sunpeak 0.20.42 → 0.20.47

package/bin/commands/inspect.mjs

@@ -308,7 +308,7 @@ async function negotiateOAuth(serverUrl) {
 
   // Try the anonymous/auto-approved path first: follow the authorization URL
   // without a browser and see if it immediately redirects with a code.
-  const code = await tryAnonymousOAuth(authUrl.toString(), callbackUrl);
+  const code = await tryAnonymousOAuth(authUrl.toString(), callbackUrl, oauthState.stateParam);
   if (code) {
     // Complete the flow with the authorization code.
     const tokenResult = await auth(provider, {
@@ -347,15 +347,17 @@ async function negotiateOAuth(serverUrl) {
  *
  * @param {string} authUrl - The authorization URL
  * @param {string} callbackUrl - The expected callback URL prefix
+ * @param {string} [expectedState] - OAuth state value that must be echoed by the callback
+ * @param {typeof fetch} [fetchFn]
  * @returns {Promise<string | null>}
  */
-async function tryAnonymousOAuth(authUrl, callbackUrl) {
+async function tryAnonymousOAuth(authUrl, callbackUrl, expectedState, fetchFn = fetch) {
   // Follow redirects manually to detect when the server redirects back
   // to our callback URL with a code parameter.
   let url = authUrl;
   const maxRedirects = 10;
   for (let i = 0; i < maxRedirects; i++) {
-    const response = await fetch(url, { redirect: 'manual' });
+    const response = await fetchFn(url, { redirect: 'manual' });
     const location = response.headers.get('location');
 
     if (!location) {
@@ -366,11 +368,21 @@ async function tryAnonymousOAuth(authUrl, callbackUrl) {
     }
 
     // Resolve relative redirects.
-    const resolved = new URL(location, url).toString();
+    const resolvedUrl = new URL(location, url);
+    if (resolvedUrl.protocol !== 'http:' && resolvedUrl.protocol !== 'https:') {
+      throw new Error(
+        `OAuth authorization redirect has unsupported scheme: ${resolvedUrl.protocol}`
+      );
+    }
+    const resolved = resolvedUrl.toString();
 
     // Check if the redirect goes to our callback URL.
     if (resolved.startsWith(callbackUrl)) {
       const params = new URL(resolved).searchParams;
+      const state = params.get('state');
+      if (expectedState && state !== expectedState) {
+        throw new Error('OAuth state mismatch — callback rejected');
+      }
       const code = params.get('code');
       if (code) return code;
       const error = params.get('error');
@@ -906,45 +918,68 @@ async function discoverSimulations(client) {
 
 /**
  * Load simulation JSON fixtures from a directory and merge into discovered simulations.
+ *
+ * Each fixture becomes a simulation keyed by its filename, so a tool can have
+ * multiple fixtures (e.g. `show-albums.json` and `show-albums-empty.json`
+ * both targeting tool `show-albums`). Auto-discovered slots are kept only for
+ * tools that have no fixture file.
+ *
  * @param {string} dir - Simulation directory path
  * @param {Record<string, object>} simulations - Discovered simulations to merge into
  */
-function mergeSimulationFixtures(dir, simulations) {
+export function mergeSimulationFixtures(dir, simulations) {
   if (!existsSync(dir)) return;
 
