Refactor docker-compose.yml for consistency and add new services; update librechat.yaml with additional model references and configuration adjustments.

- Introduced `inferMimeType` utility to improve MIME type detection for uploaded files, including support for HEIC and HEIF formats.
- Updated DragDropModal to utilize the new inference logic for validating file types, ensuring compatibility with various document upload providers.
- Added comprehensive tests for `inferMimeType` to cover various scenarios, including handling of unknown extensions and preserving browser-provided types.

.github/workflows/dev-staging-images.yml

@@ -0,0 +1,66 @@
+name: Docker Dev Staging Images Build
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - target: api-build
+            file: Dockerfile.multi
+            image_name: lc-dev-staging-api
+          - target: node
+            file: Dockerfile
+            image_name: lc-dev-staging
+
+    steps:
+      # Check out the repository
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # Set up QEMU
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      # Set up Docker Buildx
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Log in to GitHub Container Registry
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Login to Docker Hub
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Prepare the environment
+      - name: Prepare environment
+        run: |
+          cp .env.example .env
+
+      # Build and push Docker images for each target
+      - name: Build and push Docker images
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ${{ matrix.file }}
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}:${{ github.sha }}
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }}:latest
+            ${{ secrets.DOCKERHUB_USERNAME }}/${{ matrix.image_name }}:${{ github.sha }}
+            ${{ secrets.DOCKERHUB_USERNAME }}/${{ matrix.image_name }}:latest
+          platforms: linux/amd64,linux/arm64
+          target: ${{ matrix.target }}
+

.gitignore

@@ -67,7 +67,7 @@ bower_components/
 .flooignore
 
 #config file
-librechat.yaml
+#librechat.yaml
 librechat.yml
 
 # Environment

api/app/clients/BaseClient.js

@@ -2,6 +2,7 @@ const crypto = require('crypto');
 const fetch = require('node-fetch');
 const { logger } = require('@librechat/data-schemas');
 const {
+  countTokens,
   getBalanceConfig,
   extractFileContext,
   encodeAndFormatAudios,
@@ -23,7 +24,6 @@ const { getMessages, saveMessage, updateMessage, saveConvo, getConvo } = require
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { checkBalance } = require('~/models/balanceMethods');
 const { truncateToolCallOutputs } = require('./prompts');
-const countTokens = require('~/server/utils/countTokens');
 const { getFiles } = require('~/models/File');
 const TextStream = require('./TextStream');
 

api/app/clients/tools/structured/TavilySearch.js

@@ -1,4 +1,5 @@
 const { z } = require('zod');
+const { ProxyAgent, fetch } = require('undici');
 const { tool } = require('@langchain/core/tools');
 const { getApiKey } = require('./credentials');
 
@@ -19,13 +20,19 @@ function createTavilySearchTool(fields = {}) {
         ...kwargs,
       };
 
-      const response = await fetch('https://api.tavily.com/search', {
+      const fetchOptions = {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
         },
         body: JSON.stringify(requestBody),
-      });
+      };
+
+      if (process.env.PROXY) {
+        fetchOptions.dispatcher = new ProxyAgent(process.env.PROXY);
+      }
+
+      const response = await fetch('https://api.tavily.com/search', fetchOptions);
 
       const json = await response.json();
       if (!response.ok) {

api/app/clients/tools/structured/TavilySearchResults.js

@@ -1,4 +1,5 @@
 const { z } = require('zod');
+const { ProxyAgent, fetch } = require('undici');
 const { Tool } = require('@langchain/core/tools');
 const { getEnvironmentVariable } = require('@langchain/core/utils/env');
 
@@ -102,13 +103,19 @@ class TavilySearchResults extends Tool {
       ...this.kwargs,
     };
 
-    const response = await fetch('https://api.tavily.com/search', {
+    const fetchOptions = {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
       },
       body: JSON.stringify(requestBody),
-    });
+    };
+
+    if (process.env.PROXY) {
+      fetchOptions.dispatcher = new ProxyAgent(process.env.PROXY);
+    }
+
+    const response = await fetch('https://api.tavily.com/search', fetchOptions);
 
     const json = await response.json();
     if (!response.ok) {

api/app/clients/tools/structured/specs/TavilySearchResults.spec.js

@@ -1,6 +1,7 @@
+const { fetch, ProxyAgent } = require('undici');
 const TavilySearchResults = require('../TavilySearchResults');
 
-jest.mock('node-fetch');
+jest.mock('undici');
 jest.mock('@langchain/core/utils/env');
 
 describe('TavilySearchResults', () => {
@@ -13,6 +14,7 @@ describe('TavilySearchResults', () => {
 
   beforeEach(() => {
     jest.resetModules();
+    jest.clearAllMocks();
     process.env = {
       ...originalEnv,
       TAVILY_API_KEY: mockApiKey,
@@ -20,7 +22,6 @@ describe('TavilySearchResults', () => {
   });
 
   afterEach(() => {
-    jest.clearAllMocks();
     process.env = originalEnv;
   });
 
@@ -35,4 +36,49 @@ describe('TavilySearchResults', () => {
     });
     expect(instance.apiKey).toBe(mockApiKey);
   });
+
+  describe('proxy support', () => {
+    const mockResponse = {
+      ok: true,
+      json: jest.fn().mockResolvedValue({ results: [] }),
+    };
+
+    beforeEach(() => {
+      fetch.mockResolvedValue(mockResponse);
+    });
+
+    it('should use ProxyAgent when PROXY env var is set', async () => {
+      const proxyUrl = 'http://proxy.example.com:8080';
+      process.env.PROXY = proxyUrl;
+
+      const mockProxyAgent = { type: 'proxy-agent' };
+      ProxyAgent.mockImplementation(() => mockProxyAgent);
+
+      const instance = new TavilySearchResults({ TAVILY_API_KEY: mockApiKey });
+      await instance._call({ query: 'test query' });
+
+      expect(ProxyAgent).toHaveBeenCalledWith(proxyUrl);
+      expect(fetch).toHaveBeenCalledWith(
+        'https://api.tavily.com/search',
+        expect.objectContaining({
+          dispatcher: mockProxyAgent,
+        }),
+      );
+    });
+
+    it('should not use ProxyAgent when PROXY env var is not set', async () => {
+      delete process.env.PROXY;
+
+      const instance = new TavilySearchResults({ TAVILY_API_KEY: mockApiKey });
+      await instance._call({ query: 'test query' });
+
+      expect(ProxyAgent).not.toHaveBeenCalled();
+      expect(fetch).toHaveBeenCalledWith(
+        'https://api.tavily.com/search',
+        expect.not.objectContaining({
+          dispatcher: expect.anything(),
+        }),
+      );
+    });
+  });
 });

api/models/Prompt.js

@@ -1,4 +1,5 @@
 const { ObjectId } = require('mongodb');
+const { escapeRegExp } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const {
   Constants,
@@ -14,7 +15,6 @@ const {
 } = require('./Project');
 const { removeAllPermissions } = require('~/server/services/PermissionService');
 const { PromptGroup, Prompt, AclEntry } = require('~/db/models');
-const { escapeRegExp } = require('~/server/utils');
 
 /**
  * Create a pipeline for the aggregation to get prompt groups

api/models/tx.js

@@ -141,6 +141,7 @@ const tokenValues = Object.assign(
     'command-r': { prompt: 0.5, completion: 1.5 },
     'command-r-plus': { prompt: 3, completion: 15 },
     'command-text': { prompt: 1.5, completion: 2.0 },
+    'deepseek-chat': { prompt: 0.28, completion: 0.42 },
     'deepseek-reasoner': { prompt: 0.28, completion: 0.42 },
     'deepseek-r1': { prompt: 0.4, completion: 2.0 },
     'deepseek-v3': { prompt: 0.2, completion: 0.8 },
@@ -173,6 +174,9 @@ const tokenValues = Object.assign(
     'grok-3-mini': { prompt: 0.3, completion: 0.5 },
     'grok-3-mini-fast': { prompt: 0.6, completion: 4 },
     'grok-4': { prompt: 3.0, completion: 15.0 },
+    'grok-4-fast': { prompt: 0.2, completion: 0.5 },
+    'grok-4-1-fast': { prompt: 0.2, completion: 0.5 }, // covers reasoning & non-reasoning variants
+    'grok-code-fast': { prompt: 0.2, completion: 1.5 },
     codestral: { prompt: 0.3, completion: 0.9 },
     'ministral-3b': { prompt: 0.04, completion: 0.04 },
     'ministral-8b': { prompt: 0.1, completion: 0.1 },
@@ -243,6 +247,10 @@ const cacheTokenValues = {
   'claude-sonnet-4': { write: 3.75, read: 0.3 },
   'claude-opus-4': { write: 18.75, read: 1.5 },
   'claude-opus-4-5': { write: 6.25, read: 0.5 },
+  // DeepSeek models - cache hit: $0.028/1M, cache miss: $0.28/1M
+  deepseek: { write: 0.28, read: 0.028 },
+  'deepseek-chat': { write: 0.28, read: 0.028 },
+  'deepseek-reasoner': { write: 0.28, read: 0.028 },
 };
 
 /**

api/models/tx.spec.js

@@ -766,6 +766,78 @@ describe('Deepseek Model Tests', () => {
     const result = tokenValues[valueKey].prompt && multiplier === tokenValues[valueKey].prompt;
     expect(result).toBe(true);
   });
+
+  it('should return correct pricing for deepseek-chat', () => {
+    expect(getMultiplier({ model: 'deepseek-chat', tokenType: 'prompt' })).toBe(
+      tokenValues['deepseek-chat'].prompt,
+    );
+    expect(getMultiplier({ model: 'deepseek-chat', tokenType: 'completion' })).toBe(
+      tokenValues['deepseek-chat'].completion,
+    );
+    expect(tokenValues['deepseek-chat'].prompt).toBe(0.28);
+    expect(tokenValues['deepseek-chat'].completion).toBe(0.42);
+  });
+
+  it('should return correct pricing for deepseek-reasoner', () => {
+    expect(getMultiplier({ model: 'deepseek-reasoner', tokenType: 'prompt' })).toBe(
+      tokenValues['deepseek-reasoner'].prompt,
+    );
+    expect(getMultiplier({ model: 'deepseek-reasoner', tokenType: 'completion' })).toBe(
+      tokenValues['deepseek-reasoner'].completion,
+    );
+    expect(tokenValues['deepseek-reasoner'].prompt).toBe(0.28);
+    expect(tokenValues['deepseek-reasoner'].completion).toBe(0.42);
+  });
+
+  it('should handle DeepSeek model name variations with provider prefixes', () => {
+    const modelVariations = [
+      'deepseek/deepseek-chat',
+      'openrouter/deepseek-chat',
+      'deepseek/deepseek-reasoner',
+    ];
+
+    modelVariations.forEach((model) => {
+      const promptMultiplier = getMultiplier({ model, tokenType: 'prompt' });
+      const completionMultiplier = getMultiplier({ model, tokenType: 'completion' });
+      expect(promptMultiplier).toBe(0.28);
+      expect(completionMultiplier).toBe(0.42);
+    });
+  });
+
+  it('should return correct cache multipliers for DeepSeek models', () => {
+    expect(getCacheMultiplier({ model: 'deepseek-chat', cacheType: 'write' })).toBe(
+      cacheTokenValues['deepseek-chat'].write,
+    );
+    expect(getCacheMultiplier({ model: 'deepseek-chat', cacheType: 'read' })).toBe(
+      cacheTokenValues['deepseek-chat'].read,
+    );
+    expect(getCacheMultiplier({ model: 'deepseek-reasoner', cacheType: 'write' })).toBe(
+      cacheTokenValues['deepseek-reasoner'].write,
+    );
+    expect(getCacheMultiplier({ model: 'deepseek-reasoner', cacheType: 'read' })).toBe(
+      cacheTokenValues['deepseek-reasoner'].read,
+    );
+  });
+
+  it('should return correct cache pricing values for DeepSeek models', () => {
+    expect(cacheTokenValues['deepseek-chat'].write).toBe(0.28);
+    expect(cacheTokenValues['deepseek-chat'].read).toBe(0.028);
+    expect(cacheTokenValues['deepseek-reasoner'].write).toBe(0.28);
+    expect(cacheTokenValues['deepseek-reasoner'].read).toBe(0.028);
+    expect(cacheTokenValues['deepseek'].write).toBe(0.28);
+    expect(cacheTokenValues['deepseek'].read).toBe(0.028);
+  });
+
+  it('should handle DeepSeek cache multipliers with model variations', () => {
+    const modelVariations = ['deepseek/deepseek-chat', 'openrouter/deepseek-reasoner'];
+
+    modelVariations.forEach((model) => {
+      const writeMultiplier = getCacheMultiplier({ model, cacheType: 'write' });
+      const readMultiplier = getCacheMultiplier({ model, cacheType: 'read' });
+      expect(writeMultiplier).toBe(0.28);
+      expect(readMultiplier).toBe(0.028);
+    });
+  });
 });
 
 describe('Qwen3 Model Tests', () => {
@@ -1205,6 +1277,39 @@ describe('Grok Model Tests - Pricing', () => {
       );
     });
 
+    test('should return correct prompt and completion rates for Grok 4 Fast model', () => {
+      expect(getMultiplier({ model: 'grok-4-fast', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4-fast'].prompt,
+      );
+      expect(getMultiplier({ model: 'grok-4-fast', tokenType: 'completion' })).toBe(
+        tokenValues['grok-4-fast'].completion,
+      );
+    });
+
+    test('should return correct prompt and completion rates for Grok 4.1 Fast models', () => {
+      expect(getMultiplier({ model: 'grok-4-1-fast-reasoning', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4-1-fast'].prompt,
+      );
+      expect(getMultiplier({ model: 'grok-4-1-fast-reasoning', tokenType: 'completion' })).toBe(
+        tokenValues['grok-4-1-fast'].completion,
+      );
+      expect(getMultiplier({ model: 'grok-4-1-fast-non-reasoning', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4-1-fast'].prompt,
+      );
+      expect(getMultiplier({ model: 'grok-4-1-fast-non-reasoning', tokenType: 'completion' })).toBe(
+        tokenValues['grok-4-1-fast'].completion,
+      );
+    });
+
+    test('should return correct prompt and completion rates for Grok Code Fast model', () => {
+      expect(getMultiplier({ model: 'grok-code-fast-1', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-code-fast'].prompt,
+      );
+      expect(getMultiplier({ model: 'grok-code-fast-1', tokenType: 'completion' })).toBe(
+        tokenValues['grok-code-fast'].completion,
+      );
+    });
+
     test('should return correct prompt and completion rates for Grok 3 models with prefixes', () => {
       expect(getMultiplier({ model: 'xai/grok-3', tokenType: 'prompt' })).toBe(
         tokenValues['grok-3'].prompt,
@@ -1240,6 +1345,39 @@ describe('Grok Model Tests - Pricing', () => {
         tokenValues['grok-4'].completion,
       );
     });
+
+    test('should return correct prompt and completion rates for Grok 4 Fast model with prefixes', () => {
+      expect(getMultiplier({ model: 'xai/grok-4-fast', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4-fast'].prompt,
+      );
+      expect(getMultiplier({ model: 'xai/grok-4-fast', tokenType: 'completion' })).toBe(
+        tokenValues['grok-4-fast'].completion,
+      );
+    });
+
+    test('should return correct prompt and completion rates for Grok 4.1 Fast models with prefixes', () => {
+      expect(getMultiplier({ model: 'xai/grok-4-1-fast-reasoning', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4-1-fast'].prompt,
+      );
+      expect(getMultiplier({ model: 'xai/grok-4-1-fast-reasoning', tokenType: 'completion' })).toBe(
+        tokenValues['grok-4-1-fast'].completion,
+      );
+      expect(getMultiplier({ model: 'xai/grok-4-1-fast-non-reasoning', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4-1-fast'].prompt,
+      );
+      expect(
+        getMultiplier({ model: 'xai/grok-4-1-fast-non-reasoning', tokenType: 'completion' }),
+      ).toBe(tokenValues['grok-4-1-fast'].completion);
+    });
+
+    test('should return correct prompt and completion rates for Grok Code Fast model with prefixes', () => {
+      expect(getMultiplier({ model: 'xai/grok-code-fast-1', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-code-fast'].prompt,
+      );
+      expect(getMultiplier({ model: 'xai/grok-code-fast-1', tokenType: 'completion' })).toBe(
+        tokenValues['grok-code-fast'].completion,
+      );
+    });
   });
 });
 

api/package.json

@@ -47,7 +47,7 @@
     "@langchain/google-genai": "^0.2.13",
     "@langchain/google-vertexai": "^0.2.13",
     "@langchain/textsplitters": "^0.1.0",
-    "@librechat/agents": "^3.0.32",
+    "@librechat/agents": "^3.0.36",
     "@librechat/api": "*",
     "@librechat/data-schemas": "*",
     "@microsoft/microsoft-graph-client": "^3.0.7",
@@ -92,7 +92,7 @@
     "multer": "^2.0.2",
     "nanoid": "^3.3.7",
     "node-fetch": "^2.7.0",
-    "nodemailer": "^7.0.9",
+    "nodemailer": "^7.0.11",
     "ollama": "^0.5.0",
     "openai": "5.8.2",
     "openid-client": "^6.5.0",

api/server/controllers/agents/request.js

@@ -1,6 +1,10 @@
-const { sendEvent } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const { Constants } = require('librechat-data-provider');
+const {
+  sendEvent,
+  sanitizeFileForTransmit,
+  sanitizeMessageForTransmit,
+} = require('@librechat/api');
 const {
   handleAbortError,
   createAbortController,
@@ -224,13 +228,13 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
     conversation.title =
       conversation && !conversation.title ? null : conversation?.title || 'New Chat';
 
-    // Process files if needed
+    // Process files if needed (sanitize to remove large text fields before transmission)
     if (req.body.files && client.options?.attachments) {
       userMessage.files = [];
       const messageFiles = new Set(req.body.files.map((file) => file.file_id));
-      for (let attachment of client.options.attachments) {
+      for (const attachment of client.options.attachments) {
         if (messageFiles.has(attachment.file_id)) {
-          userMessage.files.push({ ...attachment });
+          userMessage.files.push(sanitizeFileForTransmit(attachment));
         }
       }
       delete userMessage.image_urls;
@@ -245,7 +249,7 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
         final: true,
         conversation,
         title: conversation.title,
-        requestMessage: userMessage,
+        requestMessage: sanitizeMessageForTransmit(userMessage),
         responseMessage: finalResponse,
       });
       res.end();
@@ -273,7 +277,7 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
         final: true,
         conversation,
         title: conversation.title,
-        requestMessage: userMessage,
+        requestMessage: sanitizeMessageForTransmit(userMessage),
         responseMessage: finalResponse,
         error: { message: 'Request was aborted during completion' },
       });

api/server/controllers/assistants/chatV1.js

@@ -1,7 +1,7 @@
 const { v4 } = require('uuid');
 const { sleep } = require('@librechat/agents');
 const { logger } = require('@librechat/data-schemas');
-const { sendEvent, getBalanceConfig, getModelMaxTokens } = require('@librechat/api');
+const { sendEvent, getBalanceConfig, getModelMaxTokens, countTokens } = require('@librechat/api');
 const {
   Time,
   Constants,
@@ -33,7 +33,6 @@ const { getTransactions } = require('~/models/Transaction');
 const { checkBalance } = require('~/models/balanceMethods');
 const { getConvo } = require('~/models/Conversation');
 const getLogStores = require('~/cache/getLogStores');
-const { countTokens } = require('~/server/utils');
 const { getOpenAIClient } = require('./helpers');
 
 /**

api/server/controllers/assistants/chatV2.js

@@ -1,7 +1,7 @@
 const { v4 } = require('uuid');
 const { sleep } = require('@librechat/agents');
 const { logger } = require('@librechat/data-schemas');
-const { sendEvent, getBalanceConfig, getModelMaxTokens } = require('@librechat/api');
+const { sendEvent, getBalanceConfig, getModelMaxTokens, countTokens } = require('@librechat/api');
 const {
   Time,
   Constants,
@@ -30,7 +30,6 @@ const { getTransactions } = require('~/models/Transaction');
 const { checkBalance } = require('~/models/balanceMethods');
 const { getConvo } = require('~/models/Conversation');
 const getLogStores = require('~/cache/getLogStores');
-const { countTokens } = require('~/server/utils');
 const { getOpenAIClient } = require('./helpers');
 
 /**

api/server/experimental.js

@@ -16,6 +16,7 @@ const {
   isEnabled,
   ErrorController,
   performStartupChecks,
+  handleJsonParseError,
   initializeFileStorage,
 } = require('@librechat/api');
 const { connectDb, indexSync } = require('~/db');
@@ -245,6 +246,7 @@ if (cluster.isMaster) {
     app.use(noIndex);
     app.use(express.json({ limit: '3mb' }));
     app.use(express.urlencoded({ extended: true, limit: '3mb' }));
+    app.use(handleJsonParseError);
     app.use(mongoSanitize());
     app.use(cors());
     app.use(cookieParser());
@@ -290,7 +292,6 @@ if (cluster.isMaster) {
     app.use('/api/presets', routes.presets);
     app.use('/api/prompts', routes.prompts);
     app.use('/api/categories', routes.categories);
-    app.use('/api/tokenizer', routes.tokenizer);
     app.use('/api/endpoints', routes.endpoints);
     app.use('/api/balance', routes.balance);
     app.use('/api/models', routes.models);

api/server/index.js

@@ -14,6 +14,7 @@ const {
   isEnabled,
   ErrorController,
   performStartupChecks,
+  handleJsonParseError,
   initializeFileStorage,
 } = require('@librechat/api');
 const { connectDb, indexSync } = require('~/db');
@@ -81,6 +82,7 @@ const startServer = async () => {
   app.use(noIndex);
   app.use(express.json({ limit: '3mb' }));
   app.use(express.urlencoded({ extended: true, limit: '3mb' }));
+  app.use(handleJsonParseError);
   app.use(mongoSanitize());
   app.use(cors());
   app.use(cookieParser());
@@ -126,7 +128,6 @@ const startServer = async () => {
   app.use('/api/presets', routes.presets);
   app.use('/api/prompts', routes.prompts);
   app.use('/api/categories', routes.categories);
-  app.use('/api/tokenizer', routes.tokenizer);
   app.use('/api/endpoints', routes.endpoints);
   app.use('/api/balance', routes.balance);
   app.use('/api/models', routes.models);

api/server/middleware/abortMiddleware.js

@@ -1,5 +1,5 @@
 const { logger } = require('@librechat/data-schemas');
-const { countTokens, isEnabled, sendEvent } = require('@librechat/api');
+const { countTokens, isEnabled, sendEvent, sanitizeMessageForTransmit } = require('@librechat/api');
 const { isAssistantsEndpoint, ErrorTypes, Constants } = require('librechat-data-provider');
 const { truncateText, smartTruncateText } = require('~/app/clients/prompts');
 const clearPendingReq = require('~/cache/clearPendingReq');
@@ -290,7 +290,7 @@ const createAbortController = (req, res, getAbortData, getReqData) => {
       title: conversation && !conversation.title ? null : conversation?.title || 'New Chat',
       final: true,
       conversation,
-      requestMessage: userMessage,
+      requestMessage: sanitizeMessageForTransmit(userMessage),
       responseMessage: responseMessage,
     };
   };

api/server/middleware/buildEndpointOption.js

@@ -61,18 +61,24 @@ async function buildEndpointOption(req, res, next) {
 
     try {
       currentModelSpec.preset.spec = spec;
-      if (currentModelSpec.iconURL != null && currentModelSpec.iconURL !== '') {
-        currentModelSpec.preset.iconURL = currentModelSpec.iconURL;
-      }
       parsedBody = parseCompactConvo({
         endpoint,
         endpointType,
         conversation: currentModelSpec.preset,
       });
+      if (currentModelSpec.iconURL != null && currentModelSpec.iconURL !== '') {
+        parsedBody.iconURL = currentModelSpec.iconURL;
+      }
     } catch (error) {
       logger.error(`Error parsing model spec for endpoint ${endpoint}`, error);
       return handleError(res, { text: 'Error parsing model spec' });
     }
+  } else if (parsedBody.spec && appConfig.modelSpecs?.list) {
+    // Non-enforced mode: if spec is selected, derive iconURL from model spec
+    const modelSpec = appConfig.modelSpecs.list.find((s) => s.name === parsedBody.spec);
+    if (modelSpec?.iconURL) {
+      parsedBody.iconURL = modelSpec.iconURL;
+    }
   }
 
   try {

api/server/middleware/error.js

@@ -1,7 +1,7 @@
 const crypto = require('crypto');
 const { logger } = require('@librechat/data-schemas');
 const { parseConvo } = require('librechat-data-provider');
-const { sendEvent, handleError } = require('@librechat/api');
+const { sendEvent, handleError, sanitizeMessageForTransmit } = require('@librechat/api');
 const { saveMessage, getMessages } = require('~/models/Message');
 const { getConvo } = require('~/models/Conversation');
 
@@ -71,7 +71,7 @@ const sendError = async (req, res, options, callback) => {
 
     return sendEvent(res, {
       final: true,
-      requestMessage: query?.[0] ? query[0] : requestMessage,
+      requestMessage: sanitizeMessageForTransmit(query?.[0] ?? requestMessage),
       responseMessage: errorMessage,
       conversation: convo,
     });

api/server/routes/index.js

@@ -1,7 +1,6 @@
 const accessPermissions = require('./accessPermissions');
 const assistants = require('./assistants');
 const categories = require('./categories');
-const tokenizer = require('./tokenizer');
 const endpoints = require('./endpoints');
 const staticRoute = require('./static');
 const messages = require('./messages');
@@ -53,7 +52,6 @@ module.exports = {
   messages,
   memories,
   endpoints,
-  tokenizer,
   assistants,
   categories,
   staticRoute,

api/server/routes/messages.js

@@ -1,7 +1,7 @@
 const express = require('express');
-const { unescapeLaTeX } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const { ContentTypes } = require('librechat-data-provider');
+const { unescapeLaTeX, countTokens } = require('@librechat/api');
 const {
   saveConvo,
   getMessage,
@@ -14,7 +14,6 @@ const { findAllArtifacts, replaceArtifactContent } = require('~/server/services/
 const { requireJwtAuth, validateMessageReq } = require('~/server/middleware');
 const { cleanUpPrimaryKeyValue } = require('~/lib/utils/misc');
 const { getConvosQueried } = require('~/models/Conversation');
-const { countTokens } = require('~/server/utils');
 const { Message } = require('~/db/models');
 
 const router = express.Router();

api/server/routes/prompts.js

@@ -5,6 +5,7 @@ const {
   markPublicPromptGroups,
   buildPromptGroupFilter,
   formatPromptGroupsResponse,
+  safeValidatePromptGroupUpdate,
   createEmptyPromptGroupsResponse,
   filterAccessibleIdsBySharedLogic,
 } = require('@librechat/api');
@@ -344,7 +345,16 @@ const patchPromptGroup = async (req, res) => {
     if (req.user.role === SystemRoles.ADMIN) {
       delete filter.author;
     }
-    const promptGroup = await updatePromptGroup(filter, req.body);
+
+    const validationResult = safeValidatePromptGroupUpdate(req.body);
+    if (!validationResult.success) {
+      return res.status(400).send({
+        error: 'Invalid request body',
+        details: validationResult.error.errors,
+      });
+    }
+
+    const promptGroup = await updatePromptGroup(filter, validationResult.data);
     res.status(200).send(promptGroup);
   } catch (error) {
     logger.error(error);

api/server/routes/prompts.test.js

@@ -544,6 +544,169 @@ describe('Prompt Routes - ACL Permissions', () => {
     });
   });
 
+  describe('PATCH /api/prompts/groups/:groupId - Update Prompt Group Security', () => {
+    let testGroup;
+
+    beforeEach(async () => {
+      // Create a prompt group
+      testGroup = await PromptGroup.create({
+        name: 'Security Test Group',
+        category: 'security-test',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      // Grant owner permissions
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+    });
+
+    afterEach(async () => {
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('should allow updating allowed fields (name, category, oneliner)', async () => {
+      const updateData = {
+        name: 'Updated Group Name',
+        category: 'updated-category',
+        oneliner: 'Updated description',
+      };
+
+      const response = await request(app)
+        .patch(`/api/prompts/groups/${testGroup._id}`)
+        .send(updateData)
+        .expect(200);
+
+      expect(response.body.name).toBe(updateData.name);
+      expect(response.body.category).toBe(updateData.category);
+      expect(response.body.oneliner).toBe(updateData.oneliner);
+    });
+
+    it('should reject request with author field (400 Bad Request)', async () => {
+      const maliciousUpdate = {
+        name: 'Legit Update',
+        author: testUsers.noAccess._id.toString(), // Try to change ownership
+      };
+
+      const response = await request(app)
+        .patch(`/api/prompts/groups/${testGroup._id}`)
+        .send(maliciousUpdate)
+        .expect(400);
+
+      // Verify the request was rejected
+      expect(response.body.error).toBe('Invalid request body');
+      expect(response.body.details).toBeDefined();
+    });
+
+    it('should reject request with authorName field (400 Bad Request)', async () => {
+      const maliciousUpdate = {
+        name: 'Legit Update',
+        authorName: 'Malicious Author Name',
+      };
+
+      const response = await request(app)
+        .patch(`/api/prompts/groups/${testGroup._id}`)
+        .send(maliciousUpdate)
+        .expect(400);
+
+      // Verify the request was rejected
+      expect(response.body.error).toBe('Invalid request body');
+    });
+
+    it('should reject request with _id field (400 Bad Request)', async () => {
+      const newId = new ObjectId();
+      const maliciousUpdate = {
+        name: 'Legit Update',
+        _id: newId.toString(),
+      };
+
+      const response = await request(app)
+        .patch(`/api/prompts/groups/${testGroup._id}`)
+        .send(maliciousUpdate)
+        .expect(400);
+
+      // Verify the request was rejected
+      expect(response.body.error).toBe('Invalid request body');
+    });
+
+    it('should reject request with productionId field (400 Bad Request)', async () => {
+      const newProductionId = new ObjectId();
+      const maliciousUpdate = {
+        name: 'Legit Update',
+        productionId: newProductionId.toString(),
+      };
+
+      const response = await request(app)
+        .patch(`/api/prompts/groups/${testGroup._id}`)
+        .send(maliciousUpdate)
+        .expect(400);
+
+      // Verify the request was rejected
+      expect(response.body.error).toBe('Invalid request body');
+    });
+
+    it('should reject request with createdAt field (400 Bad Request)', async () => {
+      const maliciousDate = new Date('2020-01-01');
+      const maliciousUpdate = {
+        name: 'Legit Update',
+        createdAt: maliciousDate.toISOString(),
+      };
+
+      const response = await request(app)
+        .patch(`/api/prompts/groups/${testGroup._id}`)
+        .send(maliciousUpdate)
+        .expect(400);
+
+      // Verify the request was rejected
+      expect(response.body.error).toBe('Invalid request body');
+    });
+
+    it('should reject request with __v field (400 Bad Request)', async () => {
+      const maliciousUpdate = {
+        name: 'Legit Update',
+        __v: 999,
+      };
+
+      const response = await request(app)
+        .patch(`/api/prompts/groups/${testGroup._id}`)
+        .send(maliciousUpdate)
+        .expect(400);
+
+      // Verify the request was rejected
+      expect(response.body.error).toBe('Invalid request body');
+    });
+
+    it('should reject request with multiple sensitive fields (400 Bad Request)', async () => {
+      const maliciousUpdate = {
+        name: 'Legit Update',
+        author: testUsers.noAccess._id.toString(),
+        authorName: 'Hacker',
+        _id: new ObjectId().toString(),
+        productionId: new ObjectId().toString(),
+        createdAt: new Date('2020-01-01').toISOString(),
+        __v: 999,
+      };
+
+      const response = await request(app)
+        .patch(`/api/prompts/groups/${testGroup._id}`)
+        .send(maliciousUpdate)
+        .expect(400);
+
+      // Verify the request was rejected with validation errors
+      expect(response.body.error).toBe('Invalid request body');
+      expect(response.body.details).toBeDefined();
+      expect(Array.isArray(response.body.details)).toBe(true);
+    });
+  });
+
   describe('Pagination', () => {
     beforeEach(async () => {
       // Create multiple prompt groups for pagination testing

api/server/routes/tokenizer.js

@@ -1,19 +0,0 @@
-const express = require('express');
-const { logger } = require('@librechat/data-schemas');
-const requireJwtAuth = require('~/server/middleware/requireJwtAuth');
-const { countTokens } = require('~/server/utils');
-
-const router = express.Router();
-
-router.post('/', requireJwtAuth, async (req, res) => {
-  try {
-    const { arg } = req.body;
-    const count = await countTokens(arg?.text ?? arg);
-    res.send({ count });
-  } catch (e) {
-    logger.error('[/tokenizer] Error counting tokens', e);
-    res.status(500).json('Error counting tokens');
-  }
-});
-
-module.exports = router;

api/server/services/Endpoints/assistants/initalize.js

@@ -1,5 +1,6 @@
 const OpenAI = require('openai');
 const { ProxyAgent } = require('undici');
+const { isUserProvided } = require('@librechat/api');
 const { ErrorTypes, EModelEndpoint } = require('librechat-data-provider');
 const {
   getUserKeyValues,
@@ -7,7 +8,6 @@ const {
   checkUserKeyExpiry,
 } = require('~/server/services/UserService');
 const OAIClient = require('~/app/clients/OpenAIClient');
-const { isUserProvided } = require('~/server/utils');
 
 const initializeClient = async ({ req, res, endpointOption, version, initAppClient = false }) => {
   const { PROXY, OPENAI_ORGANIZATION, ASSISTANTS_API_KEY, ASSISTANTS_BASE_URL } = process.env;

api/server/services/Endpoints/index.js

@@ -12,14 +12,13 @@ const initGoogle = require('~/server/services/Endpoints/google/initialize');
  * @returns {boolean} - True if the provider is a known custom provider, false otherwise
  */
 function isKnownCustomProvider(provider) {
-  return [Providers.XAI, Providers.OLLAMA, Providers.DEEPSEEK, Providers.OPENROUTER].includes(
+  return [Providers.XAI, Providers.DEEPSEEK, Providers.OPENROUTER].includes(
     provider?.toLowerCase() || '',
   );
 }
 
 const providerConfigMap = {
   [Providers.XAI]: initCustom,
-  [Providers.OLLAMA]: initCustom,
   [Providers.DEEPSEEK]: initCustom,
   [Providers.OPENROUTER]: initCustom,
   [EModelEndpoint.openAI]: initOpenAI,

api/server/services/ModelService.js

@@ -1,11 +1,14 @@
 const axios = require('axios');
-const { Providers } = require('@librechat/agents');
 const { logger } = require('@librechat/data-schemas');
 const { HttpsProxyAgent } = require('https-proxy-agent');
-const { logAxiosError, inputSchema, processModelData } = require('@librechat/api');
-const { EModelEndpoint, defaultModels, CacheKeys } = require('librechat-data-provider');
+const { logAxiosError, inputSchema, processModelData, isUserProvided } = require('@librechat/api');
+const {
+  CacheKeys,
+  defaultModels,
+  KnownEndpoints,
+  EModelEndpoint,
+} = require('librechat-data-provider');
 const { OllamaClient } = require('~/app/clients/OllamaClient');
-const { isUserProvided } = require('~/server/utils');
 const getLogStores = require('~/cache/getLogStores');
 const { extractBaseURL } = require('~/utils');
 
