@harness-fe/mcp-server 4.0.0-next.1 → 4.0.0-next.3

package/dist/cli.d.ts

@@ -1,18 +0,0 @@
-#!/usr/bin/env node
-/**
- * CLI entry — boots WS bridge + MCP server (stdio or HTTP).
- *
- * Usage:
- *   npx @harness-fe/mcp-server                # 127.0.0.1, stdio MCP
- *   npx @harness-fe/mcp-server --host 0.0.0.0 --token auto
- *   npx @harness-fe/mcp-server --host 0.0.0.0 --token auto --mcp-transport http
- *
- * Leader / follower:
- *   - first process bound to the WS port = leader (in-process Bridge)
- *   - subsequent processes (EADDRINUSE) become followers that attach to
- *     the leader via the `mcp.call` control channel using `RemoteBridge`.
- *
- * This lets multiple Claude Code windows share a single dev-bridge daemon
- * (and thus the same browser / vite-plugin connections).
- */
-export {};

package/dist/cli.js

@@ -1,293 +0,0 @@
-#!/usr/bin/env node
-/**
- * CLI entry — boots WS bridge + MCP server (stdio or HTTP).
- *
- * Usage:
- *   npx @harness-fe/mcp-server                # 127.0.0.1, stdio MCP
- *   npx @harness-fe/mcp-server --host 0.0.0.0 --token auto
- *   npx @harness-fe/mcp-server --host 0.0.0.0 --token auto --mcp-transport http
- *
- * Leader / follower:
- *   - first process bound to the WS port = leader (in-process Bridge)
- *   - subsequent processes (EADDRINUSE) become followers that attach to
- *     the leader via the `mcp.call` control channel using `RemoteBridge`.
- *
- * This lets multiple Claude Code windows share a single dev-bridge daemon
- * (and thus the same browser / vite-plugin connections).
- */
-import { randomBytes } from 'node:crypto';
-import { DEFAULT_HOST, DEFAULT_WS_PORT, buildHttpUrl, isLoopbackHost, parseWsUrl, } from '@harness-fe/protocol';
-import { defaultDataDir } from './bridge.js';
-import { createDaemon } from './daemon.js';
-import { RemoteBridge } from './remoteBridge.js';
-import { startMcpStdioServer } from './mcp.js';
-function printHelpAndExit() {
-    const help = `harness-fe — frontend harness MCP daemon
-
-Usage:
-  harness-fe [options]
-
-Options:
-  --host <addr>          Bind address. Default 127.0.0.1.
-                         Use 0.0.0.0 to accept LAN connections (requires --token).
-  --port <number>        TCP port. Default ${DEFAULT_WS_PORT}.
-  --token <value|auto>   Token required for HTTP/WS auth. Pass "auto" to generate one.
-                         Required when --host is not loopback.
-  --mcp-transport <kind> stdio (default) or http. http mounts /mcp on the bridge.
-  --mcp-path <path>      URL path for the MCP HTTP endpoint. Default /mcp.
-  --public-host <addr>   Override the host printed in outbound URLs. Useful when
-                         binding 0.0.0.0 and the auto-detected LAN IP is wrong.
-  --experimental-env-var <name>
-                         Restrict experimental (in-testing) tools to machines
-                         where <name> is set to a non-empty value. Omit this and
-                         experimental tools are fully on (the default).
-  -h, --help             Show this help.
-
-Environment:
-  HARNESS_FE_HOST                Same as --host
-  HARNESS_FE_TOKEN               Same as --token (use "auto" to generate)
-  HARNESS_FE_MCP_TRANSPORT       Same as --mcp-transport
-  HARNESS_FE_MCP_PATH            Same as --mcp-path
-  HARNESS_FE_EXPERIMENTAL_ENV_VAR  Same as --experimental-env-var
-  HARNESS_FE_URL                 Full ws:// URL (legacy; --host/--port override it)
-`;
-    process.stderr.write(help);
-    process.exit(0);
-}
-function parseArgs(argv) {
-    const args = argv.slice(2);
-    let host;
-    let port;
-    let token;
-    let mcpTransport;
-    let mcpPath;
-    let publicHost;
-    let experimentalEnvVar;
-    for (let i = 0; i < args.length; i++) {
-        const a = args[i];
-        const next = () => {
-            const v = args[++i];
-            if (v == null) {
-                process.stderr.write(`harness-fe: missing value for ${a}\n`);
-                process.exit(2);
-            }
-            return v;
-        };
-        switch (a) {
-            case '-h':
-            case '--help':
-                printHelpAndExit();
-                break;
-            case '--host':
-                host = next();
-                break;
-            case '--port':
