feat(app,app-bridge): guard requests sent before handshake completes#623
Merged
feat(app,app-bridge): guard requests sent before handshake completes#623
Conversation
…620) * feat(app,app-bridge): guard requests sent before handshake completes Calling host-bound methods before the ui/initialize → ui/notifications/initialized handshake completes can race the handshake on strict hosts and leave the iframe permanently hidden. App (View side): - All 8 host-bound methods (callServerTool, readServerResource, listServerResources, sendMessage, updateModelContext, openLink, downloadFile, requestDisplayMode) now check that connect() has sent the initialized notification. - New AppOptions.strict (default false): console.error when false, throw when true. AppOptions is now exported. - useApp() forwards strict to the App constructor. - Flag resets on reconnect. AppBridge (Host side): - replaceRequestHandler is overridden to wrap every host-bound handler with a console.warn if the request arrives before ui/notifications/initialized. Never throws. ui/initialize and ping use setRequestHandler directly and are exempt; notifications are unaffected. - Catches Views that hand-roll postMessage without the SDK. - Flag resets on reconnect. Refs anthropics/claude-ai-mcp#61, anthropics/claude-ai-mcp#149. * fix(docs): drop AppOptions from intentionallyNotExported now that it is exported
Contributor
PreviewPreview deployments for this PR have been cleaned up. |
ochafik
added a commit
that referenced
this pull request
Apr 21, 2026
Conflict resolution: - src/app.ts: kept both _registeredTools (#72) and _initializedSent/_assertInitialized (#623) private fields. - typedoc.config.mjs: dropped AppOptions (now exported per #623), kept RequestHandlerExtra (#72) → ["MethodSchema", "RequestHandlerExtra"]. - .husky/pre-commit: took main's --diff-filter=d (both sides had equivalent fixes for staged-deletion re-add failure). Guard application to #72's new App methods: - sendToolListChanged: added _assertInitialized guard. - registerTool's notify() helper: gated on _initializedSent instead of transport so enable/disable/update during the handshake window doesn't fire a premature list_changed notification. - registerTool itself is intentionally NOT guarded — it's a pre-connect setup method (analogous to setting ontoolresult). AppBridge: #72 adds no setRequestHandler/replaceRequestHandler calls; the existing override auto-covers any new replaceRequestHandler users.
This was referenced Apr 21, 2026
ochafik
added a commit
that referenced
this pull request
Apr 21, 2026
…#629) Mirrors the outbound-side guard from #623: registering a toolinput / toolinputpartial / toolresult / toolcancelled handler after the ui/initialize handshake has completed now logs a console.warn (or throws under { strict: true }), since the host may have already fired the notification by then. hostcontextchanged is exempt — late listeners for repeating events are legitimate. Covers both the on* setters and addEventListener.
This was referenced Apr 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Re-land of #620 against
main— #620 was squash-merged intoochafik/build-hook-fixes, but #621 had already squash-merged tomainfrom an earlier tip, so #620's commit never reachedmain.See #620 for full description and discussion. #622 stacks on this.