chore: remove obsolete .browser-echo-mcp.json file, update pnpm-lock.yaml to use new package URLs, and adjust example app package.json files to reference updated browser-echo packages

regenrek · regenrek · commit ff6133554edf · 2025-08-22T18:10:10.000+02:00
diff --git a/.browser-echo-mcp.json b/.browser-echo-mcp.json
diff --git a/.cursor/mcp.json b/.cursor/mcp.json
@@ -2,7 +2,7 @@
   "mcpServers": {
     "browser-echo": {
       "command": "npx",
-      "args": ["https://pkg.pr.new/instructa/browser-echo/@browser-echo/mcp@f6031a3"]
+      "args": ["https://pkg.pr.new/instructa/browser-echo/@browser-echo/mcp@70c8792"]
     }
   }
 }
diff --git a/example/next-app/package.json b/example/next-app/package.json
@@ -14,8 +14,8 @@
     "react-dom": "19.1.1"
   },
   "devDependencies": {
-    "@browser-echo/mcp": "workspace:*",
-    "@browser-echo/next": "workspace:*",
+    "@browser-echo/mcp": "https://pkg.pr.new/instructa/browser-echo/@browser-echo/mcp@70c8792",
+    "@browser-echo/next": "https://pkg.pr.new/instructa/browser-echo/@browser-echo/next@70c8792",
     "@eslint/eslintrc": "^3",
     "@tailwindcss/postcss": "^4.1.12",
     "@types/node": "^24.3.0",
diff --git a/example/nuxt-app/package.json b/example/nuxt-app/package.json
@@ -16,6 +16,6 @@
   },
   "packageManager": "pnpm@10.12.1+sha512.f0dda8580f0ee9481c5c79a1d927b9164f2c478e90992ad268bbb2465a736984391d6333d2c327913578b2804af33474ca554ba29c04a8b13060a717675ae3ac",
   "devDependencies": {
-    "@browser-echo/nuxt": "workspace:*"
+    "@browser-echo/nuxt": "https://pkg.pr.new/instructa/browser-echo/@browser-echo/nuxt@70c8792"
   }
 }
diff --git a/example/react-vite-app/package.json b/example/react-vite-app/package.json
@@ -14,7 +14,7 @@
     "react-dom": "^19.1.1"
   },
   "devDependencies": {
-    "@browser-echo/vite": "workspace:*",
+    "@browser-echo/vite": "https://pkg.pr.new/instructa/browser-echo/@browser-echo/vite@70c8792",
     "@eslint/js": "^9.17.0",
     "@types/react": "^19.1.10",
     "@types/react-dom": "^19.1.7",
diff --git a/example/tanstack-app/package.json b/example/tanstack-app/package.json
@@ -18,7 +18,7 @@
     "zod": "^4.0.17"
   },
   "devDependencies": {
-    "@browser-echo/vite": "workspace:*",
+    "@browser-echo/vite": "https://pkg.pr.new/instructa/browser-echo/@browser-echo/vite@70c8792",
     "@types/node": "^24.3.0",
     "@types/react": "^19.1.10",
     "@types/react-dom": "^19.1.7",
diff --git a/example/vue-vite-app/package.json b/example/vue-vite-app/package.json
@@ -12,7 +12,7 @@
     "vue": "^3.5.18"
   },
   "devDependencies": {
-    "@browser-echo/vite": "workspace:*",
+    "@browser-echo/vite": "https://pkg.pr.new/instructa/browser-echo/@browser-echo/vite@70c8792",
     "@vitejs/plugin-vue": "^6.0.1",
     "typescript": "~5.9.2",
     "vite": "^7.1.3",
diff --git a/example/vue-vite-app/vite.config.ts b/example/vue-vite-app/vite.config.ts
@@ -6,10 +6,7 @@ import browserEcho from '@browser-echo/vite'
 export default defineConfig({
   plugins: [vue(), browserEcho(
     {
-      stackMode: 'condensed',
-      mcp: {
-        suppressTerminal: true
-      }
+      stackMode: 'condensed'
     },
   )],
 })
diff --git a/packages/mcp/README.md b/packages/mcp/README.md
@@ -399,6 +399,9 @@ publishLogEntry({
 - `BROWSER_ECHO_BUFFER_SIZE` — Max entries in memory (default: `1000`)
 - `BROWSER_ECHO_MCP_URL` — MCP server URL for framework forwarding (if set, frameworks bypass discovery)
 - `BROWSER_ECHO_INGEST_PORT` — Force a fixed ingest port in stdio mode (default: ephemeral)
+- `BROWSER_ECHO_ALLOW_TMP_DISCOVERY=1` — Opt-in to writing tmp discovery file; a token is generated and enforced via `x-be-token`
+- `BROWSER_ECHO_PROJECT_ROOT=/abs/path` — Explicit project root to embed in discovery metadata for correct scoping
+- `BROWSER_ECHO_ALLOW_PORT_SCAN=1` — Opt-in for the Vite plugin to use port scanning when discovery is unavailable
 
