worldmonitor

eliott/worldmonitor

Fork 0

mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00

Commit Graph

Author	SHA1	Message	Date
Elie Habib	5ba0d8db83	fix(mcp): SSE transport support for /sse MCP servers (#1848 ) * fix(mcp): add SSE transport support for /sse MCP servers (Cloudflare Radar etc.) Servers like radar.mcp.cloudflare.com/sse use the HTTP+SSE transport, not the newer streamable HTTP transport. The proxy was POSTing JSON-RPC directly to the /sse endpoint (which only accepts GET), causing a hang/502. SseSession opens the SSE GET stream, waits for the `endpoint` event to get the POST URL, then dispatches JSON-RPC requests there while reading responses from the same stream. Also: return 422 instead of 502 for upstream MCP errors so Cloudflare proxy does not replace the JSON error body with its own HTML error page. * fix(mcp): harden SSE transport against SSRF, early stream close, and path over-match P1: re-validate the endpoint URL from the SSE stream against BLOCKED_HOST_PATTERNS and protocol allowlist before assigning _endpointUrl, preventing a malicious MCP server from redirecting the proxy to RFC1918 / metadata addresses. P2 (stream close): when reader.read() returns done=true before an endpoint event arrives, reject _endpointDeferred so connect() throws a descriptive error instead of hanging forever (hits misconfigured servers, auth failures wrapped in SSE, etc). P2 (path match): narrow isSseTransport() to suffix-only match; removing the p.includes('/sse/') arm prevents misclassifying valid streamable HTTP endpoints such as https://host/mcp/sse/proxy as legacy SSE transport.	2026-03-19 03:42:48 +04:00
Elie Habib	2268df2bfc	feat(mcp): add MCP data panel for user-connected servers (#1835 ) * feat(cii): add displacement signal and extend ACLED window for post-conflict accuracy ACLED's 7-day window scores post-ceasefire countries (e.g. Lebanon) near zero despite ongoing destruction, because battle events dried up after the November 2024 ceasefire. Two fixes: 1. Displacement signal (UNHCR): reads displacement:summary:v1:YEAR from Redis and maps ISO3→ISO2 codes. Log-scaled boost (max +20pts) means Lebanon (~1.2M displaced) gets ~12pts, Syria (~7M) gets ~18pts, and peaceful countries get 0. This signal persists long after a ceasefire because UNHCR data updates annually, not per-battle. 2. ACLED 30-day window with time decay: extends from 7 to 30 days. Events 0-7 days old: weight 1.0 \| Events 8-30 days old: weight 0.4. Captures conflict tail without over-weighting stale events. Together these make CII reflect structural reality (displaced populations, reconstruction crisis) rather than just last-week's ACLED event count. * fix(cii): add displacedByIso3 to emptyAux fallback * fix(cii): rescale displacement boost and paginate 30-day ACLED query P1: The previous formula Math.log10(n)4 capped at 100K displaced (log10(100000)=5, 54=20), making 100K and 10M identical. Rescaled to (log10(n)-5)8+4 anchored at the 100K threshold: 100K→+4 \| 500K→+10 \| 1M→+12 \| 5M→+18 \| 10M→+20, floor 0. P2: A single 30-day fetch with limit:1500 silently drops tail events once the global count exceeds the cap, which cuts post-conflict countries (low recent, higher older activity) exactly when they need the signal most. Split into two independent cached queries: - days 0-7: limit 1000 (full weight, same as before) - days 8-30: limit 1000 (0.4 weight, separate Redis cache key) Each window gets its own event budget; no shared-function changes. feat(mcp): add MCP data panel to let users connect any MCP server Users can now connect an MCP server directly from the dashboard via a new "Connect MCP" block alongside "Create with AI". The modal fetches available tools from the server, lets the user pick a tool + configure args + refresh interval, then renders a live auto-refreshing panel. - api/mcp-proxy.js: Vercel edge proxy implementing MCP streamable-HTTP protocol (initialize + tools/list / tools/call, SSE + JSON responses) - src/services/mcp-store.ts: localStorage CRUD for McpPanelSpec configs - src/components/McpConnectModal.ts: connection wizard (URL, auth header, tool selection, args, title, refresh interval) - src/components/McpDataPanel.ts: auto-refreshing panel with configure (⚙) and refresh-now (↻) buttons; renders text or formatted JSON from tool result - panel-layout.ts: loads persisted MCP panels on boot, adds "Connect MCP" block, addMcpPanel() integration - event-handlers.ts: handles mcp- panel close (confirm + delete) and wm:mcp-configure event for re-opening the modal - CSS: mcp-connect-modal, mcp-data-panel, shared btn/btn-primary/etc classes - i18n: mcp.* keys in en.json - tests: mcp-proxy.js added to ALLOWED_LEGACY_ENDPOINTS allowlist * fix(mcp): add common.cancel i18n key used by McpConnectModal * feat(mcp): add Quick Connect presets for Brave, Exa, Tavily, Context7, Web Fetch * fix(mcp): replace search-heavy presets with diverse tool presets (GitHub, Slack, Radar, Maps, Postgres, Fetch) * feat(mcp): add 10 quick-connect presets Add Linear, Sentry, Datadog, Stripe, Overpass (OSM), Perplexity, Polygon.io, Notion, Airtable, and Shodan to MCP_PRESETS, bringing the total to 16 diverse integrations. Make preset list scrollable (max-height 260px) to accommodate the longer list. * fix(mcp): SSRF protection, CRLF sanitization, auth hint styling - Block private IP ranges (RFC1918, link-local, cloud metadata 169.254.x.x) in mcp-proxy validateServerUrl; remove dead localhost-allow logic - Strip CRLF from forwarded header keys/values to prevent header injection - Use mcp-status-info class (amber) for auth notes instead of mcp-status-loading - Simplify redundant JSON.parse guard in preset click handler * fix(mcp): correct protocol version and send notifications/initialized - Bump MCP_PROTOCOL_VERSION from 2024-11-05 to 2025-03-26: the current transport (direct POST, JSON or SSE response) is Streamable HTTP defined in the 2025-03-26 revision. The 2024-11-05 HTTP transport requires opening an SSE endpoint first to discover the JSON-RPC URL, which this proxy does not do. Advertising the wrong version caused compliant 2024-11-05 servers to fail during connection. - Add sendInitialized() helper that fires notifications/initialized after a successful initialize handshake. MCP lifecycle requires this notification before any tool traffic; servers that enforce it would reject every tools/list or tools/call from this proxy. Called in both mcpListTools() and mcpCallTool(). Response is awaited but treated as fire-and-forget so non-compliant servers do not break.	2026-03-19 02:35:35 +04:00

