@mcp-use/inspector 0.6.1 → 0.7.0-canary.4

package/dist/client/index.html

@@ -27,9 +27,9 @@
       rel="stylesheet"
     />
     <title>Inspector | mcp-use</title>
-    <script type="module" crossorigin src="/inspector/assets/index-DUf1336L.js"></script>
-    <link rel="stylesheet" crossorigin href="/inspector/assets/index-CAnbiFOL.css">
-    <script>window.__INSPECTOR_VERSION__ = "0.6.1";</script>
+    <script type="module" crossorigin src="/inspector/assets/index-B1pgTXiT.js"></script>
+    <link rel="stylesheet" crossorigin href="/inspector/assets/index-kVFYovMy.css">
+    <script>window.__INSPECTOR_VERSION__ = "0.7.0-canary.4";</script>
   </head>
   <body>
     <script>

package/dist/server/{chunk-WYBXXYSP.js → chunk-26WTIZ4S.js}

@@ -2,7 +2,7 @@ import {
   checkClientFiles,
   getClientDistPath,
   getContentType
-} from "./chunk-37X7HLUV.js";
+} from "./chunk-V5FEV5SU.js";
 
 // src/server/shared-static.ts
 import { existsSync, readFileSync } from "fs";

package/dist/server/{chunk-PYGYQT2G.js → chunk-6ZFXPXO4.js}

@@ -1,17 +1,17 @@
 import {
   registerInspectorRoutes
-} from "./chunk-555LGZ3I.js";
+} from "./chunk-XU7SXB3C.js";
 import {
   registerStaticRoutes
-} from "./chunk-WYBXXYSP.js";
+} from "./chunk-26WTIZ4S.js";
 import {
   checkClientFiles,
   getClientDistPath
-} from "./chunk-37X7HLUV.js";
+} from "./chunk-V5FEV5SU.js";
 
 // src/server/middleware.ts
 import { Hono } from "hono";
-function mountInspector(app) {
+function mountInspector(app, config) {
   const clientDistPath = getClientDistPath();
   if (!checkClientFiles(clientDistPath)) {
     console.warn(
@@ -22,12 +22,12 @@ function mountInspector(app) {
     );
   }
   if (app instanceof Hono) {
-    registerInspectorRoutes(app);
+    registerInspectorRoutes(app, config);
     registerStaticRoutes(app, clientDistPath);
     return;
   }
   const honoApp = new Hono();
-  registerInspectorRoutes(honoApp);
+  registerInspectorRoutes(honoApp, config);
   registerStaticRoutes(honoApp, clientDistPath);
   app.use((req, res, next) => {
     const url = new URL(req.url || "", `http://${req.headers.host}`);

package/dist/server/chunk-CVECQ7BJ.js

@@ -0,0 +1,78 @@
+import {
+  __publicField
+} from "./chunk-PKBMQBKP.js";
+
+// src/server/rpc-log-bus.ts
+var SimpleEventEmitter = class {
+  constructor() {
+    __publicField(this, "listeners", /* @__PURE__ */ new Map());
+  }
+  on(event, listener) {
+    if (!this.listeners.has(event)) {
+      this.listeners.set(event, /* @__PURE__ */ new Set());
+    }
+    this.listeners.get(event).add(listener);
+  }
+  off(event, listener) {
+    this.listeners.get(event)?.delete(listener);
+  }
+  emit(event, ...args) {
+    this.listeners.get(event)?.forEach((listener) => {
+      try {
+        listener(...args);
+      } catch (e) {
+        console.error("Error in event listener:", e);
+      }
+    });
+  }
+};
+var RpcLogBus = class {
+  constructor() {
+    __publicField(this, "emitter", new SimpleEventEmitter());
+    __publicField(this, "bufferByServer", /* @__PURE__ */ new Map());
+  }
+  publish(event) {
+    const buffer = this.bufferByServer.get(event.serverId) ?? [];
+    buffer.push(event);
+    if (buffer.length > 1e3) {
+      buffer.shift();
+    }
+    this.bufferByServer.set(event.serverId, buffer);
+    this.emitter.emit("event", event);
+  }
+  subscribe(serverIds, listener) {
+    const filter = new Set(serverIds);
+    const handler = (event) => {
+      if (filter.size === 0 || filter.has(event.serverId)) listener(event);
+    };
+    this.emitter.on("event", handler);
+    return () => this.emitter.off("event", handler);
+  }
+  getBuffer(serverIds, limit) {
+    const filter = new Set(serverIds);
+    const all = [];
+    for (const [serverId, buf] of this.bufferByServer.entries()) {
+      if (filter.size > 0 && !filter.has(serverId)) continue;
+      all.push(...buf);
+    }
+    all.sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+    if (limit === 0) return [];
+    if (!Number.isFinite(limit) || limit < 0) return all;
+    return all.slice(0, limit);
+  }
+  clear(serverIds) {
+    if (serverIds && serverIds.length > 0) {
+      const filter = new Set(serverIds);
+      for (const serverId of filter) {
+        this.bufferByServer.delete(serverId);
+      }
+    } else {
+      this.bufferByServer.clear();
+    }
+  }
+};
+var rpcLogBus = new RpcLogBus();
+
+export {
+  rpcLogBus
+};

