skybridge 0.0.0-dev.fc2b815 → 0.0.0-dev.fc2ea93

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (186) hide show
  1. package/dist/cli/build-helpers.d.ts +7 -0
  2. package/dist/cli/build-helpers.js +82 -0
  3. package/dist/cli/build-helpers.js.map +1 -0
  4. package/dist/cli/build-helpers.test.d.ts +1 -0
  5. package/dist/cli/build-helpers.test.js +64 -0
  6. package/dist/cli/build-helpers.test.js.map +1 -0
  7. package/dist/cli/detect-port.d.ts +2 -2
  8. package/dist/cli/detect-port.js +9 -20
  9. package/dist/cli/detect-port.js.map +1 -1
  10. package/dist/cli/resolve-views-dir.d.ts +1 -0
  11. package/dist/cli/resolve-views-dir.js +17 -0
  12. package/dist/cli/resolve-views-dir.js.map +1 -0
  13. package/dist/commands/build.d.ts +0 -1
  14. package/dist/commands/build.js +18 -30
  15. package/dist/commands/build.js.map +1 -1
  16. package/dist/commands/dev.js +16 -0
  17. package/dist/commands/dev.js.map +1 -1
  18. package/dist/commands/start.js +7 -1
  19. package/dist/commands/start.js.map +1 -1
  20. package/dist/server/auth/discovery.d.ts +32 -0
  21. package/dist/server/auth/discovery.js +56 -0
  22. package/dist/server/auth/discovery.js.map +1 -0
  23. package/dist/server/auth/discovery.test.d.ts +1 -0
  24. package/dist/server/auth/discovery.test.js +93 -0
  25. package/dist/server/auth/discovery.test.js.map +1 -0
  26. package/dist/server/auth/index.d.ts +18 -0
  27. package/dist/server/auth/index.js +2 -0
  28. package/dist/server/auth/index.js.map +1 -0
  29. package/dist/server/auth/providers/auth0.d.ts +18 -0
  30. package/dist/server/auth/providers/auth0.js +31 -0
  31. package/dist/server/auth/providers/auth0.js.map +1 -0
  32. package/dist/server/auth/providers/auth0.test.d.ts +1 -0
  33. package/dist/server/auth/providers/auth0.test.js +48 -0
  34. package/dist/server/auth/providers/auth0.test.js.map +1 -0
  35. package/dist/server/auth/providers/clerk.d.ts +14 -0
  36. package/dist/server/auth/providers/clerk.js +16 -0
  37. package/dist/server/auth/providers/clerk.js.map +1 -0
  38. package/dist/server/auth/providers/clerk.test.d.ts +1 -0
  39. package/dist/server/auth/providers/clerk.test.js +28 -0
  40. package/dist/server/auth/providers/clerk.test.js.map +1 -0
  41. package/dist/server/auth/providers/custom.d.ts +24 -0
  42. package/dist/server/auth/providers/custom.js +37 -0
  43. package/dist/server/auth/providers/custom.js.map +1 -0
  44. package/dist/server/auth/providers/custom.test.d.ts +1 -0
  45. package/dist/server/auth/providers/custom.test.js +107 -0
  46. package/dist/server/auth/providers/custom.test.js.map +1 -0
  47. package/dist/server/auth/providers/descope.d.ts +15 -0
  48. package/dist/server/auth/providers/descope.js +33 -0
  49. package/dist/server/auth/providers/descope.js.map +1 -0
  50. package/dist/server/auth/providers/descope.test.d.ts +1 -0
  51. package/dist/server/auth/providers/descope.test.js +37 -0
  52. package/dist/server/auth/providers/descope.test.js.map +1 -0
  53. package/dist/server/auth/providers/shared.d.ts +2 -0
  54. package/dist/server/auth/providers/shared.js +6 -0
  55. package/dist/server/auth/providers/shared.js.map +1 -0
  56. package/dist/server/auth/providers/shared.test.d.ts +1 -0
  57. package/dist/server/auth/providers/shared.test.js +10 -0
  58. package/dist/server/auth/providers/shared.test.js.map +1 -0
  59. package/dist/server/auth/providers/stytch.d.ts +12 -0
  60. package/dist/server/auth/providers/stytch.js +13 -0
  61. package/dist/server/auth/providers/stytch.js.map +1 -0
  62. package/dist/server/auth/providers/workos.d.ts +11 -0
  63. package/dist/server/auth/providers/workos.js +12 -0
  64. package/dist/server/auth/providers/workos.js.map +1 -0
  65. package/dist/server/auth/setup.d.ts +4 -0
  66. package/dist/server/auth/setup.js +51 -0
  67. package/dist/server/auth/setup.js.map +1 -0
  68. package/dist/server/auth/setup.test.d.ts +1 -0
  69. package/dist/server/auth/setup.test.js +185 -0
  70. package/dist/server/auth/setup.test.js.map +1 -0
  71. package/dist/server/auth/verify.d.ts +12 -0
  72. package/dist/server/auth/verify.js +38 -0
  73. package/dist/server/auth/verify.js.map +1 -0
  74. package/dist/server/auth/verify.test.d.ts +1 -0
  75. package/dist/server/auth/verify.test.js +100 -0
  76. package/dist/server/auth/verify.test.js.map +1 -0
  77. package/dist/server/build-manifest.test.d.ts +1 -0
  78. package/dist/server/build-manifest.test.js +27 -0
  79. package/dist/server/build-manifest.test.js.map +1 -0
  80. package/dist/server/express.test.js +61 -0
  81. package/dist/server/express.test.js.map +1 -1
  82. package/dist/server/index.d.ts +9 -2
  83. package/dist/server/index.js +7 -1
  84. package/dist/server/index.js.map +1 -1
  85. package/dist/server/requestOrigin.d.ts +7 -0
  86. package/dist/server/requestOrigin.js +25 -0
  87. package/dist/server/requestOrigin.js.map +1 -0
  88. package/dist/server/server.d.ts +56 -35
  89. package/dist/server/server.js +171 -122
  90. package/dist/server/server.js.map +1 -1
