npm - @mcp-use/inspector - Versions diffs - 0.18.4 → 0.18.5-canary.1 - Mend

@mcp-use/inspector 0.18.4 → 0.18.5-canary.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (238) hide show

package/dist/cli.js CHANGED Viewed

@@ -13,7 +13,7 @@ import open from "open";
 // src/server/shared-routes.ts
 import { mountMcpProxy, mountOAuthProxy } from "mcp-use/server";
-// src/server/shared-utils-browser.ts
+// src/server/shared-utils.ts
 function toBase64(str) {
   if (typeof window !== "undefined" && typeof window.btoa === "function") {
     return window.btoa(str);
@@ -461,6 +461,9 @@ function generateWidgetContentHtml(widgetData) {
         }
         // Inject MCP widget utilities for Image component and file access
+        // __mcpServerUrl provides the server origin for widgets to use in API calls
+        // (e.g., fetch(window.__mcpServerUrl + '/api/fruits') instead of hardcoding localhost)
+        window.__mcpServerUrl = ${devServerBaseUrl ? `"${devServerBaseUrl}"` : '""'};
         window.__mcpPublicUrl = ${devServerBaseUrl ? `"${devServerBaseUrl}/mcp-use/public"` : '""'};
         window.__getFile = function(filename) {
           return ${devServerBaseUrl ? `"${devServerBaseUrl}/mcp-use/widgets/"` : '""'} + filename;
@@ -741,7 +744,7 @@ function generateWidgetContentHtml(widgetData) {
   console.log("[Widget Content] Generated HTML length:", modifiedHtml.length);
   return { html: modifiedHtml };
 }
-function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
+function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl, frameAncestors) {
   const trustedCdns = [
     "https://persistent.oaistatic.com",
     "https://*.oaistatic.com",
@@ -788,6 +791,12 @@ function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
   if (frameDomains && frameDomains.length > 0) {
     frameSrc = `'self' blob: ${frameDomains.join(" ")}`;
   }
+  let frameAncestorsPolicy = "'self'";
+  if (devServerOrigin && !frameAncestors) {
+    frameAncestorsPolicy = "*";
+  } else if (frameAncestors) {
+    frameAncestorsPolicy = frameAncestors;
+  }
   const headers = {
     "Content-Security-Policy": [
       "default-src 'self'",
@@ -800,7 +809,7 @@ function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
       `media-src ${mediaSrc}`,
       `font-src ${fontSrc}`,
       `connect-src ${connectSrc}`,
-      "frame-ancestors 'self'"
+      `frame-ancestors ${frameAncestorsPolicy}`
     ].join("; "),
     "X-Frame-Options": "SAMEORIGIN",
     "X-Content-Type-Options": "nosniff",
@@ -826,7 +835,7 @@ function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
       "media-src 'self' data: https: blob:",
       `font-src 'self' data: ${prodResourceDomainsStr}`,
       `connect-src ${prodConnectSrc}`,
-      "frame-ancestors 'self'"
+      `frame-ancestors ${frameAncestorsPolicy}`
     ].join("; ");
   }
   return headers;
@@ -1301,6 +1310,36 @@ function formatErrorResponse(error, context) {
 }
 // src/server/shared-routes.ts
+function getFrameAncestorsFromEnv() {
+  const envValue = process.env.MCP_INSPECTOR_FRAME_ANCESTORS;
+  if (!envValue) return void 0;
+  const trimmed = envValue.trim();
+  if (trimmed === "*") return "*";
+  return trimmed;
+}
+function toLocalhostUrl(externalUrl, requestUrl) {
+  try {
+    const url = new URL(externalUrl);
+    if (url.hostname === "localhost" || url.hostname === "127.0.0.1") {
+      return externalUrl;
+    }
+    let localPort = "3000";
+    try {
+      const reqUrl = new URL(requestUrl);
+      if (reqUrl.hostname === "localhost" || reqUrl.hostname === "127.0.0.1") {
+        localPort = reqUrl.port || "3000";
+      }
+    } catch {
+    }
+    const portMatch = url.hostname.match(/^(\d+)-/);
+    if (portMatch) {
+      localPort = portMatch[1];
+    }
+    return `http://localhost:${localPort}${url.pathname}${url.search}`;
+  } catch {
+    return externalUrl;
+  }
+}
 async function fetchWithRetry2(url, options, maxRetries = 3, initialDelay = 500) {
   let lastError;
   for (let attempt = 0; attempt <= maxRetries; attempt++) {
@@ -1439,7 +1478,12 @@ function registerInspectorRoutes(app2, config) {
       if (result.error) {
         return c.html(`<html><body>Error: ${result.error}</body></html>`, 404);
       }
