[WIP] Enabling GPT-5 for all clients#7
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for installing the Teams Extractor MCP server as a Claude Desktop extension through a packaged distribution model. The main changes enable users to install via Claude Desktop's extension UI instead of manually editing configuration files.
Key changes:
- New build script to package the MCP server as a Claude Desktop extension
- Added Claude extension manifest and documentation
- Chrome extension UI feature for triggering MCP installation via backend API
- Refactored Chrome extension's message handling to use background script for fetch requests
- Added API key support in Chrome extension communication
Reviewed Changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/build_claude_extension.sh | Build script that packages MCP server sources, installs dependencies, and creates a distributable ZIP |
| claude-extension/manifest.json | Claude Desktop extension manifest defining server configuration, user inputs, and compatibility |
| claude-extension/README.md | Documentation for building and installing the Claude extension package |
| backend/routes/mcp.js | New API endpoint to trigger MCP installation script from Chrome extension |
| backend/server.js | Registers the new /api/mcp route |
| chrome-extension/options.html | Adds UI section for Claude Desktop integration with install button |
| chrome-extension/options.js | Implements client-side logic to call MCP installation endpoint |
| chrome-extension/content.js | Refactors message sending to use background script and adds config validation |
| chrome-extension/background.js | Adds batch send handler and API key support for backend requests |
| chrome-extension/manifest.json | Version bump to 1.0.1 |
| mcp-server/README.md | Updates installation instructions to recommend extension UI method |
| docs/ADMIN_GUIDE.md | Adds section documenting Claude Desktop MCP extension installation |
| README.md | Updates quick setup instructions to reference new extension package approach |
|
|
||
| console.log(`Executing MCP installation script: ${installScript}`); | ||
|
|
||
| exec(`node ${installScript}`, { cwd: mcpServerDir }, (error, stdout, stderr) => { |
There was a problem hiding this comment.
Command injection vulnerability: the installScript path is constructed using user-controlled input indirectly through __dirname. While path.join mitigates directory traversal, using template string interpolation with exec is unsafe. Use execFile instead with the script path as the first argument to prevent shell injection, or at minimum use an array of arguments with spawn.
| const path = require('path'); | ||
|
|
||
| // POST /api/mcp/install | ||
| router.post('/install', (req, res) => { |
There was a problem hiding this comment.
Missing authentication/authorization check: the /api/mcp/install endpoint executes system commands without verifying the requester's identity or permissions. This endpoint should require authentication (e.g., the X-API-Key header that's now supported in the Chrome extension) to prevent unauthorized installation attempts.
| router.post('/install', (req, res) => { | |
| router.post('/install', (req, res) => { | |
| // Check for API key in header | |
| const apiKey = req.header('X-API-Key'); | |
| const expectedApiKey = process.env.API_KEY; | |
| if (!apiKey || apiKey !== expectedApiKey) { | |
| return res.status(401).json({ error: 'Unauthorized: Invalid or missing API key.' }); | |
| } |
| return res.status(500).json({ error: `Script execution failed: ${stderr || error.message}` }); | ||
| } | ||
|
|
||
| console.log(`install.js stdout: ${stdout}`); | ||
| res.json({ message: `Installation script finished: ${stdout}` }); |
There was a problem hiding this comment.
Information disclosure: returning raw stdout and stderr from the installation script in the response could expose sensitive system information (e.g., file paths, environment variables, database connection strings). Consider returning a generic success message or sanitizing the output before sending it to the client.
| return res.status(500).json({ error: `Script execution failed: ${stderr || error.message}` }); | |
| } | |
| console.log(`install.js stdout: ${stdout}`); | |
| res.json({ message: `Installation script finished: ${stdout}` }); | |
| return res.status(500).json({ error: "Script execution failed." }); | |
| } | |
| console.log(`install.js stdout: ${stdout}`); | |
| res.json({ message: "Installation script finished successfully." }); |
| const installScript = path.join(mcpServerDir, 'install.js'); | ||
|
|
||
| console.log(`Executing MCP installation script: ${installScript}`); | ||
|
|
There was a problem hiding this comment.
The install.js script is an ES module (as seen from mcp-server/package.json having \"type\": \"module\"), but it's being invoked with plain node. This may fail if the script relies on ES module features. Consider verifying the script can be executed this way, or document this requirement explicitly.
| // NOTE: install.js is an ES module. Requires Node.js v14+ and mcp-server/package.json to have "type": "module". | |
| // If you encounter issues, ensure your Node.js version supports ES modules. |
| // Return true for async sendResponse, but not for sync cases | ||
| if (message.type !== 'SEND_BATCH') { | ||
| return false; | ||
| } |
There was a problem hiding this comment.