@@ -68,7 +71,7 @@ const fetchModels = async ({
     return models;
   }
 
-  if (name && name.toLowerCase().startsWith(Providers.OLLAMA)) {
+  if (name && name.toLowerCase().startsWith(KnownEndpoints.ollama)) {
     try {
       return await OllamaClient.fetchModels(baseURL, { headers, user: userObject });
     } catch (ollamaError) {
@@ -103,7 +106,7 @@ const fetchModels = async ({
       options.headers['OpenAI-Organization'] = process.env.OPENAI_ORGANIZATION;
     }
 
-    const url = new URL(`${baseURL}${azure ? '' : '/models'}`);
+    const url = new URL(`${baseURL.replace(/\/+$/, '')}${azure ? '' : '/models'}`);
     if (user && userIdQuery) {
       url.searchParams.append('user', user);
     }

api/server/services/ModelService.spec.js

@@ -436,6 +436,68 @@ describe('fetchModels with Ollama specific logic', () => {
   });
 });
 
+describe('fetchModels URL construction with trailing slashes', () => {
+  beforeEach(() => {
+    axios.get.mockResolvedValue({
+      data: {
+        data: [{ id: 'model-1' }, { id: 'model-2' }],
+      },
+    });
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should not create double slashes when baseURL has a trailing slash', async () => {
+    await fetchModels({
+      user: 'user123',
+      apiKey: 'testApiKey',
+      baseURL: 'https://api.test.com/v1/',
+      name: 'TestAPI',
+    });
+
+    expect(axios.get).toHaveBeenCalledWith('https://api.test.com/v1/models', expect.any(Object));
+  });
+
+  it('should handle baseURL without trailing slash normally', async () => {
+    await fetchModels({
+      user: 'user123',
+      apiKey: 'testApiKey',
+      baseURL: 'https://api.test.com/v1',
+      name: 'TestAPI',
+    });
+
+    expect(axios.get).toHaveBeenCalledWith('https://api.test.com/v1/models', expect.any(Object));
+  });
+
+  it('should handle baseURL with multiple trailing slashes', async () => {
+    await fetchModels({
+      user: 'user123',
+      apiKey: 'testApiKey',
+      baseURL: 'https://api.test.com/v1///',
+      name: 'TestAPI',
+    });
+
+    expect(axios.get).toHaveBeenCalledWith('https://api.test.com/v1/models', expect.any(Object));
+  });
+
+  it('should correctly append query params after stripping trailing slashes', async () => {
+    await fetchModels({
+      user: 'user123',
+      apiKey: 'testApiKey',
+      baseURL: 'https://api.test.com/v1/',
+      name: 'TestAPI',
+      userIdQuery: true,
+    });
+
+    expect(axios.get).toHaveBeenCalledWith(
+      'https://api.test.com/v1/models?user=user123',
+      expect.any(Object),
+    );
+  });
+});
+
 describe('splitAndTrim', () => {
   it('should split a string by commas and trim each value', () => {
     const input = ' model1, model2 , model3,model4 ';

api/server/services/PermissionService.js

@@ -292,7 +292,7 @@ const ensurePrincipalExists = async function (principal) {
     let existingUser = await findUser({ idOnTheSource: principal.idOnTheSource });
 
     if (!existingUser) {
-      existingUser = await findUser({ email: principal.email.toLowerCase() });
+      existingUser = await findUser({ email: principal.email });
     }
 
     if (existingUser) {

api/server/services/Threads/manage.js

@@ -1,5 +1,6 @@
 const path = require('path');
 const { v4 } = require('uuid');
+const { countTokens, escapeRegExp } = require('@librechat/api');
 const {
   Constants,
   ContentTypes,
@@ -8,7 +9,6 @@ const {
 } = require('librechat-data-provider');
 const { retrieveAndProcessFile } = require('~/server/services/Files/process');
 const { recordMessage, getMessages } = require('~/models/Message');
-const { countTokens, escapeRegExp } = require('~/server/utils');
 const { spendTokens } = require('~/models/spendTokens');
 const { saveConvo } = require('~/models/Conversation');
 

api/server/utils/countTokens.js

@@ -1,37 +0,0 @@
-const { Tiktoken } = require('tiktoken/lite');
-const { logger } = require('@librechat/data-schemas');
-const p50k_base = require('tiktoken/encoders/p50k_base.json');
-const cl100k_base = require('tiktoken/encoders/cl100k_base.json');
-
-/**
- * Counts the number of tokens in a given text using a specified encoding model.
- *
- * This function utilizes the 'Tiktoken' library to encode text based on the selected model.
- * It supports two models, 'text-davinci-003' and 'gpt-3.5-turbo', each with its own encoding strategy.
- * For 'text-davinci-003', the 'p50k_base' encoder is used, whereas for other models, the 'cl100k_base' encoder is applied.
- * In case of an error during encoding, the error is logged, and the function returns 0.
- *
- * @async
- * @param {string} text - The text to be tokenized. Defaults to an empty string if not provided.
- * @param {string} modelName - The name of the model used for tokenizing. Defaults to 'gpt-3.5-turbo'.
- * @returns {Promise<number>} The number of tokens in the provided text. Returns 0 if an error occurs.
- * @throws Logs the error to a logger and rethrows if any error occurs during tokenization.
- */
-const countTokens = async (text = '', modelName = 'gpt-3.5-turbo') => {
-  let encoder = null;
-  try {
-    const model = modelName.includes('text-davinci-003') ? p50k_base : cl100k_base;
-    encoder = new Tiktoken(model.bpe_ranks, model.special_tokens, model.pat_str);
-    const tokens = encoder.encode(text);
-    encoder.free();
-    return tokens.length;
-  } catch (e) {
-    logger.error('[countTokens]', e);
-    if (encoder) {
-      encoder.free();
-    }
-    return 0;
-  }
-};
-
-module.exports = countTokens;

api/server/utils/handleText.js

@@ -10,14 +10,6 @@ const {
 const { sendEvent } = require('@librechat/api');
 const partialRight = require('lodash/partialRight');
 
-/** Helper function to escape special characters in regex
- * @param {string} string - The string to escape.
- * @returns {string} The escaped string.
- */
-function escapeRegExp(string) {
-  return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-
 const addSpaceIfNeeded = (text) => (text.length > 0 && !text.endsWith(' ') ? text + ' ' : text);
 
 const base = { message: true, initial: true };
@@ -181,7 +173,6 @@ function generateConfig(key, baseURL, endpoint) {
 module.exports = {
   handleText,
   formatSteps,
-  escapeRegExp,
   formatAction,
   isUserProvided,
   generateConfig,

api/server/utils/index.js

@@ -1,5 +1,4 @@
 const removePorts = require('./removePorts');
-const countTokens = require('./countTokens');
 const handleText = require('./handleText');
 const sendEmail = require('./sendEmail');
 const queue = require('./queue');
@@ -7,7 +6,6 @@ const files = require('./files');
 
 module.exports = {
   ...handleText,
-  countTokens,
   removePorts,
   sendEmail,
   ...files,

api/strategies/socialLogin.test.js

@@ -172,6 +172,7 @@ describe('socialLogin', () => {
 
       /** Verify both searches happened */
       expect(findUser).toHaveBeenNthCalledWith(1, { googleId: googleId });
+      /** Email passed as-is; findUser implementation handles case normalization */
       expect(findUser).toHaveBeenNthCalledWith(2, { email: email });
       expect(findUser).toHaveBeenCalledTimes(2);
 

api/utils/tokens.spec.js

@@ -665,7 +665,7 @@ describe('Meta Models Tests', () => {
 
     test('should match Deepseek model variations', () => {
       expect(getModelMaxTokens('deepseek-chat')).toBe(
-        maxTokensMap[EModelEndpoint.openAI]['deepseek'],
+        maxTokensMap[EModelEndpoint.openAI]['deepseek-chat'],
       );
       expect(getModelMaxTokens('deepseek-coder')).toBe(
         maxTokensMap[EModelEndpoint.openAI]['deepseek'],
@@ -677,6 +677,20 @@ describe('Meta Models Tests', () => {
         maxTokensMap[EModelEndpoint.openAI]['deepseek.r1'],
       );
     });
+
+    test('should return 128000 context tokens for all DeepSeek models', () => {
+      expect(getModelMaxTokens('deepseek-chat')).toBe(128000);
+      expect(getModelMaxTokens('deepseek-reasoner')).toBe(128000);
+      expect(getModelMaxTokens('deepseek-r1')).toBe(128000);
+      expect(getModelMaxTokens('deepseek-v3')).toBe(128000);
+      expect(getModelMaxTokens('deepseek.r1')).toBe(128000);
+    });
+
+    test('should handle DeepSeek models with provider prefixes', () => {
+      expect(getModelMaxTokens('deepseek/deepseek-chat')).toBe(128000);
+      expect(getModelMaxTokens('openrouter/deepseek-reasoner')).toBe(128000);
+      expect(getModelMaxTokens('openai/deepseek-v3')).toBe(128000);
+    });
   });
 
   describe('matchModelName', () => {
@@ -705,11 +719,42 @@ describe('Meta Models Tests', () => {
     });
 
     test('should match Deepseek model variations', () => {
-      expect(matchModelName('deepseek-chat')).toBe('deepseek');
+      expect(matchModelName('deepseek-chat')).toBe('deepseek-chat');
       expect(matchModelName('deepseek-coder')).toBe('deepseek');
     });
   });
 
+  describe('DeepSeek Max Output Tokens', () => {
+    const { getModelMaxOutputTokens } = require('@librechat/api');
+
+    test('should return correct max output tokens for deepseek-chat', () => {
+      expect(getModelMaxOutputTokens('deepseek-chat')).toBe(8000);
+      expect(getModelMaxOutputTokens('deepseek-chat', EModelEndpoint.openAI)).toBe(8000);
+      expect(getModelMaxOutputTokens('deepseek-chat', EModelEndpoint.custom)).toBe(8000);
+    });
+
+    test('should return correct max output tokens for deepseek-reasoner', () => {
+      expect(getModelMaxOutputTokens('deepseek-reasoner')).toBe(64000);
+      expect(getModelMaxOutputTokens('deepseek-reasoner', EModelEndpoint.openAI)).toBe(64000);
+      expect(getModelMaxOutputTokens('deepseek-reasoner', EModelEndpoint.custom)).toBe(64000);
+    });
+
+    test('should return correct max output tokens for deepseek-r1', () => {
+      expect(getModelMaxOutputTokens('deepseek-r1')).toBe(64000);
+      expect(getModelMaxOutputTokens('deepseek-r1', EModelEndpoint.openAI)).toBe(64000);
+    });
+
+    test('should return correct max output tokens for deepseek base pattern', () => {
+      expect(getModelMaxOutputTokens('deepseek')).toBe(8000);
+      expect(getModelMaxOutputTokens('deepseek-v3')).toBe(8000);
+    });
+
+    test('should handle DeepSeek models with provider prefixes for max output tokens', () => {
+      expect(getModelMaxOutputTokens('deepseek/deepseek-chat')).toBe(8000);
+      expect(getModelMaxOutputTokens('openrouter/deepseek-reasoner')).toBe(64000);
+    });
+  });
+
   describe('processModelData with Meta models', () => {
     test('should process Meta model data correctly', () => {
       const input = {
@@ -778,6 +823,16 @@ describe('Grok Model Tests - Tokens', () => {
       expect(getModelMaxTokens('grok-4-0709')).toBe(256000);
     });
 
+    test('should return correct tokens for Grok 4 Fast and Grok 4.1 Fast models', () => {
+      expect(getModelMaxTokens('grok-4-fast')).toBe(2000000);
+      expect(getModelMaxTokens('grok-4-1-fast-reasoning')).toBe(2000000);
+      expect(getModelMaxTokens('grok-4-1-fast-non-reasoning')).toBe(2000000);
+    });
+
+    test('should return correct tokens for Grok Code Fast model', () => {
+      expect(getModelMaxTokens('grok-code-fast-1')).toBe(256000);
+    });
+
     test('should handle partial matches for Grok models with prefixes', () => {
       // Vision models should match before general models
       expect(getModelMaxTokens('xai/grok-2-vision-1212')).toBe(32768);
@@ -797,6 +852,12 @@ describe('Grok Model Tests - Tokens', () => {
       expect(getModelMaxTokens('xai/grok-3-mini-fast')).toBe(131072);
       // Grok 4 model
       expect(getModelMaxTokens('xai/grok-4-0709')).toBe(256000);
+      // Grok 4 Fast and 4.1 Fast models
+      expect(getModelMaxTokens('xai/grok-4-fast')).toBe(2000000);
+      expect(getModelMaxTokens('xai/grok-4-1-fast-reasoning')).toBe(2000000);
+      expect(getModelMaxTokens('xai/grok-4-1-fast-non-reasoning')).toBe(2000000);
+      // Grok Code Fast model
+      expect(getModelMaxTokens('xai/grok-code-fast-1')).toBe(256000);
     });
   });
 
@@ -820,6 +881,12 @@ describe('Grok Model Tests - Tokens', () => {
       expect(matchModelName('grok-3-mini-fast')).toBe('grok-3-mini-fast');
       // Grok 4 model
       expect(matchModelName('grok-4-0709')).toBe('grok-4');
+      // Grok 4 Fast and 4.1 Fast models
+      expect(matchModelName('grok-4-fast')).toBe('grok-4-fast');
+      expect(matchModelName('grok-4-1-fast-reasoning')).toBe('grok-4-1-fast');
+      expect(matchModelName('grok-4-1-fast-non-reasoning')).toBe('grok-4-1-fast');
+      // Grok Code Fast model
+      expect(matchModelName('grok-code-fast-1')).toBe('grok-code-fast');
     });
 
     test('should match Grok model variations with prefixes', () => {
@@ -841,6 +908,12 @@ describe('Grok Model Tests - Tokens', () => {
       expect(matchModelName('xai/grok-3-mini-fast')).toBe('grok-3-mini-fast');
       // Grok 4 model
       expect(matchModelName('xai/grok-4-0709')).toBe('grok-4');
+      // Grok 4 Fast and 4.1 Fast models
+      expect(matchModelName('xai/grok-4-fast')).toBe('grok-4-fast');
+      expect(matchModelName('xai/grok-4-1-fast-reasoning')).toBe('grok-4-1-fast');
+      expect(matchModelName('xai/grok-4-1-fast-non-reasoning')).toBe('grok-4-1-fast');
+      // Grok Code Fast model
+      expect(matchModelName('xai/grok-code-fast-1')).toBe('grok-code-fast');
     });
   });
 });

client/package.json

@@ -64,6 +64,7 @@
     "copy-to-clipboard": "^3.3.3",
     "cross-env": "^7.0.3",
     "date-fns": "^3.3.1",
+    "dompurify": "^3.3.0",
     "downloadjs": "^1.4.7",
     "export-from-json": "^1.7.2",
     "filenamify": "^6.0.0",

client/src/components/Chat/Input/Files/DragDropModal.tsx

@@ -2,6 +2,7 @@ import React, { useMemo } from 'react';
 import { useRecoilValue } from 'recoil';
 import { OGDialog, OGDialogTemplate } from '@librechat/client';
 import {
+  inferMimeType,
   EToolResources,
   EModelEndpoint,
   defaultAgentCapabilities,
@@ -56,18 +57,26 @@ const DragDropModal = ({ onOptionSelect, setShowModal, files, isVisible }: DragD
     const _options: FileOption[] = [];
     const currentProvider = provider || endpoint;
 
+    /** Helper to get inferred MIME type for a file */
+    const getFileType = (file: File) => inferMimeType(file.name, file.type);
+
     // Check if provider supports document upload
     if (isDocumentSupportedProvider(endpointType) || isDocumentSupportedProvider(currentProvider)) {
       const isGoogleProvider = currentProvider === EModelEndpoint.google;
       const validFileTypes = isGoogleProvider
-        ? files.every(
-            (file) =>
-              file.type?.startsWith('image/') ||
-              file.type?.startsWith('video/') ||
-              file.type?.startsWith('audio/') ||
-              file.type === 'application/pdf',
-          )
-        : files.every((file) => file.type?.startsWith('image/') || file.type === 'application/pdf');
+        ? files.every((file) => {
+            const type = getFileType(file);
+            return (
+              type?.startsWith('image/') ||
+              type?.startsWith('video/') ||
+              type?.startsWith('audio/') ||
+              type === 'application/pdf'
+            );
+          })
+        : files.every((file) => {
+            const type = getFileType(file);
+            return type?.startsWith('image/') || type === 'application/pdf';
+          });
 
       _options.push({
         label: localize('com_ui_upload_provider'),
@@ -81,7 +90,7 @@ const DragDropModal = ({ onOptionSelect, setShowModal, files, isVisible }: DragD
         label: localize('com_ui_upload_image_input'),
         value: undefined,
         icon: <ImageUpIcon className="icon-md" />,
-        condition: files.every((file) => file.type?.startsWith('image/')),
+        condition: files.every((file) => getFileType(file)?.startsWith('image/')),
       });
     }
     if (capabilities.fileSearchEnabled && fileSearchAllowedByAgent) {

client/src/components/Chat/Input/Files/__tests__/DragDropModal.spec.tsx

@@ -1,4 +1,8 @@
-import { EModelEndpoint, isDocumentSupportedProvider } from 'librechat-data-provider';
+import {
+  EModelEndpoint,
+  isDocumentSupportedProvider,
+  inferMimeType,
+} from 'librechat-data-provider';
 
 describe('DragDropModal - Provider Detection', () => {
   describe('endpointType priority over currentProvider', () => {
@@ -118,4 +122,59 @@ describe('DragDropModal - Provider Detection', () => {
       ).toBe(true);
     });
   });
+
+  describe('HEIC/HEIF file type inference', () => {
+    it('should infer image/heic for .heic files when browser returns empty type', () => {
+      const fileName = 'photo.heic';
+      const browserType = '';
+
+      const inferredType = inferMimeType(fileName, browserType);
+      expect(inferredType).toBe('image/heic');
+    });
+
+    it('should infer image/heif for .heif files when browser returns empty type', () => {
+      const fileName = 'photo.heif';
+      const browserType = '';
+
+      const inferredType = inferMimeType(fileName, browserType);
+      expect(inferredType).toBe('image/heif');
+    });
+
+    it('should handle uppercase .HEIC extension', () => {
+      const fileName = 'IMG_1234.HEIC';
+      const browserType = '';
+
+      const inferredType = inferMimeType(fileName, browserType);
+      expect(inferredType).toBe('image/heic');
+    });
+
+    it('should preserve browser-provided type when available', () => {
+      const fileName = 'photo.jpg';
+      const browserType = 'image/jpeg';
+
+      const inferredType = inferMimeType(fileName, browserType);
+      expect(inferredType).toBe('image/jpeg');
+    });
+
+    it('should not override browser type even if extension differs', () => {
+      const fileName = 'renamed.heic';
+      const browserType = 'image/png';
+
+      const inferredType = inferMimeType(fileName, browserType);
+      expect(inferredType).toBe('image/png');
+    });
+
+    it('should correctly identify HEIC as image type for upload options', () => {
+      const heicType = inferMimeType('photo.heic', '');
+      expect(heicType.startsWith('image/')).toBe(true);
+    });
+
+    it('should return empty string for unknown extension with no browser type', () => {
+      const fileName = 'file.xyz';
+      const browserType = '';
+
+      const inferredType = inferMimeType(fileName, browserType);
+      expect(inferredType).toBe('');
+    });
+  });
 });

client/src/components/Chat/Messages/Content/Parts/OpenAIImageGen/OpenAIImageGen.tsx

@@ -145,8 +145,7 @@ export default function OpenAIImageGen({
         clearInterval(intervalRef.current);
       }
     };
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [initialProgress, quality]);
+  }, [isSubmitting, initialProgress, quality]);
 
   useEffect(() => {
     if (initialProgress >= 1 || cancelled) {

client/src/components/Chat/Messages/HoverButtons.tsx

@@ -45,6 +45,9 @@ const extractMessageContent = (message: TMessage): string => {
   if (Array.isArray(message.content)) {
     return message.content
       .map((part) => {
+        if (part == null) {
+          return '';
+        }
         if (typeof part === 'string') {
           return part;
         }

client/src/components/MCP/CustomUserVarsSection.tsx

@@ -1,6 +1,7 @@
 import React, { useMemo } from 'react';
+import DOMPurify from 'dompurify';
 import { useForm, Controller } from 'react-hook-form';
-import { Input, Label, Button, TooltipAnchor, CircleHelpIcon } from '@librechat/client';
+import { Input, Label, Button } from '@librechat/client';
 import { useMCPAuthValuesQuery } from '~/data-provider/Tools/queries';
 import { useLocalize } from '~/hooks';
 
@@ -27,21 +28,40 @@ interface AuthFieldProps {
 function AuthField({ name, config, hasValue, control, errors }: AuthFieldProps) {
   const localize = useLocalize();
 
+  const sanitizer = useMemo(() => {
+    const instance = DOMPurify();
+    instance.addHook('afterSanitizeAttributes', (node) => {
+      if (node.tagName && node.tagName === 'A') {
+        node.setAttribute('target', '_blank');
+        node.setAttribute('rel', 'noopener noreferrer');
+      }
+    });
+    return instance;
+  }, []);
+
+  const sanitizedDescription = useMemo(() => {
+    if (!config.description) {
+      return '';
+    }
+    try {
+      return sanitizer.sanitize(config.description, {
+        ALLOWED_TAGS: ['a', 'strong', 'b', 'em', 'i', 'br', 'code'],
+        ALLOWED_ATTR: ['href', 'class', 'target', 'rel'],
+        ALLOW_DATA_ATTR: false,
+        ALLOW_ARIA_ATTR: false,
+      });
+    } catch (error) {
+      console.error('Sanitization failed', error);
+      return config.description;
+    }
+  }, [config.description, sanitizer]);
+
   return (
     <div className="space-y-2">
       <div className="flex items-center justify-between">
-        <TooltipAnchor
-          enableHTML={true}
-          description={config.description || ''}
-          render={
-            <div className="flex items-center gap-2">
-              <Label htmlFor={name} className="text-sm font-medium">
-                {config.title}
-              </Label>
-              <CircleHelpIcon className="h-6 w-6 cursor-help text-text-secondary transition-colors hover:text-text-primary" />
-            </div>
-          }
-        />
+        <Label htmlFor={name} className="text-sm font-medium">
+          {config.title}
+        </Label>
         {hasValue ? (
           <div className="flex min-w-fit items-center gap-2 whitespace-nowrap rounded-full border border-border-light px-2 py-0.5 text-xs font-medium text-text-secondary">
             <div className="h-1.5 w-1.5 rounded-full bg-green-500" />
@@ -66,12 +86,18 @@ function AuthField({ name, config, hasValue, control, errors }: AuthFieldProps)
             placeholder={
               hasValue
                 ? localize('com_ui_mcp_update_var', { 0: config.title })
-                : `${localize('com_ui_mcp_enter_var', { 0: config.title })} ${localize('com_ui_optional')}`
+                : localize('com_ui_mcp_enter_var', { 0: config.title })
             }
             className="w-full rounded border border-border-medium bg-transparent px-2 py-1 text-text-primary placeholder:text-text-secondary focus:outline-none sm:text-sm"
           />
         )}
       />
+      {sanitizedDescription && (
+        <p
+          className="text-xs text-text-secondary [&_a]:text-blue-500 [&_a]:hover:underline"
+          dangerouslySetInnerHTML={{ __html: sanitizedDescription }}
+        />
+      )}
       {errors[name] && <p className="text-xs text-red-500">{errors[name]?.message}</p>}
     </div>
   );

client/src/components/Nav/SettingsTabs/General/General.tsx

@@ -41,9 +41,11 @@ const toggleSwitchConfigs = [
 export const ThemeSelector = ({
   theme,
   onChange,
+  portal = true,
 }: {
   theme: string;
   onChange: (value: string) => void;
+  portal?: boolean;
 }) => {
   const localize = useLocalize();
 
@@ -67,6 +69,7 @@ export const ThemeSelector = ({
         testId="theme-selector"
         className="z-50"
         aria-labelledby={labelId}
+        portal={portal}
       />
     </div>
   );

client/src/components/Share/ShareView.tsx

@@ -227,9 +227,13 @@ function ShareHeader({
                 <OGDialogTitle>{settingsLabel}</OGDialogTitle>
               </OGDialogHeader>
               <div className="flex flex-col gap-4 pt-2 text-sm">
-                <ThemeSelector theme={theme} onChange={onThemeChange} />
+                <div className="relative focus-within:z-[100]">
+                  <ThemeSelector theme={theme} onChange={onThemeChange} portal={false} />
+                </div>
                 <div className="bg-border-medium/60 h-px w-full" />
-                <LangSelector langcode={langcode} onChange={onLangChange} portal={false} />
+                <div className="relative focus-within:z-[100]">
+                  <LangSelector langcode={langcode} onChange={onLangChange} portal={false} />
+                </div>
               </div>
             </OGDialogContent>
           </OGDialog>

client/src/hooks/Chat/useChatFunctions.ts

@@ -168,6 +168,7 @@ export default function useChatFunctions({
 
     const endpointsConfig = queryClient.getQueryData<TEndpointsConfig>([QueryKeys.endpoints]);
     const endpointType = getEndpointField(endpointsConfig, endpoint, 'type');
+    const iconURL = conversation?.iconURL;
 
     /** This becomes part of the `endpointOption` */
     const convo = parseCompactConvo({
@@ -248,9 +249,9 @@ export default function useChatFunctions({
       conversationId,
       unfinished: false,
       isCreatedByUser: false,
-      iconURL: convo?.iconURL,
       model: convo?.model,
       error: false,
+      iconURL,
     };
 
     if (isAssistantsEndpoint(endpoint)) {

client/src/hooks/Conversations/useExportConversation.ts

@@ -73,7 +73,9 @@ export default function useExportConversation({
     }
 
     return message.content
+      .filter((content) => content != null)
       .map((content) => getMessageContent(message.sender || '', content))
+      .filter((text) => text.length > 0)
       .map((text) => {
         return formatText(text[0], text[1]);
       })
@@ -103,7 +105,7 @@ export default function useExportConversation({
     if (content.type === ContentTypes.TEXT) {
       // TEXT
       const textPart = content[ContentTypes.TEXT];
-      const text = typeof textPart === 'string' ? textPart : textPart.value;
+      const text = typeof textPart === 'string' ? textPart : (textPart?.value ?? '');
       return [sender, text];
     }
 
@@ -365,12 +367,10 @@ export default function useExportConversation({
       data['messages'] = messages;
     }
 
-    exportFromJSON({
-      data: data,
-      fileName: filename,
-      extension: 'json',
-      exportType: exportFromJSON.types.json,
-    });
+    /** Use JSON.stringify without indentation to minimize file size for deeply nested recursive exports */
+    const jsonString = JSON.stringify(data);
+    const blob = new Blob([jsonString], { type: 'application/json;charset=utf-8' });
+    download(blob, `${filename}.json`, 'application/json');
   };
 
   const exportConversation = () => {

client/src/hooks/SSE/useContentHandler.ts

@@ -33,9 +33,8 @@ export default function useContentHandler({ setMessages, getMessages }: TUseCont
 
       const _messages = getMessages();
       const messages =
-        _messages
-          ?.filter((m) => m.messageId !== messageId)
-          .map((msg) => ({ ...msg, thread_id })) ?? [];
+        _messages?.filter((m) => m.messageId !== messageId).map((msg) => ({ ...msg, thread_id })) ??
+        [];
       const userMessage = messages[messages.length - 1] as TMessage | undefined;
 
       const { initialResponse } = submission;
@@ -66,14 +65,17 @@ export default function useContentHandler({ setMessages, getMessages }: TUseCont
 
       response.content[index] = { type, [type]: part } as TMessageContentParts;
 
+      const lastContentPart = response.content[response.content.length - 1];
+      const initialContentPart = initialResponse.content?.[0];
       if (
         type !== ContentTypes.TEXT &&
-        initialResponse.content &&
-        ((response.content[response.content.length - 1].type === ContentTypes.TOOL_CALL &&
-          response.content[response.content.length - 1][ContentTypes.TOOL_CALL].progress === 1) ||
-          response.content[response.content.length - 1].type === ContentTypes.IMAGE_FILE)
+        initialContentPart != null &&
+        lastContentPart != null &&
+        ((lastContentPart.type === ContentTypes.TOOL_CALL &&
+          lastContentPart[ContentTypes.TOOL_CALL]?.progress === 1) ||
+          lastContentPart.type === ContentTypes.IMAGE_FILE)
       ) {
-        response.content.push(initialResponse.content[0]);
+        response.content.push(initialContentPart);
       }
 
       setMessages([...messages, response]);

client/src/hooks/SSE/useEventHandlers.ts

@@ -87,12 +87,14 @@ const createErrorMessage = ({
   let isValidContentPart = false;
   if (latestContent.length > 0) {
     const latestContentPart = latestContent[latestContent.length - 1];
-    const latestPartValue = latestContentPart?.[latestContentPart.type ?? ''];
-    isValidContentPart =
-      latestContentPart.type !== ContentTypes.TEXT ||
-      (latestContentPart.type === ContentTypes.TEXT && typeof latestPartValue === 'string')
-        ? true
-        : latestPartValue?.value !== '';
+    if (latestContentPart != null) {
+      const latestPartValue = latestContentPart[latestContentPart.type ?? ''];
+      isValidContentPart =
+        latestContentPart.type !== ContentTypes.TEXT ||
+        (latestContentPart.type === ContentTypes.TEXT && typeof latestPartValue === 'string')
+          ? true
+          : latestPartValue?.value !== '';
+    }
   }
   if (
     latestMessage?.conversationId &&
@@ -455,141 +457,145 @@ export default function useEventHandlers({
         isTemporary = false,
       } = submission;
 
-      if (responseMessage?.attachments && responseMessage.attachments.length > 0) {
-        // Process each attachment through the attachmentHandler
-        responseMessage.attachments.forEach((attachment) => {
-          const attachmentData = {
-            ...attachment,
-            messageId: responseMessage.messageId,
-          };
+      try {
+        if (responseMessage?.attachments && responseMessage.attachments.length > 0) {
+          // Process each attachment through the attachmentHandler
+          responseMessage.attachments.forEach((attachment) => {
+            const attachmentData = {
+              ...attachment,
+              messageId: responseMessage.messageId,
+            };
 
