278
+ console.log(`SSE transport: url=${url}, headers=${JSON.stringify(headers)}`);
279
+ const transport = new SSEClientTransport(new URL(url), {
280
+ eventSourceInit: {
281
+ fetch: createCustomFetch(headerHolder),
282
+ },
283
+ requestInit: {
284
+ headers: headerHolder.headers,
285
+ },
286
+ });
287
+ await transport.start();
288
+ return { transport, headerHolder };
289
+ }
290
+ else if (transportType === "streamable-http") {
291
+ const headers = getHttpHeaders(req);
292
+ headers["Accept"] = "text/event-stream, application/json";
293
+ const headerHolder = { headers };
294
+ const transport = new StreamableHTTPClientTransport(new URL(query.url), {
295
+ // Pass a custom fetch to inject the latest headers on each request
296
+ fetch: createCustomFetch(headerHolder),
297
+ });
298
+ await transport.start();
299
+ return { transport, headerHolder };
300
+ }
301
+ else {
302
+ console.error(`Invalid transport type: ${transportType}`);
303
+ throw new Error("Invalid transport type specified");
304
+ }
305
+ };
306
+ app.get("/mcp", originValidationMiddleware, authMiddleware, async (req, res) => {
307
+ const sessionId = req.headers["mcp-session-id"];
308
+ console.log(`Received GET message for sessionId ${sessionId}`);
309
+ const headerHolder = sessionHeaderHolders.get(sessionId);
310
+ if (headerHolder) {
311
+ updateHeadersInPlace(headerHolder.headers, getHttpHeaders(req));
312
+ }
313
+ try {
314
+ const transport = webAppTransports.get(sessionId);
315
+ if (!transport) {
316
+ res.status(404).end("Session not found");
317
+ return;
318
+ }
319
+ else {
320
+ await transport.handleRequest(req, res);
321
+ }
322
+ }
323
+ catch (error) {
324
+ console.error("Error in /mcp route:", error);
325
+ res.status(500).json(error);
326
+ }
327
+ });
328
+ app.post("/mcp", originValidationMiddleware, authMiddleware, async (req, res) => {
329
+ const sessionId = req.headers["mcp-session-id"];
330
+ if (sessionId) {
331
+ console.log(`Received POST message for sessionId ${sessionId}`);
332
+ const headerHolder = sessionHeaderHolders.get(sessionId);
333
+ if (headerHolder) {
334
+ updateHeadersInPlace(headerHolder.headers, getHttpHeaders(req));
335
+ }
336
+ try {
337
+ const transport = webAppTransports.get(sessionId);
338
+ if (!transport) {
339
+ res.status(404).end("Transport not found for sessionId " + sessionId);
340
+ }
341
+ else {
342
+ await transport.handleRequest(req, res);
343
+ }
344
+ }
345
+ catch (error) {
346
+ console.error("Error in /mcp route:", error);
347
+ res.status(500).json(error);
348
+ }
349
+ }
350
+ else {
351
+ console.log("New StreamableHttp connection request");
352
+ try {
353
+ const { transport: serverTransport, headerHolder } = await createTransport(req);
354
+ const webAppTransport = new StreamableHTTPServerTransport({
355
+ sessionIdGenerator: randomUUID,
356
+ onsessioninitialized: (sessionId) => {
357
+ webAppTransports.set(sessionId, webAppTransport);
358
+ serverTransports.set(sessionId, serverTransport); // eslint-disable-line @typescript-eslint/no-non-null-assertion
359
+ if (headerHolder) {
360
+ sessionHeaderHolders.set(sessionId, headerHolder);
361
+ }
362
+ console.log("Client <-> Proxy sessionId: " + sessionId);
363
+ },
364
+ onsessionclosed: (sessionId) => {
365
+ webAppTransports.delete(sessionId);
366
+ serverTransports.delete(sessionId);
367
+ sessionHeaderHolders.delete(sessionId);
