Use official Playwright MCP server in .vscode/mcp.json (#203)

[nnoce14]

Updates .vscode/mcp.json to use the official Playwright MCP server (@playwright/mcp@0.0.70) per https://playwright.dev/docs/getting-started-mcp. This enables local MCP clients to run Playwright MCP for agent-driven browser automation.\n\nNo application code changes.\n\nTesting steps:\n1. Start UI: pnpm --filter @apps/ui-community dev\n2. Start MCP server: npx @playwright/mcp@0.0.70 --port 8931\n3. Configure your MCP client to use http://localhost:8931/mcp or rely on .vscode/mcp.json\n\nCo-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

Summary by Sourcery

Integrate the official Playwright MCP server into the repo and CI, including shared MCP configuration and supporting scripts.

New Features:

• Add npm scripts and a committed MCP config to run the official Playwright MCP server for local development and agents.
• Introduce a Node utility to install the repo MCP config into the user’s Copilot config directory.
• Document Playwright MCP usage and workflows for developers and automation under .github/mcp.

Enhancements:

• Update the Copilot setup GitHub Actions workflow to cache Playwright binaries via pnpm lockfile, install MCP config, and start a Playwright MCP HTTP server during runs.
• Bump the pnpm version used in CI to 10.30.1.
• Configure VS Code MCP settings to point to the official Playwright MCP server.
• Increase the Node.js heap size limit for SonarScanner to avoid out-of-memory failures in CI.
• Pin Playwright as a dev dependency and override axios to a newer version for the workspace.

CI:

• Adjust Playwright cache key to use pnpm-lock.yaml and add steps to bootstrap and validate a running Playwright MCP server in the Copilot setup workflow.

Documentation:

• Add README guidance explaining how to run and integrate the Playwright MCP server for local development and CI.

[sourcery-ai]

Reviewer's Guide

Integrates the official Playwright MCP server for both local development and CI by adding MCP npm scripts and config, wiring it into the Copilot setup workflow, documenting usage, bumping pnpm and Playwright tooling, increasing SonarScanner Node memory, and updating axios via overrides.

Sequence diagram for CI workflow starting and validating Playwright MCP server

sequenceDiagram
  participant CI as GitHub_Actions_workflow
  participant Pnpm as pnpm_CLI
  participant Installer as install-config_js
  participant FS as Filesystem
  participant MCP as Playwright_MCP_server
  participant Net as Network_checks_curl_ss

  CI->>Pnpm: run mcp:install-config -- --force
  Pnpm->>Installer: node .github/mcp/install-config.js --force
  Installer->>FS: check exists .copilot/mcp-config.json
  FS-->>Installer: exists
  Installer->>FS: ensure ~/.copilot directory
  Installer->>FS: optional backup existing mcp-config.json (skipped with --force)
  Installer->>FS: copy repo config to ~/.copilot/mcp-config.json
  Installer-->>CI: exit 0

  CI->>Pnpm: run mcp:start (background)
  Pnpm->>MCP: start @playwright/mcp@0.0.70 --port 8931 --headless
  MCP-->>CI: listening on :8931

  CI->>Net: poll port 8931 using ss up to 30s
  Net-->>CI: port open

  CI->>Net: optional curl http://localhost:8931/
  Net-->>CI: success or fallback to port check

  CI-->>CI: proceed to tests and SonarCloud analysis

Loading

Class diagram for install-config.js MCP config installer

classDiagram
  class InstallConfigScript {
    - boolean force
    - string source
    + printUsage()
    + exists(path)
    + main()
  }

  class FsPromises {
    + access(path)
    + mkdir(path, options)
    + copyFile(src, dest)
  }

  class PathModule {
    + resolve(cwd, target)
    + join(base, segment)
  }

  class OsModule {
    + homedir()
  }

  class ProcessObject {
    + argv
    + exit(code)
  }

  InstallConfigScript --> FsPromises : uses
  InstallConfigScript --> PathModule : uses
  InstallConfigScript --> OsModule : uses
  InstallConfigScript --> ProcessObject : uses

  class McpConfigFiles {
    + string repoConfigPath
    + string userConfigDir
    + string userConfigPath
    + string backupPath
  }

