web+cli+docs: Wave 4 — deep-link auto-connect + programmatic MCP App review (rollup of #1576–#1578, #1665, #1666)#1676
Conversation
Closes #1576 Adds `?serverUrl=<url>&transport=http|sse&autoConnect=<token>` URL-driven auto-connect so a driver can reach a connected inspector with one navigate. - `clients/web/src/utils/deepLink.ts`: `parseDeepLink()` (http(s)-only serverUrl; `autoConnect` CSRF-gated on the per-launch API token), `deepLinkParseStatus()`, `deepLinkConfigEquals()`, `DEEP_LINK_SERVER_ID` (stable `deep-link` row so reloads reconnect to the same catalog row). - App.tsx: ensure/connect effects (two-phase upsert-then-connect against the hydrated list), `serversRef` read in `onToggleConnection`, `connectErrorMessage` / `recordConnectError` recording connection-level failures. - InspectorView header: `data-testid="connection-status"` with `data-status`, `data-error-message`, `data-deeplink` so drivers can `waitForSelector` and read failure reasons without scraping toasts. - Docs: deep-link scheme + `data-*` contract in clients/web/README.md. Re-implemented informed by PR #1510 (33fac3f); adapted to the post-#1417 lifted-tab architecture and dropping the non-existent `normalizeServerUrl` import in favor of `URL.href` canonicalization. Coverage gate green (deepLink.ts 97.8/95.1/100/97.4). Part of the #1579 decomposition (Wave 4). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
…p from the URL (#1577) Closes #1577 Extends the deep link (#1576) to land on a rendered MCP App: - `&openApp=<toolName>` — once connected and the tool appears in the app list, InspectorView switches to the Apps tab and pre-selects it. - `&appArgs=<base64url(JSON)>` — pre-fills the tool form; values are merged **over** `collectSchemaDefaults()` so required-with-default fields don't disable "Open App". - `&autoOpen=<token>` — token-gated auto-click of "Open App". Adapted to the current architecture (differs from PR #1510's reference): - Tab state is lifted to App.tsx (#1417), so the openApp effect lives in InspectorView and drives `onActiveTabChange("Apps")` + `onAppsUiChange` seed + `onSelectApp`, guarded by `deepLinkOpenAppRef` to fire once. - AppsScreen owns the `running`/iframe state, so `autoOpen` is threaded to it as a prop; a fire-once effect defers the open one microtask past the synchronous effect body (satisfying `react-hooks/set-state-in-effect`, matching App.tsx's connect effect). `resetAppChannels` memoized so the effect's deps don't churn. Tests: InspectorView (tab-switch + pre-select + appArgs-over-defaults merge + non-app openApp ignored), AppsScreen (autoOpen fires once with seeded values; no-selection stays idle). README documents the params. Coverage gate green. Part of the #1579 decomposition (Wave 4). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
…1666) Closes #1666 #1575 shipped `--print-handoff` with an interim deep-link shape (hardcoded `transport: "http"`, marked `TODO(#1576)`). Now that #1576 owns the canonical `?serverUrl&transport&autoConnect` format, `--print-handoff` emits exactly it: - New `deepLinkTransport(serverUrl, transport)` helper derives `http`|`sse` from the resolved server — explicit `--transport` wins, else auto-detect from the URL path (`/sse` → sse), else default `http`. Unlike the core resolver it defaults instead of throwing (the handoff is best-effort; the web parser defaults an unknown transport to http too). - `buildHandoff` takes the transport, emits the normalized serverUrl + derived transport in the query, and keeps `autoConnect=<token>` (which #1576 adopted as the canonical CSRF gate, so the interim guess was already correct). - Removed the `TODO(#1576)` marker; updated the doc comment + CLI README. Tests: handoff emits `transport=http` for `/mcp`, `transport=sse` for `/sse` and for explicit `--transport sse`; `deepLinkTransport` unit tests cover the explicit/auto/default/stdio/unparseable branches. CLI coverage gate green (cli.ts 100/92.8/100/100). Part of the #1579 decomposition (Wave 4). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