368
+ },
369
+ });
370
+ console.log("Created StreamableHttp client transport");
371
+ await webAppTransport.start();
372
+ mcpProxy({
373
+ transportToClient: webAppTransport,
374
+ transportToServer: serverTransport,
375
+ });
376
+ await webAppTransport.handleRequest(req, res, req.body);
377
+ }
378
+ catch (error) {
379
+ if (error instanceof SseError && error.code === 401) {
380
+ console.error("Received 401 Unauthorized from MCP server:", error.message);
381
+ res.status(401).json(error);
382
+ return;
383
+ }
384
+ console.error("Error in /mcp POST route:", error);
385
+ res.status(500).json(error);
386
+ }
387
+ }
388
+ });
389
+ app.delete("/mcp", originValidationMiddleware, authMiddleware, async (req, res) => {
390
+ const sessionId = req.headers["mcp-session-id"];
391
+ console.log(`Received DELETE message for sessionId ${sessionId}`);
392
+ if (sessionId) {
393
+ try {
394
+ const serverTransport = serverTransports.get(sessionId);
395
+ if (!serverTransport) {
396
+ res.status(404).end("Transport not found for sessionId " + sessionId);
397
+ }
398
+ else {
399
+ await serverTransport.terminateSession();
400
+ webAppTransports.delete(sessionId);
401
+ serverTransports.delete(sessionId);
402
+ sessionHeaderHolders.delete(sessionId);
403
+ console.log(`Transports removed for sessionId ${sessionId}`);
404
+ }
405
+ res.status(200).end();
406
+ }
407
+ catch (error) {
408
+ console.error("Error in /mcp route:", error);
409
+ res.status(500).json(error);
410
+ }
411
+ }
412
+ });
413
+ app.get("/stdio", originValidationMiddleware, authMiddleware, async (req, res) => {
414
+ try {
415
+ console.log("New STDIO connection request");
416
+ const { transport: serverTransport } = await createTransport(req);
417
+ const proxyFullAddress = req.query.proxyFullAddress || "";
418
+ const prefix = proxyFullAddress || "";
419
+ const endpoint = `${prefix}/message`;
420
+ const webAppTransport = new SSEServerTransport(endpoint, res);
421
+ webAppTransports.set(webAppTransport.sessionId, webAppTransport);
422
+ console.log("Created client transport");
423
+ serverTransports.set(webAppTransport.sessionId, serverTransport);
424
+ console.log("Created server transport");
425
+ await webAppTransport.start();
426
+ serverTransport.stderr.on("data", (chunk) => {
427
+ if (chunk.toString().includes("MODULE_NOT_FOUND")) {
428
+ // Server command not found, remove transports
429
+ const message = "Command not found, transports removed";
430
+ webAppTransport.send({
431
+ jsonrpc: "2.0",
432
+ method: "notifications/message",
433
+ params: {
434
+ level: "emergency",
435
+ logger: "proxy",
436
+ data: {
437
+ message,
438
+ },
439
+ },
440
+ });
441
+ webAppTransport.close();
442
+ serverTransport.close();
443
+ webAppTransports.delete(webAppTransport.sessionId);
444
+ serverTransports.delete(webAppTransport.sessionId);
445
+ sessionHeaderHolders.delete(webAppTransport.sessionId);
446
+ console.error(message);
447
+ }
448
+ else {
449
+ // Inspect message and attempt to assign a RFC 5424 Syslog Protocol level
450
+ let level;
451
+ let message = chunk.toString().trim();
452
+ let ucMsg = chunk.toString().toUpperCase();
453
+ if (ucMsg.includes("DEBUG")) {
454
+ level = "debug";
455
+ }
456
+ else if (ucMsg.includes("INFO")) {
457
+ level = "info";
458
+ }
459
+ else if (ucMsg.includes("NOTICE")) {
460
+ level = "notice";
