WIP: fix tests

WIP: appConfig

fix: update memory configuration retrieval to use getAppConfig based on user role

fix: update comment for AppConfig interface to clarify purpose

.env.example

@@ -15,6 +15,20 @@ HOST=localhost
 PORT=3080
 
 MONGO_URI=mongodb://127.0.0.1:27017/LibreChat
+#The maximum number of connections in the connection pool. */
+MONGO_MAX_POOL_SIZE=
+#The minimum number of connections in the connection pool. */
+MONGO_MIN_POOL_SIZE=
+#The maximum number of connections that may be in the process of being established concurrently by the connection pool. */
+MONGO_MAX_CONNECTING=
+#The maximum number of milliseconds that a connection can remain idle in the pool before being removed and closed. */
+MONGO_MAX_IDLE_TIME_MS=
+#The maximum time in milliseconds that a thread can wait for a connection to become available. */
+MONGO_WAIT_QUEUE_TIMEOUT_MS=
+# Set to false to disable automatic index creation for all models associated with this connection. */
+MONGO_AUTO_INDEX=
+# Set to `false` to disable Mongoose automatically calling `createCollection()` on every model created on this connection. */
+MONGO_AUTO_CREATE=
 
 DOMAIN_CLIENT=http://localhost:3080
 DOMAIN_SERVER=http://localhost:3080
@@ -465,6 +479,21 @@ OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE="user.read" # example for Scope Needed for
 # Set to true to use the OpenID Connect end session endpoint for logout
 OPENID_USE_END_SESSION_ENDPOINT=
 
+#========================#
+# SharePoint Integration #
+#========================#
+# Requires Entra ID (OpenID) authentication to be configured
+
+# Enable SharePoint file picker in chat and agent panels
+# ENABLE_SHAREPOINT_FILEPICKER=true
+
+# SharePoint tenant base URL (e.g., https://yourtenant.sharepoint.com)
+# SHAREPOINT_BASE_URL=https://yourtenant.sharepoint.com
+
+# Microsoft Graph API And SharePoint scopes for file picker
+# SHAREPOINT_PICKER_SHAREPOINT_SCOPE==https://yourtenant.sharepoint.com/AllSites.Read
+# SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All
+#========================#
 
 # SAML
 # Note: If OpenID is enabled, SAML authentication will be automatically disabled.
@@ -492,6 +521,21 @@ SAML_IMAGE_URL=
 # SAML_USE_AUTHN_RESPONSE_SIGNED=
 
 
+#===============================================#
+# Microsoft Graph API / Entra ID Integration  #
+#===============================================#
+
+# Enable Entra ID people search integration in permissions/sharing system
+# When enabled, the people picker will search both local database and Entra ID
+USE_ENTRA_ID_FOR_PEOPLE_SEARCH=false
+
+# When enabled, entra id groups owners will be considered as members of the group
+ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=false
+
+# Microsoft Graph API scopes needed for people/group search
+# Default scopes provide access to user profiles and group memberships
+OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All
+
 # LDAP
 LDAP_URL=
 LDAP_BIND_DN=
@@ -698,3 +742,16 @@ OPENWEATHER_API_KEY=
 # JINA_API_KEY=your_jina_api_key
 # or
 # COHERE_API_KEY=your_cohere_api_key
+
+#======================#
+# MCP Configuration    #
+#======================#
+
+# Treat 401/403 responses as OAuth requirement when no oauth metadata found
+# MCP_OAUTH_ON_AUTH_ERROR=true
+
+# Timeout for OAuth detection requests in milliseconds
+# MCP_OAUTH_DETECTION_TIMEOUT=5000
+
+# Cache connection status checks for this many milliseconds to avoid expensive verification
+# MCP_CONNECTION_CHECK_TTL=60000

.github/CONTRIBUTING.md

@@ -147,7 +147,7 @@ Apply the following naming conventions to branches, labels, and other Git-relate
 ## 8. Module Import Conventions
 
 - `npm` packages first, 
-     - from shortest line (top) to longest (bottom)
+     - from longest line (top) to shortest (bottom)
 
 - Followed by typescript types (pertains to data-provider and client workspaces)
      - longest line (top) to shortest (bottom)
@@ -157,6 +157,8 @@ Apply the following naming conventions to branches, labels, and other Git-relate
      - longest line (top) to shortest (bottom)
      - imports with alias `~` treated the same as relative import with respect to line length
 
+**Note:** ESLint will automatically enforce these import conventions when you run `npm run lint --fix` or through pre-commit hooks.
+
 ---
 
 Please ensure that you adapt this summary to fit the specific context and nuances of your project.

.github/workflows/data-provider.yml

@@ -1,4 +1,4 @@
-name: Node.js Package
+name: Publish `librechat-data-provider` to NPM
 
 on:
   push:
@@ -6,6 +6,12 @@ on:
       - main
     paths:
       - 'packages/data-provider/package.json'
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Reason for manual trigger'
+        required: false
+        default: 'Manual publish requested'
 
 jobs:
   build:
@@ -14,7 +20,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 20
       - run: cd packages/data-provider && npm ci
       - run: cd packages/data-provider && npm run build
 
@@ -25,7 +31,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 20
           registry-url: 'https://registry.npmjs.org'
       - run: cd packages/data-provider && npm ci
       - run: cd packages/data-provider && npm run build

.github/workflows/helmcharts.yml

@@ -4,12 +4,13 @@ name: Build Helm Charts on Tag
 on:
   push:
     tags:
-      - "*"
+      - "chart-*"
 
 jobs:
   release:
     permissions:
       contents: write
+      packages: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -26,15 +27,49 @@ jobs:
         uses: azure/setup-helm@v4
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+      
       - name: Build Subchart Deps
         run: |
-          cd helm/librechat-rag-api
-          helm dependency build 
+          cd helm/librechat
+          helm dependency build  
+          cd ../librechat-rag-api
+          helm dependency build      
 
-      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+      - name: Get Chart Version
+        id: chart-version
+        run: |
+          CHART_VERSION=$(echo "${{ github.ref_name }}" | cut -d'-' -f2)
+          echo "CHART_VERSION=${CHART_VERSION}" >> "$GITHUB_OUTPUT"
+
+      # Log in to GitHub Container Registry
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
         with:
-          charts_dir: helm
-          skip_existing: true
-        env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Run Helm OCI Charts Releaser
+      # This is for the librechat chart
+      - name: Release Helm OCI Charts for librechat
+        uses: appany/helm-oci-chart-releaser@v0.4.2
+        with:
+          name: librechat
+          repository: ${{ github.actor }}/librechat-chart
+          tag: ${{ steps.chart-version.outputs.CHART_VERSION }}
+          path: helm/librechat
+          registry: ghcr.io
+          registry_username: ${{ github.actor }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+      
+      # this is for the librechat-rag-api chart
+      - name: Release Helm OCI Charts for librechat-rag-api
+        uses: appany/helm-oci-chart-releaser@v0.4.2
+        with:
+          name: librechat-rag-api
+          repository: ${{ github.actor }}/librechat-chart
+          tag: ${{ steps.chart-version.outputs.CHART_VERSION }}
+          path: helm/librechat-rag-api
+          registry: ghcr.io
+          registry_username: ${{ github.actor }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -13,6 +13,9 @@ pids
 *.seed
 .git
 
+# CI/CD data
+test-image*
+
 # Directory for instrumented libs generated by jscoverage/JSCover
 lib-cov
 
@@ -134,3 +137,4 @@ helm/**/.values.yaml
 /.openai/
 /.tabnine/
 /.codeium
+*.local.md

.vscode/launch.json

@@ -8,7 +8,8 @@
       "skipFiles": ["<node_internals>/**"],
       "program": "${workspaceFolder}/api/server/index.js",
       "env": {
-        "NODE_ENV": "production"
+        "NODE_ENV": "production",
+        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
       },
       "console": "integratedTerminal",
       "envFile": "${workspaceFolder}/.env"

Dockerfile

@@ -1,4 +1,4 @@
-# v0.8.0-rc1
+# v0.8.0-rc2
 
 # Base node image
 FROM node:20-alpine AS node
@@ -19,7 +19,12 @@ WORKDIR /app
 
 USER node
 
-COPY --chown=node:node . .
+COPY --chown=node:node package.json package-lock.json ./
+COPY --chown=node:node api/package.json ./api/package.json
+COPY --chown=node:node client/package.json ./client/package.json
+COPY --chown=node:node packages/data-provider/package.json ./packages/data-provider/package.json
+COPY --chown=node:node packages/data-schemas/package.json ./packages/data-schemas/package.json
+COPY --chown=node:node packages/api/package.json ./packages/api/package.json
 
 RUN \
     # Allow mounting of these files, which have no default
@@ -29,7 +34,11 @@ RUN \
     npm config set fetch-retry-maxtimeout 600000 ; \
     npm config set fetch-retries 5 ; \
     npm config set fetch-retry-mintimeout 15000 ; \
-    npm install --no-audit; \
+    npm ci --no-audit
+
+COPY --chown=node:node . .
+
+RUN \
     # React client build
     NODE_OPTIONS="--max-old-space-size=2048" npm run frontend; \
     npm prune --production; \
@@ -47,4 +56,4 @@ CMD ["npm", "run", "backend"]
 # WORKDIR /usr/share/nginx/html
 # COPY --from=node /app/client/dist /usr/share/nginx/html
 # COPY client/nginx.conf /etc/nginx/conf.d/default.conf
-# ENTRYPOINT ["nginx", "-g", "daemon off;"]
+# ENTRYPOINT ["nginx", "-g", "daemon off;"]

Dockerfile.multi

@@ -1,5 +1,5 @@
 # Dockerfile.multi
-# v0.8.0-rc1
+# v0.8.0-rc2
 
 # Base for all builds
 FROM node:20-alpine AS base-min

api/app/clients/BaseClient.js

@@ -11,6 +11,7 @@ const {
   Constants,
 } = require('librechat-data-provider');
 const { getMessages, saveMessage, updateMessage, saveConvo, getConvo } = require('~/models');
+const { getAppConfig } = require('~/server/services/Config');
 const { checkBalance } = require('~/models/balanceMethods');
 const { truncateToolCallOutputs } = require('./prompts');
 const { getFiles } = require('~/models/File');
@@ -37,6 +38,8 @@ class BaseClient {
     this.conversationId;
     /** @type {string} */
     this.responseMessageId;
+    /** @type {string} */
+    this.parentMessageId;
     /** @type {TAttachment[]} */
     this.attachments;
     /** The key for the usage object's input tokens
@@ -110,13 +113,15 @@ class BaseClient {
    * If a correction to the token usage is needed, the method should return an object with the corrected token counts.
    * Should only be used if `recordCollectedUsage` was not used instead.
    * @param {string} [model]
+   * @param {AppConfig['balance']} [balance]
    * @param {number} promptTokens
    * @param {number} completionTokens
    * @returns {Promise<void>}
    */
-  async recordTokenUsage({ model, promptTokens, completionTokens }) {
+  async recordTokenUsage({ model, balance, promptTokens, completionTokens }) {
     logger.debug('[BaseClient] `recordTokenUsage` not implemented.', {
       model,
+      balance,
       promptTokens,
       completionTokens,
     });
@@ -565,6 +570,7 @@ class BaseClient {
   }
 
   async sendMessage(message, opts = {}) {
+    const appConfig = await getAppConfig({ role: this.options.req?.user?.role });
     /** @type {Promise<TMessage>} */
     let userMessagePromise;
     const { user, head, isEdited, conversationId, responseMessageId, saveOptions, userMessage } =
@@ -614,15 +620,19 @@ class BaseClient {
       this.currentMessages.push(userMessage);
     }
 
+    /**
+     * When the userMessage is pushed to currentMessages, the parentMessage is the userMessageId.
+     * this only matters when buildMessages is utilizing the parentMessageId, and may vary on implementation
+     */
+    const parentMessageId = isEdited ? head : userMessage.messageId;
+    this.parentMessageId = parentMessageId;
     let {
       prompt: payload,
       tokenCountMap,
       promptTokens,
     } = await this.buildMessages(
       this.currentMessages,
-      // When the userMessage is pushed to currentMessages, the parentMessage is the userMessageId.
-      // this only matters when buildMessages is utilizing the parentMessageId, and may vary on implementation
-      isEdited ? head : userMessage.messageId,
+      parentMessageId,
       this.getBuildMessagesOptions(opts),
       opts,
     );
@@ -647,7 +657,7 @@ class BaseClient {
       }
     }
 
-    const balance = this.options.req?.app?.locals?.balance;
+    const balance = appConfig?.balance;
     if (
       balance?.enabled &&
       supportsBalanceCheck[this.options.endpointType ?? this.options.endpoint]
@@ -746,6 +756,7 @@ class BaseClient {
         completionTokens = responseMessage.tokenCount;
         await this.recordTokenUsage({
           usage,
+          balance,
           promptTokens,
           completionTokens,
           model: responseMessage.model,

api/app/clients/OpenAIClient.js

@@ -34,13 +34,14 @@ const {
 const { extractBaseURL, getModelMaxTokens, getModelMaxOutputTokens } = require('~/utils');
 const { encodeAndFormat } = require('~/server/services/Files/images/encode');
 const { addSpaceIfNeeded, sleep } = require('~/server/utils');
+const { getAppConfig } = require('~/server/services/Config');
 const { spendTokens } = require('~/models/spendTokens');
 const { handleOpenAIErrors } = require('./tools/util');
-const { createLLM, RunManager } = require('./llm');
 const { summaryBuffer } = require('./memory');
 const { runTitleChain } = require('./chains');
 const { tokenSplit } = require('./document');
 const BaseClient = require('./BaseClient');
+const { createLLM } = require('./llm');
 const { logger } = require('~/config');
 
 class OpenAIClient extends BaseClient {
@@ -618,10 +619,6 @@ class OpenAIClient extends BaseClient {
     temperature = 0.2,
     max_tokens,
     streaming,
-    context,
-    tokenBuffer,
-    initialMessageCount,
-    conversationId,
   }) {
     const modelOptions = {
       modelName: modelName ?? model,
@@ -653,8 +650,10 @@ class OpenAIClient extends BaseClient {
     if (headers && typeof headers === 'object' && !Array.isArray(headers)) {
       configOptions.baseOptions = {
         headers: resolveHeaders({
-          ...headers,
-          ...configOptions?.baseOptions?.headers,
+          headers: {
+            ...headers,
+            ...configOptions?.baseOptions?.headers,
+          },
         }),
       };
     }
@@ -664,22 +663,12 @@ class OpenAIClient extends BaseClient {
       configOptions.httpsAgent = new HttpsProxyAgent(this.options.proxy);
     }
 
-    const { req, res, debug } = this.options;
-    const runManager = new RunManager({ req, res, debug, abortController: this.abortController });
-    this.runManager = runManager;
-
     const llm = createLLM({
       modelOptions,
       configOptions,
       openAIApiKey: this.apiKey,
       azure: this.azure,
       streaming,
-      callbacks: runManager.createCallbacks({
-        context,
-        tokenBuffer,
-        conversationId: this.conversationId ?? conversationId,
-        initialMessageCount,
-      }),
     });
 
     return llm;
@@ -700,6 +689,7 @@ class OpenAIClient extends BaseClient {
    *                            In case of failure, it will return the default title, "New Chat".
    */
   async titleConvo({ text, conversationId, responseText = '' }) {
+    const appConfig = await getAppConfig({ role: this.options.req?.user?.role });
     this.conversationId = conversationId;
 
     if (this.options.attachments) {
@@ -728,8 +718,7 @@ class OpenAIClient extends BaseClient {
       max_tokens: 16,
     };
 
-    /** @type {TAzureConfig | undefined} */
-    const azureConfig = this.options?.req?.app?.locals?.[EModelEndpoint.azureOpenAI];
+    const azureConfig = appConfig?.endpoints?.[EModelEndpoint.azureOpenAI];
 
     const resetTitleOptions = !!(
       (this.azure && azureConfig) ||
@@ -749,7 +738,7 @@ class OpenAIClient extends BaseClient {
         groupMap,
       });
 
-      this.options.headers = resolveHeaders(headers);
+      this.options.headers = resolveHeaders({ headers });
       this.options.reverseProxyUrl = baseURL ?? null;
       this.langchainProxy = extractBaseURL(this.options.reverseProxyUrl);
       this.apiKey = azureOptions.azureOpenAIApiKey;
@@ -1118,6 +1107,7 @@ ${convo}
   }
 
   async chatCompletion({ payload, onProgress, abortController = null }) {
+    const appConfig = await getAppConfig({ role: this.options.req?.user?.role });
     let error = null;
     let intermediateReply = [];
     const errorCallback = (err) => (error = err);
@@ -1163,8 +1153,7 @@ ${convo}
         opts.fetchOptions.agent = new HttpsProxyAgent(this.options.proxy);
       }
 
-      /** @type {TAzureConfig | undefined} */
-      const azureConfig = this.options?.req?.app?.locals?.[EModelEndpoint.azureOpenAI];
+      const azureConfig = appConfig?.endpoints?.[EModelEndpoint.azureOpenAI];
 
       if (
         (this.azure && this.isVisionModel && azureConfig) ||
@@ -1181,7 +1170,7 @@ ${convo}
           modelGroupMap,
           groupMap,
         });
-        opts.defaultHeaders = resolveHeaders(headers);
+        opts.defaultHeaders = resolveHeaders({ headers });
         this.langchainProxy = extractBaseURL(baseURL);
         this.apiKey = azureOptions.azureOpenAIApiKey;
 