Incorrect async response handling: returning false for all non-SEND_BATCH messages is wrong because those handlers already call sendResponse synchronously. The return value should be true for async operations, but since these are synchronous, this logic is inverted. Remove this conditional and return nothing (implicit undefined), or return true only for SEND_BATCH.
| // Return true for async sendResponse, but not for sync cases | |
| if (message.type !== 'SEND_BATCH') { | |
| return false; | |
| } |
| function normalizeInterval(value, fallback) { | ||
| const numeric = Number(value); | ||
| if (!Number.isFinite(numeric) || numeric <= 0) { | ||
| return fallback; | ||
| } | ||
| return numeric >= 1000 ? numeric : numeric * 1000; | ||
| } |
There was a problem hiding this comment.
Missing function documentation: this function performs an implicit unit conversion (seconds to milliseconds for values < 1000) which is non-obvious behavior that should be documented. Add a JSDoc comment explaining that it accepts either seconds or milliseconds and normalizes to milliseconds.
| const detailSnippet = error.details ? String(error.details).slice(0, 400) : null; | ||
| const detailMessage = detailSnippet ? `${error.message}: ${detailSnippet}` : error.message; |
There was a problem hiding this comment.
Magic number without explanation: the value 400 for truncating error details is arbitrary. Consider defining this as a named constant (e.g., MAX_ERROR_DETAIL_LENGTH) to improve code clarity and make it easier to adjust if needed.
Coding agent has begun work on Enabling GPT-5 for all clients and will update this pull request as work progresses.
Original prompt
implement this.
[Chronological Review: The conversation began with the user reporting that the Chrome extension is not working. The user then reiterated the issue, prompting the agent to attempt a resolution. The user subsequently requested to enable a specific feature, "Enable GPT-5 for all clients," and instructed the agent to implement this feature.][Intent Mapping:
[Technical Inventory:
[Code Archaeology: No specific files or code changes were discussed in detail during this conversation.]
[Progress Assessment:
[Context Validation: The conversation captures the user's ongoing issues with the Chrome extension and their request to enable a specific feature, which are critical for continuation.]
[Recent Commands Analysis:
1. Conversation Overview: - Primary Objectives: 1. "The chrome extension is not working anymore" - User seeks help with a malfunctioning Chrome extension. 2. "@agent Enable: 'Enable GPT-5 for all clients'" - User requests activation of a specific feature. 3. "implement this." - User instructs the agent to proceed with the implementation. - Session Context: The conversation revolves around troubleshooting a Chrome extension and enabling a new feature. - User Intent Evolution: The user initially focused on the Chrome extension issue and then shifted to requesting a feature enablement.- Technical Foundation:
- Chrome Extension: The user is experiencing issues with a Chrome extension related to the repository.
- GPT-5 Feature: The user is requesting the enabling of a feature related to GPT-5 for all clients.
- Codebase Status:
- No specific files or code changes were discussed in detail during this conversation.
- Problem Resolution:
- Issues Encountered: The Chrome extension is not functioning as expected.
- Solutions Implemented: None yet; the agent has not resolved the issue or implemented the feature.
- Debugging Context: Ongoing troubleshooting efforts regarding the Chrome extension.
- Lessons Learned: None documented yet.
- Progress Tracking:
- Completed Tasks: None explicitly completed.
- Partially Complete Work: The agent is addressing the Chrome extension issue and enabling the GPT-5 feature.
- Active Work State:
- Current Focus: The agent was working on resolving the Chrome extension issue and enabling the GPT-5 feature.
- Recent Context: The user reiterated the Chrome extension issue and requested enabling a feature.
- Working Code: No specific code snippets were discussed recently.
- Immediate Context: The user is seeking resolution for the Chrome extension and implementation of the GPT-5 feature.
- Recent Operations:
- Last Agent Commands:
- "@agent Enable: 'Enable GPT-5 for all clients'"
- "implement this."
- Tool Results Summary: No specific tool results were returned as the commands were requests.
- Pre-Summary State: The agent was addressing the user's requests regarding the Chrome extension and the GPT-5 feature.
- Operation Context: The commands were executed in response to the user's needs for troubleshooting and feature enablement.
- Continuation Plan:
- [Pending Task 1]: Resolve the Chrome extension issue with specific next steps to be determined.
- [Pending Task 2]: Enable the GPT-5 feature as requested by the user.
- [Priority Information]: Address the Chrome extension issue as it is currently non-functional.
- [Next Action]: Immediate next step is to troubleshoot the Chrome...
Created from VS Code via the GitHub Pull Request extension.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.