feat: pins MCP composer version and adds new setting to configure it

[ogabrielluiz]

Summary by CodeRabbit

• New Features
  • Added a configurable setting to choose the MCP Composer version used by the app; it now launches the matching versioned binary automatically.
  • Supports flexible version inputs (PEP 440 specifiers or bare versions, which are normalized).
  • Provides a sensible default version out of the box for immediate use.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Updates configure MCP Composer to use a versioned executable name derived from settings. Adds a new mcp_composer_version setting with validation, and adjusts both API and service layers to fetch settings and construct mcp-composer{version}. Adds a comment for secret handling in OAuth env mapping.

Changes

Cohort / File(s)	Summary of Changes
MCP Composer invocation src/backend/base/langflow/api/v1/mcp_projects.py, src/lfx/src/lfx/services/mcp_composer/service.py	Both paths now read settings via get_settings_service().settings and build the MCP Composer command as mcp-composer{settings.mcp_composer_version} when enabled/used. Service also adds an allowlist secret comment for oauth_client_secret in env setup.
Settings src/lfx/src/lfx/services/settings/base.py	Introduces public setting mcp_composer_version (default "=0.1.0.7") with pre-validation that normalizes bare versions to a PEP 440 specifier (prefix "="), passes through existing specifiers, and defaults when empty.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Client
  participant API as mcp_projects.install_mcp_config
  participant Settings as SettingsService
  participant OS as System Process

  Client->>API: install_mcp_config(use_mcp_composer=True)
  API->>Settings: get_settings_service().settings
  Settings-->>API: settings (mcp_composer_version)
  API->>API: Build cmd "mcp-composer{version}"
  API->>OS: Spawn composer process with env
  OS-->>API: Process result
  API-->>Client: Return outcome

Loading

sequenceDiagram
  autonumber
  participant Service as mcp_composer.service._start_project_composer_process
  participant Settings as SettingsService
  participant OS as System Process

  Service->>Settings: get_settings_service().settings
  Settings-->>Service: settings (mcp_composer_version)
  Service->>Service: Build exec "mcp-composer{version}"
  Note right of Service: OAuth env includes client_secret <!-- allowlist secret -->
  Service->>OS: Start process with env
  OS-->>Service: PID/handle

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: adds api key functionality onto mcp composer #9498 — Also modifies install_mcp_config, focusing on API-key generation and config merging alongside MCP invocation logic.
• refactor: Update MCP composer auth to just api and oauth #9487 — Alters install_mcp_config by removing the MCP Composer branch and OAuth env handling, overlapping with current MCP invocation changes.

Suggested labels

enhancement, needs-docs

Suggested reviewers

• lucaseduoli
• mfortman11
• jordanrfrazier

Pre-merge checks and finishing touches

❌ Failed checks (1 error, 2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Test Coverage For New Implementations	❌ Error	The PR introduces new configurable behavior for selecting a versioned MCP Composer executable and adds a settings validation method, yet no new or modified test files appear in the diff, so there are no unit or integration tests covering this functionality or the validator logic. Without tests that confirm the configured version is honored or that bare version inputs are normalized correctly, the test coverage expectations for new features are unmet.	Please add tests that exercise the new mcp_composer_version setting, including validation behavior and ensuring the versioned executable name is used in the relevant services, following the project’s test naming conventions.
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Test Quality And Coverage	⚠️ Warning	I inspected the updated settings and service codepaths introducing the configurable mcp_composer_version and searched the repository for any new or modified tests referencing this setting or the version-aware execution, but found no additions or adjustments covering the new logic. Without tests ensuring that bare versions are normalized, specifiers pass through, and the versioned executable name is constructed correctly, the main functionality introduced by this PR remains unvalidated. Consequently, the current test suite does not cover the newly implemented behavior.	Please add tests exercising the settings normalization logic for mcp_composer_version as well as service-level tests confirming that the appropriate versioned MCP Composer executable name is derived, so the new functionality is verified.
Test File Naming And Structure	❓ Inconclusive	No test files were added or modified in this pull request, so I cannot evaluate naming, structure, or coverage against the required patterns; without relevant test changes the custom check cannot be completed.	Please add or reference the relevant test files so their naming, structure, and coverage can be reviewed, or confirm that existing tests already satisfy the required patterns and remain unchanged.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title accurately reflects the primary change by stating that the feature adds a new setting to configure and pin the MCP Composer version, which directly corresponds to the code changes introducing the mcp_composer_version setting and using it to construct the versioned executable name.
Excessive Mock Usage Warning	✅ Passed	No test files were modified in this pull request, so there is no new or changed mocking behavior to evaluate; consequently, the criteria for the Excessive Mock Usage Warning are not met and no warning is warranted.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/lfx/src/lfx/services/settings/base.py (2)

354-380: Consider moving the re import to module level.