@@ -1222,7 +1211,9 @@ ${convo}
       }
 
       if (this.isOmni === true && modelOptions.max_tokens != null) {
-        modelOptions.max_completion_tokens = modelOptions.max_tokens;
+        const paramName =
+          modelOptions.useResponsesApi === true ? 'max_output_tokens' : 'max_completion_tokens';
+        modelOptions[paramName] = modelOptions.max_tokens;
         delete modelOptions.max_tokens;
       }
       if (this.isOmni === true && modelOptions.temperature != null) {

api/app/clients/callbacks/createStartHandler.js

@@ -1,95 +0,0 @@
-const { promptTokensEstimate } = require('openai-chat-tokens');
-const { EModelEndpoint, supportsBalanceCheck } = require('librechat-data-provider');
-const { formatFromLangChain } = require('~/app/clients/prompts');
-const { getBalanceConfig } = require('~/server/services/Config');
-const { checkBalance } = require('~/models/balanceMethods');
-const { logger } = require('~/config');
-
-const createStartHandler = ({
-  context,
-  conversationId,
-  tokenBuffer = 0,
-  initialMessageCount,
-  manager,
-}) => {
-  return async (_llm, _messages, runId, parentRunId, extraParams) => {
-    const { invocation_params } = extraParams;
-    const { model, functions, function_call } = invocation_params;
-    const messages = _messages[0].map(formatFromLangChain);
-
-    logger.debug(`[createStartHandler] handleChatModelStart: ${context}`, {
-      model,
-      function_call,
-    });
-
-    if (context !== 'title') {
-      logger.debug(`[createStartHandler] handleChatModelStart: ${context}`, {
-        functions,
-      });
-    }
-
-    const payload = { messages };
-    let prelimPromptTokens = 1;
-
-    if (functions) {
-      payload.functions = functions;
-      prelimPromptTokens += 2;
-    }
-
-    if (function_call) {
-      payload.function_call = function_call;
-      prelimPromptTokens -= 5;
-    }
-
-    prelimPromptTokens += promptTokensEstimate(payload);
-    logger.debug('[createStartHandler]', {
-      prelimPromptTokens,
-      tokenBuffer,
-    });
-    prelimPromptTokens += tokenBuffer;
-
-    try {
-      const balance = await getBalanceConfig();
-      if (balance?.enabled && supportsBalanceCheck[EModelEndpoint.openAI]) {
-        const generations =
-          initialMessageCount && messages.length > initialMessageCount
-            ? messages.slice(initialMessageCount)
-            : null;
-        await checkBalance({
-          req: manager.req,
-          res: manager.res,
-          txData: {
-            user: manager.user,
-            tokenType: 'prompt',
-            amount: prelimPromptTokens,
-            debug: manager.debug,
-            generations,
-            model,
-            endpoint: EModelEndpoint.openAI,
-          },
-        });
-      }
-    } catch (err) {
-      logger.error(`[createStartHandler][${context}] checkBalance error`, err);
-      manager.abortController.abort();
-      if (context === 'summary' || context === 'plugins') {
-        manager.addRun(runId, { conversationId, error: err.message });
-        throw new Error(err);
-      }
-      return;
-    }
-
-    manager.addRun(runId, {
-      model,
-      messages,
-      functions,
-      function_call,
-      runId,
-      parentRunId,
-      conversationId,
-      prelimPromptTokens,
-    });
-  };
-};
-
-module.exports = createStartHandler;

api/app/clients/callbacks/index.js

@@ -1,5 +0,0 @@
-const createStartHandler = require('./createStartHandler');
-
-module.exports = {
-  createStartHandler,
-};

api/app/clients/llm/RunManager.js

@@ -1,105 +0,0 @@
-const { createStartHandler } = require('~/app/clients/callbacks');
-const { spendTokens } = require('~/models/spendTokens');
-const { logger } = require('~/config');
-
-class RunManager {
-  constructor(fields) {
-    const { req, res, abortController, debug } = fields;
-    this.abortController = abortController;
-    this.user = req.user.id;
-    this.req = req;
-    this.res = res;
-    this.debug = debug;
-    this.runs = new Map();
-    this.convos = new Map();
-  }
-
-  addRun(runId, runData) {
-    if (!this.runs.has(runId)) {
-      this.runs.set(runId, runData);
-      if (runData.conversationId) {
-        this.convos.set(runData.conversationId, runId);
-      }
-      return runData;
-    } else {
-      const existingData = this.runs.get(runId);
-      const update = { ...existingData, ...runData };
-      this.runs.set(runId, update);
-      if (update.conversationId) {
-        this.convos.set(update.conversationId, runId);
-      }
-      return update;
-    }
-  }
-
-  removeRun(runId) {
-    if (this.runs.has(runId)) {
-      this.runs.delete(runId);
-    } else {
-      logger.error(`[api/app/clients/llm/RunManager] Run with ID ${runId} does not exist.`);
-    }
-  }
-
-  getAllRuns() {
-    return Array.from(this.runs.values());
-  }
-
-  getRunById(runId) {
-    return this.runs.get(runId);
-  }
-
-  getRunByConversationId(conversationId) {
-    const runId = this.convos.get(conversationId);
-    return { run: this.runs.get(runId), runId };
-  }
-
-  createCallbacks(metadata) {
-    return [
-      {
-        handleChatModelStart: createStartHandler({ ...metadata, manager: this }),
-        handleLLMEnd: async (output, runId, _parentRunId) => {
-          const { llmOutput, ..._output } = output;
-          logger.debug(`[RunManager] handleLLMEnd: ${JSON.stringify(metadata)}`, {
-            runId,
-            _parentRunId,
-            llmOutput,
-          });
-
-          if (metadata.context !== 'title') {
-            logger.debug('[RunManager] handleLLMEnd:', {
-              output: _output,
-            });
-          }
-
-          const { tokenUsage } = output.llmOutput;
-          const run = this.getRunById(runId);
-          this.removeRun(runId);
-
-          const txData = {
-            user: this.user,
-            model: run?.model ?? 'gpt-3.5-turbo',
-            ...metadata,
-          };
-
-          await spendTokens(txData, tokenUsage);
-        },
-        handleLLMError: async (err) => {
-          logger.error(`[RunManager] handleLLMError: ${JSON.stringify(metadata)}`, err);
-          if (metadata.context === 'title') {
-            return;
-          } else if (metadata.context === 'plugins') {
-            throw new Error(err);
-          }
-          const { conversationId } = metadata;
-          const { run } = this.getRunByConversationId(conversationId);
-          if (run && run.error) {
-            const { error } = run;
-            throw new Error(error);
-          }
-        },
-      },
-    ];
-  }
-}
-
-module.exports = RunManager;

api/app/clients/llm/index.js

@@ -1,9 +1,7 @@
 const createLLM = require('./createLLM');
-const RunManager = require('./RunManager');
 const createCoherePayload = require('./createCoherePayload');
 
 module.exports = {
   createLLM,
-  RunManager,
   createCoherePayload,
 };

api/app/clients/specs/AnthropicClient.test.js

@@ -245,7 +245,7 @@ describe('AnthropicClient', () => {
     });
 
     describe('Claude 4 model headers', () => {
-      it('should add "prompt-caching" beta header for claude-sonnet-4 model', () => {
+      it('should add "prompt-caching" and "context-1m" beta headers for claude-sonnet-4 model', () => {
         const client = new AnthropicClient('test-api-key');
         const modelOptions = {
           model: 'claude-sonnet-4-20250514',
@@ -255,10 +255,30 @@ describe('AnthropicClient', () => {
         expect(anthropicClient._options.defaultHeaders).toBeDefined();
         expect(anthropicClient._options.defaultHeaders).toHaveProperty('anthropic-beta');
         expect(anthropicClient._options.defaultHeaders['anthropic-beta']).toBe(
-          'prompt-caching-2024-07-31',
+          'prompt-caching-2024-07-31,context-1m-2025-08-07',
         );
       });
 
+      it('should add "prompt-caching" and "context-1m" beta headers for claude-sonnet-4 model formats', () => {
+        const client = new AnthropicClient('test-api-key');
+        const modelVariations = [
+          'claude-sonnet-4-20250514',
+          'claude-sonnet-4-latest',
+          'anthropic/claude-sonnet-4-20250514',
+        ];
+
+        modelVariations.forEach((model) => {
+          const modelOptions = { model };
+          client.setOptions({ modelOptions, promptCache: true });
+          const anthropicClient = client.getClient(modelOptions);
+          expect(anthropicClient._options.defaultHeaders).toBeDefined();
+          expect(anthropicClient._options.defaultHeaders).toHaveProperty('anthropic-beta');
+          expect(anthropicClient._options.defaultHeaders['anthropic-beta']).toBe(
+            'prompt-caching-2024-07-31,context-1m-2025-08-07',
+          );
+        });
+      });
+
       it('should add "prompt-caching" beta header for claude-opus-4 model', () => {
         const client = new AnthropicClient('test-api-key');
         const modelOptions = {
@@ -273,20 +293,6 @@ describe('AnthropicClient', () => {
         );
       });
 
-      it('should add "prompt-caching" beta header for claude-4-sonnet model', () => {
-        const client = new AnthropicClient('test-api-key');
-        const modelOptions = {
-          model: 'claude-4-sonnet-20250514',
-        };
-        client.setOptions({ modelOptions, promptCache: true });
-        const anthropicClient = client.getClient(modelOptions);
-        expect(anthropicClient._options.defaultHeaders).toBeDefined();
-        expect(anthropicClient._options.defaultHeaders).toHaveProperty('anthropic-beta');
-        expect(anthropicClient._options.defaultHeaders['anthropic-beta']).toBe(
-          'prompt-caching-2024-07-31',
-        );
-      });
-
       it('should add "prompt-caching" beta header for claude-4-opus model', () => {
         const client = new AnthropicClient('test-api-key');
         const modelOptions = {

api/app/clients/specs/BaseClient.test.js

@@ -2,6 +2,14 @@ const { Constants } = require('librechat-data-provider');
 const { initializeFakeClient } = require('./FakeClient');
 
 jest.mock('~/db/connect');
+jest.mock('~/server/services/Config', () => ({
+  getAppConfig: jest.fn().mockResolvedValue({
+    // Default app config for tests
+    paths: { uploads: '/tmp' },
+    fileStrategy: 'local',
+    memory: { disabled: false },
+  }),
+}));
 jest.mock('~/models', () => ({
   User: jest.fn(),
   Key: jest.fn(),

api/app/clients/tools/index.js

@@ -1,4 +1,4 @@
-const availableTools = require('./manifest.json');
+const manifest = require('./manifest');
 
 // Structured Tools
 const DALLE3 = require('./structured/DALLE3');
@@ -13,23 +13,8 @@ const TraversaalSearch = require('./structured/TraversaalSearch');
 const createOpenAIImageTools = require('./structured/OpenAIImageTools');
 const TavilySearchResults = require('./structured/TavilySearchResults');
 
-/** @type {Record<string, TPlugin | undefined>} */
-const manifestToolMap = {};
-
-/** @type {Array<TPlugin>} */
-const toolkits = [];
-
-availableTools.forEach((tool) => {
-  manifestToolMap[tool.pluginKey] = tool;
-  if (tool.toolkit === true) {
-    toolkits.push(tool);
-  }
-});
-
 module.exports = {
-  toolkits,
-  availableTools,
-  manifestToolMap,
+  ...manifest,
   // Structured Tools
   DALLE3,
   FluxAPI,

api/app/clients/tools/manifest.js

@@ -0,0 +1,20 @@
+const availableTools = require('./manifest.json');
+
+/** @type {Record<string, TPlugin | undefined>} */
+const manifestToolMap = {};
+
+/** @type {Array<TPlugin>} */
+const toolkits = [];
+
+availableTools.forEach((tool) => {
+  manifestToolMap[tool.pluginKey] = tool;
+  if (tool.toolkit === true) {
+    toolkits.push(tool);
+  }
+});
+
+module.exports = {
+  toolkits,
+  availableTools,
+  manifestToolMap,
+};

api/app/clients/tools/structured/DALLE3.js

@@ -5,10 +5,10 @@ const fetch = require('node-fetch');
 const { v4: uuidv4 } = require('uuid');
 const { ProxyAgent } = require('undici');
 const { Tool } = require('@langchain/core/tools');
+const { logger } = require('@librechat/data-schemas');
+const { getImageBasename } = require('@librechat/api');
 const { FileContext, ContentTypes } = require('librechat-data-provider');
-const { getImageBasename } = require('~/server/services/Files/images');
 const extractBaseURL = require('~/utils/extractBaseURL');
-const logger = require('~/config/winston');
 
 const displayMessage =
   "DALL-E displayed an image. All generated images are already plainly visible, so don't repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.";

api/app/clients/tools/structured/OpenAIImageTools.js

@@ -1,69 +1,16 @@
-const { z } = require('zod');
 const axios = require('axios');
 const { v4 } = require('uuid');
 const OpenAI = require('openai');
 const FormData = require('form-data');
 const { ProxyAgent } = require('undici');
 const { tool } = require('@langchain/core/tools');
-const { logAxiosError } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
+const { logAxiosError, oaiToolkit } = require('@librechat/api');
 const { ContentTypes, EImageOutputType } = require('librechat-data-provider');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
-const { extractBaseURL } = require('~/utils');
+const extractBaseURL = require('~/utils/extractBaseURL');
 const { getFiles } = require('~/models/File');
 
-/** Default descriptions for image generation tool  */
-const DEFAULT_IMAGE_GEN_DESCRIPTION = `
-Generates high-quality, original images based solely on text, not using any uploaded reference images.
-
-When to use \`image_gen_oai\`:
-- To create entirely new images from detailed text descriptions that do NOT reference any image files.
-
-When NOT to use \`image_gen_oai\`:
-- If the user has uploaded any images and requests modifications, enhancements, or remixing based on those uploads → use \`image_edit_oai\` instead.
-
-Generated image IDs will be returned in the response, so you can refer to them in future requests made to \`image_edit_oai\`.
-`.trim();
-
-/** Default description for image editing tool  */
-const DEFAULT_IMAGE_EDIT_DESCRIPTION =
-  `Generates high-quality, original images based on text and one or more uploaded/referenced images.
-
-When to use \`image_edit_oai\`:
-- The user wants to modify, extend, or remix one **or more** uploaded images, either:
-- Previously generated, or in the current request (both to be included in the \`image_ids\` array).
-- Always when the user refers to uploaded images for editing, enhancement, remixing, style transfer, or combining elements.
-- Any current or existing images are to be used as visual guides.
-- If there are any files in the current request, they are more likely than not expected as references for image edit requests.
-
-When NOT to use \`image_edit_oai\`:
-- Brand-new generations that do not rely on an existing image → use \`image_gen_oai\` instead.
-
-Both generated and referenced image IDs will be returned in the response, so you can refer to them in future requests made to \`image_edit_oai\`.
-`.trim();
-
-/** Default prompt descriptions  */
-const DEFAULT_IMAGE_GEN_PROMPT_DESCRIPTION = `Describe the image you want in detail. 
-      Be highly specific—break your idea into layers: 
-      (1) main concept and subject,
-      (2) composition and position,
-      (3) lighting and mood,
-      (4) style, medium, or camera details,
-      (5) important features (age, expression, clothing, etc.),
-      (6) background.
-      Use positive, descriptive language and specify what should be included, not what to avoid. 
-      List number and characteristics of people/objects, and mention style/technical requirements (e.g., "DSLR photo, 85mm lens, golden hour").
-      Do not reference any uploaded images—use for new image creation from text only.`;
-
-const DEFAULT_IMAGE_EDIT_PROMPT_DESCRIPTION = `Describe the changes, enhancements, or new ideas to apply to the uploaded image(s).
-      Be highly specific—break your request into layers: 
-      (1) main concept or transformation,
-      (2) specific edits/replacements or composition guidance,
-      (3) desired style, mood, or technique,
-      (4) features/items to keep, change, or add (such as objects, people, clothing, lighting, etc.).
-      Use positive, descriptive language and clarify what should be included or changed, not what to avoid.
-      Always base this prompt on the most recently uploaded reference images.`;
-
 const displayMessage =
   "The tool displayed an image. All generated images are already plainly visible, so don't repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.";
 