#1665) Closes #1665 `--use-stored-auth` previously injected the stored access token blindly, so an expired token failed even with a valid refresh_token on disk. Now, when a `refresh_token` is stored, the CLI runs the OAuth refresh grant and injects the fresh access token, persisting the rotation. - New exported `refreshStoredAuthToken(serverUrl, statePath, deps?)`: reuses the SDK's `refreshAuthorization` (not a hand-rolled token request) with the stored `clientInformation` + `serverMetadata` (discovered via core `getAuthorizationServerUrl` + SDK `discoverAuthorizationServerMetadata` when the metadata wasn't persisted). Rotated tokens are written back through `serializeOAuthPersistBlob` under the same `{servers,idpSessions}` key, so web and CLI stay consistent. Missing refresh_token/clientInformation or a failed grant throw `CliExitCodeError(AUTH_REQUIRED)` with a clear message + envelope code (`no_stored_token` / `refresh_failed`). - `--use-stored-auth` prefers refresh when a refresh_token is present (covers both absent and expired access tokens — the stored blob has no expiry, so the refresh token is the durable credential); falls back to injecting the stored access token otherwise (unchanged). - `deps` are injectable so the refresh/discovery are unit-tested without a live token endpoint; an e2e test drives the real SDK path against a mock token endpoint and asserts the refreshed token is injected + the rotation persisted. - CLI README updated (removed the "blind injection" caveat). CLI coverage gate green (cli.ts 100/92/100/100). Part of the #1579 decomposition (Wave 4, CLI lane). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
Closes #1578 Adds docs/mcp-app-review.md — the CLI-first → one-shot-web recipe for automated MCP App review: `--app-info` probe → deep-link navigate → rendered widget, plus OAuth-gated servers (stored-auth handoff, now honoring refresh_token per #1665), SSH port-forward (both ports), and HTTP proxy support. Adapted from PR #1510's reference doc to only document what actually merged and to match the current implementation: - Correct driver contract: `data-testid="connection-status"` + `data-status` /`data-error-message`/`data-deeplink`, `data-testid="open-app"`, and the `data-app-status="ready"` app lifecycle (not the reference's stale selectors). - The zero-click `autoOpen` path (#1577) alongside the click-to-open variant. - `--use-stored-auth` now refreshes a stored refresh_token (#1665), so the "token is not refreshed" caveat is replaced. The per-client READMEs (web deep-link scheme + data-* contract, CLI handoff + refresh + proxy) were updated in their own Wave 4 PRs; this adds the root README pointer to docs/. Proxy/undici is already documented in the CLI README. Part of the #1579 decomposition (Wave 4, docs — lands last). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
…tale-config connect - The ensure-phase addServer catch now records non-409 failures (read-only catalog, backend 5xx) on data-error-message instead of swallowing every error and leaving the deep link permanently stuck at the guard with no signal (review finding #1). - Split the update and connect phases across renders (new deepLinkUpdateRef): connect only once servers reflects the updated config, so onToggleConnection (which reads serversRef, synced by an earlier passive effect) builds the client from the fresh transport rather than the pre-update config (finding #2 — the exact case deepLinkConfigEquals was added for). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
- Refresh failure now falls back to injecting a still-present stored access token instead of hard-exiting 3, so a transient auth-server hiccup doesn't regress a previously-working invocation (review #1). Only a failure with no access token to fall back on surfaces as exit 3. - Persist rotated tokens via the shared writeStoreFile (0o600 + mkdir -p) instead of a raw writeFile, so the secrets file keeps owner-only perms identical to the web backend (review #2). - Missing clientInformation now throws the distinct no_client_information envelope code rather than reusing no_stored_token (review #5a). - Docs: --wait-for-auth no longer claims parity with --use-stored-auth (it injects the freshly-landed token without refreshing); noted the always-refresh rotation/concurrency caveat (review #3, #4). - Tests: discovery-returns-undefined metadata path, no_client_information code, and an e2e refresh-failure → access-token fallback. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
…verUrl - The JSDoc referenced a non-existent `resolveServerConfig`; name the real `resolveServerConfigs` (core/mcp/node/config.ts) in plain text (it isn't imported here, so an @link wouldn't resolve). - Hoist the doubly-computed `normalizeServerUrl(serverUrl)` in buildHandoff to a single `normalizedUrl` reused for the query param and the serverUrl field. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
