Merge pull request #8 from MCPJam/feat/inspector-pr-2103-regression-tools

feat: regression tools for inspector PR #2103 mcpProfile

Author: chelojimenez

src/host-probe-capture.ts

@@ -71,16 +71,17 @@ export function captureRuntime(): HostProbeSnapshot["runtime"] {
 }
 
 export async function runCspProbes(
-  urls: string[],
+  probes: Array<{ url: string; expectation: "declared" | "canary" }>,
 ): Promise<NonNullable<HostProbeSnapshot["runtime"]["cspProbes"]>> {
   const results: NonNullable<HostProbeSnapshot["runtime"]["cspProbes"]> = [];
-  for (const url of urls) {
+  for (const { url, expectation } of probes) {
     try {
       await fetch(url, { mode: "no-cors" });
-      results.push({ url, ok: true, errorName: null });
+      results.push({ url, expectation, ok: true, errorName: null });
     } catch (e) {
       results.push({
         url,
+        expectation,
         ok: false,
         errorName: e instanceof Error ? e.name : String(e),
       });

src/host-probe-types.ts

@@ -39,7 +39,13 @@ export interface HostProbeSnapshot {
       metaCsp: string | null;
       permissionsPolicy: string | null;
     };
-    cspProbes?: Array<{ url: string; ok: boolean; errorName: string | null }>;
+    cspProbes?: Array<{
+      url: string;
+      /** "declared" = URL is in resource's _meta.ui.csp; "canary" = NOT in declared list. */
+      expectation: "declared" | "canary";
+      ok: boolean;
+      errorName: string | null;
+    }>;
   };
   deltas: Array<{ at: string; hostContext: Partial<McpUiHostContext> }>;
   errors: Array<{ where: string; message: string }>;

src/host-probe.ts

@@ -132,10 +132,21 @@ reuploadBtn.addEventListener("click", () => {
 
 probeBtn.addEventListener("click", async () => {
   probeBtn.disabled = true;
+  // The declared URLs MUST match the resource's `_meta.ui.csp.connectDomains`
+  // (see src/index.ts host-probe resource registration). Keeping these in
+  // lockstep is what lets `assert-host-probe-csp` distinguish:
+  //   - declared+blocked  → host over-restricted (or deny override active)
+  //   - canary+allowed    → host LOOSENED declared CSP (SEP-1865 violation)
   const cspProbes = await runCspProbes([
-    "https://api.openai.com/v1/models",
-    "https://api.anthropic.com/v1/messages",
-    "https://cdn.jsdelivr.net/npm/lodash@4.17.21/package.json",
+    { url: "https://api.openai.com/v1/models", expectation: "declared" },
+    { url: "https://api.anthropic.com/v1/messages", expectation: "declared" },
+    {
+      url: "https://cdn.jsdelivr.net/npm/lodash@4.17.21/package.json",
+      expectation: "declared",
+    },
+    // Canary: not in declared connectDomains. If this succeeds, the host
+    // failed to enforce CSP — strict regression.
+    { url: "https://canary.invalid.example/", expectation: "canary" },
   ]);
   if (snapshot) {
     snapshot.runtime.cspProbes = cspProbes;