skybridge 0.0.0-dev.fa28ddd → 0.0.0-dev.fa2b1ba

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (186) hide show
  1. package/dist/cli/build-helpers.d.ts +7 -0
  2. package/dist/cli/build-helpers.js +82 -0
  3. package/dist/cli/build-helpers.js.map +1 -0
  4. package/dist/cli/build-helpers.test.d.ts +1 -0
  5. package/dist/cli/build-helpers.test.js +64 -0
  6. package/dist/cli/build-helpers.test.js.map +1 -0
  7. package/dist/cli/detect-port.d.ts +2 -2
  8. package/dist/cli/detect-port.js +9 -20
  9. package/dist/cli/detect-port.js.map +1 -1
  10. package/dist/cli/resolve-views-dir.d.ts +1 -0
  11. package/dist/cli/resolve-views-dir.js +17 -0
  12. package/dist/cli/resolve-views-dir.js.map +1 -0
  13. package/dist/commands/build.d.ts +0 -1
  14. package/dist/commands/build.js +18 -30
  15. package/dist/commands/build.js.map +1 -1
  16. package/dist/commands/dev.js +16 -0
  17. package/dist/commands/dev.js.map +1 -1
  18. package/dist/commands/start.js +7 -1
  19. package/dist/commands/start.js.map +1 -1
  20. package/dist/server/auth/discovery.d.ts +32 -0
  21. package/dist/server/auth/discovery.js +56 -0
  22. package/dist/server/auth/discovery.js.map +1 -0
  23. package/dist/server/auth/discovery.test.d.ts +1 -0
  24. package/dist/server/auth/discovery.test.js +93 -0
  25. package/dist/server/auth/discovery.test.js.map +1 -0
  26. package/dist/server/auth/index.d.ts +18 -0
  27. package/dist/server/auth/index.js +2 -0
  28. package/dist/server/auth/index.js.map +1 -0
  29. package/dist/server/auth/providers/auth0.d.ts +18 -0
  30. package/dist/server/auth/providers/auth0.js +31 -0
  31. package/dist/server/auth/providers/auth0.js.map +1 -0
  32. package/dist/server/auth/providers/auth0.test.d.ts +1 -0
  33. package/dist/server/auth/providers/auth0.test.js +48 -0
  34. package/dist/server/auth/providers/auth0.test.js.map +1 -0
  35. package/dist/server/auth/providers/clerk.d.ts +14 -0
  36. package/dist/server/auth/providers/clerk.js +16 -0
  37. package/dist/server/auth/providers/clerk.js.map +1 -0
  38. package/dist/server/auth/providers/clerk.test.d.ts +1 -0
  39. package/dist/server/auth/providers/clerk.test.js +28 -0
  40. package/dist/server/auth/providers/clerk.test.js.map +1 -0
  41. package/dist/server/auth/providers/custom.d.ts +24 -0
  42. package/dist/server/auth/providers/custom.js +37 -0
  43. package/dist/server/auth/providers/custom.js.map +1 -0
  44. package/dist/server/auth/providers/custom.test.d.ts +1 -0
  45. package/dist/server/auth/providers/custom.test.js +107 -0
  46. package/dist/server/auth/providers/custom.test.js.map +1 -0
  47. package/dist/server/auth/providers/descope.d.ts +15 -0
  48. package/dist/server/auth/providers/descope.js +33 -0
  49. package/dist/server/auth/providers/descope.js.map +1 -0
  50. package/dist/server/auth/providers/descope.test.d.ts +1 -0
  51. package/dist/server/auth/providers/descope.test.js +37 -0
  52. package/dist/server/auth/providers/descope.test.js.map +1 -0
  53. package/dist/server/auth/providers/shared.d.ts +2 -0
  54. package/dist/server/auth/providers/shared.js +6 -0
  55. package/dist/server/auth/providers/shared.js.map +1 -0
  56. package/dist/server/auth/providers/shared.test.d.ts +1 -0
  57. package/dist/server/auth/providers/shared.test.js +10 -0
  58. package/dist/server/auth/providers/shared.test.js.map +1 -0
  59. package/dist/server/auth/providers/stytch.d.ts +12 -0
  60. package/dist/server/auth/providers/stytch.js +13 -0
  61. package/dist/server/auth/providers/stytch.js.map +1 -0
  62. package/dist/server/auth/providers/workos.d.ts +11 -0
  63. package/dist/server/auth/providers/workos.js +12 -0
  64. package/dist/server/auth/providers/workos.js.map +1 -0
  65. package/dist/server/auth/setup.d.ts +4 -0
  66. package/dist/server/auth/setup.js +51 -0
  67. package/dist/server/auth/setup.js.map +1 -0
  68. package/dist/server/auth/setup.test.d.ts +1 -0
  69. package/dist/server/auth/setup.test.js +185 -0
  70. package/dist/server/auth/setup.test.js.map +1 -0
  71. package/dist/server/auth/verify.d.ts +12 -0
  72. package/dist/server/auth/verify.js +38 -0
  73. package/dist/server/auth/verify.js.map +1 -0
  74. package/dist/server/auth/verify.test.d.ts +1 -0
  75. package/dist/server/auth/verify.test.js +100 -0
  76. package/dist/server/auth/verify.test.js.map +1 -0
  77. package/dist/server/build-manifest.test.d.ts +1 -0
  78. package/dist/server/build-manifest.test.js +27 -0
  79. package/dist/server/build-manifest.test.js.map +1 -0
  80. package/dist/server/express.test.js +61 -0
  81. package/dist/server/express.test.js.map +1 -1
  82. package/dist/server/index.d.ts +9 -2
  83. package/dist/server/index.js +7 -1
  84. package/dist/server/index.js.map +1 -1
  85. package/dist/server/requestOrigin.d.ts +7 -0
  86. package/dist/server/requestOrigin.js +25 -0
  87. package/dist/server/requestOrigin.js.map +1 -0
  88. package/dist/server/server.d.ts +56 -35
  89. package/dist/server/server.js +197 -126
  90. package/dist/server/server.js.map +1 -1
