skybridge 0.0.0-dev.f8da531 → 0.0.0-dev.f8ef758

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (308) hide show
  1. package/README.md +123 -124
  2. package/dist/cli/build-helpers.d.ts +7 -0
  3. package/dist/cli/build-helpers.js +82 -0
  4. package/dist/cli/build-helpers.js.map +1 -0
  5. package/dist/cli/build-helpers.test.d.ts +1 -0
  6. package/dist/cli/build-helpers.test.js +64 -0
  7. package/dist/cli/build-helpers.test.js.map +1 -0
  8. package/dist/cli/detect-port.d.ts +2 -2
  9. package/dist/cli/detect-port.js +9 -20
  10. package/dist/cli/detect-port.js.map +1 -1
  11. package/dist/cli/header.js.map +1 -1
  12. package/dist/cli/resolve-views-dir.d.ts +1 -0
  13. package/dist/cli/resolve-views-dir.js +17 -0
  14. package/dist/cli/resolve-views-dir.js.map +1 -0
  15. package/dist/cli/run-command.js.map +1 -1
  16. package/dist/cli/telemetry.js.map +1 -1
  17. package/dist/cli/tunnel-control-server.js.map +1 -1
  18. package/dist/cli/tunnel-control-server.test.js.map +1 -1
  19. package/dist/cli/tunnel-handler.js.map +1 -1
  20. package/dist/cli/tunnel-handler.test.js.map +1 -1
  21. package/dist/cli/tunnel.js +2 -2
  22. package/dist/cli/tunnel.js.map +1 -1
  23. package/dist/cli/tunnel.test.js.map +1 -1
  24. package/dist/cli/types.js.map +1 -1
  25. package/dist/cli/use-execute-steps.js.map +1 -1
  26. package/dist/cli/use-messages.js.map +1 -1
  27. package/dist/cli/use-nodemon.js +11 -2
  28. package/dist/cli/use-nodemon.js.map +1 -1
  29. package/dist/cli/use-open-browser.d.ts +1 -0
  30. package/dist/cli/use-open-browser.js +44 -0
  31. package/dist/cli/use-open-browser.js.map +1 -0
  32. package/dist/cli/use-tunnel.js.map +1 -1
  33. package/dist/cli/use-typescript-check.js +1 -1
  34. package/dist/cli/use-typescript-check.js.map +1 -1
  35. package/dist/commands/build.d.ts +0 -1
  36. package/dist/commands/build.js +41 -18
  37. package/dist/commands/build.js.map +1 -1
  38. package/dist/commands/create.d.ts +9 -0
  39. package/dist/commands/create.js +30 -0
  40. package/dist/commands/create.js.map +1 -0
  41. package/dist/commands/dev.d.ts +1 -0
  42. package/dist/commands/dev.js +23 -0
  43. package/dist/commands/dev.js.map +1 -1
  44. package/dist/commands/start.js +7 -1
  45. package/dist/commands/start.js.map +1 -1
  46. package/dist/commands/telemetry/disable.js.map +1 -1
  47. package/dist/commands/telemetry/enable.js.map +1 -1
  48. package/dist/commands/telemetry/status.js.map +1 -1
  49. package/dist/server/asset-base-url-transform-plugin.d.ts +1 -0
  50. package/dist/server/asset-base-url-transform-plugin.js +16 -1
  51. package/dist/server/asset-base-url-transform-plugin.js.map +1 -1
  52. package/dist/server/asset-base-url-transform-plugin.test.js +51 -1
  53. package/dist/server/asset-base-url-transform-plugin.test.js.map +1 -1
  54. package/dist/server/auth/discovery.d.ts +11 -0
  55. package/dist/server/auth/discovery.js +51 -0
  56. package/dist/server/auth/discovery.js.map +1 -0
  57. package/dist/server/auth/discovery.test.d.ts +1 -0
  58. package/dist/server/auth/discovery.test.js +93 -0
  59. package/dist/server/auth/discovery.test.js.map +1 -0
  60. package/dist/server/auth/index.d.ts +18 -0
  61. package/dist/server/auth/index.js +2 -0
  62. package/dist/server/auth/index.js.map +1 -0
  63. package/dist/server/auth/providers/auth0.d.ts +13 -0
  64. package/dist/server/auth/providers/auth0.js +18 -0
  65. package/dist/server/auth/providers/auth0.js.map +1 -0
  66. package/dist/server/auth/providers/auth0.test.d.ts +1 -0
  67. package/dist/server/auth/providers/auth0.test.js +33 -0
  68. package/dist/server/auth/providers/auth0.test.js.map +1 -0
  69. package/dist/server/auth/providers/clerk.d.ts +14 -0
  70. package/dist/server/auth/providers/clerk.js +20 -0
  71. package/dist/server/auth/providers/clerk.js.map +1 -0
  72. package/dist/server/auth/providers/clerk.test.d.ts +1 -0
  73. package/dist/server/auth/providers/clerk.test.js +48 -0
  74. package/dist/server/auth/providers/clerk.test.js.map +1 -0
  75. package/dist/server/auth/providers/custom.d.ts +17 -0
  76. package/dist/server/auth/providers/custom.js +28 -0
  77. package/dist/server/auth/providers/custom.js.map +1 -0
  78. package/dist/server/auth/providers/custom.test.d.ts +1 -0
  79. package/dist/server/auth/providers/custom.test.js +91 -0
  80. package/dist/server/auth/providers/custom.test.js.map +1 -0
  81. package/dist/server/auth/providers/descope.d.ts +14 -0
  82. package/dist/server/auth/providers/descope.js +14 -0
  83. package/dist/server/auth/providers/descope.js.map +1 -0
  84. package/dist/server/auth/providers/descope.test.d.ts +1 -0
