@mcp-use/cli 3.1.0-canary.2 → 3.1.0-canary.3

package/dist/shims/next-shims-cjs.cjs

@@ -0,0 +1,42 @@
+/**
+ * CommonJS-side Next.js runtime-module shim.
+ *
+ * Node's ESM loader hooks (registered via `module.register()`) don't
+ * intercept CommonJS `require()` calls made by tsx's CJS transformer. tsx
+ * compiles TypeScript to CJS by default, so a transitive `import 'server-only'`
+ * inside a user tool becomes `require('server-only')` at runtime — which
+ * ends up loading the real module and throwing.
+ *
+ * This file patches `Module._resolveFilename` at require-time so that any
+ * CJS `require()` for one of the shimmed specifiers resolves to a sibling
+ * no-op module instead.
+ *
+ * Loaded via `node -r <path>` (or `NODE_OPTIONS=-r <path>`) before the user
+ * entry is evaluated. Paired with `next-shims-register.mjs` on the ESM side
+ * for belt-and-braces coverage.
+ */
+
+const Module = require("node:module");
+const path = require("node:path");
+
+// Absolute path to the no-op CJS module that satisfies every shimmed specifier.
+const noopPath = path.join(__dirname, "next-shims-noop.cjs");
+
+// Single source of truth — see next-shims-registry.json. The loader.mjs reads
+// the same file so ESM and CJS interception stay in lockstep.
+const { shimmedModules } = require("./next-shims-registry.json");
+const SHIMMED = new Set(shimmedModules);
+
+const originalResolveFilename = Module._resolveFilename;
+
+Module._resolveFilename = function patchedResolveFilename(
+  request,
+  parent,
+  isMain,
+  options
+) {
+  if (SHIMMED.has(request)) {
+    return noopPath;
+  }
+  return originalResolveFilename.call(this, request, parent, isMain, options);
+};