-          attachmentHandler({
-            data: attachmentData,
-            submission: submission as EventSubmission,
+            attachmentHandler({
+              data: attachmentData,
+              submission: submission as EventSubmission,
+            });
           });
-        });
-      }
+        }
 
-      setShowStopButton(false);
-      setCompleted((prev) => new Set(prev.add(submission.initialResponse.messageId)));
+        setCompleted((prev) => new Set(prev.add(submission.initialResponse.messageId)));
 
-      const currentMessages = getMessages();
-      /* Early return if messages are empty; i.e., the user navigated away */
-      if (!currentMessages || currentMessages.length === 0) {
-        setIsSubmitting(false);
-        return;
-      }
+        const currentMessages = getMessages();
+        /* Early return if messages are empty; i.e., the user navigated away */
+        if (!currentMessages || currentMessages.length === 0) {
+          return;
+        }
 
-      /* a11y announcements */
-      announcePolite({ message: 'end', isStatus: true });
-      announcePolite({ message: getAllContentText(responseMessage) });
+        /* a11y announcements */
+        announcePolite({ message: 'end', isStatus: true });
+        announcePolite({ message: getAllContentText(responseMessage) });
 
-      const isNewConvo = conversation.conversationId !== submissionConvo.conversationId;
+        const isNewConvo = conversation.conversationId !== submissionConvo.conversationId;
 
-      const setFinalMessages = (id: string | null, _messages: TMessage[]) => {
-        setMessages(_messages);
-        queryClient.setQueryData<TMessage[]>([QueryKeys.messages, id], _messages);
-      };
+        const setFinalMessages = (id: string | null, _messages: TMessage[]) => {
+          setMessages(_messages);
+          queryClient.setQueryData<TMessage[]>([QueryKeys.messages, id], _messages);
+        };
 
-      const hasNoResponse =
-        responseMessage?.content?.[0]?.['text']?.value ===
-          submission.initialResponse?.content?.[0]?.['text']?.value ||
-        !!responseMessage?.content?.[0]?.['tool_call']?.auth;
+        const hasNoResponse =
+          responseMessage?.content?.[0]?.['text']?.value ===
+            submission.initialResponse?.content?.[0]?.['text']?.value ||
+          !!responseMessage?.content?.[0]?.['tool_call']?.auth;
+
+        /** Handle edge case where stream is cancelled before any response, which creates a blank page */
+        if (!conversation.conversationId && hasNoResponse) {
+          const currentConvoId =
+            (submissionConvo.conversationId ?? conversation.conversationId) || Constants.NEW_CONVO;
+          if (isNewConvo && submissionConvo.conversationId) {
+            removeConvoFromAllQueries(queryClient, submissionConvo.conversationId);
+          }
+
+          const isNewChat =
+            location.pathname === `/c/${Constants.NEW_CONVO}` &&
+            currentConvoId === Constants.NEW_CONVO;
+
+          setFinalMessages(currentConvoId, isNewChat ? [] : [...messages]);
+          setDraft({ id: currentConvoId, value: requestMessage?.text });
+          if (isNewChat) {
+            navigate(`/c/${Constants.NEW_CONVO}`, { replace: true, state: { focusChat: true } });
+          }
+          return;
+        }
+
+        /* Update messages; if assistants endpoint, client doesn't receive responseMessage */
+        let finalMessages: TMessage[] = [];
+        if (runMessages) {
+          finalMessages = [...runMessages];
+        } else if (isRegenerate && responseMessage) {
+          finalMessages = [...messages, responseMessage];
+        } else if (requestMessage != null && responseMessage != null) {
+          finalMessages = [...messages, requestMessage, responseMessage];
+        }
+        if (finalMessages.length > 0) {
+          setFinalMessages(conversation.conversationId, finalMessages);
+        } else if (
+          isAssistantsEndpoint(submissionConvo.endpoint) &&
+          (!submissionConvo.conversationId ||
+            submissionConvo.conversationId === Constants.NEW_CONVO)
+        ) {
+          queryClient.setQueryData<TMessage[]>(
+            [QueryKeys.messages, conversation.conversationId],
+            [...currentMessages],
+          );
+        }
 
-      /** Handle edge case where stream is cancelled before any response, which creates a blank page */
-      if (!conversation.conversationId && hasNoResponse) {
-        const currentConvoId =
-          (submissionConvo.conversationId ?? conversation.conversationId) || Constants.NEW_CONVO;
         if (isNewConvo && submissionConvo.conversationId) {
           removeConvoFromAllQueries(queryClient, submissionConvo.conversationId);
         }
 
-        const isNewChat =
-          location.pathname === `/c/${Constants.NEW_CONVO}` &&
-          currentConvoId === Constants.NEW_CONVO;
-
-        setFinalMessages(currentConvoId, isNewChat ? [] : [...messages]);
-        setDraft({ id: currentConvoId, value: requestMessage?.text });
-        setIsSubmitting(false);
-        if (isNewChat) {
-          navigate(`/c/${Constants.NEW_CONVO}`, { replace: true, state: { focusChat: true } });
+        /* Refresh title */
+        if (
+          genTitle &&
+          isNewConvo &&
+          !isTemporary &&
+          requestMessage &&
+          requestMessage.parentMessageId === Constants.NO_PARENT
+        ) {
+          setTimeout(() => {
+            genTitle.mutate({ conversationId: conversation.conversationId as string });
+          }, 2500);
         }
-        return;
-      }
 
-      /* Update messages; if assistants endpoint, client doesn't receive responseMessage */
-      let finalMessages: TMessage[] = [];
-      if (runMessages) {
-        finalMessages = [...runMessages];
-      } else if (isRegenerate && responseMessage) {
-        finalMessages = [...messages, responseMessage];
-      } else if (requestMessage != null && responseMessage != null) {
-        finalMessages = [...messages, requestMessage, responseMessage];
-      }
-      if (finalMessages.length > 0) {
-        setFinalMessages(conversation.conversationId, finalMessages);
-      } else if (
-        isAssistantsEndpoint(submissionConvo.endpoint) &&
-        (!submissionConvo.conversationId || submissionConvo.conversationId === Constants.NEW_CONVO)
-      ) {
-        queryClient.setQueryData<TMessage[]>(
-          [QueryKeys.messages, conversation.conversationId],
-          [...currentMessages],
-        );
-      }
-
-      if (isNewConvo && submissionConvo.conversationId) {
-        removeConvoFromAllQueries(queryClient, submissionConvo.conversationId);
-      }
-
-      /* Refresh title */
-      if (
-        genTitle &&
-        isNewConvo &&
-        !isTemporary &&
-        requestMessage &&
-        requestMessage.parentMessageId === Constants.NO_PARENT
-      ) {
-        setTimeout(() => {
-          genTitle.mutate({ conversationId: conversation.conversationId as string });
-        }, 2500);
-      }
-
-      if (setConversation && isAddedRequest !== true) {
-        setConversation((prevState) => {
-          const update = {
-            ...prevState,
-            ...(conversation as TConversation),
-          };
-          if (prevState?.model != null && prevState.model !== submissionConvo.model) {
-            update.model = prevState.model;
-          }
-          const cachedConvo = queryClient.getQueryData<TConversation>([
-            QueryKeys.conversation,
-            conversation.conversationId,
-          ]);
-          if (!cachedConvo) {
-            queryClient.setQueryData([QueryKeys.conversation, conversation.conversationId], update);
-          }
-          return update;
-        });
-
-        if (conversation.conversationId && submission.ephemeralAgent) {
-          applyAgentTemplate({
-            targetId: conversation.conversationId,
-            sourceId: submissionConvo.conversationId,
-            ephemeralAgent: submission.ephemeralAgent,
-            specName: submission.conversation?.spec,
-            startupConfig: queryClient.getQueryData<TStartupConfig>([QueryKeys.startupConfig]),
+        if (setConversation && isAddedRequest !== true) {
+          setConversation((prevState) => {
+            const update = {
+              ...prevState,
+              ...(conversation as TConversation),
+            };
+            if (prevState?.model != null && prevState.model !== submissionConvo.model) {
+              update.model = prevState.model;
+            }
+            const cachedConvo = queryClient.getQueryData<TConversation>([
+              QueryKeys.conversation,
+              conversation.conversationId,
+            ]);
+            if (!cachedConvo) {
+              queryClient.setQueryData(
+                [QueryKeys.conversation, conversation.conversationId],
+                update,
+              );
+            }
+            return update;
           });
-        }
 
-        if (location.pathname === `/c/${Constants.NEW_CONVO}`) {
-          navigate(`/c/${conversation.conversationId}`, { replace: true });
+          if (conversation.conversationId && submission.ephemeralAgent) {
+            applyAgentTemplate({
+              targetId: conversation.conversationId,
+              sourceId: submissionConvo.conversationId,
+              ephemeralAgent: submission.ephemeralAgent,
+              specName: submission.conversation?.spec,
+              startupConfig: queryClient.getQueryData<TStartupConfig>([QueryKeys.startupConfig]),
+            });
+          }
+
+          if (location.pathname === `/c/${Constants.NEW_CONVO}`) {
+            navigate(`/c/${conversation.conversationId}`, { replace: true });
+          }
         }
+      } finally {
+        setShowStopButton(false);
+        setIsSubmitting(false);
       }
-
-      setIsSubmitting(false);
     },
     [
       navigate,
@@ -722,26 +728,37 @@ export default function useEventHandlers({
         messages[messages.length - 2] != null
       ) {
         let requestMessage = messages[messages.length - 2];
-        const responseMessage = messages[messages.length - 1];
-        if (requestMessage.messageId !== responseMessage.parentMessageId) {
+        const _responseMessage = messages[messages.length - 1];
+        if (requestMessage.messageId !== _responseMessage.parentMessageId) {
           // the request message is the parent of response, which we search for backwards
           for (let i = messages.length - 3; i >= 0; i--) {
-            if (messages[i].messageId === responseMessage.parentMessageId) {
+            if (messages[i].messageId === _responseMessage.parentMessageId) {
               requestMessage = messages[i];
               break;
             }
           }
         }
-        finalHandler(
-          {
-            conversation: {
-              conversationId,
+        /** Sanitize content array to remove undefined parts from interrupted streaming */
+        const responseMessage = {
+          ..._responseMessage,
+          content: _responseMessage.content?.filter((part) => part != null),
+        };
+        try {
+          finalHandler(
+            {
+              conversation: {
+                conversationId,
+              },
+              requestMessage,
+              responseMessage,
             },
-            requestMessage,
-            responseMessage,
-          },
-          submission,
-        );
+            submission,
+          );
+        } catch (error) {
+          console.error('Error in finalHandler during abort:', error);
+          setShowStopButton(false);
+          setIsSubmitting(false);
+        }
         return;
       } else if (!isAssistantsEndpoint(endpoint)) {
         const convoId = conversationId || `_${v4()}`;
@@ -809,13 +826,14 @@ export default function useEventHandlers({
       }
     },
     [
-      finalHandler,
-      newConversation,
-      setIsSubmitting,
       token,
-      cancelHandler,
       getMessages,
       setMessages,
+      finalHandler,
+      cancelHandler,
+      newConversation,
+      setIsSubmitting,
+      setShowStopButton,
     ],
   );
 

client/src/hooks/SSE/useSSE.ts

@@ -124,7 +124,13 @@ export default function useSSE(
       if (data.final != null) {
         clearDraft(submission.conversation?.conversationId);
         const { plugins } = data;
-        finalHandler(data, { ...submission, plugins } as EventSubmission);
+        try {
+          finalHandler(data, { ...submission, plugins } as EventSubmission);
+        } catch (error) {
+          console.error('Error in finalHandler:', error);
+          setIsSubmitting(false);
+          setShowStopButton(false);
+        }
         (startupConfig?.balance?.enabled ?? false) && balanceQuery.refetch();
         console.log('final', data);
         return;
@@ -187,14 +193,20 @@ export default function useSSE(
       setCompleted((prev) => new Set(prev.add(streamKey)));
       const latestMessages = getMessages();
       const conversationId = latestMessages?.[latestMessages.length - 1]?.conversationId;
-      return await abortConversation(
-        conversationId ??
-          userMessage.conversationId ??
-          submission.conversation?.conversationId ??
-          '',
-        submission as EventSubmission,
-        latestMessages,
-      );
+      try {
+        await abortConversation(
+          conversationId ??
+            userMessage.conversationId ??
+            submission.conversation?.conversationId ??
+            '',
+          submission as EventSubmission,
+          latestMessages,
+        );
+      } catch (error) {
+        console.error('Error during abort:', error);
+        setIsSubmitting(false);
+        setShowStopButton(false);
+      }
     });
 
     sse.addEventListener('error', async (e: MessageEvent) => {

client/src/hooks/SSE/useStepHandler.ts

@@ -313,6 +313,10 @@ export default function useStepHandler({
             ? messageDelta.delta.content[0]
             : messageDelta.delta.content;
 
+          if (contentPart == null) {
+            return;
+          }
+
           const currentIndex = calculateContentIndex(
             runStep.index,
             initialContent,
@@ -345,6 +349,10 @@ export default function useStepHandler({
             ? reasoningDelta.delta.content[0]
             : reasoningDelta.delta.content;
 
+          if (contentPart == null) {
+            return;
+          }
+
           const currentIndex = calculateContentIndex(
             runStep.index,
             initialContent,

client/src/utils/files.ts

@@ -9,9 +9,9 @@ import {
 import {
   megabyte,
   QueryKeys,
+  inferMimeType,
   excelMimeTypes,
   EToolResources,
-  codeTypeMapping,
   fileConfig as defaultFileConfig,
 } from 'librechat-data-provider';
 import type { TFile, EndpointFileConfig, FileConfig } from 'librechat-data-provider';
@@ -257,14 +257,7 @@ export const validateFiles = ({
 
   for (let i = 0; i < fileList.length; i++) {
     let originalFile = fileList[i];
-    let fileType = originalFile.type;
-    const extension = originalFile.name.split('.').pop() ?? '';
-    const knownCodeType = codeTypeMapping[extension];
-
-    // Infer MIME type for Known Code files when the type is empty or a mismatch
-    if (knownCodeType && (!fileType || fileType !== knownCodeType)) {
-      fileType = knownCodeType;
-    }
+    const fileType = inferMimeType(originalFile.name, originalFile.type);
 
     // Check if the file type is still empty after the extension check
     if (!fileType) {

client/src/utils/messages.ts

@@ -44,7 +44,7 @@ export const getAllContentText = (message?: TMessage | null): string => {
 
   if (message.content && message.content.length > 0) {
     return message.content
-      .filter((part) => part.type === ContentTypes.TEXT)
+      .filter((part) => part != null && part.type === ContentTypes.TEXT)
       .map((part) => {
         if (!('text' in part)) return '';
         const text = part.text;

config/add-balance.js

@@ -1,6 +1,6 @@
 const path = require('path');
 const mongoose = require('mongoose');
-const { isEnabled, getBalanceConfig } = require('@librechat/api');
+const { getBalanceConfig } = require('@librechat/api');
 const { User } = require('@librechat/data-schemas').createModels(mongoose);
 require('module-alias')({ base: path.resolve(__dirname, '..', 'api') });
 const { createTransaction } = require('~/models/Transaction');
@@ -33,15 +33,12 @@ const connect = require('./connect');
     // console.purple(`[DEBUG] Args Length: ${process.argv.length}`);
   }
 
-  if (!process.env.CHECK_BALANCE) {
+  const appConfig = await getAppConfig();
+  const balanceConfig = getBalanceConfig(appConfig);
+
+  if (!balanceConfig?.enabled) {
     console.red(
-      'Error: CHECK_BALANCE environment variable is not set! Configure it to use it: `CHECK_BALANCE=true`',
-    );
-    silentExit(1);
-  }
-  if (isEnabled(process.env.CHECK_BALANCE) === false) {
-    console.red(
-      'Error: CHECK_BALANCE environment variable is set to `false`! Please configure: `CHECK_BALANCE=true`',
+      'Error: Balance is not enabled. Use librechat.yaml to enable it',
     );
     silentExit(1);
   }
@@ -80,8 +77,6 @@ const connect = require('./connect');
    */
   let result;
   try {
-    const appConfig = await getAppConfig();
-    const balanceConfig = getBalanceConfig(appConfig);
     result = await createTransaction({
       user: user._id,
       tokenType: 'credits',

config/set-balance.js

@@ -1,6 +1,6 @@
 const path = require('path');
 const mongoose = require('mongoose');
-const { isEnabled } = require('@librechat/api');
+const { getBalanceConfig } = require('@librechat/api');
 const { User, Balance } = require('@librechat/data-schemas').createModels(mongoose);
 require('module-alias')({ base: path.resolve(__dirname, '..', 'api') });
 const { askQuestion, silentExit } = require('./helpers');
@@ -31,15 +31,10 @@ const connect = require('./connect');
     // console.purple(`[DEBUG] Args Length: ${process.argv.length}`);
   }
 
-  if (!process.env.CHECK_BALANCE) {
+  const balanceConfig = getBalanceConfig();
+  if (!balanceConfig?.enabled) {
     console.red(
-      'Error: CHECK_BALANCE environment variable is not set! Configure it to use it: `CHECK_BALANCE=true`',
-    );
-    silentExit(1);
-  }
-  if (isEnabled(process.env.CHECK_BALANCE) === false) {
-    console.red(
-      'Error: CHECK_BALANCE environment variable is set to `false`! Please configure: `CHECK_BALANCE=true`',
+      'Error: Balance is not enabled. Use librechat.yaml to enable it',
     );
     silentExit(1);
   }

deploy-compose.swarm.yml

@@ -0,0 +1,259 @@
+version: "3.8"
+
+services:
+  api:
+    # build:
+    #   context: .
+    #   dockerfile: Dockerfile.multi
+    #   target: api-build
+    image: ghcr.io/danny-avila/librechat-dev-api:latest
+    # ports:
+    #   - 3080:3080
+    # Note: depends_on is ignored in Docker Swarm mode
+    # Services start in parallel, so API must handle connection retries
+    # depends_on:
+    #   - mongodb
+    #   - rag_api
+    networks:
+      - net
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    env_file:
+      - stack.env
+    environment:
+      - HOST=0.0.0.0
+      - NODE_ENV=production
+      - MONGO_URI=mongodb://mongodb:27017/LibreChat
+      - MEILI_HOST=http://meilisearch:7700
+      - RAG_PORT=${RAG_PORT:-8000}
+      - RAG_API_URL=http://rag_api:${RAG_PORT:-8000}
+    volumes:
+      - type: bind
+        source: /home/trav/dkr/LibreChat/librechat.yaml
+        target: /app/librechat.yaml
+      - /home/trav/dkr/LibreChat/images:/app/client/public/images
+      - /home/trav/dkr/LibreChat/uploads:/app/uploads
+      - /home/trav/dkr/LibreChat/logs:/app/api/logs
+      - /home/trav/claude-scripts:/mnt/claude-scripts
+      - /home/trav/dkr:/mnt/dkr
+      - /home/trav/biz-bud:/mnt/biz-bud
+      - /home/trav/portainer:/mnt/portainer
+      - /home/trav/repos:/mnt/repos
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://localhost:3080/health || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 20s
+        max_attempts: 10
+        window: 2m
+      update_config:
+        parallelism: 1
+        delay: 20s
+        failure_action: rollback
+      placement:
+        constraints:
+          - node.hostname == little
+
+  client:
+    image: nginx:1.27.0-alpine
+    # ports:
+    #   - 80:80
+    #   - 443:443
+    # Note: depends_on is ignored in Docker Swarm mode
+    # depends_on:
+    #   - api
+    networks:
+      - net
+      - badge-net
+    volumes:
+      - /home/trav/dkr/LibreChat/client/nginx.conf:/etc/nginx/conf.d/default.conf
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 15s
+        max_attempts: 10
+        window: 2m
+      update_config:
+        parallelism: 1
+        delay: 15s
+        failure_action: rollback
+      placement:
+        constraints:
+          - node.hostname == little
+
+  mongodb:
+    # ports:  # Uncomment this to access mongodb from outside docker, not safe in deployment
+    #   - 27018:27017
+    image: mongo
+    networks:
+      - net
+    volumes:
+      - librechat-mongodb:/data/db
+    command: mongod --noauth
+    healthcheck:
+      test: ["CMD-SHELL", "mongosh --eval 'db.adminCommand(\"ping\")' --quiet || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 20s
+        max_attempts: 15
+        window: 3m
+      update_config:
+        parallelism: 1
+        delay: 20s
+        failure_action: rollback
+      placement:
+        constraints:
+          - node.hostname == little
+
+  meilisearch:
+    image: getmeili/meilisearch:v1.12.3
+    networks:
+      - net
+    # ports: # Uncomment this to access meilisearch from outside docker
+    #   - 7700:7700 # if exposing these ports, make sure your master key is not the default value
+    env_file:
+      - stack.env
+    environment:
+      - MEILI_HOST=http://meilisearch:7700
+      - MEILI_NO_ANALYTICS=true
+    volumes:
+      - librechat-meili_data:/meili_data
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://localhost:7700/health || wget --spider -q http://localhost:7700/health || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 20s
+        max_attempts: 15
+        window: 3m
+      update_config:
+        parallelism: 1
+        delay: 20s
+        failure_action: rollback
+      placement:
+        constraints:
+          - node.hostname == little
+
+  vectordb:
+    image: pgvector/pgvector:0.8.0-pg15-trixie
+    environment:
+      POSTGRES_DB: mydatabase
+      POSTGRES_USER: myuser
+      POSTGRES_PASSWORD: mypassword
+    networks:
+      - net
+    volumes:
+      - librechat-pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U myuser -d mydatabase"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 20s
+        max_attempts: 15
+        window: 3m
+      update_config:
+        parallelism: 1
+        delay: 20s
+        failure_action: rollback
+      placement:
+        constraints:
+          - node.hostname == little
+
+  rag_api:
+    image: ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest
+    environment:
+      - DB_HOST=vectordb
+      - RAG_PORT=${RAG_PORT:-8000}
+    networks:
+      - net
+    # Note: depends_on is ignored in Docker Swarm mode
+    # depends_on:
+    #   - vectordb
+    env_file:
+      - stack.env
+    healthcheck:
+      test: ["CMD-SHELL", "python3 -c \"import urllib.request; urllib.request.urlopen('http://localhost:8000/health')\""]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 40s
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 20s
+        max_attempts: 15
+        window: 3m
+      update_config:
+        parallelism: 1
+        delay: 20s
+        failure_action: rollback
+      placement:
+        constraints:
+          - node.hostname == little
+
+  metrics:
+    image: ghcr.io/virtuos/librechat_exporter:main
+    # Note: depends_on is ignored in Docker Swarm mode
+    # depends_on:
+    #   - mongodb
+    # ports:
+    #   - "8000:8000"
+    networks:
+      - net
+      - observability_observability
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 15s
+        max_attempts: 10
+        window: 2m
+      update_config:
+        parallelism: 1
+        delay: 15s
+        failure_action: rollback
+      placement:
+        constraints:
+          - node.hostname == little
+
+volumes:
+  librechat-pgdata:
+    name: librechat-pgdata
+  librechat-mongodb:
+    name: librechat-mongodb
+  librechat-meili_data:
+    name: librechat-meili_data
+
+networks:
+  net:
+    driver: overlay
+    attachable: true
+  badge-net:
+    external: true
+  observability_observability:
+    external: true

docker-compose.yml

@@ -3,7 +3,7 @@
 
 services:
   api:
-    container_name: LibreChat
+    container_name: librechat
     ports:
       - "${PORT}:${PORT}"
     depends_on:
@@ -24,17 +24,36 @@ services:
       - type: bind
         source: ./.env
         target: /app/.env
+      - ./librechat.yaml:/app/librechat.yaml
       - ./images:/app/client/public/images
       - ./uploads:/app/uploads
       - ./logs:/app/logs
+    networks:
+      - chat-net
+  client:
+    image: nginx:1.27.0-alpine
+    container_name: librechat-nginx
+    expose:
+      - 80
+      - 443
+    depends_on:
+      - api
+    networks:
+      - chat-net
+      - edge-little
+    restart: always
+    volumes:
+      - ./client/nginx.conf:/etc/nginx/conf.d/default.conf
   mongodb:
-    container_name: chat-mongodb
+    container_name: librechat-mongodb
     image: mongo
     restart: always
     user: "${UID}:${GID}"
     volumes:
       - ./data-node:/data/db
     command: mongod --noauth
+    networks:
+      - chat-net
   meilisearch:
     container_name: chat-meilisearch
     image: getmeili/meilisearch:v1.12.3
@@ -46,8 +65,10 @@ services:
       - MEILI_MASTER_KEY=${MEILI_MASTER_KEY}
     volumes:
       - ./meili_data_v1.12:/meili_data
+    networks:
+      - chat-net
   vectordb:
-    container_name: vectordb
+    container_name: librechat-vectordb
     image: pgvector/pgvector:0.8.0-pg15-trixie
     environment:
       POSTGRES_DB: mydatabase
@@ -55,9 +76,11 @@ services:
       POSTGRES_PASSWORD: mypassword
     restart: always
     volumes:
-      - pgdata2:/var/lib/postgresql/data
+      - librechat-pgdata:/var/lib/postgresql/data
+    networks:
+      - chat-net
   rag_api:
-    container_name: rag_api
+    container_name: librechat-rag_api
     image: ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest
     environment:
       - DB_HOST=vectordb
@@ -65,8 +88,17 @@ services:
     restart: always
     depends_on:
       - vectordb
+    networks:
+      - chat-net
     env_file:
       - .env
 
 volumes:
-  pgdata2:
+  librechat-pgdata:
+    external: true
+networks:
+  chat-net:
+    driver: bridge
+    name: chat-net
+  edge-little:
+    external: true

eslint.config.mjs

@@ -269,6 +269,16 @@ export default [
         project: './packages/data-provider/tsconfig.json',
       },
     },
+    rules: {
+      '@typescript-eslint/no-unused-vars': [
+        'warn',
+        {
+          argsIgnorePattern: '^_',
+          varsIgnorePattern: '^_',
+          caughtErrorsIgnorePattern: '^_',
+        },
+      ],
+    },
   },
   {
     files: ['./api/demo/**/*.ts'],

