LibreChat/packages
Dustin Healy cc45641d7e fix(mcp): address Codex P1/P2 findings — visibility filter, header clobber, base path, inline text
App-only tools (visibility: ['app']) were not filtered in MCPServerInspector.getToolFunctions,
so initializeMCPs → getAppToolFunctions → mergeAppTools was silently exposing them to the LLM
tool cache at startup, bypassing the filter that updateMCPServerTools correctly applies.
Applied the same visibility guard that updateMCPServerTools uses.

appToolCall was calling processMCPEnv without customUserVars for DB-sourced servers, then
setRequestHeaders — overwriting the connection's already-correctly-resolved headers with
unresolved {{MCP_API_KEY}} placeholders. Skipped the re-resolve for DB-sourced servers
since the connection carries valid headers from the original callTool setup.

callMCPAppTool and readMCPResource used hardcoded /api/... paths without the apiBaseUrl()
prefix; subdirectory deployments would miss those routes. apiBaseUrl was already imported for
getMCPSandboxUrl — extended it to both API calls for consistency.

MCPAppCard (carousel) and MCPAppView (ToolCall) both checked toolName && serverName first
when deciding to use the app bridge, but parsers.ts now sets those fields on all UIResources
including inline ui:// resources with text content. Resources with text were therefore silently
routed through the app bridge instead of being rendered directly as srcDoc iframes.
Added !resource.text / !app.text guard so inline HTML resources take the correct path.
2026-06-23 20:27:30 -07:00
..
api fix(mcp): address Codex P1/P2 findings — visibility filter, header clobber, base path, inline text 2026-06-23 20:27:30 -07:00
client 👐 a11y: Bump @ariakit/react, Improve a11y of Token Usage, Archived Chats, Reduce Table Layout Shifts (#13874) 2026-06-21 12:53:24 -04:00
data-provider fix(mcp): address Codex P2 findings — resource ID collision, isError flag, sandbox base path 2026-06-23 19:46:47 -07:00
data-schemas 🖇️ feat: Reference Selected Chat Text with Multi-Quote Popup (#13868) 2026-06-21 08:33:11 -04:00