🏗️ feat: Dynamic MCP Server Infrastructure with Access Control (#10787)

* Feature: Dynamic MCP Server with Full UI Management

* 🚦 feat: Add MCP Connection Status icons to MCPBuilder panel (#10805)

* feature: Add MCP server connection status icons to MCPBuilder panel

* refactor: Simplify MCPConfigDialog rendering in MCPBuilderPanel

---------

Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
Co-authored-by: Danny Avila <danny@librechat.ai>

* fix: address code review feedback for MCP server management

- Fix OAuth secret preservation to avoid mutating input parameter
  by creating a merged config copy in ServerConfigsDB.update()

- Improve error handling in getResourcePermissionsMap to propagate
  critical errors instead of silently returning empty Map

- Extract duplicated MCP server filter logic by exposing selectableServers
  from useMCPServerManager hook and using it in MCPSelect component

* test: Update PermissionService tests to throw errors on invalid resource types

- Changed the test for handling invalid resource types to ensure it throws an error instead of returning an empty permissions map.
- Updated the expectation to check for the specific error message when an invalid resource type is provided.

* feat: Implement retry logic for MCP server creation to handle race conditions

- Enhanced the createMCPServer method to include retry logic with exponential backoff for handling duplicate key errors during concurrent server creation.
- Updated tests to verify that all concurrent requests succeed and that unique server names are generated.
- Added a helper function to identify MongoDB duplicate key errors, improving error handling during server creation.

* refactor: StatusIcon to use CircleCheck for connected status

- Replaced the PlugZap icon with CircleCheck in the ConnectedStatusIcon component to better represent the connected state.
- Ensured consistent icon usage across the component for improved visual clarity.

* test: Update AccessControlService tests to throw errors on invalid resource types

- Modified the test for invalid resource types to ensure it throws an error with a specific message instead of returning an empty permissions map.
- This change enhances error handling and improves test coverage for the AccessControlService.

* fix: Update error message for missing server name in MCP server retrieval

- Changed the error message returned when the server name is not provided from 'MCP ID is required' to 'Server name is required' for better clarity and accuracy in the API response.

---------

Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
Co-authored-by: Danny Avila <danny@librechat.ai>

packages/api/src/mcp/registry/db/ServerConfigsDB.ts

@@ -1,7 +1,14 @@
-/* eslint-disable @typescript-eslint/no-unused-vars */
-import { AllMethods, createMethods, logger } from '@librechat/data-schemas';
+import { Types } from 'mongoose';
+import {
+  AccessRoleIds,
+  PermissionBits,
+  PrincipalType,
+  ResourceType,
+} from 'librechat-data-provider';
+import { AllMethods, MCPServerDocument, createMethods, logger } from '@librechat/data-schemas';
 import type { IServerConfigsRepositoryInterface } from '~/mcp/registry/ServerConfigsRepositoryInterface';
-import type { ParsedServerConfig } from '~/mcp/types';
+import { AccessControlService } from '~/acl/accessControlService';
+import type { ParsedServerConfig, AddServerResult } from '~/mcp/types';
 
 /**
  * DB backed config storage
@@ -10,35 +17,211 @@ import type { ParsedServerConfig } from '~/mcp/types';
  */
 export class ServerConfigsDB implements IServerConfigsRepositoryInterface {
   private _dbMethods: AllMethods;
+  private _aclService: AccessControlService;
+  private _mongoose: typeof import('mongoose');
+
   constructor(mongoose: typeof import('mongoose')) {
     if (!mongoose) {
       throw new Error('ServerConfigsDB requires mongoose instance');
     }
+    this._mongoose = mongoose;
     this._dbMethods = createMethods(mongoose);
+    this._aclService = new AccessControlService(mongoose);
   }
 