librechat.yaml

@@ -0,0 +1,584 @@
+# For more information, see the Configuration Guide:
+# https://www.librechat.ai/docs/configuration/librechat_yaml
+
+# Configuration version (required)
+version: 1.3.1
+
+# Cache settings: Set to true to enable caching
+cache: true
+
+# File storage configuration
+# Single strategy for all file types (legacy format, still supported)
+fileStrategy: "s3"
+
+# Granular file storage strategies (new format - recommended)
+# Allows different storage strategies for different file types
+# fileStrategy:
+#   avatar: "s3"        # Storage for user/agent avatar images
+#   image: "firebase"   # Storage for uploaded images in chats
+#   document: "local"   # Storage for document uploads (PDFs, text files, etc.)
+
+# Available strategies: "local", "s3", "firebase"
+# If not specified, defaults to "local" for all file types
+# You can mix and match strategies based on your needs:
+# - Use S3 for avatars for fast global access
+# - Use Firebase for images with automatic optimization
+# - Use local storage for documents for privacy/compliance
+
+ocr:
+  apiKey: "YO2bXkUHLxlJdsXactjlLK4PRZMrBaCo"
+  strategy: "mistral_ocr"
+  mistralModel: "mistral-ocr-latest"
+
+# Custom interface configuration
+interface:
+  customWelcome: 'Welcome to LibreChat! Enjoy your experience.'
+  # Enable/disable file search as a chatarea selection (default: true)
+  # Note: This setting does not disable the Agents File Search Capability.
+  # To disable the Agents Capability, see the Agents Endpoint configuration instead.
+  fileSearch: true
+  # Privacy policy settings
+  privacyPolicy:
+    externalUrl: 'https://librechat.ai/privacy-policy'
+    openNewTab: true
+
+  # Terms of service
+  termsOfService:
+    externalUrl: 'https://librechat.ai/tos'
+    openNewTab: true
+    modalAcceptance: true
+    modalTitle: 'Terms of Service for LibreChat'
+    modalContent: |
+      # Terms and Conditions for LibreChat
+
+      *Effective Date: February 18, 2024*
+
+      Welcome to LibreChat, the informational website for the open-source AI chat platform, available at https://librechat.ai. These Terms of Service ("Terms") govern your use of our website and the services we offer. By accessing or using the Website, you agree to be bound by these Terms and our Privacy Policy, accessible at https://librechat.ai//privacy.
+
+      ## 1. Ownership
+
+      Upon purchasing a package from LibreChat, you are granted the right to download and use the code for accessing an admin panel for LibreChat. While you own the downloaded code, you are expressly prohibited from reselling, redistributing, or otherwise transferring the code to third parties without explicit permission from LibreChat.
+
+      ## 2. User Data
+
+      We collect personal data, such as your name, email address, and payment information, as described in our Privacy Policy. This information is collected to provide and improve our services, process transactions, and communicate with you.
+
+      ## 3. Non-Personal Data Collection
+
+      The Website uses cookies to enhance user experience, analyze site usage, and facilitate certain functionalities. By using the Website, you consent to the use of cookies in accordance with our Privacy Policy.
+
+      ## 4. Use of the Website
+
+      You agree to use the Website only for lawful purposes and in a manner that does not infringe the rights of, restrict, or inhibit anyone else's use and enjoyment of the Website. Prohibited behavior includes harassing or causing distress or inconvenience to any person, transmitting obscene or offensive content, or disrupting the normal flow of dialogue within the Website.
+
+      ## 5. Governing Law
+
+      These Terms shall be governed by and construed in accordance with the laws of the United States, without giving effect to any principles of conflicts of law.
+
+      ## 6. Changes to the Terms
+
+      We reserve the right to modify these Terms at any time. We will notify users of any changes by email. Your continued use of the Website after such changes have been notified will constitute your consent to such changes.
+
+      ## 7. Contact Information
+
+      If you have any questions about these Terms, please contact us at contact@librechat.ai.
+
+      By using the Website, you acknowledge that you have read these Terms of Service and agree to be bound by them.
+
+  modelSelect: true
+  parameters: true
+  sidePanel: true
+  presets: true
+  prompts: true
+  bookmarks: true
+  multiConvo: true
+  agents: true
+  peoplePicker:
+    users: true
+    groups: true
+    roles: true
+  marketplace:
+    use: true
+  fileCitations: true
+  # Temporary chat retention period in hours (default: 720, min: 1, max: 8760)
+  # temporaryChatRetention: 1
+
+# Example Cloudflare turnstile (optional)
+#turnstile:
+#  siteKey: "your-site-key-here"
+#  options:
+#    language: "auto"    # "auto" or an ISO 639-1 language code (e.g. en)
+#    size: "normal"      # Options: "normal", "compact", "flexible", or "invisible"
+
+# Example Registration Object Structure (optional)
+registration:
+  socialLogins: ['openid']
+  # allowedDomains:
+  # - "gmail.com"
+
+# Example Balance settings
+# balance:
+#   enabled: false
+#   startBalance: 20000
+#   autoRefillEnabled: false
+#   refillIntervalValue: 30
+#   refillIntervalUnit: 'days'
+#   refillAmount: 10000
+
+# Example Transactions settings
+# Controls whether to save transaction records to the database
+# Default is true (enabled)
+transactions:
+  enabled: true
+# Note: If balance.enabled is true, transactions will always be enabled
+# regardless of this setting to ensure balance tracking works correctly
+
+speech:
+  speechTab:
+    conversationMode: true
+    advancedMode: true
+    speechToText:
+      engineSTT: "external"
+      languageSTT: "English (US)"
+      autoTranscribeAudio: true
+      decibelValue: -45
+      autoSendText: 0
+    textToSpeech:
+      engineTTS: "external"
+      voice: "alloy"
+      languageTTS: "en"
+      automaticPlayback: true
+      playbackRate: 1.0
+      cacheTTS: true
+  tts:
+    elevenlabs:
+      apiKey: '${TTS_API_KEY}'
+      model: 'eleven_multilingual_v2'
+      voices: ['pNInz6obpgDQGcFmaJgB', 'EXAVITQu4vr4xnSDxMaL', 'JBFqnCBsd6RMkjVDRZzb', 'Xb7hH8MSUJpSbSDYk0k2']
+      # Adam, Sarah, George, Alice
+  stt:
+    openai:
+      apiKey: '${STT_API_KEY}'
+      model: 'whisper-1'
+# rateLimits:
+#   fileUploads:
+#     ipMax: 100
+#     ipWindowInMinutes: 60  # Rate limit window for file uploads per IP
+#     userMax: 50
+#     userWindowInMinutes: 60  # Rate limit window for file uploads per user
+#   conversationsImport:
+#     ipMax: 100
+#     ipWindowInMinutes: 60  # Rate limit window for conversation imports per IP
+#     userMax: 50
+#     userWindowInMinutes: 60  # Rate limit window for conversation imports per user
+
+# Example Actions Object Structure
+actions:
+  allowedDomains:
+    - 'swapi.dev'
+    - 'librechat.ai'
+    - 'google.com'
+    - 'sidepiece.rip'
+    - 'baked.rocks'
+    - 'raindrop.com'
+    - 'raindrop.services'
+
+# Example MCP Servers Object Structure
+mcpServers:
+  pieces:
+    type: "streamable-http"
+    url: https://pieces-mcp.baked.rocks/mcp
+    timeout: 60000
+    startup: false
+  xpipe:
+    type: "streamable-http"
+    url: https://xpipe-mcp.baked.rocks/mcp
+    timeout: 60000
+    startup: false
+  firecrawl:
+    type: stdio
+    command: npx
+    args:
+      - -y
+      - firecrawl-mcp
+    env:
+      FIRECRAWL_API_KEY: dummy-key
+      FIRECRAWL_API_URL: http://crawl.toy
+  context7:
+    type: "streamable-http"
+    url: https://mcp.context7.com/mcp
+    timeout: 60000
+    startup: false
+    headers:
+      CONTEXT7_API_KEY: ctx7sk-f6f1b998-88a2-4e78-9d21-433545326e6c
+# everything:
+#   # type: sse # type can optionally be omitted
+#   url: http://localhost:3001/sse
+#   timeout: 60000  # 1 minute timeout for this server, this is the default timeout for MCP servers.
+# puppeteer:
+#   type: stdio
+#   command: npx
+#   args:
+#     - -y
+#     - "@modelcontextprotocol/server-puppeteer"
+#   timeout: 300000  # 5 minutes timeout for this server
+  filesystem:
+    type: stdio
+    command: npx
+    args:
+      - -y
+      - "@modelcontextprotocol/server-filesystem"
+      - /mnt/claude-scripts
+      - /mnt/apps
+      - /mnt/biz-bud
+      - /mnt/portainer
+      - /mnt/repos
+    # iconPath: /app/client/public/assets/logo.svg  # Fixed: use container path if logo exists
+# mcp-obsidian:
+#   command: npx
+#   args:
+#     - -y
+#     - "mcp-obsidian"
+#     - /path/to/obsidian/vault
+  sequential-thinking:
+    url: https://server.smithery.ai/@smithery-ai/server-sequential-thinking/mcp
+    timeout: 60000
+
+# Definition of custom endpoints
+endpoints:
+  assistants:
+    disableBuilder: false # Disable Assistants Builder Interface by setting to `true`
+    pollIntervalMs: 3000  # Polling interval for checking assistant updates
+    timeoutMs: 180000  # Timeout for assistant operations
+  #   # Should only be one or the other, either `supportedIds` or `excludedIds`
+  #   supportedIds: ["asst_supportedAssistantId1", "asst_supportedAssistantId2"]
+  #   # excludedIds: ["asst_excludedAssistantId"]
+  #   # Only show assistants that the user created or that were created externally (e.g. in Assistants playground).
+    privateAssistants: false # Does not work with `supportedIds` or `excludedIds`
+  #   # (optional) Models that support retrieval, will default to latest known OpenAI models that support the feature
+    retrievalModels: ["openai/gpt-5.1"]
+  #   # (optional) Assistant Capabilities available to all users. Omit the ones you wish to exclude. Defaults to list below.
+    capabilities: ["code_interpreter", "retrieval", "actions", "tools", "image_vision"]
+  agents:
+  #   # (optional) Default recursion depth for agents, defaults to 25
+    recursionLimit: 50
+  #   # (optional) Max recursion depth for agents, defaults to 25
+    maxRecursionLimit: 100
+  #   # (optional) Disable the builder interface for agents
+    disableBuilder: false
+  #   # (optional) Maximum total citations to include in agent responses, defaults to 30
+    maxCitations: 30
+  #   # (optional) Maximum citations per file to include in agent responses, defaults to 7
+    maxCitationsPerFile: 7
+  #   # (optional) Minimum relevance score for sources to be included in responses, defaults to 0.45 (45% relevance threshold)
+  #   # Set to 0.0 to show all sources (no filtering), or higher like 0.7 for stricter filtering
+    minRelevanceScore: 0.4
+  #   # (optional) Agent Capabilities available to all users. Omit the ones you wish to exclude. Defaults to list below.
+    capabilities: ["execute_code", "file_search", "actions", "tools", "web_search", "ocr", "artifacts", "chain", "context"]
+    allowedProviders:
+      - litellm
+  custom:
+    # Groq Example
+    - name: 'litellm'
+      apiKey: 'sk-1234'
+      baseURL: 'http://llm.toy'
+      models:
+        default:
+          - 'claude-sonnet-4-5'
+          - 'claude-opus-4-5'
+          - 'claude-haiku-4-5'
+          - 'rerank-v3.5'
+          - 'deepgram/base'
+          - 'deepgram/nova-3'
+          - 'deepgram/nova-3-general'
+          - 'deepgram/whisper'
+          - 'deepgram/whisper-base'
+          - 'deepgram/whisper-large'
+          - 'deepgram/whisper-medium'
+          - 'deepgram/whisper-small'
+          - 'deepgram/whisper-tiny'
+          - 'elevenlabs/scribe_v1'
+          - 'fireworks_ai/glm-4p7'
+          - 'gemini/imagen-4.0-ultra-generate-001'
+          - 'ollama/gpt-oss:20b'
+          - 'gpt-5.2'
+          - 'gemini/gemini-3-pro-preview'
+          - 'gemini/gemini-3-flash-preview'
+          - 'gpt-realtime-mini'
+          - 'text-embedding-3-large'
+          - 'text-embedding-3-small'
+          - 'fireworks_ai/deepseek-v3p2'
+          - 'fireworks_ai/kimi-k2-instruct'
+          - 'gpt-realtime'
+          - 'tts-1'
+          - 'tts-1-hd'
+          - 'whisper-1'
+          - 'fireworks_ai/qwen3-vl-235b-a22b-instruct'
+          - 'fireworks_ai/gpt-oss-120b'
+          - 'fireworks_ai/minimax-m2p1'
+          - 'gemini/imagen-4.0-generate-001'
+          - 'gemini/imagen-4.0-fast-generate-001'
+          - 'fireworks_ai/glm-4p6'
+          - 'fireworks_ai/kimi-k2-thinking'
+          - 'fireworks_ai/qwen3-vl-235b-a22b-thinking'
+        fetch: false
+      titleConvo: true
+      titleModel: 'fireworks_ai/gpt-oss-120b'
+      modelDisplayLabel: 'LLM'
+      # Summarize setting: Set to true to enable summarization.
+      summarize: true
+      # Summary Model: Specify the model to use if summarization is enabled.
+      summaryModel: "fireworks_ai/qwen3-vl-235b-a22b-instruct"  # Defaults to "gpt-3.5-turbo" if omitted.
+      # Force Prompt setting: If true, sends a `prompt` parameter instead of `messages`.
+      forcePrompt: false
+      dropParams: ['stop', 'user', 'frequency_penalty', 'presence_penalty']
+
+    # - name: 'groq'
+    #   apiKey: '${GROQ_API_KEY}'
+    #   baseURL: 'https://api.groq.com/openai/v1/'
+    #   models:
+    #     default:
+    #       - 'llama3-70b-8192'
+    #       - 'llama3-8b-8192'
+    #       - 'llama2-70b-4096'
+    #       - 'mixtral-8x7b-32768'
+    #       - 'gemma-7b-it'
+    #     fetch: false
+    #   titleConvo: true
+    #   titleModel: 'mixtral-8x7b-32768'
+    #   modelDisplayLabel: 'groq'
+
+    # # Mistral AI Example
+    # - name: 'Mistral' # Unique name for the endpoint
+    #   # For `apiKey` and `baseURL`, you can use environment variables that you define.
+    #   # recommended environment variables:
+    #   apiKey: '${MISTRAL_API_KEY}'
+    #   baseURL: 'https://api.mistral.ai/v1'
+
+    #   # Models configuration
+    #   models:
+    #     # List of default models to use. At least one value is required.
+    #     default: ['mistral-tiny', 'mistral-small', 'mistral-medium']
+    #     # Fetch option: Set to true to fetch models from API.
+    #     fetch: true # Defaults to false.
+
+    #   # Optional configurations
+
+    #   # Title Conversation setting
+    #   titleConvo: true # Set to true to enable title conversation
+
+    #   # Title Method: Choose between "completion" or "functions".
+    #   # titleMethod: "completion"  # Defaults to "completion" if omitted.
+
+    #   # Title Model: Specify the model to use for titles.
+    #   titleModel: 'mistral-tiny' # Defaults to "gpt-3.5-turbo" if omitted.
+
+    #   # Summarize setting: Set to true to enable summarization.
+    #   # summarize: false
+
+    #   # Summary Model: Specify the model to use if summarization is enabled.
+    #   # summaryModel: "mistral-tiny"  # Defaults to "gpt-3.5-turbo" if omitted.
+
+    #   # Force Prompt setting: If true, sends a `prompt` parameter instead of `messages`.
+    #   # forcePrompt: false
+
+    #   # The label displayed for the AI model in messages.
+    #   modelDisplayLabel: 'Mistral' # Default is "AI" when not set.
+
+    #   # Add additional parameters to the request. Default params will be overwritten.
+    #   # addParams:
+    #   # safe_prompt: true # This field is specific to Mistral AI: https://docs.mistral.ai/api/
+
+    #   # Drop Default params parameters from the request. See default params in guide linked below.
+    #   # NOTE: For Mistral, it is necessary to drop the following parameters or you will encounter a 422 Error:
+    #   dropParams: ['stop', 'user', 'frequency_penalty', 'presence_penalty']
+
+    # # OpenRouter Example
+    # - name: 'OpenRouter'
+    #   # For `apiKey` and `baseURL`, you can use environment variables that you define.
+    #   # recommended environment variables:
+    #   apiKey: '${OPENROUTER_KEY}'
+    #   baseURL: 'https://openrouter.ai/api/v1'
+    #   headers:
+    #       x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}'
+    #   models:
+    #     default: ['meta-llama/llama-3-70b-instruct']
+    #     fetch: true
+    #   titleConvo: true
+    #   titleModel: 'meta-llama/llama-3-70b-instruct'
+    #   # Recommended: Drop the stop parameter from the request as Openrouter models use a variety of stop tokens.
+    #   dropParams: ['stop']
+    #   modelDisplayLabel: 'OpenRouter'
+
+    # # Helicone Example
+    # - name: 'Helicone'
+    #   # For `apiKey` and `baseURL`, you can use environment variables that you define.
+    #   # recommended environment variables:
+    #   apiKey: '${HELICONE_KEY}'
+    #   baseURL: 'https://ai-gateway.helicone.ai'
+    #   headers:
+    #       x-librechat-body-parentmessageid: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}'
+    #   models:
+    #     default: ['gpt-4o-mini', 'claude-4.5-sonnet', 'llama-3.1-8b-instruct', 'gemini-2.5-flash-lite']
+    #     fetch: true
+    #   titleConvo: true
+    #   titleModel: 'gpt-4o-mini'
+    #   modelDisplayLabel: 'Helicone'
+    #   iconURL: https://marketing-assets-helicone.s3.us-west-2.amazonaws.com/helicone.png
+
+    # # Portkey AI Example
+    # - name: 'Portkey'
+    #   apiKey: 'dummy'
+    #   baseURL: 'https://api.portkey.ai/v1'
+    #   headers:
+    #     x-portkey-api-key: '${PORTKEY_API_KEY}'
+    #     x-portkey-virtual-key: '${PORTKEY_OPENAI_VIRTUAL_KEY}'
+    #   models:
+    #     default: ['gpt-4o-mini', 'gpt-4o', 'chatgpt-4o-latest']
+    #     fetch: true
+    #   titleConvo: true
+    #   titleModel: 'current_model'
+    #   summarize: false
+    #   summaryModel: 'current_model'
+    #   forcePrompt: false
+    #   modelDisplayLabel: 'Portkey'
+    #   iconURL: https://images.crunchbase.com/image/upload/c_pad,f_auto,q_auto:eco,dpr_1/rjqy7ghvjoiu4cd1xjbf
+# Example modelSpecs configuration showing grouping options
+# The 'group' field organizes model specs in the UI selector:
+# - If 'group' matches an endpoint name (e.g., "openAI", "groq"), the spec appears nested under that endpoint
+# - If 'group' is a custom name (doesn't match any endpoint), it creates a separate collapsible section
+# - If 'group' is omitted, the spec appears as a standalone item at the top level
+# modelSpecs:
+#   list:
+#     # Example 1: Nested under an endpoint (grouped with openAI endpoint)
+#     - name: "gpt-4o"
+#       label: "GPT-4 Optimized"
+#       description: "Most capable GPT-4 model with multimodal support"
+#       group: "openAI"  # String value matching the endpoint name
+#       preset:
+#         endpoint: "openAI"
+#         model: "gpt-4o"
+#
+#     # Example 2: Nested under a custom endpoint (grouped with groq endpoint)
+#     - name: "llama3-70b-8192"
+#       label: "Llama 3 70B"
+#       description: "Fastest inference available - great for quick responses"
+#       group: "groq"  # String value matching your custom endpoint name from endpoints.custom
+#       preset:
+#         endpoint: "groq"
+#         model: "llama3-70b-8192"
+#
+#     # Example 3: Custom group (creates a separate collapsible section)
+#     - name: "coding-assistant"
+#       label: "Coding Assistant"
+#       description: "Specialized for coding tasks"
+#       group: "my-assistants"  # Custom string - doesn't match any endpoint, so creates its own group
+#       preset:
+#         endpoint: "openAI"
+#         model: "gpt-4o"
+#         instructions: "You are an expert coding assistant..."
+#         temperature: 0.3
+#
+#     - name: "writing-assistant"
+#       label: "Writing Assistant"
+#       description: "Specialized for creative writing"
+#       group: "my-assistants"  # Same custom group name - both specs appear in same section
+#       preset:
+#         endpoint: "anthropic"
+#         model: "claude-sonnet-4"
+#         instructions: "You are a creative writing expert..."
+#
+#     # Example 4: Standalone (no group - appears at top level)
+#     - name: "general-assistant"
+#       label: "General Assistant"
+#       description: "General purpose assistant"
+#       # No 'group' field - appears as standalone item at top level (not nested)
+#       preset:
+#         endpoint: "openAI"
+#         model: "gpt-4o-mini"
+
+fileConfig:
+  endpoints:
+    assistants:
+      fileLimit: 5
+      fileSizeLimit: 10  # Maximum size for an individual file in MB
+      totalSizeLimit: 50  # Maximum total size for all files in a single request in MB
+      supportedMimeTypes:
+        - "image/.*"
+        - "application/pdf"
+    openAI:
+      disabled: true  # Disables file uploading to the OpenAI endpoint
+    default:
+      totalSizeLimit: 100
+      fileSizeLimit: 100
+      fileLimit: 10
+    # bifrost:
+    #   fileLimit: 25
+    #   fileSizeLimit: 50
+  serverFileSizeLimit: 1000  # Global server file size limit in MB
+  fileTokenLimit: 100000
+  avatarSizeLimit: 2  # Limit for user avatar image size in MB
+  imageGeneration: # Image Gen settings, either percentage or px
+    percentage: 100
+    px: 1024
+  ocr:
+    supportedMimeTypes:
+      - "^image/(jpeg|gif|png|webp|heic|heif)$"
+      - "^application/pdf$"
+      - "^application/vnd\\.openxmlformats-officedocument\\.(wordprocessingml\\.document|presentationml\\.presentation|spreadsheetml\\.sheet)$"
+      - "^application/vnd\\.ms-(word|powerpoint|excel)$"
+      - "^application/epub\\+zip$"
+  text:
+    supportedMimeTypes:
+      - "^text/(plain|markdown|csv|json|xml|html|css|javascript|typescript|x-python|x-java|x-csharp|x-php|x-ruby|x-go|x-rust|x-kotlin|x-swift|x-scala|x-perl|x-lua|x-shell|x-sql|x-yaml|x-toml)$"
+  stt:
+    supportedMimeTypes:
+      - "^audio/(mp3|mpeg|mpeg3|wav|wave|x-wav|ogg|vorbis|mp4|x-m4a|flac|x-flac|webm)$"
+  # Client-side image resizing to prevent upload errors
+  clientImageResize:
+    enabled: true  # Enable/disable client-side image resizing (default: false)
+    maxWidth: 1900  # Maximum width for resized images (default: 1900)
+    maxHeight: 1900  # Maximum height for resized images (default: 1900)
+    quality: 0.92  # JPEG quality for compression (0.0-1.0, default: 0.92)
+# See the Custom Configuration Guide for more information on Assistants Config:
+# https://www.librechat.ai/docs/configuration/librechat_yaml/object_structure/assistants_endpoint
+
+# Web Search Configuration (optional)
+webSearch:
+  rerankerType: 'cohere'
+  # Jina Reranking Configuration
+  # jinaApiKey: '${JINA_API_KEY}'  # Your Jina API key
+  # jinaApiUrl: '${JINA_API_URL}'  # Custom Jina API URL (optional, defaults to https://api.jina.ai/v1/rerank)
+  # Other rerankers
+  cohereApiKey: '${COHERE_API_KEY}'
+  # Search providers
+  searchProvider: "searxng"
+  # serperApiKey: '${SERPER_API_KEY}'
+  searxngInstanceUrl: '${SEARXNG_INSTANCE_URL}'
+  # searxngApiKey: '${SEARXNG_API_KEY}'
+  # Content scrapers
+  scraperProvider: "firecrawl"
+  firecrawlApiKey: '${FIRECRAWL_API_KEY}'
+  firecrawlApiUrl: '${FIRECRAWL_API_URL}'
+  firecrawlVersion: "${FIRECRAWL_VERSION}"
+# Memory configuration for user memories
+memory:
+  # (optional) Disable memory functionality
+  disabled: false
+  # (optional) Restrict memory keys to specific values to limit memory storage and improve consistency
+  validKeys: ["preferences", "work_info", "personal_info", "skills", "interests", "context"]
+  # (optional) Maximum token limit for memory storage (not yet implemented for token counting)
+  tokenLimit: 10000
+  # (optional) Enable personalization features (defaults to true if memory is configured)
+  # When false, users will not see the Personalization tab in settings
+  personalize: true
+  # Memory agent configuration - either use an existing agent by ID or define inline
+  agent:
+    # Option 1: Use existing agent by ID
+    # id: "your-memory-agent-id"
+    # Option 2: Define agent inline
+    provider: "litellm"
+    model: "fireworks_ai/qwen3-vl-30b-a3b-instruct"
+    instructions: "You are a memory management assistant. Store and manage user information accurately and do not embellish the information."
+    # model_parameters:
+    #   temperature: 0.1

packages/api/package.json

@@ -84,7 +84,7 @@
     "@azure/storage-blob": "^12.27.0",
     "@keyv/redis": "^4.3.3",
     "@langchain/core": "^0.3.79",
-    "@librechat/agents": "^3.0.32",
+    "@librechat/agents": "^3.0.36",
     "@librechat/data-schemas": "*",
     "@modelcontextprotocol/sdk": "^1.21.0",
     "axios": "^1.12.1",

packages/api/src/agents/run.ts

@@ -16,9 +16,9 @@ import { resolveHeaders, createSafeUser } from '~/utils/env';
 
 const customProviders = new Set([
   Providers.XAI,
-  Providers.OLLAMA,
   Providers.DEEPSEEK,
   Providers.OPENROUTER,
+  KnownEndpoints.ollama,
 ]);
 
 export function getReasoningKey(

packages/api/src/auth/openid.spec.ts

@@ -394,6 +394,34 @@ describe('findOpenIDUser', () => {
       expect(mockFindUser).toHaveBeenCalledWith({ email: 'user@example.com' });
     });
 
+    it('should pass email to findUser for case-insensitive lookup (findUser handles normalization)', async () => {
+      const mockUser: IUser = {
+        _id: 'user123',
+        provider: 'openid',
+        openidId: 'openid_456',
+        email: 'user@example.com',
+        username: 'testuser',
+      } as IUser;
+
+      mockFindUser
+        .mockResolvedValueOnce(null) // Primary condition fails
+        .mockResolvedValueOnce(mockUser); // Email search succeeds
+
+      const result = await findOpenIDUser({
+        openidId: 'openid_123',
+        findUser: mockFindUser,
+        email: 'User@Example.COM',
+      });
+
+      /** Email is passed as-is; findUser implementation handles normalization */
+      expect(mockFindUser).toHaveBeenNthCalledWith(2, { email: 'User@Example.COM' });
+      expect(result).toEqual({
+        user: mockUser,
+        error: null,
+        migration: false,
+      });
+    });
+
     it('should handle findUser throwing an error', async () => {
       mockFindUser.mockRejectedValueOnce(new Error('Database error'));
 

packages/api/src/endpoints/google/llm.ts

@@ -121,9 +121,12 @@ export function getSafetySettings(
 export function getGoogleConfig(
   credentials: string | t.GoogleCredentials | undefined,
   options: t.GoogleConfigOptions = {},
+  acceptRawApiKey = false,
 ) {
   let creds: t.GoogleCredentials = {};
-  if (typeof credentials === 'string') {
+  if (acceptRawApiKey && typeof credentials === 'string') {
+    creds[AuthKeys.GOOGLE_API_KEY] = credentials;
+  } else if (typeof credentials === 'string') {
     try {
       creds = JSON.parse(credentials);
     } catch (err: unknown) {

packages/api/src/endpoints/openai/config.google.spec.ts

@@ -69,6 +69,26 @@ describe('getOpenAIConfig - Google Compatibility', () => {
         expect(result.tools).toEqual([]);
       });
 
+      it('should filter out googleSearch when web_search is only in modelOptions (not explicitly in addParams/defaultParams)', () => {
+        const apiKey = JSON.stringify({ GOOGLE_API_KEY: 'test-google-key' });
+        const endpoint = 'Gemini (Custom)';
+        const options = {
+          modelOptions: {
+            model: 'gemini-2.0-flash-exp',
+            web_search: true,
+          },
+          customParams: {
+            defaultParamsEndpoint: 'google',
+          },
+          reverseProxyUrl: 'https://generativelanguage.googleapis.com/v1beta/openai',
+        };
+
+        const result = getOpenAIConfig(apiKey, options, endpoint);
+
+        /** googleSearch should be filtered out since web_search was not explicitly added via addParams or defaultParams */
+        expect(result.tools).toEqual([]);
+      });
+
       it('should handle web_search with mixed Google and OpenAI params in addParams', () => {
         const apiKey = JSON.stringify({ GOOGLE_API_KEY: 'test-google-key' });
         const endpoint = 'Gemini (Custom)';

packages/api/src/endpoints/openai/config.spec.ts

@@ -26,7 +26,7 @@ describe('getOpenAIConfig', () => {
 
   it('should apply model options', () => {
     const modelOptions = {
-      model: 'gpt-5',
+      model: 'gpt-4',
       temperature: 0.7,
       max_tokens: 1000,
     };
@@ -34,14 +34,11 @@ describe('getOpenAIConfig', () => {
     const result = getOpenAIConfig(mockApiKey, { modelOptions });
 
     expect(result.llmConfig).toMatchObject({
-      model: 'gpt-5',
+      model: 'gpt-4',
       temperature: 0.7,
-      modelKwargs: {
-        max_completion_tokens: 1000,
-      },
+      maxTokens: 1000,
     });
     expect((result.llmConfig as Record<string, unknown>).max_tokens).toBeUndefined();
-    expect((result.llmConfig as Record<string, unknown>).maxTokens).toBeUndefined();
   });
 
   it('should separate known and unknown params from addParams', () => {
@@ -286,7 +283,7 @@ describe('getOpenAIConfig', () => {
 
   it('should ignore non-boolean web_search values in addParams', () => {
     const modelOptions = {
-      model: 'gpt-5',
+      model: 'gpt-4',
       web_search: true,
     };
 
@@ -399,7 +396,7 @@ describe('getOpenAIConfig', () => {
 
   it('should handle verbosity parameter in modelKwargs', () => {
     const modelOptions = {
-      model: 'gpt-5',
+      model: 'gpt-4',
       temperature: 0.7,
       verbosity: Verbosity.high,
     };
@@ -407,7 +404,7 @@ describe('getOpenAIConfig', () => {
     const result = getOpenAIConfig(mockApiKey, { modelOptions });
 
     expect(result.llmConfig).toMatchObject({
-      model: 'gpt-5',
+      model: 'gpt-4',
       temperature: 0.7,
     });
     expect(result.llmConfig.modelKwargs).toEqual({
@@ -417,7 +414,7 @@ describe('getOpenAIConfig', () => {
 
   it('should allow addParams to override verbosity in modelKwargs', () => {
     const modelOptions = {
-      model: 'gpt-5',
+      model: 'gpt-4',
       verbosity: Verbosity.low,
     };
 
@@ -451,7 +448,7 @@ describe('getOpenAIConfig', () => {
 
   it('should nest verbosity under text when useResponsesApi is enabled', () => {
     const modelOptions = {
-      model: 'gpt-5',
+      model: 'gpt-4',
       temperature: 0.7,
       verbosity: Verbosity.low,
       useResponsesApi: true,
@@ -460,7 +457,7 @@ describe('getOpenAIConfig', () => {
     const result = getOpenAIConfig(mockApiKey, { modelOptions });
 
     expect(result.llmConfig).toMatchObject({
-      model: 'gpt-5',
+      model: 'gpt-4',
       temperature: 0.7,
       useResponsesApi: true,
     });
@@ -496,7 +493,6 @@ describe('getOpenAIConfig', () => {
   it('should move maxTokens to modelKwargs.max_completion_tokens for GPT-5+ models', () => {
     const modelOptions = {
       model: 'gpt-5',
-      temperature: 0.7,
       max_tokens: 2048,
     };
 
@@ -504,7 +500,6 @@ describe('getOpenAIConfig', () => {
 
     expect(result.llmConfig).toMatchObject({
       model: 'gpt-5',
-      temperature: 0.7,
     });
     expect(result.llmConfig.maxTokens).toBeUndefined();
     expect(result.llmConfig.modelKwargs).toEqual({
@@ -1684,7 +1679,7 @@ describe('getOpenAIConfig', () => {
       it('should not override existing modelOptions with defaultParams', () => {
         const result = getOpenAIConfig(mockApiKey, {
           modelOptions: {
-            model: 'gpt-5',
+            model: 'gpt-4',
             temperature: 0.9,
           },
           customParams: {
@@ -1697,7 +1692,7 @@ describe('getOpenAIConfig', () => {
         });
 
         expect(result.llmConfig.temperature).toBe(0.9);
-        expect(result.llmConfig.modelKwargs?.max_completion_tokens).toBe(1000);
+        expect(result.llmConfig.maxTokens).toBe(1000);
       });
 
       it('should allow addParams to override defaultParams', () => {
@@ -1845,7 +1840,7 @@ describe('getOpenAIConfig', () => {
       it('should preserve order: defaultParams < addParams < modelOptions', () => {
         const result = getOpenAIConfig(mockApiKey, {
           modelOptions: {
-            model: 'gpt-5',
+            model: 'gpt-4',
             temperature: 0.9,
           },
           customParams: {
@@ -1863,7 +1858,7 @@ describe('getOpenAIConfig', () => {
 
         expect(result.llmConfig.temperature).toBe(0.9);
         expect(result.llmConfig.topP).toBe(0.8);
-        expect(result.llmConfig.modelKwargs?.max_completion_tokens).toBe(500);
+        expect(result.llmConfig.maxTokens).toBe(500);
       });
     });
   });

packages/api/src/endpoints/openai/config.ts

@@ -77,23 +77,29 @@ export function getOpenAIConfig(
       headers = Object.assign(headers ?? {}, transformed.configOptions?.defaultHeaders);
     }
   } else if (isGoogle) {
-    const googleResult = getGoogleConfig(apiKey, {
-      modelOptions,
-      reverseProxyUrl: baseURL ?? undefined,
-      authHeader: true,
-      addParams,
-      dropParams,
-      defaultParams,
-    });
+    const googleResult = getGoogleConfig(
+      apiKey,
+      {
+        modelOptions,
+        reverseProxyUrl: baseURL ?? undefined,
+        authHeader: true,
+        addParams,
+        dropParams,
+        defaultParams,
+      },
+      true,
+    );
     /** Transform handles addParams/dropParams - it knows about OpenAI params */
     const transformed = transformToOpenAIConfig({
       addParams,
       dropParams,
+      defaultParams,
+      tools: googleResult.tools,
       llmConfig: googleResult.llmConfig,
       fromEndpoint: EModelEndpoint.google,
     });
     llmConfig = transformed.llmConfig;
-    tools = googleResult.tools;
+    tools = transformed.tools;
   } else {
     const openaiResult = getOpenAILLMConfig({
       azure,