Author

SHA1

Message

Date

Elie Habib

5ba0d8db83

fix(mcp): SSE transport support for /sse MCP servers (#1848 )

* fix(mcp): add SSE transport support for /sse MCP servers (Cloudflare Radar etc.)

Servers like radar.mcp.cloudflare.com/sse use the HTTP+SSE transport, not the
newer streamable HTTP transport. The proxy was POSTing JSON-RPC directly to the
/sse endpoint (which only accepts GET), causing a hang/502.

SseSession opens the SSE GET stream, waits for the `endpoint` event to get the
POST URL, then dispatches JSON-RPC requests there while reading responses from
the same stream.

Also: return 422 instead of 502 for upstream MCP errors so Cloudflare proxy
does not replace the JSON error body with its own HTML error page.

* fix(mcp): harden SSE transport against SSRF, early stream close, and path over-match

P1: re-validate the endpoint URL from the SSE stream against BLOCKED_HOST_PATTERNS
and protocol allowlist before assigning _endpointUrl, preventing a malicious MCP
server from redirecting the proxy to RFC1918 / metadata addresses.

P2 (stream close): when reader.read() returns done=true before an endpoint event
arrives, reject _endpointDeferred so connect() throws a descriptive error instead
of hanging forever (hits misconfigured servers, auth failures wrapped in SSE, etc).

P2 (path match): narrow isSseTransport() to suffix-only match; removing the
p.includes('/sse/') arm prevents misclassifying valid streamable HTTP endpoints
such as https://host/mcp/sse/proxy as legacy SSE transport.

2026-03-19 03:42:48 +04:00

Elie Habib

2268df2bfc

feat(mcp): add MCP data panel for user-connected servers (#1835 )

* feat(cii): add displacement signal and extend ACLED window for post-conflict accuracy

ACLED's 7-day window scores post-ceasefire countries (e.g. Lebanon) near
zero despite ongoing destruction, because battle events dried up after the
November 2024 ceasefire. Two fixes:

1. Displacement signal (UNHCR): reads displacement:summary:v1:YEAR from
   Redis and maps ISO3→ISO2 codes. Log-scaled boost (max +20pts) means
   Lebanon (~1.2M displaced) gets ~12pts, Syria (~7M) gets ~18pts, and
   peaceful countries get 0. This signal persists long after a ceasefire
   because UNHCR data updates annually, not per-battle.