@@ -91,22 +38,6 @@ function returnValue(value) {
   return value;
 }
 
-const getImageGenDescription = () => {
-  return process.env.IMAGE_GEN_OAI_DESCRIPTION || DEFAULT_IMAGE_GEN_DESCRIPTION;
-};
-
-const getImageEditDescription = () => {
-  return process.env.IMAGE_EDIT_OAI_DESCRIPTION || DEFAULT_IMAGE_EDIT_DESCRIPTION;
-};
-
-const getImageGenPromptDescription = () => {
-  return process.env.IMAGE_GEN_OAI_PROMPT_DESCRIPTION || DEFAULT_IMAGE_GEN_PROMPT_DESCRIPTION;
-};
-
-const getImageEditPromptDescription = () => {
-  return process.env.IMAGE_EDIT_OAI_PROMPT_DESCRIPTION || DEFAULT_IMAGE_EDIT_PROMPT_DESCRIPTION;
-};
-
 function createAbortHandler() {
   return function () {
     logger.debug('[ImageGenOAI] Image generation aborted');
@@ -121,7 +52,9 @@ function createAbortHandler() {
  * @param {string} fields.IMAGE_GEN_OAI_API_KEY - The OpenAI API key
  * @param {boolean} [fields.override] - Whether to override the API key check, necessary for app initialization
  * @param {MongoFile[]} [fields.imageFiles] - The images to be used for editing
- * @returns {Array} - Array of image tools
+ * @param {string} [fields.imageOutputType] - The image output type configuration
+ * @param {string} [fields.fileStrategy] - The file storage strategy
+ * @returns {Array<ReturnType<tool>>} - Array of image tools
  */
 function createOpenAIImageTools(fields = {}) {
   /** @type {boolean} Used to initialize the Tool without necessary variables. */
@@ -131,8 +64,8 @@ function createOpenAIImageTools(fields = {}) {
     throw new Error('This tool is only available for agents.');
   }
   const { req } = fields;
-  const imageOutputType = req?.app.locals.imageOutputType || EImageOutputType.PNG;
-  const appFileStrategy = req?.app.locals.fileStrategy;
+  const imageOutputType = fields.imageOutputType || EImageOutputType.PNG;
+  const appFileStrategy = fields.fileStrategy;
 
   const getApiKey = () => {
     const apiKey = process.env.IMAGE_GEN_OAI_API_KEY ?? '';
@@ -285,46 +218,7 @@ Error Message: ${error.message}`);
       ];
       return [response, { content, file_ids }];
     },
-    {
-      name: 'image_gen_oai',
-      description: getImageGenDescription(),
-      schema: z.object({
-        prompt: z.string().max(32000).describe(getImageGenPromptDescription()),
-        background: z
-          .enum(['transparent', 'opaque', 'auto'])
-          .optional()
-          .describe(
-            'Sets transparency for the background. Must be one of transparent, opaque or auto (default). When transparent, the output format should be png or webp.',
-          ),
-        /*
-        n: z
-          .number()
-          .int()
-          .min(1)
-          .max(10)
-          .optional()
-          .describe('The number of images to generate. Must be between 1 and 10.'),
-        output_compression: z
-          .number()
-          .int()
-          .min(0)
-          .max(100)
-          .optional()
-          .describe('The compression level (0-100%) for webp or jpeg formats. Defaults to 100.'),
-           */
-        quality: z
-          .enum(['auto', 'high', 'medium', 'low'])
-          .optional()
-          .describe('The quality of the image. One of auto (default), high, medium, or low.'),
-        size: z
-          .enum(['auto', '1024x1024', '1536x1024', '1024x1536'])
-          .optional()
-          .describe(
-            'The size of the generated image. One of 1024x1024, 1536x1024 (landscape), 1024x1536 (portrait), or auto (default).',
-          ),
-      }),
-      responseFormat: 'content_and_artifact',
-    },
+    oaiToolkit.image_gen_oai,
   );
 
   /**
@@ -517,48 +411,7 @@ Error Message: ${error.message || 'Unknown error'}`);
         }
       }
     },
-    {
-      name: 'image_edit_oai',
-      description: getImageEditDescription(),
-      schema: z.object({
-        image_ids: z
-          .array(z.string())
-          .min(1)
-          .describe(
-            `
-IDs (image ID strings) of previously generated or uploaded images that should guide the edit.
-
-Guidelines:
-- If the user's request depends on any prior image(s), copy their image IDs into the \`image_ids\` array (in the same order the user refers to them).  
-- Never invent or hallucinate IDs; only use IDs that are still visible in the conversation context.
-- If no earlier image is relevant, omit the field entirely.
-`.trim(),
-          ),
-        prompt: z.string().max(32000).describe(getImageEditPromptDescription()),
-        /*
-        n: z
-          .number()
-          .int()
-          .min(1)
-          .max(10)
-          .optional()
-          .describe('The number of images to generate. Must be between 1 and 10. Defaults to 1.'),
-        */
-        quality: z
-          .enum(['auto', 'high', 'medium', 'low'])
-          .optional()
-          .describe(
-            'The quality of the image. One of auto (default), high, medium, or low. High/medium/low only supported for gpt-image-1.',
-          ),
-        size: z
-          .enum(['auto', '1024x1024', '1536x1024', '1024x1536', '256x256', '512x512'])
-          .optional()
-          .describe(
-            'The size of the generated images. For gpt-image-1: auto (default), 1024x1024, 1536x1024, 1024x1536. For dall-e-2: 256x256, 512x512, 1024x1024.',
-          ),
-      }),
-      responseFormat: 'content_and_artifact',
-    },
+    oaiToolkit.image_edit_oai,
   );
 
   return [imageGenTool, imageEditTool];

api/app/clients/tools/structured/YouTube.js

@@ -1,9 +1,9 @@
-const { z } = require('zod');
+const { ytToolkit } = require('@librechat/api');
 const { tool } = require('@langchain/core/tools');
 const { youtube } = require('@googleapis/youtube');
+const { logger } = require('@librechat/data-schemas');
 const { YoutubeTranscript } = require('youtube-transcript');
 const { getApiKey } = require('./credentials');
-const { logger } = require('~/config');
 
 function extractVideoId(url) {
   const rawIdRegex = /^[a-zA-Z0-9_-]{11}$/;
@@ -29,7 +29,7 @@ function parseTranscript(transcriptResponse) {
     .map((entry) => entry.text.trim())
     .filter((text) => text)
     .join(' ')
-    .replaceAll(''', '\'');
+    .replaceAll(''', "'");
 }
 
 function createYouTubeTools(fields = {}) {
@@ -42,160 +42,94 @@ function createYouTubeTools(fields = {}) {
     auth: apiKey,
   });
 
-  const searchTool = tool(
-    async ({ query, maxResults = 5 }) => {
-      const response = await youtubeClient.search.list({
-        part: 'snippet',
-        q: query,
-        type: 'video',
-        maxResults: maxResults || 5,
-      });
-      const result = response.data.items.map((item) => ({
-        title: item.snippet.title,
-        description: item.snippet.description,
-        url: `https://www.youtube.com/watch?v=${item.id.videoId}`,
-      }));
-      return JSON.stringify(result, null, 2);
-    },
-    {
-      name: 'youtube_search',
-      description: `Search for YouTube videos by keyword or phrase.
-- Required: query (search terms to find videos)
-- Optional: maxResults (number of videos to return, 1-50, default: 5)
-- Returns: List of videos with titles, descriptions, and URLs
-- Use for: Finding specific videos, exploring content, research
-Example: query="cooking pasta tutorials" maxResults=3`,
-      schema: z.object({
-        query: z.string().describe('Search query terms'),
-        maxResults: z.number().int().min(1).max(50).optional().describe('Number of results (1-50)'),
-      }),
-    },
-  );
+  const searchTool = tool(async ({ query, maxResults = 5 }) => {
+    const response = await youtubeClient.search.list({
+      part: 'snippet',
+      q: query,
+      type: 'video',
+      maxResults: maxResults || 5,
+    });
+    const result = response.data.items.map((item) => ({
+      title: item.snippet.title,
+      description: item.snippet.description,
+      url: `https://www.youtube.com/watch?v=${item.id.videoId}`,
+    }));
+    return JSON.stringify(result, null, 2);
+  }, ytToolkit.youtube_search);
 
-  const infoTool = tool(
-    async ({ url }) => {
-      const videoId = extractVideoId(url);
-      if (!videoId) {
-        throw new Error('Invalid YouTube URL or video ID');
-      }
+  const infoTool = tool(async ({ url }) => {
+    const videoId = extractVideoId(url);
+    if (!videoId) {
+      throw new Error('Invalid YouTube URL or video ID');
+    }
 
-      const response = await youtubeClient.videos.list({
-        part: 'snippet,statistics',
-        id: videoId,
-      });
+    const response = await youtubeClient.videos.list({
+      part: 'snippet,statistics',
+      id: videoId,
+    });
 
-      if (!response.data.items?.length) {
-        throw new Error('Video not found');
-      }
-      const video = response.data.items[0];
+    if (!response.data.items?.length) {
+      throw new Error('Video not found');
+    }
+    const video = response.data.items[0];
 
-      const result = {
-        title: video.snippet.title,
-        description: video.snippet.description,
-        views: video.statistics.viewCount,
-        likes: video.statistics.likeCount,
-        comments: video.statistics.commentCount,
-      };
-      return JSON.stringify(result, null, 2);
-    },
-    {
-      name: 'youtube_info',
-      description: `Get detailed metadata and statistics for a specific YouTube video.
-- Required: url (full YouTube URL or video ID)
-- Returns: Video title, description, view count, like count, comment count
-- Use for: Getting video metrics and basic metadata
-- DO NOT USE FOR VIDEO SUMMARIES, USE TRANSCRIPTS FOR COMPREHENSIVE ANALYSIS
-- Accepts both full URLs and video IDs
-Example: url="https://youtube.com/watch?v=abc123" or url="abc123"`,
-      schema: z.object({
-        url: z.string().describe('YouTube video URL or ID'),
-      }),
-    },
-  );
+    const result = {
+      title: video.snippet.title,
+      description: video.snippet.description,
+      views: video.statistics.viewCount,
+      likes: video.statistics.likeCount,
+      comments: video.statistics.commentCount,
+    };
+    return JSON.stringify(result, null, 2);
+  }, ytToolkit.youtube_info);
 
-  const commentsTool = tool(
-    async ({ url, maxResults = 10 }) => {
-      const videoId = extractVideoId(url);
-      if (!videoId) {
-        throw new Error('Invalid YouTube URL or video ID');
-      }
+  const commentsTool = tool(async ({ url, maxResults = 10 }) => {
+    const videoId = extractVideoId(url);
+    if (!videoId) {
+      throw new Error('Invalid YouTube URL or video ID');
+    }
 
-      const response = await youtubeClient.commentThreads.list({
-        part: 'snippet',
-        videoId,
-        maxResults: maxResults || 10,
-      });
+    const response = await youtubeClient.commentThreads.list({
+      part: 'snippet',
+      videoId,
+      maxResults: maxResults || 10,
+    });
 
-      const result = response.data.items.map((item) => ({
-        author: item.snippet.topLevelComment.snippet.authorDisplayName,
-        text: item.snippet.topLevelComment.snippet.textDisplay,
-        likes: item.snippet.topLevelComment.snippet.likeCount,
-      }));
-      return JSON.stringify(result, null, 2);
-    },
-    {
-      name: 'youtube_comments',
-      description: `Retrieve top-level comments from a YouTube video.
-- Required: url (full YouTube URL or video ID)
-- Optional: maxResults (number of comments, 1-50, default: 10)
-- Returns: Comment text, author names, like counts
-- Use for: Sentiment analysis, audience feedback, engagement review
-Example: url="abc123" maxResults=20`,
-      schema: z.object({
-        url: z.string().describe('YouTube video URL or ID'),
-        maxResults: z
-          .number()
-          .int()
-          .min(1)
-          .max(50)
-          .optional()
-          .describe('Number of comments to retrieve'),
-      }),
-    },
-  );
+    const result = response.data.items.map((item) => ({
+      author: item.snippet.topLevelComment.snippet.authorDisplayName,
+      text: item.snippet.topLevelComment.snippet.textDisplay,
+      likes: item.snippet.topLevelComment.snippet.likeCount,
+    }));
+    return JSON.stringify(result, null, 2);
+  }, ytToolkit.youtube_comments);
 
-  const transcriptTool = tool(
-    async ({ url }) => {
-      const videoId = extractVideoId(url);
-      if (!videoId) {
-        throw new Error('Invalid YouTube URL or video ID');
+  const transcriptTool = tool(async ({ url }) => {
+    const videoId = extractVideoId(url);
+    if (!videoId) {
+      throw new Error('Invalid YouTube URL or video ID');
+    }
+
+    try {
+      try {
+        const transcript = await YoutubeTranscript.fetchTranscript(videoId, { lang: 'en' });
+        return parseTranscript(transcript);
+      } catch (e) {
+        logger.error(e);
       }
 
       try {
-        try {
-          const transcript = await YoutubeTranscript.fetchTranscript(videoId, { lang: 'en' });
-          return parseTranscript(transcript);
-        } catch (e) {
-          logger.error(e);
-        }
-
-        try {
-          const transcript = await YoutubeTranscript.fetchTranscript(videoId, { lang: 'de' });
-          return parseTranscript(transcript);
-        } catch (e) {
-          logger.error(e);
-        }
-
-        const transcript = await YoutubeTranscript.fetchTranscript(videoId);
+        const transcript = await YoutubeTranscript.fetchTranscript(videoId, { lang: 'de' });
         return parseTranscript(transcript);
-      } catch (error) {
-        throw new Error(`Failed to fetch transcript: ${error.message}`);
+      } catch (e) {
+        logger.error(e);
       }
-    },
-    {
-      name: 'youtube_transcript',
-      description: `Fetch and parse the transcript/captions of a YouTube video.
-- Required: url (full YouTube URL or video ID)
-- Returns: Full video transcript as plain text
-- Use for: Content analysis, summarization, translation reference
-- This is the "Go-to" tool for analyzing actual video content
-- Attempts to fetch English first, then German, then any available language
-Example: url="https://youtube.com/watch?v=abc123"`,
-      schema: z.object({
-        url: z.string().describe('YouTube video URL or ID'),
-      }),
-    },
-  );
+
+      const transcript = await YoutubeTranscript.fetchTranscript(videoId);
+      return parseTranscript(transcript);
+    } catch (error) {
+      throw new Error(`Failed to fetch transcript: ${error.message}`);
+    }
+  }, ytToolkit.youtube_transcript);
 
   return [searchTool, infoTool, commentsTool, transcriptTool];
 }

api/app/clients/tools/structured/specs/DALLE3-proxy.spec.js

@@ -1,43 +1,9 @@
 const DALLE3 = require('../DALLE3');
 const { ProxyAgent } = require('undici');
 
+jest.mock('tiktoken');
 const processFileURL = jest.fn();
 
-jest.mock('~/server/services/Files/images', () => ({
-  getImageBasename: jest.fn().mockImplementation((url) => {
-    const parts = url.split('/');
-    const lastPart = parts.pop();
-    const imageExtensionRegex = /\.(jpg|jpeg|png|gif|bmp|tiff|svg)$/i;
-    if (imageExtensionRegex.test(lastPart)) {
-      return lastPart;
-    }
-    return '';
-  }),
-}));
-
-jest.mock('fs', () => {
-  return {
-    existsSync: jest.fn(),
-    mkdirSync: jest.fn(),
-    promises: {
-      writeFile: jest.fn(),
-      readFile: jest.fn(),
-      unlink: jest.fn(),
-    },
-  };
-});
-
-jest.mock('path', () => {
-  return {
-    resolve: jest.fn(),
-    join: jest.fn(),
-    relative: jest.fn(),
-    extname: jest.fn().mockImplementation((filename) => {
-      return filename.slice(filename.lastIndexOf('.'));
-    }),
-  };
-});
-
 describe('DALLE3 Proxy Configuration', () => {
   let originalEnv;
 

api/app/clients/tools/structured/specs/DALLE3.spec.js

@@ -1,9 +1,8 @@
 const OpenAI = require('openai');
+const { logger } = require('@librechat/data-schemas');
 const DALLE3 = require('../DALLE3');
-const logger = require('~/config/winston');
 
 jest.mock('openai');
-
 jest.mock('@librechat/data-schemas', () => {
   return {
     logger: {
@@ -26,25 +25,6 @@ jest.mock('tiktoken', () => {
 
 const processFileURL = jest.fn();
 
-jest.mock('~/server/services/Files/images', () => ({
-  getImageBasename: jest.fn().mockImplementation((url) => {
-    // Split the URL by '/'
-    const parts = url.split('/');
-
-    // Get the last part of the URL
-    const lastPart = parts.pop();
-
-    // Check if the last part of the URL matches the image extension regex
-    const imageExtensionRegex = /\.(jpg|jpeg|png|gif|bmp|tiff|svg)$/i;
-    if (imageExtensionRegex.test(lastPart)) {
-      return lastPart;
-    }
-
-    // If the regex test fails, return an empty string
-    return '';
-  }),
-}));
-
 const generate = jest.fn();
 OpenAI.mockImplementation(() => ({
   images: {

api/app/clients/tools/util/fileSearch.js

@@ -3,6 +3,7 @@ const axios = require('axios');
 const { tool } = require('@langchain/core/tools');
 const { logger } = require('@librechat/data-schemas');
 const { Tools, EToolResources } = require('librechat-data-provider');
+const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
 const { generateShortLivedToken } = require('~/server/services/AuthService');
 const { getFiles } = require('~/models/File');
 
@@ -22,14 +23,24 @@ const primeFiles = async (options) => {
   const file_ids = tool_resources?.[EToolResources.file_search]?.file_ids ?? [];
   const agentResourceIds = new Set(file_ids);
   const resourceFiles = tool_resources?.[EToolResources.file_search]?.files ?? [];
-  const dbFiles = (
-    (await getFiles(
-      { file_id: { $in: file_ids } },
-      null,
-      { text: 0 },
-      { userId: req?.user?.id, agentId },
-    )) ?? []
-  ).concat(resourceFiles);
+
+  // Get all files first
+  const allFiles = (await getFiles({ file_id: { $in: file_ids } }, null, { text: 0 })) ?? [];
+
+  // Filter by access if user and agent are provided
+  let dbFiles;
+  if (req?.user?.id && agentId) {
+    dbFiles = await filterFilesByAgentAccess({
+      files: allFiles,
+      userId: req.user.id,
+      role: req.user.role,
+      agentId,
+    });
+  } else {
+    dbFiles = allFiles;
+  }
+
+  dbFiles = dbFiles.concat(resourceFiles);
 
   let toolContext = `- Note: Semantic search is available through the ${Tools.file_search} tool but no files are currently loaded. Request the user to upload documents to search through.`;
 
@@ -114,11 +125,13 @@ const createFileSearchTool = async ({ req, files, entity_id }) => {
       }
 
       const formattedResults = validResults
-        .flatMap((result) =>
+        .flatMap((result, fileIndex) =>
           result.data.map(([docInfo, distance]) => ({
             filename: docInfo.metadata.source.split('/').pop(),
             content: docInfo.page_content,
             distance,
+            file_id: files[fileIndex]?.file_id,
+            page: docInfo.metadata.page || null,
           })),
         )
         // TODO: results should be sorted by relevance, not distance
@@ -128,18 +141,37 @@ const createFileSearchTool = async ({ req, files, entity_id }) => {
 
       const formattedString = formattedResults
         .map(
-          (result) =>
-            `File: ${result.filename}\nRelevance: ${1.0 - result.distance.toFixed(4)}\nContent: ${
+          (result, index) =>
+            `File: ${result.filename}\nAnchor: \\ue202turn0file${index} (${result.filename})\nRelevance: ${(1.0 - result.distance).toFixed(4)}\nContent: ${
               result.content
             }\n`,
         )
         .join('\n---\n');
 
