LibreChat/packages/api
Dustin Healy 3816864392 fix(mcp): address Codex P1/P2 findings — CSP, permissions, toolArgs propagation
Six findings from the Codex review pass on ac2812ba2:

Apply restrictive default CSP when _meta.ui.csp is omitted: buildCspMeta
now uses an empty object fallback so sandboxed apps without explicit CSP
declarations still get default-src 'none' / connect-src 'none' rather than
running with no Content-Security-Policy at all.

Add media-src to buildCspPolicy: resourceDomains now covers audio and video
loads; omitting it previously caused default-src 'none' to block media even
when the server declared approved CDN domains.

Propagate toolArgs through UIResource so inline \ui{} marker renders call
sendToolInput: callTool passes toolArguments into formatToolContent metadata,
parsers stores it on both explicit and synthetic UIResources, and MCPUIResource
and MCPAppCard now forward it to useAppBridge instead of always passing
undefined.

Update outer iframe allow attribute with resolved permissions from
resources/read: the sandboxready handler now re-applies buildAllowAttribute
with the fetched permissions before sendSandboxResourceReady, so
camera/mic/geo permissions declared only in _meta.ui are not blocked at
the browser permission-policy boundary.

Guard appToolCall against Graph API token placeholder servers: uses
mcpOptionsContainGraphTokenPlaceholder to detect unresolvable
{{LIBRECHAT_GRAPH_ACCESS_TOKEN}} placeholders and throws InvalidRequest
with a clear message, matching the existing OBO guard pattern.

Honor app-reported heights in UIResourceCarousel cards: MCPAppCard now
accepts an onHeightChange callback; UIResourceCarousel tracks per-card
dynamic heights and applies them to the outer card container instead of
the fixed 360px value.
2026-06-23 19:06:40 -07:00
..
src fix(mcp): address Codex P1/P2 findings — CSP, permissions, toolArgs propagation 2026-06-23 19:06:40 -07:00
types 🔬 ci: Add TypeScript Type Checks to Backend Workflow and Fix All Type Errors (#12451) 2026-03-28 21:06:39 -04:00
.gitignore 🧠 feat: User Memories for Conversational Context (#7760) 2025-06-07 18:52:22 -04:00
babel.config.cjs 🧠 feat: User Memories for Conversational Context (#7760) 2025-06-07 18:52:22 -04:00
jest.config.mjs fix(ci): add @modelcontextprotocol/ext-apps to jest transformIgnorePatterns and fix import sort 2026-06-23 15:46:38 -07:00
jest.setup.cjs 🌱 fix: Inject Code-Tool Files Into Graph Sessions on First Call (+ read_file Sandbox Fallback) (#12831) 2026-04-27 08:56:39 +09:00
package.json fix(mcp): address second round of Codex review findings 2026-06-23 18:18:51 -07:00
tsconfig-paths-bootstrap.mjs 🧠 feat: User Memories for Conversational Context (#7760) 2025-06-07 18:52:22 -04:00
tsconfig.build.json 🧑‍💻 refactor: Secure Field Selection for 2FA & API Build Sourcemap (#9087) 2025-08-15 18:55:49 -04:00
tsconfig.json 📦 chore: npm audit fixes and Mongoose 8.23 TypeScript follow-ups (#12996) 2026-05-07 09:47:40 -04:00
tsconfig.spec.json 📦 chore: Update TypeScript Config for TS v7 (#12794) 2026-04-23 12:51:03 -04:00
tsdown.config.mjs 🪟 fix: Cross-Platform Absolute-Path Check in tsdown neverBundle Predicates (#13700) 2026-06-13 11:04:46 -04:00