-      const headers = getWidgetSecurityHeaders(widgetData.widgetCSP);
+      const headers = getWidgetSecurityHeaders(
+        widgetData.widgetCSP,
+        void 0,
+        // No dev server for production widgets
+        getFrameAncestorsFromEnv()
+      );
       Object.entries(headers).forEach(([key, value]) => {
         c.header(key, value);
       });
@@ -1462,7 +1506,14 @@ function registerInspectorRoutes(app2, config) {
           404
         );
       }
-      const response = await fetchWithRetry2(widgetData.devWidgetUrl);
+      const localDevWidgetUrl = toLocalhostUrl(
+        widgetData.devWidgetUrl,
+        c.req.url
+      );
+      console.log(
+        `[Dev Widget Proxy] Fetching from: ${localDevWidgetUrl} (original: ${widgetData.devWidgetUrl})`
+      );
+      const response = await fetchWithRetry2(localDevWidgetUrl);
       if (!response.ok) {
         const status = response.status;
         return c.html(
@@ -1483,7 +1534,6 @@ function registerInspectorRoutes(app2, config) {
         return c.html(`<html><body>Error: ${result.error}</body></html>`, 500);
       }
       html = result.html;
-      const proxyBase = `/inspector/api/dev-widget/${toolId}/assets`;
       const widgetNameMatch = widgetData.devWidgetUrl?.match(
         /\/mcp-use\/widgets\/([^/?]+)/
       );
@@ -1494,23 +1544,22 @@ function registerInspectorRoutes(app2, config) {
       );
       html = html.replace(
         new RegExp(
-          `(src|href)="(${escapedBaseUrl}/mcp-use/widgets/[^"]+)"`,
+          `(src|href)="(${escapedBaseUrl})(/mcp-use/widgets/[^"]+)"`,
           "g"
         ),
-        (_match, attr, url) => {
-          const path = url.replace(widgetData.devServerBaseUrl, "");
-          return `${attr}="${proxyBase}${path}"`;
+        (_match, attr, _origin, path) => {
+          return `${attr}="${path}"`;
         }
       );
       html = html.replace(
-        /(src|href)="(\/mcp-use\/widgets\/[^"]+)"/g,
-        (_match, attr, path) => {
-          return `${attr}="${widgetData.devServerBaseUrl}${path}"`;
+        /((?:src|href)\s*=\s*|from\s+)(['"])(https?:\/\/(?:localhost|0\.0\.0\.0|127\.0\.0\.1):\d+)(\/mcp-use\/widgets\/[^'"]+)(['"])/g,
+        (_match, attr, q1, _origin, path, q2) => {
+          return `${attr}${q1}${path}${q2}`;
         }
       );
       html = html.replace(/(src|href)="\.\/([^"]+)"/g, (match, attr, path) => {
         if (path.match(/\.(js|css|png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot)$/i)) {
-          return `${attr}="${proxyBase}/mcp-use/widgets/${widgetName}/${path}"`;
+          return `${attr}="/mcp-use/widgets/${widgetName}/${path}"`;
         }
         return match;
       });
@@ -1519,7 +1568,7 @@ function registerInspectorRoutes(app2, config) {
         const wsProtocol = devServerUrl.protocol === "https:" ? "wss" : "ws";
         const wsHost = devServerUrl.host;
         const directWsUrl = `${wsProtocol}://${wsHost}/mcp-use/widgets/`;
-        const baseTag = `<base href="${widgetData.devServerBaseUrl}/mcp-use/widgets/${widgetName}/">`;
+        const baseTag = `<base href="/mcp-use/widgets/${widgetName}/">`;
         const cspWarningScript = `
     <script>
       // Listen for CSP violations (from Report-Only policy)
@@ -1551,11 +1600,16 @@ function registerInspectorRoutes(app2, config) {
       }
       const headers = getWidgetSecurityHeaders(
         widgetData.widgetCSP,
-        widgetData.devServerBaseUrl
+        widgetData.devServerBaseUrl,
+        getFrameAncestorsFromEnv()
       );
       Object.entries(headers).forEach(([key, value]) => {
         c.header(key, value);
       });
+      const scriptUrls = [...html.matchAll(/src\s*=\s*["']([^"']+)["']/g)].map(
+        (m) => m[1]
+      );
+      console.log(`[Dev Widget Proxy] Final HTML script URLs:`, scriptUrls);
       return c.html(html);
     } catch (error) {
       console.error("[Dev Widget Proxy] Error:", error);
@@ -1566,24 +1620,36 @@ function registerInspectorRoutes(app2, config) {
   app2.get("/inspector/api/dev-widget/:toolId/assets/*", async (c) => {
     try {
       const toolId = c.req.param("toolId");
-      const assetPath = c.req.path.replace(
+      const reqUrl = new URL(c.req.url);