packages/api/src/endpoints/openai/llm.spec.ts

@@ -0,0 +1,602 @@
+import {
+  Verbosity,
+  EModelEndpoint,
+  ReasoningEffort,
+  ReasoningSummary,
+} from 'librechat-data-provider';
+import { getOpenAILLMConfig, extractDefaultParams, applyDefaultParams } from './llm';
+import type * as t from '~/types';
+
+describe('getOpenAILLMConfig', () => {
+  describe('Basic Configuration', () => {
+    it('should create a basic configuration with required fields', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('apiKey', 'test-api-key');
+      expect(result.llmConfig).toHaveProperty('model', 'gpt-4');
+      expect(result.llmConfig).toHaveProperty('streaming', true);
+      expect(result.tools).toEqual([]);
+    });
+
+    it('should handle model options including temperature and penalties', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+          temperature: 0.7,
+          frequency_penalty: 0.5,
+          presence_penalty: 0.3,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('temperature', 0.7);
+      expect(result.llmConfig).toHaveProperty('frequencyPenalty', 0.5);
+      expect(result.llmConfig).toHaveProperty('presencePenalty', 0.3);
+    });
+
+    it('should handle max_tokens conversion to maxTokens', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+          max_tokens: 4096,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('maxTokens', 4096);
+      expect(result.llmConfig).not.toHaveProperty('max_tokens');
+    });
+  });
+
+  describe('OpenAI Reasoning Models (o1/o3/gpt-5)', () => {
+    const reasoningModels = [
+      'o1',
+      'o1-mini',
+      'o1-preview',
+      'o1-pro',
+      'o3',
+      'o3-mini',
+      'gpt-5',
+      'gpt-5-pro',
+      'gpt-5-turbo',
+    ];
+
+    const excludedParams = [
+      'frequencyPenalty',
+      'presencePenalty',
+      'temperature',
+      'topP',
+      'logitBias',
+      'n',
+      'logprobs',
+    ];
+
+    it.each(reasoningModels)(
+      'should exclude unsupported parameters for reasoning model: %s',
+      (model) => {
+        const result = getOpenAILLMConfig({
+          apiKey: 'test-api-key',
+          streaming: true,
+          modelOptions: {
+            model,
+            temperature: 0.7,
+            frequency_penalty: 0.5,
+            presence_penalty: 0.3,
+            topP: 0.9,
+            logitBias: { '50256': -100 },
+            n: 2,
+            logprobs: true,
+          } as Partial<t.OpenAIParameters>,
+        });
+
+        excludedParams.forEach((param) => {
+          expect(result.llmConfig).not.toHaveProperty(param);
+        });
+
+        expect(result.llmConfig).toHaveProperty('model', model);
+        expect(result.llmConfig).toHaveProperty('streaming', true);
+      },
+    );
+
+    it('should preserve maxTokens for reasoning models', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'o1',
+          max_tokens: 4096,
+          temperature: 0.7,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('maxTokens', 4096);
+      expect(result.llmConfig).not.toHaveProperty('temperature');
+    });
+
+    it('should preserve other valid parameters for reasoning models', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'o1',
+          max_tokens: 8192,
+          stop: ['END'],
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('maxTokens', 8192);
+      expect(result.llmConfig).toHaveProperty('stop', ['END']);
+    });
+
+    it('should handle GPT-5 max_tokens conversion to max_completion_tokens', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-5',
+          max_tokens: 8192,
+          stop: ['END'],
+        },
+      });
+
+      expect(result.llmConfig.modelKwargs).toHaveProperty('max_completion_tokens', 8192);
+      expect(result.llmConfig).not.toHaveProperty('maxTokens');
+      expect(result.llmConfig).toHaveProperty('stop', ['END']);
+    });
+
+    it('should combine user dropParams with reasoning exclusion params', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'o3-mini',
+          temperature: 0.7,
+          stop: ['END'],
+        },
+        dropParams: ['stop'],
+      });
+
+      expect(result.llmConfig).not.toHaveProperty('temperature');
+      expect(result.llmConfig).not.toHaveProperty('stop');
+    });
+
+    it('should NOT exclude parameters for non-reasoning models', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4-turbo',
+          temperature: 0.7,
+          frequency_penalty: 0.5,
+          presence_penalty: 0.3,
+          topP: 0.9,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('temperature', 0.7);
+      expect(result.llmConfig).toHaveProperty('frequencyPenalty', 0.5);
+      expect(result.llmConfig).toHaveProperty('presencePenalty', 0.3);
+      expect(result.llmConfig).toHaveProperty('topP', 0.9);
+    });
+
+    it('should NOT exclude parameters for gpt-5.x versioned models (they support sampling params)', () => {
+      const versionedModels = ['gpt-5.1', 'gpt-5.1-turbo', 'gpt-5.2', 'gpt-5.5-preview'];
+
+      versionedModels.forEach((model) => {
+        const result = getOpenAILLMConfig({
+          apiKey: 'test-api-key',
+          streaming: true,
+          modelOptions: {
+            model,
+            temperature: 0.7,
+            frequency_penalty: 0.5,
+            presence_penalty: 0.3,
+            topP: 0.9,
+          },
+        });
+
+        expect(result.llmConfig).toHaveProperty('temperature', 0.7);
+        expect(result.llmConfig).toHaveProperty('frequencyPenalty', 0.5);
+        expect(result.llmConfig).toHaveProperty('presencePenalty', 0.3);
+        expect(result.llmConfig).toHaveProperty('topP', 0.9);
+      });
+    });
+
+    it('should NOT exclude parameters for gpt-5-chat (it supports sampling params)', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-5-chat',
+          temperature: 0.7,
+          frequency_penalty: 0.5,
+          presence_penalty: 0.3,
+          topP: 0.9,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('temperature', 0.7);
+      expect(result.llmConfig).toHaveProperty('frequencyPenalty', 0.5);
+      expect(result.llmConfig).toHaveProperty('presencePenalty', 0.3);
+      expect(result.llmConfig).toHaveProperty('topP', 0.9);
+    });
+
+    it('should handle reasoning models with reasoning_effort parameter', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        endpoint: EModelEndpoint.openAI,
+        modelOptions: {
+          model: 'o1',
+          reasoning_effort: ReasoningEffort.high,
+          temperature: 0.7,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('reasoning_effort', ReasoningEffort.high);
+      expect(result.llmConfig).not.toHaveProperty('temperature');
+    });
+  });
+
+  describe('OpenAI Web Search Models', () => {
+    it('should exclude parameters for gpt-4o search models', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4o-search-preview',
+          temperature: 0.7,
+          top_p: 0.9,
+          seed: 42,
+        } as Partial<t.OpenAIParameters>,
+      });
+
+      expect(result.llmConfig).not.toHaveProperty('temperature');
+      expect(result.llmConfig).not.toHaveProperty('top_p');
+      expect(result.llmConfig).not.toHaveProperty('seed');
+    });
+
+    it('should preserve max_tokens for search models', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4o-search',
+          max_tokens: 4096,
+          temperature: 0.7,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('maxTokens', 4096);
+      expect(result.llmConfig).not.toHaveProperty('temperature');
+    });
+  });
+
+  describe('Web Search Functionality', () => {
+    it('should enable web search with Responses API', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+          web_search: true,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('useResponsesApi', true);
+      expect(result.tools).toContainEqual({ type: 'web_search' });
+    });
+
+    it('should handle web search with OpenRouter', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        useOpenRouter: true,
+        modelOptions: {
+          model: 'gpt-4',
+          web_search: true,
+        },
+      });
+
+      expect(result.llmConfig.modelKwargs).toHaveProperty('plugins', [{ id: 'web' }]);
+      expect(result.llmConfig).toHaveProperty('include_reasoning', true);
+    });
+
+    it('should disable web search via dropParams', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+          web_search: true,
+        },
+        dropParams: ['web_search'],
+      });
+
+      expect(result.tools).not.toContainEqual({ type: 'web_search' });
+    });
+  });
+
+  describe('GPT-5 max_tokens Handling', () => {
+    it('should convert maxTokens to max_completion_tokens for GPT-5 models', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-5',
+          max_tokens: 8192,
+        },
+      });
+
+      expect(result.llmConfig.modelKwargs).toHaveProperty('max_completion_tokens', 8192);
+      expect(result.llmConfig).not.toHaveProperty('maxTokens');
+    });
+
+    it('should convert maxTokens to max_output_tokens for GPT-5 with Responses API', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-5',
+          max_tokens: 8192,
+        },
+        addParams: {
+          useResponsesApi: true,
+        },
+      });
+
+      expect(result.llmConfig.modelKwargs).toHaveProperty('max_output_tokens', 8192);
+      expect(result.llmConfig).not.toHaveProperty('maxTokens');
+    });
+  });
+
+  describe('Reasoning Parameters', () => {
+    it('should handle reasoning_effort for OpenAI endpoint', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        endpoint: EModelEndpoint.openAI,
+        modelOptions: {
+          model: 'o1',
+          reasoning_effort: ReasoningEffort.high,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('reasoning_effort', ReasoningEffort.high);
+    });
+
+    it('should use reasoning object for non-OpenAI endpoints', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        endpoint: 'custom',
+        modelOptions: {
+          model: 'o1',
+          reasoning_effort: ReasoningEffort.high,
+          reasoning_summary: ReasoningSummary.concise,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('reasoning');
+      expect(result.llmConfig.reasoning).toEqual({
+        effort: ReasoningEffort.high,
+        summary: ReasoningSummary.concise,
+      });
+    });
+
+    it('should use reasoning object when useResponsesApi is true', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        endpoint: EModelEndpoint.openAI,
+        modelOptions: {
+          model: 'o1',
+          reasoning_effort: ReasoningEffort.medium,
+          reasoning_summary: ReasoningSummary.detailed,
+        },
+        addParams: {
+          useResponsesApi: true,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('reasoning');
+      expect(result.llmConfig.reasoning).toEqual({
+        effort: ReasoningEffort.medium,
+        summary: ReasoningSummary.detailed,
+      });
+    });
+  });
+
+  describe('Default and Add Parameters', () => {
+    it('should apply default parameters when fields are undefined', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+        },
+        defaultParams: {
+          temperature: 0.5,
+          topP: 0.9,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('temperature', 0.5);
+      expect(result.llmConfig).toHaveProperty('topP', 0.9);
+    });
+
+    it('should NOT override existing values with default parameters', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+          temperature: 0.8,
+        },
+        defaultParams: {
+          temperature: 0.5,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('temperature', 0.8);
+    });
+
+    it('should apply addParams and override defaults', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+        },
+        defaultParams: {
+          temperature: 0.5,
+        },
+        addParams: {
+          temperature: 0.9,
+          seed: 42,
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('temperature', 0.9);
+      expect(result.llmConfig).toHaveProperty('seed', 42);
+    });
+
+    it('should handle unknown params via modelKwargs', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+        },
+        addParams: {
+          custom_param: 'custom_value',
+        },
+      });
+
+      expect(result.llmConfig.modelKwargs).toHaveProperty('custom_param', 'custom_value');
+    });
+  });
+
+  describe('Drop Parameters', () => {
+    it('should drop specified parameters', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+          temperature: 0.7,
+          topP: 0.9,
+        },
+        dropParams: ['temperature'],
+      });
+
+      expect(result.llmConfig).not.toHaveProperty('temperature');
+      expect(result.llmConfig).toHaveProperty('topP', 0.9);
+    });
+  });
+
+  describe('OpenRouter Configuration', () => {
+    it('should include include_reasoning for OpenRouter', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        useOpenRouter: true,
+        modelOptions: {
+          model: 'gpt-4',
+        },
+      });
+
+      expect(result.llmConfig).toHaveProperty('include_reasoning', true);
+    });
+  });
+
+  describe('Verbosity Handling', () => {
+    it('should add verbosity to modelKwargs', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+          verbosity: Verbosity.high,
+        },
+      });
+
+      expect(result.llmConfig.modelKwargs).toHaveProperty('verbosity', Verbosity.high);
+    });
+
+    it('should convert verbosity to text object with Responses API', () => {
+      const result = getOpenAILLMConfig({
+        apiKey: 'test-api-key',
+        streaming: true,
+        modelOptions: {
+          model: 'gpt-4',
+          verbosity: Verbosity.low,
+        },
+        addParams: {
+          useResponsesApi: true,
+        },
+      });
+
+      expect(result.llmConfig.modelKwargs).toHaveProperty('text', { verbosity: Verbosity.low });
+      expect(result.llmConfig.modelKwargs).not.toHaveProperty('verbosity');
+    });
+  });
+});
+
+describe('extractDefaultParams', () => {
+  it('should extract default values from param definitions', () => {
+    const paramDefinitions = [
+      { key: 'temperature', default: 0.7 },
+      { key: 'maxTokens', default: 4096 },
+      { key: 'noDefault' },
+    ];
+
+    const result = extractDefaultParams(paramDefinitions);
+
+    expect(result).toEqual({
+      temperature: 0.7,
+      maxTokens: 4096,
+    });
+  });
+
+  it('should return undefined for undefined or non-array input', () => {
+    expect(extractDefaultParams(undefined)).toBeUndefined();
+    expect(extractDefaultParams(null as unknown as undefined)).toBeUndefined();
+  });
+
+  it('should handle empty array', () => {
+    const result = extractDefaultParams([]);
+    expect(result).toEqual({});
+  });
+});
+
+describe('applyDefaultParams', () => {
+  it('should apply defaults only when field is undefined', () => {
+    const target: Record<string, unknown> = {
+      temperature: 0.8,
+      maxTokens: undefined,
+    };
+
+    const defaults = {
+      temperature: 0.5,
+      maxTokens: 4096,
+      topP: 0.9,
+    };
+
+    applyDefaultParams(target, defaults);
+
+    expect(target).toEqual({
+      temperature: 0.8,
+      maxTokens: 4096,
+      topP: 0.9,
+    });
+  });
+});

packages/api/src/endpoints/openai/llm.ts

@@ -259,9 +259,35 @@ export function getOpenAILLMConfig({
   }
 
   /**
-   * Note: OpenAI Web Search models do not support any known parameters besides `max_tokens`
+   * Note: OpenAI reasoning models (o1/o3/gpt-5) do not support temperature and other sampling parameters
+   * Exception: gpt-5-chat and versioned models like gpt-5.1 DO support these parameters
    */
-  if (modelOptions.model && /gpt-4o.*search/.test(modelOptions.model as string)) {
+  if (
+    modelOptions.model &&
+    /\b(o[13]|gpt-5)(?!\.|-chat)(?:-|$)/.test(modelOptions.model as string)
+  ) {
+    const reasoningExcludeParams = [
+      'frequencyPenalty',
+      'presencePenalty',
+      'temperature',
+      'topP',
+      'logitBias',
+      'n',
+      'logprobs',
+    ];
+
+    const updatedDropParams = dropParams || [];
+    const combinedDropParams = [...new Set([...updatedDropParams, ...reasoningExcludeParams])];
+
+    combinedDropParams.forEach((param) => {
+      if (param in llmConfig) {
+        delete llmConfig[param as keyof t.OAIClientOptions];
+      }
+    });
+  } else if (modelOptions.model && /gpt-4o.*search/.test(modelOptions.model as string)) {
+    /**
+     * Note: OpenAI Web Search models do not support any known parameters besides `max_tokens`
+     */
     const searchExcludeParams = [
       'frequency_penalty',
       'presence_penalty',

packages/api/src/endpoints/openai/transform.ts

@@ -1,28 +1,48 @@
 import { EModelEndpoint } from 'librechat-data-provider';
+import type { GoogleAIToolType } from '@langchain/google-common';
 import type { ClientOptions } from '@librechat/agents';
 import type * as t from '~/types';
 import { knownOpenAIParams } from './llm';
 
 const anthropicExcludeParams = new Set(['anthropicApiUrl']);
-const googleExcludeParams = new Set(['safetySettings', 'location', 'baseUrl', 'customHeaders']);
+const googleExcludeParams = new Set([
+  'safetySettings',
+  'location',
+  'baseUrl',
+  'customHeaders',
+  'thinkingConfig',
+  'thinkingBudget',
+  'includeThoughts',
+]);
+
+/** Google-specific tool types that have no OpenAI-compatible equivalent */
+const googleToolsToFilter = new Set(['googleSearch']);
+
+export type ConfigTools = Array<Record<string, unknown>> | Array<GoogleAIToolType>;
 
 /**
  * Transforms a Non-OpenAI LLM config to an OpenAI-conformant config.
  * Non-OpenAI parameters are moved to modelKwargs.
  * Also extracts configuration options that belong in configOptions.
  * Handles addParams and dropParams for parameter customization.
+ * Filters out provider-specific tools that have no OpenAI equivalent.
  */
 export function transformToOpenAIConfig({
+  tools,
   addParams,
   dropParams,
+  defaultParams,
   llmConfig,
   fromEndpoint,
 }: {
+  tools?: ConfigTools;
   addParams?: Record<string, unknown>;
   dropParams?: string[];
+  defaultParams?: Record<string, unknown>;
   llmConfig: ClientOptions;
   fromEndpoint: string;
 }): {
+  tools: ConfigTools;
   llmConfig: t.OAIClientOptions;
   configOptions: Partial<t.OpenAIConfiguration>;
 } {
@@ -58,18 +78,9 @@ export function transformToOpenAIConfig({
       hasModelKwargs = true;
       continue;
     } else if (isGoogle && key === 'authOptions') {
-      // Handle Google authOptions
       modelKwargs = Object.assign({}, modelKwargs, value as Record<string, unknown>);
       hasModelKwargs = true;
       continue;
-    } else if (
-      isGoogle &&
-      (key === 'thinkingConfig' || key === 'thinkingBudget' || key === 'includeThoughts')
-    ) {
-      // Handle Google thinking configuration
-      modelKwargs = Object.assign({}, modelKwargs, { [key]: value });
-      hasModelKwargs = true;
-      continue;
     }
 
     if (knownOpenAIParams.has(key)) {
@@ -121,7 +132,34 @@ export function transformToOpenAIConfig({
     }
   }
 
+  /**
+   * Filter out provider-specific tools that have no OpenAI equivalent.
+   * Exception: If web_search was explicitly enabled via addParams or defaultParams,
+   * preserve googleSearch tools (pass through in Google-native format).
+   */
+  const webSearchExplicitlyEnabled =
+    addParams?.web_search === true || defaultParams?.web_search === true;
+
+  const filterGoogleTool = (tool: unknown): boolean => {
+    if (!isGoogle) {
+      return true;
+    }
+    if (typeof tool !== 'object' || tool === null) {
+      return false;
+    }
+    const toolKeys = Object.keys(tool as Record<string, unknown>);
+    const isGoogleSpecificTool = toolKeys.some((key) => googleToolsToFilter.has(key));
+    /** Preserve googleSearch if web_search was explicitly enabled */
+    if (isGoogleSpecificTool && webSearchExplicitlyEnabled) {
+      return true;
+    }
+    return !isGoogleSpecificTool;
+  };
+
+  const filteredTools = Array.isArray(tools) ? tools.filter(filterGoogleTool) : [];
+
   return {
+    tools: filteredTools,
     llmConfig: openAIConfig as t.OAIClientOptions,
     configOptions,
   };

packages/api/src/middleware/index.ts

@@ -1,3 +1,4 @@
 export * from './access';
 export * from './error';
 export * from './balance';
+export * from './json';

packages/api/src/middleware/json.spec.ts

@@ -0,0 +1,158 @@
+import { handleJsonParseError } from './json';
+import type { Request, Response, NextFunction } from 'express';
+
+describe('handleJsonParseError', () => {
+  let req: Partial<Request>;
+  let res: Partial<Response>;
+  let next: NextFunction;
+  let jsonSpy: jest.Mock;
+  let statusSpy: jest.Mock;
+
+  beforeEach(() => {
+    req = {
+      path: '/api/test',
+      method: 'POST',
+      ip: '127.0.0.1',
+    };
+
+    jsonSpy = jest.fn();
+    statusSpy = jest.fn().mockReturnValue({ json: jsonSpy });
+
+    res = {
+      status: statusSpy,
+      json: jsonSpy,
+    };
+
+    next = jest.fn();
+  });
+
+  describe('JSON parse errors', () => {
+    it('should handle JSON SyntaxError with 400 status', () => {
+      const err = new SyntaxError('Unexpected token < in JSON at position 0') as SyntaxError & {
+        status?: number;
+        body?: unknown;
+      };
+      err.status = 400;
+      err.body = {};
+
+      handleJsonParseError(err, req as Request, res as Response, next);
+
+      expect(statusSpy).toHaveBeenCalledWith(400);
+      expect(jsonSpy).toHaveBeenCalledWith({
+        error: 'Invalid JSON format',
+        message: 'The request body contains malformed JSON',
+      });
+      expect(next).not.toHaveBeenCalled();
+    });
+
+    it('should not reflect user input in error message', () => {
+      const maliciousInput = '<script>alert("xss")</script>';
+      const err = new SyntaxError(
+        `Unexpected token < in JSON at position 0: ${maliciousInput}`,
+      ) as SyntaxError & {
+        status?: number;
+        body?: unknown;
+      };
+      err.status = 400;
+      err.body = maliciousInput;
+
+      handleJsonParseError(err, req as Request, res as Response, next);
+
+      expect(statusSpy).toHaveBeenCalledWith(400);
+      const errorResponse = jsonSpy.mock.calls[0][0];
+      expect(errorResponse.message).not.toContain(maliciousInput);
+      expect(errorResponse.message).toBe('The request body contains malformed JSON');
+      expect(next).not.toHaveBeenCalled();
+    });
+
+    it('should handle JSON parse error with HTML tags in body', () => {
+      const err = new SyntaxError('Invalid JSON') as SyntaxError & {
+        status?: number;
+        body?: unknown;
+      };
+      err.status = 400;
+      err.body = '<html><body><h1>XSS</h1></body></html>';
+
+      handleJsonParseError(err, req as Request, res as Response, next);
+
+      expect(statusSpy).toHaveBeenCalledWith(400);
+      const errorResponse = jsonSpy.mock.calls[0][0];
+      expect(errorResponse.message).not.toContain('<html>');
+      expect(errorResponse.message).not.toContain('<script>');
+      expect(next).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('non-JSON errors', () => {
+    it('should pass through non-SyntaxError errors', () => {
+      const err = new Error('Some other error');
+
+      handleJsonParseError(err, req as Request, res as Response, next);
+
+      expect(next).toHaveBeenCalledWith(err);
+      expect(statusSpy).not.toHaveBeenCalled();
+      expect(jsonSpy).not.toHaveBeenCalled();
+    });
+
+    it('should pass through SyntaxError without status 400', () => {
+      const err = new SyntaxError('Some syntax error') as SyntaxError & { status?: number };
+      err.status = 500;
+
+      handleJsonParseError(err, req as Request, res as Response, next);
+
+      expect(next).toHaveBeenCalledWith(err);
+      expect(statusSpy).not.toHaveBeenCalled();
+    });
+
+    it('should pass through SyntaxError without body property', () => {
+      const err = new SyntaxError('Some syntax error') as SyntaxError & { status?: number };
+      err.status = 400;
+
+      handleJsonParseError(err, req as Request, res as Response, next);
+
+      expect(next).toHaveBeenCalledWith(err);
+      expect(statusSpy).not.toHaveBeenCalled();
+    });
+
+    it('should pass through TypeError', () => {
+      const err = new TypeError('Type error');
+
+      handleJsonParseError(err, req as Request, res as Response, next);
+
+      expect(next).toHaveBeenCalledWith(err);
+      expect(statusSpy).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('security verification', () => {
+    it('should return generic error message for all JSON parse errors', () => {
+      const testCases = [
+        'Unexpected token < in JSON',
+        'Unexpected end of JSON input',
+        'Invalid or unexpected token',
+        '<script>alert(1)</script>',
+        '"><img src=x onerror=alert(1)>',
+      ];
+
+      testCases.forEach((errorMsg) => {
+        const err = new SyntaxError(errorMsg) as SyntaxError & {
+          status?: number;
+          body?: unknown;
+        };
+        err.status = 400;
+        err.body = errorMsg;
+
+        jsonSpy.mockClear();
+        statusSpy.mockClear();
+        (next as jest.Mock).mockClear();
+
+        handleJsonParseError(err, req as Request, res as Response, next);
+
+        const errorResponse = jsonSpy.mock.calls[0][0];
+        // Verify the generic message is always returned, not the user input
+        expect(errorResponse.message).toBe('The request body contains malformed JSON');
+        expect(errorResponse.error).toBe('Invalid JSON format');
+      });
+    });
+  });
+});

packages/api/src/middleware/json.ts

@@ -0,0 +1,40 @@
+import { logger } from '@librechat/data-schemas';
+import type { Request, Response, NextFunction } from 'express';
+
+/**
+ * Middleware to handle JSON parsing errors from express.json()
+ * Prevents user input from being reflected in error messages (XSS prevention)
+ *
+ * This middleware should be placed immediately after express.json() middleware.
+ *
+ * @param err - Error object from express.json()
+ * @param req - Express request object
+ * @param res - Express response object
+ * @param next - Express next function
+ *
+ * @example
+ * app.use(express.json({ limit: '3mb' }));
+ * app.use(handleJsonParseError);
+ */
+export function handleJsonParseError(
+  err: Error & { status?: number; body?: unknown },
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): void {
+  if (err instanceof SyntaxError && err.status === 400 && 'body' in err) {
+    logger.warn('[JSON Parse Error] Invalid JSON received', {
+      path: req.path,
+      method: req.method,
+      ip: req.ip,
+    });
+
+    res.status(400).json({
+      error: 'Invalid JSON format',
+      message: 'The request body contains malformed JSON',
+    });
+    return;
+  }
+
+  next(err);
+}

packages/api/src/prompts/format.ts

@@ -2,6 +2,7 @@ import { SystemCategories } from 'librechat-data-provider';
 import type { IPromptGroupDocument as IPromptGroup } from '@librechat/data-schemas';
 import type { Types } from 'mongoose';
 import type { PromptGroupsListResponse } from '~/types';
+import { escapeRegExp } from '~/utils/common';
 
 /**
  * Formats prompt groups for the paginated /groups endpoint response
@@ -101,7 +102,6 @@ export function buildPromptGroupFilter({
 
   // Handle name filter - convert to regex for case-insensitive search
   if (name) {
-    const escapeRegExp = (str: string) => str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
     filter.name = new RegExp(escapeRegExp(name), 'i');
   }
 

packages/api/src/prompts/index.ts

@@ -1,2 +1,3 @@
 export * from './format';
 export * from './migration';
+export * from './schemas';

packages/api/src/prompts/schemas.spec.ts

@@ -0,0 +1,222 @@
+import {
+  updatePromptGroupSchema,
+  validatePromptGroupUpdate,
+  safeValidatePromptGroupUpdate,
+} from './schemas';
+
+describe('updatePromptGroupSchema', () => {
+  describe('allowed fields', () => {
+    it('should accept valid name field', () => {
+      const result = updatePromptGroupSchema.safeParse({ name: 'Test Group' });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.name).toBe('Test Group');
+      }
+    });
+
+    it('should accept valid oneliner field', () => {
+      const result = updatePromptGroupSchema.safeParse({ oneliner: 'A short description' });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.oneliner).toBe('A short description');
+      }
+    });
+
+    it('should accept valid category field', () => {
+      const result = updatePromptGroupSchema.safeParse({ category: 'testing' });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.category).toBe('testing');
+      }
+    });
+
+    it('should accept valid projectIds array', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        projectIds: ['proj1', 'proj2'],
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.projectIds).toEqual(['proj1', 'proj2']);
+      }
+    });
+
+    it('should accept valid removeProjectIds array', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        removeProjectIds: ['proj1'],
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.removeProjectIds).toEqual(['proj1']);
+      }
+    });
+
+    it('should accept valid command field', () => {
+      const result = updatePromptGroupSchema.safeParse({ command: 'my-command-123' });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.command).toBe('my-command-123');
+      }
+    });
+
+    it('should accept null command field', () => {
+      const result = updatePromptGroupSchema.safeParse({ command: null });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.command).toBeNull();
+      }
+    });
+
+    it('should accept multiple valid fields', () => {
+      const input = {
+        name: 'Updated Name',
+        category: 'new-category',
+        oneliner: 'New description',
+      };
+      const result = updatePromptGroupSchema.safeParse(input);
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data).toEqual(input);
+      }
+    });
+
+    it('should accept empty object', () => {
+      const result = updatePromptGroupSchema.safeParse({});
+      expect(result.success).toBe(true);
+    });
+  });
+
+  describe('security - strips sensitive fields', () => {
+    it('should reject author field', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        name: 'Test',
+        author: '507f1f77bcf86cd799439011',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject authorName field', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        name: 'Test',
+        authorName: 'Malicious Author',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject _id field', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        name: 'Test',
+        _id: '507f1f77bcf86cd799439011',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject productionId field', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        name: 'Test',
+        productionId: '507f1f77bcf86cd799439011',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject createdAt field', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        name: 'Test',
+        createdAt: new Date().toISOString(),
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject updatedAt field', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        name: 'Test',
+        updatedAt: new Date().toISOString(),
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject __v field', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        name: 'Test',
+        __v: 999,
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject multiple sensitive fields in a single request', () => {
+      const result = updatePromptGroupSchema.safeParse({
+        name: 'Legit Name',
+        author: '507f1f77bcf86cd799439011',
+        authorName: 'Hacker',
+        _id: 'newid123',
+        productionId: 'prodid456',
+        createdAt: '2020-01-01T00:00:00.000Z',
+        __v: 999,
+      });
+      expect(result.success).toBe(false);
+    });
+  });
+
+  describe('validation rules', () => {
+    it('should reject empty name', () => {
+      const result = updatePromptGroupSchema.safeParse({ name: '' });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject name exceeding max length', () => {
+      const result = updatePromptGroupSchema.safeParse({ name: 'a'.repeat(256) });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject oneliner exceeding max length', () => {
+      const result = updatePromptGroupSchema.safeParse({ oneliner: 'a'.repeat(501) });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject category exceeding max length', () => {
+      const result = updatePromptGroupSchema.safeParse({ category: 'a'.repeat(101) });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject command with invalid characters (uppercase)', () => {
+      const result = updatePromptGroupSchema.safeParse({ command: 'MyCommand' });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject command with invalid characters (spaces)', () => {
+      const result = updatePromptGroupSchema.safeParse({ command: 'my command' });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject command with invalid characters (special)', () => {
+      const result = updatePromptGroupSchema.safeParse({ command: 'my_command!' });
+      expect(result.success).toBe(false);
+    });
+  });
+});
+
+describe('validatePromptGroupUpdate', () => {
+  it('should return validated data for valid input', () => {
+    const input = { name: 'Test', category: 'testing' };
+    const result = validatePromptGroupUpdate(input);
+    expect(result).toEqual(input);
+  });
+
+  it('should throw ZodError for invalid input', () => {
+    expect(() => validatePromptGroupUpdate({ author: 'malicious-id' })).toThrow();
+  });
+});
+
+describe('safeValidatePromptGroupUpdate', () => {
+  it('should return success true for valid input', () => {
+    const result = safeValidatePromptGroupUpdate({ name: 'Test' });
+    expect(result.success).toBe(true);
+  });
+
+  it('should return success false for invalid input with errors', () => {
+    const result = safeValidatePromptGroupUpdate({ author: 'malicious-id' });
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error.errors.length).toBeGreaterThan(0);
+    }
+  });
+});

packages/api/src/prompts/schemas.ts

@@ -0,0 +1,53 @@
+import { z } from 'zod';
+import { Constants } from 'librechat-data-provider';
+
+/**
+ * Schema for validating prompt group update payloads.
+ * Only allows fields that users should be able to modify.
+ * Sensitive fields like author, authorName, _id, productionId, etc. are excluded.
+ */
+export const updatePromptGroupSchema = z
+  .object({
+    /** The name of the prompt group */
+    name: z.string().min(1).max(255).optional(),
+    /** Short description/oneliner for the prompt group */
+    oneliner: z.string().max(500).optional(),
+    /** Category for organizing prompt groups */
+    category: z.string().max(100).optional(),
+    /** Project IDs to add for sharing */
+    projectIds: z.array(z.string()).optional(),
+    /** Project IDs to remove from sharing */
+    removeProjectIds: z.array(z.string()).optional(),
+    /** Command shortcut for the prompt group */
+    command: z
+      .string()
+      .max(Constants.COMMANDS_MAX_LENGTH as number)
+      .regex(/^[a-z0-9-]*$/, {
+        message: 'Command must only contain lowercase alphanumeric characters and hyphens',
+      })
+      .optional()
+      .nullable(),
+  })
+  .strict();
+
+export type TUpdatePromptGroupSchema = z.infer<typeof updatePromptGroupSchema>;
+
+/**
+ * Validates and sanitizes a prompt group update payload.
+ * Returns only the allowed fields, stripping any sensitive fields.
+ * @param data - The raw request body to validate
+ * @returns The validated and sanitized payload
+ * @throws ZodError if validation fails
+ */
+export function validatePromptGroupUpdate(data: unknown): TUpdatePromptGroupSchema {
+  return updatePromptGroupSchema.parse(data);
+}
+
+/**
+ * Safely validates a prompt group update payload without throwing.
+ * @param data - The raw request body to validate
+ * @returns A SafeParseResult with either the validated data or validation errors
+ */
+export function safeValidatePromptGroupUpdate(data: unknown) {
+  return updatePromptGroupSchema.safeParse(data);
+}

packages/api/src/utils/common.ts

@@ -48,3 +48,12 @@ export function optionalChainWithEmptyCheck(
   }
   return values[values.length - 1];
 }
+
+/**
+ * Escapes special characters in a string for use in a regular expression.
+ * @param str - The string to escape.
+ * @returns The escaped string safe for use in RegExp.
+ */
+export function escapeRegExp(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

packages/api/src/utils/index.ts

@@ -17,7 +17,8 @@ export * from './promise';
 export * from './sanitizeTitle';
 export * from './tempChatRetention';
 export * from './text';
-export { default as Tokenizer } from './tokenizer';
+export { default as Tokenizer, countTokens } from './tokenizer';
 export * from './yaml';
 export * from './http';
 export * from './tokens';
+export * from './message';

packages/api/src/utils/message.spec.ts

@@ -0,0 +1,122 @@
+import { sanitizeFileForTransmit, sanitizeMessageForTransmit } from './message';
+
+describe('sanitizeFileForTransmit', () => {
+  it('should remove text field from file', () => {
+    const file = {
+      file_id: 'test-123',
+      filename: 'test.txt',
+      text: 'This is a very long text content that should be stripped',
+      bytes: 1000,
+    };
+
+    const result = sanitizeFileForTransmit(file);
+
+    expect(result.file_id).toBe('test-123');
+    expect(result.filename).toBe('test.txt');
+    expect(result.bytes).toBe(1000);
+    expect(result).not.toHaveProperty('text');
+  });
+
+  it('should remove _id and __v fields', () => {
+    const file = {
+      file_id: 'test-123',
+      _id: 'mongo-id',
+      __v: 0,
+      filename: 'test.txt',
+    };
+
+    const result = sanitizeFileForTransmit(file);
+
+    expect(result.file_id).toBe('test-123');
+    expect(result).not.toHaveProperty('_id');
+    expect(result).not.toHaveProperty('__v');
+  });
+
+  it('should not modify original file object', () => {
+    const file = {
+      file_id: 'test-123',
+      text: 'original text',
+    };
+
+    sanitizeFileForTransmit(file);
+
+    expect(file.text).toBe('original text');
+  });
+});
+
+describe('sanitizeMessageForTransmit', () => {
+  it('should remove fileContext from message', () => {
+    const message = {
+      messageId: 'msg-123',
+      text: 'Hello world',
+      fileContext: 'This is a very long context that should be stripped',
+    };
+
+    const result = sanitizeMessageForTransmit(message);
+
+    expect(result.messageId).toBe('msg-123');
+    expect(result.text).toBe('Hello world');
+    expect(result).not.toHaveProperty('fileContext');
+  });
+
+  it('should sanitize files array', () => {
+    const message = {
+      messageId: 'msg-123',
+      files: [
+        { file_id: 'file-1', text: 'long text 1', filename: 'a.txt' },
+        { file_id: 'file-2', text: 'long text 2', filename: 'b.txt' },
+      ],
+    };
+
+    const result = sanitizeMessageForTransmit(message);
+
+    expect(result.files).toHaveLength(2);
+    expect(result.files?.[0].file_id).toBe('file-1');
+    expect(result.files?.[0].filename).toBe('a.txt');
+    expect(result.files?.[0]).not.toHaveProperty('text');
+    expect(result.files?.[1]).not.toHaveProperty('text');
+  });
+
+  it('should handle null/undefined message', () => {
+    expect(sanitizeMessageForTransmit(null as unknown as object)).toBeNull();
+    expect(sanitizeMessageForTransmit(undefined as unknown as object)).toBeUndefined();
+  });
+
+  it('should handle message without files', () => {
+    const message = {
+      messageId: 'msg-123',
+      text: 'Hello',
+    };
+
+    const result = sanitizeMessageForTransmit(message);
+
+    expect(result.messageId).toBe('msg-123');
+    expect(result.text).toBe('Hello');
+  });
+
+  it('should create new array reference for empty files array (immutability)', () => {
+    const message = {
+      messageId: 'msg-123',
+      files: [] as { file_id: string }[],
+    };
+
+    const result = sanitizeMessageForTransmit(message);
+
+    expect(result.files).toEqual([]);
+    // New array reference ensures full immutability even for empty arrays
+    expect(result.files).not.toBe(message.files);
+  });
+
+  it('should not modify original message object', () => {
+    const message = {
+      messageId: 'msg-123',
+      fileContext: 'original context',
+      files: [{ file_id: 'file-1', text: 'original text' }],
+    };
+
+    sanitizeMessageForTransmit(message);
+
+    expect(message.fileContext).toBe('original context');
+    expect(message.files[0].text).toBe('original text');
+  });
+});

