LibreChat/client/src/hooks
Dustin Healy 90b2d7a1ab fix(mcp): harden sandbox security and fix stale closures, error states
Addresses security and correctness findings from a second review pass.

Sandbox hardening: trustedOrigin is now derived from document.referrer at
startup so notifyReady uses the known parent origin instead of the wildcard
'*'. toDomainList validates every entry against a strict host-pattern regex
before joining, preventing CSP injection via malicious server metadata.
serveMCPSandbox now sets Content-Security-Policy: frame-ancestors 'self' and
X-Frame-Options: SAMEORIGIN so the sandbox proxy cannot be framed by
third-party origins.

Server-side guards: appToolCall now validates that toolName is actually
registered on serverName before forwarding to tools/call. The
knownToolNamesCache is populated alongside modelOnlyToolCache in
populateToolCaches, scoped per user/server key. isModelOnlyTool was inlined
into appToolCall now that the single caching pass populates both sets.
readResource gained the updateUserLastActivity call so resource fetches also
prevent idle timeout. 500 responses now return generic messages; McpError
InvalidRequest (-32600) surfaces as 400 with the message.

Client: useAppBridge uses refs for onSizeChanged, toolArgs, and toolResult so
the stable bridge effect closure always reads current values without
triggering a remount. MCPAppView tracks timedOut separately from loaded so a
bridge failure after 10 s shows an error message instead of a blank iframe.
Added com_ui_mcp_app_failed_to_load translation key. Redundant
as string | undefined casts on toolName removed in ToolCall, MCPUIResource,
and UIResourceCarousel.
2026-06-23 18:35:27 -07:00
..
__tests__ 📌 feat: Add Pin Support for Model Specs (#11219) 2026-04-09 18:37:25 -04:00
Agents 🔌 fix: Preserve Ephemeral MCP Selections Across Model Switches (#13697) 2026-06-11 18:13:41 -04:00
Artifacts 🗃️ refactor: Keep Code Artifacts Manual-Open (#12961) 2026-05-05 22:05:21 -04:00
Assistants 🧬 refactor: Derive Latest Message From Cache (#13294) 2026-05-24 16:20:27 -04:00
Audio 👷 ci: Type-check the Client Workspace (#13560) 2026-06-06 18:40:31 -04:00
Chat 🖇️ feat: Reference Selected Chat Text with Multi-Quote Popup (#13868) 2026-06-21 08:33:11 -04:00
Config 🖇️ feat: Reference Selected Chat Text with Multi-Quote Popup (#13868) 2026-06-21 08:33:11 -04:00
Conversations ⬆️ chore: Bump TypeScript to 5.9.3 (+ typescript-eslint 8.60.1) (#13584) 2026-06-07 22:20:44 -04:00
Endpoint 🚫 fix: Hide Empty Agents Endpoint from Model Selector (#13624) 2026-06-09 12:10:41 -04:00
Files 🔗 feat: Snapshot Files for Shared-Link Attachments (#13740) 2026-06-20 23:05:13 -04:00
Generic 📐 fix: Sidebar Chat List Width Tracking and Stale Row Measurements (#13655) 2026-06-10 13:27:18 -04:00
Input 🔇 fix: Suppress Expected Speech Synthesis Cancellation Errors (#13627) 2026-06-09 16:31:41 -04:00
MCP fix(mcp): harden sandbox security and fix stale closures, error states 2026-06-23 18:35:27 -07:00
Mermaid 🧜‍♂️ fix: Preserve Mermaid foreignObject HTML in Sanitized SVG (#12819) 2026-04-29 09:37:38 +09:00
Messages 🧵 fix: Reject Preliminary Parent Follow-Ups (#13619) 2026-06-09 12:06:51 -04:00
Nav 🌉 chore: Gate Skills UI by Agent Capability Checks (#12793) 2026-04-25 04:02:01 -04:00
Plugins 📌 feat: Seed Default Pinned Tools and MCP Dropdown via Interface Config (#13865) 2026-06-20 13:40:10 -04:00
Prompts 📁 refactor: Prompts UI (#11570) 2026-03-22 16:56:22 -04:00
Roles
Sharing 🔗 fix: Surface Share Permissions Load Error as Alert Button With Tooltip (#13833) 2026-06-18 13:37:49 -04:00
Skills 🎚️ feat: Per-User Skill Active/Inactive Toggle with Ownership-Aware Defaults (#12692) 2026-04-25 04:02:00 -04:00
SSE 🖇️ feat: Reference Selected Chat Text with Multi-Quote Popup (#13868) 2026-06-21 08:33:11 -04:00
ApiErrorBoundaryContext.tsx
AuthContext.tsx 🧑‍🎨 refactor: Prompts/Sidebar styles for improved UI Consistency (#12426) 2026-04-09 00:02:31 -04:00
index.ts 📜 feat: Skills UI + Initial E2E CRUD / Sharing (#12580) 2026-04-25 04:02:00 -04:00
ScreenshotContext.tsx
useChatBadges.ts
useDocumentTitle.ts
useFavorites.ts 📌 feat: Add Pin Support for Model Specs (#11219) 2026-04-09 18:37:25 -04:00
useFocusTrap.ts 📁 refactor: Prompts UI (#11570) 2026-03-22 16:56:22 -04:00
useGenerationsByLatest.ts 🪦 refactor: Remove Legacy Code (#10533) 2025-12-11 16:36:12 -05:00
useInfiniteScroll.ts
useIsActiveItem.ts 📌 feat: Add Pin Support for Model Specs (#11219) 2026-04-09 18:37:25 -04:00
useLocalize.ts ⚙️ refactor: Lazy load locale resources (#13640) 2026-06-10 08:48:58 -04:00
useLocalizedConfig.ts ⚙️ feat: Add configurable trust checkbox labels for MCP Server Dialog (#10820) 2025-12-11 16:38:40 -05:00
useLocalStorage.tsx
useLocalStorageAlt.tsx
useNewConvo.ts 🔌 fix: Preserve Ephemeral MCP Selections Across Model Switches (#13697) 2026-06-11 18:13:41 -04:00
usePersonalizationAccess.ts
useRenderChangeLog.ts refactor: Optimize Message Re-renders (#12097) 2026-03-06 00:03:32 -05:00
useResourcePermissions.ts 💻 feat: Deeper MCP UI integration in the Chat UI (#9669) 2025-12-11 16:41:11 -05:00
useRoleSelector.ts 🔨 fix: Custom Role Permissions (#12528) 2026-04-03 13:24:11 -04:00
useScrollToRef.ts
useSkillFavorites.ts 📜 feat: Skills UI + Initial E2E CRUD / Sharing (#12580) 2026-04-25 04:02:00 -04:00
useTimeout.tsx
useTimeTick.ts feat: Show Message Timestamps on Hover (#13709) 2026-06-14 09:39:52 -04:00
useVirtualGrid.ts
useWakeLock.ts feat: Prevent Screen Sleep During Response Generation (#10597) 2025-11-21 09:14:32 -05:00