  91. package/dist/server/view-name.test-d.d.ts +1 -0
  92. package/dist/server/view-name.test-d.js +8 -0
  93. package/dist/server/view-name.test-d.js.map +1 -0
  94. package/dist/server/view-resource-resolution.test.d.ts +6 -0
  95. package/dist/server/view-resource-resolution.test.js +103 -0
  96. package/dist/server/view-resource-resolution.test.js.map +1 -0
  97. package/dist/test/view.test.js +69 -101
  98. package/dist/test/view.test.js.map +1 -1
  99. package/dist/web/bridges/adaptor.d.ts +51 -0
  100. package/dist/web/bridges/adaptor.js +310 -0
  101. package/dist/web/bridges/adaptor.js.map +1 -0
  102. package/dist/web/bridges/adaptor.test.d.ts +1 -0
  103. package/dist/web/bridges/adaptor.test.js +197 -0
  104. package/dist/web/bridges/adaptor.test.js.map +1 -0
  105. package/dist/web/bridges/apps-sdk/bridge.d.ts +6 -2
  106. package/dist/web/bridges/apps-sdk/bridge.js +15 -4
  107. package/dist/web/bridges/apps-sdk/bridge.js.map +1 -1
  108. package/dist/web/bridges/apps-sdk/index.d.ts +0 -1
  109. package/dist/web/bridges/apps-sdk/index.js +0 -1
  110. package/dist/web/bridges/apps-sdk/index.js.map +1 -1
  111. package/dist/web/bridges/get-adaptor.d.ts +4 -4
  112. package/dist/web/bridges/get-adaptor.js +6 -11
  113. package/dist/web/bridges/get-adaptor.js.map +1 -1
  114. package/dist/web/bridges/get-adaptor.test.d.ts +1 -0
  115. package/dist/web/bridges/get-adaptor.test.js +32 -0
  116. package/dist/web/bridges/get-adaptor.test.js.map +1 -0
  117. package/dist/web/bridges/mcp-app/bridge.d.ts +15 -3
  118. package/dist/web/bridges/mcp-app/bridge.js +68 -5
  119. package/dist/web/bridges/mcp-app/bridge.js.map +1 -1
  120. package/dist/web/bridges/mcp-app/bridge.test.d.ts +1 -0
  121. package/dist/web/bridges/mcp-app/bridge.test.js +17 -0
  122. package/dist/web/bridges/mcp-app/bridge.test.js.map +1 -0
  123. package/dist/web/bridges/mcp-app/index.d.ts +0 -1
  124. package/dist/web/bridges/mcp-app/index.js +0 -1
  125. package/dist/web/bridges/mcp-app/index.js.map +1 -1
  126. package/dist/web/bridges/mcp-app/view-tools.test.d.ts +1 -0
  127. package/dist/web/bridges/mcp-app/view-tools.test.js +143 -0
  128. package/dist/web/bridges/mcp-app/view-tools.test.js.map +1 -0
  129. package/dist/web/bridges/types.d.ts +44 -1
  130. package/dist/web/bridges/types.js +14 -1
  131. package/dist/web/bridges/types.js.map +1 -1
  132. package/dist/web/bridges/types.test.d.ts +1 -0
  133. package/dist/web/bridges/types.test.js +19 -0
  134. package/dist/web/bridges/types.test.js.map +1 -0
  135. package/dist/web/components/modal-provider.js +4 -3
  136. package/dist/web/components/modal-provider.js.map +1 -1
  137. package/dist/web/create-store.test.js +8 -5
  138. package/dist/web/create-store.test.js.map +1 -1
  139. package/dist/web/data-llm.test.js +9 -5
  140. package/dist/web/data-llm.test.js.map +1 -1
  141. package/dist/web/generate-helpers.test-d.js +4 -2
  142. package/dist/web/generate-helpers.test-d.js.map +1 -1
  143. package/dist/web/hooks/index.d.ts +1 -0
  144. package/dist/web/hooks/index.js +1 -0
  145. package/dist/web/hooks/index.js.map +1 -1
  146. package/dist/web/hooks/use-call-tool.test.js +37 -23
  147. package/dist/web/hooks/use-call-tool.test.js.map +1 -1
  148. package/dist/web/hooks/use-display-mode.test.js +56 -20
  149. package/dist/web/hooks/use-display-mode.test.js.map +1 -1
  150. package/dist/web/hooks/use-download.test.js +11 -3
  151. package/dist/web/hooks/use-download.test.js.map +1 -1
  152. package/dist/web/hooks/use-files.test.js +10 -2
  153. package/dist/web/hooks/use-files.test.js.map +1 -1
  154. package/dist/web/hooks/use-layout.test.js +59 -26
  155. package/dist/web/hooks/use-layout.test.js.map +1 -1
  156. package/dist/web/hooks/use-open-external.test.js +13 -3
  157. package/dist/web/hooks/use-open-external.test.js.map +1 -1
  158. package/dist/web/hooks/use-register-view-tool.d.ts +38 -0
  159. package/dist/web/hooks/use-register-view-tool.js +50 -0
  160. package/dist/web/hooks/use-register-view-tool.js.map +1 -0
  161. package/dist/web/hooks/use-request-close.test.js +35 -40
  162. package/dist/web/hooks/use-request-close.test.js.map +1 -1
  163. package/dist/web/hooks/use-request-modal.test.js +10 -0
  164. package/dist/web/hooks/use-request-modal.test.js.map +1 -1
  165. package/dist/web/hooks/use-request-size.test.js +35 -53
  166. package/dist/web/hooks/use-request-size.test.js.map +1 -1
  167. package/dist/web/hooks/use-set-open-in-app-url.test.js +28 -8
  168. package/dist/web/hooks/use-set-open-in-app-url.test.js.map +1 -1
  169. package/dist/web/hooks/use-tool-info.d.ts +25 -7
  170. package/dist/web/hooks/use-tool-info.js +5 -8
  171. package/dist/web/hooks/use-tool-info.js.map +1 -1
  172. package/dist/web/hooks/use-tool-info.test-d.js +11 -29
  173. package/dist/web/hooks/use-tool-info.test-d.js.map +1 -1
  174. package/dist/web/hooks/use-tool-info.test.js +42 -32
  175. package/dist/web/hooks/use-tool-info.test.js.map +1 -1
  176. package/dist/web/hooks/use-user.test.js +81 -35
  177. package/dist/web/hooks/use-user.test.js.map +1 -1