-                port = Number(next());
-                if (!Number.isFinite(port) || port <= 0) {
-                    process.stderr.write(`harness-fe: invalid --port\n`);
-                    process.exit(2);
-                }
-                break;
-            case '--token':
-                token = next();
-                break;
-            case '--mcp-transport': {
-                const v = next();
-                if (v !== 'stdio' && v !== 'http') {
-                    process.stderr.write(`harness-fe: invalid --mcp-transport (stdio|http)\n`);
-                    process.exit(2);
-                }
-                mcpTransport = v;
-                break;
-            }
-            case '--mcp-path':
-                mcpPath = next();
-                break;
-            case '--public-host':
-                publicHost = next();
-                break;
-            case '--experimental-env-var':
-                experimentalEnvVar = next();
-                break;
-            default:
-                process.stderr.write(`harness-fe: unknown argument ${a}\n`);
-                process.exit(2);
-        }
-    }
-    // Apply env fallbacks, then URL fallback for host/port.
-    const envUrl = process.env.HARNESS_FE_URL;
-    let envHost;
-    let envPort;
-    if (envUrl) {
-        try {
-            const parsed = parseWsUrl(envUrl);
-            envHost = parsed.host;
-            envPort = parsed.port;
-        }
-        catch {
-            // ignore — fall back to defaults below
-        }
-    }
-    const finalHost = host ?? process.env.HARNESS_FE_HOST ?? envHost ?? DEFAULT_HOST;
-    const finalPort = port ?? envPort ?? DEFAULT_WS_PORT;
-    let finalToken = token ?? process.env.HARNESS_FE_TOKEN;
-    if (finalToken === 'auto') {
-        finalToken = randomBytes(24).toString('base64url');
-    }
-    if (finalToken === '')
-        finalToken = undefined;
-    const finalTransport = (mcpTransport ?? process.env.HARNESS_FE_MCP_TRANSPORT) ??
-        'stdio';
-    if (finalTransport !== 'stdio' && finalTransport !== 'http') {
-        process.stderr.write(`harness-fe: invalid mcp transport "${finalTransport}"\n`);
-        process.exit(2);
-    }
-    const finalMcpPath = mcpPath ?? process.env.HARNESS_FE_MCP_PATH ?? '/mcp';
-    // Data dir defaults to port-keyed path. Explicit env override wins.
-    const finalDataDir = process.env.HARNESS_FE_DATA_DIR ?? defaultDataDir(finalPort);
-    const finalLabel = process.env.HARNESS_FE_LABEL || undefined;
-    // Omitted → undefined → experimental tools fully on (no gate). Supply a
-    // name only to restrict them to machines where that var is set.
-    const finalExperimentalEnvVar = experimentalEnvVar || process.env.HARNESS_FE_EXPERIMENTAL_ENV_VAR || undefined;
-    return {
-        host: finalHost,
-        port: finalPort,
-        token: finalToken,
-        mcpTransport: finalTransport,
-        mcpPath: finalMcpPath,
-        publicHost,
-        label: finalLabel,
-        dataDir: finalDataDir,
-        experimentalEnvVar: finalExperimentalEnvVar,
-    };
-}
-function validate(_cfg) {
-    // Token requirement is left entirely to the operator. We don't refuse
-    // a non-loopback bind without a token — that's their call, not ours.
-    // Warnings are emitted from the banner so the operator sees them; CI /
-    // automation that pipes stderr can suppress as needed.
-}
-function printBanner(cfg, role, viewerUrl) {
-    const lines = [];
-    const labelSuffix = cfg.label ? `  (${cfg.label})` : '';
-    lines.push(`[harness-fe] ${role}: WS bridge listening on ws://${cfg.host}:${cfg.port}${labelSuffix}`);
-    if (role === 'leader') {
-        // Surface the data dir so the user can see exactly where this
-        // daemon's sessions / recordings / projects are landing.
-        lines.push(`[harness-fe] data:   ${cfg.dataDir}`);
-    }
-    const isLan = !isLoopbackHost(cfg.host);
-    if (isLan) {
-        lines.push(`[harness-fe] WARNING: bound to non-loopback host ${cfg.host}.`);
-        if (cfg.token) {
-            lines.push(`[harness-fe]   anyone reaching this host:port with the token can read console / network / recordings.`);
-        }
-        else {
-            lines.push(`[harness-fe]   no token set — anyone on this network can read console / network / recordings.`);