  85. package/dist/server/auth/providers/descope.test.js +35 -0
  86. package/dist/server/auth/providers/descope.test.js.map +1 -0
  87. package/dist/server/auth/providers/stytch.d.ts +12 -0
  88. package/dist/server/auth/providers/stytch.js +17 -0
  89. package/dist/server/auth/providers/stytch.js.map +1 -0
  90. package/dist/server/auth/providers/stytch.test.d.ts +1 -0
  91. package/dist/server/auth/providers/stytch.test.js +33 -0
  92. package/dist/server/auth/providers/stytch.test.js.map +1 -0
  93. package/dist/server/auth/providers/workos.d.ts +11 -0
  94. package/dist/server/auth/providers/workos.js +16 -0
  95. package/dist/server/auth/providers/workos.js.map +1 -0
  96. package/dist/server/auth/providers/workos.test.d.ts +1 -0
  97. package/dist/server/auth/providers/workos.test.js +41 -0
  98. package/dist/server/auth/providers/workos.test.js.map +1 -0
  99. package/dist/server/auth/setup.d.ts +4 -0
  100. package/dist/server/auth/setup.js +51 -0
  101. package/dist/server/auth/setup.js.map +1 -0
  102. package/dist/server/auth/setup.test.d.ts +1 -0
  103. package/dist/server/auth/setup.test.js +185 -0
  104. package/dist/server/auth/setup.test.js.map +1 -0
  105. package/dist/server/auth/verify.d.ts +12 -0
  106. package/dist/server/auth/verify.js +38 -0
  107. package/dist/server/auth/verify.js.map +1 -0
  108. package/dist/server/auth/verify.test.d.ts +1 -0
  109. package/dist/server/auth/verify.test.js +100 -0
  110. package/dist/server/auth/verify.test.js.map +1 -0
  111. package/dist/server/auth.d.ts +20 -0
  112. package/dist/server/auth.js +28 -0
  113. package/dist/server/auth.js.map +1 -0
  114. package/dist/server/build-manifest.test.d.ts +1 -0
  115. package/dist/server/build-manifest.test.js +27 -0
  116. package/dist/server/build-manifest.test.js.map +1 -0
  117. package/dist/server/content-helpers.d.ts +40 -0
  118. package/dist/server/content-helpers.js +33 -0
  119. package/dist/server/content-helpers.js.map +1 -1
  120. package/dist/server/content-helpers.test.js.map +1 -1
  121. package/dist/server/express.d.ts +1 -5
  122. package/dist/server/express.js +13 -7
  123. package/dist/server/express.js.map +1 -1
  124. package/dist/server/express.test.js +214 -71
  125. package/dist/server/express.test.js.map +1 -1
  126. package/dist/server/file-ref.d.ts +28 -0
  127. package/dist/server/file-ref.js +27 -0
  128. package/dist/server/file-ref.js.map +1 -0
  129. package/dist/server/index.d.ts +11 -2
  130. package/dist/server/index.js +9 -1
  131. package/dist/server/index.js.map +1 -1
  132. package/dist/server/inferUtilityTypes.js.map +1 -1
  133. package/dist/server/metric.js.map +1 -1
  134. package/dist/server/middleware.d.ts +16 -3
  135. package/dist/server/middleware.js.map +1 -1
  136. package/dist/server/middleware.test-d.js.map +1 -1
  137. package/dist/server/middleware.test.js.map +1 -1
  138. package/dist/server/requestOrigin.d.ts +7 -0
  139. package/dist/server/requestOrigin.js +25 -0
  140. package/dist/server/requestOrigin.js.map +1 -0
  141. package/dist/server/server.d.ts +237 -7
  142. package/dist/server/server.js +278 -73
  143. package/dist/server/server.js.map +1 -1
  144. package/dist/server/templateHelper.d.ts +0 -2
  145. package/dist/server/templateHelper.js +3 -22
  146. package/dist/server/templateHelper.js.map +1 -1
  147. package/dist/server/templates.generated.d.ts +4 -0
  148. package/dist/server/templates.generated.js +47 -0
  149. package/dist/server/templates.generated.js.map +1 -0
  150. package/dist/server/tunnel-proxy-router.js.map +1 -1
  151. package/dist/server/tunnel-proxy-router.test.js.map +1 -1
  152. package/dist/server/view-resource-resolution.test.d.ts +6 -0
  153. package/dist/server/view-resource-resolution.test.js +88 -0
  154. package/dist/server/view-resource-resolution.test.js.map +1 -0
  155. package/dist/server/viewsDevServer.js.map +1 -1
  156. package/dist/test/utils.js.map +1 -1
  157. package/dist/test/view.test.js +45 -0
  158. package/dist/test/view.test.js.map +1 -1
  159. package/dist/version.js +1 -3
  160. package/dist/version.js.map +1 -1
  161. package/dist/web/bridges/apps-sdk/adaptor.d.ts +7 -2
  162. package/dist/web/bridges/apps-sdk/adaptor.js +27 -3
  163. package/dist/web/bridges/apps-sdk/adaptor.js.map +1 -1
  164. package/dist/web/bridges/apps-sdk/bridge.d.ts +1 -0
  165. package/dist/web/bridges/apps-sdk/bridge.js +1 -0
  166. package/dist/web/bridges/apps-sdk/bridge.js.map +1 -1
  167. package/dist/web/bridges/apps-sdk/index.js.map +1 -1
  168. package/dist/web/bridges/apps-sdk/types.d.ts +8 -1
