GitShow/modelcontextprotocol/inspector
modelcontextprotocol

inspector

Visual testing tool for MCP servers

by modelcontextprotocol
Star on GitHubForkWebsitenpm

TypeScript

10.2k stars1.4k forks139 contributorsActive · 6h agoSince 20240.22.0

Meet the team

See all 139 on GitHub →
olaservo
olaservo413 contributions
cliffhall
cliffhall405 contributions
jspahrsummers
jspahrsummers135 contributions
ashwin-ant
ashwin-ant133 contributions
richardkmichael
richardkmichael49 contributions
msabramo
msabramo49 contributions
felixweinberger
felixweinberger47 contributions
jerome3o-anthropic
jerome3o-anthropic42 contributions

Languages

View on GitHub →
TypeScript91.3%
JavaScript7.6%
HTML0.7%
CSS0.3%
Dockerfile0.1%

Commit activity

Last 12 weeks · 27 commits

Full graph →

Community health

5 of 6 standards met

Community profile →
87
✓README✓License✓Contributing✓Code of Conduct○Issue Template✓PR Template

Recent PRs & issues

Active · Last activity 6h ago
See all on GitHub →
cliffhall
Wave 1 rollup: integrated 1579-wave-1 branch + integration verificationOpenIssue

Wave 1 rollup — integration branch This issue is the rollup / integration point for Wave 1 of the #1579 decomposition. Rather than merging each Wave-1 PR individually into , they are integrated onto a single branch * (base: ), verified together, and reviewed as a unit. is NOT touched until the rollup is approved. What's on Original Wave 1 (10): #1556 core / (PR #1584) #1557 test-servers + (PR #1587) #1558 web sandbox CSP builder (PR #1588) #1559 web hostContext utilities (PR #1591) #1560 web enhancements (PR #1586) #1561 core redact fetch-log headers (PR #1585) #1562 auth + callback state reject (PR #1589) #1563 core // (PR #1590) #1564 cli exit-code map + JSON error envelopes (PR #1583) #1548 web parity + async hydration (PR #1592) Wave 1 follow-ups (surfaced during review/smoke): #1595 docs: complete version-board/label table (PR #1537) #1596 test-stability: eliminate web-suite timeout flakiness (PR #1597) #1593 core: redact fetch-log bodies + URL query strings (PR #1598) #1594 test-infra: gate under coverage (PR #1599) Verification posted here Each PR above already went through: exhaustive review to clean + an individual smoke-test/AGENTS.md audit on its own issue. This rollup issue additionally receives the integrated verification run against : 1. root (all clients) + web (e2e) on the merged branch; 2. every individual issue's smoke test replayed* against , proving the features work together. Refs: tracking #1579.

cliffhall · 6h ago
cliffhall
test(web): eliminate timeout flakiness in the web test suiteOpenPR

Closes #1596 What Deterministically fixes the recurring 5s-timeout flakes in the suite that surfaced under v8-instrumented, concurrent load. Test-only — no product source changed. No test was skipped/disabled, no global timeout was inflated, and the per-file coverage gate (≥90 on all four dimensions) still holds for every touched file. Per-test root cause + fix Common root cause (modals/forms/screens): schedules a real between keystrokes. Under CPU contention those event-loop yields balloon, so multi-field interactions accumulated past the 5s per-test timeout — exactly the "clustered at the default 5s timeout under load" symptom. Fix: removes the per-keystroke real-timer dependence (keystrokes dispatch synchronously), making the suites load-independent. ServerConfigModal, ServerImportConfigModal, ServerImportJsonModal, ResourcesScreen, InspectorView (localStorage/History): on every . The debounced validation in the import modals was already awaited via /, so it needed no change beyond fast typing. PromptArgumentsForm* (completions): the tests slept on the wall clock just past the 300ms completion debounce (), which races the debounce timer under load. Replaced every such sleep with awaited conditions (/) on the real rendered outcome plus ; they now resolve as soon as the debounce fires and the response settles, and never depend on machine speed. Negative assertions (stale-option clearing, cancelled debounce) rely on the component's synchronous state/timer teardown rather than a timed window, so they're deterministic. A scoped 3s timeout (commented) covers the legitimate debounce + async settle under heavy load. inspectorClient integration ("should track stderr logs for stdio transport"): the child process's stderr is piped out-of-band from the tool's JSON-RPC response, so reading synchronously right after resolved raced the stderr chunk. Wrapped the assertion in so it polls until the line lands. Verification All green with zero intermittent failures: (web) — 191 files / 2438 tests. (web) — run 6×: 4 sequential + 2 concurrent under load* (two full coverage runs in parallel, the issue's suggested load harness). Every run: 229 files / 3237 tests passed, coverage gate clean (0 threshold errors). (web) standalone — 38 files / 799 tests. 🤖 Generated with Claude Code https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX

cliffhall · 6h ago
cliffhall
docs: add CONTRIBUTORS.md issues-only policy (#1517)OpenPR