package/dist/server/{chunk-DGUMOD7P.js → chunk-KW44WB52.js}

@@ -312,7 +312,16 @@ function generateWidgetContainerHtml(basePath, toolId) {
   `;
 }
 function generateWidgetContentHtml(widgetData) {
-  const { serverId, uri, toolInput, toolOutput, resourceData, toolId } = widgetData;
+  const {
+    serverId,
+    uri,
+    toolInput,
+    toolOutput,
+    resourceData,
+    toolId,
+    devServerBaseUrl,
+    theme
+  } = widgetData;
   console.log("[Widget Content] Using pre-fetched resource for:", {
     serverId,
     uri
@@ -343,23 +352,31 @@ function generateWidgetContentHtml(widgetData) {
   const safeToolOutput = JSON.stringify(toolOutput ?? null).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
   const safeToolId = JSON.stringify(toolId);
   const safeWidgetStateKey = JSON.stringify(widgetStateKey);
+  const safeTheme = JSON.stringify(theme === "dark" ? "dark" : "light");
   const apiScript = `
     <script>
       (function() {
         'use strict';
 
         // Change URL to "/" for React Router compatibility
-        if (window.location.pathname !== '/') {
+        // Skip if running in Inspector dev-widget proxy to prevent redirecting iframe to Inspector home
+        if (window.location.pathname !== '/' && !window.location.pathname.includes('/dev-widget/')) {
           history.replaceState(null, '', '/');
         }
 
+        // Inject MCP widget utilities for Image component and file access
+        window.__mcpPublicUrl = ${devServerBaseUrl ? `"${devServerBaseUrl}/mcp-use/public"` : '""'};
+        window.__getFile = function(filename) {
+          return ${devServerBaseUrl ? `"${devServerBaseUrl}/mcp-use/widgets/"` : '""'} + filename;
+        };
+
         const openaiAPI = {
           toolInput: ${safeToolInput},
           toolOutput: ${safeToolOutput},
           toolResponseMetadata: null,
           displayMode: 'inline',
           maxHeight: 600,
-          theme: 'dark',
+          theme: ${safeTheme},
           locale: 'en-US',
           safeArea: { insets: { top: 0, bottom: 0, left: 0, right: 0 } },
           userAgent: {},
@@ -432,6 +449,20 @@ function generateWidgetContentHtml(widgetData) {
             return this.sendFollowupTurn(prompt);
           },
 
+          async notifyIntrinsicHeight(height) {
+            console.log('[OpenAI Widget] notifyIntrinsicHeight called with:', height);
+            if (typeof height !== 'number' || height < 0) {
+              console.error('[OpenAI Widget] Invalid height value:', height);
+              throw new Error('Height must be a non-negative number');
+            }
+            const message = {
+              type: 'openai:notifyIntrinsicHeight',
+              height
+            };
+            console.log('[OpenAI Widget] Sending postMessage to parent:', message);
+            window.parent.postMessage(message, '*');
+          },
+
           openExternal(payload) {
             const href = typeof payload === 'string' ? payload : payload?.href;
             if (href) {
@@ -476,6 +507,18 @@ function generateWidgetContentHtml(widgetData) {
           } catch (err) {}
         }, 0);
 