  91. package/dist/server/view-name.test-d.d.ts +1 -0
  92. package/dist/server/view-name.test-d.js +8 -0
  93. package/dist/server/view-name.test-d.js.map +1 -0
  94. package/dist/server/view-resource-resolution.test.d.ts +6 -0
  95. package/dist/server/view-resource-resolution.test.js +171 -0
  96. package/dist/server/view-resource-resolution.test.js.map +1 -0
  97. package/dist/test/view.test.js +69 -101
  98. package/dist/test/view.test.js.map +1 -1
  99. package/dist/web/bridges/adaptor.d.ts +51 -0
  100. package/dist/web/bridges/adaptor.js +310 -0
  101. package/dist/web/bridges/adaptor.js.map +1 -0
  102. package/dist/web/bridges/adaptor.test.d.ts +1 -0
  103. package/dist/web/bridges/adaptor.test.js +197 -0
  104. package/dist/web/bridges/adaptor.test.js.map +1 -0
  105. package/dist/web/bridges/apps-sdk/bridge.d.ts +6 -2
  106. package/dist/web/bridges/apps-sdk/bridge.js +15 -4
  107. package/dist/web/bridges/apps-sdk/bridge.js.map +1 -1
  108. package/dist/web/bridges/apps-sdk/index.d.ts +0 -1
  109. package/dist/web/bridges/apps-sdk/index.js +0 -1
  110. package/dist/web/bridges/apps-sdk/index.js.map +1 -1
  111. package/dist/web/bridges/get-adaptor.d.ts +4 -4
  112. package/dist/web/bridges/get-adaptor.js +6 -11
  113. package/dist/web/bridges/get-adaptor.js.map +1 -1
  114. package/dist/web/bridges/get-adaptor.test.d.ts +1 -0
  115. package/dist/web/bridges/get-adaptor.test.js +32 -0
  116. package/dist/web/bridges/get-adaptor.test.js.map +1 -0
  117. package/dist/web/bridges/mcp-app/bridge.d.ts +15 -3
  118. package/dist/web/bridges/mcp-app/bridge.js +68 -5
  119. package/dist/web/bridges/mcp-app/bridge.js.map +1 -1
  120. package/dist/web/bridges/mcp-app/bridge.test.d.ts +1 -0
  121. package/dist/web/bridges/mcp-app/bridge.test.js +17 -0
  122. package/dist/web/bridges/mcp-app/bridge.test.js.map +1 -0
  123. package/dist/web/bridges/mcp-app/index.d.ts +0 -1
  124. package/dist/web/bridges/mcp-app/index.js +0 -1
  125. package/dist/web/bridges/mcp-app/index.js.map +1 -1
  126. package/dist/web/bridges/mcp-app/view-tools.test.d.ts +1 -0
  127. package/dist/web/bridges/mcp-app/view-tools.test.js +143 -0
  128. package/dist/web/bridges/mcp-app/view-tools.test.js.map +1 -0
  129. package/dist/web/bridges/types.d.ts +44 -1
  130. package/dist/web/bridges/types.js +14 -1
  131. package/dist/web/bridges/types.js.map +1 -1
  132. package/dist/web/bridges/types.test.d.ts +1 -0
  133. package/dist/web/bridges/types.test.js +19 -0
  134. package/dist/web/bridges/types.test.js.map +1 -0
  135. package/dist/web/components/modal-provider.js +4 -3
  136. package/dist/web/components/modal-provider.js.map +1 -1
  137. package/dist/web/create-store.test.js +8 -5
  138. package/dist/web/create-store.test.js.map +1 -1
  139. package/dist/web/data-llm.test.js +9 -5
  140. package/dist/web/data-llm.test.js.map +1 -1
  141. package/dist/web/generate-helpers.test-d.js +4 -2
  142. package/dist/web/generate-helpers.test-d.js.map +1 -1
  143. package/dist/web/hooks/index.d.ts +1 -0
  144. package/dist/web/hooks/index.js +1 -0
  145. package/dist/web/hooks/index.js.map +1 -1
  146. package/dist/web/hooks/use-call-tool.test.js +37 -23
  147. package/dist/web/hooks/use-call-tool.test.js.map +1 -1
  148. package/dist/web/hooks/use-display-mode.test.js +56 -20
  149. package/dist/web/hooks/use-display-mode.test.js.map +1 -1
  150. package/dist/web/hooks/use-download.test.js +11 -3
  151. package/dist/web/hooks/use-download.test.js.map +1 -1
  152. package/dist/web/hooks/use-files.test.js +10 -2
  153. package/dist/web/hooks/use-files.test.js.map +1 -1
  154. package/dist/web/hooks/use-layout.test.js +59 -26
  155. package/dist/web/hooks/use-layout.test.js.map +1 -1
  156. package/dist/web/hooks/use-open-external.test.js +13 -3
  157. package/dist/web/hooks/use-open-external.test.js.map +1 -1
  158. package/dist/web/hooks/use-register-view-tool.d.ts +38 -0
  159. package/dist/web/hooks/use-register-view-tool.js +50 -0
  160. package/dist/web/hooks/use-register-view-tool.js.map +1 -0
  161. package/dist/web/hooks/use-request-close.test.js +35 -40
  162. package/dist/web/hooks/use-request-close.test.js.map +1 -1
  163. package/dist/web/hooks/use-request-modal.test.js +10 -0
  164. package/dist/web/hooks/use-request-modal.test.js.map +1 -1
  165. package/dist/web/hooks/use-request-size.test.js +35 -53
  166. package/dist/web/hooks/use-request-size.test.js.map +1 -1
  167. package/dist/web/hooks/use-set-open-in-app-url.test.js +28 -8
  168. package/dist/web/hooks/use-set-open-in-app-url.test.js.map +1 -1
  169. package/dist/web/hooks/use-tool-info.d.ts +25 -7
  170. package/dist/web/hooks/use-tool-info.js +5 -8
  171. package/dist/web/hooks/use-tool-info.js.map +1 -1
  172. package/dist/web/hooks/use-tool-info.test-d.js +11 -29
  173. package/dist/web/hooks/use-tool-info.test-d.js.map +1 -1
  174. package/dist/web/hooks/use-tool-info.test.js +42 -32
  175. package/dist/web/hooks/use-tool-info.test.js.map +1 -1
  176. package/dist/web/hooks/use-user.test.js +81 -35
  177. package/dist/web/hooks/use-user.test.js.map +1 -1