  169. package/dist/web/bridges/apps-sdk/types.js.map +1 -1
  170. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.d.ts +11 -0
  171. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.js +11 -0
  172. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.js.map +1 -1
  173. package/dist/web/bridges/get-adaptor.d.ts +7 -0
  174. package/dist/web/bridges/get-adaptor.js +7 -0
  175. package/dist/web/bridges/get-adaptor.js.map +1 -1
  176. package/dist/web/bridges/index.js.map +1 -1
  177. package/dist/web/bridges/mcp-app/adaptor.d.ts +7 -2
  178. package/dist/web/bridges/mcp-app/adaptor.js +21 -6
  179. package/dist/web/bridges/mcp-app/adaptor.js.map +1 -1
  180. package/dist/web/bridges/mcp-app/bridge.d.ts +4 -2
  181. package/dist/web/bridges/mcp-app/bridge.js +23 -1
  182. package/dist/web/bridges/mcp-app/bridge.js.map +1 -1
  183. package/dist/web/bridges/mcp-app/index.js.map +1 -1
  184. package/dist/web/bridges/mcp-app/types.js.map +1 -1
  185. package/dist/web/bridges/mcp-app/use-mcp-app-context.d.ts +12 -0
  186. package/dist/web/bridges/mcp-app/use-mcp-app-context.js +12 -0
  187. package/dist/web/bridges/mcp-app/use-mcp-app-context.js.map +1 -1
  188. package/dist/web/bridges/mcp-app/use-mcp-app-context.test.js.map +1 -1
  189. package/dist/web/bridges/mcp-app/view-tools.test.d.ts +1 -0
  190. package/dist/web/bridges/mcp-app/view-tools.test.js +144 -0
  191. package/dist/web/bridges/mcp-app/view-tools.test.js.map +1 -0
  192. package/dist/web/bridges/types.d.ts +98 -3
  193. package/dist/web/bridges/types.js.map +1 -1
  194. package/dist/web/bridges/use-host-context.d.ts +5 -0
  195. package/dist/web/bridges/use-host-context.js +5 -0
  196. package/dist/web/bridges/use-host-context.js.map +1 -1
  197. package/dist/web/components/modal-provider.js.map +1 -1
  198. package/dist/web/create-store.d.ts +26 -0
  199. package/dist/web/create-store.js +26 -0
  200. package/dist/web/create-store.js.map +1 -1
  201. package/dist/web/create-store.test.js.map +1 -1
  202. package/dist/web/data-llm.d.ts +33 -0
  203. package/dist/web/data-llm.js +28 -0
  204. package/dist/web/data-llm.js.map +1 -1
  205. package/dist/web/data-llm.test.js.map +1 -1
  206. package/dist/web/generate-helpers.d.ts +2 -0
  207. package/dist/web/generate-helpers.js +2 -0
  208. package/dist/web/generate-helpers.js.map +1 -1
  209. package/dist/web/generate-helpers.test-d.js +4 -2
  210. package/dist/web/generate-helpers.test-d.js.map +1 -1
  211. package/dist/web/generate-helpers.test.js.map +1 -1
  212. package/dist/web/helpers/state.js.map +1 -1
  213. package/dist/web/helpers/state.test.js.map +1 -1
  214. package/dist/web/hooks/index.d.ts +4 -0
  215. package/dist/web/hooks/index.js +4 -0
  216. package/dist/web/hooks/index.js.map +1 -1
  217. package/dist/web/hooks/test/utils.d.ts +6 -2
  218. package/dist/web/hooks/test/utils.js +13 -2
  219. package/dist/web/hooks/test/utils.js.map +1 -1
  220. package/dist/web/hooks/use-call-tool.d.ts +45 -0
  221. package/dist/web/hooks/use-call-tool.js +28 -0
  222. package/dist/web/hooks/use-call-tool.js.map +1 -1
  223. package/dist/web/hooks/use-call-tool.test-d.js.map +1 -1
  224. package/dist/web/hooks/use-call-tool.test.js +27 -6
  225. package/dist/web/hooks/use-call-tool.test.js.map +1 -1
  226. package/dist/web/hooks/use-display-mode.d.ts +20 -0
  227. package/dist/web/hooks/use-display-mode.js +20 -0
  228. package/dist/web/hooks/use-display-mode.js.map +1 -1
  229. package/dist/web/hooks/use-display-mode.test-d.js.map +1 -1
  230. package/dist/web/hooks/use-display-mode.test.js.map +1 -1
  231. package/dist/web/hooks/use-download.d.ts +5 -0
  232. package/dist/web/hooks/use-download.js +8 -0
  233. package/dist/web/hooks/use-download.js.map +1 -0
  234. package/dist/web/hooks/use-download.test.d.ts +1 -0
  235. package/dist/web/hooks/use-download.test.js +95 -0
  236. package/dist/web/hooks/use-download.test.js.map +1 -0
  237. package/dist/web/hooks/use-files.d.ts +32 -0
  238. package/dist/web/hooks/use-files.js +32 -0
  239. package/dist/web/hooks/use-files.js.map +1 -1
  240. package/dist/web/hooks/use-files.test.js.map +1 -1
  241. package/dist/web/hooks/use-layout.d.ts +2 -0
  242. package/dist/web/hooks/use-layout.js +2 -0
  243. package/dist/web/hooks/use-layout.js.map +1 -1
  244. package/dist/web/hooks/use-layout.test.js.map +1 -1
  245. package/dist/web/hooks/use-open-external.d.ts +17 -0
  246. package/dist/web/hooks/use-open-external.js +16 -0
  247. package/dist/web/hooks/use-open-external.js.map +1 -1
  248. package/dist/web/hooks/use-open-external.test.js.map +1 -1