-  public async add(serverName: string, config: ParsedServerConfig, userId?: string): Promise<void> {
-    logger.debug('ServerConfigsDB add not yet implemented');
-    return;
+  /**
+   * Checks if user has access to an MCP server via an agent they can VIEW.
+   * @param serverName - The MCP server name to check
+   * @param userId - The user ID (optional - if not provided, checks publicly accessible agents)
+   * @returns true if user has VIEW access to at least one agent that has this MCP server
+   */
+  private async hasAccessViaAgent(serverName: string, userId?: string): Promise<boolean> {
+    let accessibleAgentIds: Types.ObjectId[];
+
+    if (!userId) {
+      // Get publicly accessible agents
+      accessibleAgentIds = await this._aclService.findPubliclyAccessibleResources({
+        resourceType: ResourceType.AGENT,
+        requiredPermissions: PermissionBits.VIEW,
+      });
+    } else {
+      // Get user-accessible agents
+      accessibleAgentIds = await this._aclService.findAccessibleResources({
+        userId,
+        requiredPermissions: PermissionBits.VIEW,
+        resourceType: ResourceType.AGENT,
+      });
+    }
+
+    if (accessibleAgentIds.length === 0) {
+      return false;
+    }
+
+    // Check if any accessible agent has this MCP server
+    const Agent = this._mongoose.model('Agent');
+    const exists = await Agent.exists({
+      _id: { $in: accessibleAgentIds },
+      mcpServerNames: serverName,
+    });
+
+    return exists !== null;
   }
 
+  /**
+   * Creates a new MCP server and grants owner permissions to the user.
+   * @param serverName - Temporary server name (not persisted) will be replaced by the nano id generated by the db method
+   * @param config - Server configuration to store
+   * @param userId - ID of the user creating the server (required)
+   * @returns The created server result with serverName and config (including dbId)
+   * @throws Error if userId is not provided
+   */
+  public async add(
+    serverName: string,
+    config: ParsedServerConfig,
+    userId?: string,
+  ): Promise<AddServerResult> {
+    logger.debug(
+      `[ServerConfigsDB.add] Starting Creating server with temp servername: ${serverName} for the user with the ID ${userId}`,
+    );
+    if (!userId) {
+      throw new Error(
+        '[ServerConfigsDB.add] User ID is required to create a database-stored MCP server.',
+      );
+    }
+    const createdServer = await this._dbMethods.createMCPServer({ config: config, author: userId });
+    await this._aclService.grantPermission({
+      principalType: PrincipalType.USER,
+      principalId: userId,
+      resourceType: ResourceType.MCPSERVER,
+      resourceId: createdServer._id,
+      accessRoleId: AccessRoleIds.MCPSERVER_OWNER,
+      grantedBy: userId,
+    });
+    return {
+      serverName: createdServer.serverName,
+      config: this.mapDBServerToParsedConfig(createdServer),
+    };
+  }
+
+  /**
+   *
+   * @param serverName mcp server unique identifier "serverName"
+   * @param config new Configuration to update
+   * @param userId user id required to update DB server config
+   */
   public async update(
     serverName: string,
     config: ParsedServerConfig,
     userId?: string,
   ): Promise<void> {
-    logger.debug('ServerConfigsDB update not yet implemented');
-    return;
+    if (!userId) {
+      throw new Error(
+        '[ServerConfigsDB.update] User ID is required to update a database-stored MCP server.',
+      );
+    }
+
+    // Preserve sensitive fields (like oauth.client_secret) that may not be sent from the client
+    // Create a copy to avoid mutating the input parameter
+    let mergedConfig = config;
+    const existingServer = await this._dbMethods.findMCPServerById(serverName);
+    if (existingServer?.config?.oauth?.client_secret && !config.oauth?.client_secret) {
+      mergedConfig = {
+        ...config,
+        oauth: {
+          ...config.oauth,
+          client_secret: existingServer.config.oauth.client_secret,
+        },
+      };
+    }
+
+    // specific user permissions for action permission will be handled in the controller calling the  update method of the registry
+    await this._dbMethods.updateMCPServer(serverName, { config: mergedConfig });
   }
 
