mcp-researchpowerpack 7.1.2 → 7.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -2
- package/dist/index.js +12 -1
- package/dist/index.js.map +2 -2
- package/dist/mcp-use.json +2 -2
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -87,11 +87,12 @@ capability with a clear error at call time.
|
|
|
87
87
|
| var | default | |
|
|
88
88
|
|-----|---------|---|
|
|
89
89
|
| `PORT` | `3000` | http port |
|
|
90
|
-
| `HOST` | `127.0.0.1` | bind address; cloud runtimes that set `PORT` auto-switch to `0.0.0.0`. public binds require `ALLOWED_ORIGINS`, `MCP_URL`, or `
|
|
90
|
+
| `HOST` | `127.0.0.1` | bind address; cloud runtimes that set `PORT` auto-switch to `0.0.0.0`. public binds require `ALLOWED_ORIGINS`, `MCP_URL`, `CSP_URLS`, or `FLY_APP_NAME` |
|
|
91
91
|
| `ALLOWED_ORIGINS` | unset | comma-separated origins for host validation / cors; merged with `MCP_URL` and platform `CSP_URLS` when present |
|
|
92
92
|
| `MCP_URL` | unset | public mcp url; contributes its origin to host validation and well-known resource urls |
|
|
93
93
|
| `CSP_URLS` | unset | platform-provided comma-separated public origins; also contributes to host validation, including the derived mcp-use `--br-main` host |
|
|
94
|
-
| `
|
|
94
|
+
| `FLY_APP_NAME` | unset | Fly runtime app name; when present, `https://<app>.fly.dev` is added to host validation for Manufact's deploy verifier |
|
|
95
|
+
| `NODE_ENV` | unset | `production` also requires `ALLOWED_ORIGINS`, `MCP_URL`, `CSP_URLS`, or `FLY_APP_NAME`, even on a local bind |
|
|
95
96
|
| `DEBUG` | unset | `1` or `2` to bump mcp-use debug verbosity |
|
|
96
97
|
|
|
97
98
|
### providers
|
package/dist/index.js
CHANGED
|
@@ -5245,6 +5245,16 @@ function appendNormalizedOrigins(target, values, envName) {
|
|
|
5245
5245
|
target.push(...expandMcpUseMainBranchOrigin(origin));
|
|
5246
5246
|
}
|
|
5247
5247
|
}
|
|
5248
|
+
function appendFlyAppOrigin(target) {
|
|
5249
|
+
const flyAppName = process.env.FLY_APP_NAME?.trim();
|
|
5250
|
+
if (!flyAppName) {
|
|
5251
|
+
return;
|
|
5252
|
+
}
|
|
5253
|
+
if (!/^[a-z0-9][a-z0-9-]*$/i.test(flyAppName)) {
|
|
5254
|
+
throw new Error(`FLY_APP_NAME must be a valid Fly app name. Received: ${flyAppName}`);
|
|
5255
|
+
}
|
|
5256
|
+
appendNormalizedOrigins(target, [`https://${flyAppName}.fly.dev`], "FLY_APP_NAME");
|
|
5257
|
+
}
|
|
5248
5258
|
function resolveAllowedOrigins(baseUrl) {
|
|
5249
5259
|
const origins = [];
|
|
5250
5260
|
const explicitOrigins = parseCsvEnv(process.env.ALLOWED_ORIGINS);
|
|
@@ -5258,6 +5268,7 @@ function resolveAllowedOrigins(baseUrl) {
|
|
|
5258
5268
|
if (cspUrls && cspUrls.length > 0) {
|
|
5259
5269
|
appendNormalizedOrigins(origins, cspUrls, "CSP_URLS");
|
|
5260
5270
|
}
|
|
5271
|
+
appendFlyAppOrigin(origins);
|
|
5261
5272
|
const uniqueOrigins = [...new Set(origins)];
|
|
5262
5273
|
return uniqueOrigins.length > 0 ? uniqueOrigins : void 0;
|
|
5263
5274
|
}
|
|
@@ -5340,7 +5351,7 @@ async function main() {
|
|
|
5340
5351
|
startupLogger.info(`Host validation enabled for origins: ${allowedOriginList.join(", ")}`);
|
|
5341
5352
|
} else if (isProduction || isPublicBindHost(host)) {
|
|
5342
5353
|
startupLogger.error(
|
|
5343
|
-
"Public or production HTTP binding requires ALLOWED_ORIGINS, MCP_URL, or
|
|
5354
|
+
"Public or production HTTP binding requires ALLOWED_ORIGINS, MCP_URL, CSP_URLS, or FLY_APP_NAME to be set. Without host validation, the server is vulnerable to DNS rebinding attacks. Set ALLOWED_ORIGINS, MCP_URL, CSP_URLS, or FLY_APP_NAME to the public deployment URL or custom domain."
|
|
5344
5355
|
);
|
|
5345
5356
|
process.exit(1);
|
|
5346
5357
|
} else {
|