  178. package/dist/web/hooks/use-view-state.test.js +6 -2
  179. package/dist/web/hooks/use-view-state.test.js.map +1 -1
  180. package/package.json +20 -17
  181. package/dist/web/bridges/apps-sdk/adaptor.d.ts +0 -28
  182. package/dist/web/bridges/apps-sdk/adaptor.js +0 -113
  183. package/dist/web/bridges/apps-sdk/adaptor.js.map +0 -1
  184. package/dist/web/bridges/mcp-app/adaptor.d.ts +0 -52
  185. package/dist/web/bridges/mcp-app/adaptor.js +0 -280
  186. package/dist/web/bridges/mcp-app/adaptor.js.map +0 -1
@@ -0,0 +1,25 @@
1
+ /**
2
+ * Resolves this server's public origin from request headers, in precedence
3
+ * `x-forwarded-host` → `host` → localhost dev fallback. Shared by view serving
4
+ * and OAuth metadata so the two can't drift. `Origin` is deliberately ignored:
5
+ * it carries the *caller's* site, not this server's.
6
+ */
7
+ export function resolveServerOrigin(header) {
8
+ // Proxies may send X-Forwarded-* as a comma-separated chain; the client-facing
9
+ // hop is the first entry.
10
+ const firstHop = (value) => value?.split(",")[0]?.trim();
11
+ const forwardedHost = firstHop(header("x-forwarded-host"));
12
+ if (forwardedHost) {
13
+ const proto = firstHop(header("x-forwarded-proto")) || "https";
14
+ return `${proto}://${forwardedHost}`;
15
+ }
16
+ const host = header("host");
17
+ if (host) {
18
+ const proto = ["127.0.0.1:", "localhost:"].some((p) => host.startsWith(p))
19
+ ? "http"
20
+ : "https";
21
+ return `${proto}://${host}`;
22
+ }
23
+ return `http://localhost:${process.env.__PORT || "3000"}`;
24
+ }
25
+ //# sourceMappingURL=requestOrigin.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"requestOrigin.js","sourceRoot":"","sources":["../../src/server/requestOrigin.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAA2C;IAE3C,+EAA+E;IAC/E,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,CAAC,KAAyB,EAAE,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;IAC7E,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAC3D,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC,IAAI,OAAO,CAAC;QAC/D,OAAO,GAAG,KAAK,MAAM,aAAa,EAAE,CAAC;IACvC,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,KAAK,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACxE,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,OAAO,CAAC;QACZ,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IAC9B,CAAC;IACD,OAAO,oBAAoB,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,MAAM,EAAE,CAAC;AAC5D,CAAC","sourcesContent":["/**\n * Resolves this server's public origin from request headers, in precedence\n * `x-forwarded-host` → `host` → localhost dev fallback. Shared by view serving\n * and OAuth metadata so the two can't drift. `Origin` is deliberately ignored:\n * it carries the *caller's* site, not this server's.\n */\nexport function resolveServerOrigin(\n header: (key: string) => string | undefined,\n): string {\n // Proxies may send X-Forwarded-* as a comma-separated chain; the client-facing\n // hop is the first entry.\n const firstHop = (value: string | undefined) => value?.split(\",\")[0]?.trim();\n const forwardedHost = firstHop(header(\"x-forwarded-host\"));\n if (forwardedHost) {\n const proto = firstHop(header(\"x-forwarded-proto\")) || \"https\";\n return `${proto}://${forwardedHost}`;\n }\n const host = header(\"host\");\n if (host) {\n const proto = [\"127.0.0.1:\", \"localhost:\"].some((p) => host.startsWith(p))\n ? \"http\"\n : \"https\";\n return `${proto}://${host}`;\n }\n return `http://localhost:${process.env.__PORT || \"3000\"}`;\n}\n"]}
@@ -4,7 +4,8 @@ import { McpServer as McpServerBase } from "@modelcontextprotocol/sdk/server/mcp
4
4
  import type { AnySchema, SchemaOutput, ZodRawShapeCompat } from "@modelcontextprotocol/sdk/server/zod-compat.js";
5
5
  import type { RequestHandlerExtra } from "@modelcontextprotocol/sdk/shared/protocol.js";
6
6
  import type { ContentBlock, Implementation, RequestMeta, ServerNotification, ServerRequest, ServerResult, ToolAnnotations } from "@modelcontextprotocol/sdk/types.js";
7
- import { type ErrorRequestHandler, type Express, type RequestHandler } from "express";
7
+ import express, { type ErrorRequestHandler, type Express, type RequestHandler } from "express";
8
+ import type { OAuthConfig } from "./auth/index.js";
8
9
  import type { McpExtra, McpExtraFor, McpMethodString, McpMiddlewareFilter, McpMiddlewareFn, McpResultFor, McpTypedMiddlewareFn, McpWildcard } from "./middleware.js";
9
10
  /**
10
11
  * Type marker for a registered tool — carries its input, output, and response
@@ -18,7 +19,11 @@ export type ToolDef<TInput = unknown, TOutput = unknown, TResponseMetadata = unk
18
19
  output: TOutput;
19
20
  responseMetadata: TResponseMetadata;
20
21
  };
21
- /** Which host runtime a view targets — `"apps-sdk"` (ChatGPT) or `"mcp-app"` (MCP Apps spec). */
22
+ /**
23
+ * @deprecated Views now always emit a single ext-apps resource; host targeting
24
+ * no longer applies. Retained for backwards compatibility; will be removed in a
25
+ * future major.
