- replaced test for Reject button with the one used in the regular sampling test, which gets the button by role. This test appeared to be failing because formatting puts the name between the button elements with some whitespace. The way to look is with a regex

The `stdin: 'ignore'` option was not working because spawn-rx expects
an Observable for its stdin option, not a string. This caused tsx watch
and vite dev server to hang waiting for stdin on Windows.

Use Node's native `stdio: ['ignore', 'pipe', 'pipe']` option instead,
which spawn-rx passes through correctly to child_process.spawn.

Fixes #550

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

* fix(client): circular function call leads to memory leak

* allow children validation

Configure Dependabot to automatically detect updates to the actions used in
GitHub Actions (e.g., `actions/checkout`) and create pull requests for them.

For example, `actions/checkout@v4` is likely updatable, as v6 is already available:
https://github.com/modelcontextprotocol/inspector/blob/9f3b4ff/.github/workflows/main.yml#L15

This PR enables Dependabot to update such GitHub Actions dependencies.

Updates to outdated actions packages in `.github/workflows` are intentionally not included in this PR,
as they will be updated by the initial Dependabot run as part of verifying its behavior.

Based on experience, checking for updates on a weekly interval should work well.

Bumps the npm_and_yarn group with 2 updates in the / directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) and [diff](https://github.com/kpdecker/jsdiff).


Updates `@modelcontextprotocol/sdk` from 1.25.2 to 1.26.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@v1.25.2...v1.26.0)

Updates `diff` from 4.0.2 to 4.0.4
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4)

Updates `hono` from 4.11.3 to 4.11.7
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.11.3...v4.11.7)

---
updated-dependencies:
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.26.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: diff
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.11.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ator to Streamable test server). Cleanup up some port usage to avoid potential issues (always use port 0 for servers). Added stdout/stderr to cli status assertion failures to make CLI test failures easier to debug from test output.

Fixed test failures induced by MCP SDK update

* Fix MCP Apps rendering issue and add comprehensive logging

- Fixed AppRenderer useEffect dependency array to include resourceContent
  This ensures the component re-evaluates when resource content arrives
- Added detailed console logging throughout the app lifecycle:
  * Resource fetch and response tracking in App.tsx
  * Setup conditions and AppBridge creation in AppRenderer.tsx
  * HTML parsing and iframe rendering steps
  * PostMessageTransport and AppBridge connection status
  * App tool filtering and selection in AppsTab.tsx
- Refactored AppsTab selectedTool rendering for better tracking

The issue was that resourceContent prop updates weren't triggering
the AppRenderer setup effect. Now the effect properly responds to
both resourceUri and resourceContent changes.

Co-authored-by: Cliff Hall <cliffhall@users.noreply.github.com>

* Fix MCP Apps iframe rendering issue

The app was getting stuck on 'Loading MCP App...' because the iframe was
hidden (display: none) until the oninitialized event fired. However, the
PostMessage handshake requires the iframe to be visible to complete.

This fix:
- Sets loading to false immediately after writing HTML to the iframe
- Makes the iframe visible before establishing PostMessage transport
- Allows the AppBridge initialization handshake to complete successfully
- Removes redundant setLoading(false) from oninitialized callback

The iframe is now visible and ready for PostMessage communication before
the AppBridge connect() call, enabling proper initialization.

Co-authored-by: Cliff Hall <cliffhall@users.noreply.github.com>

* Fix MCP Apps HTML extraction to match spec

The AppRenderer was incorrectly checking for a 'type' field in resource
contents, but TextResourceContents objects only have uri, mimeType, and
text fields according to the MCP specification.

Fixed by checking for the presence of the 'text' field directly instead
of checking a non-existent 'type' field. This allows the HTML content
to be properly extracted and rendered in the iframe.

Co-authored-by: Cliff Hall <cliffhall@users.noreply.github.com>

* Add comprehensive tests for MCP Apps support

- Add tests for AppsTab component (13 tests)
- Add tests for AppRenderer component (17 tests)
- Update jest.config.cjs to handle ES modules from @modelcontextprotocol/ext-apps
- All 478 tests pass successfully

Co-authored-by: Cliff Hall <cliffhall@users.noreply.github.com>

* Add MCP Apps support to Inspector

- Add AppsTab component for detecting and listing MCP apps
- Add AppRenderer component with full AppBridge integration
- Implement UI resource fetching and sandboxed iframe rendering
- Add PostMessage transport for bidirectional JSON-RPC communication
- Include comprehensive test coverage (30 new tests)
- Auto-populate apps when tab becomes active
- Support theme awareness and configurable permissions

Co-authored-by: Cliff Hall <cliffhall@users.noreply.github.com>

* Prefer structuredContent over content field in tool responses

Some MCP servers return different data in structuredContent vs content fields.
This change ensures that when structuredContent is present, it is used
exclusively for display instead of showing both fields.

Changes:
- Modified ToolResults.tsx to only show content when structuredContent is absent
- Removed unused checkContentCompatibility function
- Updated test cases to reflect new behavior

Co-authored-by: Cliff Hall <cliffhall@users.noreply.github.com>

* Revert "Prefer structuredContent over content field in tool responses"

This reverts commit 3b054b4.

Claude did not do the right thing.

* feat: integrate @mcp-ui/client for MCP application rendering

This commit implements the integration of `@mcp-ui/client` to handle the
rendering of Model Context Protocol (MCP) applications within the inspector.
It includes refactoring the rendering logic, improving resource fetching
in the main application state, and setting up a secure sandbox environment.

Changes per file:

- client/package.json:
  - Added `@mcp-ui/client` as a dependency.