package/dist/shims/next-shims-loader.mjs

@@ -0,0 +1,119 @@
+/**
+ * Node.js ESM loader hook that resolves Next.js server-runtime modules to
+ * no-op implementations when the MCP server runs outside of Next.js.
+ *
+ * Registered by `next-shims-register.mjs` when the CLI detects `next` in the
+ * user's package.json. See cli/src/utils/next-shims.ts for the host wiring.
+ *
+ * The mapping covers modules that exist inside a Next.js runtime but have
+ * no meaningful behavior outside of it. Each shim is a data: URL so the
+ * loader has zero on-disk footprint.
+ *
+ * The list of specifiers we intercept lives in `next-shims-registry.json`
+ * so this file and `next-shims-cjs.cjs` can't drift out of sync. The
+ * per-module stub bodies (below) still live here because each one has its
+ * own export surface.
+ */
+
+import registry from "./next-shims-registry.json" with { type: "json" };
+
+const SHIMS = new Map([
+  // `import "server-only"` — throws hard at import time in the real package.
+  // In the MCP process there is no client/server boundary to enforce.
+  ["server-only", "data:text/javascript,export{};"],
+
+  // `import "client-only"` — symmetric case; also throws in its real form.
+  ["client-only", "data:text/javascript,export{};"],
+
+  // `import { revalidatePath, revalidateTag, unstable_cache } from "next/cache"`
+  // revalidate* are side-effect functions; unstable_cache wraps a function
+  // and returns a memoized version — here we return the original untouched.
+  [
+    "next/cache",
+    "data:text/javascript," +
+      encodeURIComponent(
+        "export function revalidatePath(){}" +
+          "export function revalidateTag(){}" +
+          "export function unstable_cache(fn){return fn}" +
+          "export function unstable_noStore(){}" +
+          "export const unstable_cacheLife = ()=>{};" +
+          "export const unstable_cacheTag = ()=>{};"
+      ),
+  ],
+
+  // `import { headers, cookies, draftMode } from "next/headers"`
+  // The real implementation requires an incoming RSC request context. For the
+  // MCP server we return inert stand-ins — most tools only read metadata and
+  // default to empty values when they're unavailable.
+  [
+    "next/headers",
+    "data:text/javascript," +
+      encodeURIComponent(
+        "export function headers(){return new Headers();}" +
+          "export function cookies(){return{get(){return undefined},getAll(){return []},has(){return false},set(){},delete(){}};}" +
+          "export function draftMode(){return{isEnabled:false,enable(){},disable(){}};}"
+      ),
+  ],
+
+  // `import { redirect, notFound } from "next/navigation"` — server-side
+  // helpers. redirect/notFound throw special errors in Next; we keep their
+  // throw semantics so callers fail loudly instead of silently continuing.
+  [
+    "next/navigation",
+    "data:text/javascript," +
+      encodeURIComponent(
+        "export function redirect(u){const e=new Error('redirect('+u+') called outside Next.js');e.digest='NEXT_REDIRECT;'+u;throw e;}" +
+          "export function permanentRedirect(u){return redirect(u);}" +
+          "export function notFound(){const e=new Error('notFound() called outside Next.js');e.digest='NEXT_NOT_FOUND';throw e;}" +
+          "export const RedirectType={push:'push',replace:'replace'};"
+      ),
+  ],
+
+  // `import { NextResponse, NextRequest } from "next/server"` — thin wrappers
+  // around Response/Request. The MCP server rarely needs them, but importing
+  // the real module pulls in a lot of Next internals. Provide minimal stubs.
+  [
+    "next/server",
+    "data:text/javascript," +
+      encodeURIComponent(
+        "export class NextResponse extends Response{static json(data,init){return new Response(JSON.stringify(data),{...init,headers:{...(init&&init.headers),'content-type':'application/json'}});}static redirect(url,status){return new Response(null,{status:status||302,headers:{location:String(url)}});}static next(){return new Response(null);}static rewrite(){return new Response(null);}}" +
+          "export class NextRequest extends Request{constructor(input,init){super(input,init);this.nextUrl=new URL(typeof input==='string'?input:input.url);this.cookies={get(){return undefined},getAll(){return []},has(){return false},set(){},delete(){}};}}" +
+          "export const userAgent=()=>({ua:'',browser:{},device:{},engine:{},os:{},cpu:{},isBot:false});"
+      ),
+  ],
+]);
+
+// Sanity check: every entry in the registry must have a stub body in SHIMS,
+// and every stub body must correspond to a registered specifier. Drift here
+// means ESM imports succeed while CJS requires fall through (or vice versa),
+// which is the exact invariant the registry exists to prevent.
+{
+  const registered = new Set(registry.shimmedModules);
+  for (const key of SHIMS.keys()) {
+    if (!registered.has(key)) {
+      throw new Error(
+        `next-shims-loader: "${key}" has a stub body but is not in next-shims-registry.json`
+      );
+    }
+  }
+  for (const key of registered) {
+    if (!SHIMS.has(key)) {
+      throw new Error(
+        `next-shims-loader: "${key}" is in next-shims-registry.json but has no stub body in next-shims-loader.mjs`
+      );
+    }
+  }
+}
+
+/**
+ * @param {string} specifier
+ * @param {{conditions: string[], importAssertions: object, parentURL?: string}} context
+ * @param {(specifier: string, context: object) => Promise<{url: string, format?: string, shortCircuit?: boolean}>} nextResolve
+ */
+export async function resolve(specifier, context, nextResolve) {
+  const shim = SHIMS.get(specifier);
+  if (shim) {
+    return { url: shim, shortCircuit: true, format: "module" };
+  }
+  return nextResolve(specifier, context);
+}