  249. package/dist/web/hooks/use-register-view-tool.d.ts +38 -0
  250. package/dist/web/hooks/use-register-view-tool.js +50 -0
  251. package/dist/web/hooks/use-register-view-tool.js.map +1 -0
  252. package/dist/web/hooks/use-request-close.d.ts +16 -0
  253. package/dist/web/hooks/use-request-close.js +21 -0
  254. package/dist/web/hooks/use-request-close.js.map +1 -0
  255. package/dist/web/hooks/use-request-close.test.d.ts +1 -0
  256. package/dist/web/hooks/use-request-close.test.js +52 -0
  257. package/dist/web/hooks/use-request-close.test.js.map +1 -0
  258. package/dist/web/hooks/use-request-modal.d.ts +16 -1
  259. package/dist/web/hooks/use-request-modal.js +16 -1
  260. package/dist/web/hooks/use-request-modal.js.map +1 -1
  261. package/dist/web/hooks/use-request-modal.test.js.map +1 -1
  262. package/dist/web/hooks/use-request-size.d.ts +20 -0
  263. package/dist/web/hooks/use-request-size.js +24 -0
  264. package/dist/web/hooks/use-request-size.js.map +1 -0
  265. package/dist/web/hooks/use-request-size.test.d.ts +1 -0
  266. package/dist/web/hooks/use-request-size.test.js +65 -0
  267. package/dist/web/hooks/use-request-size.test.js.map +1 -0
  268. package/dist/web/hooks/use-send-follow-up-message.d.ts +19 -1
  269. package/dist/web/hooks/use-send-follow-up-message.js +19 -2
  270. package/dist/web/hooks/use-send-follow-up-message.js.map +1 -1
  271. package/dist/web/hooks/use-set-open-in-app-url.d.ts +17 -0
  272. package/dist/web/hooks/use-set-open-in-app-url.js +17 -0
  273. package/dist/web/hooks/use-set-open-in-app-url.js.map +1 -1
  274. package/dist/web/hooks/use-set-open-in-app-url.test.js.map +1 -1
  275. package/dist/web/hooks/use-tool-info.d.ts +53 -2
  276. package/dist/web/hooks/use-tool-info.js +30 -7
  277. package/dist/web/hooks/use-tool-info.js.map +1 -1
  278. package/dist/web/hooks/use-tool-info.test-d.js +11 -29
  279. package/dist/web/hooks/use-tool-info.test-d.js.map +1 -1
  280. package/dist/web/hooks/use-tool-info.test.js +5 -5
  281. package/dist/web/hooks/use-tool-info.test.js.map +1 -1
  282. package/dist/web/hooks/use-user.d.ts +2 -0
  283. package/dist/web/hooks/use-user.js +2 -0
  284. package/dist/web/hooks/use-user.js.map +1 -1
  285. package/dist/web/hooks/use-user.test.js.map +1 -1
  286. package/dist/web/hooks/use-view-state.d.ts +21 -0
  287. package/dist/web/hooks/use-view-state.js.map +1 -1
  288. package/dist/web/hooks/use-view-state.test.js.map +1 -1
  289. package/dist/web/index.js.map +1 -1
  290. package/dist/web/mount-view.d.ts +19 -0
  291. package/dist/web/mount-view.js +19 -0
  292. package/dist/web/mount-view.js.map +1 -1
  293. package/dist/web/plugin/data-llm.test.js.map +1 -1
  294. package/dist/web/plugin/plugin.d.ts +28 -0
  295. package/dist/web/plugin/plugin.js +35 -9
  296. package/dist/web/plugin/plugin.js.map +1 -1
  297. package/dist/web/plugin/scan-views.js.map +1 -1
  298. package/dist/web/plugin/scan-views.test.js.map +1 -1
  299. package/dist/web/plugin/transform-data-llm.js.map +1 -1
  300. package/dist/web/plugin/transform-data-llm.test.js.map +1 -1
  301. package/dist/web/plugin/validate-view.js.map +1 -1
  302. package/dist/web/plugin/validate-view.test.js.map +1 -1
  303. package/dist/web/proxy.js.map +1 -1
  304. package/dist/web/types.d.ts +4 -0
  305. package/dist/web/types.js.map +1 -1
  306. package/package.json +28 -18
  307. package/dist/server/templates/development.hbs +0 -12
  308. package/dist/server/templates/production.hbs +0 -6
@@ -5,9 +5,12 @@ import path from "node:path";
5
5
  import { Server as SdkServer, } from "@modelcontextprotocol/sdk/server/index.js";
6
6
  import { McpServer as McpServerBase } from "@modelcontextprotocol/sdk/server/mcp.js";
7
7
  import { mergeWith, union } from "es-toolkit";
8
+ import express, {} from "express";
9
+ import { setupOAuth } from "./auth/setup.js";
8
10
  import { createApp } from "./express.js";
9
11
  import { createMiddlewareEntry } from "./metric.js";
10
12
  import { buildMiddlewareChain, getHandlerMaps } from "./middleware.js";
13
+ import { resolveServerOrigin } from "./requestOrigin.js";
11
14
  import { templateHelper } from "./templateHelper.js";
12
15
  const mergeWithUnion = (target, source) => {
13
16
  return mergeWith(target, source, (targetVal, sourceVal) => {
@@ -16,6 +19,21 @@ const mergeWithUnion = (target, source) => {
16
19
  }
17
20
  });
18
21
  };
22
+ /**
23
+ * Drop the query string from a `ui://` view URI, leaving the bare path. The
24
+ * `?v=` cache key is the only query we append, so a plain split is enough and
25
+ * sidesteps `URL` normalization quirks on the non-special `ui:` scheme.
