Improve local MCP auth flow, tool metadata, and sandbox validation#24
Conversation
vladimir-tikhonov-nutrient
changed the title
vladimir-tikhonov-nutrient
force-pushed
the
fix/stdio-oauth-startup-cli-flags
branch
2 times, most recently
from
b82acfb to
0ebee4d
Compare
vladimir-tikhonov-nutrient
force-pushed
the
fix/stdio-oauth-startup-cli-flags
branch
from
0ebee4d to
d314c2a
Compare
package.json
Outdated
| "format": "prettier --write .", | ||
| "lint": "eslint .", | ||
| "mcpb:validate": "npx -y @anthropic-ai/mcpb validate manifest.json", | ||
| "mcpb:pack": "pnpm run build && node scripts/build-mcpb.mjs", |
There was a problem hiding this comment.
Archive Details
name: nutrient-dws-mcp-server
version: 0.0.5
filename: nutrient-dws-mcp-server-0.0.5.mcpb
package size: 4.0MB
unpacked size: 12.5MB
shasum: 4eba71d63d171b8c886222723b5e17b990b6c7cb
total files: 2786
ignored (.mcpbignore) files: 1297
Output: /Users/tomas/work/nutrient-dws-mcp-server/dist/nutrient-dws.mcpb
File: nutrient-dws.mcpb
Size: 4081.28 KB
WARNING: Not signed
Can we publish without signing? Would be definitely faster than looking into managing the certificates.
There was a problem hiding this comment.
I dunno honestly. Signing is not mentioned in any of the docs as a requirement. Will see what they say when we submit it
There was a problem hiding this comment.
Sadly, I think we will have to sign. At least that was true for the first iteration of Claude connectors (prior to Cowork).
I was blocked at the point because we never had a legit Nutrient certificate. I think this was partially solved, but the signing flow looks horrible.
https://pspdfkit.slack.com/archives/C9K2P0Y1F/p1752793348862119
There was a problem hiding this comment.
Will try to implement signing in the next PR, waiting for 1p access here - https://pspdfkit.slack.com/archives/C9K2P0Y1F/p1774432177734159
vladimir-tikhonov-nutrient
force-pushed
the
fix/stdio-oauth-startup-cli-flags
branch
from
63f362b to
01bff16
Compare
vladimir-tikhonov-nutrient
deleted the
fix/stdio-oauth-startup-cli-flags
branch
3 participants
Summary
Prepares the local MCP server for Anthropic directory submission (SERVER-2412, SERVER-2420).
Auth and safety fixes
Unknown CLI flags like
--sandbox-dirwere silently ignored, causing the server to fall back to unrestricted mode without any indication.parseSandboxPathnow rejects unrecognized flags at startup with a clear error.The stdio transport called
getToken()eagerly before accepting connections. In Claude Desktop this caused duplicate browser tabs (one per spawned process) and made the server invisible if the user skipped the OAuth prompt. Auth is now deferred to the first tool call that actually needs a Nutrient API token, and concurrent in-process requests share a single refresh or browser flow.Directory submission requirements
Every tool now carries the safety annotations required by Anthropic's directory review (
readOnlyHint,destructiveHint,title), with a regression test that fails if a tool is added without them.The README is restructured to match the submission checklist: Description, Features, Installation, Usage Examples (with expected behavior), Data Handling, Privacy Policy, and Support sections. A
manifest.jsonand MCPB packaging script are included for the local extension bundle format.Unrelated
Fixes a pre-existing lint error in the benchmark harness (
console→globalThis.console).