-      return formattedString;
+      const sources = formattedResults.map((result) => ({
+        type: 'file',
+        fileId: result.file_id,
+        content: result.content,
+        fileName: result.filename,
+        relevance: 1.0 - result.distance,
+        pages: result.page ? [result.page] : [],
+        pageRelevance: result.page ? { [result.page]: 1.0 - result.distance } : {},
+      }));
+
+      return [formattedString, { [Tools.file_search]: { sources } }];
     },
     {
       name: Tools.file_search,
-      description: `Performs semantic search across attached "${Tools.file_search}" documents using natural language queries. This tool analyzes the content of uploaded files to find relevant information, quotes, and passages that best match your query. Use this to extract specific information or find relevant sections within the available documents.`,
+      responseFormat: 'content_and_artifact',
+      description: `Performs semantic search across attached "${Tools.file_search}" documents using natural language queries. This tool analyzes the content of uploaded files to find relevant information, quotes, and passages that best match your query. Use this to extract specific information or find relevant sections within the available documents.
+
+**CITE FILE SEARCH RESULTS:**
+Use anchor markers immediately after statements derived from file content. Reference the filename in your text:
+- File citation: "The document.pdf states that... \\ue202turn0file0"  
+- Page reference: "According to report.docx... \\ue202turn0file1"
+- Multi-file: "Multiple sources confirm... \\ue200\\ue202turn0file0\\ue202turn0file1\\ue201"
+
+**ALWAYS mention the filename in your text before the citation marker. NEVER use markdown links or footnotes.**`,
       schema: z.object({
         query: z
           .string()

api/app/clients/tools/util/handleTools.js

@@ -121,16 +121,19 @@ const getAuthFields = (toolKey) => {
 
 /**
  *
- * @param {object} object
- * @param {string} object.user
- * @param {Pick<Agent, 'id' | 'provider' | 'model'>} [object.agent]
- * @param {string} [object.model]
- * @param {EModelEndpoint} [object.endpoint]
- * @param {LoadToolOptions} [object.options]
- * @param {boolean} [object.useSpecs]
- * @param {Array<string>} object.tools
- * @param {boolean} [object.functions]
- * @param {boolean} [object.returnMap]
+ * @param {object} params
+ * @param {string} params.user
+ * @param {Pick<Agent, 'id' | 'provider' | 'model'>} [params.agent]
+ * @param {string} [params.model]
+ * @param {EModelEndpoint} [params.endpoint]
+ * @param {LoadToolOptions} [params.options]
+ * @param {boolean} [params.useSpecs]
+ * @param {Array<string>} params.tools
+ * @param {boolean} [params.functions]
+ * @param {boolean} [params.returnMap]
+ * @param {AppConfig['webSearch']} [params.webSearch]
+ * @param {AppConfig['fileStrategy']} [params.fileStrategy]
+ * @param {AppConfig['imageOutputType']} [params.imageOutputType]
  * @returns {Promise<{ loadedTools: Tool[], toolContextMap: Object<string, any> } | Record<string,Tool>>}
  */
 const loadTools = async ({
@@ -142,6 +145,9 @@ const loadTools = async ({
   options = {},
   functions = true,
   returnMap = false,
+  webSearch,
+  fileStrategy,
+  imageOutputType,
 }) => {
   const toolConstructors = {
     flux: FluxAPI,
@@ -200,6 +206,8 @@ const loadTools = async ({
         ...authValues,
         isAgent: !!agent,
         req: options.req,
+        imageOutputType,
+        fileStrategy,
         imageFiles,
       });
     },
@@ -215,7 +223,7 @@ const loadTools = async ({
   const imageGenOptions = {
     isAgent: !!agent,
     req: options.req,
-    fileStrategy: options.fileStrategy,
+    fileStrategy,
     processFileURL: options.processFileURL,
     returnMetadata: options.returnMetadata,
     uploadImageBuffer: options.uploadImageBuffer,
@@ -272,11 +280,10 @@ const loadTools = async ({
       };
       continue;
     } else if (tool === Tools.web_search) {
-      const webSearchConfig = options?.req?.app?.locals?.webSearch;
       const result = await loadWebSearchAuth({
         userId: user,
         loadAuthValues,
-        webSearchConfig,
+        webSearchConfig: webSearch,
       });
       const { onSearchResults, onGetHighlights } = options?.[Tools.web_search] ?? {};
       requestedTools[tool] = async () => {

api/app/clients/tools/util/handleTools.test.js

@@ -9,6 +9,27 @@ const mockPluginService = {
 
 jest.mock('~/server/services/PluginService', () => mockPluginService);
 
+jest.mock('~/server/services/Config', () => ({
+  getAppConfig: jest.fn().mockResolvedValue({
+    // Default app config for tool tests
+    paths: { uploads: '/tmp' },
+    fileStrategy: 'local',
+    filteredTools: [],
+    includedTools: [],
+  }),
+  getCachedTools: jest.fn().mockResolvedValue({
+    // Default cached tools for tests
+    dalle: {
+      type: 'function',
+      function: {
+        name: 'dalle',
+        description: 'DALL-E image generation',
+        parameters: {},
+      },
+    },
+  }),
+}));
+
 const { BaseLLM } = require('@langchain/openai');
 const { Calculator } = require('@langchain/community/tools/calculator');
 

api/cache/cacheConfig.js

@@ -52,7 +52,8 @@ const cacheConfig = {
   REDIS_CONNECT_TIMEOUT: math(process.env.REDIS_CONNECT_TIMEOUT, 10000),
   /** Queue commands when disconnected */
   REDIS_ENABLE_OFFLINE_QUEUE: isEnabled(process.env.REDIS_ENABLE_OFFLINE_QUEUE ?? 'true'),
-
+  /** Enable redis cluster without the need of multiple URIs */
+  USE_REDIS_CLUSTER: isEnabled(process.env.USE_REDIS_CLUSTER ?? 'false'),
   CI: isEnabled(process.env.CI),
   DEBUG_MEMORY_CACHE: isEnabled(process.env.DEBUG_MEMORY_CACHE),
 

api/cache/cacheConfig.spec.js

@@ -14,6 +14,7 @@ describe('cacheConfig', () => {
     delete process.env.REDIS_KEY_PREFIX_VAR;
     delete process.env.REDIS_KEY_PREFIX;
     delete process.env.USE_REDIS;
+    delete process.env.USE_REDIS_CLUSTER;
     delete process.env.REDIS_PING_INTERVAL;
     delete process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES;
 
@@ -101,6 +102,38 @@ describe('cacheConfig', () => {
     });
   });
 
+  describe('USE_REDIS_CLUSTER configuration', () => {
+    test('should default to false when USE_REDIS_CLUSTER is not set', () => {
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.USE_REDIS_CLUSTER).toBe(false);
+    });
+
+    test('should be false when USE_REDIS_CLUSTER is set to false', () => {
+      process.env.USE_REDIS_CLUSTER = 'false';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.USE_REDIS_CLUSTER).toBe(false);
+    });
+
+    test('should be true when USE_REDIS_CLUSTER is set to true', () => {
+      process.env.USE_REDIS_CLUSTER = 'true';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.USE_REDIS_CLUSTER).toBe(true);
+    });
+
+    test('should work with USE_REDIS enabled and REDIS_URI set', () => {
+      process.env.USE_REDIS_CLUSTER = 'true';
+      process.env.USE_REDIS = 'true';
+      process.env.REDIS_URI = 'redis://localhost:6379';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.USE_REDIS_CLUSTER).toBe(true);
+      expect(cacheConfig.USE_REDIS).toBe(true);
+      expect(cacheConfig.REDIS_URI).toBe('redis://localhost:6379');
+    });
+  });
+
   describe('REDIS_CA file reading', () => {
     test('should be null when REDIS_CA is not set', () => {
       const { cacheConfig } = require('./cacheConfig');

api/cache/redisClients.js

@@ -38,7 +38,7 @@ if (cacheConfig.USE_REDIS) {
       const targetError = 'READONLY';
       if (err.message.includes(targetError)) {
         logger.warn('ioredis reconnecting due to READONLY error');
-        return true;
+        return 2; // Return retry delay instead of boolean
       }
       return false;
     },
@@ -48,26 +48,29 @@ if (cacheConfig.USE_REDIS) {
   };
 
   ioredisClient =
-    urls.length === 1
+    urls.length === 1 && !cacheConfig.USE_REDIS_CLUSTER
       ? new IoRedis(cacheConfig.REDIS_URI, redisOptions)
-      : new IoRedis.Cluster(cacheConfig.REDIS_URI, {
-          redisOptions,
-          clusterRetryStrategy: (times) => {
-            if (
-              cacheConfig.REDIS_RETRY_MAX_ATTEMPTS > 0 &&
-              times > cacheConfig.REDIS_RETRY_MAX_ATTEMPTS
-            ) {
-              logger.error(
-                `ioredis cluster giving up after ${cacheConfig.REDIS_RETRY_MAX_ATTEMPTS} reconnection attempts`,
-              );
-              return null;
-            }
-            const delay = Math.min(times * 100, cacheConfig.REDIS_RETRY_MAX_DELAY);
-            logger.info(`ioredis cluster reconnecting... attempt ${times}, delay ${delay}ms`);
-            return delay;
+      : new IoRedis.Cluster(
+          urls.map((url) => ({ host: url.hostname, port: parseInt(url.port, 10) || 6379 })),
+          {
+            redisOptions,
+            clusterRetryStrategy: (times) => {
+              if (
+                cacheConfig.REDIS_RETRY_MAX_ATTEMPTS > 0 &&
+                times > cacheConfig.REDIS_RETRY_MAX_ATTEMPTS
+              ) {
+                logger.error(
+                  `ioredis cluster giving up after ${cacheConfig.REDIS_RETRY_MAX_ATTEMPTS} reconnection attempts`,
+                );
+                return null;
+              }
+              const delay = Math.min(times * 100, cacheConfig.REDIS_RETRY_MAX_DELAY);
+              logger.info(`ioredis cluster reconnecting... attempt ${times}, delay ${delay}ms`);
+              return delay;
+            },
+            enableOfflineQueue: cacheConfig.REDIS_ENABLE_OFFLINE_QUEUE,
           },
-          enableOfflineQueue: cacheConfig.REDIS_ENABLE_OFFLINE_QUEUE,
-        });
+        );
 
   ioredisClient.on('error', (err) => {
     logger.error('ioredis client error:', err);
@@ -145,10 +148,10 @@ if (cacheConfig.USE_REDIS) {
   };
 
   keyvRedisClient =
-    urls.length === 1
+    urls.length === 1 && !cacheConfig.USE_REDIS_CLUSTER
       ? createClient({ url: cacheConfig.REDIS_URI, ...redisOptions })
       : createCluster({
-          rootNodes: cacheConfig.REDIS_URI.split(',').map((url) => ({ url })),
+          rootNodes: urls.map((url) => ({ url: url.href })),
           defaults: redisOptions,
         });
 

api/config/index.js

@@ -1,27 +1,13 @@
+const { MCPManager, FlowStateManager } = require('@librechat/api');
 const { EventSource } = require('eventsource');
 const { Time } = require('librechat-data-provider');
-const { MCPManager, FlowStateManager } = require('@librechat/api');
 const logger = require('./winston');
 
 global.EventSource = EventSource;
 
 /** @type {MCPManager} */
-let mcpManager = null;
 let flowManager = null;
 
-/**
- * @param {string} [userId] - Optional user ID, to avoid disconnecting the current user.
- * @returns {MCPManager}
- */
-function getMCPManager(userId) {
-  if (!mcpManager) {
-    mcpManager = MCPManager.getInstance();
-  } else {
-    mcpManager.checkIdleConnections(userId);
-  }
-  return mcpManager;
-}
-
 /**
  * @param {Keyv} flowsCache
  * @returns {FlowStateManager}
@@ -37,6 +23,7 @@ function getFlowStateManager(flowsCache) {
 
 module.exports = {
   logger,
-  getMCPManager,
+  createMCPManager: MCPManager.createInstance,
+  getMCPManager: MCPManager.getInstance,
   getFlowStateManager,
 };

api/db/connect.js

@@ -1,11 +1,34 @@
 require('dotenv').config();
+const { isEnabled } = require('@librechat/api');
+const { logger } = require('@librechat/data-schemas');
+
 const mongoose = require('mongoose');
 const MONGO_URI = process.env.MONGO_URI;
 
 if (!MONGO_URI) {
   throw new Error('Please define the MONGO_URI environment variable');
 }
+/** The maximum number of connections in the connection pool. */
+const maxPoolSize = parseInt(process.env.MONGO_MAX_POOL_SIZE) || undefined;
+/** The minimum number of connections in the connection pool. */
+const minPoolSize = parseInt(process.env.MONGO_MIN_POOL_SIZE) || undefined;
+/** The maximum number of connections that may be in the process of being established concurrently by the connection pool. */
+const maxConnecting = parseInt(process.env.MONGO_MAX_CONNECTING) || undefined;
+/** The maximum number of milliseconds that a connection can remain idle in the pool before being removed and closed. */
+const maxIdleTimeMS = parseInt(process.env.MONGO_MAX_IDLE_TIME_MS) || undefined;
+/** The maximum time in milliseconds that a thread can wait for a connection to become available. */
+const waitQueueTimeoutMS = parseInt(process.env.MONGO_WAIT_QUEUE_TIMEOUT_MS) || undefined;
+/** Set to false to disable automatic index creation for all models associated with this connection. */
+const autoIndex =
+  process.env.MONGO_AUTO_INDEX != undefined
+    ? isEnabled(process.env.MONGO_AUTO_INDEX) || false
+    : undefined;
 
+/** Set to `false` to disable Mongoose automatically calling `createCollection()` on every model created on this connection. */
+const autoCreate =
+  process.env.MONGO_AUTO_CREATE != undefined
+    ? isEnabled(process.env.MONGO_AUTO_CREATE) || false
+    : undefined;
 /**
  * Global is used here to maintain a cached connection across hot reloads
  * in development. This prevents connections growing exponentially
@@ -26,13 +49,21 @@ async function connectDb() {
   if (!cached.promise || disconnected) {
     const opts = {
       bufferCommands: false,
+      ...(maxPoolSize ? { maxPoolSize } : {}),
+      ...(minPoolSize ? { minPoolSize } : {}),
+      ...(maxConnecting ? { maxConnecting } : {}),
+      ...(maxIdleTimeMS ? { maxIdleTimeMS } : {}),
+      ...(waitQueueTimeoutMS ? { waitQueueTimeoutMS } : {}),
+      ...(autoIndex != undefined ? { autoIndex } : {}),
+      ...(autoCreate != undefined ? { autoCreate } : {}),
       // useNewUrlParser: true,
       // useUnifiedTopology: true,
       // bufferMaxEntries: 0,
       // useFindAndModify: true,
       // useCreateIndex: true
     };
-
+    logger.info('Mongo Connection options');
+    logger.info(JSON.stringify(opts, null, 2));
     mongoose.set('strictQuery', true);
     cached.promise = mongoose.connect(MONGO_URI, opts).then((mongoose) => {
       return mongoose;

api/jest.config.js

@@ -3,6 +3,7 @@ module.exports = {
   clearMocks: true,
   roots: ['<rootDir>'],
   coverageDirectory: 'coverage',
+  testTimeout: 30000, // 30 seconds timeout for all tests
   setupFiles: [
     './test/jestSetup.js',
     './test/__mocks__/logger.js',

api/models/Agent.js

@@ -1,18 +1,17 @@
 const mongoose = require('mongoose');
 const crypto = require('node:crypto');
 const { logger } = require('@librechat/data-schemas');
-const { SystemRoles, Tools, actionDelimiter } = require('librechat-data-provider');
+const { ResourceType, SystemRoles, Tools, actionDelimiter } = require('librechat-data-provider');
 const { GLOBAL_PROJECT_NAME, EPHEMERAL_AGENT_ID, mcp_delimiter } =
   require('librechat-data-provider').Constants;
-const { CONFIG_STORE, STARTUP_CONFIG } = require('librechat-data-provider').CacheKeys;
 const {
-  getProjectByName,
-  addAgentIdsToProject,
-  removeAgentIdsFromProject,
   removeAgentFromAllProjects,
+  removeAgentIdsFromProject,
+  addAgentIdsToProject,
+  getProjectByName,
 } = require('./Project');
+const { removeAllPermissions } = require('~/server/services/PermissionService');
 const { getCachedTools } = require('~/server/services/Config');
-const getLogStores = require('~/cache/getLogStores');
 const { getActions } = require('./Action');
 const { Agent } = require('~/db/models');
 
@@ -23,7 +22,7 @@ const { Agent } = require('~/db/models');
  * @throws {Error} If the agent creation fails.
  */
 const createAgent = async (agentData) => {
-  const { author, ...versionData } = agentData;
+  const { author: _author, ...versionData } = agentData;
   const timestamp = new Date();
   const initialAgentData = {
     ...agentData,
@@ -34,7 +33,9 @@ const createAgent = async (agentData) => {
         updatedAt: timestamp,
       },
     ],
+    category: agentData.category || 'general',
   };
+
   return (await Agent.create(initialAgentData)).toObject();
 };
 
