Fix dev apps form: union types, textarea support, JSON parsing#3597
Fix dev apps form: union types, textarea support, JSON parsing#3597
Conversation
marvin-context-protocol
Bot
added
bug
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0cd95719b6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if stripped and stripped[0] in ("{", "["): | ||
| try: | ||
| parsed = json.loads(stripped) | ||
| if isinstance(parsed, (dict, list)): | ||
| v = parsed |
There was a problem hiding this comment.
str
/api/launch now parses every value that starts with { or [ into a dict/list without consulting the tool's inputSchema. That breaks any dev-app tool that intentionally accepts raw JSON text as a string (for example, passthrough request bodies, templates, or a str | dict union using the string arm), because entering {"k":1} now changes the argument type before the tool is called.
Useful? React with 👍 / 👎.
| if candidate in types: | ||
| json_type = candidate | ||
| break |
There was a problem hiding this comment.
When an anyOf/oneOf schema has several non-null branches, this loop picks a single preferred type and throws the rest away. _model_from_schema() then gives Form.from_model() a one-type field, so unions like int | str | None or bool | str | None now render as number/checkbox controls and the string branch is no longer enterable from fastmcp dev apps.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1d20fc5221
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| raw_json_args = data.pop("_json_args", None) | ||
| if raw_json_args is not None: | ||
| tool_args = json.loads(raw_json_args) if raw_json_args.strip() else {} |
There was a problem hiding this comment.
_json_args as an implicit tool parameter
Any UI tool that legitimately exposes a parameter named _json_args now breaks in form mode. api_launch() always pops that key and switches into the JSON-tab path, so the real argument is stripped and the rest of the submitted form is ignored. FastMCP already supports leading-underscore tool parameters elsewhere, so this introduces a new reserved-name regression for existing tools.
Useful? React with 👍 / 👎.
| if raw_json_args is not None: | ||
| tool_args = json.loads(raw_json_args) if raw_json_args.strip() else {} |
There was a problem hiding this comment.
The new JSON tab assumes _json_args is a JSON object and lets json.loads() failures propagate. A malformed payload like {"x":,} now turns /api/launch into a 500, and valid non-object JSON such as [] or "x" is forwarded into client.callTool(..., arguments: toolArgs) even though MCP tool arguments are object-shaped. Because this tab is the escape hatch for complex inputs, normal editing mistakes now fail as server errors instead of a user-facing validation error.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e363dc2ab0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| types = [t.get("type") for t in non_null if "type" in t] | ||
| # Prefer object/array (need textarea for JSON editing), | ||
| # then string (most versatile text input), then scalars. | ||
| for candidate in ( |
There was a problem hiding this comment.
Textarea params
When a tool argument is declared as Textarea | None = None, FastMCP emits an anyOf where the string branch carries "format": "textarea". This branch-flattening keeps only the branch type, and the later textarea check only inspects prop["format"], so _model_from_schema() rebuilds the field as a plain str without the multiline UI hint. In fastmcp dev apps, the new fastmcp.types.Textarea helper therefore stops working for the common optional/defaulted case and falls back to a single-line input.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 106b08e654
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if stripped and stripped[0] in ("{", "["): | ||
| try: | ||
| parsed = json.loads(stripped) | ||
| if isinstance(parsed, (dict, list)): | ||
| v = parsed | ||
| except (json.JSONDecodeError, TypeError): | ||
| pass |
There was a problem hiding this comment.
For parameters whose schema resolves to object or array, _model_from_schema() now intentionally renders them as textareas and relies on api_launch() to turn the submitted string back into a structured value. In form mode, though, this block silently swallows json.loads() failures and leaves the raw string in place, so inputs like {foo: 1} still launch the app with a str where the tool schema requires a dict/list. That makes the new form support for complex arguments fail at invocation time instead of surfacing a validation error to the user.
Useful? React with 👍 / 👎.
Co-authored-by: Claude Opus 4.6 <[email protected]> Co-authored-by: Jeremiah Lowin <[email protected]> Co-authored-by: Marvin Context Protocol <41898282+Marvin Context [email protected]> Co-authored-by: voidborne-d <[email protected]> Co-authored-by: marvin-context-protocol[bot] <225465937+marvin-context-protocol[bot]@users.noreply.github.com> Co-authored-by: Claude <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: d 🔹 <[email protected]> Co-authored-by: Jeremiah Lowin <[email protected]> Co-authored-by: nightcityblade <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Claude Sonnet 4.6 <[email protected]> Co-authored-by: Bill Easton <[email protected]> Co-authored-by: Sumanshu Nankana <[email protected]> Co-authored-by: Eric Robinson <[email protected]> Co-authored-by: Martim Santos <[email protected]> Co-authored-by: d 🔹 <[email protected]> Co-authored-by: Matthieu B <[email protected]> Co-authored-by: Sascha Buehrle <[email protected]> Co-authored-by: Hakancan <[email protected]> Co-authored-by: nightcityblade <[email protected]> Co-authored-by: Matt Hallowell <[email protected]> Co-authored-by: nate nowack <[email protected]> Co-authored-by: Bill Easton <[email protected]> Co-authored-by: Marcus Shu <[email protected]> Co-authored-by: Rushabh Doshi <[email protected]> Co-authored-by: AIKAWA Shigechika <[email