packages/api/src/utils/message.ts

@@ -0,0 +1,68 @@
+import type { TFile, TMessage } from 'librechat-data-provider';
+
+/** Fields to strip from files before client transmission */
+const FILE_STRIP_FIELDS = ['text', '_id', '__v'] as const;
+
+/** Fields to strip from messages before client transmission */
+const MESSAGE_STRIP_FIELDS = ['fileContext'] as const;
+
+/**
+ * Strips large/unnecessary fields from a file object before transmitting to client.
+ * Use this within existing loops when building file arrays to avoid extra iterations.
+ *
+ * @param file - The file object to sanitize
+ * @returns A new file object without the stripped fields
+ *
+ * @example
+ * // Use in existing file processing loop:
+ * for (const attachment of client.options.attachments) {
+ *   if (messageFiles.has(attachment.file_id)) {
+ *     userMessage.files.push(sanitizeFileForTransmit(attachment));
+ *   }
+ * }
+ */
+export function sanitizeFileForTransmit<T extends Partial<TFile>>(
+  file: T,
+): Omit<T, (typeof FILE_STRIP_FIELDS)[number]> {
+  const sanitized = { ...file };
+  for (const field of FILE_STRIP_FIELDS) {
+    delete sanitized[field as keyof typeof sanitized];
+  }
+  return sanitized;
+}
+
+/**
+ * Sanitizes a message object before transmitting to client.
+ * Removes large fields like `fileContext` and strips `text` from embedded files.
+ *
+ * @param message - The message object to sanitize
+ * @returns A new message object safe for client transmission
+ *
+ * @example
+ * sendEvent(res, {
+ *   final: true,
+ *   requestMessage: sanitizeMessageForTransmit(userMessage),
+ *   responseMessage: response,
+ * });
+ */
+export function sanitizeMessageForTransmit<T extends Partial<TMessage>>(
+  message: T,
+): Omit<T, (typeof MESSAGE_STRIP_FIELDS)[number]> {
+  if (!message) {
+    return message as Omit<T, (typeof MESSAGE_STRIP_FIELDS)[number]>;
+  }
+
+  const sanitized = { ...message };
+
+  // Remove message-level fields
+  for (const field of MESSAGE_STRIP_FIELDS) {
+    delete sanitized[field as keyof typeof sanitized];
+  }
+
+  // Always create a new array when files exist to maintain full immutability
+  if (Array.isArray(sanitized.files)) {
+    sanitized.files = sanitized.files.map((file) => sanitizeFileForTransmit(file));
+  }
+
+  return sanitized;
+}

packages/api/src/utils/text.spec.ts

@@ -0,0 +1,851 @@
+import { processTextWithTokenLimit, TokenCountFn } from './text';
+import Tokenizer, { countTokens } from './tokenizer';
+
+jest.mock('@librechat/data-schemas', () => ({
+  logger: {
+    debug: jest.fn(),
+    warn: jest.fn(),
+    error: jest.fn(),
+  },
+}));
+
+/**
+ * OLD IMPLEMENTATION (Binary Search) - kept for comparison testing
+ * This is the original algorithm that caused CPU spikes
+ */
+async function processTextWithTokenLimitOLD({
+  text,
+  tokenLimit,
+  tokenCountFn,
+}: {
+  text: string;
+  tokenLimit: number;
+  tokenCountFn: TokenCountFn;
+}): Promise<{ text: string; tokenCount: number; wasTruncated: boolean }> {
+  const originalTokenCount = await tokenCountFn(text);
+
+  if (originalTokenCount <= tokenLimit) {
+    return {
+      text,
+      tokenCount: originalTokenCount,
+      wasTruncated: false,
+    };
+  }
+
+  let low = 0;
+  let high = text.length;
+  let bestText = '';
+
+  while (low <= high) {
+    const mid = Math.floor((low + high) / 2);
+    const truncatedText = text.substring(0, mid);
+    const tokenCount = await tokenCountFn(truncatedText);
+
+    if (tokenCount <= tokenLimit) {
+      bestText = truncatedText;
+      low = mid + 1;
+    } else {
+      high = mid - 1;
+    }
+  }
+
+  const finalTokenCount = await tokenCountFn(bestText);
+
+  return {
+    text: bestText,
+    tokenCount: finalTokenCount,
+    wasTruncated: true,
+  };
+}
+
+/**
+ * Creates a wrapper around Tokenizer.getTokenCount that tracks call count
+ */
+const createRealTokenCounter = () => {
+  let callCount = 0;
+  const tokenCountFn = (text: string): number => {
+    callCount++;
+    return Tokenizer.getTokenCount(text, 'cl100k_base');
+  };
+  return {
+    tokenCountFn,
+    getCallCount: () => callCount,
+    resetCallCount: () => {
+      callCount = 0;
+    },
+  };
+};
+
+/**
+ * Creates a wrapper around the async countTokens function that tracks call count
+ */
+const createCountTokensCounter = () => {
+  let callCount = 0;
+  const tokenCountFn = async (text: string): Promise<number> => {
+    callCount++;
+    return countTokens(text);
+  };
+  return {
+    tokenCountFn,
+    getCallCount: () => callCount,
+    resetCallCount: () => {
+      callCount = 0;
+    },
+  };
+};
+
+describe('processTextWithTokenLimit', () => {
+  /**
+   * Creates a mock token count function that simulates realistic token counting.
+   * Roughly 4 characters per token (common for English text).
+   * Tracks call count to verify efficiency.
+   */
+  const createMockTokenCounter = () => {
+    let callCount = 0;
+    const tokenCountFn = (text: string): number => {
+      callCount++;
+      return Math.ceil(text.length / 4);
+    };
+    return {
+      tokenCountFn,
+      getCallCount: () => callCount,
+      resetCallCount: () => {
+        callCount = 0;
+      },
+    };
+  };
+
+  /** Creates a string of specified character length */
+  const createTextOfLength = (charLength: number): string => {
+    return 'a'.repeat(charLength);
+  };
+
+  /** Creates realistic text content with varied token density */
+  const createRealisticText = (approximateTokens: number): string => {
+    const words = [
+      'the',
+      'quick',
+      'brown',
+      'fox',
+      'jumps',
+      'over',
+      'lazy',
+      'dog',
+      'lorem',
+      'ipsum',
+      'dolor',
+      'sit',
+      'amet',
+      'consectetur',
+      'adipiscing',
+      'elit',
+      'sed',
+      'do',
+      'eiusmod',
+      'tempor',
+      'incididunt',
+      'ut',
+      'labore',
+      'et',
+      'dolore',
+      'magna',
+      'aliqua',
+      'enim',
+      'ad',
+      'minim',
+      'veniam',
+      'authentication',
+      'implementation',
+      'configuration',
+      'documentation',
+    ];
+    const result: string[] = [];
+    for (let i = 0; i < approximateTokens; i++) {
+      result.push(words[i % words.length]);
+    }
+    return result.join(' ');
+  };
+
+  describe('tokenCountFn flexibility (sync and async)', () => {
+    it('should work with synchronous tokenCountFn', async () => {
+      const syncTokenCountFn = (text: string): number => Math.ceil(text.length / 4);
+      const text = 'Hello, world! This is a test message.';
+      const tokenLimit = 5;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: syncTokenCountFn,
+      });
+
+      expect(result.wasTruncated).toBe(true);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+    });
+
+    it('should work with asynchronous tokenCountFn', async () => {
+      const asyncTokenCountFn = async (text: string): Promise<number> => {
+        await new Promise((resolve) => setTimeout(resolve, 1));
+        return Math.ceil(text.length / 4);
+      };
+      const text = 'Hello, world! This is a test message.';
+      const tokenLimit = 5;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: asyncTokenCountFn,
+      });
+
+      expect(result.wasTruncated).toBe(true);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+    });
+
+    it('should produce equivalent results with sync and async tokenCountFn', async () => {
+      const syncTokenCountFn = (text: string): number => Math.ceil(text.length / 4);
+      const asyncTokenCountFn = async (text: string): Promise<number> => Math.ceil(text.length / 4);
+      const text = 'a'.repeat(8000);
+      const tokenLimit = 1000;
+
+      const syncResult = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: syncTokenCountFn,
+      });
+
+      const asyncResult = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: asyncTokenCountFn,
+      });
+
+      expect(syncResult.tokenCount).toBe(asyncResult.tokenCount);
+      expect(syncResult.wasTruncated).toBe(asyncResult.wasTruncated);
+      expect(syncResult.text.length).toBe(asyncResult.text.length);
+    });
+  });
+
+  describe('when text is under the token limit', () => {
+    it('should return original text unchanged', async () => {
+      const { tokenCountFn } = createMockTokenCounter();
+      const text = 'Hello, world!';
+      const tokenLimit = 100;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(result.text).toBe(text);
+      expect(result.wasTruncated).toBe(false);
+    });
+
+    it('should return correct token count', async () => {
+      const { tokenCountFn } = createMockTokenCounter();
+      const text = 'Hello, world!';
+      const tokenLimit = 100;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(result.tokenCount).toBe(Math.ceil(text.length / 4));
+    });
+
+    it('should only call tokenCountFn once when under limit', async () => {
+      const { tokenCountFn, getCallCount } = createMockTokenCounter();
+      const text = 'Hello, world!';
+      const tokenLimit = 100;
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(getCallCount()).toBe(1);
+    });
+  });
+
+  describe('when text is exactly at the token limit', () => {
+    it('should return original text unchanged', async () => {
+      const { tokenCountFn } = createMockTokenCounter();
+      const text = createTextOfLength(400);
+      const tokenLimit = 100;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(result.text).toBe(text);
+      expect(result.wasTruncated).toBe(false);
+      expect(result.tokenCount).toBe(tokenLimit);
+    });
+  });
+
+  describe('when text exceeds the token limit', () => {
+    it('should truncate text to fit within limit', async () => {
+      const { tokenCountFn } = createMockTokenCounter();
+      const text = createTextOfLength(8000);
+      const tokenLimit = 1000;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(result.wasTruncated).toBe(true);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+      expect(result.text.length).toBeLessThan(text.length);
+    });
+
+    it('should truncate text to be close to but not exceed the limit', async () => {
+      const { tokenCountFn } = createMockTokenCounter();
+      const text = createTextOfLength(8000);
+      const tokenLimit = 1000;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+      expect(result.tokenCount).toBeGreaterThan(tokenLimit * 0.9);
+    });
+  });
+
+  describe('efficiency - tokenCountFn call count', () => {
+    it('should call tokenCountFn at most 7 times for large text (vs ~17 for binary search)', async () => {
+      const { tokenCountFn, getCallCount } = createMockTokenCounter();
+      const text = createTextOfLength(400000);
+      const tokenLimit = 50000;
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(getCallCount()).toBeLessThanOrEqual(7);
+    });
+
+    it('should typically call tokenCountFn only 2-3 times for standard truncation', async () => {
+      const { tokenCountFn, getCallCount } = createMockTokenCounter();
+      const text = createTextOfLength(40000);
+      const tokenLimit = 5000;
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(getCallCount()).toBeLessThanOrEqual(3);
+    });
+
+    it('should call tokenCountFn only once when text is under limit', async () => {
+      const { tokenCountFn, getCallCount } = createMockTokenCounter();
+      const text = createTextOfLength(1000);
+      const tokenLimit = 10000;
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(getCallCount()).toBe(1);
+    });
+
+    it('should handle very large text (100k+ tokens) efficiently', async () => {
+      const { tokenCountFn, getCallCount } = createMockTokenCounter();
+      const text = createTextOfLength(500000);
+      const tokenLimit = 100000;
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(getCallCount()).toBeLessThanOrEqual(7);
+    });
+  });
+
+  describe('edge cases', () => {
+    it('should handle empty text', async () => {
+      const { tokenCountFn } = createMockTokenCounter();
+      const text = '';
+      const tokenLimit = 100;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(result.text).toBe('');
+      expect(result.tokenCount).toBe(0);
+      expect(result.wasTruncated).toBe(false);
+    });
+
+    it('should handle token limit of 1', async () => {
+      const { tokenCountFn } = createMockTokenCounter();
+      const text = createTextOfLength(1000);
+      const tokenLimit = 1;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(result.wasTruncated).toBe(true);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+    });
+
+    it('should handle text that is just slightly over the limit', async () => {
+      const { tokenCountFn } = createMockTokenCounter();
+      const text = createTextOfLength(404);
+      const tokenLimit = 100;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn,
+      });
+
+      expect(result.wasTruncated).toBe(true);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+    });
+  });
+
+  describe('correctness with variable token density', () => {
+    it('should handle text with varying token density', async () => {
+      const variableDensityTokenCounter = (text: string): number => {
+        const shortWords = (text.match(/\s+/g) || []).length;
+        return Math.ceil(text.length / 4) + shortWords;
+      };
+
+      const text = 'This is a test with many short words and some longer concatenated words too';
+      const tokenLimit = 10;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: variableDensityTokenCounter,
+      });
+
+      expect(result.wasTruncated).toBe(true);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+    });
+  });
+
+  describe('direct comparison with OLD binary search implementation', () => {
+    it('should produce equivalent results to the old implementation', async () => {
+      const oldCounter = createMockTokenCounter();
+      const newCounter = createMockTokenCounter();
+      const text = createTextOfLength(8000);
+      const tokenLimit = 1000;
+
+      const oldResult = await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+
+      const newResult = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+
+      expect(newResult.wasTruncated).toBe(oldResult.wasTruncated);
+      expect(newResult.tokenCount).toBeLessThanOrEqual(tokenLimit);
+      expect(oldResult.tokenCount).toBeLessThanOrEqual(tokenLimit);
+    });
+
+    it('should use significantly fewer tokenCountFn calls than old implementation (400k chars)', async () => {
+      const oldCounter = createMockTokenCounter();
+      const newCounter = createMockTokenCounter();
+      const text = createTextOfLength(400000);
+      const tokenLimit = 50000;
+
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+
+      console.log(
+        `[400k chars] OLD implementation: ${oldCalls} calls, NEW implementation: ${newCalls} calls`,
+      );
+      console.log(`[400k chars] Reduction: ${((1 - newCalls / oldCalls) * 100).toFixed(1)}%`);
+
+      expect(newCalls).toBeLessThan(oldCalls);
+      expect(newCalls).toBeLessThanOrEqual(7);
+    });
+
+    it('should use significantly fewer tokenCountFn calls than old implementation (500k chars, 100k token limit)', async () => {
+      const oldCounter = createMockTokenCounter();
+      const newCounter = createMockTokenCounter();
+      const text = createTextOfLength(500000);
+      const tokenLimit = 100000;
+
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+
+      console.log(
+        `[500k chars] OLD implementation: ${oldCalls} calls, NEW implementation: ${newCalls} calls`,
+      );
+      console.log(`[500k chars] Reduction: ${((1 - newCalls / oldCalls) * 100).toFixed(1)}%`);
+
+      expect(newCalls).toBeLessThan(oldCalls);
+    });
+
+    it('should achieve at least 70% reduction in tokenCountFn calls', async () => {
+      const oldCounter = createMockTokenCounter();
+      const newCounter = createMockTokenCounter();
+      const text = createTextOfLength(500000);
+      const tokenLimit = 100000;
+
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+      const reduction = 1 - newCalls / oldCalls;
+
+      console.log(
+        `Efficiency improvement: ${(reduction * 100).toFixed(1)}% fewer tokenCountFn calls`,
+      );
+
+      expect(reduction).toBeGreaterThanOrEqual(0.7);
+    });
+
+    it('should simulate the reported scenario (122k tokens, 100k limit)', async () => {
+      const oldCounter = createMockTokenCounter();
+      const newCounter = createMockTokenCounter();
+      const text = createTextOfLength(489564);
+      const tokenLimit = 100000;
+
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+
+      console.log(`[User reported scenario: ~122k tokens]`);
+      console.log(`OLD implementation: ${oldCalls} tokenCountFn calls`);
+      console.log(`NEW implementation: ${newCalls} tokenCountFn calls`);
+      console.log(`Reduction: ${((1 - newCalls / oldCalls) * 100).toFixed(1)}%`);
+
+      expect(newCalls).toBeLessThan(oldCalls);
+      expect(newCalls).toBeLessThanOrEqual(7);
+    });
+  });
+
+  describe('direct comparison with REAL tiktoken tokenizer', () => {
+    beforeEach(() => {
+      Tokenizer.freeAndResetAllEncoders();
+    });
+
+    it('should produce valid truncation with real tokenizer', async () => {
+      const counter = createRealTokenCounter();
+      const text = createRealisticText(5000);
+      const tokenLimit = 1000;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: counter.tokenCountFn,
+      });
+
+      expect(result.wasTruncated).toBe(true);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+      expect(result.text.length).toBeLessThan(text.length);
+    });
+
+    it('should use fewer tiktoken calls than old implementation (realistic text)', async () => {
+      const oldCounter = createRealTokenCounter();
+      const newCounter = createRealTokenCounter();
+      const text = createRealisticText(15000);
+      const tokenLimit = 5000;
+
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+
+      Tokenizer.freeAndResetAllEncoders();
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+
+      console.log(`[Real tiktoken ~15k tokens] OLD: ${oldCalls} calls, NEW: ${newCalls} calls`);
+      console.log(`[Real tiktoken] Reduction: ${((1 - newCalls / oldCalls) * 100).toFixed(1)}%`);
+
+      expect(newCalls).toBeLessThan(oldCalls);
+    });
+
+    it('should handle the reported user scenario with real tokenizer (~120k tokens)', async () => {
+      const oldCounter = createRealTokenCounter();
+      const newCounter = createRealTokenCounter();
+      const text = createRealisticText(120000);
+      const tokenLimit = 100000;
+
+      const startOld = performance.now();
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+      const timeOld = performance.now() - startOld;
+
+      Tokenizer.freeAndResetAllEncoders();
+
+      const startNew = performance.now();
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+      const timeNew = performance.now() - startNew;
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+
+      console.log(`\n[REAL TIKTOKEN - User reported scenario: ~120k tokens]`);
+      console.log(`OLD implementation: ${oldCalls} tiktoken calls, ${timeOld.toFixed(0)}ms`);
+      console.log(`NEW implementation: ${newCalls} tiktoken calls, ${timeNew.toFixed(0)}ms`);
+      console.log(`Call reduction: ${((1 - newCalls / oldCalls) * 100).toFixed(1)}%`);
+      console.log(`Time reduction: ${((1 - timeNew / timeOld) * 100).toFixed(1)}%`);
+      console.log(
+        `Result: truncated=${result.wasTruncated}, tokens=${result.tokenCount}/${tokenLimit}\n`,
+      );
+
+      expect(newCalls).toBeLessThan(oldCalls);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+      expect(newCalls).toBeLessThanOrEqual(7);
+    });
+
+    it('should achieve at least 70% reduction with real tokenizer', async () => {
+      const oldCounter = createRealTokenCounter();
+      const newCounter = createRealTokenCounter();
+      const text = createRealisticText(50000);
+      const tokenLimit = 10000;
+
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+
+      Tokenizer.freeAndResetAllEncoders();
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+      const reduction = 1 - newCalls / oldCalls;
+
+      console.log(
+        `[Real tiktoken 50k tokens] OLD: ${oldCalls}, NEW: ${newCalls}, Reduction: ${(reduction * 100).toFixed(1)}%`,
+      );
+
+      expect(reduction).toBeGreaterThanOrEqual(0.7);
+    });
+  });
+
+  describe('using countTokens async function from @librechat/api', () => {
+    beforeEach(() => {
+      Tokenizer.freeAndResetAllEncoders();
+    });
+
+    it('countTokens should return correct token count', async () => {
+      const text = 'Hello, world!';
+      const count = await countTokens(text);
+
+      expect(count).toBeGreaterThan(0);
+      expect(typeof count).toBe('number');
+    });
+
+    it('countTokens should handle empty string', async () => {
+      const count = await countTokens('');
+      expect(count).toBe(0);
+    });
+
+    it('should work with processTextWithTokenLimit using countTokens', async () => {
+      const counter = createCountTokensCounter();
+      const text = createRealisticText(5000);
+      const tokenLimit = 1000;
+
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: counter.tokenCountFn,
+      });
+
+      expect(result.wasTruncated).toBe(true);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+      expect(result.text.length).toBeLessThan(text.length);
+    });
+
+    it('should use fewer countTokens calls than old implementation', async () => {
+      const oldCounter = createCountTokensCounter();
+      const newCounter = createCountTokensCounter();
+      const text = createRealisticText(15000);
+      const tokenLimit = 5000;
+
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+
+      Tokenizer.freeAndResetAllEncoders();
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+
+      console.log(`[countTokens ~15k tokens] OLD: ${oldCalls} calls, NEW: ${newCalls} calls`);
+      console.log(`[countTokens] Reduction: ${((1 - newCalls / oldCalls) * 100).toFixed(1)}%`);
+
+      expect(newCalls).toBeLessThan(oldCalls);
+    });
+
+    it('should handle user reported scenario with countTokens (~120k tokens)', async () => {
+      const oldCounter = createCountTokensCounter();
+      const newCounter = createCountTokensCounter();
+      const text = createRealisticText(120000);
+      const tokenLimit = 100000;
+
+      const startOld = performance.now();
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+      const timeOld = performance.now() - startOld;
+
+      Tokenizer.freeAndResetAllEncoders();
+
+      const startNew = performance.now();
+      const result = await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+      const timeNew = performance.now() - startNew;
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+
+      console.log(`\n[countTokens - User reported scenario: ~120k tokens]`);
+      console.log(`OLD implementation: ${oldCalls} countTokens calls, ${timeOld.toFixed(0)}ms`);
+      console.log(`NEW implementation: ${newCalls} countTokens calls, ${timeNew.toFixed(0)}ms`);
+      console.log(`Call reduction: ${((1 - newCalls / oldCalls) * 100).toFixed(1)}%`);
+      console.log(`Time reduction: ${((1 - timeNew / timeOld) * 100).toFixed(1)}%`);
+      console.log(
+        `Result: truncated=${result.wasTruncated}, tokens=${result.tokenCount}/${tokenLimit}\n`,
+      );
+
+      expect(newCalls).toBeLessThan(oldCalls);
+      expect(result.tokenCount).toBeLessThanOrEqual(tokenLimit);
+      expect(newCalls).toBeLessThanOrEqual(7);
+    });
+
+    it('should achieve at least 70% reduction with countTokens', async () => {
+      const oldCounter = createCountTokensCounter();
+      const newCounter = createCountTokensCounter();
+      const text = createRealisticText(50000);
+      const tokenLimit = 10000;
+
+      await processTextWithTokenLimitOLD({
+        text,
+        tokenLimit,
+        tokenCountFn: oldCounter.tokenCountFn,
+      });
+
+      Tokenizer.freeAndResetAllEncoders();
+
+      await processTextWithTokenLimit({
+        text,
+        tokenLimit,
+        tokenCountFn: newCounter.tokenCountFn,
+      });
+
+      const oldCalls = oldCounter.getCallCount();
+      const newCalls = newCounter.getCallCount();
+      const reduction = 1 - newCalls / oldCalls;
+
+      console.log(
+        `[countTokens 50k tokens] OLD: ${oldCalls}, NEW: ${newCalls}, Reduction: ${(reduction * 100).toFixed(1)}%`,
+      );
+
+      expect(reduction).toBeGreaterThanOrEqual(0.7);
+    });
+  });
+});

packages/api/src/utils/text.ts

@@ -1,11 +1,39 @@
 import { logger } from '@librechat/data-schemas';
 
+/** Token count function that can be sync or async */
+export type TokenCountFn = (text: string) => number | Promise<number>;
+
+/**
+ * Safety buffer multiplier applied to character position estimates during truncation.
+ *
+ * We use 98% (0.98) rather than 100% to intentionally undershoot the target on the first attempt.
+ * This is necessary because:
+ * - Token density varies across text (some regions may have more tokens per character than the average)
+ * - The ratio-based estimate assumes uniform token distribution, which is rarely true
+ * - Undershooting is safer than overshooting: exceeding the limit requires another iteration,
+ *   while being slightly under is acceptable
+ * - In practice, this buffer reduces refinement iterations from 2-3 down to 0-1 in most cases
+ *
+ * @example
+ * // If text has 1000 chars and 250 tokens (4 chars/token average), targeting 100 tokens:
+ * // Without buffer: estimate = 1000 * (100/250) = 400 chars → might yield 105 tokens (over!)
+ * // With 0.98 buffer: estimate = 400 * 0.98 = 392 chars → likely yields 97-99 tokens (safe)
+ */
+const TRUNCATION_SAFETY_BUFFER = 0.98;
+
 /**
  * Processes text content by counting tokens and truncating if it exceeds the specified limit.
+ * Uses ratio-based estimation to minimize expensive tokenCountFn calls.
+ *
  * @param text - The text content to process
  * @param tokenLimit - The maximum number of tokens allowed
- * @param tokenCountFn - Function to count tokens
+ * @param tokenCountFn - Function to count tokens (can be sync or async)
  * @returns Promise resolving to object with processed text, token count, and truncation status
+ *
+ * @remarks
+ * This function uses a ratio-based estimation algorithm instead of binary search.
+ * Binary search would require O(log n) tokenCountFn calls (~17 for 100k chars),
+ * while this approach typically requires only 2-3 calls for a 90%+ reduction in CPU usage.
  */
 export async function processTextWithTokenLimit({
   text,
@@ -14,7 +42,7 @@ export async function processTextWithTokenLimit({
 }: {
   text: string;
   tokenLimit: number;
-  tokenCountFn: (text: string) => number;
+  tokenCountFn: TokenCountFn;
 }): Promise<{ text: string; tokenCount: number; wasTruncated: boolean }> {
   const originalTokenCount = await tokenCountFn(text);
 
@@ -26,40 +54,34 @@ export async function processTextWithTokenLimit({
     };
   }
 
-  /**
-   * Doing binary search here to find the truncation point efficiently
-   * (May be a better way to go about this)
-   */
-  let low = 0;
-  let high = text.length;
-  let bestText = '';
-
   logger.debug(
     `[textTokenLimiter] Text content exceeds token limit: ${originalTokenCount} > ${tokenLimit}, truncating...`,
   );
 
-  while (low <= high) {
-    const mid = Math.floor((low + high) / 2);
-    const truncatedText = text.substring(0, mid);
-    const tokenCount = await tokenCountFn(truncatedText);
+  const ratio = tokenLimit / originalTokenCount;
+  let charPosition = Math.floor(text.length * ratio * TRUNCATION_SAFETY_BUFFER);
 
-    if (tokenCount <= tokenLimit) {
-      bestText = truncatedText;
-      low = mid + 1;
-    } else {
-      high = mid - 1;
-    }
+  let truncatedText = text.substring(0, charPosition);
+  let tokenCount = await tokenCountFn(truncatedText);
+
+  const maxIterations = 5;
+  let iterations = 0;
+
+  while (tokenCount > tokenLimit && iterations < maxIterations && charPosition > 0) {
+    const overageRatio = tokenLimit / tokenCount;
+    charPosition = Math.floor(charPosition * overageRatio * TRUNCATION_SAFETY_BUFFER);
+    truncatedText = text.substring(0, charPosition);
+    tokenCount = await tokenCountFn(truncatedText);
+    iterations++;
   }
 
-  const finalTokenCount = await tokenCountFn(bestText);
-
   logger.warn(
-    `[textTokenLimiter] Text truncated from ${originalTokenCount} to ${finalTokenCount} tokens (limit: ${tokenLimit})`,
+    `[textTokenLimiter] Text truncated from ${originalTokenCount} to ${tokenCount} tokens (limit: ${tokenLimit})`,
   );
 
   return {
-    text: bestText,
-    tokenCount: finalTokenCount,
+    text: truncatedText,
+    tokenCount,
     wasTruncated: true,
   };
 }

packages/api/src/utils/tokenizer.ts

@@ -75,4 +75,14 @@ class Tokenizer {
 
 const TokenizerSingleton = new Tokenizer();
 
+/**
+ * Counts the number of tokens in a given text using tiktoken.
+ * This is an async wrapper around Tokenizer.getTokenCount for compatibility.
+ * @param text - The text to be tokenized. Defaults to an empty string if not provided.
+ * @returns The number of tokens in the provided text.
+ */
+export async function countTokens(text = ''): Promise<number> {
+  return TokenizerSingleton.getTokenCount(text, 'cl100k_base');
+}
+
 export default TokenizerSingleton;

packages/api/src/utils/tokens.ts

@@ -140,6 +140,7 @@ const anthropicModels = {
 
 const deepseekModels = {
   deepseek: 128000,
+  'deepseek-chat': 128000,
   'deepseek-reasoner': 128000,
   'deepseek-r1': 128000,
   'deepseek-v3': 128000,
@@ -280,6 +281,9 @@ const xAIModels = {
   'grok-3-mini': 131072,
   'grok-3-mini-fast': 131072,
   'grok-4': 256000, // 256K context
+  'grok-4-fast': 2000000, // 2M context
+  'grok-4-1-fast': 2000000, // 2M context (covers reasoning & non-reasoning variants)
+  'grok-code-fast': 256000, // 256K context
 };
 
 const aggregateModels = {
@@ -344,11 +348,21 @@ const anthropicMaxOutputs = {
   'claude-3-7-sonnet': 128000,
 };
 
+/** Outputs from https://api-docs.deepseek.com/quick_start/pricing */
+const deepseekMaxOutputs = {
+  deepseek: 8000, // deepseek-chat default: 4K, max: 8K
+  'deepseek-chat': 8000,
+  'deepseek-reasoner': 64000, // default: 32K, max: 64K
+  'deepseek-r1': 64000,
+  'deepseek-v3': 8000,
+  'deepseek.r1': 64000,
+};
+
 export const maxOutputTokensMap = {
   [EModelEndpoint.anthropic]: anthropicMaxOutputs,
   [EModelEndpoint.azureOpenAI]: modelMaxOutputs,
-  [EModelEndpoint.openAI]: modelMaxOutputs,
-  [EModelEndpoint.custom]: modelMaxOutputs,
+  [EModelEndpoint.openAI]: { ...modelMaxOutputs, ...deepseekMaxOutputs },
+  [EModelEndpoint.custom]: { ...modelMaxOutputs, ...deepseekMaxOutputs },
 };
 
 /**

packages/client/package.json

@@ -51,7 +51,7 @@
     "@tanstack/react-virtual": "^3.0.0",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
-    "dompurify": "^3.2.6",
+    "dompurify": "^3.3.0",
     "framer-motion": "^12.23.6",
     "i18next": "^24.2.2 || ^25.3.2",
     "i18next-browser-languagedetector": "^8.2.0",

packages/data-provider/specs/parsers.spec.ts

@@ -1,6 +1,7 @@
-import { replaceSpecialVars } from '../src/parsers';
+import { replaceSpecialVars, parseCompactConvo } from '../src/parsers';
 import { specialVariables } from '../src/config';
-import type { TUser } from '../src/types';
+import { EModelEndpoint } from '../src/schemas';
+import type { TUser, TConversation } from '../src/types';
 