+      const assetPath = reqUrl.pathname.replace(
         `/inspector/api/dev-widget/${toolId}/assets`,
         ""
-      );
+      ) + reqUrl.search;
       const widgetData = getWidgetData(toolId);
       if (!widgetData?.devServerBaseUrl) {
         return c.notFound();
       }
-      const devAssetUrl = `${widgetData.devServerBaseUrl}${assetPath}`;
+      const localBaseUrl = toLocalhostUrl(
+        widgetData.devServerBaseUrl,
+        c.req.url
+      );
+      const devAssetUrl = `${localBaseUrl}${assetPath}`;
+      console.log(`[Dev Widget Asset Proxy] ${assetPath} \u2192 ${devAssetUrl}`);
       const response = await fetch(devAssetUrl, {
         headers: {
           Accept: c.req.header("Accept") || "*/*"
         }
       });
       if (!response.ok) {
+        console.warn(
+          `[Dev Widget Asset Proxy] ${devAssetUrl} \u2192 ${response.status}`
+        );
         return c.notFound();
       }
       const contentType = response.headers.get("Content-Type") || "application/octet-stream";
+      console.log(
+        `[Dev Widget Asset Proxy] ${assetPath} \u2192 ${response.status} ${contentType}`
+      );
       const headers = {
         "Content-Type": contentType
       };
@@ -1759,8 +1825,7 @@ function registerInspectorRoutes(app2, config) {
 import { existsSync as existsSync2, readFileSync } from "fs";
 import { join as join2 } from "path";
-// src/server/shared-utils.ts
-import { Buffer as Buffer2 } from "buffer";
+// src/server/file-utils.ts
 import { existsSync } from "fs";
 import { dirname, join } from "path";
 import { fileURLToPath } from "url";
@@ -1796,22 +1861,25 @@ function getClientDistPath() {
   }
   return join(__dirname, "../web");
 }
-var widgetDataStore2 = /* @__PURE__ */ new Map();
-setInterval(
-  () => {
-    const now = Date.now();
-    const ONE_HOUR = 60 * 60 * 1e3;
-    for (const [toolId, data] of widgetDataStore2.entries()) {
-      if (now - data.timestamp > ONE_HOUR) {
-        widgetDataStore2.delete(toolId);
-      }
-    }
-  },
-  5 * 60 * 1e3
-).unref();
 // src/server/shared-static.ts
-function registerStaticRoutes(app2, clientDistPath) {
+function injectRuntimeConfig(html, config) {
+  if (!config) return html;
+  const scripts = [];
+  if (config.devMode) {
+    scripts.push(`<script>window.__MCP_DEV_MODE__ = true;</script>`);
+  }
+  if (config.sandboxOrigin) {
+    scripts.push(
+      `<script>window.__MCP_SANDBOX_ORIGIN__ = ${JSON.stringify(config.sandboxOrigin)};</script>`
+    );
+  }
+  if (scripts.length === 0) return html;
+  const injection = scripts.join("\n    ");
+  return html.replace("</head>", `    ${injection}
+  </head>`);
+}
+function registerStaticRoutes(app2, clientDistPath, runtimeConfig) {
   const distPath = clientDistPath || getClientDistPath();
   if (!checkClientFiles(distPath)) {
     console.warn(`\u26A0\uFE0F  MCP Inspector client files not found at ${distPath}`);
@@ -1853,7 +1921,10 @@ function registerStaticRoutes(app2, clientDistPath) {
   app2.get("/inspector", (c) => {
     const indexPath = join2(distPath, "index.html");
     if (existsSync2(indexPath)) {
-      const content = readFileSync(indexPath, "utf-8");
+      const content = injectRuntimeConfig(
+        readFileSync(indexPath, "utf-8"),
+        runtimeConfig
+      );
       return c.html(content);
     }
     return c.html(`
@@ -1872,7 +1943,10 @@ function registerStaticRoutes(app2, clientDistPath) {
   const handleInspectorRoute = (c) => {
     const indexPath = join2(distPath, "index.html");
     if (existsSync2(indexPath)) {
-      const content = readFileSync(indexPath, "utf-8");
+      const content = injectRuntimeConfig(
+        readFileSync(indexPath, "utf-8"),
+        runtimeConfig
+      );
       return c.html(content);
     }
     return c.notFound();
@@ -1882,7 +1956,10 @@ function registerStaticRoutes(app2, clientDistPath) {
   app2.get("*", (c) => {
     const indexPath = join2(distPath, "index.html");
     if (existsSync2(indexPath)) {
-      const content = readFileSync(indexPath, "utf-8");
+      const content = injectRuntimeConfig(
+        readFileSync(indexPath, "utf-8"),
+        runtimeConfig
+      );
       return c.html(content);
     }
     return c.html(`