+        // Listen for widget state requests from inspector
+        window.addEventListener('message', (event) => {
+          if (event.data?.type === 'mcp-inspector:getWidgetState') {
+            window.parent.postMessage({
+              type: 'mcp-inspector:widgetStateResponse',
+              toolId: event.data.toolId,
+              state: openaiAPI.widgetState
+            }, '*');
+            return;
+          }
+        });
+
         // Listen for globals changes from parent (for displayMode, theme, etc.)
         window.addEventListener('message', (event) => {
           // Handle new general globalsChanged message
@@ -602,34 +645,58 @@ function generateWidgetContentHtml(widgetData) {
   console.log("[Widget Content] Generated HTML length:", modifiedHtml.length);
   return { html: modifiedHtml };
 }
-function getWidgetSecurityHeaders(widgetCSP) {
+function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
   const trustedCdns = [
     "https://persistent.oaistatic.com",
     "https://*.oaistatic.com",
     "https://unpkg.com",
     "https://cdn.jsdelivr.net",
     "https://cdnjs.cloudflare.com",
-    "https://cdn.skypack.dev"
+    "https://cdn.skypack.dev",
+    "https://*.openai.com"
   ];
-  const allResourceDomains = [...trustedCdns];
+  const prodResourceDomains = [...trustedCdns];
   if (widgetCSP?.resource_domains) {
-    allResourceDomains.push(...widgetCSP.resource_domains);
+    prodResourceDomains.push(...widgetCSP.resource_domains);
+  }
+  const prodResourceDomainsStr = prodResourceDomains.join(" ");
+  let devServerOrigin = null;
+  const allResourceDomains = [...prodResourceDomains];
+  if (devServerBaseUrl) {
+    try {
+      devServerOrigin = new URL(devServerBaseUrl).origin;
+      allResourceDomains.push(devServerOrigin);
+    } catch (e) {
+      console.warn(`[CSP] Invalid devServerBaseUrl: ${devServerBaseUrl}`);
+    }
   }
   const resourceDomainsStr = allResourceDomains.join(" ");
+  let imgSrc = "'self' data: https: blob:";
+  if (devServerOrigin) {
+    imgSrc = `'self' data: https: blob: ${devServerOrigin}`;
+  }
+  let mediaSrc = "'self' data: https: blob:";
+  if (devServerOrigin) {
+    mediaSrc = `'self' data: https: blob: ${devServerOrigin}`;
+  }
+  let fontSrc = `'self' data: ${resourceDomainsStr}`;
+  if (devServerOrigin) {
+    fontSrc = `'self' data: https: http: ${resourceDomainsStr}`;
+  }
   let connectSrc = "'self' https: wss: ws:";
   if (widgetCSP?.connect_domains && widgetCSP.connect_domains.length > 0) {
     connectSrc = `'self' ${widgetCSP.connect_domains.join(" ")} https: wss: ws:`;
   }
-  return {
+  const headers = {
     "Content-Security-Policy": [
       "default-src 'self'",
       `script-src 'self' 'unsafe-inline' 'unsafe-eval' ${resourceDomainsStr}`,
       "worker-src 'self' blob:",
       "child-src 'self' blob:",
       `style-src 'self' 'unsafe-inline' ${resourceDomainsStr}`,
-      "img-src 'self' data: https: blob:",
-      "media-src 'self' data: https: blob:",
-      `font-src 'self' data: ${resourceDomainsStr}`,
+      `img-src ${imgSrc}`,
+      `media-src ${mediaSrc}`,
+      `font-src ${fontSrc}`,
       `connect-src ${connectSrc}`,
       "frame-ancestors 'self'"
     ].join("; "),
@@ -639,6 +706,22 @@ function getWidgetSecurityHeaders(widgetCSP) {
     Pragma: "no-cache",
     Expires: "0"
   };
+  if (devServerOrigin) {
+    const prodConnectSrc = "'self' https: wss: ws:";
+    headers["Content-Security-Policy-Report-Only"] = [
+      "default-src 'self'",
+      `script-src 'self' 'unsafe-inline' 'unsafe-eval' ${prodResourceDomainsStr}`,
+      "worker-src 'self' blob:",
+      "child-src 'self' blob:",
+      `style-src 'self' 'unsafe-inline' ${prodResourceDomainsStr}`,
+      "img-src 'self' data: https: blob:",
+      "media-src 'self' data: https: blob:",
+      `font-src 'self' data: ${prodResourceDomainsStr}`,
+      `connect-src ${prodConnectSrc}`,
+      "frame-ancestors 'self'"
+    ].join("; ");
+  }
+  return headers;
 }
 