  InstallConfigScript --> McpConfigFiles : reads_writes

Loading

File-Level Changes

Change	Details	Files
Add Playwright MCP scripts and configuration for local and editor/stdio usage.	Introduce npm scripts to start the Playwright MCP server over HTTP via pnpm dlx with fixed port and flags. Add npm scripts to start Playwright MCP under alias and via stdio for editor integration. Wire a Node.js script to install the repo MCP config into the user Copilot config directory, handling backups and force overwrites. Commit a shared .copilot/mcp-config.json and .vscode/mcp.json so local MCP clients and Copilot can use the Playwright MCP server by default.	package.json .github/mcp/install-config.js .copilot/mcp-config.json .vscode/mcp.json pnpm-lock.yaml
Integrate Playwright MCP into CI via the Copilot setup workflow.	Install the repo MCP config on CI runners via the new mcp:install-config script. Start the Playwright MCP HTTP server in the background using the new npm script, with logging and port-wait loop. Add a separate readiness check step using curl and socket inspection, failing fast with log tail if MCP never becomes ready.	.github/workflows/copilot-setup-steps.yml
Document Playwright MCP usage for developers and automation.	Add README under .github/mcp describing how to install MCP config, start Playwright MCP, run the dev stack, and optionally verify via a login script. Provide guidance for CI/automation and recommendations around HTTP vs stdio usage and avoiding implicit user config overwrites.	.github/mcp/README.md
Update supporting tooling and limits for CI stability and performance.	Bump pnpm-action version used in Copilot setup workflow to 10.30.1. Change the Playwright cache key to hash pnpm-lock.yaml instead of package-lock.json for more accurate caching with pnpm. Add Playwright as a devDependency and pin axios to a newer version via package.json overrides. Increase SonarScanner Node.js heap size to 4096 MB to avoid out-of-memory failures during analysis.	.github/workflows/copilot-setup-steps.yml package.json sonar-project.properties pnpm-lock.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[nnoce14]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The MCP scripts use npx @playwright/mcp@latest while playwright is pinned to 1.59.0; consider aligning these versions or documenting the rationale to avoid subtle incompatibilities over time.
• The mcp:playwright:start script allows all hosts and origins (--allowed-hosts='*' --allowed-origins='*'); if this is intended only for local development, consider tightening these or clearly scoping them to dev-only usage to reduce accidental exposure.
• The new MCP-related scripts and config (under .github/mcp and .copilot) are wired from the root package.json; if MCP usage is only relevant for a subset of packages, consider localizing these scripts/configs to that workspace to keep the root tooling surface minimal.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The MCP scripts use `npx @playwright/mcp@latest` while `playwright` is pinned to `1.59.0`; consider aligning these versions or documenting the rationale to avoid subtle incompatibilities over time.
- The `mcp:playwright:start` script allows all hosts and origins (`--allowed-hosts='*' --allowed-origins='*'`); if this is intended only for local development, consider tightening these or clearly scoping them to dev-only usage to reduce accidental exposure.
- The new MCP-related scripts and config (under `.github/mcp` and `.copilot`) are wired from the root `package.json`; if MCP usage is only relevant for a subset of packages, consider localizing these scripts/configs to that workspace to keep the root tooling surface minimal.

## Individual Comments

### Comment 1
<location path="package.json" line_range="21" />
<code_context>
     "proxy:start": "portless proxy start -p 1355 --https",
+    "mcp:playwright:start": "npx @playwright/mcp@latest --port 8931 --headless --ignore-https-errors --allowed-hosts='*' --allowed-origins='*'",
+    "mcp:playwright:stdio": "npx @playwright/mcp@latest",
+    "mcp:install-config": "mkdir -p ~/.copilot && cp ./.copilot/mcp-config.json ~/.copilot/mcp-config.json",
     "format": "turbo run format",
     "gen": "graphql-codegen --config codegen.yml",
</code_context>
<issue_to_address>
**issue (bug_risk):** The `mcp:install-config` script is not cross-platform and may overwrite existing local config without warning.