package/dist/client/components/ui/SandboxedIframe.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"SandboxedIframe.d.ts","sourceRoot":"","sources":["../../../../src/client/components/ui/SandboxedIframe.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAaH,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,CAAC;IACrC,gBAAgB,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;CAClD;AAED,UAAU,oBAAoB;IAC5B,4CAA4C;IAC5C,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,GAAG,CAAC,EAAE;QACJ,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;IACF,yEAAyE;IACzE,WAAW,CAAC,EAAE;QACZ,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,gEAAgE;IAChE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,IAAI,CAAC;IAC1B,gFAAgF;IAChF,SAAS,EAAE,CAAC,KAAK,EAAE,YAAY,KAAK,IAAI,CAAC;IACzC,qCAAqC;IACrC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,KAAK,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;IAC5B,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe,~~wHA8I1B~~,CAAC"}
1	+ {"version":3,"file":"SandboxedIframe.d.ts","sourceRoot":"","sources":["../../../../src/client/components/ui/SandboxedIframe.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAaH,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,CAAC;IACrC,gBAAgB,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;CAClD;AAED,UAAU,oBAAoB;IAC5B,4CAA4C;IAC5C,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,GAAG,CAAC,EAAE;QACJ,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;IACF,yEAAyE;IACzE,WAAW,CAAC,EAAE;QACZ,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,gEAAgE;IAChE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,IAAI,CAAC;IAC1B,gFAAgF;IAChF,SAAS,EAAE,CAAC,KAAK,EAAE,YAAY,KAAK,IAAI,CAAC;IACzC,qCAAqC;IACrC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,KAAK,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;IAC5B,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe,wHAsJ1B,CAAC"}

