LibreChat/packages/api
Dustin Healy 2905c1563b fix(mcp): honor per-request apps flag in discovery and tighten app resource routing
Use the appsEnabled value resolved by resolveAllowlists in the tool-discovery connection path so
an OAuth/reinitialize fallback discovery does not advertise the UI extension for a user whose
effective config disabled apps.

Constrain simple URI-template expansions to exclude query delimiters so a value like q={q} cannot
match q=foo&admin=true and authorize an undeclared parameter on app resources/read.

Route app requests that carry a config-tier override through a request-scoped connection so iframe
reads and tool calls reach the overridden server instead of the cached base app connection.
2026-06-29 12:09:16 -07:00
..
src fix(mcp): honor per-request apps flag in discovery and tighten app resource routing 2026-06-29 12:09:16 -07:00
types
.gitignore
babel.config.cjs
jest.config.mjs fix(ci): add @modelcontextprotocol/ext-apps to jest transformIgnorePatterns and fix import sort 2026-06-23 15:46:38 -07:00
jest.setup.cjs
package.json fix(mcp): harden MCP Apps host security and CJS compatibility 2026-06-28 21:56:28 -07:00
tsconfig-paths-bootstrap.mjs
tsconfig.build.json
tsconfig.json
tsconfig.spec.json
tsdown.config.mjs