- client/src/components/AppRenderer.tsx:
  - Refactored to use `McpUiAppRenderer` from `@mcp-ui/client`.
  - Implemented HTML parsing logic for MCP resource responses.
  - Configured host context (theme) and sandbox URL for the renderer.
  - Replaced iframe-based manual rendering with the official component.

- client/src/App.tsx:
  - Added `fetchingResources` state to prevent duplicate concurrent resource requests.
  - Enhanced `readResource` with better error handling and state tracking.
  - Optimized resource content mapping to better support application state.

- client/src/components/AppsTab.tsx:
  - Updated to use `getToolUiResourceUri` utility from `@modelcontextprotocol/ext-apps`
    instead of manual metadata property access.
  - Simplified tool filtering and selection logic.

- client/public/sandbox_proxy.html:
  - Added a sandbox proxy page to facilitate secure communication between
    the inspector and the rendered MCP applications.

- client/bin/client.js:
  - Added server rewrites to ensure `sandbox_proxy.html` is served correctly.
  - Implemented specific `Cache-Control` headers for `sandbox_proxy.html` to
    prevent stale cached versions.

- client/vite.config.ts:
  - Explicitly configured `publicDir: "public"` to ensure the sandbox proxy
    is included in the build output.

- client/src/components/__tests__/AppRenderer.test.tsx:
  - Updated tests to mock the new `@mcp-ui/client` component.
  - Adjusted assertions to verify correct props are passed to the renderer.
  - Enhanced mock MCP client to include required methods like `getServerCapabilities`.

* Potential fix for code scanning alert no. 37: Client-side cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update package-lock.json
 - npm install
 - npm audit fix

* Potential fix for code scanning alert no. 38: Client-side cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 39: Client-side cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* prettier

* Update client/src/components/AppsTab.tsx

Co-authored-by: Ola Hungerford <olahungerford@gmail.com>

* prettier

* In AppsTab.test.tsx, fetch button by aria-label

* relative imports

* Remove sanitization logic from sandbox_proxy.html. It's breaking the app rendering. Will sort out what best practices for this HTML is later

* In sandbox_proxy.html,formatting
In AppsTab.tsx
  - Add app window
    - when an app is selected,
      - show input form for apps that have an input schema
      - button shows app
      - if app is shown, show maximize button
        - if maximized,
          - show minimize button
          - hide app list
* In AppsTab.test.tsx
  - test new layout and controls
* In AppRenderer.tsx
    - accept toolInput
    - pass to McpUiAppRenderer

* In AppsTab.tsx, if an app has no inputSchema, just show it, otherwise show the form and the "back to form" button when showing the app.

* In AppsTab.test.tsx
  - test new behavior

* In ListPane.tsx
  - remove the Clear button

* In ListPane.test.tsx
  - remove test for clear button

* In AppRenderer.tsx,
  - remove onReadResource and resourceContent, not needed since mcpClient is being passed

* In App.tsx and AppsTab.tsx,
  - remove the passing of these variables

* In AppRenderer.test.tsx, and AppsTab.test.tsx
  - remove tests that fail after having removed onReadResource and resourceContent

* Serving the sandbox_proxy.html from a separate port, using the proxy instead of the webclient server.

* In App.tsx
  - pass the path to the sandbox endpoint on the proxy to the AppsTab

* In AppsTab.tsx
  - accept the sandboxPath property and pass it to the AppRenderer

* In AppRenderer.tsx
  - accept the sandboxPath property and pass it to the McpUiAppRenderer

* In client.js
  - remove the rewrite and header config for sandbox_proxy.html

* In server/src/index.ts
  - add a /sandbox endpoint that reads and returns the sandbox_proxy.html file with no-cache header

* In server/package.json
  - add shx for cross-platform copy function
  - in build script, copy static folder to build folder

* Moved sandbox_proxy.html from client/public to server/static

* In client.js
  - return to original state

* In vite.config.ts
  - return to original state

* Potential fix for code scanning alert no. 41: Missing rate limiting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* In AppRenderer.tsx
  - add open link handler that handles link requests from the UI. Makes sure that the URL starts with http or https

* In sandbox_proxy.html
  - refactor to match [basic-host](https://github.com/modelcontextprotocol/ext-apps/tree/main/examples/basic-host) example
  - creates an nested iframe for security.
  - in this implementation, for simplicity the sandbox.ts is inlined in sandbox_proxy.html as javascript

* prettier

* In AppRenderer.tsx
  - add support for handling McpUiMessageRequest messages from the UI
  - show message in a toast

* Add logging message handler to AppRenderer

In App.tsx
  - pass an onNotification function to the AppsTab that adds a notification to the notification array

In AppsTab.tsx
  - Accept the onNotification function and pass it to the AppRenderer

In AppRenderer.tsx
  - Accept the onNotification function
  - added an handleLoggingMessage function that takes a LoggingMessageNotificationParams object, wraps it with a method and params prop to make it a ServerNotification shape, and pass it to the onNotification function
   - pass handleLoggingMessage to McpUiAppRenderer

* In ResourcesTab.test.tsx
  - fix @ import that wasn't resolving

* In AppRenderer.tsx
  - remove fetch and evaluation of resourceUri, as the mcpClient handles that (review request)

* In AppRenderer.test.tsx
  - remove test for no resourceUri found

* Merge branch 'main' into full-apps-support-final

Resolved Conflicts:
- package-lock.json

* Fixed mismatch with sanboxRateLimiter and the express version

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Cliff Hall <cliffhall@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Ola Hungerford <olahungerford@gmail.com>

- Updated all package.json files to version 0.20.0
- Updated workspace dependencies in root package.json
- Updated package-lock.json
- Verified version consistency with check-version-consistency script

Co-authored-by: Ola Hungerford <olaservo@users.noreply.github.com>

…20260206-1234

Bump version to 0.20.0