Closes #1517. Closes #1595. Summary Adds a root documenting the contribution policy: we accept issues, not pull requests. Maintainers handle design and implementation through the prompt-driven workflow described in . Contributors who have already built a change locally are asked to share the prompt they used, not a diff. The doc covers every requirement from the issue: Policy statement — issues only; external PRs are not merged; maintainers own design/implementation. How to report a bug / request a feature — open a well-scoped issue on the right version board. Includes a version → base-branch → project-board → label table (v1 / v1.5 / v2) plus a "Label by version" note mirroring the convention in . _(Added in the latest commit — the table is now actually present; see #1595.)_ If you've already fixed it locally — don't send a diff; share the prompt(s), before/after behavior, and how you verified. What makes a good issue / prompt submission — reproduction or use case, expected vs. actual, affected client (Web / TUI / CLI), and exact prompt text. Rationale — explains the prompt-driven workflow so the policy reads as intentional, with a welcoming tone. Cross-reference — adds a "Contributing" section to linking to . (There is no root in this repo, so is the cross-reference point — the issue allows "README.md and/or AGENTS.md".) Notes Docs-only change to root files; no client code is touched, so the build/test gates don't apply (no root-level prettier scope covers these files either; the markdown was formatted with manually). The optional follow-up (a redirect / PR template to steer would-be PR authors) is left for a separate issue if desired. 🤖 Generated with Claude Code https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX

cliffhall · 6h ago

Recent fixes

View closed PRs →
cliffhall
test(web): gate src/lib/** under the vitest coverage include globsMergedPR

Closes #1594 Broadens the web vitest so the per-file ≥90 four-dimension gate () applies to every module under , not just . Change : replace the single-file include entry (added by #1588 as a targeted workaround) with the glob , matching the form of the existing / entries. : annotate the provably-dead fallback in with a justified — always returns a non-empty array, so is never . New tests: (covers , including the internal wrapper) and (covers the header value helpers, previously imported by nothing). Newly-gated coverage (lines / branches / functions / statements) branch coverage rose from 92.3 → 100 via the . Verification ✅ (197 files, 2557 tests) (web) ✅ passes with the broadened include ✅ (39 files, 809 tests) 🤖 Generated with Claude Code https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX

cliffhall · 6h ago
cliffhall
feat(core): redact sensitive fields in fetch-log bodies + URL query stringsMergedPR

Closes #1593 Follow-up to the header-redaction slice (#1585). records , , , and per request; before this change only was redacted, so the secrets that ride in OAuth token exchanges still leaked verbatim through the request/response body and the URL query string. This extends redaction to cover both, alongside the existing header logic (which is untouched). What is redacted Known-sensitive field / param names (case-insensitive), reusing the sentinel style: , , , , , , , , , . How — masks values in bodies (re-serialized via ) and JSON bodies (recursive walk over nested objects/arrays, values-only, structure preserved). JSON is also sniffed when the content-type is missing. Best-effort: empty, non-string, scalar-JSON, and unparseable bodies are returned unchanged — it never throws. — masks sensitive query params while keeping the path, non-sensitive params, and any trailing readable; repeated sensitive params collapse to one redacted value. Returns the URL unchanged when there is nothing to redact. Applied to the request success entry, the request error-path entry, and the async response-body callback, all before the entry reaches any sink (in-memory log, pino, session storage). Live outbound requests are byte-identical — only the logged copy is redacted (verified by asserting the outbound is unchanged). Tests Added coverage for form + JSON body redaction (request and async response), URL-query redaction on both success and error paths, non-sensitive passthrough, malformed-body no-throw, nested-object/array recursion, fragment/case-insensitive/repeated-param handling, and live-object untouched. Unit tests for / directly. per-file coverage for : 98.27% stmts / 98.55% branch / 100% funcs / 98.18% lines** (gate is 90 on all four). Web , full gate, and all pass. 🤖 Generated with Claude Code https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX

cliffhall · 6h ago
Structured data for AI agents

Repository: modelcontextprotocol/inspector. Description: Visual testing tool for MCP servers Stars: 10248, Forks: 1394. Primary language: TypeScript. Languages: TypeScript (91.3%), JavaScript (7.6%), HTML (0.7%), CSS (0.3%), Dockerfile (0.1%). Homepage: https://modelcontextprotocol.io Latest release: 0.22.0 (3w ago). Open PRs: 100, open issues: 226. Last activity: 6h ago. Community health: 87%. Top contributors: olaservo, cliffhall, jspahrsummers, ashwin-ant, richardkmichael, msabramo, felixweinberger, jerome3o-anthropic, pulkitsharma07, pcarleton and others.

·@ofershap

Replace github.com with gitshow.dev