sunpeak 0.20.47 → 0.20.49

package/bin/commands/inspect.mjs

@@ -44,6 +44,7 @@ function parseArgs(args) {
     name: undefined,
     env: undefined,
     cwd: undefined,
+    headers: undefined,
   };
 
   for (let i = 0; i < args.length; i++) {
@@ -66,6 +67,10 @@ function parseArgs(args) {
       }
     } else if (arg === '--cwd' && i + 1 < args.length) {
       opts.cwd = args[++i];
+    } else if ((arg === '--header' || arg === '-H') && i + 1 < args.length) {
+      opts.headers = opts.headers || {};
+      const [name, value] = parseHttpHeader(args[++i]);
+      setHttpHeader(opts.headers, name, value);
     } else if (arg === '--help' || arg === '-h') {
       printHelp();
       process.exit(0);
@@ -89,16 +94,52 @@ Options:
   --name <string>            App name in inspector chrome
   --env <KEY=VALUE>          Environment variable for stdio servers (repeatable)
   --cwd <path>               Working directory for stdio servers
+  --header, -H <Name: value> HTTP header for HTTP MCP servers (repeatable)
   --help, -h                 Show this help
 
 Examples:
   sunpeak inspect --server http://localhost:8000/mcp
+  sunpeak inspect --server http://localhost:8000/mcp -H "Authorization: Bearer $TOKEN"
   sunpeak inspect --server "python my_server.py"
   sunpeak inspect --server "python server.py" --env API_KEY=sk-123 --cwd ./backend
   sunpeak inspect --server http://localhost:8000/mcp --simulations tests/simulations
 `);
 }
 
+function setHttpHeader(headers, name, value) {
+  const lowerName = name.toLowerCase();
+  for (const existingName of Object.keys(headers)) {
+    if (existingName.toLowerCase() === lowerName) {
+      delete headers[existingName];
+    }
+  }
+  headers[name] = value;
+}
+
+function parseHttpHeader(raw) {
+  if (typeof raw !== 'string') {
+    throw new Error('Invalid --header value. Expected "Name: value".');
+  }
+  const separator = raw.indexOf(':');
+  if (separator <= 0) {
+    throw new Error('Invalid --header value. Expected "Name: value".');
+  }
+
+  const name = raw.slice(0, separator).trim();
+  const value = raw.slice(separator + 1).trim();
+  if (!/^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/.test(name)) {
+    throw new Error(`Invalid HTTP header name: ${name || '(empty)'}`);
+  }
+  if (/[\u0000-\u001f\u007f]/.test(value)) {
+    throw new Error(`Invalid HTTP header value for ${name}: control characters are not allowed`);
+  }
+  return [name, value];
+}
+
+function hasAuthorizationHeader(headers) {
+  return Object.keys(headers || {}).some((name) => name.toLowerCase() === 'authorization');
+}
+
 /**
  * Create an in-memory OAuth client provider for the inspector.
  * The provider stores tokens, client info, and code verifier in memory.
@@ -503,6 +544,9 @@ function isAuthError(err) {
   // StreamableHTTPError includes a status code in its message.
   // Check for the specific "401" HTTP status pattern, not substring matches.
   const msg = err.message || '';
+  if (/"statusCode"\s*:\s*401\b/.test(msg)) return true;
+  if (/\bstatus(?:Code)?\s*[:=]\s*401\b/i.test(msg)) return true;
+  if (/\bHTTP\s+401\b/i.test(msg)) return true;
   if (msg.includes('invalid_token')) return true;
 