  178. package/dist/web/hooks/use-view-state.test.js +6 -2
  179. package/dist/web/hooks/use-view-state.test.js.map +1 -1
  180. package/package.json +6 -3
  181. package/dist/web/bridges/apps-sdk/adaptor.d.ts +0 -28
  182. package/dist/web/bridges/apps-sdk/adaptor.js +0 -113
  183. package/dist/web/bridges/apps-sdk/adaptor.js.map +0 -1
  184. package/dist/web/bridges/mcp-app/adaptor.d.ts +0 -52
  185. package/dist/web/bridges/mcp-app/adaptor.js +0 -280
  186. package/dist/web/bridges/mcp-app/adaptor.js.map +0 -1
@@ -0,0 +1,25 @@
1
+ /**
2
+ * Resolves this server's public origin from request headers, in precedence
3
+ * `x-forwarded-host` → `host` → localhost dev fallback. Shared by view serving
4
+ * and OAuth metadata so the two can't drift. `Origin` is deliberately ignored:
5
+ * it carries the *caller's* site, not this server's.
6
+ */
7
+ export function resolveServerOrigin(header) {
8
+ // Proxies may send X-Forwarded-* as a comma-separated chain; the client-facing
9
+ // hop is the first entry.
10
+ const firstHop = (value) => value?.split(",")[0]?.trim();
11
+ const forwardedHost = firstHop(header("x-forwarded-host"));
12
+ if (forwardedHost) {
13
+ const proto = firstHop(header("x-forwarded-proto")) || "https";
14
+ return `${proto}://${forwardedHost}`;
15
+ }
16
+ const host = header("host");
17
+ if (host) {
18
+ const proto = ["127.0.0.1:", "localhost:"].some((p) => host.startsWith(p))
19
+ ? "http"
20
+ : "https";
21
+ return `${proto}://${host}`;
22
+ }
23
+ return `http://localhost:${process.env.__PORT || "3000"}`;
24
+ }
25
+ //# sourceMappingURL=requestOrigin.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"requestOrigin.js","sourceRoot":"","sources":["../../src/server/requestOrigin.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAA2C;IAE3C,+EAA+E;IAC/E,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,CAAC,KAAyB,EAAE,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;IAC7E,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAC3D,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC,IAAI,OAAO,CAAC;QAC/D,OAAO,GAAG,KAAK,MAAM,aAAa,EAAE,CAAC;IACvC,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,KAAK,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACxE,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,OAAO,CAAC;QACZ,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IAC9B,CAAC;IACD,OAAO,oBAAoB,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,MAAM,EAAE,CAAC;AAC5D,CAAC","sourcesContent":["/**\n * Resolves this server's public origin from request headers, in precedence\n * `x-forwarded-host` → `host` → localhost dev fallback. Shared by view serving\n * and OAuth metadata so the two can't drift. `Origin` is deliberately ignored:\n * it carries the *caller's* site, not this server's.\n */\nexport function resolveServerOrigin(\n header: (key: string) => string | undefined,\n): string {\n // Proxies may send X-Forwarded-* as a comma-separated chain; the client-facing\n // hop is the first entry.\n const firstHop = (value: string | undefined) => value?.split(\",\")[0]?.trim();\n const forwardedHost = firstHop(header(\"x-forwarded-host\"));\n if (forwardedHost) {\n const proto = firstHop(header(\"x-forwarded-proto\")) || \"https\";\n return `${proto}://${forwardedHost}`;\n }\n const host = header(\"host\");\n if (host) {\n const proto = [\"127.0.0.1:\", \"localhost:\"].some((p) => host.startsWith(p))\n ? \"http\"\n : \"https\";\n return `${proto}://${host}`;\n }\n return `http://localhost:${process.env.__PORT || \"3000\"}`;\n}\n"]}
@@ -4,7 +4,8 @@ import { McpServer as McpServerBase } from "@modelcontextprotocol/sdk/server/mcp
4
4
  import type { AnySchema, SchemaOutput, ZodRawShapeCompat } from "@modelcontextprotocol/sdk/server/zod-compat.js";
5
5
  import type { RequestHandlerExtra } from "@modelcontextprotocol/sdk/shared/protocol.js";
6
6
  import type { ContentBlock, Implementation, RequestMeta, ServerNotification, ServerRequest, ServerResult, ToolAnnotations } from "@modelcontextprotocol/sdk/types.js";
7
- import { type ErrorRequestHandler, type Express, type RequestHandler } from "express";
7
+ import express, { type ErrorRequestHandler, type Express, type RequestHandler } from "express";
8
+ import type { OAuthConfig } from "./auth/index.js";
8
9
  import type { McpExtra, McpExtraFor, McpMethodString, McpMiddlewareFilter, McpMiddlewareFn, McpResultFor, McpTypedMiddlewareFn, McpWildcard } from "./middleware.js";
9
10
  /**
10
11
  * Type marker for a registered tool — carries its input, output, and response
@@ -18,7 +19,11 @@ export type ToolDef<TInput = unknown, TOutput = unknown, TResponseMetadata = unk
18
19
  output: TOutput;
19
20
  responseMetadata: TResponseMetadata;
20
21
  };
21
- /** Which host runtime a view targets — `"apps-sdk"` (ChatGPT) or `"mcp-app"` (MCP Apps spec). */
22
+ /**
23
+ * @deprecated Views now always emit a single ext-apps resource; host targeting
24
+ * no longer applies. Retained for backwards compatibility; will be removed in a
25
+ * future major.