-            lines.push(`[harness-fe]   add --token auto (or HARNESS_FE_TOKEN=…) to enable auth.`);
-        }
-    }
-    // Always print the dashboard URL. The token (when present) is folded
-    // into the query so the first hit hands it off to a cookie; without a
-    // token, auth is disabled and the URL works on its own.
-    const host = cfg.publicHost ?? viewerHost(viewerUrl) ?? cfg.host;
-    const dashboard = buildHttpUrl({ host, port: cfg.port, token: cfg.token });
-    lines.push(`[harness-fe] dashboard: ${dashboard}`);
-    if (cfg.mcpTransport === 'http') {
-        const mcp = buildHttpUrl({ host, port: cfg.port, token: cfg.token, path: cfg.mcpPath });
-        lines.push(`[harness-fe] mcp http:  ${mcp}`);
-        if (cfg.token) {
-            const mcpNoTok = buildHttpUrl({ host, port: cfg.port, path: cfg.mcpPath });
-            lines.push(`[harness-fe]   agent config: { "url": "${mcpNoTok}", "headers": { "Authorization": "Bearer ${cfg.token}" } }`);
-        }
-        else {
-            lines.push(`[harness-fe]   agent config: { "url": "${mcp}" }   (no auth — token unset)`);
-        }
-    }
-    if (cfg.token) {
-        lines.push(`[harness-fe] token:     ${cfg.token}`);
-    }
-    process.stderr.write(lines.join('\n') + '\n');
-}
-function viewerHost(viewerUrl) {
-    if (!viewerUrl)
-        return undefined;
-    try {
-        return new URL(viewerUrl).hostname;
-    }
-    catch {
-        return undefined;
-    }
-}
-async function main() {
-    const cfg = parseArgs(process.argv);
-    validate(cfg);
-    const { active, shutdown, role } = await startBridgeOrAttach(cfg);
-    printBanner(cfg, role, active.getViewerBaseUrl());
-    if (cfg.mcpTransport === 'stdio') {
-        await startMcpStdioServer(active, { experimentalEnvVar: cfg.experimentalEnvVar });
-        process.stderr.write('[harness-fe] MCP stdio server connected\n');
-    }
-    else {
-        // HTTP transport: the leader's createDaemon() call already mounted
-        // /mcp via mcpHttp:true. Followers fall through here with no leader
-        // attached, so HTTP mode is unsupported for them.
-        if (role === 'follower') {
-            process.stderr.write('[harness-fe] --mcp-transport=http is only supported on the leader. ' +
-                'Another daemon already holds the port; stop it first.\n');
-            await shutdown();
-            process.exit(2);
-        }
-        process.stderr.write(`[harness-fe] MCP http server mounted at ${cfg.mcpPath}\n`);
-    }
-    const onSignal = async () => {
-        process.stderr.write('[harness-fe] shutting down\n');
-        await shutdown();
-        process.exit(0);
-    };
-    process.on('SIGINT', onSignal);
-    process.on('SIGTERM', onSignal);
-}
-async function startBridgeOrAttach(cfg) {
-    // Leader path: use createDaemon so there's exactly one boot path between
-    // the CLI and any host application that embeds the daemon. The factory
-    // mounts /mcp itself when mcpHttp:true, so we don't need to call
-    // startMcpHttpServer here.
-    const daemon = createDaemon({
-        port: cfg.port,
-        host: cfg.host,
-        dataDir: cfg.dataDir,
-        label: cfg.label,
-        token: cfg.token,
-        publicHost: cfg.publicHost,
-        mcpHttp: cfg.mcpTransport === 'http',
-        mcpPath: cfg.mcpPath,
-        experimentalEnvVar: cfg.experimentalEnvVar,
-    });
-    try {
-        await daemon.start();
-        return {
-            active: daemon.bridge,
-            shutdown: () => daemon.stop(),
-            role: 'leader',
-        };
-    }
-    catch (err) {
-        if (err?.code !== 'EADDRINUSE')
-            throw err;
-        // Factory's bridge.start failed on EADDRINUSE; the factory itself
-        // didn't mount anything else, so there's nothing further to clean up.
-    }
-    // Port already taken — attach as follower.
-    const remote = new RemoteBridge({ port: cfg.port, host: cfg.host, token: cfg.token });
-    await remote.connect();
-    return {
-        active: remote,
-        shutdown: () => remote.stop(),
-        role: 'follower',
-    };
-}
-main().catch((err) => {
-    process.stderr.write(`[harness-fe] fatal: ${err?.stack ?? err}\n`);
-    process.exit(1);
-});

