npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

snapback-mcp-server

v2.0.1

Published

SnapBack MCP Server - Streamable HTTP transport for AI assistant integration

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

vybezcodetelvybezcodetel

Keywords

Readme

Security Features (P0 Fixes Implemented)

P0-1: Error Logging with Context - All errors logged with request ID and full context for debugging ✅ P0-4: API Key Validation - Strict validation of sb_live_* and sb_test_* prefixes, prevents injection ✅ P0-7: Path Injection Prevention - Validates workspace paths, blocks traversal attacks (../) ✅ P0-8: CORS Security - Multi-origin support, wildcard blocked in production ✅ P1-3: Request Size Limits - 10MB max payload, protects against DoS attacks

Test Coverage: 16/16 tests passing, 100% branch coverage on validation logic

What This Does

Wraps the CLI-based MCP server (packages/mcp) in an Express HTTP server that can be deployed to Fly.io or other cloud providers. This allows Claude Desktop, Cursor, and other AI tools to connect to SnapBack over HTTPS instead of requiring local installation.

Architecture

Claude Desktop / Cursor
        ↓ HTTPS
    Fly.io App
        ↓
    apps/mcp-server (Express)
        ↓ Stdio
    packages/mcp (CLI)
        ↓
    SnapBack Logic

Local Development

Build

pnpm build

Run

# Development
PORT=8080 NODE_ENV=development node dist/index.js

# With API key
SNAPBACK_API_KEY=sb_live_test_key PORT=8080 node dist/index.js

Test Health

curl http://localhost:8080/health

Test MCP Call

curl -X POST http://localhost:8080/mcp \
  -H "Content-Type: application/json" \
  -d '{
    "workspace": "/path/to/your/workspace",
    "apiKey": "sb_live_test_key",
    "args": {
      "method": "tools/list",
      "params": {}
    }
  }'

Deployment to Fly.io

Quick Deploy (Recommended)

From the monorepo root:

# Full deployment with pre-flight checks and verification
pnpm --filter=snapback-mcp-server deploy

# Dry run (validates without deploying)
pnpm --filter=snapback-mcp-server deploy:dry-run

The deploy script automatically:

  • ✅ Validates Fly CLI is installed and authenticated
  • ✅ Checks for uncommitted changes
  • ✅ Builds and validates the bundle
  • ✅ Deploys to Fly.io
  • ✅ Verifies health and /bridge/push endpoints after deployment

Alternative Deploy Methods

# Quick deploy (skips pre-flight checks)
pnpm --filter=snapback-mcp-server deploy:quick

# Force immediate deployment (no rolling update)
pnpm --filter=snapback-mcp-server deploy:force

# Check deployment status
pnpm --filter=snapback-mcp-server deploy:status

# View live logs
pnpm --filter=snapback-mcp-server deploy:logs

# View releases for rollback
pnpm --filter=snapback-mcp-server deploy:rollback

First-Time Setup

If deploying for the first time:

# 1. Login to Fly.io
fly auth login

# 2. Create the app (only once)
fly apps create snapback-mcp

# 3. Set secrets
fly secrets set SNAPBACK_API_KEY=sb_live_your_key -a snapback-mcp
fly secrets set CORS_ORIGIN=https://your-domain.com -a snapback-mcp

# 4. Deploy
pnpm --filter=snapback-mcp-server deploy

CI/CD Deployment

Automatic deployments are triggered on push to main when changes are detected in:

  • apps/mcp-server/**
  • packages/mcp/**, packages/core/**, packages/intelligence/**

Required GitHub Secret: FLY_API_TOKEN

Generate a token: fly tokens create deploy -x 999999h

Verify Deployment

# Health check
curl https://snapback-mcp.fly.dev/health

# Bridge endpoint test
curl -X POST https://snapback-mcp.fly.dev/bridge/push \
  -H "Content-Type: application/json" \
  -d '{"workspaceId":"ws_00000000000000000000000000000000","observations":[]}'

Expected responses:

{"status":"healthy","uptime":123.456,"timestamp":"2025-01-06T...","version":"2.0.0"}
{"received":true,"observationsCount":0,"changesCount":0}

Rollback

If something goes wrong:

