LibreChat/packages
Dustin Healy 2905c1563b fix(mcp): honor per-request apps flag in discovery and tighten app resource routing
Use the appsEnabled value resolved by resolveAllowlists in the tool-discovery connection path so
an OAuth/reinitialize fallback discovery does not advertise the UI extension for a user whose
effective config disabled apps.

Constrain simple URI-template expansions to exclude query delimiters so a value like q={q} cannot
match q=foo&admin=true and authorize an undeclared parameter on app resources/read.

Route app requests that carry a config-tier override through a request-scoped connection so iframe
reads and tool calls reach the overridden server instead of the cached base app connection.
2026-06-29 12:09:16 -07:00
..
api fix(mcp): honor per-request apps flag in discovery and tighten app resource routing 2026-06-29 12:09:16 -07:00
client 👐 a11y: Bump @ariakit/react, Improve a11y of Token Usage, Archived Chats, Reduce Table Layout Shifts (#13874) 2026-06-21 12:53:24 -04:00
data-provider fix(mcp): harden MCP Apps host security and CJS compatibility 2026-06-28 21:56:28 -07:00
data-schemas 🖇️ feat: Reference Selected Chat Text with Multi-Quote Popup (#13868) 2026-06-21 08:33:11 -04:00