package/dist/dashboardApi.d.ts

@@ -1,40 +0,0 @@
-/**
- * JSON API surface consumed by `@harness-fe/dashboard-ui` (the React SPA).
- *
- * The shape mirrors what the legacy server-rendered dashboard.ts displayed,
- * but as JSON so the SPA can render it with proper components and live
- * updates. Routes live under `/api/*` to keep them clearly separated from
- * SPA assets (`/dashboard/*`) and the replay viewer (`/replay/*`).
- *
- * Reuses `createReplayExport` from replayCreate.ts for the replay POST —
- * same logic the legacy dashboard's form submission ran through, just
- * returns JSON instead of redirecting.
- *
- * Auth is already enforced by `isAuthorized` in bridge.ts before this
- * handler runs, so we never need to check tokens here.
- */
-import type { IncomingMessage, ServerResponse } from 'node:http';
-import type { IStore, ProjectMeta, RecordingChunkSummary, ReplayExportMeta, SessionMeta, SessionSummary, StoreEvent } from './store/types.js';
-export interface ProjectListEntry {
-    project: ProjectMeta;
-    recentSessions: SessionMeta[];
-}
-export interface SessionDetailResponse {
-    session: SessionMeta;
-    summary: SessionSummary;
-    chunks: RecordingChunkSummary[];
-    timeline: StoreEvent[];
-    exports: ReplayExportMeta[];
-}
-export interface ReplayCreateBody {
-    tabId?: string;
-    ts?: number;
-    windowMs?: number;
-    since?: number;
-    until?: number;
-    label?: string;
-}
-export declare function createDashboardApiHandler(store: IStore, getBaseUrl: () => string | undefined, onExportCreated?: (input: {
-    sessionId: string;
-    projectId?: string;
-}) => void): (req: IncomingMessage, res: ServerResponse) => boolean | Promise<boolean>;

