mcp-researchpowerpack 7.1.0 → 7.1.2

package/README.md

@@ -87,10 +87,11 @@ capability with a clear error at call time.
 | var | default | |
 |-----|---------|---|
 | `PORT` | `3000` | http port |
-| `HOST` | `127.0.0.1` | bind address; cloud runtimes that set `PORT` auto-switch to `0.0.0.0`. public binds require `ALLOWED_ORIGINS` or `MCP_URL` |
-| `ALLOWED_ORIGINS` | unset | comma-separated origins for host validation / cors |
-| `MCP_URL` | unset | public mcp url; when `ALLOWED_ORIGINS` is absent, the server derives the allowed origin and well-known resource urls from this value |
-| `NODE_ENV` | unset | `production` also requires `ALLOWED_ORIGINS` or `MCP_URL`, even on a local bind |
+| `HOST` | `127.0.0.1` | bind address; cloud runtimes that set `PORT` auto-switch to `0.0.0.0`. public binds require `ALLOWED_ORIGINS`, `MCP_URL`, or `CSP_URLS` |
+| `ALLOWED_ORIGINS` | unset | comma-separated origins for host validation / cors; merged with `MCP_URL` and platform `CSP_URLS` when present |
+| `MCP_URL` | unset | public mcp url; contributes its origin to host validation and well-known resource urls |
+| `CSP_URLS` | unset | platform-provided comma-separated public origins; also contributes to host validation, including the derived mcp-use `--br-main` host |
+| `NODE_ENV` | unset | `production` also requires `ALLOWED_ORIGINS`, `MCP_URL`, or `CSP_URLS`, even on a local bind |
 | `DEBUG` | unset | `1` or `2` to bump mcp-use debug verbosity |
 
 ### providers

package/dist/index.js

@@ -5228,15 +5228,38 @@ function normalizeOrigin(value, envName) {
     throw new Error(`${envName} must contain absolute URLs with protocol. Received: ${value}`);
   }
 }
+function expandMcpUseMainBranchOrigin(origin) {
+  const parsed = new URL(origin);
+  const hostname = parsed.hostname.toLowerCase();
+  const suffix = ".run.mcp-use.com";
+  if (!hostname.endsWith(suffix) || hostname.includes("--br-")) {
+    return [origin];
+  }
+  const slug = hostname.slice(0, -suffix.length);
+  const branchOrigin = `${parsed.protocol}//${slug}--br-main${suffix}${parsed.port ? `:${parsed.port}` : ""}`;
+  return [origin, branchOrigin];
+}
+function appendNormalizedOrigins(target, values, envName) {
+  for (const value of values) {
+    const origin = normalizeOrigin(value, envName);
+    target.push(...expandMcpUseMainBranchOrigin(origin));
+  }
+}
 function resolveAllowedOrigins(baseUrl) {
+  const origins = [];
   const explicitOrigins = parseCsvEnv(process.env.ALLOWED_ORIGINS);
   if (explicitOrigins && explicitOrigins.length > 0) {
-    return explicitOrigins.map((origin) => normalizeOrigin(origin, "ALLOWED_ORIGINS"));
+    appendNormalizedOrigins(origins, explicitOrigins, "ALLOWED_ORIGINS");
   }
   if (baseUrl) {
-    return [normalizeOrigin(baseUrl, "MCP_URL")];
+    appendNormalizedOrigins(origins, [baseUrl], "MCP_URL");
   }
-  return void 0;
+  const cspUrls = parseCsvEnv(process.env.CSP_URLS);
+  if (cspUrls && cspUrls.length > 0) {
+    appendNormalizedOrigins(origins, cspUrls, "CSP_URLS");
+  }
+  const uniqueOrigins = [...new Set(origins)];
+  return uniqueOrigins.length > 0 ? uniqueOrigins : void 0;
 }
 function isLoopbackHost(host) {
   const normalized = host.trim().toLowerCase();
@@ -5317,7 +5340,7 @@ async function main() {
     startupLogger.info(`Host validation enabled for origins: ${allowedOriginList.join(", ")}`);
   } else if (isProduction || isPublicBindHost(host)) {
     startupLogger.error(
-      "Public or production HTTP binding requires ALLOWED_ORIGINS or MCP_URL to be set. Without host validation, the server is vulnerable to DNS rebinding attacks. Set ALLOWED_ORIGINS or MCP_URL to the public deployment URL or custom domain."
+      "Public or production HTTP binding requires ALLOWED_ORIGINS, MCP_URL, or CSP_URLS to be set. Without host validation, the server is vulnerable to DNS rebinding attacks. Set ALLOWED_ORIGINS, MCP_URL, or CSP_URLS to the public deployment URL or custom domain."
     );
     process.exit(1);
   } else {