26
+ */
22
27
  export type ViewHostType = "apps-sdk" | "mcp-app";
23
28
  /**
24
29
  * Content Security Policy origins attached to a view's resource. Each list is
@@ -44,8 +49,16 @@ export interface ViewCsp {
44
49
  */
45
50
  export interface ViewNameRegistry {
46
51
  }
52
+ /**
53
+ * Resolve view component names from a registry: the union of its keys, or
54
+ * `string` when the registry is empty. The empty case happens before
55
+ * `.skybridge/views.d.ts` is generated; falling back to `string` keeps valid
56
+ * view names from erroring on a fresh checkout, and narrowing kicks in once
57
+ * the generated file augments the registry.
58
+ */
59
+ export type ViewNameFor<Registry> = [keyof Registry & string] extends [never] ? string : keyof Registry & string;
47
60
  /** Union of valid view component names. Narrowed by {@link ViewNameRegistry}. */
48
- export type ViewName = keyof ViewNameRegistry & string;
61
+ export type ViewName = ViewNameFor<ViewNameRegistry>;
49
62
  /**
50
63
  * Pass under `view` in a tool's `registerTool` config to render the tool's
51
64
  * result through a Skybridge view instead of a plain text response.
@@ -55,11 +68,14 @@ export interface ViewConfig {
55
68
  component: ViewName;
56
69
  /** Human-readable label the host may show alongside the view. */
57
70
  description?: string;
58
- /** Restrict where the view is rendered. Defaults to all known hosts. */
71
+ /**
72
+ * @deprecated No-op. Every view emits a single ext-apps resource regardless
73
+ * of this value. Will be removed in a future major.
74
+ */
59
75
  hosts?: ViewHostType[];
60
- /** Apps SDK only: request a visible border around the widget. */
76
+ /** Request a visible border around the view (forwarded as `ui.prefersBorder`). */
61
77
  prefersBorder?: boolean;
62
- /** Apps SDK only: override the iframe's served domain (advanced). */
78
+ /** Override the iframe's served domain (advanced; forwarded as `ui.domain`). */
63
79
  domain?: string;
64
80
  /** Per-view CSP overrides — see {@link ViewCsp}. */
65
81
  csp?: ViewCsp;
@@ -72,6 +88,18 @@ export type SecurityScheme = {
72
88
  type: "oauth2";
73
89
  scopes?: string[];
74
90
  };
91
+ /**
92
+ * Options forwarded to the built-in `express.json()` body parser. Derived
93
+ * from Express's own types so the public API doesn't depend on `body-parser`.
94
+ */
95
+ export type JsonOptions = NonNullable<Parameters<typeof express.json>[0]>;
96
+ /** Skybridge-specific server options, passed as the third `McpServer` constructor argument. */
97
+ export interface SkybridgeServerOptions {
98
+ /** Options for the built-in `express.json()` middleware, e.g. `{ limit: "10mb" }`. */
99
+ json?: JsonOptions;
100
+ /** Resource-server OAuth config. When set, mounts well-known metadata and bearer auth on `/mcp`. */
101
+ oauth?: OAuthConfig;
102
+ }
75
103
  /**
76
104
  * Well-known keys recognized by host runtimes when set on a tool's `_meta`.
77
105
  * Use {@link ToolMeta} to also pass arbitrary custom metadata alongside these.
@@ -199,34 +227,15 @@ interface McpServerBaseOmitted extends Omit<McpServerBase, "registerTool" | "con
199
227
  }
200
228
  declare const McpServerBaseOmitted: new (...args: ConstructorParameters<typeof McpServerBase>) => McpServerBaseOmitted;
201
229
  /**
202
- * The Skybridge server. Extends the MCP SDK's `McpServer` with a typed tool
203
- * registry, view resources, an embedded Express app, and protocol-level
204
- * middleware. Construct it with the same `Implementation` info you would pass
205
- * to the SDK, chain {@link McpServer.registerTool} calls to declare tools,
206
- * then call {@link McpServer.run} to start the HTTP server.
207
- *
208
- * The `TTools` generic accumulates each registered tool's input/output/meta
209
- * shape, so `typeof server` carries enough information for view-side helpers
210
- * like {@link generateHelpers} to produce fully-typed hooks.
211
- *
212
- * @typeParam TTools - Accumulated tool registry. Filled in by `registerTool`
213
- * chaining; you almost never set this manually.
214
- *
215
- * @example
216
- * ```ts
217
- * const server = new McpServer({ name: "my-app", version: "1.0.0" }, {})
218
- * .registerTool({
219
- * name: "search",
220
- * inputSchema: { query: z.string() },
221
- * view: { component: "search" },
222
- * }, async ({ query }) => ({ content: `Results for ${query}` }));
230
+ * Prime the build-time Vite manifest before user code constructs its
231
+ * `McpServer`. Called from the generated `dist/__entry.js`; not part of the
232
+ * user-facing API.