protected]> Co-authored-by: Jeremy Simon <[email protected]> Co-authored-by: Miguel Miranda Dias <[email protected]> Co-authored-by: Anthony James Padavano <[email protected]> Co-authored-by: Mostafa Kamal <[email protected]> Fix auto-close MRE script posting comment without closing (#3386) Fix WorkOS token scope verification bypass 🤖 Generated with Codex (#3407) Fix initialize McpError fallthrough 🤖 Generated with Codex (#3413) Fix transform arg collisions with passthrough params (#3431) Fix get_* returning None when latest version is disabled (#3439) Fix get_* returning None when latest version is disabled (#3421) Fix server lifespan overlap teardown (#3415) Fix $ref output schema object detection regression (#3420) resolved annotations (#3429) Fix async partial callables rejected by iscoroutinefunction (#3438) Fix async partial callables rejected by iscoroutinefunction (#3423) fix: add version to components (#3458) fix: use intent-based flag for OIDC scope patch in load_access_token (#3465) Fixes #3461 fix: normalize Google scope shorthands and surface valid_scopes (#3477) fix: resolve ty 0.0.23 type-checking errors and bump pin (#3481) fix: shield lifespan teardown from cancellation (#3480) fix: forward custom_route endpoints from mounted servers (#3462) fix updates _get_additional_http_routes() to traverse providers, Fixes #3457 fix: remove hardcoded version from CLI help text (#3456) fix: monty 0.0.8 compatibility, drop external_functions from constructor (#3468) fix: task test teardown hanging 5s per test (#3499) Closes #3498 fix: validate workspace path is a directory before cursor install (#3440) Fixes #3426 fix: handle re.error from malformed URI templates in build_regex (#3501) fix: reject empty/OIDC-only required_scopes in AzureProvider (#3503) fix: restrict $ref resolution to local refs only (SSRF/LFI) (#3502) fix warnings and timeouts (#3504) close upgrade check issue when build passes (#3505) Closes #3484 fix: URL-encode path params to prevent SSRF/path traversal (GHSA-vv7q-7jx5-f767) (#3507) fix: prevent path traversal in skill download (#3493) fix: prefer IdP-granted scopes over client-requested scopes in OAuthProxy (#3492) fix: remove unrelated transform and http.py changes from PR scope fix: remove forced follow_redirects from httpx_client_factory calls (#3496) fix: stop passing follow_redirects to httpx_client_factory fix: restore follow_redirects=True for custom httpx client factories Closes #3509 fix: CSRF double-submit cookie check in consent flow (#3519) fix: validate server names in install commands (#3522) fix: use raw strings for regex in pytest.raises match (#3523) fix: reject refresh tokens used as Bearer access tokens (#3524) fix: route ResourcesAsTools/PromptsAsTools through server middleware (#3495) fix: resolve Pyright "Module is not callable" on @tool, @resource, @prompt decorators (#3540) fix: filter warnings by message in KEY_PREFIX test (#3549) fix: suppress output schema for ToolResult subclass annotations (#3548) fix: increase sleep duration in proxy cache tests (#3567) fix: store absolute token expiry to prevent stale expires_in on reload (#3572) fix: preserve tool properties named 'title' during schema compression (#3582) Fix loopback redirect URI port matching per RFC 8252 §7.3 (#3589) Fix app tool routing: visibility check and middleware propagation (#3591) Fix query parameter serialization to respect OpenAPI explode/style settings (#3595) Fix dev apps form: union types, textarea support, JSON parsing (#3597) fix(google): replace deprecated /oauth2/v1/tokeninfo with /oauth2/v3/userinfo (#3603) fix: resolve EntraOBOToken dependency injection through MultiAuth (#3609) fix(docs): correct misleading stateless_http header (#3622) fix: filesystem provider import machinery (#3626) Closes #3625 (issues 2, 3, 6) fix: recover StdioTransport after subprocess exits (#3630) fix(server): preserve mounted tool task metadata (#3632) fix: scope deprecation warning filter to FastMCPDeprecationWarning (#3649) fix imports, add PrefabAppConfig (#3650) fix: resolve CurrentFastMCP/ctx.fastmcp to child server in mounted background tasks (#3651) Fix blocking docs issues: chart imports, Select API, Rx consistency (#3652) closed by default (#3657) Fix prompt caching middleware missing wrap/unwrap round-trip (#3666) fix: serialize object query params per OpenAPI style/explode rules (#3662) Fixes #2857 fix: HTTP request headers not accessible in background task workers (#3631) fix: restore HTTP headers in worker execution path for background tasks (#3681) fix: strip discriminator after dereferencing schemas (#3682) fix: remove stale ty:ignore directives for ty 0.0.26 (#3684) Fix docs gaps in app provider pages (#3690) fix: dev apps log panel UX improvements (#3698) fix dev server empty string args (#3700)
1 participant
The
fastmcp dev appspicker form had several issues that made it hard to work with tools that accept multiline strings, union-typed parameters, or complex arguments.Union types fell back to plain string inputs. Parameters like
data: str | dict[str, Any] | Noneproduce ananyOfschema with no top-leveltype._model_from_schemawas doingprop.get("type", "string")which silently defaulted everything tostr. Now it resolvesanyOf/oneOfschemas by picking the most specific non-null type —object/arraytypes get textarea rendering for JSON editing, andstringis preferred over scalars soint | strunions still get a usable text input.The
json_schema_extratextarea check was broken. Pydantic mergesjson_schema_extraflat into the property schema, so{"ui": {"type": "textarea"}}appears atprop["ui"], not nested underprop["json_schema_extra"].Form values were always strings.
api_launchnow tries to parse string values that look like JSON objects/arrays so dict/list arguments arrive as their intended types.This PR also introduces
fastmcp.types.Textarea— a type alias for annotating tool parameters that should render as multiline inputs:Picker UI improvements: