agent-discover 1.0.31 → 1.1.0

package/CHANGELOG.md

@@ -5,6 +5,31 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.0] - 2026-04-08
+
+Federated marketplace release: `/api/browse` now spans the official MCP registry, npm, and PyPI in one query, with cross-process activation, prereqs probing, and a `uvx` install path. Full UI/REST/MCP coverage.
+
+### Added
+
+- **PyPI marketplace integration.** `MarketplaceClient.searchPypi()` resolves a curated list of well-known Python MCP servers (`mcp-server-fetch`, `mcp-server-git`, `mcp-server-time`, `mcp-server-postgres`, `mcp-server-sqlite`, `mcp-proxy`, `mcp-cli`, …) against the stable PyPI JSON API (`/pypi/<name>/json`) for live metadata, plus a best-effort HTML scrape of `pypi.org/search` to surface anything beyond the curated list. PyPI hits are tagged `runtime: python` and merged into `/api/browse` results alongside the official registry and npm.
+- **npm search fallback in `/api/browse`.** Two parallel npm queries (`<query> keywords:mcp` and `<query> mcp`) merge + dedupe with the official-registry results. The first variant catches packages that opted into the `keywords:mcp` tag; the second catches packages like Microsoft's `@playwright/mcp` that have no `keywords` field at all. Filtered to entries mentioning `mcp` / `model context protocol` in name/keywords/description.
+- **Federated dedupe with cross-source visibility.** Browse results are keyed by `<source>:<name>` (`registry:`, `npm:`, `pypi:`) so packages with colliding names across sources (e.g. `mcp-server-sqlite` exists on both npm and PyPI as different projects) all stay visible, while same-source version duplicates still collapse (highest semver wins).
+- **uvx install path in the dashboard.** The Browse-tab Install button now branches on `pkg.runtime === 'python'` (or `registry_name === 'pypi'`) and posts `command: 'uvx'`, `args: ['<pkg>']`, `tags: ['marketplace', 'pypi']`. The async pre-download path (`POST /api/servers`) and the explicit `POST /api/servers/:id/preinstall` endpoint both grew a `uv tool install <pkg>` branch alongside the existing `npm cache add`.
+- **Prereqs probe (`GET /api/prereqs`).** Spawns `npx --version`, `uvx --version`, `docker --version`, `uv --version` using `spawn` with `shell: true` so Windows `.cmd` shims resolve. Returns `{ npx, uvx, docker, uv }`. The dashboard fetches it on load and renders an orange banner above the Browse list when something needed for an install is missing, with install hints linking to nodejs.org / docs.astral.sh/uv.
+- **README/CHANGELOG/USER-MANUAL/API/ARCHITECTURE/DASHBOARD docs** brought fully up to date for the new federated marketplace, hydration, prereqs, and uvx flow.
+
+### Fixed
+
+- **Cross-process activation hydration.** Removed the `UPDATE servers SET active = 0` startup wipe in `context.ts`. Each fresh agent-discover process now reads `WHERE active = 1 AND installed = 1` and re-activates those servers in its own `McpProxy` on boot, with stale entries (failed activate) cleared back to `active = 0` so we don't retry forever. Activation lives in-memory in `McpProxy.activeServers` but the DB-backed `active` flag is the cross-process source of truth, so a tool activated via the dashboard UI is now visible to a freshly-spawned MCP client process without manual re-activation.
+- **Scoped npm names rejected by server-name validation.** The Browse-tab install path sanitised `@scope/pkg` → `@scope-pkg`, leaving the leading `@` which fails the registry's `^[a-zA-Z0-9]…$` regex with HTTP 422. Now strips `@` to match the parallel `__installFromNpm` path. Confirmed via Playwright e2e against `@modelcontextprotocol/server-everything`.
+- **Marketplace version-duplicates.** `parseResponse` now collapses one-row-per-version results from the official registry (`playwright-wizard-mcp ×3` → `×1`).
+
+### Security
+
+- **CRLF header injection in proxy secret merge.** When activating an SSE / streamable-http remote server, secrets stored for that server are merged into the outbound HTTP headers (`Authorization`, `API_KEY`, plus pass-through). Values containing `\r` or `\n` are now rejected before insertion to prevent HTTP header injection from a poisoned secret value. (`src/domain/proxy.ts`)
+
+[Note: 1.0.28 – 1.0.31 were intermediate dev tags during this work and have been folded into 1.1.0 for the public release.]
+
 ## [1.0.27] - 2026-04-08
 