The validator logic correctly handles bare versions and existing specifiers. However, importing re inside the validator function (line 373) is slightly inefficient, even though validators only run at initialization time.

Consider moving the import to the module level for better practice:

 import asyncio
 import contextlib
 import json
 import os
+import re
 from pathlib import Path
 from shutil import copy2
 from typing import Any, Literal

Then remove the local import from the validator:

         # If it's a bare version number, add ~= prefix
         # This regex matches version numbers like 0.1.0.7, 1.2.3, etc.
-        import re
-
         if re.match(r"^\d+(\.\d+)*", value):

---

288-290: Approve code changes

• Default ~=0.1.0.7 matches the latest PyPI release (0.1.0.7).
• Optional: move the import re statement to module scope to avoid repeated imports in the validator.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 75d1f8a and 424c4b5.

📒 Files selected for processing (3)

• src/backend/base/langflow/api/v1/mcp_projects.py (1 hunks)
• src/lfx/src/lfx/services/mcp_composer/service.py (2 hunks)
• src/lfx/src/lfx/services/settings/base.py (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

{src/backend/**/*.py,tests/**/*.py,Makefile}

📄 CodeRabbit inference engine (.cursor/rules/backend_development.mdc)

{src/backend/**/*.py,tests/**/*.py,Makefile}: Run make format_backend to format Python code before linting or committing changes
Run make lint to perform linting checks on backend Python code

Files:

• src/backend/base/langflow/api/v1/mcp_projects.py

🧬 Code graph analysis (2)

src/backend/base/langflow/api/v1/mcp_projects.py (1)

src/backend/base/langflow/services/deps.py (1)

• get_settings_service (111-124)

src/lfx/src/lfx/services/mcp_composer/service.py (1)

src/backend/base/langflow/services/deps.py (1)

• get_settings_service (111-124)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (18)

• GitHub Check: Run Frontend Tests / Playwright Tests - Shard 6/9
• GitHub Check: Run Frontend Tests / Playwright Tests - Shard 9/9
• GitHub Check: Run Frontend Tests / Playwright Tests - Shard 8/9
• GitHub Check: Run Frontend Tests / Playwright Tests - Shard 7/9
• GitHub Check: Run Frontend Tests / Playwright Tests - Shard 5/9
• GitHub Check: Run Frontend Tests / Playwright Tests - Shard 3/9
• GitHub Check: Run Frontend Tests / Playwright Tests - Shard 1/9
• GitHub Check: Run Frontend Tests / Playwright Tests - Shard 2/9
• GitHub Check: Run Frontend Tests / Playwright Tests - Shard 4/9
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 2
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 4
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 3
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 1
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 5
• GitHub Check: Run Backend Tests / Integration Tests - Python 3.10
• GitHub Check: Test Starter Templates
• GitHub Check: Update Starter Projects
• GitHub Check: Optimize new Python code in this PR

🔇 Additional comments (3)

src/backend/base/langflow/api/v1/mcp_projects.py (1)

632-635: LGTM! Versioned MCP Composer command construction.

The implementation correctly fetches the configured version and constructs the MCP Composer command name. The resulting format (e.g., mcp-composer~=0.1.0.7) is valid for uvx and follows PEP 440 version specifier syntax.

src/lfx/src/lfx/services/mcp_composer/service.py (2)

420-423: LGTM! Consistent versioned command construction.

The implementation correctly mirrors the pattern used in mcp_projects.py, ensuring consistency across the codebase.

---

451-451: LGTM! Security scanning directive added.

The pragma comment is a standard directive for security scanning tools to prevent false positives when handling OAuth client secrets in environment variable mappings.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 23.41%. Comparing base (99facaa) to head (e8f0c88).
⚠️ Report is 22 commits behind head on main.

Files with missing lines	Patch %	Lines
src/backend/base/langflow/api/v1/mcp_projects.py	0.00%	1 Missing ⚠️

❌ Your patch status has failed because the patch coverage (0.00%) is below the target coverage (40.00%). You can increase the patch coverage or adjust the target coverage.
❌ Your project status has failed because the head coverage (8.83%) is below the target coverage (10.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #10163      +/-   ##
==========================================
- Coverage   24.16%   23.41%   -0.75%     
==========================================
  Files        1087     1075      -12     
  Lines       40072    39963     -109     
  Branches     5546     5530      -16     
==========================================
- Hits         9682     9358     -324     
- Misses      30219    30444     +225     
+ Partials      171      161      -10     

Flag	Coverage Δ
backend	47.08% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/backend/base/langflow/api/v1/mcp_projects.py	22.49% <0.00%> (-0.04%)	⬇️

... and 87 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[lucaseduoli]

LGTM!