223
233
  *
224
- * await server.run();
225
- * export type AppType = typeof server;
226
- * ```
227
- *
228
- * @see https://docs.skybridge.tech/api-reference/mcp-server
234
+ * @internal
229
235
  */
236
+ export declare function __setBuildManifest(manifest: Record<string, {
237
+ file: string;
238
+ }>): void;
230
239
  export declare class McpServer<TTools extends Record<string, ToolDef> = Record<never, ToolDef>> extends McpServerBaseOmitted {
231
240
  readonly $types: McpServerTypes<TTools>;
232
241
  /**
@@ -234,7 +243,9 @@ export declare class McpServer<TTools extends Record<string, ToolDef> = Record<n
234
243
  * custom routes, middleware, or settings — e.g.
235
244
  * `server.express.get("/health", ...)`.
236
245
  *
237
- * `express.json()` is pre-applied. Register your handlers before `run()`;
246
+ * `express.json()` is pre-applied tune it via the constructor's third
247
+ * argument, e.g. `new McpServer(info, {}, { json: { limit: "10mb" } })`.
248
+ * Register your handlers before `run()`;
238
249
  * after `run()`, dev-mode middleware, the `/mcp` route, and the default
239
250
  * error handler are appended in that order.
240
251
  *
@@ -247,10 +258,17 @@ export declare class McpServer<TTools extends Record<string, ToolDef> = Record<n
247
258
  private mcpMiddlewareApplied;
248
259
  private claimedViews;
249
260
  private viewMetaBuilders;
261
+ /**
262
+ * Maps a view resource's query-less path to its canonical registered URI
263
+ * (the one carrying the `?v=` cache key). Lets `resources/read` resolve the
264
+ * underlying view no matter which version param the consumer sends, since
265
+ * the param is only a cache key, not part of the resource's identity.
266
+ */
267
+ private viewUriByPath;
250
268
  private viteManifest;
251
269
  private readonly serverInfo;
252
270
  private readonly serverOptions?;
253
- constructor(serverInfo: Implementation, options?: ServerOptions);
271
+ constructor(serverInfo: Implementation, options?: ServerOptions, skybridgeOptions?: SkybridgeServerOptions);
254
272
  /**
255
273
  * Register Express middleware on the underlying app. Mirrors `app.use` —
256
274
  * pass handlers directly or a path-prefixed handler list. Register before
@@ -336,15 +354,18 @@ export declare class McpServer<TTools extends Record<string, ToolDef> = Record<n
336
354
  *
337
355
  * On Cloudflare Workers / workerd, returns an object exposing `fetch` so
338
356
  * the runtime can bridge incoming requests to the Node HTTP server. On
357
+ * Vercel (`VERCEL === "1"`), returns the Express app directly so the
358
+ * serverless function entry can call it as a `(req, res)` handler. On
339
359
  * Node, returns `undefined` once listening.
340
360
  */
341
361
  run(): Promise<{
342
362
  fetch: (...args: unknown[]) => unknown;
343
- } | undefined>;
363
+ } | Express | undefined>;
344
364
  private enforceOneToolPerView;
345
365
  private resolveViewRequestContext;
346
366
  private registerViewResources;
347
367
  private registerViewResource;
368
+ private serveLegacyAppsSdkUrl;
348
369
  private wrapHandler;
349
370
  private computeViewVersionParam;
350
371
  private lookupViewFile;
@@ -6,9 +6,11 @@ import { Server as SdkServer, } from "@modelcontextprotocol/sdk/server/index.js"
6
6
  import { McpServer as McpServerBase } from "@modelcontextprotocol/sdk/server/mcp.js";
7
7
  import { mergeWith, union } from "es-toolkit";
8
8
  import express, {} from "express";
9
+ import { setupOAuth } from "./auth/setup.js";
9
10
  import { createApp } from "./express.js";
10
11
  import { createMiddlewareEntry } from "./metric.js";
11
12
  import { buildMiddlewareChain, getHandlerMaps } from "./middleware.js";
13
+ import { resolveServerOrigin } from "./requestOrigin.js";
12
14
  import { templateHelper } from "./templateHelper.js";
13
15
  const mergeWithUnion = (target, source) => {
14
16
  return mergeWith(target, source, (targetVal, sourceVal) => {
@@ -17,6 +19,28 @@ const mergeWithUnion = (target, source) => {
17
19
  }
18
20
  });
19
21
  };
22
+ /**
23
+ * Normalize an `x-forwarded-prefix` value into a leading-slash, no-trailing-slash
24
+ * path. Takes the first hop of a comma-separated proxy chain.
25
+ * "/v1/", "v1", "/v1, /internal" → "/v1"; "", "/", undefined → "".
26
+ */
27
+ function normalizeForwardedPrefix(raw) {
28
+ const firstHop = raw?.split(",")[0]?.trim() ?? "";
29
+ const trimmed = firstHop.replace(/\/+$/, "");
30
+ if (trimmed === "") {
31
+ return "";
32
+ }
33
+ return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
34
+ }
35
+ /**
36
+ * Drop the query string from a `ui://` view URI, leaving the bare path. The
37
+ * `?v=` cache key is the only query we append, so a plain split is enough and
38
+ * sidesteps `URL` normalization quirks on the non-special `ui:` scheme.
39
+ */
40
+ function stripQuery(uri) {
41
+ const queryIndex = uri.indexOf("?");
42
+ return queryIndex === -1 ? uri : uri.slice(0, queryIndex);
43
+ }
20
44
  /**
21
45
  * Coerce a tool handler's return value into an MCP `content` array. Strings
22
46
  * become a single `TextContent`; a single block is wrapped in an array;
@@ -65,13 +89,31 @@ const McpServerBaseOmitted = McpServerBase;
65
89
  *
66
90
  * @see https://docs.skybridge.tech/api-reference/mcp-server
67
91
  */
92
+ // Side channel populated by `dist/__entry.js` before user code is imported.
93
+ // Set at module scope rather than passed through the constructor because the
94
+ // wrapper has the manifest before the user's `new McpServer(...)` runs, and
95
+ // threading it through every call site (including user templates) is exactly
96
+ // the boilerplate this design is trying to hide.