   // Connection errors (ECONNREFUSED, ETIMEDOUT, etc.) are never auth errors.
@@ -693,11 +737,15 @@ async function assertHttpServerUrlAllowed(
 
 async function resolveHttpRedirectsForMcp(
   serverArg,
-  { enforcePublicHttpUrl = false, fetchFn = fetch, lookupFn = dnsLookup } = {}
+  { enforcePublicHttpUrl = false, fetchFn = fetch, lookupFn = dnsLookup, requestInit } = {}
 ) {
   if (!enforcePublicHttpUrl) {
     try {
-      const probeResponse = await fetchFn(serverArg, { method: 'HEAD', redirect: 'follow' });
+      const probeResponse = await fetchFn(serverArg, {
+        ...(requestInit ?? {}),
+        method: 'HEAD',
+        redirect: 'follow',
+      });
       await probeResponse.body?.cancel?.();
       return probeResponse.url && probeResponse.url !== serverArg ? probeResponse.url : serverArg;
     } catch {
@@ -710,7 +758,11 @@ async function resolveHttpRedirectsForMcp(
   for (let i = 0; i < maxRedirects; i++) {
     let probeResponse;
     try {
-      probeResponse = await fetchFn(currentUrl, { method: 'HEAD', redirect: 'manual' });
+      probeResponse = await fetchFn(currentUrl, {
+        ...(requestInit ?? {}),
+        method: 'HEAD',
+        redirect: 'manual',
+      });
     } catch {
       return currentUrl;
     }
@@ -733,7 +785,7 @@ async function resolveHttpRedirectsForMcp(
 /**
  * Create an MCP client connection.
  * @param {string} serverArg - URL or command string
- * @param {{ type?: 'none' | 'bearer' | 'oauth', bearerToken?: string, authProvider?: import('@modelcontextprotocol/sdk/client/auth.js').OAuthClientProvider, env?: Record<string, string>, cwd?: string, enforcePublicHttpUrl?: boolean }} [authConfig]
+ * @param {{ type?: 'none' | 'bearer' | 'oauth', bearerToken?: string, authProvider?: import('@modelcontextprotocol/sdk/client/auth.js').OAuthClientProvider, headers?: Record<string, string>, env?: Record<string, string>, cwd?: string, enforcePublicHttpUrl?: boolean }} [authConfig]
  * @returns {Promise<{ client: import('@modelcontextprotocol/sdk/client/index.js').Client, transport: import('@modelcontextprotocol/sdk/types.js').Transport, serverUrl?: string, stderrOutput?: string[] }>}
  */
 async function createMcpConnection(serverArg, authConfig) {
@@ -749,10 +801,18 @@ async function createMcpConnection(serverArg, authConfig) {
     const { StreamableHTTPClientTransport } =
       await import('@modelcontextprotocol/sdk/client/streamableHttp.js');
 
+    const requestHeaders = { ...(authConfig?.headers ?? {}) };
+    if (authConfig?.type === 'bearer' && authConfig.bearerToken) {
+      requestHeaders.Authorization = `Bearer ${authConfig.bearerToken}`;
+    }
+
     // Follow redirects (e.g. /mcp → /mcp/) before creating the transport.
     // The MCP SDK transport doesn't follow redirects on its own.
     const finalUrl = await resolveHttpRedirectsForMcp(serverArg, {
       enforcePublicHttpUrl: !!authConfig?.enforcePublicHttpUrl,
+      ...(Object.keys(requestHeaders).length > 0
+        ? { requestInit: { headers: requestHeaders } }
+        : {}),
     });
 