 ---
 
diff --git a/packages/mcp/src/server.ts b/packages/mcp/src/server.ts
@@ -223,7 +223,7 @@ export async function startHttpServer(
   await new Promise<void>((resolve) => nodeServer.listen(opts.port, opts.host, () => resolve()));
 
   // Advertise discovery so providers can auto-detect this server locally
-  await advertiseDiscovery(opts.host, opts.port, opts.logsRoute, { projectRoot: process.cwd(), scope: 'http' });
+  await advertiseDiscovery(opts.host, opts.port, opts.logsRoute, { projectRoot: process.env.BROWSER_ECHO_PROJECT_ROOT || process.cwd(), scope: 'http' });
 
   // eslint-disable-next-line no-console
   console.log(`MCP (Streamable HTTP) listening → http://${opts.host}:${opts.port}${opts.endpoint}`);
@@ -315,39 +315,60 @@ export async function startIngestOnlyServer(
     }
   }
 
-  // Only the primary (5179) should advertise to OS tmp to avoid discovery flapping
+  // Advertise discovery for stdio transport. By default, only write project-local discovery.
   const requestedPort = opts.port;
   const isAggregator = requestedPort !== 0 && actualPort === requestedPort;
-  await advertiseDiscovery(opts.host, actualPort, opts.logsRoute, { projectRoot: process.cwd(), scope: 'stdio', aggregator: isAggregator });
+  await advertiseDiscovery(opts.host, actualPort, opts.logsRoute, { projectRoot: process.env.BROWSER_ECHO_PROJECT_ROOT || process.cwd(), scope: 'stdio', aggregator: isAggregator });
 
   // eslint-disable-next-line no-console
   console.error(`Log ingest endpoint        → http://${opts.host}:${actualPort}${opts.logsRoute}`);
 }
 
 async function advertiseDiscovery(host: string, port: number, logsRoute: `/${string}`, meta?: { projectRoot?: string; token?: string; scope?: 'http' | 'stdio'; aggregator?: boolean }) {
   try {
-    const { writeFileSync } = await import('node:fs');
+    const { writeFileSync, chmodSync } = await import('node:fs');
     const { join } = await import('node:path');
     const { tmpdir } = await import('node:os');
 
     const baseUrl = `http://${host}:${port}`;
-    const payload = JSON.stringify({
+    const allowTmp = process.env.BROWSER_ECHO_ALLOW_TMP_DISCOVERY === '1';
+    const token = allowTmp ? (process.env.BROWSER_ECHO_DISCOVERY_TOKEN || randomUUID()) : undefined;
+    if (allowTmp) {
+      try { process.env.BROWSER_ECHO_DISCOVERY_TOKEN = token as string; } catch {}
+      try { process.env.BROWSER_ECHO_REQUIRE_TOKEN = process.env.BROWSER_ECHO_REQUIRE_TOKEN || '1'; } catch {}
+    }
+    const payloadLocal = JSON.stringify({
+      url: baseUrl,
+      routeLogs: logsRoute,
+      timestamp: Date.now(),
+      pid: typeof process !== 'undefined' ? process.pid : undefined,
+      projectRoot: meta?.projectRoot || process.cwd()
+    });
+    const payloadTmp = JSON.stringify({
       url: baseUrl,
       routeLogs: logsRoute,
       timestamp: Date.now(),
       pid: typeof process !== 'undefined' ? process.pid : undefined,
       projectRoot: meta?.projectRoot || process.cwd(),
-      token: meta?.token || undefined
+      token
     });
 