   const files = readdirSync(dir).filter((f) => f.endsWith('.json'));
+
+  // Load every fixture first so we can group by tool name. We need the grouping
+  // to decide whether to keep the auto-discovered slot (no fixtures) or replace
+  // it with one entry per fixture file (one or more fixtures).
+  const fixtures = [];
   for (const file of files) {
     try {
       const fixture = JSON.parse(readFileSync(join(dir, file), 'utf-8'));
-      const toolName = fixture.tool;
-      if (!toolName) continue;
-
-      // Find matching simulation by tool name
-      const sim = simulations[toolName];
-      if (sim) {
-        // Merge fixture data into discovered simulation
-        if (fixture.toolInput !== undefined) sim.toolInput = fixture.toolInput;
-        if (fixture.toolResult !== undefined) sim.toolResult = fixture.toolResult;
-        if (fixture.serverTools !== undefined) sim.serverTools = fixture.serverTools;
-        if (fixture.userMessage !== undefined) sim.userMessage = fixture.userMessage;
-        if (fixture.hostContext !== undefined) sim.hostContext = fixture.hostContext;
-      } else {
-        // Create a new simulation from the fixture (tool not on server, but user wants to mock it)
-        const simName = file.replace(/\.json$/, '');
-        simulations[simName] = {
-          name: simName,
-          tool: { name: toolName, inputSchema: { type: 'object' } },
-          toolInput: fixture.toolInput,
-          toolResult: fixture.toolResult,
-          serverTools: fixture.serverTools,
-          userMessage: fixture.userMessage,
-          hostContext: fixture.hostContext,
-        };
-      }
+      if (!fixture.tool) continue;
+      fixtures.push({ file, fixture });
     } catch (err) {
       console.warn(`Warning: Failed to parse simulation fixture ${file}:`, err.message);
     }
   }
+
+  const byTool = new Map();
+  for (const item of fixtures) {
+    const tool = item.fixture.tool;
+    if (!byTool.has(tool)) byTool.set(tool, []);
+    byTool.get(tool).push(item);
+  }
+
+  for (const [toolName, items] of byTool) {
+    const discovered = simulations[toolName];
+
+    // Drop the auto-discovered slot if none of the fixtures will reuse its
+    // key (filename === tool name). Otherwise the named fixture overwrites
+    // it in place below.
+    const reusesSlot = items.some(({ file }) => file.replace(/\.json$/, '') === toolName);
+    if (discovered && !reusesSlot) {
+      delete simulations[toolName];
+    }
+
+    for (const { file, fixture } of items) {
+      const simName = file.replace(/\.json$/, '');
+      const sim = discovered
+        ? { ...discovered, name: simName }
+        : {
+            name: simName,
+            tool: { name: toolName, inputSchema: { type: 'object' } },
+          };
+      if (fixture.toolInput !== undefined) sim.toolInput = fixture.toolInput;
+      if (fixture.toolResult !== undefined) sim.toolResult = fixture.toolResult;
+      if (fixture.serverTools !== undefined) sim.serverTools = fixture.serverTools;
+      if (fixture.userMessage !== undefined) sim.userMessage = fixture.userMessage;
+      if (fixture.hostContext !== undefined) sim.hostContext = fixture.hostContext;
+      simulations[simName] = sim;
+    }
+  }
 }
 
 const MODEL_PROVIDERS = new Set(['openai', 'anthropic']);
@@ -2875,6 +2910,7 @@ export const _securityTestExports = {
   readRequestBody,
   resolveHttpRedirectsForMcp,
   shouldAllowPrivateServerUrls,
+  tryAnonymousOAuth,
 };
 
 /**

package/bin/commands/test-init.mjs

@@ -596,8 +596,10 @@ ${serverBlock}
       {
         compilerOptions: {
           target: 'ES2022',
+          lib: ['ESNext', 'DOM'],
           module: 'ESNext',
           moduleResolution: 'bundler',
+          types: ['node'],
           strict: true,
           esModuleInterop: true,
         },

package/bin/lib/eval/eval-runner.mjs

@@ -220,12 +220,16 @@ export async function runSingleEval({
 }) {
   const { generateText } = await import('ai');
   const system = formatEvalAppContextForModel(appContext);
+  const providerOptions = model?.provider?.startsWith('openai.')
+    ? { openai: { strictJsonSchema: false } }
+    : undefined;
 
   const result = await generateText({
     model,
     tools,
     prompt,
     ...(system ? { system } : {}),
+    ...(providerOptions ? { providerOptions } : {}),
     maxSteps,
     temperature,
     maxRetries: 0, // We manage runs ourselves; AI SDK retries compound rate limits