 ### Documentation

package/README.md

@@ -2,12 +2,14 @@
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
 [![Node.js](https://img.shields.io/badge/node-%3E%3D20.11-brightgreen)](https://nodejs.org/)
-[![Tests](https://img.shields.io/badge/tests-152%20passing-brightgreen)]()
-[![MCP Tools](https://img.shields.io/badge/MCP%20tools-2-purple)]()
-[![REST Endpoints](https://img.shields.io/badge/REST-18%20endpoints-orange)]()
+[![Tests](https://img.shields.io/badge/tests-151%20passing-brightgreen)]()
+[![MCP Tools](https://img.shields.io/badge/MCP%20tools-1-purple)]()
+[![REST Endpoints](https://img.shields.io/badge/REST-19%20endpoints-orange)]()
 
 **MCP server registry and marketplace.** Discover, install, activate, and manage MCP tools on demand. Acts as a dynamic proxy -- activated servers have their tools merged into the registry's own tool list, so agents can use them without restarting.
 
+Search spans the **official MCP registry**, **npm**, and **PyPI** in one query, so popular servers that aren't in the official index (Microsoft `@playwright/mcp`, `@modelcontextprotocol/server-*`, `mcp-server-fetch`, `mcp-server-git`, …) all show up.
+
 Built for AI coding agents (Claude Code, Codex CLI, Gemini CLI, Aider) but works equally well with any MCP client, REST consumer, or WebSocket listener.
 
 ---
@@ -36,15 +38,19 @@ Static MCP configs mean every server is always running, even when unused. Adding
 ## Features
 
 - **Local registry** -- register MCP servers in a SQLite database with name, command, args, env, tags
-- **Marketplace browser** -- search the official MCP registry (`registry.modelcontextprotocol.io`) and install with one tool call
-- **On-demand activation** -- activate/deactivate servers at runtime; their tools appear and disappear dynamically
+- **Federated marketplace search** -- a single query hits the official MCP registry, npm, and PyPI in parallel, dedupes by `<source>:<name>`, and collapses version duplicates
+- **PyPI integration** -- curated list of well-known Python MCP servers (`mcp-server-fetch`, `mcp-server-git`, `mcp-server-time`, `mcp-server-postgres`, `mcp-server-sqlite`, `mcp-proxy`, …) plus live metadata via the PyPI JSON API; Python entries install via `uvx`
+- **npm fallback** -- two parallel npm searches (`keywords:mcp` and `<query> mcp`) catch packages that didn't tag themselves (e.g. Microsoft `@playwright/mcp`)
+- **Prereqs probe** -- `GET /api/prereqs` reports which package managers (`npx`, `uvx`, `docker`, `uv`) are available on the host; the dashboard surfaces a banner when something needed for an install is missing
+- **Cross-process activation** -- the `active` flag is the source of truth in SQLite; every fresh agent-discover process hydrates its in-memory proxy from the DB on startup, so tools activated in one process show up in others
+- **On-demand activation** -- activate/deactivate servers at runtime; their tools appear and disappear dynamically with `tools/list_changed` notifications
 - **Tool proxying** -- activated server tools are namespaced as `serverName__toolName` and merged into the tool list
-- **Multi-transport** -- supports stdio, SSE, and streamable-http transports for connecting to child servers
-- **Secret management** -- store API keys and tokens per server, automatically injected as env vars (stdio) or HTTP headers (SSE/streamable-http) on activation
+- **Multi-transport** -- stdio, SSE, and streamable-http transports for connecting to child servers
+- **Secret management** -- store API keys and tokens per server, automatically injected as env vars (stdio) or HTTP headers (SSE/streamable-http) on activation; CRLF-validated to prevent header injection
 - **Health checks** -- connect/disconnect probes for inactive servers, tool-list checks for active ones, with error count tracking
 - **Per-tool metrics** -- call counts, error counts, and average latency recorded automatically on every proxied tool call
 - **Full-text search** -- FTS5 search across server names, descriptions, and tags
-- **NPM pre-download** -- fire-and-forget `npm cache add` on registration for npx-based servers, plus a dedicated preinstall endpoint
+- **Pre-download** -- fire-and-forget `npm cache add` (npx servers) or `uv tool install` (uvx servers) on registration, plus a dedicated `/preinstall` endpoint
 - **Real-time dashboard** -- web UI at http://localhost:3424 with Servers and Browse tabs, dark/light theme, WebSocket updates
 - **3 transport layers** -- MCP (stdio), REST API (HTTP), WebSocket (real-time events)
 
@@ -110,12 +116,13 @@ Activated servers expose their tools through agent-discover, namespaced as `serv
 
 ---
 
-## REST API (18 endpoints)
+## REST API (19 endpoints)
 