 export {

package/dist/server/chunk-PKBMQBKP.js

@@ -0,0 +1,7 @@
+var __defProp = Object.defineProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+
+export {
+  __publicField
+};

package/dist/server/{chunk-37X7HLUV.js → chunk-V5FEV5SU.js}

@@ -267,7 +267,9 @@ function storeWidgetData(data) {
     toolOutput,
     resourceData,
     toolId,
-    widgetCSP
+    widgetCSP: _widgetCSP,
+    devWidgetUrl,
+    devServerBaseUrl
   } = data;
   console.log("[Widget Store] Received request for toolId:", toolId);
   console.log("[Widget Store] Fields:", {
@@ -276,7 +278,9 @@ function storeWidgetData(data) {
     hasResourceData: !!resourceData,
     hasToolInput: !!toolInput,
     hasToolOutput: !!toolOutput,
-    hasWidgetCSP: !!widgetCSP
+    hasWidgetCSP: !!_widgetCSP,
+    devWidgetUrl,
+    devServerBaseUrl
   });
   if (!serverId || !uri || !toolId || !resourceData) {
     const missingFields = [];
@@ -298,7 +302,9 @@ function storeWidgetData(data) {
     resourceData,
     toolId,
     timestamp: Date.now(),
-    widgetCSP
+    widgetCSP: _widgetCSP,
+    devWidgetUrl,
+    devServerBaseUrl
   });
   console.log("[Widget Store] Data stored successfully for toolId:", toolId);
   return { success: true };
@@ -341,7 +347,17 @@ function generateWidgetContainerHtml(basePath, toolId) {
   `;
 }
 function generateWidgetContentHtml(widgetData) {
-  const { serverId, uri, toolInput, toolOutput, resourceData, toolId } = widgetData;
+  const {
+    serverId,
+    uri,
+    toolInput,
+    toolOutput,
+    resourceData,
+    toolId,
+    widgetCSP: _widgetCSP,
+    devServerBaseUrl,
+    theme
+  } = widgetData;
   console.log("[Widget Content] Using pre-fetched resource for:", {
     serverId,
     uri
@@ -372,23 +388,31 @@ function generateWidgetContentHtml(widgetData) {
   const safeToolOutput = JSON.stringify(toolOutput ?? null).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
   const safeToolId = JSON.stringify(toolId);
   const safeWidgetStateKey = JSON.stringify(widgetStateKey);
+  const safeTheme = JSON.stringify(theme === "dark" ? "dark" : "light");
   const apiScript = `
     <script>
       (function() {
         'use strict';
 
         // Change URL to "/" for React Router compatibility
-        if (window.location.pathname !== '/') {
+        // Skip if running in Inspector dev-widget proxy to prevent redirecting iframe to Inspector home
+        if (window.location.pathname !== '/' && !window.location.pathname.includes('/dev-widget/')) {
           history.replaceState(null, '', '/');
         }
 
+        // Inject MCP widget utilities for Image component and file access
+        window.__mcpPublicUrl = ${devServerBaseUrl ? `"${devServerBaseUrl}/mcp-use/public"` : '""'};
+        window.__getFile = function(filename) {
+          return ${devServerBaseUrl ? `"${devServerBaseUrl}/mcp-use/widgets/"` : '""'} + filename;
+        };
+
         const openaiAPI = {
           toolInput: ${safeToolInput},
           toolOutput: ${safeToolOutput},
           toolResponseMetadata: null,
           displayMode: 'inline',
           maxHeight: 600,
-          theme: 'dark',
+          theme: ${safeTheme},
           locale: 'en-US',
           safeArea: { insets: { top: 0, bottom: 0, left: 0, right: 0 } },
           userAgent: {},
@@ -483,6 +507,17 @@ function generateWidgetContentHtml(widgetData) {
           enumerable: true
         });
 
