mcp-researchpowerpack 7.1.0 → 7.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/README.md +5 -4
  2. package/dist/index.js +10 -4
  3. package/dist/index.js.map +2 -2
  4. package/dist/mcp-use.json +2 -2
  5. package/package.json +1 -1
package/README.md CHANGED
@@ -87,10 +87,11 @@ capability with a clear error at call time.
87
87
  | var | default | |
88
88
  |-----|---------|---|
89
89
  | `PORT` | `3000` | http port |
90
- | `HOST` | `127.0.0.1` | bind address; cloud runtimes that set `PORT` auto-switch to `0.0.0.0`. public binds require `ALLOWED_ORIGINS` or `MCP_URL` |
91
- | `ALLOWED_ORIGINS` | unset | comma-separated origins for host validation / cors |
92
- | `MCP_URL` | unset | public mcp url; when `ALLOWED_ORIGINS` is absent, the server derives the allowed origin and well-known resource urls from this value |
93
- | `NODE_ENV` | unset | `production` also requires `ALLOWED_ORIGINS` or `MCP_URL`, even on a local bind |
90
+ | `HOST` | `127.0.0.1` | bind address; cloud runtimes that set `PORT` auto-switch to `0.0.0.0`. public binds require `ALLOWED_ORIGINS`, `MCP_URL`, or `CSP_URLS` |
91
+ | `ALLOWED_ORIGINS` | unset | comma-separated origins for host validation / cors; merged with `MCP_URL` and platform `CSP_URLS` when present |
92
+ | `MCP_URL` | unset | public mcp url; contributes its origin to host validation and well-known resource urls |
93
+ | `CSP_URLS` | unset | platform-provided comma-separated public origins; also contributes to host validation |
94
+ | `NODE_ENV` | unset | `production` also requires `ALLOWED_ORIGINS`, `MCP_URL`, or `CSP_URLS`, even on a local bind |
94
95
  | `DEBUG` | unset | `1` or `2` to bump mcp-use debug verbosity |
95
96
 
96
97
  ### providers
package/dist/index.js CHANGED
@@ -5229,14 +5229,20 @@ function normalizeOrigin(value, envName) {
5229
5229
  }
5230
5230
  }
5231
5231
  function resolveAllowedOrigins(baseUrl) {
5232
+ const origins = [];
5232
5233
  const explicitOrigins = parseCsvEnv(process.env.ALLOWED_ORIGINS);
5233
5234
  if (explicitOrigins && explicitOrigins.length > 0) {
5234
- return explicitOrigins.map((origin) => normalizeOrigin(origin, "ALLOWED_ORIGINS"));
5235
+ origins.push(...explicitOrigins.map((origin) => normalizeOrigin(origin, "ALLOWED_ORIGINS")));
5235
5236
  }
5236
5237
  if (baseUrl) {
5237
- return [normalizeOrigin(baseUrl, "MCP_URL")];
5238
+ origins.push(normalizeOrigin(baseUrl, "MCP_URL"));
5238
5239
  }
5239
- return void 0;
5240
+ const cspUrls = parseCsvEnv(process.env.CSP_URLS);
5241
+ if (cspUrls && cspUrls.length > 0) {
5242
+ origins.push(...cspUrls.map((origin) => normalizeOrigin(origin, "CSP_URLS")));
5243
+ }
5244
+ const uniqueOrigins = [...new Set(origins)];
5245
+ return uniqueOrigins.length > 0 ? uniqueOrigins : void 0;
5240
5246
  }
5241
5247
  function isLoopbackHost(host) {
5242
5248
  const normalized = host.trim().toLowerCase();
@@ -5317,7 +5323,7 @@ async function main() {
5317
5323
  startupLogger.info(`Host validation enabled for origins: ${allowedOriginList.join(", ")}`);
5318
5324
  } else if (isProduction || isPublicBindHost(host)) {
5319
5325
  startupLogger.error(
5320
- "Public or production HTTP binding requires ALLOWED_ORIGINS or MCP_URL to be set. Without host validation, the server is vulnerable to DNS rebinding attacks. Set ALLOWED_ORIGINS or MCP_URL to the public deployment URL or custom domain."
5326
+ "Public or production HTTP binding requires ALLOWED_ORIGINS, MCP_URL, or CSP_URLS to be set. Without host validation, the server is vulnerable to DNS rebinding attacks. Set ALLOWED_ORIGINS, MCP_URL, or CSP_URLS to the public deployment URL or custom domain."
5321
5327
  );
5322
5328
  process.exit(1);
5323
5329
  } else {