@@ -131,29 +132,7 @@ const loadAgent = async ({ req, agent_id, endpoint, model_parameters }) => {
   }
 
   agent.version = agent.versions ? agent.versions.length : 0;
-
-  if (agent.author.toString() === req.user.id) {
-    return agent;
-  }
-
-  if (!agent.projectIds) {
-    return null;
-  }
-
-  const cache = getLogStores(CONFIG_STORE);
-  /** @type {TStartupConfig} */
-  const cachedStartupConfig = await cache.get(STARTUP_CONFIG);
-  let { instanceProjectId } = cachedStartupConfig ?? {};
-  if (!instanceProjectId) {
-    instanceProjectId = (await getProjectByName(GLOBAL_PROJECT_NAME, '_id'))._id.toString();
-  }
-
-  for (const projectObjectId of agent.projectIds) {
-    const projectId = projectObjectId.toString();
-    if (projectId === instanceProjectId) {
-      return agent;
-    }
-  }
+  return agent;
 };
 
 /**
@@ -183,7 +162,7 @@ const isDuplicateVersion = (updateData, currentData, versions, actionsHash = nul
     'actionsHash', // Exclude actionsHash from direct comparison
   ];
 
-  const { $push, $pull, $addToSet, ...directUpdates } = updateData;
+  const { $push: _$push, $pull: _$pull, $addToSet: _$addToSet, ...directUpdates } = updateData;
 
   if (Object.keys(directUpdates).length === 0 && !actionsHash) {
     return null;
@@ -202,54 +181,116 @@ const isDuplicateVersion = (updateData, currentData, versions, actionsHash = nul
 
   let isMatch = true;
   for (const field of importantFields) {
-    if (!wouldBeVersion[field] && !lastVersion[field]) {
+    const wouldBeValue = wouldBeVersion[field];
+    const lastVersionValue = lastVersion[field];
+
+    // Skip if both are undefined/null
+    if (!wouldBeValue && !lastVersionValue) {
       continue;
     }
 
-    if (Array.isArray(wouldBeVersion[field]) && Array.isArray(lastVersion[field])) {
-      if (wouldBeVersion[field].length !== lastVersion[field].length) {
+    // Handle arrays
+    if (Array.isArray(wouldBeValue) || Array.isArray(lastVersionValue)) {
+      // Normalize: treat undefined/null as empty array for comparison
+      let wouldBeArr;
+      if (Array.isArray(wouldBeValue)) {
+        wouldBeArr = wouldBeValue;
+      } else if (wouldBeValue == null) {
+        wouldBeArr = [];
+      } else {
+        wouldBeArr = [wouldBeValue];
+      }
+
+      let lastVersionArr;
+      if (Array.isArray(lastVersionValue)) {
+        lastVersionArr = lastVersionValue;
+      } else if (lastVersionValue == null) {
+        lastVersionArr = [];
+      } else {
+        lastVersionArr = [lastVersionValue];
+      }
+
+      if (wouldBeArr.length !== lastVersionArr.length) {
         isMatch = false;
         break;
       }
 
       // Special handling for projectIds (MongoDB ObjectIds)
       if (field === 'projectIds') {
-        const wouldBeIds = wouldBeVersion[field].map((id) => id.toString()).sort();
-        const versionIds = lastVersion[field].map((id) => id.toString()).sort();
+        const wouldBeIds = wouldBeArr.map((id) => id.toString()).sort();
+        const versionIds = lastVersionArr.map((id) => id.toString()).sort();
 
         if (!wouldBeIds.every((id, i) => id === versionIds[i])) {
           isMatch = false;
           break;
         }
       }
-      // Handle arrays of objects like tool_kwargs
-      else if (typeof wouldBeVersion[field][0] === 'object' && wouldBeVersion[field][0] !== null) {
-        const sortedWouldBe = [...wouldBeVersion[field]].map((item) => JSON.stringify(item)).sort();
-        const sortedVersion = [...lastVersion[field]].map((item) => JSON.stringify(item)).sort();
+      // Handle arrays of objects
+      else if (
+        wouldBeArr.length > 0 &&
+        typeof wouldBeArr[0] === 'object' &&
+        wouldBeArr[0] !== null
+      ) {
+        const sortedWouldBe = [...wouldBeArr].map((item) => JSON.stringify(item)).sort();
+        const sortedVersion = [...lastVersionArr].map((item) => JSON.stringify(item)).sort();
 
         if (!sortedWouldBe.every((item, i) => item === sortedVersion[i])) {
           isMatch = false;
           break;
         }
       } else {
-        const sortedWouldBe = [...wouldBeVersion[field]].sort();
-        const sortedVersion = [...lastVersion[field]].sort();
+        const sortedWouldBe = [...wouldBeArr].sort();
+        const sortedVersion = [...lastVersionArr].sort();
 
         if (!sortedWouldBe.every((item, i) => item === sortedVersion[i])) {
           isMatch = false;
           break;
         }
       }
-    } else if (field === 'model_parameters') {
-      const wouldBeParams = wouldBeVersion[field] || {};
-      const lastVersionParams = lastVersion[field] || {};
-      if (JSON.stringify(wouldBeParams) !== JSON.stringify(lastVersionParams)) {
+    }
+    // Handle objects
+    else if (typeof wouldBeValue === 'object' && wouldBeValue !== null) {
+      const lastVersionObj =
+        typeof lastVersionValue === 'object' && lastVersionValue !== null ? lastVersionValue : {};
+
+      // For empty objects, normalize the comparison
+      const wouldBeKeys = Object.keys(wouldBeValue);
+      const lastVersionKeys = Object.keys(lastVersionObj);
+
+      // If both are empty objects, they're equal
+      if (wouldBeKeys.length === 0 && lastVersionKeys.length === 0) {
+        continue;
+      }
+
+      // Otherwise do a deep comparison
+      if (JSON.stringify(wouldBeValue) !== JSON.stringify(lastVersionObj)) {
+        isMatch = false;
+        break;
+      }
+    }
+    // Handle primitive values
+    else {
+      // For primitives, handle the case where one is undefined and the other is a default value
+      if (wouldBeValue !== lastVersionValue) {
+        // Special handling for boolean false vs undefined
+        if (
+          typeof wouldBeValue === 'boolean' &&
+          wouldBeValue === false &&
+          lastVersionValue === undefined
+        ) {
+          continue;
+        }
+        // Special handling for empty string vs undefined
+        if (
+          typeof wouldBeValue === 'string' &&
+          wouldBeValue === '' &&
+          lastVersionValue === undefined
+        ) {
+          continue;
+        }
         isMatch = false;
         break;
       }
-    } else if (wouldBeVersion[field] !== lastVersion[field]) {
-      isMatch = false;
-      break;
     }
   }
 
@@ -278,7 +319,14 @@ const updateAgent = async (searchParameter, updateData, options = {}) => {
 
   const currentAgent = await Agent.findOne(searchParameter);
   if (currentAgent) {
-    const { __v, _id, id, versions, author, ...versionData } = currentAgent.toObject();
+    const {
+      __v,
+      _id,
+      id: __id,
+      versions,
+      author: _author,
+      ...versionData
+    } = currentAgent.toObject();
     const { $push, $pull, $addToSet, ...directUpdates } = updateData;
 
     let actionsHash = null;
@@ -316,17 +364,10 @@ const updateAgent = async (searchParameter, updateData, options = {}) => {
     if (shouldCreateVersion) {
       const duplicateVersion = isDuplicateVersion(updateData, versionData, versions, actionsHash);
       if (duplicateVersion && !forceVersion) {
-        const error = new Error(
-          'Duplicate version: This would create a version identical to an existing one',
-        );
-        error.statusCode = 409;
-        error.details = {
-          duplicateVersion,
-          versionIndex: versions.findIndex(
-            (v) => JSON.stringify(duplicateVersion) === JSON.stringify(v),
-          ),
-        };
-        throw error;
+        // No changes detected, return the current agent without creating a new version
+        const agentObj = currentAgent.toObject();
+        agentObj.version = versions.length;
+        return agentObj;
       }
     }
 
@@ -465,12 +506,117 @@ const deleteAgent = async (searchParameter) => {
   const agent = await Agent.findOneAndDelete(searchParameter);
   if (agent) {
     await removeAgentFromAllProjects(agent.id);
+    await removeAllPermissions({
+      resourceType: ResourceType.AGENT,
+      resourceId: agent._id,
+    });
   }
   return agent;
 };
 
+/**
+ * Get agents by accessible IDs with optional cursor-based pagination.
+ * @param {Object} params - The parameters for getting accessible agents.
+ * @param {Array} [params.accessibleIds] - Array of agent ObjectIds the user has ACL access to.
+ * @param {Object} [params.otherParams] - Additional query parameters (including author filter).
+ * @param {number} [params.limit] - Number of agents to return (max 100). If not provided, returns all agents.
+ * @param {string} [params.after] - Cursor for pagination - get agents after this cursor. // base64 encoded JSON string with updatedAt and _id.
+ * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
+ */
+const getListAgentsByAccess = async ({
+  accessibleIds = [],
+  otherParams = {},
+  limit = null,
+  after = null,
+}) => {
+  const isPaginated = limit !== null && limit !== undefined;
+  const normalizedLimit = isPaginated ? Math.min(Math.max(1, parseInt(limit) || 20), 100) : null;
+
+  // Build base query combining ACL accessible agents with other filters
+  const baseQuery = { ...otherParams, _id: { $in: accessibleIds } };
+
+  // Add cursor condition
+  if (after) {
+    try {
+      const cursor = JSON.parse(Buffer.from(after, 'base64').toString('utf8'));
+      const { updatedAt, _id } = cursor;
+
+      const cursorCondition = {
+        $or: [
+          { updatedAt: { $lt: new Date(updatedAt) } },
+          { updatedAt: new Date(updatedAt), _id: { $gt: new mongoose.Types.ObjectId(_id) } },
+        ],
+      };
+
+      // Merge cursor condition with base query
+      if (Object.keys(baseQuery).length > 0) {
+        baseQuery.$and = [{ ...baseQuery }, cursorCondition];
+        // Remove the original conditions from baseQuery to avoid duplication
+        Object.keys(baseQuery).forEach((key) => {
+          if (key !== '$and') delete baseQuery[key];
+        });
+      } else {
+        Object.assign(baseQuery, cursorCondition);
+      }
+    } catch (error) {
+      logger.warn('Invalid cursor:', error.message);
+    }
+  }
+
+  let query = Agent.find(baseQuery, {
+    id: 1,
+    _id: 1,
+    name: 1,
+    avatar: 1,
+    author: 1,
+    projectIds: 1,
+    description: 1,
+    updatedAt: 1,
+    category: 1,
+    support_contact: 1,
+    is_promoted: 1,
+  }).sort({ updatedAt: -1, _id: 1 });
+
+  // Only apply limit if pagination is requested
+  if (isPaginated) {
+    query = query.limit(normalizedLimit + 1);
+  }
+
+  const agents = await query.lean();
+
+  const hasMore = isPaginated ? agents.length > normalizedLimit : false;
+  const data = (isPaginated ? agents.slice(0, normalizedLimit) : agents).map((agent) => {
+    if (agent.author) {
+      agent.author = agent.author.toString();
+    }
+    return agent;
+  });
+
+  // Generate next cursor only if paginated
+  let nextCursor = null;
+  if (isPaginated && hasMore && data.length > 0) {
+    const lastAgent = agents[normalizedLimit - 1];
+    nextCursor = Buffer.from(
+      JSON.stringify({
+        updatedAt: lastAgent.updatedAt.toISOString(),
+        _id: lastAgent._id.toString(),
+      }),
+    ).toString('base64');
+  }
+
+  return {
+    object: 'list',
+    data,
+    first_id: data.length > 0 ? data[0].id : null,
+    last_id: data.length > 0 ? data[data.length - 1].id : null,
+    has_more: hasMore,
+    after: nextCursor,
+  };
+};
+
 /**
  * Get all agents.
+ * @deprecated Use getListAgentsByAccess for ACL-aware agent listing
  * @param {Object} searchParameter - The search parameters to find matching agents.
  * @param {string} searchParameter.author - The user ID of the agent's author.
  * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
@@ -489,13 +635,15 @@ const getListAgents = async (searchParameter) => {
   const agents = (
     await Agent.find(query, {
       id: 1,
-      _id: 0,
+      _id: 1,
       name: 1,
       avatar: 1,
       author: 1,
       projectIds: 1,
       description: 1,
+      // @deprecated - isCollaborative replaced by ACL permissions
       isCollaborative: 1,
+      category: 1,
     }).lean()
   ).map((agent) => {
     if (agent.author?.toString() !== author) {
@@ -661,6 +809,14 @@ const generateActionMetadataHash = async (actionIds, actions) => {
 
   return hashHex;
 };
+/**
+ * Counts the number of promoted agents.
+ * @returns  {Promise<number>} - The count of promoted agents
+ */
+const countPromotedAgents = async () => {
+  const count = await Agent.countDocuments({ is_promoted: true });
+  return count;
+};
 
 /**
  * Load a default agent based on the endpoint
@@ -678,6 +834,8 @@ module.exports = {
   revertAgentVersion,
   updateAgentProjects,
   addAgentResourceFile,
+  getListAgentsByAccess,
   removeAgentResourceFiles,
   generateActionMetadataHash,
+  countPromotedAgents,
 };

api/models/Agent.spec.js

@@ -14,6 +14,7 @@ const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
 const { agentSchema } = require('@librechat/data-schemas');
 const { MongoMemoryServer } = require('mongodb-memory-server');
+const { AccessRoleIds, ResourceType, PrincipalType } = require('librechat-data-provider');
 const {
   getAgent,
   loadAgent,
@@ -21,13 +22,16 @@ const {
   updateAgent,
   deleteAgent,
   getListAgents,
+  getListAgentsByAccess,
+  revertAgentVersion,
   updateAgentProjects,
   addAgentResourceFile,
   removeAgentResourceFiles,
   generateActionMetadataHash,
-  revertAgentVersion,
 } = require('./Agent');
+const permissionService = require('~/server/services/PermissionService');
 const { getCachedTools } = require('~/server/services/Config');
+const { AclEntry } = require('~/db/models');
 
 /**
  * @type {import('mongoose').Model<import('@librechat/data-schemas').IAgent>}
@@ -407,12 +411,26 @@ describe('models/Agent', () => {
 
   describe('Agent CRUD Operations', () => {
     let mongoServer;
+    let AccessRole;
 
     beforeAll(async () => {
       mongoServer = await MongoMemoryServer.create();
       const mongoUri = mongoServer.getUri();
       Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
       await mongoose.connect(mongoUri);
+
+      // Initialize models
+      const dbModels = require('~/db/models');
+      AccessRole = dbModels.AccessRole;
+
+      // Create necessary access roles for agents
+      await AccessRole.create({
+        accessRoleId: AccessRoleIds.AGENT_OWNER,
+        name: 'Owner',
+        description: 'Full control over agents',
+        resourceType: ResourceType.AGENT,
+        permBits: 15, // VIEW | EDIT | DELETE | SHARE
+      });
     }, 20000);
 
     afterAll(async () => {
@@ -468,6 +486,51 @@ describe('models/Agent', () => {
       expect(agentAfterDelete).toBeNull();
     });
 
+    test('should remove ACL entries when deleting an agent', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Agent With Permissions',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+      });
+
+      // Grant permissions (simulating sharing)
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: authorId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_OWNER,
+        grantedBy: authorId,
+      });
+
+      // Verify ACL entry exists
+      const aclEntriesBefore = await AclEntry.find({
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+      });
+      expect(aclEntriesBefore).toHaveLength(1);
+
+      // Delete the agent
+      await deleteAgent({ id: agentId });
+
+      // Verify agent is deleted
+      const agentAfterDelete = await getAgent({ id: agentId });
+      expect(agentAfterDelete).toBeNull();
+
+      // Verify ACL entries are removed
+      const aclEntriesAfter = await AclEntry.find({
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+      });
+      expect(aclEntriesAfter).toHaveLength(0);
+    });
+
     test('should list agents by author', async () => {
       const authorId = new mongoose.Types.ObjectId();
       const otherAuthorId = new mongoose.Types.ObjectId();
@@ -879,45 +942,31 @@ describe('models/Agent', () => {
       expect(emptyParamsAgent.model_parameters).toEqual({});
     });
 
-    test('should detect duplicate versions and reject updates', async () => {
-      const originalConsoleError = console.error;
-      console.error = jest.fn();
+    test('should not create new version for duplicate updates', async () => {
+      const authorId = new mongoose.Types.ObjectId();
+      const testCases = generateVersionTestCases();
 
-      try {
-        const authorId = new mongoose.Types.ObjectId();
-        const testCases = generateVersionTestCases();
+      for (const testCase of testCases) {
+        const testAgentId = `agent_${uuidv4()}`;
 
-        for (const testCase of testCases) {
-          const testAgentId = `agent_${uuidv4()}`;
+        await createAgent({
+          id: testAgentId,
+          provider: 'test',
+          model: 'test-model',
+          author: authorId,
+          ...testCase.initial,
+        });
 
-          await createAgent({
-            id: testAgentId,
-            provider: 'test',
-            model: 'test-model',
-            author: authorId,
-            ...testCase.initial,
-          });
+        const updatedAgent = await updateAgent({ id: testAgentId }, testCase.update);
+        expect(updatedAgent.versions).toHaveLength(2); // No new version created
 
-          await updateAgent({ id: testAgentId }, testCase.update);
+        // Update with duplicate data should succeed but not create a new version
+        const duplicateUpdate = await updateAgent({ id: testAgentId }, testCase.duplicate);
 
-          let error;
-          try {
-            await updateAgent({ id: testAgentId }, testCase.duplicate);
-          } catch (e) {
-            error = e;
-          }
+        expect(duplicateUpdate.versions).toHaveLength(2); // No new version created
 