package/dist/shims/next-shims-noop.cjs

@@ -0,0 +1,146 @@
+/**
+ * No-op CommonJS module used by the CJS shim.
+ *
+ * `Module._resolveFilename` in `next-shims-cjs.cjs` redirects every shimmed
+ * specifier (`server-only`, `next/cache`, etc.) to this file. A single
+ * flexible module satisfies all of them because each caller only accesses
+ * the exports relevant to its specifier; anything it doesn't touch is
+ * harmless.
+ *
+ * Keep exports aligned with `next-shims-loader.mjs`.
+ */
+
+"use strict";
+
+// --- next/cache ------------------------------------------------------------
+function revalidatePath() {}
+function revalidateTag() {}
+function unstable_cache(fn) {
+  return fn;
+}
+function unstable_noStore() {}
+const unstable_cacheLife = () => {};
+const unstable_cacheTag = () => {};
+
+// --- next/headers ----------------------------------------------------------
+function headers() {
+  return new Headers();
+}
+function cookies() {
+  return {
+    get() {
+      return undefined;
+    },
+    getAll() {
+      return [];
+    },
+    has() {
+      return false;
+    },
+    set() {},
+    delete() {},
+  };
+}
+function draftMode() {
+  return {
+    isEnabled: false,
+    enable() {},
+    disable() {},
+  };
+}
+
+// --- next/navigation -------------------------------------------------------
+function redirect(url) {
+  const err = new Error(`redirect(${url}) called outside Next.js`);
+  err.digest = "NEXT_REDIRECT;" + url;
+  throw err;
+}
+function permanentRedirect(url) {
+  return redirect(url);
+}
+function notFound() {
+  const err = new Error("notFound() called outside Next.js");
+  err.digest = "NEXT_NOT_FOUND";
+  throw err;
+}
+const RedirectType = { push: "push", replace: "replace" };
+
+// --- next/server -----------------------------------------------------------
+class NextResponse extends Response {
+  static json(data, init) {
+    const headers = { ...((init && init.headers) || {}) };
+    headers["content-type"] = "application/json";
+    return new Response(JSON.stringify(data), { ...init, headers });
+  }
+  static redirect(url, status) {
+    return new Response(null, {
+      status: status || 302,
+      headers: { location: String(url) },
+    });
+  }
+  static next() {
+    return new Response(null);
+  }
+  static rewrite() {
+    return new Response(null);
+  }
+}
+
+class NextRequest extends Request {
+  constructor(input, init) {
+    super(input, init);
+    this.nextUrl = new URL(typeof input === "string" ? input : input.url);
+    this.cookies = {
+      get() {
+        return undefined;
+      },
+      getAll() {
+        return [];
+      },
+      has() {
+        return false;
+      },
+      set() {},
+      delete() {},
+    };
+  }
+}
+
+function userAgent() {
+  return {
+    ua: "",
+    browser: {},
+    device: {},
+    engine: {},
+    os: {},
+    cpu: {},
+    isBot: false,
+  };
+}
+
+// --- export surface --------------------------------------------------------
+// `server-only` / `client-only` exports nothing; the import itself is the
+// side effect. Everything else is exported below; callers only read the
+// names their specifier exposes.
+module.exports = {
+  // next/cache
+  revalidatePath,
+  revalidateTag,
+  unstable_cache,
+  unstable_noStore,
+  unstable_cacheLife,
+  unstable_cacheTag,
+  // next/headers
+  headers,
+  cookies,
+  draftMode,
+  // next/navigation
+  redirect,
+  permanentRedirect,
+  notFound,
+  RedirectType,
+  // next/server
+  NextResponse,
+  NextRequest,
+  userAgent,
+};

package/dist/shims/next-shims-register.mjs

@@ -0,0 +1,14 @@
+/**
+ * Registers the Next.js server-runtime shim loader.
+ *
+ * Passed as `node --import=<this-file>` by the CLI when spawning tsx in
+ * --no-hmr mode, so the shim loader is active before tsx evaluates the
+ * user's MCP server entry.
+ *
+ * The HMR path calls `module.register()` directly in-process; see
+ * cli/src/utils/next-shims.ts.
+ */
+
+import { register } from "node:module";
+
+register("./next-shims-loader.mjs", import.meta.url);

package/dist/shims/next-shims-registry.json

@@ -0,0 +1,11 @@
+{
+  "$comment": "Single source of truth for the Next.js server-runtime modules we shim in the MCP server context (and reject in widget builds). Loaded by next-shims-cjs.cjs (CommonJS require) and next-shims-loader.mjs (ESM import assertions). When adding a new specifier, also add its stub to next-shims-noop.cjs and its data-URL stub to next-shims-loader.mjs.",
+  "shimmedModules": [
+    "server-only",
+    "client-only",
+    "next/cache",
+    "next/headers",
+    "next/navigation",
+    "next/server"
+  ]
+}

