mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-02 04:12:36 +00:00
Reimplement the MCP Apps ui-meta helpers (RESOURCE_MIME_TYPE, getToolUiResourceUri, isToolVisibilityModelOnly, isToolVisibilityAppOnly) in packages/api/src/mcp/apps.ts so @librechat/api no longer imports the ESM-only @modelcontextprotocol/ext-apps from its CommonJS build. ext-apps remains a client-only dependency, removing the require(ESM) boundary that throws ERR_REQUIRE_ESM on Node versions without synchronous require(esm) support. Add an mcpSettings.apps toggle (enabled unless explicitly false). Thread enableApps through connection creation so the io.modelcontextprotocol/ui capability is advertised only when apps are enabled, and gate the resource and app-tool-call routes with a requireMCPAppsEnabled middleware. Authorize app-driven resources/read against the resources and templates a server advertises, so a sandboxed app cannot proxy arbitrary uris. ui:// resources stay allowed and the check fails closed. Render MCP apps in shared and search transcripts display-only by withholding the host-bound bridge handlers and capabilities in read-only views, so an embedded app cannot call tools or read resources with the viewer's auth while the stored tool result still renders. |
||
|---|---|---|
| .. | ||
| __tests__ | ||
| agents | ||
| assistants | ||
| auth | ||
| AuthController.js | ||
| AuthController.spec.js | ||
| Balance.js | ||
| Balance.spec.js | ||
| ContextProjectionController.js | ||
| EndpointController.js | ||
| FavoritesController.js | ||
| FavoritesController.spec.js | ||
| mcp.js | ||
| mcpApps.js | ||
| ModelController.js | ||
| PermissionsController.js | ||
| PluginController.js | ||
| PluginController.spec.js | ||
| SkillStatesController.js | ||
| TokenConfigController.js | ||
| tools.js | ||
| TwoFactorController.js | ||
| UserController.js | ||
| UserController.spec.js | ||