package/dist/dashboardApi.js

@@ -1,142 +0,0 @@
-/**
- * JSON API surface consumed by `@harness-fe/dashboard-ui` (the React SPA).
- *
- * The shape mirrors what the legacy server-rendered dashboard.ts displayed,
- * but as JSON so the SPA can render it with proper components and live
- * updates. Routes live under `/api/*` to keep them clearly separated from
- * SPA assets (`/dashboard/*`) and the replay viewer (`/replay/*`).
- *
- * Reuses `createReplayExport` from replayCreate.ts for the replay POST —
- * same logic the legacy dashboard's form submission ran through, just
- * returns JSON instead of redirecting.
- *
- * Auth is already enforced by `isAuthorized` in bridge.ts before this
- * handler runs, so we never need to check tokens here.
- */
-import { createReplayExport } from './replayCreate.js';
-const TIMELINE_DEFAULT_TAIL = 100;
-const SESSIONS_PER_PROJECT = 10;
-export function createDashboardApiHandler(store, getBaseUrl, onExportCreated) {
-    return async (req, res) => {
-        if (!req.url)
-            return false;
-        const url = new URL(req.url, 'http://localhost');
-        const path = url.pathname;
-        if (!path.startsWith('/api/'))
-            return false;
-        const method = req.method ?? 'GET';
-        // GET /api/projects
-        if (method === 'GET' && path === '/api/projects') {
-            const projects = store.listProjects();
-            const entries = projects.map((project) => {
-                const recentSessions = store.listSessions({
-                    projectId: project.id,
-                    limit: SESSIONS_PER_PROJECT,
-                });
-                return { project, recentSessions };
-            });
-            sendJson(res, 200, { projects: entries });
-            return true;
-        }
-        // GET /api/sessions?projectId=&tabId=&buildId=&limit=
-        if (method === 'GET' && path === '/api/sessions') {
-            const sessions = store.listSessions({
-                projectId: url.searchParams.get('projectId') ?? undefined,
-                tabId: url.searchParams.get('tabId') ?? undefined,
-                buildId: url.searchParams.get('buildId') ?? undefined,
-                limit: parseIntOr(url.searchParams.get('limit'), 50),
-            });
-            sendJson(res, 200, { sessions });
-            return true;
-        }
-        // /api/sessions/:id and /api/sessions/:id/replay
-        const sessionMatch = path.match(/^\/api\/sessions\/([^/]+)(\/replay)?$/);
-        if (sessionMatch) {
-            const sessionId = decodeURIComponent(sessionMatch[1]);
-            const isReplay = !!sessionMatch[2];
-            if (isReplay && method === 'POST') {
-                let body;
-                try {
-                    body = await readJsonBody(req);
-                }
-                catch (err) {
-                    sendJson(res, 400, { error: `invalid JSON body: ${err.message}` });
-                    return true;
-                }
-                const result = createReplayExport(store, getBaseUrl(), {
-                    sessionId,
-                    tabId: body.tabId,
-                    ts: body.ts,
-                    windowMs: body.windowMs,
-                    since: body.since,
-                    until: body.until,
-                    label: body.label,
-                });
-                const status = result.error ? 400 : 200;
-                if (!result.error && result.exportId && onExportCreated) {
-                    // Find the session's project so subscribers can filter.
-                    const projectId = store.getSession(sessionId)?.participants[0]?.projectId;
-                    onExportCreated({ sessionId, projectId });
-                }
-                sendJson(res, status, result);
-                return true;
-            }
-            if (method === 'GET') {
-                const session = store.getSession(sessionId);
-                if (!session) {
-                    sendJson(res, 404, { error: 'session not found', sessionId });
-                    return true;
-                }
-                const summary = store.summary(sessionId);
-                const chunks = store.listRecordings(sessionId);
-                const tailN = parseIntOr(url.searchParams.get('timeline'), TIMELINE_DEFAULT_TAIL);
-                const timeline = store.tail(sessionId, { n: tailN });
-                // Exports for the session's owning project (filter by sessionId).
-                const projectId = session.participants[0]?.projectId ?? '';
-                const exports = projectId
-                    ? store.listExports(projectId, 50).filter((e) => e.sessionId === sessionId)
-                    : [];
-                const body = {
-                    session,
-                    summary,
-                    chunks,
-                    timeline,
-                    exports,
-                };
-                sendJson(res, 200, body);
-                return true;
-            }
-        }
-        // Any other /api/ path → 404 (consumed so the legacy handler doesn't try).
-        sendJson(res, 404, { error: 'not found', path });
-        return true;
-    };
-}
-function sendJson(res, status, body) {
-    res.statusCode = status;
-    res.setHeader('content-type', 'application/json; charset=utf-8');
-    res.setHeader('cache-control', 'no-store');
-    res.end(JSON.stringify(body));
-}
-async function readJsonBody(req) {
-    const chunks = [];
-    let total = 0;
-    const MAX = 1024 * 1024; // 1 MB — replay create bodies are tiny; cap to defend against DoS
-    for await (const chunk of req) {
-        const buf = chunk;
-        total += buf.length;
-        if (total > MAX)
-            throw new Error(`request body exceeds ${MAX} bytes`);
-        chunks.push(buf);
-    }
-    if (chunks.length === 0)
-        return {};
-    const text = Buffer.concat(chunks).toString('utf-8');
-    return JSON.parse(text);
-}
-function parseIntOr(raw, fallback) {
-    if (raw == null)
-        return fallback;
-    const n = Number.parseInt(raw, 10);
-    return Number.isFinite(n) && n > 0 ? n : fallback;
-}

package/dist/dashboardSpa.d.ts

@@ -1,18 +0,0 @@
-/**
- * HTTP handler that serves the React SPA built by `@harness-fe/dashboard-ui`.
- *
- * Routing rules (after the `isAuthorized` middleware in bridge.ts):
- *   - GET /                          → 302 to /dashboard/?token=<preserved> (legacy root)
- *   - GET /sessions/:id              → 302 to /dashboard/sessions/:id?token=… (legacy bookmarks)
- *   - GET /dashboard                 → 302 to /dashboard/?token=<preserved>
- *   - GET /dashboard/                → serve index.html (SPA shell)
- *   - GET /dashboard/<asset.ext>     → serve that file from dist/ (if it exists)
- *   - GET /dashboard/<other-path>    → serve index.html (SPA client-side routing)
- *
- * The dist directory is resolved at module load via `require.resolve()` on
- * the dashboard-ui package — same trick `replayViewer.ts` uses for
- * rrweb-player. No copy step needed; pnpm workspace symlinks just work in
- * dev, and `pnpm deploy` bundles the dist into the published tarball.
- */
-import type { IncomingMessage, ServerResponse } from 'node:http';
-export declare function createDashboardSpaHandler(): (req: IncomingMessage, res: ServerResponse) => boolean;