97
+ let pendingBuildManifest = null;
98
+ /**
99
+ * Prime the build-time Vite manifest before user code constructs its
100
+ * `McpServer`. Called from the generated `dist/__entry.js`; not part of the
101
+ * user-facing API.
102
+ *
103
+ * @internal
104
+ */
105
+ export function __setBuildManifest(manifest) {
106
+ pendingBuildManifest = manifest;
107
+ }
68
108
  export class McpServer extends McpServerBaseOmitted {
69
109
  /**
70
110
  * The underlying Express app. Use this to extend the HTTP server with
71
111
  * custom routes, middleware, or settings — e.g.
72
112
  * `server.express.get("/health", ...)`.
73
113
  *
74
- * `express.json()` is pre-applied. Register your handlers before `run()`;
114
+ * `express.json()` is pre-applied tune it via the constructor's third
115
+ * argument, e.g. `new McpServer(info, {}, { json: { limit: "10mb" } })`.
116
+ * Register your handlers before `run()`;
75
117
  * after `run()`, dev-mode middleware, the `/mcp` route, and the default
76
118
  * error handler are appended in that order.
77
119
  *
@@ -84,15 +126,34 @@ export class McpServer extends McpServerBaseOmitted {
84
126
  mcpMiddlewareApplied = false;
85
127
  claimedViews = new Map();
86
128
  viewMetaBuilders = new Map();
129
+ /**
130
+ * Maps a view resource's query-less path to its canonical registered URI
131
+ * (the one carrying the `?v=` cache key). Lets `resources/read` resolve the
132
+ * underlying view no matter which version param the consumer sends, since
133
+ * the param is only a cache key, not part of the resource's identity.
134
+ */
135
+ viewUriByPath = new Map();
87
136
  viteManifest = null;
88
137
  serverInfo;
89
138
  serverOptions;
90
- constructor(serverInfo, options) {
139
+ constructor(serverInfo, options, skybridgeOptions) {
91
140
  super(serverInfo, options);
92
141
  this.serverInfo = serverInfo;
93
142
  this.serverOptions = options;
94
143
  this.express = express();
95
- this.express.use(express.json());
144
+ this.express.use(express.json(skybridgeOptions?.json));
145
+ if (skybridgeOptions?.oauth) {
146
+ setupOAuth(this.express, skybridgeOptions.oauth);
147
+ }
148
+ // Pick up the manifest if `dist/__entry.js` primed it before importing
149
+ // user code. Consume-once: clear after the first construction so a
150
+ // subsequent test that doesn't prime can't inherit stale state.
151
+ // Explicit `setViteManifest` calls still win because they happen after
152
+ // construction.
153
+ if (pendingBuildManifest) {
154
+ this.setViteManifest(pendingBuildManifest);
155
+ pendingBuildManifest = null;
156
+ }
96
157
  }
97
158
  use(pathOrHandler, ...handlers) {
98
159
  // Branching is load-bearing: Express's `app.use` overloads can't be
@@ -165,10 +226,47 @@ export class McpServer extends McpServerBaseOmitted {
165
226
  return result;
166
227
  },
167
228
  };
229
+ // Resolve a view's `resources/read` by its query-less path so the
230
+ // underlying asset is served no matter the `?v=` value (stale cache key,
231
+ // no param, etc.). The version param is a cache-busting hint for external
232
+ // consumers; it must not gate resolution. We rewrite the lookup URI to the
233
+ // canonical registered one, then restore the requested URI on the response
234
+ // so the consumer-facing URI is never rewritten.
235
+ const viewReadResolveEntry = {
236
+ filter: "resources/read",
237
+ handler: async (req, _extra, next) => {
238
+ const requested = req.params.uri;
239
+ if (typeof requested !== "string") {
240
+ return next();
241
+ }
242
+ const path = stripQuery(requested);
243
+ const canonical = this.viewUriByPath.get(path);
244
+ if (!canonical) {
245
+ return next();
246
+ }
247
+ req.params.uri = canonical;
248
+ try {
249
+ const result = (await next());
250
+ for (const content of result.contents ?? []) {
251
+ if (typeof content.uri === "string" &&
252
+ stripQuery(content.uri) === stripQuery(canonical)) {
253
+ content.uri = requested;
254
+ }
255
+ }
256
+ return result;
257
+ }
258
+ finally {
259
+ // Restore the shared request params so middleware outer to us never
260
+ // observes the rewritten lookup URI after next() unwinds.
261
+ req.params.uri = requested;
262
+ }
263
+ },
264
+ };
168
265
  const monitoringEntry = createMiddlewareEntry();
169
266
  const entries = [
170
267
  ...(monitoringEntry ? [monitoringEntry] : []),
171
268
  viewListMetaEntry,
269
+ viewReadResolveEntry,
172
270
  ...this.mcpMiddlewareEntries,
173
271
  ];
174
272
  if (entries.length === 0) {
@@ -224,10 +322,24 @@ export class McpServer extends McpServerBaseOmitted {
224
322
  *
225
323
  * On Cloudflare Workers / workerd, returns an object exposing `fetch` so
226
324
  * the runtime can bridge incoming requests to the Node HTTP server. On
325
+ * Vercel (`VERCEL === "1"`), returns the Express app directly so the
326
+ * serverless function entry can call it as a `(req, res)` handler. On
227
327
  * Node, returns `undefined` once listening.
228
328
  */
229
329
  async run() {
230
330
  this.applyMcpMiddleware();
331
+ if (process.env.VERCEL === "1") {
332
+ // createApp only reads httpServer inside its dev-only branch
333
+ // (viewsDevServer); under VERCEL=1 + NODE_ENV=production it's a
334
+ // bare object passed to satisfy the required parameter.