-    const files = meta?.scope === 'http'
-      ? [ join(tmpdir(), 'browser-echo-mcp.json') ]
-      : meta?.aggregator
-        ? [ join(process.cwd(), '.browser-echo-mcp.json'), join(tmpdir(), 'browser-echo-mcp.json') ]
-        : [ join(process.cwd(), '.browser-echo-mcp.json') ];
+    let files: string[] = [];
+    if (meta?.scope === 'http') {
+      // HTTP transport: write project-local; mirror to tmp only when explicitly enabled
+      files = [ join(process.cwd(), '.browser-echo-mcp.json') ];
+      if (allowTmp) files.push(join(tmpdir(), 'browser-echo-mcp.json'));
+    } else {
+      // STDIO transport writes only to project-local by default; optionally mirror to tmp when explicitly enabled
+      files = [ join(process.cwd(), '.browser-echo-mcp.json') ];
+      if (allowTmp) files.push(join(tmpdir(), 'browser-echo-mcp.json'));
+    }
 
     for (const f of files) {
-      try { writeFileSync(f, payload); } catch {}
+      const isTmp = f === join(tmpdir(), 'browser-echo-mcp.json');
+      try { writeFileSync(f, isTmp ? payloadTmp : payloadLocal); } catch {}
+      // Restrict permissions when writing token-bearing tmp file
+      if (isTmp) { try { chmodSync(f, 0o600); } catch {} }
     }
   } catch {
     // best-effort only
diff --git a/packages/vite/README.md b/packages/vite/README.md
@@ -186,6 +186,16 @@ browserEcho({
 - `BROWSER_ECHO_SUPPRESS_TERMINAL=1` — Force suppress terminal output
 - `BROWSER_ECHO_SUPPRESS_TERMINAL=0` — Force show terminal output
 
+#### Discovery and Isolation (Advanced)
+
+- `BROWSER_ECHO_ALLOW_PORT_SCAN=1` — Opt-in to port scanning when no discovery file or explicit URL is found (default: disabled)
+- `BROWSER_ECHO_ALLOW_TMP_DISCOVERY=1` — Opt-in to writing tmp discovery file for cross-process discovery; generates a token and enforces it (default: disabled)
+- `BROWSER_ECHO_PROJECT_ROOT=/abs/path` — Explicit project root used by the MCP server when writing discovery metadata; ensures correct scoping
+
+Notes:
+- By default, the plugin only trusts project-local discovery files (at `.browser-echo-mcp.json`). Tmp discovery is ignored unless the `projectRoot` in the file matches the current project.
+- When `BROWSER_ECHO_ALLOW_TMP_DISCOVERY=1` is set on the MCP server, a token is written to the tmp discovery file and enforced via the `x-be-token` header.
+
 ## File Logging (Vite-only feature)
 
 Enable optional file logging to write browser logs to disk:
diff --git a/packages/vite/src/index.ts b/packages/vite/src/index.ts
@@ -1,8 +1,8 @@
 // Avoid exporting Vite types to prevent cross-version type mismatches in consumers
 import ansis from 'ansis';
 import type { BrowserLogLevel } from '@browser-echo/core';
-import { mkdirSync, appendFileSync, existsSync, readFileSync, unlinkSync } from 'node:fs';
-import { dirname, join as joinPath } from 'node:path';
+import { mkdirSync, appendFileSync, existsSync, readFileSync, unlinkSync, realpathSync } from 'node:fs';
+import { dirname, join as joinPath, relative as relativePath, isAbsolute as isAbsolutePath, sep as pathSep } from 'node:path';
 import { tmpdir } from 'node:os';
 
 export interface BrowserLogsToTerminalOptions {
@@ -107,10 +107,12 @@ function attachMiddleware(server: any, options: ResolvedOptions) {
   const logFilePath = joinPath(options.fileLog.dir, `dev-${sessionStamp}.log`);
   if (options.fileLog.enabled) { try { mkdirSync(dirname(logFilePath), { recursive: true }); } catch {} }
 