DeepLink.autoOpen is a non-optional boolean, so the `?? false` was dead once openApp was truthy. Collapse to Boolean(deepLink?.openApp && deepLink.autoOpen) — still false when there's no deep link, still gated on openApp so a malformed autoOpen-without-openApp link can't fire. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
- Root README no longer links to docs/mcp-server-configuration.md (not yet ported to v2); keep only the mcp-app-review.md pointer (review #3). - Collapse the Local-fixture parenthetical onto one line so prettier no longer renders '- resource preset …' as a mid-sentence bullet (review #5). Findings #1/#2 (documents unmerged #1576/#1577/#1665 behavior) and #4 (the web-README #deep-link-auto-connect anchor) resolve in the Wave 4 rollup, which lands this doc together with those code PRs — the reviewer noted the same. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
# Conflicts: # clients/cli/__tests__/stored-auth.test.ts
|
@claude review |
|
Claude finished @cliffhall's task in 2m 17s —— View job Review: Wave 4 rollup (#1676)
Reviewed the full cumulative diff. This is a well-executed rollup — the security gating is thoughtfully documented, the CLI refresh path reuses the SDK rather than hand-rolling a token request, and the machine-readable Strengths
Minor observations (non-blocking)1. Deep-link connect is skipped when the deep-link server is already deepLinkConnectRef.current = true;
if (activeServerId !== deepLink.serverId) {
void onToggleConnection(deepLink.serverId).catch(...);
}If 2. Double snapshot read on the refresh path. In 3. 4. Doc/verification note. The PR body states None of these rise to a change request. Nice work threading the deep-link phases and the stored-auth refresh together cleanly. |
…eServerId Gate the deep-link connect phase on 'not already connected' rather than on activeServerId identity: if a prior session restored activeServerId to the 'deep-link' id while disconnected, the old guard marked the ref consumed and never connected, so reloading the same deep-link URL silently didn't auto- connect. onToggleConnection only disconnects when the id is active AND status is connected, so the new condition also avoids toggling a live connection off. Also documents (rollup review #3) that pre-selecting a deep-linked app deliberately bypasses AppsScreen.handleSelect's no-input auto-launch — a URL must not fire a tool call without the token-gated autoOpen. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
|
Thanks for the thorough rollup review. Addressed the one correctness edge case in
Dispositions on the rest:
Leaving this rollup unmerged for maintainer review. |
Closes #1576
Closes #1577
Closes #1578
Closes #1665
Closes #1666
Wave 4 rollup — deep-link auto-connect + programmatic MCP App review path
Tracking issue: #1675. Rollup of the five Wave 4 sub-issues from the #1579 decomposition of PR #1510, so the whole programmatic-review surface (URL deep-link → rendered widget, stored-auth handoff with refresh) can be smoke-tested and merged as one cumulative diff against
v2/main. Each sub-issue shipped and was reviewed on its own branch (@claude review→ LGTM), then merged base→tip into this branch.Included (base→tip)
?serverUrl&transport&autoConnect.parseDeepLink()(http(s)-only serverUrl;autoConnectCSRF-gated on the per-launch API token; stabledeep-linkcatalog row). App.tsx phase-split ensure→update→connect effect;connectErrorMessage. InspectorView headerdata-testid="connection-status"withdata-status/data-error-message/data-deeplink.openApp/appArgs/autoOpen. Once connected + the tool appears, switch to Apps, pre-select, pre-fillappArgsmerged over schema defaults; token-gatedautoOpenfires "Open App" (AppsScreen ownsrunning, soautoOpenthreads to it, fire-once).--print-handoffwith web: deep-link auto-connect (?serverUrl&transport&autoConnect) + machine-readable connection status #1576's canonical deep-link format (derivedtransport, normalizedserverUrl,autoConnectgate; dropped the interimTODO(#1576)).--use-stored-authhonorsrefresh_token— SDK refresh grant + rotation persisted viawriteStoreFile(0o600), with fallback to the stored access token when refresh fails.docs/mcp-app-review.mdCLI-first → one-shot-web recipe + per-client README updates.Verification
npm run cigreen on this branch (validate → coverage ≥90 per-file gate → smoke → Storybook). Coverage gate passes for every touched file (deepLink.ts,InspectorView.tsx,AppsScreen.tsx,cli.ts).@claude reviewloop to LGTM; those per-issue PRs are superseded by this rollup.Per AGENTS.md the
Closeslines won't auto-fire onv2/main— the sub-issues are closed and their board cards moved to Done on merge of this rollup; #1675 stays In Review behind it.🤖 Generated with Claude Code