335
+ const httpServer = http.createServer();
336
+ await createApp({
337
+ mcpServer: this,
338
+ httpServer,
339
+ errorMiddleware: this.customErrorMiddleware,
340
+ });
341
+ return this.express;
342
+ }
231
343
  const httpServer = http.createServer();
232
344
  await createApp({
233
345
  mcpServer: this,
@@ -283,27 +395,12 @@ export class McpServer extends McpServerBaseOmitted {
283
395
  return Array.isArray(val) ? val[0] : val;
284
396
  };
285
397
  const isClaude = header("user-agent") === "Claude-User";
286
- let serverUrl;
287
- const forwardedHost = header("x-forwarded-host");
288
- const origin = header("origin");
289
- const host = header("host");
290
- if (forwardedHost) {
291
- const proto = header("x-forwarded-proto") || "https";
292
- serverUrl = `${proto}://${forwardedHost}`;
293
- }
294
- else if (origin) {
295
- serverUrl = origin;
296
- }
297
- else if (host) {
298
- const proto = ["127.0.0.1:", "localhost:"].some((p) => host.startsWith(p))
299
- ? "http"
300
- : "https";
301
- serverUrl = `${proto}://${host}`;
302
- }
303
- else {
304
- const devPort = process.env.__PORT || "3000";
305
- serverUrl = `http://localhost:${devPort}`;
306
- }
398
+ const serverUrl = resolveServerOrigin(header);
399
+ // Path prefix the proxy routed this request under (e.g. `foo.com/v1`). Read
400
+ // per-request so one process can serve many hosts/prefixes at once: the
401
+ // origin is recovered from x-forwarded-host, the prefix from
402
+ // x-forwarded-prefix. Empty when served at the origin root.
403
+ const assetsBasePath = normalizeForwardedPrefix(header("x-forwarded-prefix"));
307
404
  const connectDomains = [serverUrl];
308
405
  if (!isProduction) {
309
406
  const wsUrl = new URL(serverUrl);
@@ -324,114 +421,77 @@ export class McpServer extends McpServerBaseOmitted {
324
421
  .slice(0, 32);
325
422
  contentMetaOverrides = { domain: `${hash}.claudemcpcontent.com` };
326
423
  }
327
- return { serverUrl, connectDomains, contentMetaOverrides };
424
+ return { serverUrl, assetsBasePath, connectDomains, contentMetaOverrides };
328
425
  }
329
426
  registerViewResources(toolName, view, toolMeta) {
330
- const hosts = view.hosts ?? ["apps-sdk", "mcp-app"];
331
427
  // Append a content-derived version param so hosts (e.g. ChatGPT) bust
332
428
  // their cache when the bundle changes, but keep the URI stable across
333
429
  // `tools/list` calls when the bundle hasn't changed.
334
430
  const versionParam = this.computeViewVersionParam(view.component);
335
- if (hosts.includes("apps-sdk")) {
336
- const viewResource = {
337
- hostType: "apps-sdk",
338
- uri: `ui://views/apps-sdk/${view.component}.html${versionParam}`,
339
- mimeType: "text/html+skybridge",
340
- buildContentMeta: ({ resourceDomains, connectDomains, domain }, overrides) => {
341
- const defaults = {
342
- "openai/widgetCSP": {
343
- resource_domains: resourceDomains,
344
- connect_domains: connectDomains,
345
- },
346
- "openai/widgetDomain": domain,
347
- "openai/widgetDescription": view.description,
348
- };
349
- const fromView = {
350
- "openai/widgetCSP": {
351
- resource_domains: view.csp?.resourceDomains,
352
- connect_domains: view.csp?.connectDomains,
353
- frame_domains: view.csp?.frameDomains,
354
- redirect_domains: view.csp?.redirectDomains,
355
- },
356
- "openai/widgetDomain": view.domain,
357
- "openai/widgetPrefersBorder": view.prefersBorder,
358
- };
359
- const base = mergeWithUnion(mergeWithUnion(defaults, fromView), {
360
- "openai/widgetDomain": overrides.domain,
361
- });
362
- if (view._meta) {
363
- return { ...base, ...view._meta };
364
- }
365
- return base;
366
- },
367
- };
368
- this.registerViewResource({
369
- name: toolName,
370
- viewResource,
371
- view,
372
- });
373
- toolMeta["openai/outputTemplate"] = viewResource.uri;
374
- }
375
- if (hosts.includes("mcp-app")) {
376
- const viewResource = {
377
- hostType: "mcp-app",
378
- uri: `ui://views/ext-apps/${view.component}.html${versionParam}`,
379
- mimeType: "text/html;profile=mcp-app",
380
- buildContentMeta: ({ resourceDomains, connectDomains, domain, baseUriDomains }, overrides) => {
381
- const defaults = {
382
- ui: {
383
- csp: {
384
- resourceDomains,
385
- connectDomains,
386
- baseUriDomains,
387
- },
388
- domain,
431
+ const viewResource = {
432
+ hostType: "mcp-app",
433
+ uri: `ui://views/ext-apps/${view.component}.html${versionParam}`,
434
+ mimeType: "text/html;profile=mcp-app",
435
+ buildContentMeta: ({ resourceDomains, connectDomains, domain, baseUriDomains }, overrides) => {
436
+ const defaults = {
437
+ ui: {
438
+ csp: {
439
+ resourceDomains,
440
+ connectDomains,
441
+ baseUriDomains,
389
442
  },
390
- };
391
- const fromView = {
392
- ui: {
393
- ...(view.description && { description: view.description }),
394
- ...(view.prefersBorder !== undefined && {
395
- prefersBorder: view.prefersBorder,
443
+ domain,
444
+ },
445
+ };
446
+ const fromView = {
447
+ ui: {
448