-  // Dynamic MCP ingest resolution (explicit → env → discovery file → port scan)
+  // Dynamic MCP ingest resolution (explicit → env → discovery file → optional port scan)
   let resolvedBase = options.mcp.url ? options.mcp.url.replace(/\/$/, '') : '';
   let resolvedIngest = resolvedBase ? `${resolvedBase}${options.mcp.routeLogs}` : '';
   let lastAnnouncement = '';
+  let resolvedToken = '';
+  let resolvedSource = '' as 'explicit' | 'env' | 'local' | 'tmp' | 'scan' | '';
 
   const refreshMs = Math.max(1_000, Number(options.discoveryRefreshMs || 30_000) | 0);
 
@@ -131,7 +133,7 @@ function attachMiddleware(server: any, options: ResolvedOptions) {
     } catch { return false; }
   }
 
-  function readDiscoveryFile(): { url: string; routeLogs?: string; ts?: number; token?: string; pid?: number } | null {
+  function readDiscoveryFile(): { url: string; routeLogs?: string; ts?: number; token?: string; pid?: number; projectRoot?: string; sourcePath: string } | null {
     try {
       const candidates = [
         joinPath(process.cwd(), '.browser-echo-mcp.json'),
@@ -147,13 +149,26 @@ function attachMiddleware(server: any, options: ResolvedOptions) {
           const ts = typeof data?.timestamp === 'number' ? data.timestamp : undefined;
           const token = data?.token ? String(data.token) : undefined;
           const pid = typeof data?.pid === 'number' ? data.pid : undefined;
-          if (url) return { url, routeLogs, ts, token, pid };
+          const projectRoot = data?.projectRoot ? String(data.projectRoot) : undefined;
+          if (url) return { url, routeLogs, ts, token, pid, projectRoot, sourcePath: p };
         } catch {}
       }
     } catch {}
     return null;
   }
 
+  function isInsideProject(root: string | undefined, cwd: string): boolean {
+    if (!root) return true;
+    try {
+      const realRoot = realpathSync(root);
+      const realCwd = realpathSync(cwd);
+      const rel = relativePath(realRoot, realCwd);
+      return rel === '' || (!rel.startsWith('..' + pathSep) && !isAbsolutePath(rel));
+    } catch {
+      return false;
+    }
+  }
+
   async function resolveMcp() {
     if (!options.discoverMcp) return;
     // 1) Explicit (already normalized)
@@ -162,48 +177,64 @@ function attachMiddleware(server: any, options: ResolvedOptions) {
       const base = explicit.replace(/\/$/, '');
       resolvedBase = base;
       resolvedIngest = `${base}${options.mcp.routeLogs}`;
+      resolvedToken = '';
+      resolvedSource = process.env.BROWSER_ECHO_MCP_URL ? 'env' : 'explicit';
       announce(`${options.tag} forwarding logs to MCP ingest at ${resolvedIngest}`);
       return;
     }
-    // 2) Discovery file (fresh within 60s)
+    // 2) Discovery file (prefer local; tmp is only trusted if projectRoot matches)
     const disc = readDiscoveryFile();
     if (disc && disc.url) {
-      const ageOk = !disc.ts || (Date.now() - Number(disc.ts)) < 60_000;
-      if (ageOk) {
-        const base = String(disc.url).replace(/\/$/, '');
-        const routeLogs = (disc.routeLogs as `/${string}`) || options.mcp.routeLogs;
+      const base = String(disc.url).replace(/\/$/, '');
+      const routeLogs = (disc.routeLogs as `/${string}`) || options.mcp.routeLogs;
+      // Determine source type based on actual path
+      const tmpPath = joinPath(tmpdir(), 'browser-echo-mcp.json');
+      const fromTmp = disc.sourcePath === tmpPath;
+      const currentCwd = process.cwd();
+      const matchesProject = isInsideProject(disc.projectRoot, currentCwd);
+      if (!matchesProject && fromTmp) {
+        announce(`${options.tag} ignoring tmp discovery due to project mismatch`);
+      } else {
         // Validate aliveness: prefer health ping; optionally check PID
         const healthy = await tryPingHealth(base, 300);
         let pidOk = true;
         try { if (disc.pid && disc.pid > 0) { process.kill(disc.pid, 0); pidOk = true; } } catch { pidOk = false; }
         if (healthy || pidOk) {
           resolvedBase = base;
           resolvedIngest = `${base}${routeLogs}`;
-          announce(`${options.tag} forwarding logs to MCP ingest at ${resolvedIngest}`);
+          resolvedToken = disc.token || '';
+          resolvedSource = fromTmp ? 'tmp' : 'local';
+          announce(`${options.tag} forwarding logs to MCP ingest at ${resolvedIngest} (source: ${resolvedSource})`);
           return;
         }
-        // purge stale tmp discovery to speed up re-discovery
-        try { const stale = joinPath(tmpdir(), 'browser-echo-mcp.json'); if (existsSync(stale)) unlinkSync(stale); } catch {}
+        // If unhealthy, do not port-scan by default
       }
     }
-    // 3) Port scan common ports
-    for (const port of options.discoveryPorts || []) {
-      for (const host of [`http://127.0.0.1:${port}`, `http://localhost:${port}`]) {
-        if (await tryPingHealth(host)) {
-          resolvedBase = host;
-          resolvedIngest = `${host}${options.mcp.routeLogs}`;
-          announce(`${options.tag} forwarding logs to MCP ingest at ${resolvedIngest}`);
-          return;
+    // 3) Port scan is disabled by default for isolation; enable only if explicitly opted-in
+    const allowScan = process.env.BROWSER_ECHO_ALLOW_PORT_SCAN === '1';
+    if (allowScan) {
+      for (const port of options.discoveryPorts || []) {
+        for (const host of [`http://127.0.0.1:${port}`, `http://localhost:${port}`]) {
+          if (await tryPingHealth(host)) {
+            resolvedBase = host;
+            resolvedIngest = `${host}${options.mcp.routeLogs}`;
+            resolvedToken = '';
+            resolvedSource = 'scan';
+            announce(`${options.tag} forwarding logs to MCP ingest at ${resolvedIngest}`);
+            return;
+          }
         }
       }
     }
-    // 4) Not found
+    // 4) Not found or unhealthy
     if (resolvedIngest) {
       // lost connection → inform once
       announce(`${options.tag} no MCP detected; logging locally. To forward, set BROWSER_ECHO_MCP_URL or start MCP.`);
     }
     resolvedBase = '';
     resolvedIngest = '';
+    resolvedToken = '';
+    resolvedSource = '';
   }
 