package/bin/lib/eval/model-registry.mjs

@@ -47,12 +47,9 @@ export async function resolveModel(modelId) {
     // @ai-sdk/openai v3 defaults to the Responses API, which requires strict
     // JSON Schema (additionalProperties: false at every level, all properties
     // required) — incompatible with arbitrary MCP server schemas. Use .chat()
-    // (Chat Completions API) when available and disable structured outputs,
-    // because reasoning models also enable strict function schemas by default.
-    const settings = { structuredOutputs: false };
-    return typeof openai.chat === 'function'
-      ? openai.chat(modelId, settings)
-      : openai(modelId, settings);
+    // (Chat Completions API) when available. The eval runner disables strict
+    // JSON Schema through per-call provider options.
+    return typeof openai.chat === 'function' ? openai.chat(modelId) : openai(modelId);
   }
   if (pkg === '@ai-sdk/anthropic') {
     const { anthropic } = provider;

package/dist/chatgpt/index.cjs

@@ -1,6 +1,6 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const require_chunk = require("../chunk-Cek0wNdY.cjs");
-const require_inspector = require("../inspector-DOmiG64-.cjs");
+const require_inspector = require("../inspector-Chhc2GNO.cjs");
 const require_inspector_url = require("../inspector-url-BxScdDag.cjs");
 const require_discovery = require("../discovery-31_n0zcu.cjs");
 //#region src/chatgpt/index.ts

package/dist/chatgpt/index.js

@@ -1,5 +1,5 @@
 import { Ct as __exportAll } from "../protocol-bhrz2H_E.js";
-import { _ as extractResourceCSP, f as ThemeProvider, g as IframeResource, p as useThemeContext, r as resolveServerToolResult, t as Inspector, v as McpAppHost, y as SCREEN_WIDTHS } from "../inspector-C6n8zap3.js";
+import { _ as extractResourceCSP, f as ThemeProvider, g as IframeResource, p as useThemeContext, r as resolveServerToolResult, t as Inspector, v as McpAppHost, y as SCREEN_WIDTHS } from "../inspector-BSha-CAW.js";
 import { t as createInspectorUrl } from "../inspector-url-xUMGbWis.js";
 import { c as toPascalCase, i as findResourceKey, n as extractSimulationKey, r as findResourceDirs, s as getComponentName, t as extractResourceKey } from "../discovery-DOVner--.js";
 //#region src/chatgpt/index.ts

package/dist/claude/index.cjs

@@ -1,4 +1,4 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 require("../chunk-Cek0wNdY.cjs");
-const require_inspector = require("../inspector-DOmiG64-.cjs");
+const require_inspector = require("../inspector-Chhc2GNO.cjs");
 exports.Inspector = require_inspector.Inspector;

package/dist/claude/index.js

@@ -1,2 +1,2 @@
-import { t as Inspector } from "../inspector-C6n8zap3.js";
+import { t as Inspector } from "../inspector-BSha-CAW.js";
 export { Inspector };

package/dist/hooks/tool-data-store.d.ts

@@ -0,0 +1,26 @@
+import { App } from '@modelcontextprotocol/ext-apps';
+export interface ToolData<TInput = unknown, TOutput = unknown> {
+    input: TInput | null;
+    inputPartial: TInput | null;
+    output: TOutput | null;
+    isError: boolean;
+    isLoading: boolean;
+    isCancelled: boolean;
+    cancelReason: string | null;
+}
+export interface ToolDataStore<TInput = unknown, TOutput = unknown> {
+    data: ToolData<TInput, TOutput>;
+    listeners: Set<() => void>;
+}
+declare module '@modelcontextprotocol/ext-apps' {
+    interface App {
+        /** @internal Eager store attached by AppProvider before connect(). */
+        __toolDataStore?: ToolDataStore;
+    }
+}
+/**
+ * Initialize the tool-data store on an App instance and wire its event
+ * listeners. Idempotent - returns the existing store if one is already
+ * attached.
+ */
+export declare function initToolDataStore(app: App): ToolDataStore;

package/dist/hooks/use-tool-data.d.ts

@@ -1,12 +1,6 @@
-export interface ToolData<TInput = unknown, TOutput = unknown> {
-    input: TInput | null;
-    inputPartial: TInput | null;
-    output: TOutput | null;
-    isError: boolean;
-    isLoading: boolean;
-    isCancelled: boolean;
-    cancelReason: string | null;
-}
+import { initToolDataStore, ToolData } from './tool-data-store';
+export type { ToolData };
+export { initToolDataStore };
 /**
  * Reactive access to tool input and output data from the MCP Apps host.
  *