+ ...(view.description && { description: view.description }),
449
+ ...(view.prefersBorder !== undefined && {
450
+ prefersBorder: view.prefersBorder,
451
+ }),
452
+ ...(view.domain && { domain: view.domain }),
453
+ csp: {
454
+ ...(view.csp?.resourceDomains && {
455
+ resourceDomains: view.csp.resourceDomains,
456
+ }),
457
+ ...(view.csp?.connectDomains && {
458
+ connectDomains: view.csp.connectDomains,
459
+ }),
460
+ ...(view.csp?.frameDomains && {
461
+ frameDomains: view.csp.frameDomains,
462
+ }),
463
+ ...(view.csp?.baseUriDomains && {
464
+ baseUriDomains: view.csp.baseUriDomains,
396
465
  }),
397
- ...(view.domain && { domain: view.domain }),
398
- csp: {
399
- ...(view.csp?.resourceDomains && {
400
- resourceDomains: view.csp.resourceDomains,
401
- }),
402
- ...(view.csp?.connectDomains && {
403
- connectDomains: view.csp.connectDomains,
404
- }),
405
- ...(view.csp?.frameDomains && {
406
- frameDomains: view.csp.frameDomains,
407
- }),
408
- ...(view.csp?.baseUriDomains && {
409
- baseUriDomains: view.csp.baseUriDomains,
410
- }),
411
- ...(view.csp?.redirectDomains && {
412
- redirectDomains: view.csp.redirectDomains,
413
- }),
414
- },
415
466
  },
416
- };
417
- const base = mergeWithUnion(mergeWithUnion(defaults, fromView), {
418
- ui: overrides,
419
- });
420
- if (view._meta) {
421
- return { ...base, ...view._meta };
422
- }
423
- return base;
424
- },
425
- };
426
- this.registerViewResource({
427
- name: toolName,
428
- viewResource,
429
- view,
430
- });
431
- // @ts-expect-error - For backwards compatibility with Claude current implementation of the specs
432
- toolMeta["ui/resourceUri"] = viewResource.uri;
433
- toolMeta.ui = { ...toolMeta.ui, resourceUri: viewResource.uri };
434
- }
467
+ },
468
+ };
469
+ const ui = mergeWithUnion(mergeWithUnion(defaults, fromView), {
470
+ ui: overrides,
471
+ });
472
+ const base = {
473
+ ...ui,
474
+ ...(view.description && {
475
+ "openai/widgetDescription": view.description,
476
+ }),
477
+ ...(view.csp?.redirectDomains && {
478
+ "openai/widgetCSP": { redirect_domains: view.csp.redirectDomains },
479
+ }),
480
+ };
481
+ if (view._meta) {
482
+ return { ...base, ...view._meta };
483
+ }
484
+ return base;
485
+ },
486
+ };
487
+ this.registerViewResource({ name: toolName, viewResource, view });
488
+ // Advertise via the MCP Apps standard pointer only — ChatGPT renders from
489
+ // ui.resourceUri (verified), and not emitting openai/outputTemplate lets us
490
+ // retire the legacy apps-sdk resource later. The legacy apps-sdk URL is still
491
+ // served (see registerViewResource) so already-published apps keep resolving.
492
+ // @ts-expect-error - For backwards compatibility with Claude current implementation of the specs
493
+ toolMeta["ui/resourceUri"] = viewResource.uri;
494
+ toolMeta.ui = { ...toolMeta.ui, resourceUri: viewResource.uri };
435
495
  }
436
496
  registerViewResource({ name, viewResource, view, }) {
437
497
  const { hostType, uri: viewUri, mimeType, buildContentMeta } = viewResource;
@@ -445,19 +505,25 @@ export class McpServer extends McpServerBaseOmitted {
445
505
  }, contentMetaOverrides);
446
506
  };
447
507
  this.viewMetaBuilders.set(viewUri, buildMeta);
508
+ this.viewUriByPath.set(stripQuery(viewUri), viewUri);
509
+ this.serveLegacyAppsSdkUrl(view.component, viewUri);
448
510
  this.registerResource(name, viewUri, { description: view.description }, async (uri, extra) => {
449
511
  const isProduction = process.env.NODE_ENV === "production";
450
- const { serverUrl } = this.resolveViewRequestContext(extra);
512
+ const { serverUrl, assetsBasePath } = this.resolveViewRequestContext(extra);
513
+ // The view resolves all assets (template imports + runtime lazy chunks
514
+ // via `window.skybridge.serverUrl`) against this base, so it carries the
515
+ // proxy path prefix. CSP domains in `buildMeta` stay the bare origin.
516
+ const viewBase = `${serverUrl}${assetsBasePath}`;
451
517
  const html = isProduction
452
518
  ? templateHelper.renderProduction({
453
519
  hostType,
454
- serverUrl,
520
+ serverUrl: viewBase,
455
521
  viewFile: this.lookupViewFile(view.component),
456
522
  styleFile: this.lookupDistFile("style.css") ?? "",
457
523
  })
458
524
  : templateHelper.renderDevelopment({
459
525
  hostType,
460
- serverUrl,
526
+ serverUrl: viewBase,
461
527
  viewName: view.component,
462
528
  });
463
529
  return {
@@ -467,6 +533,11 @@ export class McpServer extends McpServerBaseOmitted {
467
533
  };
468
534
  });
469
535
  }
536
+ serveLegacyAppsSdkUrl(component, canonicalUri) {
537
+ this.viewUriByPath.set(`ui://views/apps-sdk/${component}.html`, canonicalUri);
538
+ this.viewUriByPath.set(`ui://widgets/apps-sdk/${component}.html`, canonicalUri);
539
+ this.viewUriByPath.set(`ui://widgets/ext-apps/${component}.html`, canonicalUri);
540
+ }
470
541
  wrapHandler(cb, { attachViewUUID }) {
471
542
  return async (args, extra) => {
472
543
  const result = await cb(args, extra);