461
+ }
462
+ else if (ucMsg.includes("WARN")) {
463
+ level = "warning";
464
+ }
465
+ else if (ucMsg.includes("ERROR")) {
466
+ level = "error";
467
+ }
468
+ else if (ucMsg.includes("CRITICAL")) {
469
+ level = "critical";
470
+ }
471
+ else if (ucMsg.includes("ALERT")) {
472
+ level = "alert";
473
+ }
474
+ else if (ucMsg.includes("EMERGENCY")) {
475
+ level = "emergency";
476
+ }
477
+ else if (ucMsg.includes("SIGINT")) {
478
+ message = "SIGINT received. Server shutdown.";
479
+ level = "emergency";
480
+ }
481
+ else if (ucMsg.includes("SIGHUP")) {
482
+ message = "SIGHUP received. Server shutdown.";
483
+ level = "emergency";
484
+ }
485
+ else if (ucMsg.includes("SIGTERM")) {
486
+ message = "SIGTERM received. Server shutdown.";
487
+ level = "emergency";
488
+ }
489
+ else {
490
+ level = "info";
491
+ }
492
+ webAppTransport.send({
493
+ jsonrpc: "2.0",
494
+ method: "notifications/message",
495
+ params: {
496
+ level,
497
+ logger: "stdio",
498
+ data: {
499
+ message,
500
+ },
501
+ },
502
+ });
503
+ }
504
+ });
505
+ mcpProxy({
506
+ transportToClient: webAppTransport,
507
+ transportToServer: serverTransport,
508
+ });
509
+ }
510
+ catch (error) {
511
+ if (error instanceof SseError && error.code === 401) {
512
+ console.error("Received 401 Unauthorized from MCP server. Authentication failure.");
513
+ res.status(401).json(error);
514
+ return;
515
+ }
516
+ console.error("Error in /stdio route:", error);
517
+ res.status(500).json(error);
518
+ }
519
+ });
520
+ app.get("/sse", originValidationMiddleware, authMiddleware, async (req, res) => {
521
+ try {
522
+ console.log("New SSE connection request. NOTE: The SSE transport is deprecated and has been replaced by StreamableHttp");
523
+ const { transport: serverTransport, headerHolder } = await createTransport(req);
524
+ const proxyFullAddress = req.query.proxyFullAddress || "";
525
+ const prefix = proxyFullAddress || "";
526
+ const endpoint = `${prefix}/message`;
527
+ const webAppTransport = new SSEServerTransport(endpoint, res);
528
+ webAppTransports.set(webAppTransport.sessionId, webAppTransport);
529
+ console.log("Created client transport");
530
+ serverTransports.set(webAppTransport.sessionId, serverTransport); // eslint-disable-line @typescript-eslint/no-non-null-assertion
531
+ if (headerHolder) {
532
+ sessionHeaderHolders.set(webAppTransport.sessionId, headerHolder);
533
+ }
534
+ console.log("Created server transport");
535
+ await webAppTransport.start();
536
+ mcpProxy({
537
+ transportToClient: webAppTransport,
538
+ transportToServer: serverTransport,
539
+ });
540
+ }
541
+ catch (error) {
542
+ if (error instanceof SseError && error.code === 401) {
543
+ console.error("Received 401 Unauthorized from MCP server. Authentication failure.");
544
+ res.status(401).json(error);
545
+ return;
546
+ }
547
+ else if (error instanceof SseError && error.code === 404) {
548
+ console.error("Received 404 not found from MCP server. Does the MCP server support SSE?");
549
+ res.status(404).json(error);
550
+ return;
551
+ }
552
+ else if (JSON.stringify(error).includes("ECONNREFUSED")) {
553
+ console.error("Connection refused. Is the MCP server running?");
554
+ res.status(500).json(error);
555
+ }
556
+ console.error("Error in /sse route:", error);
557
+ res.status(500).json(error);
558
+ }
559
+ });
560