   // Kick off periodic discovery
@@ -228,7 +259,7 @@ function attachMiddleware(server: any, options: ResolvedOptions) {
           // do not await
           fetch(targetIngest, {
             method: 'POST',
-            headers: { 'content-type': 'application/json', ...options.mcp.headers },
+            headers: { 'content-type': 'application/json', ...options.mcp.headers, ...(resolvedToken ? { 'x-be-token': resolvedToken } : {}) },
             body: JSON.stringify(payload),
             keepalive: true,
             cache: 'no-store'
diff --git a/packages/vite/test/discovery.isolation.test.ts b/packages/vite/test/discovery.isolation.test.ts
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/scripts/cleanup.ts b/scripts/cleanup.ts

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`"mcpServers": {`
`3`	`3`	`"browser-echo": {`
`4`	`4`	`"command": "npx",`
`5`		`- "args": ["https://pkg.pr.new/instructa/browser-echo/@browser-echo/mcp@f6031a3"]`
	`5`	`+ "args": ["https://pkg.pr.new/instructa/browser-echo/@browser-echo/mcp@70c8792"]`
`6`	`6`	`}`
`7`	`7`	`}`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,6 @@`
`16`	`16`	`},`
`17`	`17`	`"packageManager": "pnpm@10.12.1+sha512.f0dda8580f0ee9481c5c79a1d927b9164f2c478e90992ad268bbb2465a736984391d6333d2c327913578b2804af33474ca554ba29c04a8b13060a717675ae3ac",`
`18`	`18`	`"devDependencies": {`
`19`		`- "@browser-echo/nuxt": "workspace:*"`
	`19`	`+ "@browser-echo/nuxt": "https://pkg.pr.new/instructa/browser-echo/@browser-echo/nuxt@70c8792"`
`20`	`20`	`}`
`21`	`21`	`}`