# List recent releases
fly releases -a snapback-mcp

# Rollback to a previous version
fly releases rollback v123 -a snapback-mcp

Configuration

Environment Variables

| Variable | Default | Description | |----------|---------|-------------| | PORT | 8080 | Server port | | NODE_ENV | development | Environment (production/development) | | SNAPBACK_API_KEY | (required) | API key for authentication | | CORS_ORIGIN | * | Allowed CORS origins (comma-separated) | | LOG_LEVEL | info | Logging level |

Fly.io Secrets

Set via fly secrets set KEY=value:

fly secrets set SNAPBACK_API_KEY=sb_live_xxx
fly secrets set CORS_ORIGIN=https://your-app.com

View secrets:

fly secrets list

API Endpoints

GET /health

Health check endpoint.

Response:

{
  "status": "healthy",
  "uptime": 123.456,
  "timestamp": "2024-12-30T...",
  "version": "1.0.0"
}

POST /mcp

Main MCP endpoint - handles JSON-RPC requests.

Request:

{
  "workspace": "/path/to/workspace",
  "apiKey": "sb_live_xxx",
  "args": {
    "method": "tools/list",
    "params": {}
  }
}

Response: JSON-RPC response from MCP server

GET /tools

List available tools.

Response:

{
  "tools": [
    {
      "name": "snapback.analyze",
      "tier": "free",
      "description": "..."
    },
    ...
  ],
  "count": 11
}

Security

  • Authentication: Required apiKey parameter (validated against SNAPBACK_API_KEY)
  • HTTPS Only: Fly.io auto-configures HTTPS on port 443
  • CORS: Configurable via CORS_ORIGIN environment variable
  • Non-root user: Container runs as unprivileged user
  • Request timeouts: 30-second timeout on MCP calls
  • Rate limiting: Consider adding in production (not yet implemented)

Monitoring

Logs

fly logs

Metrics

# CPU/Memory usage
fly scale show

# App status
fly status

Scaling

Edit fly.toml:

[scaling]
min_count = 1
max_count = 5

Then deploy:

fly deploy

Troubleshooting

"Connection refused"

Ensure Fly.io app is running:

fly status

"Unauthorized"

Check that API key is set:

fly secrets list

Should show SNAPBACK_API_KEY.

"MCP server timeout"

Default timeout is 30 seconds. Check workspace size and API key validity.

Logs show errors

View detailed logs:

fly logs --follow

Integration with VS Code Extension

Quick Setup (2 steps)

  1. Get your API key from deployment output (look for sb_live_...)
  2. Configure VS Code settings:
{
  "snapback.mcp.enabled": true,
  "snapback.mcp.serverUrl": "https://snapback-mcp.fly.dev",
  "snapback.mcp.authType": "apikey"
}
  1. Store your API key securely using VS Code command palette:
    • Press Cmd+Shift+P / Ctrl+Shift+P
    • Run: SnapBack: Set MCP Auth Token (Secure)
    • Paste your API key: sb_live_...

Configuration Options

| Setting | Default | Description | |---------|---------|-------------| | snapback.mcp.enabled | true | Enable MCP integration | | snapback.mcp.serverUrl | https://mcp.snapback.dev | Remote MCP server URL | | snapback.mcp.authType | bearer | Authentication type (bearer or apikey) | | snapback.mcp.timeout | 5000 | Request timeout in milliseconds |

Programmatic Usage

The VS Code extension automatically uses RemoteMCPClient when serverUrl is configured:

const client = new RemoteMCPClient({
  serverUrl: 'https://snapback-mcp.fly.dev',
  apiKey: 'sb_live_...',
  authType: 'apikey',
  timeout: 5000,
  maxRetries: 3,
});

await client.connect();

See apps/vscode/src/services/RemoteMCPClient.ts for implementation details.

Health Check

Verify the server is accessible:

curl https://snapback-mcp.fly.dev/health

Expected response:

{"status":"healthy","uptime":123.45,"timestamp":"2025-12-31T...","version":"1.0.0"}

Cost

Fly.io free tier includes:

  • 3 shared-cpu-1x VMs (256MB each)
  • 160GB bandwidth/month

This MCP server easily fits within free tier for individual/small team use.

References