2. ACLED 30-day window with time decay: extends from 7 to 30 days.
   Events 0-7 days old: weight 1.0 | Events 8-30 days old: weight 0.4.
   Captures conflict tail without over-weighting stale events.

Together these make CII reflect structural reality (displaced populations,
reconstruction crisis) rather than just last-week's ACLED event count.

* fix(cii): add displacedByIso3 to emptyAux fallback

* fix(cii): rescale displacement boost and paginate 30-day ACLED query

P1: The previous formula Math.log10(n)*4 capped at 100K displaced
(log10(100000)=5, 5*4=20), making 100K and 10M identical. Rescaled
to (log10(n)-5)*8+4 anchored at the 100K threshold:
  100K→+4 | 500K→+10 | 1M→+12 | 5M→+18 | 10M→+20, floor 0.

P2: A single 30-day fetch with limit:1500 silently drops tail events
once the global count exceeds the cap, which cuts post-conflict
countries (low recent, higher older activity) exactly when they need
the signal most. Split into two independent cached queries:
  - days 0-7:  limit 1000 (full weight, same as before)
  - days 8-30: limit 1000 (0.4 weight, separate Redis cache key)
Each window gets its own event budget; no shared-function changes.

* feat(mcp): add MCP data panel to let users connect any MCP server

Users can now connect an MCP server directly from the dashboard via a new
"Connect MCP" block alongside "Create with AI". The modal fetches available
tools from the server, lets the user pick a tool + configure args + refresh
interval, then renders a live auto-refreshing panel.

- api/mcp-proxy.js: Vercel edge proxy implementing MCP streamable-HTTP
  protocol (initialize + tools/list / tools/call, SSE + JSON responses)
- src/services/mcp-store.ts: localStorage CRUD for McpPanelSpec configs
- src/components/McpConnectModal.ts: connection wizard (URL, auth header,
  tool selection, args, title, refresh interval)
- src/components/McpDataPanel.ts: auto-refreshing panel with configure (⚙)
  and refresh-now (↻) buttons; renders text or formatted JSON from tool result
- panel-layout.ts: loads persisted MCP panels on boot, adds "Connect MCP"
  block, addMcpPanel() integration
- event-handlers.ts: handles mcp- panel close (confirm + delete) and
  wm:mcp-configure event for re-opening the modal
- CSS: mcp-connect-modal, mcp-data-panel, shared btn/btn-primary/etc classes
- i18n: mcp.* keys in en.json
- tests: mcp-proxy.js added to ALLOWED_LEGACY_ENDPOINTS allowlist

* fix(mcp): add common.cancel i18n key used by McpConnectModal

* feat(mcp): add Quick Connect presets for Brave, Exa, Tavily, Context7, Web Fetch

* fix(mcp): replace search-heavy presets with diverse tool presets (GitHub, Slack, Radar, Maps, Postgres, Fetch)

* feat(mcp): add 10 quick-connect presets

Add Linear, Sentry, Datadog, Stripe, Overpass (OSM), Perplexity,
Polygon.io, Notion, Airtable, and Shodan to MCP_PRESETS, bringing
the total to 16 diverse integrations. Make preset list scrollable
(max-height 260px) to accommodate the longer list.

* fix(mcp): SSRF protection, CRLF sanitization, auth hint styling

- Block private IP ranges (RFC1918, link-local, cloud metadata 169.254.x.x)
  in mcp-proxy validateServerUrl; remove dead localhost-allow logic
- Strip CRLF from forwarded header keys/values to prevent header injection
- Use mcp-status-info class (amber) for auth notes instead of mcp-status-loading
- Simplify redundant JSON.parse guard in preset click handler

* fix(mcp): correct protocol version and send notifications/initialized

- Bump MCP_PROTOCOL_VERSION from 2024-11-05 to 2025-03-26: the current
  transport (direct POST, JSON or SSE response) is Streamable HTTP
  defined in the 2025-03-26 revision. The 2024-11-05 HTTP transport
  requires opening an SSE endpoint first to discover the JSON-RPC URL,
  which this proxy does not do. Advertising the wrong version caused
  compliant 2024-11-05 servers to fail during connection.

- Add sendInitialized() helper that fires notifications/initialized
  after a successful initialize handshake. MCP lifecycle requires this
  notification before any tool traffic; servers that enforce it would
  reject every tools/list or tools/call from this proxy. Called in
  both mcpListTools() and mcpCallTool(). Response is awaited but
  treated as fire-and-forget so non-compliant servers do not break.

2026-03-19 02:35:35 +04:00

2 Commits