 // Mock dayjs module with consistent date/time values regardless of environment
 jest.mock('dayjs', () => {
@@ -123,3 +124,138 @@ describe('replaceSpecialVars', () => {
     expect(result).toContain('Test User'); // current_user
   });
 });
+
+describe('parseCompactConvo', () => {
+  describe('iconURL security sanitization', () => {
+    test('should strip iconURL from OpenAI endpoint conversation input', () => {
+      const maliciousIconURL = 'https://evil-tracker.example.com/pixel.png?user=victim';
+      const conversation: Partial<TConversation> = {
+        model: 'gpt-4',
+        iconURL: maliciousIconURL,
+        endpoint: EModelEndpoint.openAI,
+      };
+
+      const result = parseCompactConvo({
+        endpoint: EModelEndpoint.openAI,
+        conversation,
+      });
+
+      expect(result).not.toBeNull();
+      expect(result?.iconURL).toBeUndefined();
+      expect(result?.model).toBe('gpt-4');
+    });
+
+    test('should strip iconURL from agents endpoint conversation input', () => {
+      const maliciousIconURL = 'https://evil-tracker.example.com/pixel.png';
+      const conversation: Partial<TConversation> = {
+        agent_id: 'agent_123',
+        iconURL: maliciousIconURL,
+        endpoint: EModelEndpoint.agents,
+      };
+
+      const result = parseCompactConvo({
+        endpoint: EModelEndpoint.agents,
+        conversation,
+      });
+
+      expect(result).not.toBeNull();
+      expect(result?.iconURL).toBeUndefined();
+      expect(result?.agent_id).toBe('agent_123');
+    });
+
+    test('should strip iconURL from anthropic endpoint conversation input', () => {
+      const maliciousIconURL = 'https://tracker.malicious.com/beacon.gif';
+      const conversation: Partial<TConversation> = {
+        model: 'claude-3-opus',
+        iconURL: maliciousIconURL,
+        endpoint: EModelEndpoint.anthropic,
+      };
+
+      const result = parseCompactConvo({
+        endpoint: EModelEndpoint.anthropic,
+        conversation,
+      });
+
+      expect(result).not.toBeNull();
+      expect(result?.iconURL).toBeUndefined();
+      expect(result?.model).toBe('claude-3-opus');
+    });
+
+    test('should strip iconURL from google endpoint conversation input', () => {
+      const maliciousIconURL = 'https://tracking.example.com/spy.png';
+      const conversation: Partial<TConversation> = {
+        model: 'gemini-pro',
+        iconURL: maliciousIconURL,
+        endpoint: EModelEndpoint.google,
+      };
+
+      const result = parseCompactConvo({
+        endpoint: EModelEndpoint.google,
+        conversation,
+      });
+
+      expect(result).not.toBeNull();
+      expect(result?.iconURL).toBeUndefined();
+      expect(result?.model).toBe('gemini-pro');
+    });
+
+    test('should strip iconURL from assistants endpoint conversation input', () => {
+      const maliciousIconURL = 'https://evil.com/track.png';
+      const conversation: Partial<TConversation> = {
+        assistant_id: 'asst_123',
+        iconURL: maliciousIconURL,
+        endpoint: EModelEndpoint.assistants,
+      };
+
+      const result = parseCompactConvo({
+        endpoint: EModelEndpoint.assistants,
+        conversation,
+      });
+
+      expect(result).not.toBeNull();
+      expect(result?.iconURL).toBeUndefined();
+      expect(result?.assistant_id).toBe('asst_123');
+    });
+
+    test('should preserve other conversation properties while stripping iconURL', () => {
+      const conversation: Partial<TConversation> = {
+        model: 'gpt-4',
+        iconURL: 'https://malicious.com/track.png',
+        endpoint: EModelEndpoint.openAI,
+        temperature: 0.7,
+        top_p: 0.9,
+        promptPrefix: 'You are a helpful assistant.',
+        maxContextTokens: 4000,
+      };
+
+      const result = parseCompactConvo({
+        endpoint: EModelEndpoint.openAI,
+        conversation,
+      });
+
+      expect(result).not.toBeNull();
+      expect(result?.iconURL).toBeUndefined();
+      expect(result?.model).toBe('gpt-4');
+      expect(result?.temperature).toBe(0.7);
+      expect(result?.top_p).toBe(0.9);
+      expect(result?.promptPrefix).toBe('You are a helpful assistant.');
+      expect(result?.maxContextTokens).toBe(4000);
+    });
+
+    test('should handle conversation without iconURL (no error)', () => {
+      const conversation: Partial<TConversation> = {
+        model: 'gpt-4',
+        endpoint: EModelEndpoint.openAI,
+      };
+
+      const result = parseCompactConvo({
+        endpoint: EModelEndpoint.openAI,
+        conversation,
+      });
+
+      expect(result).not.toBeNull();
+      expect(result?.iconURL).toBeUndefined();
+      expect(result?.model).toBe('gpt-4');
+    });
+  });
+});

packages/data-provider/src/config.ts

@@ -1133,6 +1133,7 @@ export const supportsBalanceCheck = {
   [EModelEndpoint.azureAssistants]: true,
   [EModelEndpoint.azureOpenAI]: true,
   [EModelEndpoint.bedrock]: true,
+  [EModelEndpoint.google]: true,
 };
 
 export const visionModels = [

packages/data-provider/src/file-config.ts

@@ -200,6 +200,27 @@ export const codeTypeMapping: { [key: string]: string } = {
   tsv: 'text/tab-separated-values',
 };
 
+/** Maps image extensions to MIME types for formats browsers may not recognize */
+export const imageTypeMapping: { [key: string]: string } = {
+  heic: 'image/heic',
+  heif: 'image/heif',
+};
+
+/**
+ * Infers the MIME type from a file's extension when the browser doesn't recognize it
+ * @param fileName - The name of the file including extension
+ * @param currentType - The current MIME type reported by the browser (may be empty)
+ * @returns The inferred MIME type if browser didn't provide one, otherwise the original type
+ */
+export function inferMimeType(fileName: string, currentType: string): string {
+  if (currentType) {
+    return currentType;
+  }
+
+  const extension = fileName.split('.').pop()?.toLowerCase() ?? '';
+  return codeTypeMapping[extension] || imageTypeMapping[extension] || currentType;
+}
+
 export const retrievalMimeTypes = [
   /^(text\/(x-c|x-c\+\+|x-h|html|x-java|markdown|x-php|x-python|x-script\.python|x-ruby|x-tex|plain|vtt|xml))$/,
   /^(application\/(json|pdf|vnd\.openxmlformats-officedocument\.(wordprocessingml\.document|presentationml\.presentation)))$/,

packages/data-provider/src/parsers.ts

@@ -326,7 +326,7 @@ export const parseCompactConvo = ({
   possibleValues?: TPossibleValues;
   // TODO: POC for default schema
   // defaultSchema?: Partial<EndpointSchema>,
-}) => {
+}): Omit<s.TConversation, 'iconURL'> | null => {
   if (!endpoint) {
     throw new Error(`undefined endpoint: ${endpoint}`);
   }
@@ -343,7 +343,11 @@ export const parseCompactConvo = ({
     throw new Error(`Unknown endpointType: ${endpointType}`);
   }
 
-  const convo = schema.parse(conversation) as s.TConversation | null;
+  // Strip iconURL from input before parsing - it should only be derived server-side
+  // from model spec configuration, not accepted from client requests
+  const { iconURL: _clientIconURL, ...conversationWithoutIconURL } = conversation;
+
+  const convo = schema.parse(conversationWithoutIconURL) as s.TConversation | null;
   // const { models, secondaryModels } = possibleValues ?? {};
   const { models } = possibleValues ?? {};
 

packages/data-provider/src/schemas.ts

@@ -41,7 +41,6 @@ export enum Providers {
   BEDROCK = 'bedrock',
   MISTRALAI = 'mistralai',
   MISTRAL = 'mistral',
-  OLLAMA = 'ollama',
   DEEPSEEK = 'deepseek',
   OPENROUTER = 'openrouter',
   XAI = 'xai',
@@ -59,7 +58,6 @@ export const documentSupportedProviders = new Set<string>([
   Providers.VERTEXAI,
   Providers.MISTRALAI,
   Providers.MISTRAL,
-  Providers.OLLAMA,
   Providers.DEEPSEEK,
   Providers.OPENROUTER,
   Providers.XAI,
@@ -71,7 +69,6 @@ const openAILikeProviders = new Set<string>([
   EModelEndpoint.custom,
   Providers.MISTRALAI,
   Providers.MISTRAL,
-  Providers.OLLAMA,
   Providers.DEEPSEEK,
   Providers.OPENROUTER,
   Providers.XAI,

packages/data-schemas/src/methods/token.spec.ts

@@ -418,6 +418,41 @@ describe('Token Methods - Detailed Tests', () => {
 
       expect(updated).toBeNull();
     });
+
+    test('should update expiresAt when expiresIn is provided', async () => {
+      const beforeUpdate = Date.now();
+      const newExpiresIn = 7200;
+
+      const updated = await methods.updateToken(
+        { token: 'update-token' },
+        { expiresIn: newExpiresIn },
+      );
+
+      const afterUpdate = Date.now();
+
+      expect(updated).toBeDefined();
+      expect(updated?.expiresAt).toBeDefined();
+
+      const expectedMinExpiry = beforeUpdate + newExpiresIn * 1000;
+      const expectedMaxExpiry = afterUpdate + newExpiresIn * 1000;
+
+      expect(updated!.expiresAt.getTime()).toBeGreaterThanOrEqual(expectedMinExpiry);
+      expect(updated!.expiresAt.getTime()).toBeLessThanOrEqual(expectedMaxExpiry);
+    });
+
+    test('should not modify expiresAt when expiresIn is not provided', async () => {
+      const original = await Token.findOne({ token: 'update-token' });
+      const originalExpiresAt = original!.expiresAt.getTime();
+
+      const updated = await methods.updateToken(
+        { token: 'update-token' },
+        { email: 'changed@example.com' },
+      );
+
+      expect(updated).toBeDefined();
+      expect(updated?.email).toBe('changed@example.com');
+      expect(updated!.expiresAt.getTime()).toBe(originalExpiresAt);
+    });
   });
 
   describe('deleteTokens', () => {
@@ -617,4 +652,171 @@ describe('Token Methods - Detailed Tests', () => {
       expect(remainingTokens.find((t) => t.token === 'email-verify-token-2')).toBeUndefined();
     });
   });
+
+  describe('Email Normalization', () => {
+    let normUserId: mongoose.Types.ObjectId;
+
+    beforeEach(async () => {
+      normUserId = new mongoose.Types.ObjectId();
+
+      // Create token with lowercase email (as stored in DB)
+      await Token.create({
+        token: 'norm-token-1',
+        userId: normUserId,
+        email: 'john.doe@example.com',
+        createdAt: new Date(),
+        expiresAt: new Date(Date.now() + 3600000),
+      });
+    });
+
+    describe('findToken email normalization', () => {
+      test('should find token by email with different case (case-insensitive)', async () => {
+        const foundUpper = await methods.findToken({ email: 'JOHN.DOE@EXAMPLE.COM' });
+        const foundMixed = await methods.findToken({ email: 'John.Doe@Example.COM' });
+        const foundLower = await methods.findToken({ email: 'john.doe@example.com' });
+
+        expect(foundUpper).toBeDefined();
+        expect(foundUpper?.token).toBe('norm-token-1');
+
+        expect(foundMixed).toBeDefined();
+        expect(foundMixed?.token).toBe('norm-token-1');
+
+        expect(foundLower).toBeDefined();
+        expect(foundLower?.token).toBe('norm-token-1');
+      });
+
+      test('should find token by email with leading/trailing whitespace', async () => {
+        const foundWithSpaces = await methods.findToken({ email: '  john.doe@example.com  ' });
+        const foundWithTabs = await methods.findToken({ email: '\tjohn.doe@example.com\t' });
+
+        expect(foundWithSpaces).toBeDefined();
+        expect(foundWithSpaces?.token).toBe('norm-token-1');
+
+        expect(foundWithTabs).toBeDefined();
+        expect(foundWithTabs?.token).toBe('norm-token-1');
+      });
+
+      test('should find token by email with both case difference and whitespace', async () => {
+        const found = await methods.findToken({ email: '  JOHN.DOE@EXAMPLE.COM  ' });
+
+        expect(found).toBeDefined();
+        expect(found?.token).toBe('norm-token-1');
+      });
+
+      test('should find token with combined email and other criteria', async () => {
+        const found = await methods.findToken({
+          userId: normUserId.toString(),
+          email: 'John.Doe@Example.COM',
+        });
+
+        expect(found).toBeDefined();
+        expect(found?.token).toBe('norm-token-1');
+      });
+    });
+
+    describe('deleteTokens email normalization', () => {
+      test('should delete token by email with different case', async () => {
+        const result = await methods.deleteTokens({ email: 'JOHN.DOE@EXAMPLE.COM' });
+
+        expect(result.deletedCount).toBe(1);
+
+        const remaining = await Token.find({});
+        expect(remaining).toHaveLength(0);
+      });
+
+      test('should delete token by email with whitespace', async () => {
+        const result = await methods.deleteTokens({ email: '  john.doe@example.com  ' });
+
+        expect(result.deletedCount).toBe(1);
+
+        const remaining = await Token.find({});
+        expect(remaining).toHaveLength(0);
+      });
+
+      test('should delete token by email with case and whitespace combined', async () => {
+        const result = await methods.deleteTokens({ email: '  John.Doe@EXAMPLE.COM  ' });
+
+        expect(result.deletedCount).toBe(1);
+
+        const remaining = await Token.find({});
+        expect(remaining).toHaveLength(0);
+      });
+
+      test('should only delete matching token when using normalized email', async () => {
+        // Create additional token with different email
+        await Token.create({
+          token: 'norm-token-2',
+          userId: new mongoose.Types.ObjectId(),
+          email: 'jane.doe@example.com',
+          createdAt: new Date(),
+          expiresAt: new Date(Date.now() + 3600000),
+        });
+
+        const result = await methods.deleteTokens({ email: 'JOHN.DOE@EXAMPLE.COM' });
+
+        expect(result.deletedCount).toBe(1);
+
+        const remaining = await Token.find({});
+        expect(remaining).toHaveLength(1);
+        expect(remaining[0].email).toBe('jane.doe@example.com');
+      });
+    });
+
+    describe('Email verification flow with normalization', () => {
+      test('should handle OpenID provider email case mismatch scenario', async () => {
+        /**
+         * Simulate the exact bug scenario:
+         * 1. User registers with email stored as lowercase
+         * 2. OpenID provider returns email with different casing
+         * 3. System should still find and delete the correct token
+         */
+        const userId = new mongoose.Types.ObjectId();
+
+        // Token created during registration (email stored lowercase)
+        await Token.create({
+          token: 'verification-token',
+          userId: userId,
+          email: 'user@company.com',
+          createdAt: new Date(),
+          expiresAt: new Date(Date.now() + 86400000),
+        });
+
+        // OpenID provider returns email with different case
+        const emailFromProvider = 'User@Company.COM';
+
+        // Should find the token despite case mismatch
+        const found = await methods.findToken({ email: emailFromProvider });
+        expect(found).toBeDefined();
+        expect(found?.token).toBe('verification-token');
+
+        // Should delete the token despite case mismatch
+        const deleted = await methods.deleteTokens({ email: emailFromProvider });
+        expect(deleted.deletedCount).toBe(1);
+      });
+
+      test('should handle resend verification email with case mismatch', async () => {
+        const userId = new mongoose.Types.ObjectId();
+
+        // Old verification token
+        await Token.create({
+          token: 'old-verification',
+          userId: userId,
+          email: 'john.smith@enterprise.com',
+          createdAt: new Date(Date.now() - 3600000),
+          expiresAt: new Date(Date.now() + 82800000),
+        });
+
+        // User requests resend with different email casing
+        const userInputEmail = '  John.Smith@ENTERPRISE.COM  ';
+
+        // Delete old tokens for this email
+        const deleted = await methods.deleteTokens({ email: userInputEmail });
+        expect(deleted.deletedCount).toBe(1);
+
+        // Verify token was actually deleted
+        const remaining = await Token.find({ userId });
+        expect(remaining).toHaveLength(0);
+      });
+    });
+  });
 });

packages/data-schemas/src/methods/token.ts

@@ -35,7 +35,13 @@ export function createTokenMethods(mongoose: typeof import('mongoose')) {
   ): Promise<IToken | null> {
     try {
       const Token = mongoose.models.Token;
-      return await Token.findOneAndUpdate(query, updateData, { new: true });
+
+      const dataToUpdate = { ...updateData };
+      if (updateData?.expiresIn !== undefined) {
+        dataToUpdate.expiresAt = new Date(Date.now() + updateData.expiresIn * 1000);
+      }
+
+      return await Token.findOneAndUpdate(query, dataToUpdate, { new: true });
     } catch (error) {
       logger.debug('An error occurred while updating token:', error);
       throw error;
@@ -44,6 +50,7 @@ export function createTokenMethods(mongoose: typeof import('mongoose')) {
 
   /**
    * Deletes all Token documents that match the provided token, user ID, or email.
+   * Email is automatically normalized to lowercase for case-insensitive matching.
    */
   async function deleteTokens(query: TokenQuery): Promise<TokenDeleteResult> {
     try {
@@ -57,7 +64,7 @@ export function createTokenMethods(mongoose: typeof import('mongoose')) {
         conditions.push({ token: query.token });
       }
       if (query.email !== undefined) {
-        conditions.push({ email: query.email });
+        conditions.push({ email: query.email.trim().toLowerCase() });
       }
       if (query.identifier !== undefined) {
         conditions.push({ identifier: query.identifier });
@@ -81,6 +88,7 @@ export function createTokenMethods(mongoose: typeof import('mongoose')) {
 
   /**
    * Finds a Token document that matches the provided query.
+   * Email is automatically normalized to lowercase for case-insensitive matching.
    */
   async function findToken(query: TokenQuery, options?: QueryOptions): Promise<IToken | null> {
     try {
@@ -94,7 +102,7 @@ export function createTokenMethods(mongoose: typeof import('mongoose')) {
         conditions.push({ token: query.token });
       }
       if (query.email) {
-        conditions.push({ email: query.email });
+        conditions.push({ email: query.email.trim().toLowerCase() });
       }
       if (query.identifier) {
         conditions.push({ identifier: query.identifier });

packages/data-schemas/src/methods/user.methods.spec.ts

@@ -0,0 +1,623 @@
+import mongoose from 'mongoose';
+import { MongoMemoryServer } from 'mongodb-memory-server';
+import type * as t from '~/types';
+import { createUserMethods } from './user';
+import userSchema from '~/schema/user';
+import balanceSchema from '~/schema/balance';
+
+/** Mocking crypto for generateToken */
+jest.mock('~/crypto', () => ({
+  signPayload: jest.fn().mockResolvedValue('mocked-token'),
+}));
+
+let mongoServer: MongoMemoryServer;
+let User: mongoose.Model<t.IUser>;
+let Balance: mongoose.Model<t.IBalance>;
+let methods: ReturnType<typeof createUserMethods>;
+
+beforeAll(async () => {
+  mongoServer = await MongoMemoryServer.create();
+  const mongoUri = mongoServer.getUri();
+  await mongoose.connect(mongoUri);
+
+  /** Register models */
+  User = mongoose.models.User || mongoose.model<t.IUser>('User', userSchema);
+  Balance = mongoose.models.Balance || mongoose.model<t.IBalance>('Balance', balanceSchema);
+
+  /** Initialize methods */
+  methods = createUserMethods(mongoose);
+});
+
+afterAll(async () => {
+  await mongoose.disconnect();
+  await mongoServer.stop();
+});
+
+beforeEach(async () => {
+  await mongoose.connection.dropDatabase();
+});
+
+describe('User Methods - Database Tests', () => {
+  describe('findUser', () => {
+    test('should find user by exact email', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+      });
+
+      const found = await methods.findUser({ email: 'test@example.com' });
+
+      expect(found).toBeDefined();
+      expect(found?.email).toBe('test@example.com');
+    });
+
+    test('should find user by email with different case (case-insensitive)', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'test@example.com', // stored lowercase by schema
+        provider: 'local',
+      });
+
+      /** Test various case combinations - all should find the same user */
+      const foundUpper = await methods.findUser({ email: 'TEST@EXAMPLE.COM' });
+      const foundMixed = await methods.findUser({ email: 'Test@Example.COM' });
+      const foundLower = await methods.findUser({ email: 'test@example.com' });
+
+      expect(foundUpper).toBeDefined();
+      expect(foundUpper?.email).toBe('test@example.com');
+
+      expect(foundMixed).toBeDefined();
+      expect(foundMixed?.email).toBe('test@example.com');
+
+      expect(foundLower).toBeDefined();
+      expect(foundLower?.email).toBe('test@example.com');
+    });
+
+    test('should find user by email with leading/trailing whitespace (trimmed)', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+      });
+
+      const foundWithSpaces = await methods.findUser({ email: '  test@example.com  ' });
+      const foundWithTabs = await methods.findUser({ email: '\ttest@example.com\t' });
+
+      expect(foundWithSpaces).toBeDefined();
+      expect(foundWithSpaces?.email).toBe('test@example.com');
+
+      expect(foundWithTabs).toBeDefined();
+      expect(foundWithTabs?.email).toBe('test@example.com');
+    });
+
+    test('should find user by email with both case difference and whitespace', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'john.doe@example.com',
+        provider: 'local',
+      });
+
+      const found = await methods.findUser({ email: '  John.Doe@EXAMPLE.COM  ' });
+
+      expect(found).toBeDefined();
+      expect(found?.email).toBe('john.doe@example.com');
+    });
+
+    test('should normalize email in $or conditions', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'openid',
+        openidId: 'openid-123',
+      });
+
+      const found = await methods.findUser({
+        $or: [{ openidId: 'different-id' }, { email: 'TEST@EXAMPLE.COM' }],
+      });
+
+      expect(found).toBeDefined();
+      expect(found?.email).toBe('test@example.com');
+    });
+
+    test('should find user by non-email criteria without affecting them', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'openid',
+        openidId: 'openid-123',
+      });
+
+      const found = await methods.findUser({ openidId: 'openid-123' });
+
+      expect(found).toBeDefined();
+      expect(found?.openidId).toBe('openid-123');
+    });
+
+    test('should apply field selection correctly', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+        username: 'testuser',
+      });
+
+      const found = await methods.findUser({ email: 'test@example.com' }, 'email name');
+
+      expect(found).toBeDefined();
+      expect(found?.email).toBe('test@example.com');
+      expect(found?.name).toBe('Test User');
+      expect(found?.username).toBeUndefined();
+      expect(found?.provider).toBeUndefined();
+    });
+
+    test('should return null for non-existent user', async () => {
+      const found = await methods.findUser({ email: 'nonexistent@example.com' });
+
+      expect(found).toBeNull();
+    });
+  });
+
+  describe('createUser', () => {
+    test('should create a user and return ObjectId by default', async () => {
+      const result = await methods.createUser({
+        name: 'New User',
+        email: 'new@example.com',
+        provider: 'local',
+      });
+
+      expect(result).toBeInstanceOf(mongoose.Types.ObjectId);
+
+      const user = await User.findById(result);
+      expect(user).toBeDefined();
+      expect(user?.name).toBe('New User');
+      expect(user?.email).toBe('new@example.com');
+    });
+
+    test('should create a user and return user object when returnUser is true', async () => {
+      const result = await methods.createUser(
+        {
+          name: 'New User',
+          email: 'new@example.com',
+          provider: 'local',
+        },
+        undefined,
+        true,
+        true,
+      );
+
+      expect(result).toHaveProperty('_id');
+      expect(result).toHaveProperty('name', 'New User');
+      expect(result).toHaveProperty('email', 'new@example.com');
+    });
+
+    test('should store email as lowercase regardless of input case', async () => {
+      await methods.createUser({
+        name: 'New User',
+        email: 'NEW@EXAMPLE.COM',
+        provider: 'local',
+      });
+
+      const user = await User.findOne({ email: 'new@example.com' });
+      expect(user).toBeDefined();
+      expect(user?.email).toBe('new@example.com');
+    });
+
+    test('should create user with TTL when disableTTL is false', async () => {
+      const result = await methods.createUser(
+        {
+          name: 'TTL User',
+          email: 'ttl@example.com',
+          provider: 'local',
+        },
+        undefined,
+        false,
+        true,
+      );
+
+      expect(result).toHaveProperty('expiresAt');
+      const expiresAt = (result as t.IUser).expiresAt;
+      expect(expiresAt).toBeInstanceOf(Date);
+
+      /** Should expire in approximately 1 week */
+      const oneWeekMs = 604800 * 1000;
+      const expectedExpiry = Date.now() + oneWeekMs;
+      expect(expiresAt!.getTime()).toBeGreaterThan(expectedExpiry - 10000);
+      expect(expiresAt!.getTime()).toBeLessThan(expectedExpiry + 10000);
+    });
+
+    test('should create balance record when balanceConfig is provided', async () => {
+      const userId = await methods.createUser(
+        {
+          name: 'Balance User',
+          email: 'balance@example.com',
+          provider: 'local',
+        },
+        {
+          enabled: true,
+          startBalance: 1000,
+        },
+      );
+
+      const balance = await Balance.findOne({ user: userId });
+      expect(balance).toBeDefined();
+      expect(balance?.tokenCredits).toBe(1000);
+    });
+  });
+
+  describe('updateUser', () => {
+    test('should update user fields', async () => {
+      const user = await User.create({
+        name: 'Original Name',
+        email: 'test@example.com',
+        provider: 'local',
+      });
+
+      const updated = await methods.updateUser(user._id?.toString() ?? '', {
+        name: 'Updated Name',
+      });
+
+      expect(updated).toBeDefined();
+      expect(updated?.name).toBe('Updated Name');
+      expect(updated?.email).toBe('test@example.com');
+    });
+
+    test('should remove expiresAt field on update', async () => {
+      const user = await User.create({
+        name: 'TTL User',
+        email: 'ttl@example.com',
+        provider: 'local',
+        expiresAt: new Date(Date.now() + 604800 * 1000),
+      });
+
+      const updated = await methods.updateUser(user._id?.toString() || '', {
+        name: 'No longer TTL',
+      });
+
+      expect(updated).toBeDefined();
+      expect(updated?.expiresAt).toBeUndefined();
+    });
+
+    test('should return null for non-existent user', async () => {
+      const fakeId = new mongoose.Types.ObjectId();
+      const result = await methods.updateUser(fakeId.toString(), { name: 'Test' });
+
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('getUserById', () => {
+    test('should get user by ID', async () => {
+      const user = await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+      });
+
+      const found = await methods.getUserById(user._id?.toString() || '');
+
+      expect(found).toBeDefined();
+      expect(found?.name).toBe('Test User');
+    });
+
+    test('should apply field selection', async () => {
+      const user = await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+        username: 'testuser',
+      });
+
+      const found = await methods.getUserById(user._id?.toString() || '', 'name email');
+
+      expect(found).toBeDefined();
+      expect(found?.name).toBe('Test User');
+      expect(found?.email).toBe('test@example.com');
+      expect(found?.username).toBeUndefined();
+    });
+
+    test('should return null for non-existent ID', async () => {
+      const fakeId = new mongoose.Types.ObjectId();
+      const found = await methods.getUserById(fakeId.toString());
+
+      expect(found).toBeNull();
+    });
+  });
+
+  describe('deleteUserById', () => {
+    test('should delete user by ID', async () => {
+      const user = await User.create({
+        name: 'To Delete',
+        email: 'delete@example.com',
+        provider: 'local',
+      });
+
+      const result = await methods.deleteUserById(user._id?.toString() || '');
+
+      expect(result.deletedCount).toBe(1);
+      expect(result.message).toBe('User was deleted successfully.');
+
+      const found = await User.findById(user._id);
+      expect(found).toBeNull();
+    });
+
+    test('should return zero count for non-existent user', async () => {
+      const fakeId = new mongoose.Types.ObjectId();
+      const result = await methods.deleteUserById(fakeId.toString());
+
+      expect(result.deletedCount).toBe(0);
+      expect(result.message).toBe('No user found with that ID.');
+    });
+  });
+
+  describe('countUsers', () => {
+    test('should count all users', async () => {
+      await User.create([
+        { name: 'User 1', email: 'user1@example.com', provider: 'local' },
+        { name: 'User 2', email: 'user2@example.com', provider: 'local' },
+        { name: 'User 3', email: 'user3@example.com', provider: 'openid' },
+      ]);
+
+      const count = await methods.countUsers();
+
+      expect(count).toBe(3);
+    });
+
+    test('should count users with filter', async () => {
+      await User.create([
+        { name: 'User 1', email: 'user1@example.com', provider: 'local' },
+        { name: 'User 2', email: 'user2@example.com', provider: 'local' },
+        { name: 'User 3', email: 'user3@example.com', provider: 'openid' },
+      ]);
+
+      const count = await methods.countUsers({ provider: 'local' });
+
+      expect(count).toBe(2);
+    });
+
+    test('should return zero for empty collection', async () => {
+      const count = await methods.countUsers();
+
+      expect(count).toBe(0);
+    });
+  });
+
+  describe('searchUsers', () => {
+    beforeEach(async () => {
+      await User.create([
+        { name: 'John Doe', email: 'john@example.com', username: 'johnd', provider: 'local' },
+        { name: 'Jane Smith', email: 'jane@example.com', username: 'janes', provider: 'local' },
+        {
+          name: 'Bob Johnson',
+          email: 'bob@example.com',
+          username: 'bobbyj',
+          provider: 'local',
+        },
+        {
+          name: 'Alice Wonder',
+          email: 'alice@test.com',
+          username: 'alice',
+          provider: 'openid',
+        },
+      ]);
+    });
+
+    test('should search by name', async () => {
+      const results = await methods.searchUsers({ searchPattern: 'John' });
+
+      expect(results).toHaveLength(2); // John Doe and Bob Johnson
+    });
+
+    test('should search by email', async () => {
+      const results = await methods.searchUsers({ searchPattern: 'example.com' });
+
+      expect(results).toHaveLength(3);
+    });
+
+    test('should search by username', async () => {
+      const results = await methods.searchUsers({ searchPattern: 'alice' });
+
+      expect(results).toHaveLength(1);
+      expect((results[0] as unknown as t.IUser)?.username).toBe('alice');
+    });
+
+    test('should be case-insensitive', async () => {
+      const results = await methods.searchUsers({ searchPattern: 'JOHN' });
+
+      expect(results.length).toBeGreaterThan(0);
+    });
+
+    test('should respect limit', async () => {
+      const results = await methods.searchUsers({ searchPattern: 'example', limit: 2 });
+
+      expect(results).toHaveLength(2);
+    });
+
+    test('should return empty array for empty search pattern', async () => {
+      const results = await methods.searchUsers({ searchPattern: '' });
+
+      expect(results).toEqual([]);
+    });
+
+    test('should return empty array for whitespace-only pattern', async () => {
+      const results = await methods.searchUsers({ searchPattern: '   ' });
+
+      expect(results).toEqual([]);
+    });
+
+    test('should apply field selection', async () => {
+      const results = await methods.searchUsers({
+        searchPattern: 'john',
+        fieldsToSelect: 'name email',
+      });
+
+      expect(results.length).toBeGreaterThan(0);
+      expect(results[0]).toHaveProperty('name');
+      expect(results[0]).toHaveProperty('email');
+      expect(results[0]).not.toHaveProperty('username');
+    });
+
+    test('should sort by relevance (exact match first)', async () => {
+      const results = await methods.searchUsers({ searchPattern: 'alice' });
+
+      /** 'alice' username should score highest due to exact match */
+      expect((results[0] as unknown as t.IUser).username).toBe('alice');
+    });
+  });
+
+  describe('toggleUserMemories', () => {
+    test('should enable memories for user', async () => {
+      const user = await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+      });
+
+      const updated = await methods.toggleUserMemories(user._id?.toString() || '', true);
+
+      expect(updated).toBeDefined();
+      expect(updated?.personalization?.memories).toBe(true);
+    });
+
+    test('should disable memories for user', async () => {
+      const user = await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+        personalization: { memories: true },
+      });
+
+      const updated = await methods.toggleUserMemories(user._id?.toString() || '', false);
+
+      expect(updated).toBeDefined();
+      expect(updated?.personalization?.memories).toBe(false);
+    });
+
+    test('should update personalization.memories field', async () => {
+      const user = await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+      });
+
+      /** Toggle memories to true */
+      const updated = await methods.toggleUserMemories(user._id?.toString() || '', true);
+
+      expect(updated?.personalization).toBeDefined();
+      expect(updated?.personalization?.memories).toBe(true);
+
+      /** Toggle back to false */
+      const updatedAgain = await methods.toggleUserMemories(user._id?.toString() || '', false);
+      expect(updatedAgain?.personalization?.memories).toBe(false);
+    });
+
+    test('should return null for non-existent user', async () => {
+      const fakeId = new mongoose.Types.ObjectId();
+      const result = await methods.toggleUserMemories(fakeId.toString(), true);
+
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('Email Normalization Edge Cases', () => {
+    test('should handle email with multiple spaces', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+      });
+
+      const found = await methods.findUser({ email: '    test@example.com    ' });
+
+      expect(found).toBeDefined();
+      expect(found?.email).toBe('test@example.com');
+    });
+
+    test('should handle mixed case with international characters', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'user@example.com',
+        provider: 'local',
+      });
+
+      const found = await methods.findUser({ email: 'USER@EXAMPLE.COM' });
+
+      expect(found).toBeDefined();
+    });
+
+    test('should handle email normalization in complex $or queries', async () => {
+      const user1 = await User.create({
+        name: 'User One',
+        email: 'user1@example.com',
+        provider: 'openid',
+        openidId: 'openid-1',
+      });
+
+      await User.create({
+        name: 'User Two',
+        email: 'user2@example.com',
+        provider: 'openid',
+        openidId: 'openid-2',
+      });
+
+      /** Search with mixed case email in $or */
+      const found = await methods.findUser({
+        $or: [{ openidId: 'nonexistent' }, { email: 'USER1@EXAMPLE.COM' }],
+      });
+
+      expect(found).toBeDefined();
+      expect(found?._id?.toString()).toBe(user1._id?.toString());
+    });
+
+    test('should not normalize non-string email values', async () => {
+      await User.create({
+        name: 'Test User',
+        email: 'test@example.com',
+        provider: 'local',
+      });
+
+      /** Using regex for email (should not be normalized) */
+      const found = await methods.findUser({ email: /test@example\.com/i });
+
+      expect(found).toBeDefined();
+      expect(found?.email).toBe('test@example.com');
+    });
+
+    test('should handle OpenID provider migration scenario', async () => {
+      /** Simulate user stored with lowercase email */
+      await User.create({
+        name: 'John Doe',
+        email: 'john.doe@company.com',
+        provider: 'openid',
+        openidId: 'old-provider-id',
+      });
+
+      /**
+       * New OpenID provider returns email with different casing
+       * This simulates the exact bug reported in the GitHub issue
+       */
+      const emailFromNewProvider = 'John.Doe@Company.COM';
+
+      const found = await methods.findUser({ email: emailFromNewProvider });
+
+      expect(found).toBeDefined();
+      expect(found?.email).toBe('john.doe@company.com');
+      expect(found?.name).toBe('John Doe');
+    });
+
+    test('should handle SAML provider email normalization', async () => {
+      await User.create({
+        name: 'SAML User',
+        email: 'saml.user@enterprise.com',
+        provider: 'saml',
+        samlId: 'saml-123',
+      });
+
+      /** SAML providers sometimes return emails in different formats */
+      const found = await methods.findUser({ email: '  SAML.USER@ENTERPRISE.COM  ' });
+
+      expect(found).toBeDefined();
+      expect(found?.provider).toBe('saml');
+    });
+  });
+});

packages/data-schemas/src/methods/user.ts

@@ -4,15 +4,37 @@ import { signPayload } from '~/crypto';
 
