fix(deps): update dependency zod to v4

packages/mcp-server/README.md

@@ -90,7 +90,7 @@ Use the standard MCP configuration with:
 - **Natural Language**: Describe diagrams in plain text - flowcharts, architecture diagrams, etc.
 - **Edit Support**: Modify existing diagrams with natural language instructions
 - **Export**: Save diagrams as `.drawio` files
-- **Self-contained**: Embedded server, works offline (except draw.io UI which loads from `embed.diagrams.net` by default, configurable via `DRAWIO_BASE_URL`)
+- **Self-contained**: Embedded server, works offline (except draw.io UI which loads from embed.diagrams.net)
 
 ## Available Tools
 
@@ -130,33 +130,6 @@ Use the standard MCP configuration with:
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `PORT` | `6002` | Port for the embedded HTTP server |
-| `DRAWIO_BASE_URL` | `https://embed.diagrams.net` | Base URL for the draw.io embed. Set this to use a self-hosted draw.io instance for private deployments. |
-
-### Private Deployment (Self-hosted draw.io)
-
-For security-sensitive environments that require private deployment of draw.io:
-
-```json
-{
-  "mcpServers": {
-    "drawio": {
-      "command": "npx",
-      "args": ["@next-ai-drawio/mcp-server@latest"],
-      "env": { 
-        "DRAWIO_BASE_URL": "https://drawio.your-company.com"
-      }
-    }
-  }
-}
-```
-
-You can deploy your own draw.io instance using the official Docker image:
-
-```bash
-docker run -d -p 8080:8080 jgraph/drawio
-```
-
-Then set `DRAWIO_BASE_URL=http://localhost:8080` (or your server's URL).
 
 ## Troubleshooting
 

packages/mcp-server/package-lock.json

@@ -1,18 +1,18 @@
 {
     "name": "@next-ai-drawio/mcp-server",
-    "version": "0.1.6",
+    "version": "0.1.11",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@next-ai-drawio/mcp-server",
-            "version": "0.1.6",
+            "version": "0.1.11",
             "license": "Apache-2.0",
             "dependencies": {
                 "@modelcontextprotocol/sdk": "^1.0.4",
                 "linkedom": "^0.18.0",
                 "open": "^11.0.0",
-                "zod": "^3.24.0"
+                "zod": "^4.0.0"
             },
             "bin": {
                 "next-ai-drawio-mcp": "dist/index.js"
@@ -2051,9 +2051,9 @@
             }
         },
         "node_modules/zod": {
-            "version": "3.25.76",
-            "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz",
-            "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==",
+            "version": "4.3.4",
+            "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.4.tgz",
+            "integrity": "sha512-Zw/uYiiyF6pUT1qmKbZziChgNPRu+ZRneAsMUDU6IwmXdWt5JwcUfy2bvLOCUtz5UniaN/Zx5aFttZYbYc7O/A==",
             "license": "MIT",
             "peer": true,
             "funding": {

packages/mcp-server/package.json

@@ -39,7 +39,7 @@
         "@modelcontextprotocol/sdk": "^1.0.4",
         "linkedom": "^0.18.0",
         "open": "^11.0.0",
-        "zod": "^3.24.0"
+        "zod": "^4.0.0"
     },
     "devDependencies": {
         "@types/node": "^24.0.0",

packages/mcp-server/src/http-server.ts

@@ -13,28 +13,6 @@ import {
 } from "./history.js"
 import { log } from "./logger.js"
 
-// Configurable draw.io embed URL for private deployments
-const DRAWIO_BASE_URL =
-    process.env.DRAWIO_BASE_URL || "https://embed.diagrams.net"
-
-// Extract origin (scheme + host + port) from URL for postMessage security check
-function getOrigin(url: string): string {
-    try {
-        const parsed = new URL(url)
-        return `${parsed.protocol}//${parsed.host}`
-    } catch {
-        return url // Fallback if parsing fails
-    }
-}
-
-const DRAWIO_ORIGIN = getOrigin(DRAWIO_BASE_URL)
-
-// Normalize URL for iframe src - ensure no double slashes
-function normalizeUrl(url: string): string {
-    // Remove trailing slash to avoid double slashes
-    return url.replace(/\/$/, '')
-}
-
 interface SessionState {
     xml: string
     version: number
@@ -425,7 +403,7 @@ function getHtmlPage(sessionId: string): string {
             </div>
             <div id="status" class="status disconnected">Connecting...</div>
         </div>
-        <iframe id="drawio" src="${normalizeUrl(DRAWIO_BASE_URL)}/?embed=1&proto=json&spin=1&libraries=1"></iframe>
+        <iframe id="drawio" src="https://embed.diagrams.net/?embed=1&proto=json&spin=1&libraries=1"></iframe>
     </div>
     <button id="history-btn" title="History" ${sessionId ? "" : "disabled"}>
         <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -455,7 +433,7 @@ function getHtmlPage(sessionId: string): string {
         let pendingAiSvg = false;
 
         window.addEventListener('message', (e) => {
-            if (e.origin !== '${DRAWIO_ORIGIN}') return;
+            if (e.origin !== 'https://embed.diagrams.net') return;
             try {
                 const msg = JSON.parse(e.data);
                 if (msg.event === 'init') {