     if (authConfig?.enforcePublicHttpUrl) {
@@ -763,11 +823,6 @@ async function createMcpConnection(serverArg, authConfig) {
     if (authConfig?.enforcePublicHttpUrl) {
       transportOpts.requestInit = { redirect: 'manual' };
     }
-
-    const requestHeaders = {};
-    if (authConfig?.type === 'bearer' && authConfig.bearerToken) {
-      requestHeaders.Authorization = `Bearer ${authConfig.bearerToken}`;
-    }
     if (Object.keys(requestHeaders).length > 0) {
       transportOpts.requestInit = {
         ...(transportOpts.requestInit ?? {}),
@@ -2907,6 +2962,9 @@ export const _securityTestExports = {
   normalizeModelId,
   normalizeModelProviderModelId,
   quoteSecurityInteractiveArg,
+  parseHttpHeader,
+  hasAuthorizationHeader,
+  isAuthError,
   readRequestBody,
   resolveHttpRedirectsForMcp,
   shouldAllowPrivateServerUrls,
@@ -2970,6 +3028,7 @@ function readRequestBody(req, { maxBytes = Infinity } = {}) {
  * @param {object} [opts.viteCssConfig] - Vite css config override (e.g., lightningcss customAtRules)
  * @param {Record<string, string>} [opts.env] - Extra environment variables for stdio server processes
  * @param {string} [opts.cwd] - Working directory for stdio server processes
+ * @param {Record<string, string>} [opts.headers] - Extra HTTP headers for HTTP MCP server requests
  */
 export async function inspectServer(opts) {
   const {
@@ -2990,6 +3049,7 @@ export async function inspectServer(opts) {
     viteCssConfig,
     env: serverEnv,
     cwd: serverCwd,
+    headers: serverHeaders,
   } = opts;
 
   // Load favicon from sunpeak package for the inspector UI.
@@ -3017,6 +3077,7 @@ export async function inspectServer(opts) {
   const connectionOpts = {};
   if (serverEnv) connectionOpts.env = serverEnv;
   if (serverCwd) connectionOpts.cwd = serverCwd;
+  if (serverHeaders) connectionOpts.headers = serverHeaders;
   for (let attempt = 1; attempt <= maxRetries; attempt++) {
     try {
       mcpConnection = await createMcpConnection(resolvedServerUrl, connectionOpts);
@@ -3029,7 +3090,11 @@ export async function inspectServer(opts) {
       }
 
       // If the server requires OAuth, negotiate it and retry once.
-      if (isAuthError(err) && resolvedServerUrl.startsWith('http')) {
+      if (
+        isAuthError(err) &&
+        resolvedServerUrl.startsWith('http') &&
+        !hasAuthorizationHeader(connectionOpts.headers)
+      ) {
         console.log('Server requires authentication. Negotiating OAuth...');
         try {
           const authProvider = await negotiateOAuth(resolvedServerUrl);
@@ -3416,5 +3481,6 @@ export async function inspect(args) {
     name: opts.name,
     env: opts.env,
     cwd: opts.cwd,
+    headers: opts.headers,
   });
 }

package/bin/lib/inspect/inspect-config.d.mts

@@ -15,6 +15,14 @@ export interface InspectConfigOptions {
   use?: Record<string, unknown>;
   /** Visual regression testing configuration */
   visual?: VisualConfig;
+  /** HTTP headers for HTTP MCP server requests */
+  headers?: Record<string, string>;
+  /** Server startup timeout in ms */
+  timeout?: number;
+  /** Environment variables for stdio servers */
+  env?: Record<string, string>;
+  /** Working directory for stdio servers */
+  cwd?: string;
 }
 
 /**

package/bin/lib/inspect/inspect-config.mjs

@@ -30,6 +30,7 @@ import { resolveSunpeakBin } from '../resolve-bin.mjs';
  * @param {number} [options.timeout] - Server startup timeout in ms (default: 60000)
  * @param {Record<string, string>} [options.env] - Environment variables for stdio servers
  * @param {string} [options.cwd] - Working directory for stdio servers
+ * @param {Record<string, string>} [options.headers] - HTTP headers for HTTP MCP server requests
  * @returns {import('@playwright/test').PlaywrightTestConfig}
  */
 export function defineInspectConfig(options) {
@@ -44,6 +45,7 @@ export function defineInspectConfig(options) {
     timeout,
     env,
     cwd,
+    headers,
   } = options;
 
   if (!server) {
@@ -65,6 +67,9 @@ export function defineInspectConfig(options) {
         })
       : []),
     ...(cwd ? [cwd.includes(' ') ? `--cwd "${cwd}"` : `--cwd ${cwd}`] : []),
+    ...(headers
+      ? Object.entries(headers).map(([k, v]) => `--header ${shellQuote(`${k}: ${v}`)}`)
+      : []),
     ...(simulationsDir ? [`--simulations ${simulationsDir}`] : []),
     `--port ${port}`,
     ...(name ? [`--name "${name}"`] : []),
@@ -83,3 +88,7 @@ export function defineInspectConfig(options) {
     },
   });
 }
+
+function shellQuote(value) {
+  return `'${String(value).replace(/'/g, "'\\''")}'`;
+}