26
+ */
22
27
  export type ViewHostType = "apps-sdk" | "mcp-app";
23
28
  /**
24
29
  * Content Security Policy origins attached to a view's resource. Each list is
@@ -44,8 +49,16 @@ export interface ViewCsp {
44
49
  */
45
50
  export interface ViewNameRegistry {
46
51
  }
52
+ /**
53
+ * Resolve view component names from a registry: the union of its keys, or
54
+ * `string` when the registry is empty. The empty case happens before
55
+ * `.skybridge/views.d.ts` is generated; falling back to `string` keeps valid
56
+ * view names from erroring on a fresh checkout, and narrowing kicks in once
57
+ * the generated file augments the registry.
58
+ */
59
+ export type ViewNameFor<Registry> = [keyof Registry & string] extends [never] ? string : keyof Registry & string;
47
60
  /** Union of valid view component names. Narrowed by {@link ViewNameRegistry}. */
48
- export type ViewName = keyof ViewNameRegistry & string;
61
+ export type ViewName = ViewNameFor<ViewNameRegistry>;
49
62
  /**
50
63
  * Pass under `view` in a tool's `registerTool` config to render the tool's
51
64
  * result through a Skybridge view instead of a plain text response.
@@ -55,11 +68,14 @@ export interface ViewConfig {
55
68
  component: ViewName;
56
69
  /** Human-readable label the host may show alongside the view. */
57
70
  description?: string;
58
- /** Restrict where the view is rendered. Defaults to all known hosts. */
71
+ /**
72
+ * @deprecated No-op. Every view emits a single ext-apps resource regardless
73
+ * of this value. Will be removed in a future major.
74
+ */
59
75
  hosts?: ViewHostType[];
60
- /** Apps SDK only: request a visible border around the widget. */
76
+ /** Request a visible border around the view (forwarded as `ui.prefersBorder`). */
61
77
  prefersBorder?: boolean;
62
- /** Apps SDK only: override the iframe's served domain (advanced). */
78
+ /** Override the iframe's served domain (advanced; forwarded as `ui.domain`). */
63
79
  domain?: string;
64
80
  /** Per-view CSP overrides — see {@link ViewCsp}. */
65
81
  csp?: ViewCsp;
@@ -72,6 +88,18 @@ export type SecurityScheme = {
72
88
  type: "oauth2";
73
89
  scopes?: string[];
74
90
  };
91
+ /**
92
+ * Options forwarded to the built-in `express.json()` body parser. Derived
93
+ * from Express's own types so the public API doesn't depend on `body-parser`.
94
+ */
95
+ export type JsonOptions = NonNullable<Parameters<typeof express.json>[0]>;
96
+ /** Skybridge-specific server options, passed as the third `McpServer` constructor argument. */
97
+ export interface SkybridgeServerOptions {
98
+ /** Options for the built-in `express.json()` middleware, e.g. `{ limit: "10mb" }`. */
99
+ json?: JsonOptions;
100
+ /** Resource-server OAuth config. When set, mounts well-known metadata and bearer auth on `/mcp`. */
101
+ oauth?: OAuthConfig;
102
+ }
75
103
  /**
76
104
  * Well-known keys recognized by host runtimes when set on a tool's `_meta`.
77
105
  * Use {@link ToolMeta} to also pass arbitrary custom metadata alongside these.
@@ -199,34 +227,15 @@ interface McpServerBaseOmitted extends Omit<McpServerBase, "registerTool" | "con
199
227
  }
200
228
  declare const McpServerBaseOmitted: new (...args: ConstructorParameters<typeof McpServerBase>) => McpServerBaseOmitted;
201
229
  /**
202
- * The Skybridge server. Extends the MCP SDK's `McpServer` with a typed tool
203
- * registry, view resources, an embedded Express app, and protocol-level
204
- * middleware. Construct it with the same `Implementation` info you would pass
205
- * to the SDK, chain {@link McpServer.registerTool} calls to declare tools,
206
- * then call {@link McpServer.run} to start the HTTP server.
207
- *
208
- * The `TTools` generic accumulates each registered tool's input/output/meta
209
- * shape, so `typeof server` carries enough information for view-side helpers
210
- * like {@link generateHelpers} to produce fully-typed hooks.