-          expect(error).toBeDefined();
-          expect(error.message).toContain('Duplicate version');
-          expect(error.statusCode).toBe(409);
-          expect(error.details).toBeDefined();
-          expect(error.details.duplicateVersion).toBeDefined();
-
-          const agent = await getAgent({ id: testAgentId });
-          expect(agent.versions).toHaveLength(2);
-        }
-      } finally {
-        console.error = originalConsoleError;
+        const agent = await getAgent({ id: testAgentId });
+        expect(agent.versions).toHaveLength(2);
       }
     });
 
@@ -1093,20 +1142,13 @@ describe('models/Agent', () => {
       expect(secondUpdate.versions).toHaveLength(3);
 
       // Update without forceVersion and no changes should not create a version
-      let error;
-      try {
-        await updateAgent(
-          { id: agentId },
-          { tools: ['listEvents_action_test.com', 'createEvent_action_test.com'] },
-          { updatingUserId: authorId.toString(), forceVersion: false },
-        );
-      } catch (e) {
-        error = e;
-      }
+      const duplicateUpdate = await updateAgent(
+        { id: agentId },
+        { tools: ['listEvents_action_test.com', 'createEvent_action_test.com'] },
+        { updatingUserId: authorId.toString(), forceVersion: false },
+      );
 
-      expect(error).toBeDefined();
-      expect(error.message).toContain('Duplicate version');
-      expect(error.statusCode).toBe(409);
+      expect(duplicateUpdate.versions).toHaveLength(3); // No new version created
     });
 
     test('should handle isDuplicateVersion with arrays containing null/undefined values', async () => {
@@ -1258,6 +1300,335 @@ describe('models/Agent', () => {
       expect(secondUpdate.versions).toHaveLength(3);
     });
 
+    test('should detect changes in support_contact fields', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with initial support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Agent with Support Contact',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Initial Support',
+          email: 'initial@support.com',
+        },
+      });
+
+      // Update support_contact name only
+      const firstUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Updated Support',
+            email: 'initial@support.com',
+          },
+        },
+      );
+
+      expect(firstUpdate.versions).toHaveLength(2);
+      expect(firstUpdate.support_contact.name).toBe('Updated Support');
+      expect(firstUpdate.support_contact.email).toBe('initial@support.com');
+
+      // Update support_contact email only
+      const secondUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Updated Support',
+            email: 'updated@support.com',
+          },
+        },
+      );
+
+      expect(secondUpdate.versions).toHaveLength(3);
+      expect(secondUpdate.support_contact.email).toBe('updated@support.com');
+
+      // Try to update with same support_contact - should be detected as duplicate but return successfully
+      const duplicateUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Updated Support',
+            email: 'updated@support.com',
+          },
+        },
+      );
+
+      // Should not create a new version
+      expect(duplicateUpdate.versions).toHaveLength(3);
+      expect(duplicateUpdate.version).toBe(3);
+      expect(duplicateUpdate.support_contact.email).toBe('updated@support.com');
+    });
+
+    test('should handle support_contact from empty to populated', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent without support_contact
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Agent without Support',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+      });
+
+      // Verify support_contact is undefined since it wasn't provided
+      expect(agent.support_contact).toBeUndefined();
+
+      // Update to add support_contact
+      const updated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'New Support Team',
+            email: 'support@example.com',
+          },
+        },
+      );
+
+      expect(updated.versions).toHaveLength(2);
+      expect(updated.support_contact.name).toBe('New Support Team');
+      expect(updated.support_contact.email).toBe('support@example.com');
+    });
+
+    test('should handle support_contact edge cases in isDuplicateVersion', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Edge Case Agent',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Support',
+          email: 'support@test.com',
+        },
+      });
+
+      // Update to empty support_contact
+      const emptyUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {},
+        },
+      );
+
+      expect(emptyUpdate.versions).toHaveLength(2);
+      expect(emptyUpdate.support_contact).toEqual({});
+
+      // Update back to populated support_contact
+      const repopulated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Support',
+            email: 'support@test.com',
+          },
+        },
+      );
+
+      expect(repopulated.versions).toHaveLength(3);
+
+      // Verify all versions have correct support_contact
+      const finalAgent = await getAgent({ id: agentId });
+      expect(finalAgent.versions[0].support_contact).toEqual({
+        name: 'Support',
+        email: 'support@test.com',
+      });
+      expect(finalAgent.versions[1].support_contact).toEqual({});
+      expect(finalAgent.versions[2].support_contact).toEqual({
+        name: 'Support',
+        email: 'support@test.com',
+      });
+    });
+
+    test('should preserve support_contact in version history', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent
+      await createAgent({
+        id: agentId,
+        name: 'Version History Test',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Initial Contact',
+          email: 'initial@test.com',
+        },
+      });
+
+      // Multiple updates with different support_contact values
+      await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Second Contact',
+            email: 'second@test.com',
+          },
+        },
+      );
+
+      await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Third Contact',
+            email: 'third@test.com',
+          },
+        },
+      );
+
+      const finalAgent = await getAgent({ id: agentId });
+
+      // Verify version history
+      expect(finalAgent.versions).toHaveLength(3);
+      expect(finalAgent.versions[0].support_contact).toEqual({
+        name: 'Initial Contact',
+        email: 'initial@test.com',
+      });
+      expect(finalAgent.versions[1].support_contact).toEqual({
+        name: 'Second Contact',
+        email: 'second@test.com',
+      });
+      expect(finalAgent.versions[2].support_contact).toEqual({
+        name: 'Third Contact',
+        email: 'third@test.com',
+      });
+
+      // Current state should match last version
+      expect(finalAgent.support_contact).toEqual({
+        name: 'Third Contact',
+        email: 'third@test.com',
+      });
+    });
+
+    test('should handle partial support_contact updates', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with full support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Partial Update Test',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Original Name',
+          email: 'original@email.com',
+        },
+      });
+
+      // MongoDB's findOneAndUpdate will replace the entire support_contact object
+      // So we need to verify that partial updates still work correctly
+      const updated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'New Name',
+            email: '', // Empty email
+          },
+        },
+      );
+
+      expect(updated.versions).toHaveLength(2);
+      expect(updated.support_contact.name).toBe('New Name');
+      expect(updated.support_contact.email).toBe('');
+
+      // Verify isDuplicateVersion works with partial changes - should return successfully without creating new version
+      const duplicateUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'New Name',
+            email: '',
+          },
+        },
+      );
+
+      // Should not create a new version since content is the same
+      expect(duplicateUpdate.versions).toHaveLength(2);
+      expect(duplicateUpdate.version).toBe(2);
+      expect(duplicateUpdate.support_contact.name).toBe('New Name');
+      expect(duplicateUpdate.support_contact.email).toBe('');
+    });
+
+    // Edge Cases
+    describe.each([
+      {
+        operation: 'add',
+        name: 'empty file_id',
+        needsAgent: true,
+        params: { tool_resource: 'file_search', file_id: '' },
+        shouldResolve: true,
+      },
+      {
+        operation: 'add',
+        name: 'non-existent agent',
+        needsAgent: false,
+        params: { tool_resource: 'file_search', file_id: 'file123' },
+        shouldResolve: false,
+        error: 'Agent not found for adding resource file',
+      },
+    ])('addAgentResourceFile with $name', ({ needsAgent, params, shouldResolve, error }) => {
+      test(`should ${shouldResolve ? 'resolve' : 'reject'}`, async () => {
+        const agent = needsAgent ? await createBasicAgent() : null;
+        const agent_id = needsAgent ? agent.id : `agent_${uuidv4()}`;
+
+        if (shouldResolve) {
+          await expect(addAgentResourceFile({ agent_id, ...params })).resolves.toBeDefined();
+        } else {
+          await expect(addAgentResourceFile({ agent_id, ...params })).rejects.toThrow(error);
+        }
+      });
+    });
+
+    describe.each([
+      {
+        name: 'empty files array',
+        files: [],
+        needsAgent: true,
+        shouldResolve: true,
+      },
+      {
+        name: 'non-existent tool_resource',
+        files: [{ tool_resource: 'non_existent_tool', file_id: 'file123' }],
+        needsAgent: true,
+        shouldResolve: true,
+      },
+      {
+        name: 'non-existent agent',
+        files: [{ tool_resource: 'file_search', file_id: 'file123' }],
+        needsAgent: false,
+        shouldResolve: false,
+        error: 'Agent not found for removing resource files',
+      },
+    ])('removeAgentResourceFiles with $name', ({ files, needsAgent, shouldResolve, error }) => {
+      test(`should ${shouldResolve ? 'resolve' : 'reject'}`, async () => {
+        const agent = needsAgent ? await createBasicAgent() : null;
+        const agent_id = needsAgent ? agent.id : `agent_${uuidv4()}`;
+
+        if (shouldResolve) {
+          const result = await removeAgentResourceFiles({ agent_id, files });
+          expect(result).toBeDefined();
+          if (agent) {
+            expect(result.id).toBe(agent.id);
+          }
+        } else {
+          await expect(removeAgentResourceFiles({ agent_id, files })).rejects.toThrow(error);
+        }
+      });
+    });
+
     describe('Edge Cases', () => {
       test('should handle extremely large version history', async () => {
         const agentId = `agent_${uuidv4()}`;
@@ -1633,7 +2004,7 @@ describe('models/Agent', () => {
       expect(result.version).toBe(1);
     });
 
-    test('should return null when user is not author and agent has no projectIds', async () => {
+    test('should return agent even when user is not author (permissions checked at route level)', async () => {
       const authorId = new mongoose.Types.ObjectId();
       const userId = new mongoose.Types.ObjectId();
       const agentId = `agent_${uuidv4()}`;
@@ -1654,7 +2025,11 @@ describe('models/Agent', () => {
         model_parameters: { model: 'gpt-4' },
       });
 
-      expect(result).toBeFalsy();
+      // With the new permission system, loadAgent returns the agent regardless of permissions
+      // Permission checks are handled at the route level via middleware
+      expect(result).toBeTruthy();
+      expect(result.id).toBe(agentId);
+      expect(result.name).toBe('Test Agent');
     });
 
     test('should handle ephemeral agent with no MCP servers', async () => {
@@ -1762,7 +2137,7 @@ describe('models/Agent', () => {
         }
       });
 
-      test('should handle loadAgent with agent from different project', async () => {
+      test('should return agent from different project (permissions checked at route level)', async () => {
         const authorId = new mongoose.Types.ObjectId();
         const userId = new mongoose.Types.ObjectId();
         const agentId = `agent_${uuidv4()}`;
@@ -1785,7 +2160,11 @@ describe('models/Agent', () => {
           model_parameters: { model: 'gpt-4' },
         });
 
-        expect(result).toBeFalsy();
+        // With the new permission system, loadAgent returns the agent regardless of permissions
+        // Permission checks are handled at the route level via middleware
+        expect(result).toBeTruthy();
+        expect(result.id).toBe(agentId);
+        expect(result.name).toBe('Project Agent');
       });
     });
   });
@@ -2400,11 +2779,18 @@ describe('models/Agent', () => {
         agent_ids: ['agent1', 'agent2'],
       });
 
-      await updateAgent({ id: agentId }, { agent_ids: ['agent1', 'agent2', 'agent3'] });
+      const updatedAgent = await updateAgent(
+        { id: agentId },
+        { agent_ids: ['agent1', 'agent2', 'agent3'] },
+      );
+      expect(updatedAgent.versions).toHaveLength(2);
 
-      await expect(
-        updateAgent({ id: agentId }, { agent_ids: ['agent1', 'agent2', 'agent3'] }),
-      ).rejects.toThrow('Duplicate version');
+      // Update with same agent_ids should succeed but not create a new version
+      const duplicateUpdate = await updateAgent(
+        { id: agentId },
+        { agent_ids: ['agent1', 'agent2', 'agent3'] },
+      );
+      expect(duplicateUpdate.versions).toHaveLength(2); // No new version created
     });
 
     test('should handle agent_ids field alongside other fields', async () => {
@@ -2543,9 +2929,10 @@ describe('models/Agent', () => {
       expect(updated.versions).toHaveLength(2);
       expect(updated.agent_ids).toEqual([]);
 
-      await expect(updateAgent({ id: agentId }, { agent_ids: [] })).rejects.toThrow(
-        'Duplicate version',
-      );
+      // Update with same empty agent_ids should succeed but not create a new version
+      const duplicateUpdate = await updateAgent({ id: agentId }, { agent_ids: [] });
+      expect(duplicateUpdate.versions).toHaveLength(2); // No new version created
+      expect(duplicateUpdate.agent_ids).toEqual([]);
     });
 
     test('should handle agent without agent_ids field', async () => {
@@ -2570,6 +2957,299 @@ describe('models/Agent', () => {
   });
 });
 
+describe('Support Contact Field', () => {
+  let mongoServer;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
+    await mongoose.connect(mongoUri);
+  }, 20000);
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await Agent.deleteMany({});
+  });
+
+  it('should not create subdocument with ObjectId for support_contact', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+      support_contact: {
+        name: 'Support Team',
+        email: 'support@example.com',
+      },
+    };
+
+    // Create agent
+    const agent = await createAgent(agentData);
+
+    // Verify support_contact is stored correctly
+    expect(agent.support_contact).toBeDefined();
+    expect(agent.support_contact.name).toBe('Support Team');
+    expect(agent.support_contact.email).toBe('support@example.com');
+
+    // Verify no _id field is created in support_contact
+    expect(agent.support_contact._id).toBeUndefined();
+
+    // Fetch from database to double-check
+    const dbAgent = await Agent.findOne({ id: agentData.id });
+    expect(dbAgent.support_contact).toBeDefined();
+    expect(dbAgent.support_contact.name).toBe('Support Team');
+    expect(dbAgent.support_contact.email).toBe('support@example.com');
+    expect(dbAgent.support_contact._id).toBeUndefined();
+  });
+
+  it('should handle empty support_contact correctly', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_empty_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+      support_contact: {},
+    };
+
+    const agent = await createAgent(agentData);
+
+    // Verify empty support_contact is stored as empty object
+    expect(agent.support_contact).toEqual({});
+    expect(agent.support_contact._id).toBeUndefined();
+  });
+
+  it('should handle missing support_contact correctly', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_no_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+    };
+
+    const agent = await createAgent(agentData);
+
+    // Verify support_contact is undefined when not provided
+    expect(agent.support_contact).toBeUndefined();
+  });
+
+  describe('getListAgentsByAccess - Security Tests', () => {
+    let userA, userB;
+    let agentA1, agentA2, agentA3;
+
+    beforeEach(async () => {
+      Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
+      await Agent.deleteMany({});
+      await AclEntry.deleteMany({});
+
+      // Create two users
+      userA = new mongoose.Types.ObjectId();
+      userB = new mongoose.Types.ObjectId();
+
+      // Create agents for user A
+      agentA1 = await createAgent({
+        id: `agent_${uuidv4().slice(0, 12)}`,
+        name: 'Agent A1',
+        description: 'User A agent 1',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+      });
+
+      agentA2 = await createAgent({
+        id: `agent_${uuidv4().slice(0, 12)}`,
+        name: 'Agent A2',
+        description: 'User A agent 2',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+      });
+
+      agentA3 = await createAgent({
+        id: `agent_${uuidv4().slice(0, 12)}`,
+        name: 'Agent A3',
+        description: 'User A agent 3',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+      });
+    });
+
+    test('should return empty list when user has no accessible agents (empty accessibleIds)', async () => {
+      // User B has no agents and no shared agents
+      const result = await getListAgentsByAccess({
+        accessibleIds: [],
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(0);
+      expect(result.has_more).toBe(false);
+      expect(result.first_id).toBeNull();
+      expect(result.last_id).toBeNull();
+    });
+
+    test('should not return other users agents when accessibleIds is empty', async () => {
+      // User B trying to list agents with empty accessibleIds should not see User A's agents
+      const result = await getListAgentsByAccess({
+        accessibleIds: [],
+        otherParams: { author: userB },
+      });
+
+      expect(result.data).toHaveLength(0);
+      expect(result.has_more).toBe(false);
+    });
+
+    test('should only return agents in accessibleIds list', async () => {
+      // Give User B access to only one of User A's agents
+      const accessibleIds = [agentA1._id];
+
+      const result = await getListAgentsByAccess({
+        accessibleIds,
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(1);
+      expect(result.data[0].id).toBe(agentA1.id);
+      expect(result.data[0].name).toBe('Agent A1');
+    });
+
+    test('should return multiple accessible agents when provided', async () => {
+      // Give User B access to two of User A's agents
+      const accessibleIds = [agentA1._id, agentA3._id];
+
+      const result = await getListAgentsByAccess({
+        accessibleIds,
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(2);
+      const returnedIds = result.data.map((agent) => agent.id);
+      expect(returnedIds).toContain(agentA1.id);
+      expect(returnedIds).toContain(agentA3.id);
+      expect(returnedIds).not.toContain(agentA2.id);
+    });
+
+    test('should respect other query parameters while enforcing accessibleIds', async () => {
+      // Give access to all agents but filter by name
+      const accessibleIds = [agentA1._id, agentA2._id, agentA3._id];
+
+      const result = await getListAgentsByAccess({
+        accessibleIds,
+        otherParams: { name: 'Agent A2' },
+      });
+
+      expect(result.data).toHaveLength(1);
+      expect(result.data[0].id).toBe(agentA2.id);
+    });
+
+    test('should handle pagination correctly with accessibleIds filter', async () => {
+      // Create more agents
+      const moreAgents = [];
+      for (let i = 4; i <= 10; i++) {
+        const agent = await createAgent({
+          id: `agent_${uuidv4().slice(0, 12)}`,
+          name: `Agent A${i}`,
+          description: `User A agent ${i}`,
+          provider: 'openai',
+          model: 'gpt-4',
+          author: userA,
+        });
+        moreAgents.push(agent);
+      }
+
+      // Give access to all agents
+      const allAgentIds = [agentA1, agentA2, agentA3, ...moreAgents].map((a) => a._id);
+
+      // First page
+      const page1 = await getListAgentsByAccess({
+        accessibleIds: allAgentIds,
+        otherParams: {},
+        limit: 5,
+      });
+
+      expect(page1.data).toHaveLength(5);
+      expect(page1.has_more).toBe(true);
+      expect(page1.after).toBeTruthy();
+
+      // Second page
+      const page2 = await getListAgentsByAccess({
+        accessibleIds: allAgentIds,
+        otherParams: {},
+        limit: 5,
+        after: page1.after,
+      });
+
+      expect(page2.data).toHaveLength(5);
+      expect(page2.has_more).toBe(false);
+
+      // Verify no overlap between pages
+      const page1Ids = page1.data.map((a) => a.id);
+      const page2Ids = page2.data.map((a) => a.id);
+      const intersection = page1Ids.filter((id) => page2Ids.includes(id));
+      expect(intersection).toHaveLength(0);
+    });
+
+    test('should return empty list when accessibleIds contains non-existent IDs', async () => {
+      // Try with non-existent agent IDs
+      const fakeIds = [new mongoose.Types.ObjectId(), new mongoose.Types.ObjectId()];
+
+      const result = await getListAgentsByAccess({
+        accessibleIds: fakeIds,
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(0);
+      expect(result.has_more).toBe(false);
+    });
+
+    test('should handle undefined accessibleIds as empty array', async () => {
+      // When accessibleIds is undefined, it should be treated as empty array
+      const result = await getListAgentsByAccess({
+        accessibleIds: undefined,
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(0);
+      expect(result.has_more).toBe(false);
+    });
+
+    test('should combine accessibleIds with author filter correctly', async () => {
+      // Create an agent for User B
+      const agentB1 = await createAgent({
+        id: `agent_${uuidv4().slice(0, 12)}`,
+        name: 'Agent B1',
+        description: 'User B agent 1',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userB,
+      });
+
+      // Give User B access to one of User A's agents
+      const accessibleIds = [agentA1._id, agentB1._id];
+
+      // Filter by author should further restrict the results
+      const result = await getListAgentsByAccess({
+        accessibleIds,
+        otherParams: { author: userB },
+      });
+
+      expect(result.data).toHaveLength(1);
+      expect(result.data[0].id).toBe(agentB1.id);
+      expect(result.data[0].author).toBe(userB.toString());
+    });
+  });
+});
+
 function createBasicAgent(overrides = {}) {
   const defaults = {
     id: `agent_${uuidv4()}`,