26
+ */
27
+ function stripQuery(uri) {
28
+ const queryIndex = uri.indexOf("?");
29
+ return queryIndex === -1 ? uri : uri.slice(0, queryIndex);
30
+ }
31
+ /**
32
+ * Coerce a tool handler's return value into an MCP `content` array. Strings
33
+ * become a single `TextContent`; a single block is wrapped in an array;
34
+ * `undefined` produces `[]`. Mostly used internally — exported so consumers
35
+ * who build content lazily can apply the same normalization.
36
+ */
19
37
  export function normalizeContent(content) {
20
38
  if (content === undefined) {
21
39
  return [];
@@ -29,31 +47,109 @@ export function normalizeContent(content) {
29
47
  return [content];
30
48
  }
31
49
  const McpServerBaseOmitted = McpServerBase;
50
+ /**
51
+ * The Skybridge server. Extends the MCP SDK's `McpServer` with a typed tool
52
+ * registry, view resources, an embedded Express app, and protocol-level
53
+ * middleware. Construct it with the same `Implementation` info you would pass
54
+ * to the SDK, chain {@link McpServer.registerTool} calls to declare tools,
55
+ * then call {@link McpServer.run} to start the HTTP server.
56
+ *
57
+ * The `TTools` generic accumulates each registered tool's input/output/meta
58
+ * shape, so `typeof server` carries enough information for view-side helpers
59
+ * like {@link generateHelpers} to produce fully-typed hooks.
60
+ *
61
+ * @typeParam TTools - Accumulated tool registry. Filled in by `registerTool`
62
+ * chaining; you almost never set this manually.
63
+ *
64
+ * @example
65
+ * ```ts
66
+ * const server = new McpServer({ name: "my-app", version: "1.0.0" }, {})
67
+ * .registerTool({
68
+ * name: "search",
69
+ * inputSchema: { query: z.string() },
70
+ * view: { component: "search" },
71
+ * }, async ({ query }) => ({ content: `Results for ${query}` }));
72
+ *
73
+ * await server.run();
74
+ * export type AppType = typeof server;
75
+ * ```
76
+ *
77
+ * @see https://docs.skybridge.tech/api-reference/mcp-server
78
+ */
79
+ // Side channel populated by `dist/__entry.js` before user code is imported.
80
+ // Set at module scope rather than passed through the constructor because the
81
+ // wrapper has the manifest before the user's `new McpServer(...)` runs, and
82
+ // threading it through every call site (including user templates) is exactly
83
+ // the boilerplate this design is trying to hide.
84
+ let pendingBuildManifest = null;
85
+ /**
86
+ * Prime the build-time Vite manifest before user code constructs its
87
+ * `McpServer`. Called from the generated `dist/__entry.js`; not part of the
88
+ * user-facing API.
89
+ *
90
+ * @internal
91
+ */
92
+ export function __setBuildManifest(manifest) {
93
+ pendingBuildManifest = manifest;
94
+ }
32
95
  export class McpServer extends McpServerBaseOmitted {
96
+ /**
97
+ * The underlying Express app. Use this to extend the HTTP server with
98
+ * custom routes, middleware, or settings — e.g.
99
+ * `server.express.get("/health", ...)`.
100
+ *
101
+ * `express.json()` is pre-applied — tune it via the constructor's third
102
+ * argument, e.g. `new McpServer(info, {}, { json: { limit: "10mb" } })`.
103
+ * Register your handlers before `run()`;
104
+ * after `run()`, dev-mode middleware, the `/mcp` route, and the default
105
+ * error handler are appended in that order.
106
+ *
107
+ * Note: Alpic Cloud only routes traffic to `/mcp` — custom routes work
108
+ * locally and on self-hosted deployments.
109
+ */
33
110
  express;
34
- customMiddleware = [];
35
111
  customErrorMiddleware = [];
36
112
  mcpMiddlewareEntries = [];
37
113
  mcpMiddlewareApplied = false;
38
114
  claimedViews = new Map();
115
+ viewMetaBuilders = new Map();
116
+ /**
117
+ * Maps a view resource's query-less path to its canonical registered URI
118
+ * (the one carrying the `?v=` cache key). Lets `resources/read` resolve the
119
+ * underlying view no matter which version param the consumer sends, since
120
+ * the param is only a cache key, not part of the resource's identity.
121
+ */
122
+ viewUriByPath = new Map();
123
+ viteManifest = null;
39
124
  serverInfo;
40
125
  serverOptions;
41
- constructor(serverInfo, options) {
126
+ constructor(serverInfo, options, skybridgeOptions) {
42
127
  super(serverInfo, options);
43
128
  this.serverInfo = serverInfo;
44
129
  this.serverOptions = options;
130
+ this.express = express();
131
+ this.express.use(express.json(skybridgeOptions?.json));
132
+ if (skybridgeOptions?.oauth) {
133
+ setupOAuth(this.express, skybridgeOptions.oauth);
134
+ }
135
+ // Pick up the manifest if `dist/__entry.js` primed it before importing
136
+ // user code. Consume-once: clear after the first construction so a
137
+ // subsequent test that doesn't prime can't inherit stale state.