 All endpoints return JSON. CORS enabled.
 
 ```
 GET    /health                            Version, uptime
+GET    /api/prereqs                       Probe host for npx/uvx/docker/uv availability
 GET    /api/servers                       List servers (?query=, ?source=, ?installed=)
 GET    /api/servers/:id                   Server details + tools
 POST   /api/servers                       Register new server
@@ -123,14 +130,14 @@ PUT    /api/servers/:id                   Update server config (description, com
 DELETE /api/servers/:id                   Unregister (deactivates first if active)
 POST   /api/servers/:id/activate          Activate -- start server, discover tools, begin proxying
 POST   /api/servers/:id/deactivate        Deactivate -- stop server, remove tools
-POST   /api/servers/:id/preinstall        Pre-download npx package to npm cache
+POST   /api/servers/:id/preinstall        Pre-download package (npm cache add for npx, uv tool install for uvx)
 GET    /api/servers/:id/secrets           List secrets (masked values)
 PUT    /api/servers/:id/secrets/:key      Set a secret (upsert)
 DELETE /api/servers/:id/secrets/:key      Delete a secret
 POST   /api/servers/:id/health            Run health check (connect/disconnect probe)
 GET    /api/servers/:id/metrics           Per-tool metrics for a server (call count, errors, latency)
 GET    /api/metrics                       Metrics overview across all servers
-GET    /api/browse                        Proxy to official MCP registry (?query=, ?limit=, ?cursor=)
+GET    /api/browse                        Federated search: official registry + npm + PyPI (?query=, ?limit=, ?cursor=)
 GET    /api/npm-check                     Check if an npm package exists (?package=)
 GET    /api/status                        Active servers summary (names, tool counts, tool lists)
 ```
@@ -143,7 +150,7 @@ The web dashboard auto-starts at **http://localhost:3424** and provides two view
 
 **Servers tab** -- all registered servers as cards showing health dots, error counts, active/inactive status, description, tags, tools list, and expandable Secrets/Metrics/Config sections. Action buttons for activate, deactivate, health check, and delete.
 
-**Browse tab** -- search the official MCP registry. Results show server name, version, description, packages, and an install button.
+**Browse tab** -- federated search across the official MCP registry, npm, and PyPI. Each card shows the runtime tag (`node`, `python`, `streamable-http`, …), version, description, and an install button that picks the right command (`npx`, `uvx`, or remote URL) automatically. A prereq banner at the top of the tab warns when a required package manager (`npx`, `uvx`, `docker`) is missing on the host.
 
 Real-time updates via WebSocket with 2-second database polling. Dark and light themes with persistent preference.
 
@@ -152,10 +159,11 @@ Real-time updates via WebSocket with 2-second database polling. Dark and light t
 ## Testing
 
 ```bash
-npm test              # 152 tests across 8 files
+npm test              # 151 tests across 8 files
 npm run test:watch    # Watch mode
 npm run test:coverage # Coverage report
 npm run check         # Full CI: typecheck + lint + format + test
+npm run test:e2e:ui   # Playwright dashboard smoke tests
 ```
 
 ---
@@ -167,6 +175,16 @@ npm run check         # Full CI: typecheck + lint + format + test
 | `AGENT_DISCOVER_PORT` | `3424`                        | Dashboard HTTP port  |
 | `AGENT_DISCOVER_DB`   | `~/.claude/agent-discover.db` | SQLite database path |
 
+### Host package manager prerequisites
+
+agent-discover spawns child MCP servers via the host's installed package managers. Install whatever you intend to use; missing tools are reported by `GET /api/prereqs` and surfaced as a banner in the Browse tab.
+
+| Tool     | Used for                        | Install hint                                          |
+| -------- | ------------------------------- | ----------------------------------------------------- |
+| `npx`    | npm-published MCP servers       | ships with [Node.js](https://nodejs.org/)             |
+| `uvx`    | PyPI-published MCP servers      | install [uv](https://docs.astral.sh/uv/)              |
+| `docker` | Docker-image MCP servers (rare) | install [Docker](https://docs.docker.com/get-docker/) |
+
 ---
 
 ## Documentation

package/agent-desk-plugin.json

@@ -2,7 +2,7 @@
   "id": "agent-discover",
   "name": "Discover",
   "icon": "explore",
-  "version": "1.0.31",
+  "version": "1.1.0",
   "description": "MCP server registry — browse, install, configure, monitor",
   "ui": "./dist/ui/app.js",
   "css": "./dist/ui/styles.css",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-discover",
-  "version": "1.0.31",
+  "version": "1.1.0",
   "mcpName": "io.github.keshrath/agent-discover",
   "description": "MCP server registry and marketplace — discover, install, activate, and manage MCP tools on demand",
   "type": "module",