package/dist/host/chatgpt/index.cjs

@@ -1,6 +1,6 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 require("../../chunk-Cek0wNdY.cjs");
-const require_use_app = require("../../use-app-DUdnDLP5.cjs");
+const require_use_app = require("../../use-app-xaiN0HAd.cjs");
 let react = require("react");
 //#region src/host/chatgpt/openai-types.ts
 /**

package/dist/host/chatgpt/index.js

@@ -1,4 +1,4 @@
-import { t as useApp } from "../../use-app-Duar2Ipu.js";
+import { t as useApp } from "../../use-app-CtKy52kw.js";
 import { useCallback } from "react";
 //#region src/host/chatgpt/openai-types.ts
 /**

package/dist/index.cjs

@@ -1,8 +1,8 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const require_chunk = require("./chunk-Cek0wNdY.cjs");
 const require_protocol = require("./protocol-Cafvpf0x.cjs");
-const require_use_app = require("./use-app-DUdnDLP5.cjs");
-const require_inspector = require("./inspector-DOmiG64-.cjs");
+const require_use_app = require("./use-app-xaiN0HAd.cjs");
+const require_inspector = require("./inspector-Chhc2GNO.cjs");
 const require_host_index = require("./host/index.cjs");
 const require_inspector_index = require("./inspector/index.cjs");
 const require_chatgpt_index = require("./chatgpt/index.cjs");
@@ -455,9 +455,22 @@ function useHostContext() {
 //#region src/hooks/use-tool-data.ts
 var stores = /* @__PURE__ */ new WeakMap();
 function getStore(app, defaultInput, defaultOutput) {
+	const eager = app.__toolDataStore;
+	if (eager) {
+		if (defaultInput !== void 0 && eager.data.input === null) eager.data = {
+			...eager.data,
+			input: defaultInput
+		};
+		if (defaultOutput !== void 0 && eager.data.output === null) eager.data = {
+			...eager.data,
+			output: defaultOutput,
+			isLoading: false
+		};
+		return eager;
+	}
 	let store = stores.get(app);
 	if (!store) {
-		store = {
+		const lazy = {
 			data: {
 				input: defaultInput ?? null,
 				inputPartial: null,
@@ -469,43 +482,44 @@ function getStore(app, defaultInput, defaultOutput) {
 			},
 			listeners: /* @__PURE__ */ new Set()
 		};
-		stores.set(app, store);
+		stores.set(app, lazy);
+		store = lazy;
 		const notify = () => {
-			for (const fn of store.listeners) fn();
+			for (const fn of lazy.listeners) fn();
 		};
-		app.ontoolinput = (_params) => {
-			store.data = {
-				...store.data,
+		app.addEventListener("toolinput", (_params) => {
+			lazy.data = {
+				...lazy.data,
 				input: _params.arguments,
 				inputPartial: null
 			};
 			notify();
-		};
-		app.ontoolinputpartial = (_params) => {
-			store.data = {
-				...store.data,
+		});
+		app.addEventListener("toolinputpartial", (_params) => {
+			lazy.data = {
+				...lazy.data,
 				inputPartial: _params.arguments
 			};
 			notify();
-		};
-		app.ontoolresult = (_params) => {
-			store.data = {
-				...store.data,
+		});
+		app.addEventListener("toolresult", (_params) => {
+			lazy.data = {
+				...lazy.data,
 				output: _params.structuredContent ?? _params.content,
 				isError: _params.isError ?? false,
 				isLoading: false
 			};
 			notify();
-		};
-		app.ontoolcancelled = (_params) => {
-			store.data = {
-				...store.data,
+		});
+		app.addEventListener("toolcancelled", (_params) => {
+			lazy.data = {
+				...lazy.data,
 				isCancelled: true,
 				cancelReason: _params.reason ?? null,
 				isLoading: false
 			};
 			notify();
-		};
+		});
 	}
 	return store;
 }