138
+ // Explicit `setViteManifest` calls still win because they happen after
139
+ // construction.
140
+ if (pendingBuildManifest) {
141
+ this.setViteManifest(pendingBuildManifest);
142
+ pendingBuildManifest = null;
143
+ }
45
144
  }
46
145
  use(pathOrHandler, ...handlers) {
146
+ // Branching is load-bearing: Express's `app.use` overloads can't be
147
+ // resolved against a `string | RequestHandler` union, so we narrow.
47
148
  if (typeof pathOrHandler === "string") {
48
- this.customMiddleware.push({
49
- path: pathOrHandler,
50
- handlers,
51
- });
149
+ this.express.use(pathOrHandler, ...handlers);
52
150
  }
53
151
  else {
54
- this.customMiddleware.push({
55
- handlers: [pathOrHandler, ...handlers],
56
- });
152
+ this.express.use(pathOrHandler, ...handlers);
57
153
  }
58
154
  return this;
59
155
  }
@@ -97,10 +193,69 @@ export class McpServer extends McpServerBaseOmitted {
97
193
  return;
98
194
  }
99
195
  this.mcpMiddlewareApplied = true;
196
+ // Surface view-resource _meta on `resources/list` (per ext-apps spec:
197
+ // hosts/checkers read CSP & domain at list time before fetching content).
198
+ const viewListMetaEntry = {
199
+ filter: "resources/list",
200
+ handler: async (_req, extra, next) => {
201
+ const result = (await next());
202
+ for (const resource of result.resources) {
203
+ const builder = this.viewMetaBuilders.get(resource.uri);
204
+ if (!builder) {
205
+ continue;
206
+ }
207
+ const meta = builder(extra);
208
+ resource._meta = {
209
+ ...(resource._meta ?? {}),
210
+ ...meta,
211
+ };
212
+ }
213
+ return result;
214
+ },
215
+ };
216
+ // Resolve a view's `resources/read` by its query-less path so the
217
+ // underlying asset is served no matter the `?v=` value (stale cache key,
218
+ // no param, etc.). The version param is a cache-busting hint for external
219
+ // consumers; it must not gate resolution. We rewrite the lookup URI to the
220
+ // canonical registered one, then restore the requested URI on the response
221
+ // so the consumer-facing URI is never rewritten.
222
+ const viewReadResolveEntry = {
223
+ filter: "resources/read",
224
+ handler: async (req, _extra, next) => {
225
+ const requested = req.params.uri;
226
+ if (typeof requested !== "string") {
227
+ return next();
228
+ }
229
+ const path = stripQuery(requested);
230
+ const canonical = this.viewUriByPath.get(path);
231
+ if (!canonical) {
232
+ return next();
233
+ }
234
+ req.params.uri = canonical;
235
+ try {
236
+ const result = (await next());
237
+ for (const content of result.contents ?? []) {
238
+ if (typeof content.uri === "string" &&
239
+ stripQuery(content.uri) === path) {
240
+ content.uri = requested;
241
+ }
242
+ }
243
+ return result;
244
+ }
245
+ finally {
246
+ // Restore the shared request params so middleware outer to us never
247
+ // observes the rewritten lookup URI after next() unwinds.
248
+ req.params.uri = requested;
249
+ }
250
+ },
251
+ };
100
252
  const monitoringEntry = createMiddlewareEntry();
101
- const entries = monitoringEntry
102
- ? [monitoringEntry, ...this.mcpMiddlewareEntries]
103
- : this.mcpMiddlewareEntries;
253
+ const entries = [
254
+ ...(monitoringEntry ? [monitoringEntry] : []),
255
+ viewListMetaEntry,
256
+ viewReadResolveEntry,
257
+ ...this.mcpMiddlewareEntries,
258
+ ];
104
259
  if (entries.length === 0) {
105
260
  return;
106
261
  }
@@ -115,6 +270,14 @@ export class McpServer extends McpServerBaseOmitted {
115
270
  instrumentMap(requestHandlers, false);
116
271
  instrumentMap(notificationHandlers, true);
117
272
  }
273
+ /**
274
+ * Connect to an MCP transport (override of the SDK's `connect`). Use this
275
+ * when you're embedding Skybridge in a host that already manages its own
276
+ * transport (e.g. stdio for desktop apps); for HTTP, prefer {@link McpServer.run}
277
+ * which sets the transport up for you. Locks in any middleware registered
278
+ * via {@link McpServer.mcpMiddleware} — further calls to that method will
279
+ * throw afterwards.
280
+ */
118
281
  async connect(transport) {
119
282
  this.applyMcpMiddleware();
120
283
  return McpServerBase.prototype.connect.call(this, transport);
@@ -138,28 +301,58 @@ export class McpServer extends McpServerBaseOmitted {
138
301
  target._notificationHandlers = notificationHandlers;
139
302
  await fresh.connect(transport);
140
303
  }
304
+ /**
305
+ * Start the HTTP server. Listens on `process.env.__PORT` (default `3000`),
306
+ * mounts the `/mcp` route, applies any custom Express middleware registered
307
+ * via {@link McpServer.use} / {@link McpServer.useOnError}, and locks in
308
+ * any MCP middleware registered via {@link McpServer.mcpMiddleware}.
309
+ *
310
+ * On Cloudflare Workers / workerd, returns an object exposing `fetch` so
311
+ * the runtime can bridge incoming requests to the Node HTTP server. On
312
+ * Vercel (`VERCEL === "1"`), returns the Express app directly so the
313
+ * serverless function entry can call it as a `(req, res)` handler. On
314
+ * Node, returns `undefined` once listening.