package/bin/lib/inspect/inspect-server.d.mts

@@ -29,4 +29,6 @@ export function inspectServer(opts: {
   env?: Record<string, string>;
   /** Working directory for stdio server processes. */
   cwd?: string;
+  /** HTTP headers for HTTP MCP server requests. */
+  headers?: Record<string, string>;
 }): Promise<void>;

package/bin/lib/test/test-config.d.mts

@@ -12,6 +12,10 @@ export interface ServerConfig {
   url?: string;
   /** Environment variables for the server process. */
   env?: Record<string, string>;
+  /** Working directory for the server process. */
+  cwd?: string;
+  /** HTTP headers for HTTP MCP server requests. */
+  headers?: Record<string, string>;
 }
 
 /**
@@ -55,6 +59,8 @@ export interface TestConfigOptions {
   use?: Record<string, unknown>;
   /** Visual regression testing configuration. */
   visual?: VisualConfig;
+  /** Server startup timeout in ms. */
+  timeout?: number;
 }
 
 /**

package/bin/lib/test/test-config.mjs

@@ -28,6 +28,7 @@ import { resolveSunpeakBin } from '../resolve-bin.mjs';
  * @param {string} [options.server.url] - HTTP server URL (alternative to command)
  * @param {Record<string, string>} [options.server.env] - Environment variables
  * @param {string} [options.server.cwd] - Working directory for the server process
+ * @param {Record<string, string>} [options.server.headers] - HTTP headers for HTTP MCP server requests
  * @param {string[]} [options.hosts] - Host shells to test (default: ['chatgpt', 'claude'])
  * @param {string} [options.testDir] - Test directory
  * @param {string} [options.simulationsDir] - Simulations directory for mock data
@@ -126,6 +127,12 @@ function buildInspectCommand({ server, port, sandboxPort, simulationsDir }) {
     parts.push(server.cwd.includes(' ') ? `--cwd "${server.cwd}"` : `--cwd ${server.cwd}`);
   }
 
+  if (server.headers) {
+    for (const [key, value] of Object.entries(server.headers)) {
+      parts.push(`--header ${shellQuote(`${key}: ${value}`)}`);
+    }
+  }
+
   if (simulationsDir) {
     parts.push(`--simulations ${simulationsDir}`);
   }
@@ -134,3 +141,7 @@ function buildInspectCommand({ server, port, sandboxPort, simulationsDir }) {
 
   return parts.join(' ');
 }
+
+function shellQuote(value) {
+  return `'${String(value).replace(/'/g, "'\\''")}'`;
+}

package/bin/sunpeak.js

@@ -131,6 +131,7 @@ Inspector (works with any MCP server):
   sunpeak inspect          Inspect any MCP server in the inspector
     --server, -s <url|cmd> MCP server URL or stdio command (required)
     --simulations <dir>    Simulation JSON directory
+    --header, -H <header>  HTTP header for HTTP MCP servers (repeatable)
 
   sunpeak --version        Show version number
   Resources: ${resources.join(', ')} (comma/space separated)

package/dist/chatgpt/index.cjs

@@ -1,6 +1,6 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const require_chunk = require("../chunk-Cek0wNdY.cjs");
-const require_inspector = require("../inspector-Chhc2GNO.cjs");
+const require_inspector = require("../inspector-BGnxpdOn.cjs");
 const require_inspector_url = require("../inspector-url-BxScdDag.cjs");
 const require_discovery = require("../discovery-31_n0zcu.cjs");
 //#region src/chatgpt/index.ts