api/models/Conversation.js

@@ -1,6 +1,6 @@
 const { logger } = require('@librechat/data-schemas');
 const { createTempChatExpirationDate } = require('@librechat/api');
-const { getCustomConfig } = require('~/server/services/Config/getCustomConfig');
+const { getAppConfig } = require('~/server/services/Config/app');
 const { getMessages, deleteMessages } = require('./Message');
 const { Conversation } = require('~/db/models');
 
@@ -102,8 +102,10 @@ module.exports = {
 
       if (req?.body?.isTemporary) {
         try {
-          const customConfig = await getCustomConfig();
-          update.expiredAt = createTempChatExpirationDate(customConfig);
+          const appConfig = await getAppConfig({
+            role: req.user.role,
+          });
+          update.expiredAt = createTempChatExpirationDate(appConfig?.interfaceConfig);
         } catch (err) {
           logger.error('Error creating temporary chat expiration date:', err);
           logger.info(`---\`saveConvo\` context: ${metadata?.context}`);

api/models/Conversation.spec.js

@@ -13,9 +13,9 @@ const {
   saveConvo,
   getConvo,
 } = require('./Conversation');
-jest.mock('~/server/services/Config/getCustomConfig');
+jest.mock('~/server/services/Config/app');
 jest.mock('./Message');
-const { getCustomConfig } = require('~/server/services/Config/getCustomConfig');
+const { getAppConfig } = require('~/server/services/Config/app');
 const { getMessages, deleteMessages } = require('./Message');
 
 const { Conversation } = require('~/db/models');
@@ -118,9 +118,9 @@ describe('Conversation Operations', () => {
 
   describe('isTemporary conversation handling', () => {
     it('should save a conversation with expiredAt when isTemporary is true', async () => {
-      // Mock custom config with 24 hour retention
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      // Mock app config with 24 hour retention
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 24,
         },
       });
@@ -167,9 +167,9 @@ describe('Conversation Operations', () => {
     });
 
     it('should use custom retention period from config', async () => {
-      // Mock custom config with 48 hour retention
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      // Mock app config with 48 hour retention
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 48,
         },
       });
@@ -194,9 +194,9 @@ describe('Conversation Operations', () => {
     });
 
     it('should handle minimum retention period (1 hour)', async () => {
-      // Mock custom config with less than minimum retention
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      // Mock app config with less than minimum retention
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 0.5, // Half hour - should be clamped to 1 hour
         },
       });
@@ -221,9 +221,9 @@ describe('Conversation Operations', () => {
     });
 
     it('should handle maximum retention period (8760 hours)', async () => {
-      // Mock custom config with more than maximum retention
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      // Mock app config with more than maximum retention
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 10000, // Should be clamped to 8760 hours
         },
       });
@@ -247,9 +247,9 @@ describe('Conversation Operations', () => {
       );
     });
 
-    it('should handle getCustomConfig errors gracefully', async () => {
-      // Mock getCustomConfig to throw an error
-      getCustomConfig.mockRejectedValue(new Error('Config service unavailable'));
+    it('should handle getAppConfig errors gracefully', async () => {
+      // Mock getAppConfig to throw an error
+      getAppConfig.mockRejectedValue(new Error('Config service unavailable'));
 
       mockReq.body = { isTemporary: true };
 
@@ -261,8 +261,8 @@ describe('Conversation Operations', () => {
     });
 
     it('should use default retention when config is not provided', async () => {
-      // Mock getCustomConfig to return empty config
-      getCustomConfig.mockResolvedValue({});
+      // Mock getAppConfig to return empty config
+      getAppConfig.mockResolvedValue({});
 
       mockReq.body = { isTemporary: true };
 
@@ -285,8 +285,8 @@ describe('Conversation Operations', () => {
 
     it('should update expiredAt when saving existing temporary conversation', async () => {
       // First save a temporary conversation
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 24,
         },
       });

api/models/File.js

@@ -1,7 +1,5 @@
 const { logger } = require('@librechat/data-schemas');
-const { EToolResources, FileContext, Constants } = require('librechat-data-provider');
-const { getProjectByName } = require('./Project');
-const { getAgent } = require('./Agent');
+const { EToolResources, FileContext } = require('librechat-data-provider');
 const { File } = require('~/db/models');
 
 /**
@@ -14,124 +12,17 @@ const findFileById = async (file_id, options = {}) => {
   return await File.findOne({ file_id, ...options }).lean();
 };
 
-/**
- * Checks if a user has access to multiple files through a shared agent (batch operation)
- * @param {string} userId - The user ID to check access for
- * @param {string[]} fileIds - Array of file IDs to check
- * @param {string} agentId - The agent ID that might grant access
- * @returns {Promise<Map<string, boolean>>} Map of fileId to access status
- */
-const hasAccessToFilesViaAgent = async (userId, fileIds, agentId, checkCollaborative = true) => {
-  const accessMap = new Map();
-
-  // Initialize all files as no access
-  fileIds.forEach((fileId) => accessMap.set(fileId, false));
-
-  try {
-    const agent = await getAgent({ id: agentId });
-
-    if (!agent) {
-      return accessMap;
-    }
-
-    // Check if user is the author - if so, grant access to all files
-    if (agent.author.toString() === userId) {
-      fileIds.forEach((fileId) => accessMap.set(fileId, true));
-      return accessMap;
-    }
-
-    // Check if agent is shared with the user via projects
-    if (!agent.projectIds || agent.projectIds.length === 0) {
-      return accessMap;
-    }
-
-    // Check if agent is in global project
-    const globalProject = await getProjectByName(Constants.GLOBAL_PROJECT_NAME, '_id');
-    if (
-      !globalProject ||
-      !agent.projectIds.some((pid) => pid.toString() === globalProject._id.toString())
-    ) {
-      return accessMap;
-    }
-
-    // Agent is globally shared - check if it's collaborative
-    if (checkCollaborative && !agent.isCollaborative) {
-      return accessMap;
-    }
-
-    // Check which files are actually attached
-    const attachedFileIds = new Set();
-    if (agent.tool_resources) {
-      for (const [_resourceType, resource] of Object.entries(agent.tool_resources)) {
-        if (resource?.file_ids && Array.isArray(resource.file_ids)) {
-          resource.file_ids.forEach((fileId) => attachedFileIds.add(fileId));
-        }
-      }
-    }
-
-    // Grant access only to files that are attached to this agent
-    fileIds.forEach((fileId) => {
-      if (attachedFileIds.has(fileId)) {
-        accessMap.set(fileId, true);
-      }
-    });
-
-    return accessMap;
-  } catch (error) {
-    logger.error('[hasAccessToFilesViaAgent] Error checking file access:', error);
-    return accessMap;
-  }
-};
-
 /**
  * Retrieves files matching a given filter, sorted by the most recently updated.
  * @param {Object} filter - The filter criteria to apply.
  * @param {Object} [_sortOptions] - Optional sort parameters.
  * @param {Object|String} [selectFields={ text: 0 }] - Fields to include/exclude in the query results.
  *                                                   Default excludes the 'text' field.
- * @param {Object} [options] - Additional options
- * @param {string} [options.userId] - User ID for access control
- * @param {string} [options.agentId] - Agent ID that might grant access to files
  * @returns {Promise<Array<MongoFile>>} A promise that resolves to an array of file documents.
  */
-const getFiles = async (filter, _sortOptions, selectFields = { text: 0 }, options = {}) => {
+const getFiles = async (filter, _sortOptions, selectFields = { text: 0 }) => {
   const sortOptions = { updatedAt: -1, ..._sortOptions };
-  const files = await File.find(filter).select(selectFields).sort(sortOptions).lean();
-
-  // If userId and agentId are provided, filter files based on access
-  if (options.userId && options.agentId) {
-    // Collect file IDs that need access check
-    const filesToCheck = [];
-    const ownedFiles = [];
-
-    for (const file of files) {
-      if (file.user && file.user.toString() === options.userId) {
-        ownedFiles.push(file);
-      } else {
-        filesToCheck.push(file);
-      }
-    }
-
-    if (filesToCheck.length === 0) {
-      return ownedFiles;
-    }
-
-    // Batch check access for all non-owned files
-    const fileIds = filesToCheck.map((f) => f.file_id);
-    const accessMap = await hasAccessToFilesViaAgent(
-      options.userId,
-      fileIds,
-      options.agentId,
-      false,
-    );
-
-    // Filter files based on access
-    const accessibleFiles = filesToCheck.filter((file) => accessMap.get(file.file_id));
-
-    return [...ownedFiles, ...accessibleFiles];
-  }
-
-  return files;
+  return await File.find(filter).select(selectFields).sort(sortOptions).lean();
 };
 
 /**
@@ -285,5 +176,4 @@ module.exports = {
   deleteFiles,
   deleteFileByFilter,
   batchUpdateFiles,
-  hasAccessToFilesViaAgent,
 };

api/models/File.spec.js

@@ -1,17 +1,23 @@
 const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
-const { fileSchema } = require('@librechat/data-schemas');
-const { agentSchema } = require('@librechat/data-schemas');
-const { projectSchema } = require('@librechat/data-schemas');
+const { createModels } = require('@librechat/data-schemas');
 const { MongoMemoryServer } = require('mongodb-memory-server');
-const { GLOBAL_PROJECT_NAME } = require('librechat-data-provider').Constants;
+const {
+  SystemRoles,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+} = require('librechat-data-provider');
+const { grantPermission } = require('~/server/services/PermissionService');
 const { getFiles, createFile } = require('./File');
-const { getProjectByName } = require('./Project');
+const { seedDefaultRoles } = require('~/models');
 const { createAgent } = require('./Agent');
 
 let File;
 let Agent;
-let Project;
+let AclEntry;
+let User;
+let modelsToCleanup = [];
 
 describe('File Access Control', () => {
   let mongoServer;
@@ -19,13 +25,41 @@ describe('File Access Control', () => {
   beforeAll(async () => {
     mongoServer = await MongoMemoryServer.create();
     const mongoUri = mongoServer.getUri();
-    File = mongoose.models.File || mongoose.model('File', fileSchema);
-    Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
-    Project = mongoose.models.Project || mongoose.model('Project', projectSchema);
     await mongoose.connect(mongoUri);
+
+    // Initialize all models
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    const dbModels = require('~/db/models');
+    Object.assign(mongoose.models, dbModels);
+
+    File = dbModels.File;
+    Agent = dbModels.Agent;
+    AclEntry = dbModels.AclEntry;
+    User = dbModels.User;
+
+    // Seed default roles
+    await seedDefaultRoles();
   });
 
   afterAll(async () => {
+    // Clean up all collections before disconnecting
+    const collections = mongoose.connection.collections;
+    for (const key in collections) {
+      await collections[key].deleteMany({});
+    }
+
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
     await mongoose.disconnect();
     await mongoServer.stop();
   });
@@ -33,16 +67,33 @@ describe('File Access Control', () => {
   beforeEach(async () => {
     await File.deleteMany({});
     await Agent.deleteMany({});
-    await Project.deleteMany({});
+    await AclEntry.deleteMany({});
+    await User.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
   });
 
   describe('hasAccessToFilesViaAgent', () => {
     it('should efficiently check access for multiple files at once', async () => {
-      const userId = new mongoose.Types.ObjectId().toString();
-      const authorId = new mongoose.Types.ObjectId().toString();
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
       const agentId = uuidv4();
       const fileIds = [uuidv4(), uuidv4(), uuidv4(), uuidv4()];
 
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
       // Create files
       for (const fileId of fileIds) {
         await createFile({
@@ -54,13 +105,12 @@ describe('File Access Control', () => {
       }
 
       // Create agent with only first two files attached
-      await createAgent({
+      const agent = await createAgent({
         id: agentId,
         name: 'Test Agent',
         author: authorId,
         model: 'gpt-4',
         provider: 'openai',
-        isCollaborative: true,
         tool_resources: {
           file_search: {
             file_ids: [fileIds[0], fileIds[1]],
@@ -68,15 +118,24 @@ describe('File Access Control', () => {
         },
       });
 
-      // Get or create global project
-      const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME, '_id');
-
-      // Share agent globally
-      await Agent.updateOne({ id: agentId }, { $push: { projectIds: globalProject._id } });
+      // Grant EDIT permission to user on the agent
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
 
       // Check access for all files
-      const { hasAccessToFilesViaAgent } = require('./File');
-      const accessMap = await hasAccessToFilesViaAgent(userId, fileIds, agentId);
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: SystemRoles.USER,
+        fileIds,
+        agentId: agent.id, // Use agent.id which is the custom UUID
+      });
 
       // Should have access only to the first two files
       expect(accessMap.get(fileIds[0])).toBe(true);
@@ -86,10 +145,18 @@ describe('File Access Control', () => {
     });
 
     it('should grant access to all files when user is the agent author', async () => {
-      const authorId = new mongoose.Types.ObjectId().toString();
+      const authorId = new mongoose.Types.ObjectId();
       const agentId = uuidv4();
       const fileIds = [uuidv4(), uuidv4(), uuidv4()];
 
+      // Create author user
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
       // Create agent
       await createAgent({
         id: agentId,
@@ -105,8 +172,13 @@ describe('File Access Control', () => {
       });
 
       // Check access as the author
-      const { hasAccessToFilesViaAgent } = require('./File');
-      const accessMap = await hasAccessToFilesViaAgent(authorId, fileIds, agentId);
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: authorId,
+        role: SystemRoles.USER,
+        fileIds,
+        agentId,
+      });
 
       // Author should have access to all files
       expect(accessMap.get(fileIds[0])).toBe(true);
@@ -115,31 +187,58 @@ describe('File Access Control', () => {
     });
 
     it('should handle non-existent agent gracefully', async () => {
-      const userId = new mongoose.Types.ObjectId().toString();
+      const userId = new mongoose.Types.ObjectId();
       const fileIds = [uuidv4(), uuidv4()];
 
-      const { hasAccessToFilesViaAgent } = require('./File');
-      const accessMap = await hasAccessToFilesViaAgent(userId, fileIds, 'non-existent-agent');
+      // Create user
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: SystemRoles.USER,
+        fileIds,
+        agentId: 'non-existent-agent',
+      });
 
       // Should have no access to any files
       expect(accessMap.get(fileIds[0])).toBe(false);
       expect(accessMap.get(fileIds[1])).toBe(false);
     });
 
-    it('should deny access when agent is not collaborative', async () => {
-      const userId = new mongoose.Types.ObjectId().toString();
-      const authorId = new mongoose.Types.ObjectId().toString();
+    it('should deny access when user only has VIEW permission', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
       const agentId = uuidv4();
       const fileIds = [uuidv4(), uuidv4()];
 
-      // Create agent with files but isCollaborative: false
-      await createAgent({
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create agent with files
+      const agent = await createAgent({
         id: agentId,
-        name: 'Non-Collaborative Agent',
+        name: 'View-Only Agent',
         author: authorId,
         model: 'gpt-4',
         provider: 'openai',
-        isCollaborative: false,
         tool_resources: {
           file_search: {
             file_ids: fileIds,
@@ -147,17 +246,26 @@ describe('File Access Control', () => {
         },
       });
 