315
+ */
141
316
  async run() {
142
317
  this.applyMcpMiddleware();
143
- const httpServer = http.createServer();
144
- if (!this.express) {
145
- this.express = await createApp({
318
+ if (process.env.VERCEL === "1") {
319
+ // createApp only reads httpServer inside its dev-only branch
320
+ // (viewsDevServer); under VERCEL=1 + NODE_ENV=production it's a
321
+ // bare object passed to satisfy the required parameter.
322
+ const httpServer = http.createServer();
323
+ await createApp({
146
324
  mcpServer: this,
147
325
  httpServer,
148
- customMiddleware: this.customMiddleware,
149
326
  errorMiddleware: this.customErrorMiddleware,
150
327
  });
328
+ return this.express;
151
329
  }
330
+ const httpServer = http.createServer();
331
+ await createApp({
332
+ mcpServer: this,
333
+ httpServer,
334
+ errorMiddleware: this.customErrorMiddleware,
335
+ });
152
336
  httpServer.on("request", this.express);
337
+ const port = parseInt(process.env.__PORT ?? "3000", 10);
153
338
  await new Promise((resolve, reject) => {
154
339
  httpServer.on("error", (error) => {
155
340
  console.error("Failed to start server:", error);
156
341
  reject(error);
157
342
  });
158
- const port = parseInt(process.env.__PORT ?? "3000", 10);
159
343
  httpServer.listen(port, () => {
160
344
  resolve();
161
345
  });
162
346
  });
347
+ // On workerd, bridge the Node http server to a Workers fetch handler.
348
+ // The specifier is held in a variable to sidestep tsc's module resolution
349
+ // (`cloudflare:node` only exists under wrangler/workerd).
350
+ if (typeof navigator !== "undefined" &&
351
+ navigator.userAgent === "Cloudflare-Workers") {
352
+ const cloudflareNode = "cloudflare:node";
353
+ const { httpServerHandler } = await import(cloudflareNode);
354
+ return httpServerHandler({ port });
355
+ }
163
356
  const shutdown = () => {
164
357
  // Drop both handlers so a second signal falls through to Node's default
165
358
  // (force-quit on a second Ctrl+C while drain is hanging).
@@ -172,6 +365,7 @@ export class McpServer extends McpServerBaseOmitted {
172
365
  };
173
366
  process.on("SIGTERM", shutdown);
174
367
  process.on("SIGINT", shutdown);
368
+ return undefined;
175
369
  }
176
370
  enforceOneToolPerView(component, toolName) {
177
371
  const existingTool = this.claimedViews.get(component);
@@ -180,6 +374,37 @@ export class McpServer extends McpServerBaseOmitted {
180
374
  }
181
375
  this.claimedViews.set(component, toolName);
182
376
  }
377
+ resolveViewRequestContext(extra) {
378
+ const isProduction = process.env.NODE_ENV === "production";
379
+ const headers = extra?.requestInfo?.headers || {};
380
+ const header = (key) => {
381
+ const val = headers[key];
382
+ return Array.isArray(val) ? val[0] : val;
383
+ };
384
+ const isClaude = header("user-agent") === "Claude-User";
385
+ const serverUrl = resolveServerOrigin(header);
386
+ const connectDomains = [serverUrl];
387
+ if (!isProduction) {
388
+ const wsUrl = new URL(serverUrl);
389
+ wsUrl.protocol = wsUrl.protocol === "https:" ? "wss:" : "ws:";
390
+ connectDomains.push(wsUrl.origin);
391
+ }
392
+ let contentMetaOverrides = {};
393
+ if (isClaude) {
394
+ const pathname = extra?.requestInfo?.url?.pathname ?? "";
395
+ const rawUrl = header("x-alpic-forwarded-url") ?? `${serverUrl}${pathname}`;
396
+ // Strip a lone trailing slash so the hash matches the connector URL
397
+ // as registered with Claude (which has no trailing slash on bare origins).