package/dist/server/{chunk-LUMZ7A6H.js → chunk-ATXH3EXI.js} RENAMED Viewed

@@ -1,13 +1,13 @@
 import {
   registerInspectorRoutes
-} from "./chunk-3QHKG7YB.js";
+} from "./chunk-RRJYFKES.js";
 import {
   registerStaticRoutes
-} from "./chunk-AINOWQTV.js";
+} from "./chunk-OJE2DNAQ.js";
 import {
   checkClientFiles,
   getClientDistPath
-} from "./chunk-R4HZ2WDD.js";
+} from "./chunk-IDMHJUEM.js";
 // src/server/middleware.ts
 import { Hono } from "hono";
@@ -21,14 +21,18 @@ function mountInspector(app, config) {
       `   Run 'yarn build' in the inspector package to build the UI`
     );
   }
+  const runtimeConfig = {
+    devMode: config?.devMode,
+    sandboxOrigin: config?.sandboxOrigin
+  };
   if (app instanceof Hono) {
     registerInspectorRoutes(app, config);
-    registerStaticRoutes(app, clientDistPath);
+    registerStaticRoutes(app, clientDistPath, runtimeConfig);
     return;
   }
   const honoApp = new Hono();
   registerInspectorRoutes(honoApp, config);
-  registerStaticRoutes(honoApp, clientDistPath);
+  registerStaticRoutes(honoApp, clientDistPath, runtimeConfig);
   app.use((req, res, next) => {
     const url = new URL(req.url || "", `http://${req.headers.host}`);
     const request = new Request(url, {

package/dist/server/chunk-IDMHJUEM.js ADDED Viewed

@@ -0,0 +1,42 @@
+// src/server/file-utils.ts
+import { existsSync } from "fs";
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+function getContentType(filePath) {
+  if (filePath.endsWith(".js")) {
+    return "application/javascript";
+  } else if (filePath.endsWith(".css")) {
+    return "text/css";
+  } else if (filePath.endsWith(".svg")) {
+    return "image/svg+xml";
+  } else if (filePath.endsWith(".html")) {
+    return "text/html";
+  } else if (filePath.endsWith(".json")) {
+    return "application/json";
+  } else if (filePath.endsWith(".png")) {
+    return "image/png";
+  } else if (filePath.endsWith(".jpg") || filePath.endsWith(".jpeg")) {
+    return "image/jpeg";
+  } else if (filePath.endsWith(".ico")) {
+    return "image/x-icon";
+  } else {
+    return "application/octet-stream";
+  }
+}
+function checkClientFiles(clientDistPath) {
+  return existsSync(clientDistPath);
+}
+function getClientDistPath() {
+  const __filename = fileURLToPath(import.meta.url);
+  const __dirname = dirname(__filename);
+  if (__dirname.endsWith("dist") || __dirname.endsWith("dist/")) {
+    return join(__dirname, "web");
+  }
+  return join(__dirname, "../web");
+}
+export {
+  getContentType,
+  checkClientFiles,
+  getClientDistPath
+};

package/dist/server/{chunk-3CIR2XAF.js → chunk-LWRYFYSL.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-// src/server/shared-utils-browser.ts
+// src/server/shared-utils.ts
 function toBase64(str) {
   if (typeof window !== "undefined" && typeof window.btoa === "function") {
     return window.btoa(str);
@@ -446,6 +446,9 @@ function generateWidgetContentHtml(widgetData) {
         }
         // Inject MCP widget utilities for Image component and file access
+        // __mcpServerUrl provides the server origin for widgets to use in API calls
+        // (e.g., fetch(window.__mcpServerUrl + '/api/fruits') instead of hardcoding localhost)
+        window.__mcpServerUrl = ${devServerBaseUrl ? `"${devServerBaseUrl}"` : '""'};
         window.__mcpPublicUrl = ${devServerBaseUrl ? `"${devServerBaseUrl}/mcp-use/public"` : '""'};
         window.__getFile = function(filename) {
           return ${devServerBaseUrl ? `"${devServerBaseUrl}/mcp-use/widgets/"` : '""'} + filename;
@@ -740,7 +743,7 @@ function transformMcpAppsCspToSnakeCase(mcpAppsCsp) {
   }
   return Object.keys(result).length > 0 ? result : void 0;
 }
-function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
+function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl, frameAncestors) {
   const trustedCdns = [
     "https://persistent.oaistatic.com",
     "https://*.oaistatic.com",
@@ -787,6 +790,12 @@ function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
   if (frameDomains && frameDomains.length > 0) {
     frameSrc = `'self' blob: ${frameDomains.join(" ")}`;
   }
+  let frameAncestorsPolicy = "'self'";
+  if (devServerOrigin && !frameAncestors) {
+    frameAncestorsPolicy = "*";
+  } else if (frameAncestors) {
+    frameAncestorsPolicy = frameAncestors;
+  }
   const headers = {
     "Content-Security-Policy": [
       "default-src 'self'",
@@ -799,7 +808,7 @@ function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
       `media-src ${mediaSrc}`,
       `font-src ${fontSrc}`,
       `connect-src ${connectSrc}`,
-      "frame-ancestors 'self'"
+      `frame-ancestors ${frameAncestorsPolicy}`
     ].join("; "),
     "X-Frame-Options": "SAMEORIGIN",
     "X-Content-Type-Options": "nosniff",
@@ -825,7 +834,7 @@ function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
       "media-src 'self' data: https: blob:",
       `font-src 'self' data: ${prodResourceDomainsStr}`,
       `connect-src ${prodConnectSrc}`,
-      "frame-ancestors 'self'"
+      `frame-ancestors ${frameAncestorsPolicy}`
     ].join("; ");
   }
   return headers;