package/dist/chatgpt/index.js

@@ -1,5 +1,5 @@
 import { Ct as __exportAll } from "../protocol-bhrz2H_E.js";
-import { _ as extractResourceCSP, f as ThemeProvider, g as IframeResource, p as useThemeContext, r as resolveServerToolResult, t as Inspector, v as McpAppHost, y as SCREEN_WIDTHS } from "../inspector-BSha-CAW.js";
+import { _ as extractResourceCSP, f as ThemeProvider, g as IframeResource, p as useThemeContext, r as resolveServerToolResult, t as Inspector, v as McpAppHost, y as SCREEN_WIDTHS } from "../inspector-DvduUVNG.js";
 import { t as createInspectorUrl } from "../inspector-url-xUMGbWis.js";
 import { c as toPascalCase, i as findResourceKey, n as extractSimulationKey, r as findResourceDirs, s as getComponentName, t as extractResourceKey } from "../discovery-DOVner--.js";
 //#region src/chatgpt/index.ts

package/dist/claude/index.cjs

@@ -1,4 +1,4 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 require("../chunk-Cek0wNdY.cjs");
-const require_inspector = require("../inspector-Chhc2GNO.cjs");
+const require_inspector = require("../inspector-BGnxpdOn.cjs");
 exports.Inspector = require_inspector.Inspector;

package/dist/claude/index.js

@@ -1,2 +1,2 @@
-import { t as Inspector } from "../inspector-BSha-CAW.js";
+import { t as Inspector } from "../inspector-DvduUVNG.js";
 export { Inspector };

package/dist/host/chatgpt/index.cjs

@@ -1,6 +1,6 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 require("../../chunk-Cek0wNdY.cjs");
-const require_use_app = require("../../use-app-xaiN0HAd.cjs");
+const require_use_app = require("../../use-app-fizR-zbu.cjs");
 let react = require("react");
 //#region src/host/chatgpt/openai-types.ts
 /**

package/dist/host/chatgpt/index.js

@@ -1,4 +1,4 @@
-import { t as useApp } from "../../use-app-CtKy52kw.js";
+import { t as useApp } from "../../use-app-CmrLc3wz.js";
 import { useCallback } from "react";
 //#region src/host/chatgpt/openai-types.ts
 /**

package/dist/index.cjs

@@ -1,15 +1,15 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const require_chunk = require("./chunk-Cek0wNdY.cjs");
 const require_protocol = require("./protocol-Cafvpf0x.cjs");
-const require_use_app = require("./use-app-xaiN0HAd.cjs");
-const require_inspector = require("./inspector-Chhc2GNO.cjs");
+const require_use_app = require("./use-app-fizR-zbu.cjs");
+const require_inspector = require("./inspector-BGnxpdOn.cjs");
 const require_host_index = require("./host/index.cjs");
 const require_inspector_index = require("./inspector/index.cjs");
 const require_chatgpt_index = require("./chatgpt/index.cjs");
 let react = require("react");
 react = require_chunk.__toESM(react, 1);
 let react_jsx_runtime = require("react/jsx-runtime");
-//#region ../../node_modules/.pnpm/@modelcontextprotocol+ext-apps@1.7.2_@modelcontextprotocol+sdk@1.29.0_zod@4.4.3__react-_f5b843da9146ebea748e10ad8dfce46a/node_modules/@modelcontextprotocol/ext-apps/dist/src/react/index.js
+//#region ../../node_modules/.pnpm/@modelcontextprotocol+ext-apps@1.7.3_@modelcontextprotocol+sdk@1.29.0_zod@4.4.3__react-_198afb8973c94867da191e43eebfe140/node_modules/@modelcontextprotocol/ext-apps/dist/src/react/index.js
 ((K) => typeof require < "u" ? require : typeof Proxy < "u" ? new Proxy(K, { get: (Q, X) => (typeof require < "u" ? require : Q)[X] }) : K)(function(K) {
 	if (typeof require < "u") return require.apply(this, arguments);
 	throw Error("Dynamic require of \"" + K + "\" is not supported");