LibreChat/client
Dustin Healy 3816864392 fix(mcp): address Codex P1/P2 findings — CSP, permissions, toolArgs propagation
Six findings from the Codex review pass on ac2812ba2:

Apply restrictive default CSP when _meta.ui.csp is omitted: buildCspMeta
now uses an empty object fallback so sandboxed apps without explicit CSP
declarations still get default-src 'none' / connect-src 'none' rather than
running with no Content-Security-Policy at all.

Add media-src to buildCspPolicy: resourceDomains now covers audio and video
loads; omitting it previously caused default-src 'none' to block media even
when the server declared approved CDN domains.

Propagate toolArgs through UIResource so inline \ui{} marker renders call
sendToolInput: callTool passes toolArguments into formatToolContent metadata,
parsers stores it on both explicit and synthetic UIResources, and MCPUIResource
and MCPAppCard now forward it to useAppBridge instead of always passing
undefined.

Update outer iframe allow attribute with resolved permissions from
resources/read: the sandboxready handler now re-applies buildAllowAttribute
with the fetched permissions before sendSandboxResourceReady, so
camera/mic/geo permissions declared only in _meta.ui are not blocked at
the browser permission-policy boundary.

Guard appToolCall against Graph API token placeholder servers: uses
mcpOptionsContainGraphTokenPlaceholder to detect unresolvable
{{LIBRECHAT_GRAPH_ACCESS_TOKEN}} placeholders and throws InvalidRequest
with a clear message, matching the existing OBO guard pattern.

Honor app-reported heights in UIResourceCarousel cards: MCPAppCard now
accepts an onHeightChange callback; UIResourceCarousel tracks per-card
dynamic heights and applies them to the outer card container instead of
the fixed 360px value.
2026-06-23 19:06:40 -07:00
public fix(mcp): address Codex P1/P2 findings — CSP, permissions, toolArgs propagation 2026-06-23 19:06:40 -07:00
scripts
src fix(mcp): address Codex P1/P2 findings — CSP, permissions, toolArgs propagation 2026-06-23 19:06:40 -07:00
sw 🛟 fix: Auto-Recover from Stale Service Worker Assets After Deploys (#13686) 2026-06-11 11:57:06 -04:00
test
babel.config.cjs
check_updates.sh
index.html 🛟 fix: Auto-Recover from Stale Service Worker Assets After Deploys (#13686) 2026-06-11 11:57:06 -04:00
jest.config.cjs feat: MCP Apps support (squashed for rebase) 2026-06-21 23:55:17 -07:00
nginx.conf
package.json refactor: replace @mcp-ui/client with @modelcontextprotocol/ext-apps/app-bridge 2026-06-23 13:55:56 -07:00
postcss.config.cjs
tailwind.config.cjs
tsconfig.json 👷 ci: Type-check the Client Workspace (#13560) 2026-06-06 18:40:31 -04:00
vite.config.ts 🛟 fix: Auto-Recover from Stale Service Worker Assets After Deploys (#13686) 2026-06-11 11:57:06 -04:00