211
- *
212
- * @typeParam TTools - Accumulated tool registry. Filled in by `registerTool`
213
- * chaining; you almost never set this manually.
214
- *
215
- * @example
216
- * ```ts
217
- * const server = new McpServer({ name: "my-app", version: "1.0.0" }, {})
218
- * .registerTool({
219
- * name: "search",
220
- * inputSchema: { query: z.string() },
221
- * view: { component: "search" },
222
- * }, async ({ query }) => ({ content: `Results for ${query}` }));
230
+ * Prime the build-time Vite manifest before user code constructs its
231
+ * `McpServer`. Called from the generated `dist/__entry.js`; not part of the
232
+ * user-facing API.
223
233
  *
224
- * await server.run();
225
- * export type AppType = typeof server;
226
- * ```
227
- *
228
- * @see https://docs.skybridge.tech/api-reference/mcp-server
234
+ * @internal
229
235
  */
236
+ export declare function __setBuildManifest(manifest: Record<string, {
237
+ file: string;
238
+ }>): void;
230
239
  export declare class McpServer<TTools extends Record<string, ToolDef> = Record<never, ToolDef>> extends McpServerBaseOmitted {
231
240
  readonly $types: McpServerTypes<TTools>;
232
241
  /**
@@ -234,7 +243,9 @@ export declare class McpServer<TTools extends Record<string, ToolDef> = Record<n
234
243
  * custom routes, middleware, or settings — e.g.
235
244
  * `server.express.get("/health", ...)`.
236
245
  *
237
- * `express.json()` is pre-applied. Register your handlers before `run()`;
246
+ * `express.json()` is pre-applied tune it via the constructor's third
247
+ * argument, e.g. `new McpServer(info, {}, { json: { limit: "10mb" } })`.
248
+ * Register your handlers before `run()`;
238
249
  * after `run()`, dev-mode middleware, the `/mcp` route, and the default
239
250
  * error handler are appended in that order.
240
251
  *
@@ -247,10 +258,17 @@ export declare class McpServer<TTools extends Record<string, ToolDef> = Record<n
247
258
  private mcpMiddlewareApplied;
248
259
  private claimedViews;
249
260
  private viewMetaBuilders;
261
+ /**
262
+ * Maps a view resource's query-less path to its canonical registered URI
263
+ * (the one carrying the `?v=` cache key). Lets `resources/read` resolve the
264
+ * underlying view no matter which version param the consumer sends, since
265
+ * the param is only a cache key, not part of the resource's identity.
266
+ */
267
+ private viewUriByPath;
250
268
  private viteManifest;
251
269
  private readonly serverInfo;
252
270
  private readonly serverOptions?;
253
- constructor(serverInfo: Implementation, options?: ServerOptions);
271
+ constructor(serverInfo: Implementation, options?: ServerOptions, skybridgeOptions?: SkybridgeServerOptions);
254
272
  /**
255
273
  * Register Express middleware on the underlying app. Mirrors `app.use` —
256
274
  * pass handlers directly or a path-prefixed handler list. Register before
@@ -336,15 +354,18 @@ export declare class McpServer<TTools extends Record<string, ToolDef> = Record<n
336
354
  *
337
355
  * On Cloudflare Workers / workerd, returns an object exposing `fetch` so
338
356
  * the runtime can bridge incoming requests to the Node HTTP server. On
357
+ * Vercel (`VERCEL === "1"`), returns the Express app directly so the
358
+ * serverless function entry can call it as a `(req, res)` handler. On
339
359
  * Node, returns `undefined` once listening.
340
360
  */
341
361
  run(): Promise<{
342
362
  fetch: (...args: unknown[]) => unknown;
343
- } | undefined>;
363
+ } | Express | undefined>;
344
364
  private enforceOneToolPerView;
345
365
  private resolveViewRequestContext;
346
366
  private registerViewResources;
347
367
  private registerViewResource;
368
+ private serveLegacyAppsSdkUrl;
348
369
  private wrapHandler;
349
370
  private computeViewVersionParam;
350
371
  private lookupViewFile;
@@ -6,9 +6,11 @@ import { Server as SdkServer, } from "@modelcontextprotocol/sdk/server/index.js"
6
6
  import { McpServer as McpServerBase } from "@modelcontextprotocol/sdk/server/mcp.js";
7
7
  import { mergeWith, union } from "es-toolkit";
8
8
  import express, {} from "express";
9
+ import { setupOAuth } from "./auth/setup.js";
9
10
  import { createApp } from "./express.js";
10
11
  import { createMiddlewareEntry } from "./metric.js";
11
12
  import { buildMiddlewareChain, getHandlerMaps } from "./middleware.js";
13
+ import { resolveServerOrigin } from "./requestOrigin.js";
12
14
  import { templateHelper } from "./templateHelper.js";
13
15
  const mergeWithUnion = (target, source) => {
14
16
  return mergeWith(target, source, (targetVal, sourceVal) => {
@@ -17,6 +19,15 @@ const mergeWithUnion = (target, source) => {
17
19
  }
18
20
  });
19
21
  };
22
+ /**
23
+ * Drop the query string from a `ui://` view URI, leaving the bare path. The
24
+ * `?v=` cache key is the only query we append, so a plain split is enough and
25
+ * sidesteps `URL` normalization quirks on the non-special `ui:` scheme.