+        // Listen for widget state requests from inspector
+        window.addEventListener('message', (event) => {
+          if (event.data?.type === 'mcp-inspector:getWidgetState') {
+            window.parent.postMessage({
+              type: 'mcp-inspector:widgetStateResponse',
+              toolId: event.data.toolId,
+              state: openaiAPI.widgetState
+            }, '*');
+          }
+        });
+
         setTimeout(() => {
           try {
             const globalsEvent = new CustomEvent('openai:set_globals', {
@@ -536,34 +571,58 @@ function generateWidgetContentHtml(widgetData) {
   console.log("[Widget Content] Generated HTML length:", modifiedHtml.length);
   return { html: modifiedHtml };
 }
-function getWidgetSecurityHeaders(widgetCSP) {
+function getWidgetSecurityHeaders(widgetCSP, devServerBaseUrl) {
   const trustedCdns = [
     "https://persistent.oaistatic.com",
     "https://*.oaistatic.com",
     "https://unpkg.com",
     "https://cdn.jsdelivr.net",
     "https://cdnjs.cloudflare.com",
-    "https://cdn.skypack.dev"
+    "https://cdn.skypack.dev",
+    "https://*.openai.com"
   ];
-  const allResourceDomains = [...trustedCdns];
+  const prodResourceDomains = [...trustedCdns];
   if (widgetCSP?.resource_domains) {
-    allResourceDomains.push(...widgetCSP.resource_domains);
+    prodResourceDomains.push(...widgetCSP.resource_domains);
+  }
+  const prodResourceDomainsStr = prodResourceDomains.join(" ");
+  let devServerOrigin = null;
+  const allResourceDomains = [...prodResourceDomains];
+  if (devServerBaseUrl) {
+    try {
+      devServerOrigin = new URL(devServerBaseUrl).origin;
+      allResourceDomains.push(devServerOrigin);
+    } catch (e) {
+      console.warn(`[CSP] Invalid devServerBaseUrl: ${devServerBaseUrl}`);
+    }
   }
   const resourceDomainsStr = allResourceDomains.join(" ");
+  let imgSrc = "'self' data: https: blob:";
+  if (devServerOrigin) {
+    imgSrc = `'self' data: https: blob: ${devServerOrigin}`;
+  }
+  let mediaSrc = "'self' data: https: blob:";
+  if (devServerOrigin) {
+    mediaSrc = `'self' data: https: blob: ${devServerOrigin}`;
+  }
+  let fontSrc = `'self' data: ${resourceDomainsStr}`;
+  if (devServerOrigin) {
+    fontSrc = `'self' data: https: http: ${resourceDomainsStr}`;
+  }
   let connectSrc = "'self' https: wss: ws:";
   if (widgetCSP?.connect_domains && widgetCSP.connect_domains.length > 0) {
     connectSrc = `'self' ${widgetCSP.connect_domains.join(" ")} https: wss: ws:`;
   }
-  return {
+  const headers = {
     "Content-Security-Policy": [
       "default-src 'self'",
       `script-src 'self' 'unsafe-inline' 'unsafe-eval' ${resourceDomainsStr}`,
       "worker-src 'self' blob:",
       "child-src 'self' blob:",
       `style-src 'self' 'unsafe-inline' ${resourceDomainsStr}`,
-      "img-src 'self' data: https: blob:",
-      "media-src 'self' data: https: blob:",
-      `font-src 'self' data: ${resourceDomainsStr}`,
+      `img-src ${imgSrc}`,
+      `media-src ${mediaSrc}`,
+      `font-src ${fontSrc}`,
       `connect-src ${connectSrc}`,
       "frame-ancestors 'self'"
     ].join("; "),
@@ -573,6 +632,22 @@ function getWidgetSecurityHeaders(widgetCSP) {
     Pragma: "no-cache",
     Expires: "0"
   };
+  if (devServerOrigin) {
+    const prodConnectSrc = "'self' https: wss: ws:";
+    headers["Content-Security-Policy-Report-Only"] = [
+      "default-src 'self'",
+      `script-src 'self' 'unsafe-inline' 'unsafe-eval' ${prodResourceDomainsStr}`,
+      "worker-src 'self' blob:",
+      "child-src 'self' blob:",
+      `style-src 'self' 'unsafe-inline' ${prodResourceDomainsStr}`,
+      "img-src 'self' data: https: blob:",
+      "media-src 'self' data: https: blob:",
+      `font-src 'self' data: ${prodResourceDomainsStr}`,
+      `connect-src ${prodConnectSrc}`,
+      "frame-ancestors 'self'"
+    ].join("; ");
+  }
+  return headers;
 }
 
 export {