package/dist/server/{chunk-AINOWQTV.js → chunk-OJE2DNAQ.js} RENAMED Viewed

@@ -2,12 +2,28 @@ import {
   checkClientFiles,
   getClientDistPath,
   getContentType
-} from "./chunk-R4HZ2WDD.js";
+} from "./chunk-IDMHJUEM.js";
 // src/server/shared-static.ts
 import { existsSync, readFileSync } from "fs";
 import { join } from "path";
-function registerStaticRoutes(app, clientDistPath) {
+function injectRuntimeConfig(html, config) {
+  if (!config) return html;
+  const scripts = [];
+  if (config.devMode) {
+    scripts.push(`<script>window.__MCP_DEV_MODE__ = true;</script>`);
+  }
+  if (config.sandboxOrigin) {
+    scripts.push(
+      `<script>window.__MCP_SANDBOX_ORIGIN__ = ${JSON.stringify(config.sandboxOrigin)};</script>`
+    );
+  }
+  if (scripts.length === 0) return html;
+  const injection = scripts.join("\n    ");
+  return html.replace("</head>", `    ${injection}
+  </head>`);
+}
+function registerStaticRoutes(app, clientDistPath, runtimeConfig) {
   const distPath = clientDistPath || getClientDistPath();
   if (!checkClientFiles(distPath)) {
     console.warn(`\u26A0\uFE0F  MCP Inspector client files not found at ${distPath}`);
@@ -49,7 +65,10 @@ function registerStaticRoutes(app, clientDistPath) {
   app.get("/inspector", (c) => {
     const indexPath = join(distPath, "index.html");
     if (existsSync(indexPath)) {
-      const content = readFileSync(indexPath, "utf-8");
+      const content = injectRuntimeConfig(
+        readFileSync(indexPath, "utf-8"),
+        runtimeConfig
+      );
       return c.html(content);
     }
     return c.html(`
@@ -68,7 +87,10 @@ function registerStaticRoutes(app, clientDistPath) {
   const handleInspectorRoute = (c) => {
     const indexPath = join(distPath, "index.html");
     if (existsSync(indexPath)) {
-      const content = readFileSync(indexPath, "utf-8");
+      const content = injectRuntimeConfig(
+        readFileSync(indexPath, "utf-8"),
+        runtimeConfig
+      );
       return c.html(content);
     }
     return c.notFound();
@@ -78,7 +100,10 @@ function registerStaticRoutes(app, clientDistPath) {
   app.get("*", (c) => {
     const indexPath = join(distPath, "index.html");
     if (existsSync(indexPath)) {
-      const content = readFileSync(indexPath, "utf-8");
+      const content = injectRuntimeConfig(
+        readFileSync(indexPath, "utf-8"),
+        runtimeConfig
+      );
       return c.html(content);
     }
     return c.html(`