mcp-researchpowerpack 7.1.1 → 7.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -3
- package/dist/index.js +32 -4
- package/dist/index.js.map +2 -2
- package/dist/mcp-use.json +2 -2
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -87,11 +87,12 @@ capability with a clear error at call time.
|
|
|
87
87
|
| var | default | |
|
|
88
88
|
|-----|---------|---|
|
|
89
89
|
| `PORT` | `3000` | http port |
|
|
90
|
-
| `HOST` | `127.0.0.1` | bind address; cloud runtimes that set `PORT` auto-switch to `0.0.0.0`. public binds require `ALLOWED_ORIGINS`, `MCP_URL`, or `
|
|
90
|
+
| `HOST` | `127.0.0.1` | bind address; cloud runtimes that set `PORT` auto-switch to `0.0.0.0`. public binds require `ALLOWED_ORIGINS`, `MCP_URL`, `CSP_URLS`, or `FLY_APP_NAME` |
|
|
91
91
|
| `ALLOWED_ORIGINS` | unset | comma-separated origins for host validation / cors; merged with `MCP_URL` and platform `CSP_URLS` when present |
|
|
92
92
|
| `MCP_URL` | unset | public mcp url; contributes its origin to host validation and well-known resource urls |
|
|
93
|
-
| `CSP_URLS` | unset | platform-provided comma-separated public origins; also contributes to host validation |
|
|
94
|
-
| `
|
|
93
|
+
| `CSP_URLS` | unset | platform-provided comma-separated public origins; also contributes to host validation, including the derived mcp-use `--br-main` host |
|
|
94
|
+
| `FLY_APP_NAME` | unset | Fly runtime app name; when present, `https://<app>.fly.dev` is added to host validation for Manufact's deploy verifier |
|
|
95
|
+
| `NODE_ENV` | unset | `production` also requires `ALLOWED_ORIGINS`, `MCP_URL`, `CSP_URLS`, or `FLY_APP_NAME`, even on a local bind |
|
|
95
96
|
| `DEBUG` | unset | `1` or `2` to bump mcp-use debug verbosity |
|
|
96
97
|
|
|
97
98
|
### providers
|
package/dist/index.js
CHANGED
|
@@ -5228,19 +5228,47 @@ function normalizeOrigin(value, envName) {
|
|
|
5228
5228
|
throw new Error(`${envName} must contain absolute URLs with protocol. Received: ${value}`);
|
|
5229
5229
|
}
|
|
5230
5230
|
}
|
|
5231
|
+
function expandMcpUseMainBranchOrigin(origin) {
|
|
5232
|
+
const parsed = new URL(origin);
|
|
5233
|
+
const hostname = parsed.hostname.toLowerCase();
|
|
5234
|
+
const suffix = ".run.mcp-use.com";
|
|
5235
|
+
if (!hostname.endsWith(suffix) || hostname.includes("--br-")) {
|
|
5236
|
+
return [origin];
|
|
5237
|
+
}
|
|
5238
|
+
const slug = hostname.slice(0, -suffix.length);
|
|
5239
|
+
const branchOrigin = `${parsed.protocol}//${slug}--br-main${suffix}${parsed.port ? `:${parsed.port}` : ""}`;
|
|
5240
|
+
return [origin, branchOrigin];
|
|
5241
|
+
}
|
|
5242
|
+
function appendNormalizedOrigins(target, values, envName) {
|
|
5243
|
+
for (const value of values) {
|
|
5244
|
+
const origin = normalizeOrigin(value, envName);
|
|
5245
|
+
target.push(...expandMcpUseMainBranchOrigin(origin));
|
|
5246
|
+
}
|
|
5247
|
+
}
|
|
5248
|
+
function appendFlyAppOrigin(target) {
|
|
5249
|
+
const flyAppName = process.env.FLY_APP_NAME?.trim();
|
|
5250
|
+
if (!flyAppName) {
|
|
5251
|
+
return;
|
|
5252
|
+
}
|
|
5253
|
+
if (!/^[a-z0-9][a-z0-9-]*$/i.test(flyAppName)) {
|
|
5254
|
+
throw new Error(`FLY_APP_NAME must be a valid Fly app name. Received: ${flyAppName}`);
|
|
5255
|
+
}
|
|
5256
|
+
appendNormalizedOrigins(target, [`https://${flyAppName}.fly.dev`], "FLY_APP_NAME");
|
|
5257
|
+
}
|
|
5231
5258
|
function resolveAllowedOrigins(baseUrl) {
|
|
5232
5259
|
const origins = [];
|
|
5233
5260
|
const explicitOrigins = parseCsvEnv(process.env.ALLOWED_ORIGINS);
|
|
5234
5261
|
if (explicitOrigins && explicitOrigins.length > 0) {
|
|
5235
|
-
origins
|
|
5262
|
+
appendNormalizedOrigins(origins, explicitOrigins, "ALLOWED_ORIGINS");
|
|
5236
5263
|
}
|
|
5237
5264
|
if (baseUrl) {
|
|
5238
|
-
origins
|
|
5265
|
+
appendNormalizedOrigins(origins, [baseUrl], "MCP_URL");
|
|
5239
5266
|
}
|
|
5240
5267
|
const cspUrls = parseCsvEnv(process.env.CSP_URLS);
|
|
5241
5268
|
if (cspUrls && cspUrls.length > 0) {
|
|
5242
|
-
origins
|
|
5269
|
+
appendNormalizedOrigins(origins, cspUrls, "CSP_URLS");
|
|
5243
5270
|
}
|
|
5271
|
+
appendFlyAppOrigin(origins);
|
|
5244
5272
|
const uniqueOrigins = [...new Set(origins)];
|
|
5245
5273
|
return uniqueOrigins.length > 0 ? uniqueOrigins : void 0;
|
|
5246
5274
|
}
|
|
@@ -5323,7 +5351,7 @@ async function main() {
|
|
|
5323
5351
|
startupLogger.info(`Host validation enabled for origins: ${allowedOriginList.join(", ")}`);
|
|
5324
5352
|
} else if (isProduction || isPublicBindHost(host)) {
|
|
5325
5353
|
startupLogger.error(
|
|
5326
|
-
"Public or production HTTP binding requires ALLOWED_ORIGINS, MCP_URL, or
|
|
5354
|
+
"Public or production HTTP binding requires ALLOWED_ORIGINS, MCP_URL, CSP_URLS, or FLY_APP_NAME to be set. Without host validation, the server is vulnerable to DNS rebinding attacks. Set ALLOWED_ORIGINS, MCP_URL, CSP_URLS, or FLY_APP_NAME to the public deployment URL or custom domain."
|
|
5327
5355
|
);
|
|
5328
5356
|
process.exit(1);
|
|
5329
5357
|
} else {
|