LibreChat/api
Dustin Healy f101d73f72 fix(mcp): resolve apps per request, tighten resource templates, extract app controller
Resolve mcpSettings.apps per request through the tenant-scoped allowlist resolver (inheriting the
YAML base when omitted) and consult it in callTool: when a tenant/role/user has apps disabled, the
tool result is returned with no UI resource attached, so those users no longer get a broken iframe
that the gated app endpoints reject. The OAuth-path connection advertises the resolved value.

Constrain query and query-continuation URI-template operators to their declared variable names
instead of the whole query string, so a template like file://items{?id} no longer authorizes
unrelated query parameters such as ?admin=true. The path-traversal guard still applies.

Move the MCP Apps per-endpoint validation and orchestration into packages/api as TypeScript
service functions (readAppResource, listAppResources, listAppResourceTemplates, callAppTool)
exported from @librechat/api, delegating through a structural manager interface to avoid a circular
import. The /api controllers become thin adapters; resolveAppContext, the sandbox file serve, and
the requireMCPAppsEnabled middleware stay in /api as request-bound glue.
2026-06-28 23:52:37 -07:00
..
app 🖇️ feat: Reference Selected Chat Text with Multi-Quote Popup (#13868) 2026-06-21 08:33:11 -04:00
cache 🪂 feat: Graceful HTTP shutdown on SIGTERM/SIGINT (#13211) 2026-05-20 13:33:53 -04:00
config 🪵 refactor: Bound Log Traversal And Remove Legacy api/config Logger (#13813) 2026-06-17 12:31:32 -04:00
db ⚖️ feat: Add Operational Prometheus Metrics (#13265) 2026-05-22 20:47:41 -04:00
models 🗑️ chore: Remove Action Test Suite and Update Mock Implementations (#12268) 2026-03-21 14:28:55 -04:00
server fix(mcp): resolve apps per request, tighten resource templates, extract app controller 2026-06-28 23:52:37 -07:00
strategies 🌐 fix: Centralize Outbound Proxy Handling (#13726) 2026-06-14 10:47:49 -04:00
test 🏷️ fix: Scope File Search entity_id to Agent Knowledge-Base Files Only (#13693) 2026-06-20 10:18:25 -04:00
utils 📖 feat: Add Claude Fable 5 Support (#13628) 2026-06-09 16:22:39 -04:00
jest.config.js fix(ci): add @modelcontextprotocol/ext-apps to jest transformIgnorePatterns and fix import sort 2026-06-23 15:46:38 -07:00
jsconfig.json
package.json 📦 chore: Bump @librechat/agents to v3.2.44 2026-06-21 08:39:10 -04:00
typedefs.js 🧬 chore: Align LibreChat With Agents LangChain Upgrade (#12922) 2026-05-03 12:46:01 -04:00