LibreChat/api
Dustin Healy 87341c67c0 fix(mcp): carry apps flag through the request resolver and canonicalize resource-read auth
resolveMCPAllowlists now returns appsEnabled from the merged tenant-scoped config, so a
tenant/role/user override of mcpSettings.apps reaches the registry's per-request resolution and
callTool attaches no UI resource for users whose tenant disabled apps.

Authorize app-driven resource reads in the canonical (fully percent-decoded) space the server
resolves and reject any relative path segment, so a percent-encoded traversal such as %2e%2e%2f can
no longer match an advertised template. Exact resources/list matches are unaffected.

Trim narrating comments across the MCP Apps changes so the code is self-documenting.
2026-06-29 00:52:58 -07:00
..
app 🖇️ feat: Reference Selected Chat Text with Multi-Quote Popup (#13868) 2026-06-21 08:33:11 -04:00
cache
config 🪵 refactor: Bound Log Traversal And Remove Legacy api/config Logger (#13813) 2026-06-17 12:31:32 -04:00
db
models
server fix(mcp): carry apps flag through the request resolver and canonicalize resource-read auth 2026-06-29 00:52:58 -07:00
strategies
test 🏷️ fix: Scope File Search entity_id to Agent Knowledge-Base Files Only (#13693) 2026-06-20 10:18:25 -04:00
utils
jest.config.js fix(ci): add @modelcontextprotocol/ext-apps to jest transformIgnorePatterns and fix import sort 2026-06-23 15:46:38 -07:00
jsconfig.json
package.json 📦 chore: Bump @librechat/agents to v3.2.44 2026-06-21 08:39:10 -04:00
typedefs.js