From cc45641d7e7f45051e9a555c1dfee2e1afb0f7cb Mon Sep 17 00:00:00 2001 From: Dustin Healy <54083382+dustinhealy@users.noreply.github.com> Date: Tue, 23 Jun 2026 20:27:30 -0700 Subject: [PATCH] =?UTF-8?q?fix(mcp):=20address=20Codex=20P1/P2=20findings?= =?UTF-8?q?=20=E2=80=94=20visibility=20filter,=20header=20clobber,=20base?= =?UTF-8?q?=20path,=20inline=20text?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit App-only tools (visibility: ['app']) were not filtered in MCPServerInspector.getToolFunctions, so initializeMCPs → getAppToolFunctions → mergeAppTools was silently exposing them to the LLM tool cache at startup, bypassing the filter that updateMCPServerTools correctly applies. Applied the same visibility guard that updateMCPServerTools uses. appToolCall was calling processMCPEnv without customUserVars for DB-sourced servers, then setRequestHeaders — overwriting the connection's already-correctly-resolved headers with unresolved {{MCP_API_KEY}} placeholders. Skipped the re-resolve for DB-sourced servers since the connection carries valid headers from the original callTool setup. callMCPAppTool and readMCPResource used hardcoded /api/... paths without the apiBaseUrl() prefix; subdirectory deployments would miss those routes. apiBaseUrl was already imported for getMCPSandboxUrl — extended it to both API calls for consistency. MCPAppCard (carousel) and MCPAppView (ToolCall) both checked toolName && serverName first when deciding to use the app bridge, but parsers.ts now sets those fields on all UIResources including inline ui:// resources with text content. Resources with text were therefore silently routed through the app bridge instead of being rendered directly as srcDoc iframes. Added !resource.text / !app.text guard so inline HTML resources take the correct path. --- .../Chat/Messages/Content/ToolCall.tsx | 13 ++++++++++++ .../Messages/Content/UIResourceCarousel.tsx | 2 +- client/src/utils/mcpApps.ts | 4 ++-- packages/api/src/mcp/MCPManager.ts | 21 ++++++++++++------- .../src/mcp/registry/MCPServerInspector.ts | 11 ++++++++++ 5 files changed, 40 insertions(+), 11 deletions(-) diff --git a/client/src/components/Chat/Messages/Content/ToolCall.tsx b/client/src/components/Chat/Messages/Content/ToolCall.tsx index f8e83978aa..3325a34b05 100644 --- a/client/src/components/Chat/Messages/Content/ToolCall.tsx +++ b/client/src/components/Chat/Messages/Content/ToolCall.tsx @@ -70,6 +70,19 @@ const MCPAppView = React.memo(function MCPAppView({ useAppBridge(iframeRef, app, toolArgs, toolResult, handleSizeChanged); + if (app.text && (app.mimeType ?? 'text/html').includes('html')) { + return ( +
+