+  /**
+   * Deletes an MCP server and removes all associated ACL entries.
+   * @param serverName - The serverName of the server to remove
+   * @param userId - User performing the deletion (for logging)
+   */
   public async remove(serverName: string, userId?: string): Promise<void> {
-    logger.debug('ServerConfigsDB remove not yet implemented');
-    return;
+    logger.debug(`[ServerConfigsDB.remove] removing ${serverName}. UserId: ${userId}`);
+    const deletedServer = await this._dbMethods.deleteMCPServer(serverName);
+    if (deletedServer && deletedServer._id) {
+      logger.debug(`[ServerConfigsDB.remove] removing all permissions entries of ${serverName}.`);
+      await this._aclService.removeAllPermissions({
+        resourceType: ResourceType.MCPSERVER,
+        resourceId: deletedServer._id!,
+      });
+      return;
+    }
+    logger.warn(`[ServerConfigsDB.remove] server with serverName ${serverName} does not exist`);
   }
 
+  /**
+   * Retrieves a single MCP server configuration by its serverName.
+   * @param serverName - The serverName of the server to retrieve
+   * @param userId - the user id provide the scope of the request. If the user Id is not provided, only publicly visible servers are returned.
+   * @returns The parsed server config or undefined if not found. If accessed via agent, consumeOnly will be true.
+   */
   public async get(serverName: string, userId?: string): Promise<ParsedServerConfig | undefined> {
-    logger.debug('ServerConfigsDB get not yet implemented');
-    return;
+    const server = await this._dbMethods.findMCPServerById(serverName);
+    if (!server) return undefined;
+
+    // Check public access if no userId
+    if (!userId) {
+      const directlyAccessibleMCPIds = (
+        await this._aclService.findPubliclyAccessibleResources({
+          resourceType: ResourceType.MCPSERVER,
+          requiredPermissions: PermissionBits.VIEW,
+        })
+      ).map((id) => id.toString());
+      if (directlyAccessibleMCPIds.indexOf(server._id.toString()) > -1) {
+        return this.mapDBServerToParsedConfig(server);
+      }
+
+      // Check access via publicly accessible agents
+      const hasAgentAccess = await this.hasAccessViaAgent(serverName);
+      if (hasAgentAccess) {
+        logger.debug(
+          `[ServerConfigsDB.get] accessing ${serverName} via public agent (consumeOnly)`,
+        );
+        return {
+          ...this.mapDBServerToParsedConfig(server),
+          consumeOnly: true,
+        };
+      }
+
+      return undefined;
+    }
+
+    // Check direct user access
+    const userHasDirectAccess = await this._aclService.checkPermission({
+      userId,
+      resourceType: ResourceType.MCPSERVER,
+      requiredPermission: PermissionBits.VIEW,
+      resourceId: server._id,
+    });
+
+    if (userHasDirectAccess) {
+      logger.debug(
+        `[ServerConfigsDB.get] getting ${serverName} for user with the UserId: ${userId}`,
+      );
+      return this.mapDBServerToParsedConfig(server);
+    }
+
+    // Check agent access (user can VIEW an agent that has this MCP server)
+    const hasAgentAccess = await this.hasAccessViaAgent(serverName, userId);
+    if (hasAgentAccess) {
+      logger.debug(
+        `[ServerConfigsDB.get] user ${userId} accessing ${serverName} via agent (consumeOnly)`,
+      );
+      return {
+        ...this.mapDBServerToParsedConfig(server),
+        consumeOnly: true,
+      };
+    }
+
+    return undefined;
   }
 
