allow setting options at mcp install time

[j4ys0n]

No description provided.

[j4ys0n]

Automated review 🤖

Summary of Changes
This PR refactors InstallPackageRequest to support passing MCP server metadata (e.g., displayName, secretNames, catalogId) at install time by extracting shared fields into a new PackageInstallServerMetadata type and spreading them into addServer calls across all transport types (stdio, streamable_http, python). Version bumped to 1.11.7. Tests updated to validate metadata forwarding for Python, Node stdio, and streamable HTTP packages.

Key Changes & Positives

• Introduces PackageInstallServerMetadata type to avoid duplication and improve type safety when forwarding server metadata to addServer 🟢
• Centralizes metadata extraction via buildServerMetadataInput() method in PackageService, reducing redundancy across transport-specific code paths 🟢
• Extends existing tests to verify metadata propagation for all three runtime/transport combinations, improving confidence in correctness 🟢

Potential Issues & Recommendations

1. Issue / Risk: secretName field is removed from InstallPackageRequest but PackageInstallServerMetadata retains it; if callers previously passed secretName alone (not secretNames), behavior may break due to missing deprecation handling.

   • Impact: Existing clients relying on secretName in InstallPackageRequest will silently omit it unless migrated to secretNames.
   • Recommendation: Add runtime validation or deprecation warning for secretName usage; document migration path in changelog.
   • Status: 🟡 Needs review

2. Issue / Risk: buildServerMetadataInput copies all AddServerInput subset fields unconditionally; if request omits optional fields (e.g., catalogProvider), undefined values may override defaults in downstream addServer logic.

   • Impact: Could unintentionally clear server metadata previously set via other means (e.g., catalog sync).
   • Recommendation: Filter out undefined values before spreading (pickBy or manual nullish coalescing) to preserve existing defaults.
   • Status: 🟡 Needs review

Language/Framework Checks

• TypeScript: Pick<AddServerInput, ...> correctly typed; PackageInstallServerMetadata used consistently in buildServerMetadataInput and spread into addServer calls in src/services/packages.ts lines 394, 513, 576.
• Test assertions in test/packages-python.spec.ts validate nested object structures (e.g., secretFields) with correct types.

Security & Privacy

• No security-sensitive changes; secretNames and secretFields are forwarded as-is, preserving existing secret-handling semantics.

Tests

• Tests now cover metadata forwarding for all three transport types (stdio, streamable_http, python); ensure secretFields schema validation (e.g., required, inputType) is enforced upstream in AddServerInput.

Approval Recommendation
Approve with caveats

• Add deprecation handling or migration guidance for secretName → secretNames
• Clarify behavior when optional metadata fields are omitted (e.g., catalogProvider: undefined) to avoid overwriting existing defaults

[Copilot]

Pull request overview

This PR enables passing through MCP server “metadata” options at package install time so that newly installed servers can be created with richer configuration (display name/description, secret metadata, URLs, catalog info, startup timeout), and expands tests to cover these new fields.

Changes:

• Forward server metadata fields from PackageService.installPackage into MCPService.addServer for python, node stdio, and streamable HTTP installs.
• Extend packages-python.spec.ts to assert metadata forwarding behavior across runtimes/transports.
• Bump package.json version from 1.11.6 to 1.11.7.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
test/packages-python.spec.ts	Adds assertions/tests ensuring install-time server metadata is forwarded for python/node/streamable HTTP installs.
src/services/packages.ts	Introduces a typed metadata subset and spreads it into mcpService.addServer calls.
package.json	Patch version bump for release.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

installPackage now forwards user-provided secretNames/secretFields (and other metadata) into MCPService.addServer, but for platform servers addServer doesn't apply the external-server validations (max secret fields, field name pattern, etc.). Since this input comes from the install request, it should be validated/normalized in PackageService (e.g., cap the number of secret fields and enforce the same field.name pattern used in MCPService.addServer) before persisting it on the server record.

[Copilot]

The test is using a custom inline type assertion for addServerInput, which weakens type-safety for fields like catalogProvider (should be 'glama' | 'manual') and secretFields[].inputType (literal 'password'). Prefer typing this as AddServerInput (or Pick<AddServerInput, ...>) via a type-only import from src/services/mcp to keep the test aligned with the real API shape.

[Copilot]

This spec file/describe block is scoped to “python runtime support”, but these newly added cases also cover node stdio and streamable HTTP installs. Consider moving these new tests into a more appropriately named suite/file (or splitting describe blocks) so future changes to node/HTTP install behavior are discoverable.