Re-enable inspector auto-open & reloads post security fixes #513
The order of operations seems to have changed slightly. If the inspector is already running on the destination port, it should fail and stop.
Instead, it reports it, exits, but then auto-opens anyway. In this case I was running an older version to compare functionality and it gives me that in the browser.


- Unified start.js to handle both dev and production modes with --dev flag
- Generate session token in parent process, pass via MCP_PROXY_TOKEN env var
- Enable browser auto-open even when authentication is enabled by including token in URL
- Auto-reloads now work seamlessly with persistent tokens across hot reloads
- Simplified npm scripts - dev and dev:windows now use the same unified script
- Better developer experience with consistent token handling

The token is generated once per session and remains stable through server/client reloads, making development smoother while maintaining security.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>

…organization

- Extracted 4 functions: startDevServer, startProdServer, startDevClient, startProdClient
- Eliminated deep nesting in main() function
- Each function has a single responsibility
- Main function now clearly shows the flow: parse args → start server → start client
- No functional changes, purely organizational refactoring

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>

- Removed outdated statement about auto-open being disabled with authentication
- Clarified that browser automatically opens with token pre-filled in URL
- Updated MCP_AUTO_OPEN_ENABLED description to note it works with authentication

The README now accurately reflects the improved developer experience where authentication no longer prevents the browser from auto-opening.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>
@cliffhall thank you for drawing attention to this! I spent a good chunk of time digging into this and I believe I now have a good understanding of what you're seeing here. I believe this is because the older version you were running in your terminal was still binding to all interfaces (i.e. Counterintuitively, these might not actually conflict - at least they don't on my machine (macOS running Node 22.16). The reason seems to be that the wildcard If however you try to run 2 instances of this checkout side by side, one will fail. This is also true for the old one - but the new and the old don't conflict (in either direction!).
So I actually think this is expected - the old version was listening on the same port but a different protocol version (IPv6 vs IPv4) so the conflicts weren't appearing as they normally should. However, while investigating this I also realized client was still listening on all interfaces by default
Ok verified this behavior. This version running a second time stops and does not auto-open.
Motivation and Context
We recently landed several security related changes to the inspector, including introduction of a proxy token to prevent potential remote code execution attacks.
However this introduced some friction in Dev UX, where:
npm run start or npm run dev
This PR proposes changes to restore the previous UX while retaining the security fixes. We achieve this by:
start.js instead of within the server (unless the server is started on its own, in which case we still generate the token directly)
How Has This Been Tested?
npm run build and npm run start and test connections, reloads, auto-start.
npm run dev and test connections and test connections, reloads, auto-start.
Dev:
CleanShot.2025-06-16.at.14.36.18-converted.2.mp4
Prod:
CleanShot.2025-06-16.at.14.47.03.mp4
Breaking Changes
None.
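The token handoff described in the commit messages and PR description above, sketched as an added example that is not the inspector's own code. `MCP_PROXY_TOKEN` is the variable named in the commit message; the function names, the `token` query parameter and the 64-hex-character token format are assumptions made for illustration.

```javascript
// Added example, not the project's code. MCP_PROXY_TOKEN comes from the commit
// message; function names, the "token" query parameter and the token format
// (64 hex characters) are hypothetical.
const { randomBytes, timingSafeEqual, createHash } = require("node:crypto");

// Launcher (parent) side: one token per session, so server and client reloads
// keep working with the same value.
function generateSessionToken() {
  return randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
}

// Environment handed to the spawned server process.
function serverEnv(parentEnv, token) {
  return { ...parentEnv, MCP_PROXY_TOKEN: token };
}

// Server side: reuse the launcher's token, or generate one when the server is
// started on its own. A malformed value is ignored, never accepted as-is.
function resolveSessionToken(env) {
  const inherited = env.MCP_PROXY_TOKEN;
  if (typeof inherited === "string" && /^[0-9a-f]{64}$/.test(inherited)) {
    return { token: inherited, source: "parent" };
  }
  return { token: generateSessionToken(), source: "generated" };
}

// URL the launcher auto-opens, with the token pre-filled.
function buildOpenUrl(host, port, token) {
  const url = new URL(`http://${host}:${port}/`);
  url.searchParams.set("token", token); // hypothetical parameter name
  return url.toString();
}

// Constant-time check of a presented token. Hashing both sides first yields
// equal-length buffers, which timingSafeEqual requires.
function isAuthorized(presented, expected) {
  if (typeof presented !== "string") return false;
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}
```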