   /**
@@ -47,13 +230,109 @@ export class ServerConfigsDB implements IServerConfigsRepositoryInterface {
    * @returns record of parsed configs
    */
   public async getAll(userId?: string): Promise<Record<string, ParsedServerConfig>> {
-    // TODO: Implement DB-backed config retrieval
-    logger.debug('[ServerConfigsDB] getAll not yet implemented', { userId });
-    return {};
+    // 1. Get directly accessible MCP IDs
+    let directlyAccessibleMCPIds: Types.ObjectId[] = [];
+    if (!userId) {
+      logger.debug(`[ServerConfigsDB.getAll] fetching all publicly shared mcp servers`);
+      directlyAccessibleMCPIds = await this._aclService.findPubliclyAccessibleResources({
+        resourceType: ResourceType.MCPSERVER,
+        requiredPermissions: PermissionBits.VIEW,
+      });
+    } else {
+      logger.debug(
+        `[ServerConfigsDB.getAll] fetching mcp servers directly shared with the user with ID: ${userId}`,
+      );
+      directlyAccessibleMCPIds = await this._aclService.findAccessibleResources({
+        userId,
+        requiredPermissions: PermissionBits.VIEW,
+        resourceType: ResourceType.MCPSERVER,
+      });
+    }
+
+    // 2. Get agent-accessible MCP server names
+    let agentMCPServerNames: string[] = [];
+    let accessibleAgentIds: Types.ObjectId[] = [];
+
+    if (!userId) {
+      // Get publicly accessible agents
+      accessibleAgentIds = await this._aclService.findPubliclyAccessibleResources({
+        resourceType: ResourceType.AGENT,
+        requiredPermissions: PermissionBits.VIEW,
+      });
+    } else {
+      // Get user-accessible agents
+      accessibleAgentIds = await this._aclService.findAccessibleResources({
+        userId,
+        requiredPermissions: PermissionBits.VIEW,
+        resourceType: ResourceType.AGENT,
+      });
+    }
+
+    if (accessibleAgentIds.length > 0) {
+      // Efficient query: get agents with non-empty mcpServerNames
+      const Agent = this._mongoose.model('Agent');
+      const agentsWithMCP = await Agent.find(
+        {
+          _id: { $in: accessibleAgentIds },
+          mcpServerNames: { $exists: true, $not: { $size: 0 } },
+        },
+        { mcpServerNames: 1 },
+      ).lean();
+
+      // Flatten and dedupe server names
+      agentMCPServerNames = [
+        ...new Set(
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          agentsWithMCP.flatMap((a: any) => a.mcpServerNames || []),
+        ),
+      ];
+    }
+
+    // 3. Fetch directly accessible MCP servers
+    const directResults = await this._dbMethods.getListMCPServersByIds({
+      ids: directlyAccessibleMCPIds,
+    });
+
+    // 4. Build result with direct access servers
+    const parsedConfigs: Record<string, ParsedServerConfig> = {};
+    const directServerNames = new Set<string>();
+
+    for (const s of directResults.data || []) {
+      parsedConfigs[s.serverName] = this.mapDBServerToParsedConfig(s);
+      directServerNames.add(s.serverName);
+    }
+
+    // 5. Fetch agent-accessible servers (excluding already direct)
+    const agentOnlyServerNames = agentMCPServerNames.filter((name) => !directServerNames.has(name));
+
+    if (agentOnlyServerNames.length > 0) {
+      const agentServers = await this._dbMethods.getListMCPServersByNames({
+        names: agentOnlyServerNames,
+      });
+
+      for (const s of agentServers.data || []) {
+        parsedConfigs[s.serverName] = {
+          ...this.mapDBServerToParsedConfig(s),
+          consumeOnly: true,
+        };
+      }
+    }
+
+    return parsedConfigs;
   }
 
+  /** No-op for DB storage; logs a warning if called. */
   public async reset(): Promise<void> {
     logger.warn('Attempt to reset the DB config storage');
     return;
   }
+
+  /** Maps a MongoDB server document to the ParsedServerConfig format. */
+  private mapDBServerToParsedConfig(serverDBDoc: MCPServerDocument): ParsedServerConfig {
+    return {
+      ...serverDBDoc.config,
+      dbId: (serverDBDoc._id as Types.ObjectId).toString(),
+      updatedAt: serverDBDoc.updatedAt?.getTime(),
+    };
+  }
 }