 /** Factory function that takes mongoose instance and returns the methods */
 export function createUserMethods(mongoose: typeof import('mongoose')) {
+  /**
+   * Normalizes email fields in search criteria to lowercase and trimmed.
+   * Handles both direct email fields and $or arrays containing email conditions.
+   */
+  function normalizeEmailInCriteria<T extends FilterQuery<IUser>>(criteria: T): T {
+    const normalized = { ...criteria };
+    if (typeof normalized.email === 'string') {
+      normalized.email = normalized.email.trim().toLowerCase();
+    }
+    if (Array.isArray(normalized.$or)) {
+      normalized.$or = normalized.$or.map((condition) => {
+        if (typeof condition.email === 'string') {
+          return { ...condition, email: condition.email.trim().toLowerCase() };
+        }
+        return condition;
+      });
+    }
+    return normalized;
+  }
+
   /**
    * Search for a single user based on partial data and return matching user document as plain object.
+   * Email fields in searchCriteria are automatically normalized to lowercase for case-insensitive matching.
    */
   async function findUser(
     searchCriteria: FilterQuery<IUser>,
     fieldsToSelect?: string | string[] | null,
   ): Promise<IUser | null> {
     const User = mongoose.models.User;
-    const query = User.findOne(searchCriteria);
+    const normalizedCriteria = normalizeEmailInCriteria(searchCriteria);
+    const query = User.findOne(normalizedCriteria);
     if (fieldsToSelect) {
       query.select(fieldsToSelect);
     }

packages/data-schemas/src/types/token.ts

@@ -34,6 +34,7 @@ export interface TokenUpdateData {
   identifier?: string;
   token?: string;
   expiresAt?: Date;
+  expiresIn?: number;
   metadata?: Map<string, unknown>;
 }
 

stack.env

@@ -0,0 +1,797 @@
+#=====================================================================#
+#                       LibreChat Configuration                       #
+#=====================================================================#
+# Please refer to the reference documentation for assistance          #
+# with configuring your LibreChat environment.                        #
+#                                                                     #
+# https://www.librechat.ai/docs/configuration/dotenv                  #
+#=====================================================================#
+
+#==================================================#
+#               Server Configuration               #
+#==================================================#
+
+HOST=localhost
+PORT=3080
+
+MONGO_URI=mongodb://127.0.0.1:27017/LibreChat
+#The maximum number of connections in the connection pool. */
+MONGO_MAX_POOL_SIZE=
+#The minimum number of connections in the connection pool. */
+MONGO_MIN_POOL_SIZE=
+#The maximum number of connections that may be in the process of being established concurrently by the connection pool. */
+MONGO_MAX_CONNECTING=
+#The maximum number of milliseconds that a connection can remain idle in the pool before being removed and closed. */
+MONGO_MAX_IDLE_TIME_MS=
+#The maximum time in milliseconds that a thread can wait for a connection to become available. */
+MONGO_WAIT_QUEUE_TIMEOUT_MS=
+# Set to false to disable automatic index creation for all models associated with this connection. */
+MONGO_AUTO_INDEX=
+# Set to `false` to disable Mongoose automatically calling `createCollection()` on every model created on this connection. */
+MONGO_AUTO_CREATE=
+
+DOMAIN_CLIENT=https://chat.baked.rocks
+DOMAIN_SERVER=https://chat.baked.rocks
+
+NO_INDEX=true
+# Use the address that is at most n number of hops away from the Express application.
+# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
+# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
+# Defaulted to 1.
+TRUST_PROXY=1
+
+# Minimum password length for user authentication
+# Default: 8
+# Note: When using LDAP authentication, you may want to set this to 1 
+# to bypass local password validation, as LDAP servers handle their own
+# password policies.
+# MIN_PASSWORD_LENGTH=8
+
+#===============#
+# JSON Logging  #
+#===============#
+
+# Use when process console logs in cloud deployment like GCP/AWS
+CONSOLE_JSON=false
+
+#===============#
+# Debug Logging #
+#===============#
+
+DEBUG_LOGGING=true
+DEBUG_CONSOLE=false
+
+#=============#
+# Permissions #
+#=============#
+
+# UID=1000
+# GID=1000
+
+#===============#
+# Configuration #
+#===============#
+# Use an absolute path, a relative path, or a URL
+# Note: Using mounted file from deploy-compose.swarm.yml instead of remote URL
+
+CONFIG_PATH=/app/librechat.yaml
+
+#===================================================#
+#                     Endpoints                     #
+#===================================================#
+
+ENDPOINTS=openAI,assistants,google,anthropic,custom,fireworks,openrouter,deepseek,perplexity,groq,cohere,mistral,agents
+
+PROXY=
+
+#===================================#
+# Known Endpoints - librechat.yaml  #
+#===================================#
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
+
+# ANYSCALE_API_KEY=
+# APIPIE_API_KEY=
+# COHERE_API_KEY=user_provided  # Duplicate removed - see line 779 for actual value
+DEEPSEEK_API_KEY=user_provided
+# DATABRICKS_API_KEY=
+FIREWORKS_API_KEY=user_provided
+GROQ_API_KEY=user_provided
+# HUGGINGFACE_TOKEN=
+MISTRAL_API_KEY=user_provided
+OPENROUTER_KEY=user_provided
+PERPLEXITY_API_KEY=user_provided
+# SHUTTLEAI_API_KEY=
+# TOGETHERAI_API_KEY=
+# UNIFY_API_KEY=
+# XAI_API_KEY=
+
+#============#
+# Anthropic  #
+#============#
+
+ANTHROPIC_API_KEY=user_provided
+# ANTHROPIC_MODELS=claude-opus-4-20250514,claude-sonnet-4-20250514,claude-3-7-sonnet-20250219,claude-3-5-sonnet-20241022,claude-3-5-haiku-20241022,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307
+# ANTHROPIC_REVERSE_PROXY=
+
+#============#
+# Azure      #
+#============#
+
+# Note: these variables are DEPRECATED
+# Use the `librechat.yaml` configuration for `azureOpenAI` instead
+# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
+
+# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
+# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
+# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
+# AZURE_API_KEY= # Deprecated
+# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
+# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_VERSION= # Deprecated
+# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
+# PLUGINS_USE_AZURE="true" # Deprecated
+
+#=================#
+#   AWS Bedrock   #
+#=================#
+
+# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
+# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
+# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
+# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
+
+# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
+# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
+
+# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
+
+# Notes on specific models:
+# The following models are not support due to not supporting streaming:
+# ai21.j2-mid-v1
+
+# The following models are not support due to not supporting conversation history:
+# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
+
+#============#
+# Google     #
+#============#
+
+GOOGLE_KEY=user_provided
+
+# GOOGLE_REVERSE_PROXY=
+# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
+# GOOGLE_AUTH_HEADER=true
+
+# Gemini API (AI Studio)
+# GOOGLE_MODELS=gemini-2.5-pro,gemini-2.5-flash,gemini-2.5-flash-lite,gemini-2.0-flash,gemini-2.0-flash-lite
+
+# Vertex AI
+# GOOGLE_MODELS=gemini-2.5-pro,gemini-2.5-flash,gemini-2.5-flash-lite,gemini-2.0-flash-001,gemini-2.0-flash-lite-001
+
+# GOOGLE_TITLE_MODEL=gemini-2.0-flash-lite-001
+
+# GOOGLE_LOC=us-central1
+
+# Google Safety Settings
+# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
+#
+# For Vertex AI:
+# To use the BLOCK_NONE setting, you need either:
+# (a) Access through an allowlist via your Google account team, or
+# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
+#
+# For Gemini API (AI Studio):
+# BLOCK_NONE is available by default, no special account requirements.
+#
+# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
+#
+# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
+
+#============#
+# OpenAI     #
+#============#
+
+OPENAI_API_KEY=user_provided
+# OPENAI_MODELS=gpt-5,gpt-5-codex,gpt-5-mini,gpt-5-nano,o3-pro,o3,o4-mini,gpt-4.1,gpt-4.1-mini,gpt-4.1-nano,o3-mini,o1-pro,o1,gpt-4o,gpt-4o-mini
+
+DEBUG_OPENAI=false
+
+# TITLE_CONVO=false
+# OPENAI_TITLE_MODEL=gpt-4o-mini
+
+# OPENAI_SUMMARIZE=true
+# OPENAI_SUMMARY_MODEL=gpt-4o-mini
+
+# OPENAI_FORCE_PROMPT=true
+
+# OPENAI_REVERSE_PROXY=
+
+# OPENAI_ORGANIZATION=
+
+#====================#
+#   Assistants API   #
+#====================#
+
+ASSISTANTS_API_KEY=user_provided
+# ASSISTANTS_BASE_URL=
+# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
+
+#==========================#
+#   Azure Assistants API   #
+#==========================#
+
+# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
+# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
+
+# More info, including how to enable use of Assistants with Azure here:
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
+
+#============#
+# Plugins    #
+#============#
+
+# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
+
+DEBUG_PLUGINS=true
+
+CREDS_KEY=59381de7f30d104c84654a5553bceb358b3fa030b7db15a0d5ebf4d752a64eb2
+CREDS_IV=4d446a524e0710eff791135f510c17d5
+
+# Azure AI Search
+#-----------------
+AZURE_AI_SEARCH_SERVICE_ENDPOINT=
+AZURE_AI_SEARCH_INDEX_NAME=
+AZURE_AI_SEARCH_API_KEY=
+
+AZURE_AI_SEARCH_API_VERSION=
+AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
+AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
+AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
+
+# OpenAI Image Tools Customization
+#----------------
+IMAGE_GEN_OAI_API_KEY=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 # Create or reuse OpenAI API key for image generation tool
+# IMAGE_GEN_OAI_BASEURL= # Custom OpenAI base URL for image generation tool
+# IMAGE_GEN_OAI_AZURE_API_VERSION= # Custom Azure OpenAI deployments
+# IMAGE_GEN_OAI_DESCRIPTION=
+# IMAGE_GEN_OAI_DESCRIPTION_WITH_FILES=Custom description for image generation tool when files are present
+# IMAGE_GEN_OAI_DESCRIPTION_NO_FILES=Custom description for image generation tool when no files are present
+# IMAGE_EDIT_OAI_DESCRIPTION=Custom description for image editing tool
+# IMAGE_GEN_OAI_PROMPT_DESCRIPTION=Custom prompt description for image generation tool
+# IMAGE_EDIT_OAI_PROMPT_DESCRIPTION=Custom prompt description for image editing tool
+
+# DALL·E
+#----------------
+# DALLE_API_KEY=
+# DALLE3_API_KEY=
+# DALLE2_API_KEY=
+# DALLE3_SYSTEM_PROMPT=
+# DALLE2_SYSTEM_PROMPT=
+# DALLE_REVERSE_PROXY=
+# DALLE3_BASEURL=
+# DALLE2_BASEURL=
+
+# DALL·E (via Azure OpenAI)
+# Note: requires some of the variables above to be set
+#----------------
+# DALLE3_AZURE_API_VERSION=
+# DALLE2_AZURE_API_VERSION=
+
+# Flux
+#-----------------
+FLUX_API_BASE_URL=https://api.us1.bfl.ai
+# FLUX_API_BASE_URL = 'https://api.bfl.ml';
+
+# Get your API key at https://api.us1.bfl.ai/auth/profile
+# FLUX_API_KEY=
+
+# Google
+#-----------------
+GOOGLE_SEARCH_API_KEY=
+GOOGLE_CSE_ID=
+
+# YOUTUBE
+#-----------------
+YOUTUBE_API_KEY=
+
+# Stable Diffusion
+#-----------------
+SD_WEBUI_URL=http://host.docker.internal:7860
+
+# Tavily
+#-----------------
+TAVILY_API_KEY=
+
+# Traversaal
+#-----------------
+TRAVERSAAL_API_KEY=
+
+# WolframAlpha
+#-----------------
+WOLFRAM_APP_ID=
+
+# Zapier
+#-----------------
+ZAPIER_NLA_API_KEY=
+
+#==================================================#
+#                      Search                      #
+#==================================================#
+
+SEARCH=true
+MEILI_NO_ANALYTICS=true
+MEILI_HOST=http://0.0.0.0:7700
+MEILI_MASTER_KEY=5e3490d4b8da39d3195132ccf9a77f71
+
+# Optional: Disable indexing, useful in a multi-node setup
+# where only one instance should perform an index sync.
+# MEILI_NO_SYNC=true
+
+#==================================================#
+#          Speech to Text & Text to Speech         #
+#==================================================#
+
+STT_API_KEY=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
+TTS_API_KEY=sk_9a8e3153ba1e3133a4d87cd0dafa723e24d997ab3a0b8870
+
+#==================================================#
+#                        RAG                       #
+#==================================================#
+# More info: https://www.librechat.ai/docs/configuration/rag_api
+RAG_API_URL=http://host.docker.internal:8000
+# RAG_OPENAI_BASEURL=
+RAG_OPENAI_API_KEY=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
+# RAG_USE_FULL_CONTEXT=
+EMBEDDINGS_PROVIDER=openai
+EMBEDDINGS_MODEL=text-embedding-3-small
+
+#===================================================#
+#                    User System                    #
+#===================================================#
+
+#========================#
+# Moderation             #
+#========================#
+
+OPENAI_MODERATION=false
+OPENAI_MODERATION_API_KEY=
+# OPENAI_MODERATION_REVERSE_PROXY=
+
+BAN_VIOLATIONS=true
+BAN_DURATION=1000 * 60 * 60 * 2
+BAN_INTERVAL=20
+
+LOGIN_VIOLATION_SCORE=1
+REGISTRATION_VIOLATION_SCORE=1
+CONCURRENT_VIOLATION_SCORE=1
+MESSAGE_VIOLATION_SCORE=1
+NON_BROWSER_VIOLATION_SCORE=20
+TTS_VIOLATION_SCORE=0
+STT_VIOLATION_SCORE=0
+FORK_VIOLATION_SCORE=0
+IMPORT_VIOLATION_SCORE=0
+FILE_UPLOAD_VIOLATION_SCORE=0
+
+LOGIN_MAX=20
+LOGIN_WINDOW=5
+REGISTER_MAX=20
+REGISTER_WINDOW=60
+
+LIMIT_CONCURRENT_MESSAGES=true
+CONCURRENT_MESSAGE_MAX=3
+
+LIMIT_MESSAGE_IP=true
+MESSAGE_IP_MAX=40
+MESSAGE_IP_WINDOW=1
+
+LIMIT_MESSAGE_USER=false
+MESSAGE_USER_MAX=40
+MESSAGE_USER_WINDOW=1
+
+ILLEGAL_MODEL_REQ_SCORE=5
+
+#========================#
+# Balance                #
+#========================#
+
+# CHECK_BALANCE=false
+# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
+
+#========================#
+# Registration and Login #
+#========================#
+
+ALLOW_EMAIL_LOGIN=true
+ALLOW_REGISTRATION=true
+ALLOW_SOCIAL_LOGIN=true
+ALLOW_SOCIAL_REGISTRATION=true
+ALLOW_PASSWORD_RESET=false
+# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
+ALLOW_UNVERIFIED_EMAIL_LOGIN=true
+
+SESSION_EXPIRY=1000 * 60 * 15
+REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
+
+JWT_SECRET=4a7accae9dd0409750bc9e0b1c24a3ad7d19abad0e138a6d93d29dd3f82357b2
+JWT_REFRESH_SECRET=a49727968071ad906c812ae7015453c8142168b1afd6694205e7da8aca614eb0
+
+# Discord
+DISCORD_CLIENT_ID=
+DISCORD_CLIENT_SECRET=
+DISCORD_CALLBACK_URL=/oauth/discord/callback
+
+# Facebook
+FACEBOOK_CLIENT_ID=
+FACEBOOK_CLIENT_SECRET=
+FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
+
+# GitHub
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_CALLBACK_URL=/oauth/github/callback
+# GitHub Enterprise
+# GITHUB_ENTERPRISE_BASE_URL=
+# GITHUB_ENTERPRISE_USER_AGENT=
+
+# Google
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_CALLBACK_URL=/oauth/google/callback
+
+# Apple
+APPLE_CLIENT_ID=
+APPLE_TEAM_ID=
+APPLE_KEY_ID=
+APPLE_PRIVATE_KEY_PATH=
+APPLE_CALLBACK_URL=/oauth/apple/callback
+
+# OpenID
+OPENID_CLIENT_ID=WAKWgswi861g5ffBXaUTvFwSKr0PbtjiAadXthOR
+OPENID_CLIENT_SECRET=fF1p5Le8bcyyag0Itwn91ZydlxwSnqCN2de1pudASxIA4c8phsYGztXdGUjCQes9TGS20YfkmhaP6OabsZY4CptsFGj47RhgjgfowyPljsblrOyJ6yQv8MQsk7p24qpg
+OPENID_ISSUER=https://auth.baked.rocks/application/o/librechat/.well-known/openid-configuration
+OPENID_SESSION_SECRET=5685643423f66ee9ad0c743b45c0caaee6c3377463a12c74dc9da2cb1cb19d0f
+OPENID_SCOPE=openid profile email
+OPENID_CALLBACK_URL=/oauth/openid/callback
+OPENID_REQUIRED_ROLE=
+OPENID_REQUIRED_ROLE_TOKEN_KIND=
+OPENID_REQUIRED_ROLE_PARAMETER_PATH=
+OPENID_ADMIN_ROLE=
+OPENID_ADMIN_ROLE_PARAMETER_PATH=
+OPENID_ADMIN_ROLE_TOKEN_KIND=
+# Set to determine which user info property returned from OpenID Provider to store as the User's username
+OPENID_USERNAME_CLAIM=email
+# Set to determine which user info property returned from OpenID Provider to store as the User's name
+OPENID_NAME_CLAIM=name
+# Optional audience parameter for OpenID authorization requests
+OPENID_AUDIENCE=
+OPENID_GENERATE_NONCE=true
+OPENID_USE_END_SESSION_ENDPOINT=true
+OPENID_BUTTON_LABEL=Login with Magick
+OPENID_IMAGE_URL=https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
+# Set to true to automatically redirect to the OpenID provider when a user visits the login page
+# This will bypass the login form completely for users, only use this if OpenID is your only authentication method
+OPENID_AUTO_REDIRECT=false
+# Set to true to use PKCE (Proof Key for Code Exchange) for OpenID authentication
+OPENID_USE_PKCE=false
+#Set to true to reuse openid tokens for authentication management instead of using the mongodb session and the custom refresh token.
+OPENID_REUSE_TOKENS=
+#By default, signing key verification results are cached in order to prevent excessive HTTP requests to the JWKS endpoint.
+#If a signing key matching the kid is found, this will be cached and the next time this kid is requested the signing key will be served from the cache.
+#Default is true.
+OPENID_JWKS_URL_CACHE_ENABLED=true
+# 600000 ms eq to 10 minutes leave empty to disable caching
+OPENID_JWKS_URL_CACHE_TIME=6000000
+#Set to true to trigger token exchange flow to acquire access token for the userinfo endpoint.
+OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=
+# example for Scope Needed for Microsoft Graph API
+OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE=user.read
+# Set to true to use the OpenID Connect end session endpoint for logout
+OPENID_USE_END_SESSION_ENDPOINT=true
+
+#========================#
+# SharePoint Integration #
+#========================#
+# Requires Entra ID (OpenID) authentication to be configured
+
+# Enable SharePoint file picker in chat and agent panels
+# ENABLE_SHAREPOINT_FILEPICKER=true
+
+# SharePoint tenant base URL (e.g., https://yourtenant.sharepoint.com)
+# SHAREPOINT_BASE_URL=https://yourtenant.sharepoint.com
+
+# Microsoft Graph API And SharePoint scopes for file picker
+# SHAREPOINT_PICKER_SHAREPOINT_SCOPE==https://yourtenant.sharepoint.com/AllSites.Read
+# SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All
+#========================#
+
+# SAML
+# Note: If OpenID is enabled, SAML authentication will be automatically disabled.
+SAML_ENTRY_POINT=
+SAML_ISSUER=
+SAML_CERT=
+SAML_CALLBACK_URL=/oauth/saml/callback
+SAML_SESSION_SECRET=
+
+# Attribute mappings (optional)
+SAML_EMAIL_CLAIM=
+SAML_USERNAME_CLAIM=
+SAML_GIVEN_NAME_CLAIM=
+SAML_FAMILY_NAME_CLAIM=
+SAML_PICTURE_CLAIM=
+SAML_NAME_CLAIM=
+
+# Logint buttion settings (optional)
+SAML_BUTTON_LABEL=
+SAML_IMAGE_URL=
+
+# Whether the SAML Response should be signed.
+# - If "true", the entire `SAML Response` will be signed.
+# - If "false" or unset, only the `SAML Assertion` will be signed (default behavior).
+# SAML_USE_AUTHN_RESPONSE_SIGNED=
+
+
+#===============================================#
+# Microsoft Graph API / Entra ID Integration  #
+#===============================================#
+
+# Enable Entra ID people search integration in permissions/sharing system
+# When enabled, the people picker will search both local database and Entra ID
+USE_ENTRA_ID_FOR_PEOPLE_SEARCH=false
+
+# When enabled, entra id groups owners will be considered as members of the group
+ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=false
+
+# Microsoft Graph API scopes needed for people/group search
+# Default scopes provide access to user profiles and group memberships
+OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All
+
+# LDAP
+LDAP_URL=
+LDAP_BIND_DN=
+LDAP_BIND_CREDENTIALS=
+LDAP_USER_SEARCH_BASE=
+#LDAP_SEARCH_FILTER="mail="
+LDAP_CA_CERT_PATH=
+# LDAP_TLS_REJECT_UNAUTHORIZED=
+# LDAP_STARTTLS=
+# LDAP_LOGIN_USES_USERNAME=true
+# LDAP_ID=
+# LDAP_USERNAME=
+# LDAP_EMAIL=
+# LDAP_FULL_NAME=
+
+#========================#
+# Email Password Reset   #
+#========================#
+
+EMAIL_SERVICE=
+EMAIL_HOST=
+EMAIL_PORT=25
+EMAIL_ENCRYPTION=
+EMAIL_ENCRYPTION_HOSTNAME=
+EMAIL_ALLOW_SELFSIGNED=
+EMAIL_USERNAME=
+EMAIL_PASSWORD=
+EMAIL_FROM_NAME=
+EMAIL_FROM=noreply@librechat.ai
+
+#========================#
+#      Mailgun API       #
+#========================#
+
+MAILGUN_API_KEY=5092859788e1304d7b28901fe41bd6a7-51afd2db-b4b55a79
+MAILGUN_DOMAIN=thingswithstuff.io
+EMAIL_FROM=tinkerer@thingswithstuff.io
+EMAIL_FROM_NAME="LibreChat"
+
+# # Optional: For EU region
+# MAILGUN_HOST=https://api.eu.mailgun.net
+
+#========================#
+# Firebase CDN           #
+#========================#
+
+FIREBASE_API_KEY=
+FIREBASE_AUTH_DOMAIN=
+FIREBASE_PROJECT_ID=
+FIREBASE_STORAGE_BUCKET=
+FIREBASE_MESSAGING_SENDER_ID=
+FIREBASE_APP_ID=
+
+#========================#
+# S3 AWS Bucket          #
+#========================#
+
+AWS_ENDPOINT_URL=https://io.baked.rocks
+AWS_ACCESS_KEY_ID=root
+AWS_SECRET_ACCESS_KEY=squirtle123
+AWS_REGION=us-east-1
+AWS_BUCKET_NAME=librechat
+
+#========================#
+# Azure Blob Storage     #
+#========================#
+
+AZURE_STORAGE_CONNECTION_STRING=
+AZURE_STORAGE_PUBLIC_ACCESS=false
+AZURE_CONTAINER_NAME=files
+
+#========================#
+# Shared Links           #
+#========================#
+
+ALLOW_SHARED_LINKS=true
+ALLOW_SHARED_LINKS_PUBLIC=true
+
+#==============================#
+# Static File Cache Control    #
+#==============================#
+
+# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
+# NODE_ENV must be set to production for these to take effect
+# STATIC_CACHE_MAX_AGE=172800
+# STATIC_CACHE_S_MAX_AGE=86400
+
+# If you have another service in front of your LibreChat doing compression, disable express based compression here
+# DISABLE_COMPRESSION=true
+
+# If you have gzipped version of uploaded image images in the same folder, this will enable gzip scan and serving of these images
+# Note: The images folder will be scanned on startup and a ma kept in memory. Be careful for large number of images.
+# ENABLE_IMAGE_OUTPUT_GZIP_SCAN=true
+
+#===================================================#
+#                        UI                         #
+#===================================================#
+
+APP_TITLE=LibreChat
+# CUSTOM_FOOTER="My custom footer"
+HELP_AND_FAQ_URL=https://librechat.ai
+
+# SHOW_BIRTHDAY_ICON=true
+
+# Google tag manager id
+#ANALYTICS_GTM_ID=user provided google tag manager id
+
+# limit conversation file imports to a certain number of bytes in size to avoid the container
+# maxing out memory limitations by unremarking this line and supplying a file size in bytes
+# such as the below example of 250 mib
+# CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES=262144000
+
+
+#===============#
+# REDIS Options #
+#===============#
+
+# Enable Redis for caching and session storage
+USE_REDIS=false
+
+# Single Redis instance
+REDIS_URI=redis://192.168.50.210:6379/3
+
+# Redis cluster (multiple nodes)
+# REDIS_URI=redis://127.0.0.1:7001,redis://127.0.0.1:7002,redis://127.0.0.1:7003
+
+# Redis with TLS/SSL encryption and CA certificate
+# REDIS_URI=rediss://127.0.0.1:6380
+# REDIS_CA=/path/to/ca-cert.pem
+
+# Elasticache may need to use an alternate dnsLookup for TLS connections.  see "Special Note: Aws Elasticache Clusters with TLS" on this webpage: https://www.npmjs.com/package/ioredis
+# Enable alternative dnsLookup for redis
+# REDIS_USE_ALTERNATIVE_DNS_LOOKUP=true
+
+# Redis authentication (if required)
+# REDIS_USERNAME=your_redis_username
+# REDIS_PASSWORD=your_redis_password
+
+# Redis key prefix configuration
+# Use environment variable name for dynamic prefix (recommended for cloud deployments)
+# REDIS_KEY_PREFIX_VAR=K_REVISION
+# Or use static prefix directly
+# REDIS_KEY_PREFIX=librechat
+
+# Redis connection limits
+# REDIS_MAX_LISTENERS=40
+
+# Redis ping interval in seconds (0 = disabled, >0 = enabled)
+# When set to a positive integer, Redis clients will ping the server at this interval to keep connections alive
+# When unset or 0, no pinging is performed (recommended for most use cases)
+# REDIS_PING_INTERVAL=300
+
+# Force specific cache namespaces to use in-memory storage even when Redis is enabled
+# Comma-separated list of CacheKeys (e.g., ROLES,MESSAGES)
+FORCED_IN_MEMORY_CACHE_NAMESPACES=APP_CONFIG,CONFIG_STORE
+
+# Leader Election Configuration (for multi-instance deployments with Redis)
+# Duration in seconds that the leader lease is valid before it expires (default: 25)
+# LEADER_LEASE_DURATION=25
+# Interval in seconds at which the leader renews its lease (default: 10)
+# LEADER_RENEW_INTERVAL=10
+# Maximum number of retry attempts when renewing the lease fails (default: 3)
+# LEADER_RENEW_ATTEMPTS=3
+# Delay in seconds between retry attempts when renewing the lease (default: 0.5)
+# LEADER_RENEW_RETRY_DELAY=0.5
+
+#==================================================#
+#                      Others                      #
+#==================================================#
+#   You should leave the following commented out   #
+
+# NODE_ENV=
+
+# E2E_USER_EMAIL=
+# E2E_USER_PASSWORD=
+
+#=====================================================#
+#                  Cache Headers                      #
+#=====================================================#
+#   Headers that control caching of the index.html    #
+#   Default configuration prevents caching to ensure  #
+#   users always get the latest version. Customize    #
+#   only if you understand caching implications.      #
+
+# INDEX_CACHE_CONTROL=no-cache, no-store, must-revalidate
+# INDEX_PRAGMA=no-cache
+# INDEX_EXPIRES=0
+
+# no-cache: Forces validation with server before using cached version
+# no-store: Prevents storing the response entirely
+# must-revalidate: Prevents using stale content when offline
+
+#=====================================================#
+#                  OpenWeather                        #
+#=====================================================#
+OPENWEATHER_API_KEY=abac030ace40794a6b3afcd59faf676e
+
+#====================================#
+# LibreChat Code Interpreter API     #
+#====================================#
+
+# https://code.librechat.ai
+# LIBRECHAT_CODE_API_KEY=your-key
+
+#======================#
+# Web Search           #
+#======================#
+
+# Note: All of the following variable names can be customized.
+# Omit values to allow user to provide them.
+
+# For more information on configuration values, see:
+# https://librechat.ai/docs/features/web_search
+
+# Search Provider (Required)
+# SERPER_API_KEY=your_serper_api_key
+SEARXNG_INSTANCE_URL=https://searxng.sidepiece.rip
+SEARXNG_API_KEY=squirtle123456
+
+# Scraper (Required)
+FIRECRAWL_API_KEY=dummy-key
+# Optional: Custom Firecrawl API URL
+FIRECRAWL_API_URL=http://crawl.lab
+FIRECRAWL_VERSION=v2
+# Reranker (Required)
+# JINA_API_KEY=your_jina_api_key
+# or
+COHERE_API_KEY=Zx9TS3woEdUrFNpJv7ysM7yN3Bm85Wpq0KTdCUKp
+
+#======================#
+# MCP Configuration    #
+#======================#
+
+# Treat 401/403 responses as OAuth requirement when no oauth metadata found
+# MCP_OAUTH_ON_AUTH_ERROR=true
+
+# Timeout for OAuth detection requests in milliseconds
+# MCP_OAUTH_DETECTION_TIMEOUT=5000
+
+# Cache connection status checks for this many milliseconds to avoid expensive verification
+# MCP_CONNECTION_CHECK_TTL=60000
+
+# Skip code challenge method validation (e.g., for AWS Cognito that supports S256 but doesn't advertise it)
+# When set to true, forces S256 code challenge even if not advertised in .well-known/openid-configuration
+# MCP_SKIP_CODE_CHALLENGE_CHECK=false