LibreChat/packages/api
Dustin Healy 624a6d8f4b fix(mcp): gate apps per-request on app connections and embedded UI resources
Resolve the allowlist-derived appsEnabled value when creating app-level connections in
ConnectionsRepository so a tenant/role/user override that toggles apps is honored instead of the
boot YAML default.

Gate ui:// resources embedded in tool results on the same per-request setting so a disabled scope
renders them as plain resource text rather than a sandboxed app, resolving appsEnabled lazily only
when a result actually carries a renderable UI resource.

Fail closed in canonicalizeUri when a URI does not stabilize within the decode cap so traversal
encoded more deeply than the cap cannot satisfy a template guard a fully-decoding server resolves
as a parent-directory path.
2026-06-29 11:07:55 -07:00
src fix(mcp): gate apps per-request on app connections and embedded UI resources 2026-06-29 11:07:55 -07:00
types 🔬 ci: Add TypeScript Type Checks to Backend Workflow and Fix All Type Errors (#12451) 2026-03-28 21:06:39 -04:00
.gitignore
babel.config.cjs
jest.config.mjs fix(ci): add @modelcontextprotocol/ext-apps to jest transformIgnorePatterns and fix import sort 2026-06-23 15:46:38 -07:00
jest.setup.cjs 🌱 fix: Inject Code-Tool Files Into Graph Sessions on First Call (+ read_file Sandbox Fallback) (#12831) 2026-04-27 08:56:39 +09:00
package.json fix(mcp): harden MCP Apps host security and CJS compatibility 2026-06-28 21:56:28 -07:00
tsconfig-paths-bootstrap.mjs
tsconfig.build.json 🧑‍💻 refactor: Secure Field Selection for 2FA & API Build Sourcemap (#9087) 2025-08-15 18:55:49 -04:00
tsconfig.json 📦 chore: npm audit fixes and Mongoose 8.23 TypeScript follow-ups (#12996) 2026-05-07 09:47:40 -04:00
tsconfig.spec.json 📦 chore: Update TypeScript Config for TS v7 (#12794) 2026-04-23 12:51:03 -04:00
tsdown.config.mjs 🪟 fix: Cross-Platform Absolute-Path Check in tsdown neverBundle Predicates (#13700) 2026-06-13 11:04:46 -04:00