package/dist/utils/next-shims.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Next.js runtime-module shim wiring.
+ *
+ * When the CLI runs an MCP server that lives inside a Next.js app (the
+ * `src/mcp/` drop-in layout), transitive imports from the user's tools
+ * almost always pull in Next.js server-runtime modules:
+ *
+ *   - `server-only` — throws on import outside an RSC
+ *   - `next/cache` — revalidatePath / unstable_cache
+ *   - `next/headers` — headers() / cookies()
+ *   - `next/navigation` — redirect() / notFound()
+ *   - `next/server` — NextResponse / NextRequest
+ *
+ * These are all meaningful only inside a Next.js request; outside of one
+ * (i.e., in our MCP server process) they're either unusable or useless.
+ * Rather than asking the developer to write shim files, the CLI detects
+ * Next.js and installs an ESM loader hook that resolves these specifiers to
+ * no-op / inert implementations.
+ *
+ * Detection: presence of `next` in the user's package.json dependencies or
+ * devDependencies.
+ *
+ * Registration happens in two places:
+ *   1. HMR dev mode — inline, via `module.register()` in the parent process
+ *      before `tsImport` is called.
+ *   2. --no-hmr and build — via `NODE_OPTIONS=--import=<register.mjs>` on the
+ *      spawned tsx/esbuild process.
+ */
+/**
+ * Returns true when the project has `next` listed in package.json deps.
+ *
+ * Missing / unreadable package.json returns false silently — the shims are
+ * strictly additive, so "can't decide" should mean "don't shim".
+ */
+export declare function detectNextJsProject(projectPath: string): Promise<boolean>;
+/**
+ * Load Next.js's environment-file cascade into `process.env`.
+ *
+ * Next.js's dev server reads env files in this priority order (highest
+ * wins): `.env.development.local` → `.env.local` → `.env.development` →
+ * `.env`. Tools imported from a Next.js app usually assume these variables
+ * are populated, so the MCP CLI mirrors the same cascade when it runs
+ * inside a Next.js project.
+ *
+ * The values we set here flow to the spawned tsx child through
+ * `runCommand`'s `...process.env` merge.
+ */
+export declare function loadNextJsEnvFiles(projectPath: string): Promise<void>;
+/**
+ * Register the shim loader in the CURRENT Node.js process.
+ *
+ * Used by the HMR dev path, which imports the user's entry via
+ * `tsx/esm/api.tsImport` in-process (no child process). We install both:
+ *
+ *   - The ESM loader hook (handles `import ...` of shimmed specifiers)
+ *   - The CJS `Module._resolveFilename` patch (handles `require(...)`, which
+ *     tsx emits when transpiling TypeScript to CommonJS)
+ *
+ * Returns `true` if at least one half succeeded, `false` only when neither
+ * shim file can be located (graceful degradation — dev still works, users
+ * just see the raw Next.js error on `server-only` etc.).
+ */
+export declare function registerNextShimsInProcess(): Promise<boolean>;
+/**
+ * Build a child-process env that adds both the CJS preload (`-r ...`) and the
+ * ESM registration (`--import=...`) to NODE_OPTIONS, preserving any value
+ * the user already set.
+ *
+ * Both are needed because tsx loads user TypeScript as CJS by default (goes
+ * through `Module._resolveFilename` — covered by `-r`) while some modules are
+ * imported via ESM (covered by `--import=...`).
+ *
+ * If either shim file can't be found on disk, we degrade gracefully — the
+ * dev loop still starts, we just don't shim that half.
+ */
+export declare function withNextShimsEnv(baseEnv: NodeJS.ProcessEnv): NodeJS.ProcessEnv;
+//# sourceMappingURL=next-shims.d.ts.map

package/dist/utils/next-shims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"next-shims.d.ts","sourceRoot":"","sources":["../../src/utils/next-shims.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAMH;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAsB3E;AA4DD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,0BAA0B,IAAI,OAAO,CAAC,OAAO,CAAC,CAuBnE;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,CAAC,UAAU,GACzB,MAAM,CAAC,UAAU,CAkBnB"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@mcp-use/cli",
   "type": "module",
-  "version": "3.1.0-canary.2",
+  "version": "3.1.0-canary.3",
   "description": "The mcp-use CLI is a tool for building and deploying MCP servers with support for ChatGPT Apps, Code Mode, OAuth, Notifications, Sampling, Observability and more.",
   "author": "mcp-use, Inc.",
   "license": "MIT",
@@ -56,8 +56,8 @@
     "vite-plugin-singlefile": "^2.3.2",
     "ws": "^8.19.0",
     "zod": "4.3.5",
-    "@mcp-use/inspector": "2.2.1-canary.2",
-    "mcp-use": "1.24.3-canary.2"
+    "@mcp-use/inspector": "3.0.0-canary.3",
+    "mcp-use": "1.25.0-canary.3"
   },
   "devDependencies": {
     "@types/ws": "^8.18.1",