feat: expansion — MCP server, React lib, Action inline-prompt detection (+undici CVE)#36
Merged
Merged
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
New publishable package exposing 10 MCP tools wrapping @tokenometer/core (estimate_cost, estimate_cost_matrix, count_tokens_empirical, get_model_info, list_models, get_rates_version, estimate_vision_cost, budget_check, measure_latency, count_tokens_empirical_matrix). Stdio transport for Claude Desktop / Cursor / Zed; missing provider keys surface as structured key_missing errors instead of throwing. Joins the fixed group with tokenometer + @tokenometer/core so rate data stays version-aligned. Workflow detects unpublished version and publishes alongside the CLI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Initial release of @tokenometer/react@0.1.0 — drop-in React hooks and components for LLM cost dashboards. Hooks: useTokenCount, useTokenCountEmpirical, useCostMatrix, useBudget, useDebouncedTokenCount, useModelList, usePricing. Components: TokenCounter, ModelCostMatrix, BudgetMeter, CostBreakdown, ModelSelector, LiveTokenizer, PricingTable, VisionCostEstimator. Headless-first; opt-in styled wrappers via @tokenometer/react/styled (inline styles + CSS vars, no Tailwind leak). SSR / RSC compatible via "use client" banner. Peer deps: react >=18, react-dom >=18, @tokenometer/core >=1.0.1. Bundled with tsup (ESM + CJS + .d.ts). Tested with vitest + jsdom + @testing-library/react. Workspace-level vitest project so the jsdom env applies only to this package. The web playground gets a new /components route exercising every component as living docs and manual QA surface. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Extends the Action so that on a PR it scans changed source files
(default: src/**/*.{ts,tsx,js,jsx,py}) for inline LLM prompts and
appends a Code-Embedded Prompts section to the sticky comment with
per-prompt before/after tokens + USD delta.
Detection modes via the new code-detection input:
- off (default; backwards-compatible — existing users see no change)
- annotations: scan for // @tokenometer-prompt model=... markers
- sdk-regex: built-in patterns for OpenAI / Anthropic / Google /
Mistral / Cohere SDK call sites
- both
Non-literal prompts (variables, unbound template interpolation) are
skipped with a warning rather than false-flagged. Base/head matching
is location-primary via a stable matchId, with a Levenshtein-ratio
fallback within the same file.
New inputs: code-paths, code-detection, prompt-marker-comment,
comment-mode (single | split), top-n-prompts.
New outputs: code-cost-delta, total-cost-delta. The budget gate now
uses total-cost-delta so cost regressions in code-embedded prompts
fail the build. Existing cost-delta semantics are unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds .test.tsx to the root include glob and environmentMatchGlobs so packages/react/** runs with the jsdom environment. The new vitest.workspace.ts makes the per-package config authoritative, but the root config still serves as a sensible default for ad-hoc `npx vitest` invocations. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- packages/action/tests/fixtures/sdk-openai.ts: rephrase fixture prompt away from a topical-sounding term to keep test data neutral. - packages/mcp/src/server.test.ts: replace `delete process.env.X` with `Reflect.deleteProperty(process.env, 'X')` to satisfy Biome's performance/noDelete rule while still actually unsetting the key (assigning `undefined` would coerce to the string "undefined" and defeat the test). - packages/action/package.json: bump 1.0.2 -> 1.1.0 for the new code-detection capability shipped in this PR. - packages/action/dist/index.cjs: rebuilt bundle against current deps. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
faraa2m
force-pushed
the
feat/expansion-mcp-react-action
branch
from
4843bfa to
11d0972
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three new deliverables shipped together as a single PR for merge-commit history preservation.
1.
@tokenometer/mcp— Model Context Protocol server@tokenometer/coreso any MCP client (Claude Desktop, Cursor, Zed) can call tokenometer nativelyestimate_cost,estimate_cost_matrix,count_tokens_empirical,count_tokens_empirical_matrix,get_model_info,list_models,get_rates_version,estimate_vision_cost,budget_check,measure_latencykey_missingerror, tools still advertisedtokenometer+@tokenometer/coreso rate data ships in lockstep2.
@tokenometer/react@0.1.0— React component libraryuseTokenCount,useTokenCountEmpirical,useCostMatrix,useBudget,useDebouncedTokenCount,useModelList,usePricing<TokenCounter>,<ModelCostMatrix>,<BudgetMeter>,<CostBreakdown>,<ModelSelector>,<LiveTokenizer>,<PricingTable>,<VisionCostEstimator>@tokenometer/react/styledwrappers (inline styles + CSS vars, no Tailwind leak)"use client"banner; peer deps react >= 18, react-dom >= 18/componentsroute exercising every component3.
@tokenometer/action@1.1.0— Inline-prompt detectioncode-detectioninput:off(default, backwards-compat),annotations,sdk-regex,both// @tokenometer-prompt model=claude-opus-4-7above a string literalcode-cost-delta,total-cost-delta; budget gate uses totalcost-deltasemantics unchangedAlso includes
chore(action): patch undici CVE GHSA-vrm6-8vpv-qv8q + v9p9-hfj2-hcw8 (v1.0.2)(was on a separatesecurity/undici-cve-v1.0.2branch — folded in here per request)Test plan
npm run lint— clean (Biome)npm run typecheck— cleannpm test— 324/325 pass (1 e2e skipped: gated ondist/index.jsexisting)npm run build— all 7 packages emit dist.d.tsvia tsup with"use client"bannerecho '{"jsonrpc":"2.0","id":1,"method":"initialize"...}' | node packages/mcp/dist/index.js)claude_desktop_config.jsonand exerciseestimate_cost/list_models/budget_check@tokenometer/reacttarball into a freshcreate-next-appand Vite project; verify<TokenCounter>renders, no duplicate React warningscode-detection: both, verify Code-Embedded Prompts section renders correctlyNotes for reviewer
security/undici-cve-v1.0.2. If that PR is still open, this PR supersedes it.🤖 Generated with Claude Code