LibreChat/api
Dustin Healy 87341c67c0 fix(mcp): carry apps flag through the request resolver and canonicalize resource-read auth
resolveMCPAllowlists now returns appsEnabled from the merged tenant-scoped config, so a
tenant/role/user override of mcpSettings.apps reaches the registry's per-request resolution and
callTool attaches no UI resource for users whose tenant disabled apps.

Authorize app-driven resource reads in the canonical (fully percent-decoded) space the server
resolves and reject any relative path segment, so a percent-encoded traversal such as %2e%2e%2f can
no longer match an advertised template. Exact resources/list matches are unaffected.

Trim narrating comments across the MCP Apps changes so the code is self-documenting.
2026-06-29 00:52:58 -07:00
..
app 🖇️ feat: Reference Selected Chat Text with Multi-Quote Popup (#13868) 2026-06-21 08:33:11 -04:00
cache 🪂 feat: Graceful HTTP shutdown on SIGTERM/SIGINT (#13211) 2026-05-20 13:33:53 -04:00
config 🪵 refactor: Bound Log Traversal And Remove Legacy api/config Logger (#13813) 2026-06-17 12:31:32 -04:00
db ⚖️ feat: Add Operational Prometheus Metrics (#13265) 2026-05-22 20:47:41 -04:00
models 🗑️ chore: Remove Action Test Suite and Update Mock Implementations (#12268) 2026-03-21 14:28:55 -04:00
server fix(mcp): carry apps flag through the request resolver and canonicalize resource-read auth 2026-06-29 00:52:58 -07:00
strategies 🌐 fix: Centralize Outbound Proxy Handling (#13726) 2026-06-14 10:47:49 -04:00
test 🏷️ fix: Scope File Search entity_id to Agent Knowledge-Base Files Only (#13693) 2026-06-20 10:18:25 -04:00
utils 📖 feat: Add Claude Fable 5 Support (#13628) 2026-06-09 16:22:39 -04:00
jest.config.js fix(ci): add @modelcontextprotocol/ext-apps to jest transformIgnorePatterns and fix import sort 2026-06-23 15:46:38 -07:00
jsconfig.json
package.json 📦 chore: Bump @librechat/agents to v3.2.44 2026-06-21 08:39:10 -04:00
typedefs.js 🧬 chore: Align LibreChat With Agents LangChain Upgrade (#12922) 2026-05-03 12:46:01 -04:00