This script relies on `mkdir -p`, `cp`, and `~`, so it will fail on Windows and non-POSIX shells. It also overwrites `~/.copilot/mcp-config.json` on every run, clobbering any local changes. If this is intended for general contributor use, consider a portable implementation (e.g., a small Node script) and add logic to preserve or back up an existing config instead of blindly overwriting it.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[nnoce14]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• The workflows and package.json scripts use @playwright/mcp@latest; consider pinning a specific version to avoid unexpected CI or local failures when a breaking release ships.
• In .github/mcp/install-config.js you're mixing fs/promises with synchronous fs calls; consolidating on the async API (e.g., fs.access instead of existsSync) would keep the script consistent and easier to reason about.
• The "Wait for MCP readiness" step in copilot-setup-steps.yml exits successfully even if the MCP never becomes reachable; consider failing the job explicitly when the loop times out so downstream steps don't run against an unavailable server.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The workflows and package.json scripts use `@playwright/mcp@latest`; consider pinning a specific version to avoid unexpected CI or local failures when a breaking release ships.
- In `.github/mcp/install-config.js` you're mixing `fs/promises` with synchronous `fs` calls; consolidating on the async API (e.g., `fs.access` instead of `existsSync`) would keep the script consistent and easier to reason about.
- The "Wait for MCP readiness" step in `copilot-setup-steps.yml` exits successfully even if the MCP never becomes reachable; consider failing the job explicitly when the loop times out so downstream steps don't run against an unavailable server.

## Individual Comments

### Comment 1
<location path=".github/workflows/copilot-setup-steps.yml" line_range="96-103" />
<code_context>
+        env:
+          PLAYWRIGHT_BROWSERS_PATH: /home/runner/.cache/ms-playwright
+
+      - name: Wait for MCP readiness
+        run: |
+          for i in $(seq 1 30); do
+            if curl -sS http://localhost:8931/ >/dev/null 2>&1 || ss -ltn | grep -q ':8931'; then
+              echo "Playwright MCP seems ready"
+              break
+            fi
+            sleep 1
+          done
+
</code_context>
<issue_to_address>
**issue (bug_risk):** Consider failing the job if MCP never becomes ready instead of silently continuing.

Right now the loop exits successfully even if MCP never starts listening, so later steps may run against an unavailable service. Consider exiting with a non‑zero status after the loop when readiness is not detected so this failure is surfaced immediately.
</issue_to_address>

### Comment 2
<location path=".github/mcp/install-config.js" line_range="21-22" />
<code_context>
+  const a = argv[i];
+  if (a === '--force' || a === '-f') {
+    force = true;
+  } else if (a === '--source' || a === '-s') {
+    source = argv[i + 1];
+    i++;
+  } else if (a === '--help' || a === '-h') {
</code_context>
<issue_to_address>
**issue:** Validate that `--source` is followed by a value to avoid unexpected behavior.

If `--source`/`-s` is last or the next arg is another flag, `argv[i + 1]` will be `undefined` and `path.resolve(process.cwd(), source)` will fall back to the cwd instead of a user-specified path. Please guard against this by ensuring `argv[i + 1]` exists and isn’t another flag (starts with `-`), and exit with an error if the value is missing.
</issue_to_address>

### Comment 3
<location path="package.json" line_range="19" />
<code_context>
     "start": "turbo run build && concurrently --kill-others-on-fail \"pnpm run start:api\" \"pnpm run start:ui-community\"",
     "proxy:stop": "portless proxy stop || true",
     "proxy:start": "portless proxy start -p 1355 --https",
+    "mcp:playwright:start": "npx @playwright/mcp@latest --port 8931 --headless --ignore-https-errors --allowed-hosts='*' --allowed-origins='*'",
+    "mcp:playwright:stdio": "npx @playwright/mcp@latest",
+    "mcp:install-config": "node .github/mcp/install-config.js",
</code_context>
<issue_to_address>
**🚨 question (security):** Revisit `--allowed-hosts='*'` and `--allowed-origins='*'` to ensure the MCP exposure surface is intentional.