26
+ */
27
+ function stripQuery(uri) {
28
+ const queryIndex = uri.indexOf("?");
29
+ return queryIndex === -1 ? uri : uri.slice(0, queryIndex);
30
+ }
20
31
  /**
21
32
  * Coerce a tool handler's return value into an MCP `content` array. Strings
22
33
  * become a single `TextContent`; a single block is wrapped in an array;
@@ -65,13 +76,31 @@ const McpServerBaseOmitted = McpServerBase;
65
76
  *
66
77
  * @see https://docs.skybridge.tech/api-reference/mcp-server
67
78
  */
79
+ // Side channel populated by `dist/__entry.js` before user code is imported.
80
+ // Set at module scope rather than passed through the constructor because the
81
+ // wrapper has the manifest before the user's `new McpServer(...)` runs, and
82
+ // threading it through every call site (including user templates) is exactly
83
+ // the boilerplate this design is trying to hide.
84
+ let pendingBuildManifest = null;
85
+ /**
86
+ * Prime the build-time Vite manifest before user code constructs its
87
+ * `McpServer`. Called from the generated `dist/__entry.js`; not part of the
88
+ * user-facing API.
89
+ *
90
+ * @internal
91
+ */
92
+ export function __setBuildManifest(manifest) {
93
+ pendingBuildManifest = manifest;
94
+ }
68
95
  export class McpServer extends McpServerBaseOmitted {
69
96
  /**
70
97
  * The underlying Express app. Use this to extend the HTTP server with
71
98
  * custom routes, middleware, or settings — e.g.
72
99
  * `server.express.get("/health", ...)`.
73
100
  *
74
- * `express.json()` is pre-applied. Register your handlers before `run()`;
101
+ * `express.json()` is pre-applied tune it via the constructor's third
102
+ * argument, e.g. `new McpServer(info, {}, { json: { limit: "10mb" } })`.
103
+ * Register your handlers before `run()`;
75
104
  * after `run()`, dev-mode middleware, the `/mcp` route, and the default
76
105
  * error handler are appended in that order.
77
106
  *
@@ -84,15 +113,34 @@ export class McpServer extends McpServerBaseOmitted {
84
113
  mcpMiddlewareApplied = false;
85
114
  claimedViews = new Map();
86
115
  viewMetaBuilders = new Map();
116
+ /**
117
+ * Maps a view resource's query-less path to its canonical registered URI
118
+ * (the one carrying the `?v=` cache key). Lets `resources/read` resolve the
119
+ * underlying view no matter which version param the consumer sends, since
120
+ * the param is only a cache key, not part of the resource's identity.
121
+ */
122
+ viewUriByPath = new Map();
87
123
  viteManifest = null;
88
124
  serverInfo;
89
125
  serverOptions;
90
- constructor(serverInfo, options) {
126
+ constructor(serverInfo, options, skybridgeOptions) {
91
127
  super(serverInfo, options);
92
128
  this.serverInfo = serverInfo;
93
129
  this.serverOptions = options;
94
130
  this.express = express();
95
- this.express.use(express.json());
131
+ this.express.use(express.json(skybridgeOptions?.json));
132
+ if (skybridgeOptions?.oauth) {
133
+ setupOAuth(this.express, skybridgeOptions.oauth);
134
+ }
135
+ // Pick up the manifest if `dist/__entry.js` primed it before importing
136
+ // user code. Consume-once: clear after the first construction so a
137
+ // subsequent test that doesn't prime can't inherit stale state.
138
+ // Explicit `setViteManifest` calls still win because they happen after
139
+ // construction.
140
+ if (pendingBuildManifest) {
141
+ this.setViteManifest(pendingBuildManifest);
142
+ pendingBuildManifest = null;
143
+ }
96
144
  }
97
145
  use(pathOrHandler, ...handlers) {
98
146
  // Branching is load-bearing: Express's `app.use` overloads can't be
@@ -165,10 +213,47 @@ export class McpServer extends McpServerBaseOmitted {
165
213
  return result;
166
214
  },
167
215
  };
216
+ // Resolve a view's `resources/read` by its query-less path so the
217
+ // underlying asset is served no matter the `?v=` value (stale cache key,
218
+ // no param, etc.). The version param is a cache-busting hint for external
219
+ // consumers; it must not gate resolution. We rewrite the lookup URI to the
220
+ // canonical registered one, then restore the requested URI on the response
221
+ // so the consumer-facing URI is never rewritten.
222
+ const viewReadResolveEntry = {
223
+ filter: "resources/read",
224
+ handler: async (req, _extra, next) => {
225
+ const requested = req.params.uri;
226
+ if (typeof requested !== "string") {
227
+ return next();
228
+ }
229
+ const path = stripQuery(requested);
230
+ const canonical = this.viewUriByPath.get(path);
231
+ if (!canonical) {
232
+ return next();
233
+ }
234
+ req.params.uri = canonical;
235
+ try {
236
+ const result = (await next());
237
+ for (const content of result.contents ?? []) {
238
+ if (typeof content.uri === "string" &&
239
+ stripQuery(content.uri) === stripQuery(canonical)) {
240
+ content.uri = requested;
241
+ }
242
+ }
243
+ return result;
244
+ }
245
+ finally {
246
+ // Restore the shared request params so middleware outer to us never
247
+ // observes the rewritten lookup URI after next() unwinds.