398
+ const url = rawUrl.endsWith("/") ? rawUrl.slice(0, -1) : rawUrl;
399
+ const hash = crypto
400
+ .createHash("sha256")
401
+ .update(url)
402
+ .digest("hex")
403
+ .slice(0, 32);
404
+ contentMetaOverrides = { domain: `${hash}.claudemcpcontent.com` };
405
+ }
406
+ return { serverUrl, connectDomains, contentMetaOverrides };
407
+ }
183
408
  registerViewResources(toolName, view, toolMeta) {
184
409
  const hosts = view.hosts ?? ["apps-sdk", "mcp-app"];
185
410
  // Append a content-derived version param so hosts (e.g. ChatGPT) bust
@@ -284,40 +509,25 @@ export class McpServer extends McpServerBaseOmitted {
284
509
  });
285
510
  // @ts-expect-error - For backwards compatibility with Claude current implementation of the specs
286
511
  toolMeta["ui/resourceUri"] = viewResource.uri;
287
- toolMeta.ui = { resourceUri: viewResource.uri };
512
+ toolMeta.ui = { ...toolMeta.ui, resourceUri: viewResource.uri };
288
513
  }
289
514
  }
290
515
  registerViewResource({ name, viewResource, view, }) {
291
516
  const { hostType, uri: viewUri, mimeType, buildContentMeta } = viewResource;
517
+ const buildMeta = (extra) => {
518
+ const { serverUrl, connectDomains, contentMetaOverrides } = this.resolveViewRequestContext(extra);
519
+ return buildContentMeta({
520
+ resourceDomains: [serverUrl],
521
+ connectDomains,
522
+ domain: serverUrl,
523
+ baseUriDomains: [serverUrl],
524
+ }, contentMetaOverrides);
525
+ };
526
+ this.viewMetaBuilders.set(viewUri, buildMeta);
527
+ this.viewUriByPath.set(stripQuery(viewUri), viewUri);
292
528
  this.registerResource(name, viewUri, { description: view.description }, async (uri, extra) => {
293
529
  const isProduction = process.env.NODE_ENV === "production";
294
- const isClaude = extra?.requestInfo?.headers?.["user-agent"] === "Claude-User";
295
- const headers = extra?.requestInfo?.headers || {};
296
- const header = (key) => {
297
- const val = headers[key];
298
- return Array.isArray(val) ? val[0] : val;
299
- };
300
- let serverUrl;
301
- const forwardedHost = header("x-forwarded-host");
302
- const origin = header("origin");
303
- const host = header("host");
304
- if (forwardedHost) {
305
- const proto = header("x-forwarded-proto") || "https";
306
- serverUrl = `${proto}://${forwardedHost}`;
307
- }
308
- else if (origin) {
309
- serverUrl = origin;
310
- }
311
- else if (host) {
312
- const proto = ["127.0.0.1:", "localhost:"].some((p) => host.startsWith(p))
313
- ? "http"
314
- : "https";
315
- serverUrl = `${proto}://${host}`;
316
- }
317
- else {
318
- const devPort = process.env.__PORT || "3000";
319
- serverUrl = `http://localhost:${devPort}`;
320
- }
530
+ const { serverUrl } = this.resolveViewRequestContext(extra);
321
531
  const html = isProduction
322
532
  ? templateHelper.renderProduction({
323
533
  hostType,
@@ -330,35 +540,9 @@ export class McpServer extends McpServerBaseOmitted {
330
540
  serverUrl,
331
541
  viewName: view.component,
332
542
  });
333
- const connectDomains = [serverUrl];
334
- if (!isProduction) {
335
- const wsUrl = new URL(serverUrl);
336
- wsUrl.protocol = wsUrl.protocol === "https:" ? "wss:" : "ws:";
337
- connectDomains.push(wsUrl.origin);
338
- }
339
- let contentMetaOverrides = {};
340
- if (isClaude) {
341
- const pathname = extra?.requestInfo?.url?.pathname ?? "";
342
- const rawUrl = header("x-alpic-forwarded-url") ?? `${serverUrl}${pathname}`;
343
- // Strip a lone trailing slash so the hash matches the connector URL
344
- // as registered with Claude (which has no trailing slash on bare origins).
345
- const url = rawUrl.endsWith("/") ? rawUrl.slice(0, -1) : rawUrl;
346
- const hash = crypto
347
- .createHash("sha256")
348
- .update(url)
349
- .digest("hex")
350
- .slice(0, 32);
351
- contentMetaOverrides = { domain: `${hash}.claudemcpcontent.com` };
352
- }
353
- const contentMeta = buildContentMeta({
354
- resourceDomains: [serverUrl],
355
- connectDomains,
356
- domain: serverUrl,
357
- baseUriDomains: [serverUrl],
358
- }, contentMetaOverrides);
359
543
  return {
360
544
  contents: [
361
- { uri: uri.href, mimeType, text: html, _meta: contentMeta },
545
+ { uri: uri.href, mimeType, text: html, _meta: buildMeta(extra) },
362
546
  ],
363
547
  };
364
548
  });
@@ -411,7 +595,20 @@ export class McpServer extends McpServerBaseOmitted {
411
595
  const manifest = this.readManifest();
412
596
  return manifest[key]?.file;
413
597
  }
598
+ /**
599
+ * Inject the Vite manifest as a value rather than letting `readManifest()`
600
+ * load it from disk. Required for runtimes without a usable filesystem
601
+ * (Cloudflare Workers, etc.) — the user's `skybridge build` emits the
602
+ * manifest as a JS module which the entry imports and passes here.
603
+ */
604
+ setViteManifest(manifest) {
605
+ this.viteManifest = manifest;
606
+ return this;
607
+ }
414
608
  readManifest() {
609
+ if (this.viteManifest) {
610
+ return this.viteManifest;
611
+ }
415
612
  return JSON.parse(readFileSync(path.join(process.cwd(), "dist", "assets", ".vite", "manifest.json"), "utf-8"));
416
613
  }
417
614
  registerTool(...args) {
@@ -422,8 +619,16 @@ export class McpServer extends McpServerBaseOmitted {
422
619
  }
423
620
  const config = args[0];
424
621
  const cb = args[1];
425
- const { name, view, _meta: userToolMeta, ...toolFields } = config;
622
+ const { name, view, securitySchemes, _meta: userToolMeta, ...toolFields } = config;
426
623
  const toolMeta = { ...userToolMeta };
624
+ if (securitySchemes) {
625
+ // SEP-1488 puts `securitySchemes` at the top level of the tool
626
+ // descriptor, but the SDK's `registerTool` drops unknown top-level
627
+ // fields, so the canonical spot isn't reachable without intercepting
628
+ // `tools/list`. Use the `_meta` back-compat mirror documented in the
629
+ // Apps SDK reference until SEP-1488 lands in the spec.
630
+ toolMeta.securitySchemes = securitySchemes;
631
+ }
427
632
  if (view) {
428
633
  this.enforceOneToolPerView(view.component, name);
429
634
  this.registerViewResources(name, view, toolMeta);