Using fully wildcarded hosts and origins is convenient but expands the attack surface if this port is ever exposed beyond a trusted local context (e.g., shared dev machines or forwarded ports). If this is intended for local use only, consider narrowing to localhost/specific origins or add a brief note explaining why `*` is acceptable here.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[nnoce14]

@sourcery-ai review

[SourceryAI]

Hey - I've left some high level feedback:

• The GitHub Actions step that starts the Playwright MCP server duplicates the pnpm dlx @playwright/mcp@0.0.70 ... command already defined in the mcp:playwright:start script; consider calling the npm script from the workflow so the command stays in sync in one place.
• In the Wait for MCP readiness step, the error branch echoes 'MCP log (last 200 lines):' but still uses sed -n '1,200p' mcp.log; update this to tail the file or use the correct sed range so the message matches the behavior.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The GitHub Actions step that starts the Playwright MCP server duplicates the `pnpm dlx @playwright/mcp@0.0.70 ...` command already defined in the `mcp:playwright:start` script; consider calling the npm script from the workflow so the command stays in sync in one place.
- In the `Wait for MCP readiness` step, the error branch echoes 'MCP log (last 200 lines):' but still uses `sed -n '1,200p' mcp.log`; update this to tail the file or use the correct sed range so the message matches the behavior.

---

Hi @nnoce14! 👋

Thanks for trying out Sourcery by commenting with @sourcery-ai review! 🚀

Install the sourcery-ai bot to get automatic code reviews on every pull request ✨

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The Playwright MCP invocation flags and version (@playwright/mcp@0.0.70, port 8931, headless, allowed-hosts/origins) are duplicated across the GitHub workflow and the package.json scripts; consider centralizing this via a single npm script (and possibly a shared config/constant) so future updates don’t drift between CI and local tooling.
• The MCP config installer (.github/mcp/install-config.js) currently exits on any unknown CLI flag, which can make it brittle when invoked from wrappers; consider either ignoring unknown flags or printing a more permissive help message that allows passthrough arguments to avoid accidental failures.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The Playwright MCP invocation flags and version (`@playwright/mcp@0.0.70`, port 8931, headless, allowed-hosts/origins) are duplicated across the GitHub workflow and the `package.json` scripts; consider centralizing this via a single npm script (and possibly a shared config/constant) so future updates don’t drift between CI and local tooling.
- The MCP config installer (`.github/mcp/install-config.js`) currently exits on any unknown CLI flag, which can make it brittle when invoked from wrappers; consider either ignoring unknown flags or printing a more permissive help message that allows passthrough arguments to avoid accidental failures.

## Individual Comments

### Comment 1
<location path=".github/workflows/copilot-setup-steps.yml" line_range="109-92" />
<code_context>
+          done
+          if [ "$ready" -ne 1 ]; then
+            echo "Playwright MCP did not become ready after 30s"
+            echo "MCP log (last 200 lines):"
+            sed -n '1,200p' mcp.log || true
+            exit 1
+          fi
</code_context>
<issue_to_address>
**nitpick (bug_risk):** The log message says "last 200 lines" but the command prints the first 200 lines.

Here you print `"MCP log (last 200 lines):"` but use `sed -n '1,200p' mcp.log`, which prints the first 200 lines. If you want the tail (which is usually more helpful on failure), use `tail -n 200 mcp.log || true` or update the `sed` range/message so they match.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[nnoce14]

@sourcery-ai review

[sourcery-ai]

Hey - I've left some high level feedback:

• The MCP scripts hardcode @playwright/mcp@0.0.70 while the PR description and expected usage reference @playwright/mcp@latest; consider centralizing this version (e.g., via an npm alias or a single env/config value) to avoid drift between scripts, docs, and .vscode/mcp.json.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The MCP scripts hardcode `@playwright/mcp@0.0.70` while the PR description and expected usage reference `@playwright/mcp@latest`; consider centralizing this version (e.g., via an npm alias or a single env/config value) to avoid drift between scripts, docs, and `.vscode/mcp.json`.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}