248
+ req.params.uri = requested;
249
+ }
250
+ },
251
+ };
168
252
  const monitoringEntry = createMiddlewareEntry();
169
253
  const entries = [
170
254
  ...(monitoringEntry ? [monitoringEntry] : []),
171
255
  viewListMetaEntry,
256
+ viewReadResolveEntry,
172
257
  ...this.mcpMiddlewareEntries,
173
258
  ];
174
259
  if (entries.length === 0) {
@@ -224,10 +309,24 @@ export class McpServer extends McpServerBaseOmitted {
224
309
  *
225
310
  * On Cloudflare Workers / workerd, returns an object exposing `fetch` so
226
311
  * the runtime can bridge incoming requests to the Node HTTP server. On
312
+ * Vercel (`VERCEL === "1"`), returns the Express app directly so the
313
+ * serverless function entry can call it as a `(req, res)` handler. On
227
314
  * Node, returns `undefined` once listening.
228
315
  */
229
316
  async run() {
230
317
  this.applyMcpMiddleware();
318
+ if (process.env.VERCEL === "1") {
319
+ // createApp only reads httpServer inside its dev-only branch
320
+ // (viewsDevServer); under VERCEL=1 + NODE_ENV=production it's a
321
+ // bare object passed to satisfy the required parameter.
322
+ const httpServer = http.createServer();
323
+ await createApp({
324
+ mcpServer: this,
325
+ httpServer,
326
+ errorMiddleware: this.customErrorMiddleware,
327
+ });
328
+ return this.express;
329
+ }
231
330
  const httpServer = http.createServer();
232
331
  await createApp({
233
332
  mcpServer: this,
@@ -283,27 +382,7 @@ export class McpServer extends McpServerBaseOmitted {
283
382
  return Array.isArray(val) ? val[0] : val;
284
383
  };
285
384
  const isClaude = header("user-agent") === "Claude-User";
286
- let serverUrl;
287
- const forwardedHost = header("x-forwarded-host");
288
- const origin = header("origin");
289
- const host = header("host");
290
- if (forwardedHost) {
291
- const proto = header("x-forwarded-proto") || "https";
292
- serverUrl = `${proto}://${forwardedHost}`;
293
- }
294
- else if (origin) {
295
- serverUrl = origin;
296
- }
297
- else if (host) {
298
- const proto = ["127.0.0.1:", "localhost:"].some((p) => host.startsWith(p))
299
- ? "http"
300
- : "https";
301
- serverUrl = `${proto}://${host}`;
302
- }
303
- else {
304
- const devPort = process.env.__PORT || "3000";
305
- serverUrl = `http://localhost:${devPort}`;
306
- }
385
+ const serverUrl = resolveServerOrigin(header);
307
386
  const connectDomains = [serverUrl];
308
387
  if (!isProduction) {
309
388
  const wsUrl = new URL(serverUrl);
@@ -327,111 +406,74 @@ export class McpServer extends McpServerBaseOmitted {
327
406
  return { serverUrl, connectDomains, contentMetaOverrides };
328
407
  }
329
408
  registerViewResources(toolName, view, toolMeta) {
330
- const hosts = view.hosts ?? ["apps-sdk", "mcp-app"];
331
409
  // Append a content-derived version param so hosts (e.g. ChatGPT) bust
332
410
  // their cache when the bundle changes, but keep the URI stable across
333
411
  // `tools/list` calls when the bundle hasn't changed.
334
412
  const versionParam = this.computeViewVersionParam(view.component);
335
- if (hosts.includes("apps-sdk")) {
336
- const viewResource = {
337
- hostType: "apps-sdk",
338
- uri: `ui://views/apps-sdk/${view.component}.html${versionParam}`,
339
- mimeType: "text/html+skybridge",
340
- buildContentMeta: ({ resourceDomains, connectDomains, domain }, overrides) => {
341
- const defaults = {
342
- "openai/widgetCSP": {
343
- resource_domains: resourceDomains,
344
- connect_domains: connectDomains,
413
+ const viewResource = {
414
+ hostType: "mcp-app",
415
+ uri: `ui://views/ext-apps/${view.component}.html${versionParam}`,
416
+ mimeType: "text/html;profile=mcp-app",
417
+ buildContentMeta: ({ resourceDomains, connectDomains, domain, baseUriDomains }, overrides) => {
418
+ const defaults = {
419
+ ui: {
420
+ csp: {
421
+ resourceDomains,
422
+ connectDomains,
423
+ baseUriDomains,
345
424
  },
346
- "openai/widgetDomain": domain,
347
- "openai/widgetDescription": view.description,
348
- };
349
- const fromView = {
350
- "openai/widgetCSP": {
351
- resource_domains: view.csp?.resourceDomains,
352
- connect_domains: view.csp?.connectDomains,
353
- frame_domains: view.csp?.frameDomains,
354
- redirect_domains: view.csp?.redirectDomains,
355
- },
356
- "openai/widgetDomain": view.domain,
357
- "openai/widgetPrefersBorder": view.prefersBorder,
358
- };
359
- const base = mergeWithUnion(mergeWithUnion(defaults, fromView), {
360
- "openai/widgetDomain": overrides.domain,
361
- });
362
- if (view._meta) {
363
- return { ...base, ...view._meta };
364
- }
365
- return base;
366
- },
367
- };
368
- this.registerViewResource({
369
- name: toolName,
370
- viewResource,
371
- view,
372
- });
373
- toolMeta["openai/outputTemplate"] = viewResource.uri;
374
- }
375
- if (hosts.includes("mcp-app")) {
376
- const viewResource = {
377
- hostType: "mcp-app",
378
- uri: `ui://views/ext-apps/${view.component}.html${versionParam}`,
379
- mimeType: "text/html;profile=mcp-app",
380
- buildContentMeta: ({ resourceDomains, connectDomains, domain, baseUriDomains }, overrides) => {
381
- const defaults = {
382
- ui: {
383
- csp: {
384
- resourceDomains,
385
- connectDomains,
386
- baseUriDomains,
387
- },
388
- domain,
389
- },
390
- };
391
- const fromView = {
392
- ui: {
393
- ...(view.description && { description: view.description }),
394
- ...(view.prefersBorder !== undefined && {
395
- prefersBorder: view.prefersBorder,
425
+ domain,
426
+ },
427
+ };
428
+ const fromView = {
429
+ ui: {
430
+ ...(view.description && { description: view.description }),
431
+ ...(view.prefersBorder !== undefined && {
432
+ prefersBorder: view.prefersBorder,
433
+ }),
434
+ ...(view.domain && { domain: view.domain }),
435
+ csp: {
436
+ ...(view.csp?.resourceDomains && {
437
+ resourceDomains: view.csp.resourceDomains,
438
+ }),
439
+ ...(view.csp?.connectDomains && {
440
+ connectDomains: view.csp.connectDomains,
441
+ }),
442
+ ...(view.csp?.frameDomains && {
443
+ frameDomains: view.csp.frameDomains,
444
+ }),
445
+ ...(view.csp?.baseUriDomains && {
446
+ baseUriDomains: view.csp.baseUriDomains,
396
447
  }),
397
- ...(view.domain && { domain: view.domain }),
398
- csp: {
399
- ...(view.csp?.resourceDomains && {
400
- resourceDomains: view.csp.resourceDomains,
401
- }),
402
- ...(view.csp?.connectDomains && {
403
- connectDomains: view.csp.connectDomains,
404
- }),
405
- ...(view.csp?.frameDomains && {
406
- frameDomains: view.csp.frameDomains,
407
- }),
408
- ...(view.csp?.baseUriDomains && {
409
- baseUriDomains: view.csp.baseUriDomains,
410
- }),
411
- ...(view.csp?.redirectDomains && {
412
- redirectDomains: view.csp.redirectDomains,
413
- }),
414
- },
415
448
  },
416
- };
417
- const base = mergeWithUnion(mergeWithUnion(defaults, fromView), {
418
- ui: overrides,
419
- });
420
- if (view._meta) {
421
- return { ...base, ...view._meta };
422
- }
423
- return base;
424
- },
425
- };
426
- this.registerViewResource({
427
- name: toolName,
428
- viewResource,
429
- view,
430
- });
431
- // @ts-expect-error - For backwards compatibility with Claude current implementation of the specs
432
- toolMeta["ui/resourceUri"] = viewResource.uri;
433
- toolMeta.ui = { ...toolMeta.ui, resourceUri: viewResource.uri };
434
- }
449
+ },
450
+ };
451
+ const ui = mergeWithUnion(mergeWithUnion(defaults, fromView), {
452
+ ui: overrides,
453
+ });
454
+ const base = {
455
+ ...ui,
456
+ ...(view.description && {
457
+ "openai/widgetDescription": view.description,
458
+ }),
459
+ ...(view.csp?.redirectDomains && {
460
+ "openai/widgetCSP": { redirect_domains: view.csp.redirectDomains },
461
+ }),
462
+ };
463
+ if (view._meta) {
464
+ return { ...base, ...view._meta };
465
+ }
466
+ return base;
467
+ },
468
+ };
469
+ this.registerViewResource({ name: toolName, viewResource, view });
470
+ // Advertise via the MCP Apps standard pointer only — ChatGPT renders from
471
+ // ui.resourceUri (verified), and not emitting openai/outputTemplate lets us
472
+ // retire the legacy apps-sdk resource later. The legacy apps-sdk URL is still
473
+ // served (see registerViewResource) so already-published apps keep resolving.
474
+ // @ts-expect-error - For backwards compatibility with Claude current implementation of the specs
475
+ toolMeta["ui/resourceUri"] = viewResource.uri;
476
+ toolMeta.ui = { ...toolMeta.ui, resourceUri: viewResource.uri };
435
477
  }
436
478
  registerViewResource({ name, viewResource, view, }) {
437
479
  const { hostType, uri: viewUri, mimeType, buildContentMeta } = viewResource;
@@ -445,6 +487,8 @@ export class McpServer extends McpServerBaseOmitted {
445
487
  }, contentMetaOverrides);
446
488
  };
447
489
  this.viewMetaBuilders.set(viewUri, buildMeta);
490
+ this.viewUriByPath.set(stripQuery(viewUri), viewUri);
491
+ this.serveLegacyAppsSdkUrl(view.component, viewUri);
448
492
  this.registerResource(name, viewUri, { description: view.description }, async (uri, extra) => {
449
493
  const isProduction = process.env.NODE_ENV === "production";
450
494
  const { serverUrl } = this.resolveViewRequestContext(extra);
@@ -467,6 +511,11 @@ export class McpServer extends McpServerBaseOmitted {
467
511
  };
468
512
  });
469
513
  }
514
+ serveLegacyAppsSdkUrl(component, canonicalUri) {
515
+ this.viewUriByPath.set(`ui://views/apps-sdk/${component}.html`, canonicalUri);
516
+ this.viewUriByPath.set(`ui://widgets/apps-sdk/${component}.html`, canonicalUri);
517
+ this.viewUriByPath.set(`ui://widgets/ext-apps/${component}.html`, canonicalUri);
518
+ }
470
519
  wrapHandler(cb, { attachViewUUID }) {
471
520
  return async (args, extra) => {
472
521
  const result = await cb(args, extra);