+ app.post("/message", originValidationMiddleware, authMiddleware, async (req, res) => {
561
+ try {
562
+ const sessionId = req.query.sessionId;
563
+ console.log(`Received POST message for sessionId ${sessionId}`);
564
+ const headerHolder = sessionHeaderHolders.get(sessionId);
565
+ if (headerHolder) {
566
+ updateHeadersInPlace(headerHolder.headers, getHttpHeaders(req));
567
+ }
568
+ const transport = webAppTransports.get(sessionId);
569
+ if (!transport) {
570
+ res.status(404).end("Session not found");
571
+ return;
572
+ }
573
+ await transport.handlePostMessage(req, res);
574
+ }
575
+ catch (error) {
576
+ console.error("Error in /message route:", error);
577
+ res.status(500).json(error);
578
+ }
579
+ });
580
+ app.get("/health", (req, res) => {
581
+ res.json({
582
+ status: "ok",
583
+ });
584
+ });
585
+ // Assessment result persistence endpoint
586
+ app.post("/assessment/save", originValidationMiddleware, authMiddleware, express.json({ limit: "10mb" }), // Allow large JSON payloads
587
+ async (req, res) => {
588
+ try {
589
+ const { serverName, assessment } = req.body;
590
+ const sanitizedName = (serverName || "unknown").replace(/[^a-zA-Z0-9-_]/g, "_");
591
+ const filename = `/tmp/inspector-assessment-${sanitizedName}.json`;
592
+ // Delete old file if exists (cleanup)
593
+ if (fs.existsSync(filename)) {
594
+ fs.unlinkSync(filename);
595
+ }
596
+ // Save new assessment
597
+ fs.writeFileSync(filename, JSON.stringify(assessment, null, 2));
598
+ res.json({
599
+ success: true,
600
+ path: filename,
601
+ message: `Assessment saved to ${filename}`,
602
+ });
603
+ }
604
+ catch (error) {
605
+ res.status(500).json({
606
+ success: false,
607
+ error: error instanceof Error ? error.message : "Unknown error",
608
+ });
609
+ }
610
+ });
611
+ app.get("/config", originValidationMiddleware, authMiddleware, (req, res) => {
612
+ try {
613
+ res.json({
614
+ defaultEnvironment,
615
+ defaultCommand: values.command,
616
+ defaultArgs: values.args,
617
+ defaultTransport: values.transport,
618
+ defaultServerUrl: values["server-url"],
619
+ });
620
+ }
621
+ catch (error) {
622
+ console.error("Error in /config route:", error);
623
+ res.status(500).json(error);
624
+ }
625
+ });
626
+ const PORT = parseInt(process.env.SERVER_PORT || DEFAULT_MCP_PROXY_LISTEN_PORT, 10);
627
+ const HOST = process.env.HOST || "localhost";
628
+ const server = app.listen(PORT, HOST);
629
+ server.on("listening", () => {
630
+ console.log(`⚙️ Proxy server listening on ${HOST}:${PORT}`);
631
+ if (!authDisabled) {
632
+ console.log(`🔑 Session token: ${sessionToken}\n ` +
633
+ `Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth`);
634
+ }
635
+ else {
636
+ console.log(`⚠️ WARNING: Authentication is disabled. This is not recommended.`);
637
+ }
638
+ });
639
+ server.on("error", (err) => {
640
+ if (err.message.includes(`EADDRINUSE`)) {
641
+ console.error(`❌ Proxy Server PORT IS IN USE at port ${PORT} ❌ `);
642
+ }
643
+ else {
644
+ console.error(err.message);
645
+ }
646
+ process.exit(1);
647
+ });
package/build/mcpProxy.js ADDED
@@ -0,0 +1,63 @@
1
+ import { isJSONRPCRequest } from "@modelcontextprotocol/sdk/types.js";
2
+ function onClientError(error) {
3
+ console.error("Error from inspector client:", error);
4
+ }
5
+ function onServerError(error) {
6
+ if (error?.cause && JSON.stringify(error.cause).includes("ECONNREFUSED")) {
7
+ console.error("Connection refused. Is the MCP server running?");
8
+ }
9
+ else if (error.message && error.message.includes("404")) {
10
+ console.error("Error accessing endpoint (HTTP 404)");
11
+ }
12
+ else {
13
+ console.error("Error from MCP server:", error);
14
+ }
15
+ }
16
+ export default function mcpProxy({ transportToClient, transportToServer, }) {
17
+ let transportToClientClosed = false;
18
+ let transportToServerClosed = false;
19
+ let reportedServerSession = false;
20
+ transportToClient.onmessage = (message) => {
21
+ transportToServer.send(message).catch((error) => {
22
+ // Send error response back to client if it was a request (has id) and connection is still open
23
+ if (isJSONRPCRequest(message) && !transportToClientClosed) {
24
+ const errorResponse = {
25
+ jsonrpc: "2.0",
26
+ id: message.id,
27
+ error: {
28
+ code: -32001,
29
+ message: error.message,
30
+ data: error,
31
+ },
32
+ };
33
+ transportToClient.send(errorResponse).catch(onClientError);
34
+ }
35
+ });
36
+ };
37
+ transportToServer.onmessage = (message) => {
38
+ if (!reportedServerSession) {
39
+ if (transportToServer.sessionId) {
40
+ // Can only report for StreamableHttp
41
+ console.error("Proxy <-> Server sessionId: " + transportToServer.sessionId);
42
+ }
43
+ reportedServerSession = true;
44
+ }
45
+ transportToClient.send(message).catch(onClientError);
46
+ };
47
+ transportToClient.onclose = () => {
48
+ if (transportToServerClosed) {
49
+ return;
50
+ }
51
+ transportToClientClosed = true;
52
+ transportToServer.close().catch(onServerError);
53
+ };
54
+ transportToServer.onclose = () => {
55
+ if (transportToClientClosed) {
56
+ return;
57
+ }
58
+ transportToServerClosed = true;
59
+ transportToClient.close().catch(onClientError);
60
+ };
61
+ transportToClient.onerror = onClientError;
62
+ transportToServer.onerror = onServerError;
63
+ }
package/package.json ADDED
@@ -0,0 +1,49 @@
1
+ {
2
+ "name": "@bryan-thompson/inspector-assessment-server",
3
+ "version": "1.0.0",
4
+ "description": "Server-side application for the Enhanced MCP Inspector with assessment capabilities",
5
+ "license": "MIT",
6
+ "author": "Bryan Thompson <bryan@triepod.ai>",
7
+ "contributors": [
8
+ "Anthropic, PBC (original MCP Inspector)"
9
+ ],
10
+ "homepage": "https://github.com/triepod-ai/inspector-assessment",
11
+ "bugs": "https://github.com/triepod-ai/inspector-assessment/issues",
12
+ "repository": {
13
+ "type": "git",
14
+ "url": "https://github.com/triepod-ai/inspector-assessment.git"
15
+ },
16
+ "type": "module",
17
+ "bin": {
18
+ "mcp-inspector-assess-server": "build/index.js"
19
+ },
20
+ "publishConfig": {
21
+ "access": "public"
22
+ },
23
+ "files": [
24
+ "build"
25
+ ],
26
+ "scripts": {
27
+ "build": "tsc",
28
+ "start": "node build/index.js",
29
+ "dev": "tsx watch --clear-screen=false src/index.ts",
30
+ "dev:windows": "tsx watch --clear-screen=false src/index.ts < NUL"
31
+ },
32
+ "devDependencies": {
33
+ "@types/cors": "^2.8.19",
34
+ "@types/express": "^4.17.23",
35
+ "@types/shell-quote": "^1.7.5",
36
+ "@types/ws": "^8.5.12",
37
+ "tsx": "^4.19.0",
38
+ "typescript": "^5.6.2"
39
+ },
40
+ "dependencies": {
41
+ "@modelcontextprotocol/sdk": "^1.18.2",
42
+ "cors": "^2.8.5",
43
+ "express": "^5.1.0",
44
+ "shell-quote": "^1.8.3",
45
+ "spawn-rx": "^5.1.2",
46
+ "ws": "^8.18.0",
47
+ "zod": "^3.25.76"
48
+ }
49
+ }