-      // Get or create global project
-      const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME, '_id');
-
-      // Share agent globally
-      await Agent.updateOne({ id: agentId }, { $push: { projectIds: globalProject._id } });
+      // Grant only VIEW permission to user on the agent
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_VIEWER,
+        grantedBy: authorId,
+      });
 
       // Check access for files
-      const { hasAccessToFilesViaAgent } = require('./File');
-      const accessMap = await hasAccessToFilesViaAgent(userId, fileIds, agentId);
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: SystemRoles.USER,
+        fileIds,
+        agentId,
+      });
 
-      // Should have no access to any files when isCollaborative is false
+      // Should have no access to any files when only VIEW permission
       expect(accessMap.get(fileIds[0])).toBe(false);
       expect(accessMap.get(fileIds[1])).toBe(false);
     });
@@ -172,18 +280,28 @@ describe('File Access Control', () => {
       const sharedFileId = `file_${uuidv4()}`;
       const inaccessibleFileId = `file_${uuidv4()}`;
 
-      // Create/get global project using getProjectByName which will upsert
-      const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME);
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
 
       // Create agent with shared file
-      await createAgent({
+      const agent = await createAgent({
         id: agentId,
         name: 'Shared Agent',
         provider: 'test',
         model: 'test-model',
         author: authorId,
-        projectIds: [globalProject._id],
-        isCollaborative: true,
         tool_resources: {
           file_search: {
             file_ids: [sharedFileId],
@@ -191,6 +309,16 @@ describe('File Access Control', () => {
         },
       });
 
+      // Grant EDIT permission to user on the agent
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
       // Create files
       await createFile({
         file_id: ownedFileId,
@@ -220,14 +348,22 @@ describe('File Access Control', () => {
         bytes: 300,
       });
 
-      // Get files with access control
-      const files = await getFiles(
+      // Get all files first
+      const allFiles = await getFiles(
         { file_id: { $in: [ownedFileId, sharedFileId, inaccessibleFileId] } },
         null,
         { text: 0 },
-        { userId: userId.toString(), agentId },
       );
 
+      // Then filter by access control
+      const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
+      const files = await filterFilesByAgentAccess({
+        files: allFiles,
+        userId: userId,
+        role: SystemRoles.USER,
+        agentId,
+      });
+
       expect(files).toHaveLength(2);
       expect(files.map((f) => f.file_id)).toContain(ownedFileId);
       expect(files.map((f) => f.file_id)).toContain(sharedFileId);
@@ -261,4 +397,166 @@ describe('File Access Control', () => {
       expect(files).toHaveLength(2);
     });
   });
+
+  describe('Role-based file permissions', () => {
+    it('should optimize permission checks when role is provided', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileIds = [uuidv4(), uuidv4()];
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+        role: 'ADMIN', // User has ADMIN role
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create files
+      for (const fileId of fileIds) {
+        await createFile({
+          file_id: fileId,
+          user: authorId,
+          filename: `${fileId}.txt`,
+          filepath: `/uploads/${fileId}.txt`,
+          type: 'text/plain',
+          bytes: 100,
+        });
+      }
+
+      // Create agent with files
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: fileIds,
+          },
+        },
+      });
+
+      // Grant permission to ADMIN role
+      await grantPermission({
+        principalType: PrincipalType.ROLE,
+        principalId: 'ADMIN',
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
+      // Check access with role provided (should avoid DB query)
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMapWithRole = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: 'ADMIN',
+        fileIds,
+        agentId: agent.id,
+      });
+
+      // User should have access through their ADMIN role
+      expect(accessMapWithRole.get(fileIds[0])).toBe(true);
+      expect(accessMapWithRole.get(fileIds[1])).toBe(true);
+
+      // Check access without role (will query DB to get user's role)
+      const accessMapWithoutRole = await hasAccessToFilesViaAgent({
+        userId: userId,
+        fileIds,
+        agentId: agent.id,
+      });
+
+      // Should have same result
+      expect(accessMapWithoutRole.get(fileIds[0])).toBe(true);
+      expect(accessMapWithoutRole.get(fileIds[1])).toBe(true);
+    });
+
+    it('should deny access when user role changes', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileId = uuidv4();
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+        role: 'EDITOR',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create file
+      await createFile({
+        file_id: fileId,
+        user: authorId,
+        filename: 'test.txt',
+        filepath: '/uploads/test.txt',
+        type: 'text/plain',
+        bytes: 100,
+      });
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant permission to EDITOR role only
+      await grantPermission({
+        principalType: PrincipalType.ROLE,
+        principalId: 'EDITOR',
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+
+      // Check with EDITOR role - should have access
+      const accessAsEditor = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: 'EDITOR',
+        fileIds: [fileId],
+        agentId: agent.id,
+      });
+      expect(accessAsEditor.get(fileId)).toBe(true);
+
+      // Simulate role change to USER - should lose access
+      const accessAsUser = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: SystemRoles.USER,
+        fileIds: [fileId],
+        agentId: agent.id,
+      });
+      expect(accessAsUser.get(fileId)).toBe(false);
+    });
+  });
 });

api/models/Message.js

@@ -1,7 +1,7 @@
 const { z } = require('zod');
 const { logger } = require('@librechat/data-schemas');
 const { createTempChatExpirationDate } = require('@librechat/api');
-const { getCustomConfig } = require('~/server/services/Config/getCustomConfig');
+const { getAppConfig } = require('~/server/services/Config/app');
 const { Message } = require('~/db/models');
 
 const idSchema = z.string().uuid();
@@ -57,8 +57,10 @@ async function saveMessage(req, params, metadata) {
 
     if (req?.body?.isTemporary) {
       try {
-        const customConfig = await getCustomConfig();
-        update.expiredAt = createTempChatExpirationDate(customConfig);
+        const appConfig = await getAppConfig({
+          role: req.user.role,
+        });
+        update.expiredAt = createTempChatExpirationDate(appConfig?.interfaceConfig);
       } catch (err) {
         logger.error('Error creating temporary chat expiration date:', err);
         logger.info(`---\`saveMessage\` context: ${metadata?.context}`);

api/models/Message.spec.js

@@ -13,8 +13,8 @@ const {
   deleteMessagesSince,
 } = require('./Message');
 
-jest.mock('~/server/services/Config/getCustomConfig');
-const { getCustomConfig } = require('~/server/services/Config/getCustomConfig');
+jest.mock('~/server/services/Config/app');
+const { getAppConfig } = require('~/server/services/Config/app');
 
 /**
  * @type {import('mongoose').Model<import('@librechat/data-schemas').IMessage>}
@@ -326,9 +326,9 @@ describe('Message Operations', () => {
     });
 
     it('should save a message with expiredAt when isTemporary is true', async () => {
-      // Mock custom config with 24 hour retention
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      // Mock app config with 24 hour retention
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 24,
         },
       });
@@ -375,9 +375,9 @@ describe('Message Operations', () => {
     });
 
     it('should use custom retention period from config', async () => {
-      // Mock custom config with 48 hour retention
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      // Mock app config with 48 hour retention
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 48,
         },
       });
@@ -402,9 +402,9 @@ describe('Message Operations', () => {
     });
 
     it('should handle minimum retention period (1 hour)', async () => {
-      // Mock custom config with less than minimum retention
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      // Mock app config with less than minimum retention
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 0.5, // Half hour - should be clamped to 1 hour
         },
       });
@@ -429,9 +429,9 @@ describe('Message Operations', () => {
     });
 
     it('should handle maximum retention period (8760 hours)', async () => {
-      // Mock custom config with more than maximum retention
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      // Mock app config with more than maximum retention
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 10000, // Should be clamped to 8760 hours
         },
       });
@@ -455,9 +455,9 @@ describe('Message Operations', () => {
       );
     });
 
-    it('should handle getCustomConfig errors gracefully', async () => {
-      // Mock getCustomConfig to throw an error
-      getCustomConfig.mockRejectedValue(new Error('Config service unavailable'));
+    it('should handle getAppConfig errors gracefully', async () => {
+      // Mock getAppConfig to throw an error
+      getAppConfig.mockRejectedValue(new Error('Config service unavailable'));
 
       mockReq.body = { isTemporary: true };
 
@@ -469,8 +469,8 @@ describe('Message Operations', () => {
     });
 
     it('should use default retention when config is not provided', async () => {
-      // Mock getCustomConfig to return empty config
-      getCustomConfig.mockResolvedValue({});
+      // Mock getAppConfig to return empty config
+      getAppConfig.mockResolvedValue({});
 
       mockReq.body = { isTemporary: true };
 
@@ -493,8 +493,8 @@ describe('Message Operations', () => {
 
     it('should not update expiredAt on message update', async () => {
       // First save a temporary message
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 24,
         },
       });
@@ -520,8 +520,8 @@ describe('Message Operations', () => {
 
     it('should preserve expiredAt when saving existing temporary message', async () => {
       // First save a temporary message
-      getCustomConfig.mockResolvedValue({
-        interface: {
+      getAppConfig.mockResolvedValue({
+        interfaceConfig: {
           temporaryChatRetention: 24,
         },
       });

api/models/Prompt.js

@@ -1,12 +1,18 @@
 const { ObjectId } = require('mongodb');
 const { logger } = require('@librechat/data-schemas');
-const { SystemRoles, SystemCategories, Constants } = require('librechat-data-provider');
 const {
-  getProjectByName,
-  addGroupIdsToProject,
-  removeGroupIdsFromProject,
+  Constants,
+  SystemRoles,
+  ResourceType,
+  SystemCategories,
+} = require('librechat-data-provider');
+const {
   removeGroupFromAllProjects,
+  removeGroupIdsFromProject,
+  addGroupIdsToProject,
+  getProjectByName,
 } = require('./Project');
+const { removeAllPermissions } = require('~/server/services/PermissionService');
 const { PromptGroup, Prompt } = require('~/db/models');
 const { escapeRegExp } = require('~/server/utils');
 
@@ -100,10 +106,6 @@ const getAllPromptGroups = async (req, filter) => {
   try {
     const { name, ...query } = filter;
 
-    if (!query.author) {
-      throw new Error('Author is required');
-    }
-
     let searchShared = true;
     let searchSharedOnly = false;
     if (name) {
@@ -153,10 +155,6 @@ const getPromptGroups = async (req, filter) => {
     const validatedPageNumber = Math.max(parseInt(pageNumber, 10), 1);
     const validatedPageSize = Math.max(parseInt(pageSize, 10), 1);
 
-    if (!query.author) {
-      throw new Error('Author is required');
-    }
-
     let searchShared = true;
     let searchSharedOnly = false;
     if (name) {
@@ -221,12 +219,16 @@ const getPromptGroups = async (req, filter) => {
  * @returns {Promise<TDeletePromptGroupResponse>}
  */
 const deletePromptGroup = async ({ _id, author, role }) => {
-  const query = { _id, author };
-  const groupQuery = { groupId: new ObjectId(_id), author };
-  if (role === SystemRoles.ADMIN) {
-    delete query.author;
-    delete groupQuery.author;
+  // Build query - with ACL, author is optional
+  const query = { _id };
+  const groupQuery = { groupId: new ObjectId(_id) };
+
+  // Legacy: Add author filter if provided (backward compatibility)
+  if (author && role !== SystemRoles.ADMIN) {
+    query.author = author;
+    groupQuery.author = author;
   }
+
   const response = await PromptGroup.deleteOne(query);
 
   if (!response || response.deletedCount === 0) {
@@ -235,13 +237,140 @@ const deletePromptGroup = async ({ _id, author, role }) => {
 
   await Prompt.deleteMany(groupQuery);
   await removeGroupFromAllProjects(_id);
+
+  try {
+    await removeAllPermissions({ resourceType: ResourceType.PROMPTGROUP, resourceId: _id });
+  } catch (error) {
+    logger.error('Error removing promptGroup permissions:', error);
+  }
+
   return { message: 'Prompt group deleted successfully' };
 };
 
+/**
+ * Get prompt groups by accessible IDs with optional cursor-based pagination.
+ * @param {Object} params - The parameters for getting accessible prompt groups.
+ * @param {Array} [params.accessibleIds] - Array of prompt group ObjectIds the user has ACL access to.
+ * @param {Object} [params.otherParams] - Additional query parameters (including author filter).
+ * @param {number} [params.limit] - Number of prompt groups to return (max 100). If not provided, returns all prompt groups.
+ * @param {string} [params.after] - Cursor for pagination - get prompt groups after this cursor. // base64 encoded JSON string with updatedAt and _id.
+ * @returns {Promise<Object>} A promise that resolves to an object containing the prompt groups data and pagination info.
+ */
+async function getListPromptGroupsByAccess({
+  accessibleIds = [],
+  otherParams = {},
+  limit = null,
+  after = null,
+}) {
+  const isPaginated = limit !== null && limit !== undefined;
+  const normalizedLimit = isPaginated ? Math.min(Math.max(1, parseInt(limit) || 20), 100) : null;
+
+  // Build base query combining ACL accessible prompt groups with other filters
+  const baseQuery = { ...otherParams, _id: { $in: accessibleIds } };
+
+  // Add cursor condition
+  if (after) {
+    try {
+      const cursor = JSON.parse(Buffer.from(after, 'base64').toString('utf8'));
+      const { updatedAt, _id } = cursor;
+
+      const cursorCondition = {
+        $or: [
+          { updatedAt: { $lt: new Date(updatedAt) } },
+          { updatedAt: new Date(updatedAt), _id: { $gt: new ObjectId(_id) } },
+        ],
+      };
+
+      // Merge cursor condition with base query
+      if (Object.keys(baseQuery).length > 0) {
+        baseQuery.$and = [{ ...baseQuery }, cursorCondition];
+        // Remove the original conditions from baseQuery to avoid duplication
+        Object.keys(baseQuery).forEach((key) => {
+          if (key !== '$and') delete baseQuery[key];
+        });
+      } else {
+        Object.assign(baseQuery, cursorCondition);
+      }
+    } catch (error) {
+      logger.warn('Invalid cursor:', error.message);
+    }
+  }
+
+  // Build aggregation pipeline
+  const pipeline = [{ $match: baseQuery }, { $sort: { updatedAt: -1, _id: 1 } }];
+
+  // Only apply limit if pagination is requested
+  if (isPaginated) {
+    pipeline.push({ $limit: normalizedLimit + 1 });
+  }
+
+  // Add lookup for production prompt
+  pipeline.push(
+    {
+      $lookup: {
+        from: 'prompts',
+        localField: 'productionId',
+        foreignField: '_id',
+        as: 'productionPrompt',
+      },
+    },
+    { $unwind: { path: '$productionPrompt', preserveNullAndEmptyArrays: true } },
+    {
+      $project: {
+        name: 1,
+        numberOfGenerations: 1,
+        oneliner: 1,
+        category: 1,
+        projectIds: 1,
+        productionId: 1,
+        author: 1,
+        authorName: 1,
+        createdAt: 1,
+        updatedAt: 1,
+        'productionPrompt.prompt': 1,
+      },
+    },
+  );
+
+  const promptGroups = await PromptGroup.aggregate(pipeline).exec();
+
+  const hasMore = isPaginated ? promptGroups.length > normalizedLimit : false;
+  const data = (isPaginated ? promptGroups.slice(0, normalizedLimit) : promptGroups).map(
+    (group) => {
+      if (group.author) {
+        group.author = group.author.toString();
+      }
+      return group;
+    },
+  );
+
+  // Generate next cursor only if paginated
+  let nextCursor = null;
+  if (isPaginated && hasMore && data.length > 0) {
+    const lastGroup = promptGroups[normalizedLimit - 1];
+    nextCursor = Buffer.from(
+      JSON.stringify({
+        updatedAt: lastGroup.updatedAt.toISOString(),
+        _id: lastGroup._id.toString(),
+      }),
+    ).toString('base64');
+  }
+
+  return {
+    object: 'list',
+    data,
+    first_id: data.length > 0 ? data[0]._id.toString() : null,
+    last_id: data.length > 0 ? data[data.length - 1]._id.toString() : null,
+    has_more: hasMore,
+    after: nextCursor,
+  };
+}
+
 module.exports = {
   getPromptGroups,
   deletePromptGroup,
   getAllPromptGroups,
+  getListPromptGroupsByAccess,
   /**
    * Create a prompt and its respective group
    * @param {TCreatePromptRecord} saveData
@@ -430,6 +559,16 @@ module.exports = {
       .lean();
 
     if (remainingPrompts.length === 0) {
+      // Remove all ACL entries for the promptGroup when deleting the last prompt
+      try {
+        await removeAllPermissions({
+          resourceType: ResourceType.PROMPTGROUP,
+          resourceId: groupId,
+        });
+      } catch (error) {
+        logger.error('Error removing promptGroup permissions:', error);
+      }
+
       await PromptGroup.deleteOne({ _id: groupId });
       await removeGroupFromAllProjects(groupId);
 

api/models/Prompt.spec.js

@@ -0,0 +1,564 @@
+const mongoose = require('mongoose');
+const { ObjectId } = require('mongodb');
+const { logger } = require('@librechat/data-schemas');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const {
+  SystemRoles,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+  PermissionBits,
+} = require('librechat-data-provider');
+
+// Mock the config/connect module to prevent connection attempts during tests
+jest.mock('../../config/connect', () => jest.fn().mockResolvedValue(true));
+
+const dbModels = require('~/db/models');
+
+// Disable console for tests
+logger.silent = true;
+
+let mongoServer;
+let Prompt, PromptGroup, AclEntry, AccessRole, User, Group, Project;
+let promptFns, permissionService;
+let testUsers, testGroups, testRoles;
+
+beforeAll(async () => {
+  // Set up MongoDB memory server
+  mongoServer = await MongoMemoryServer.create();
+  const mongoUri = mongoServer.getUri();
+  await mongoose.connect(mongoUri);
+
+  // Initialize models
+  Prompt = dbModels.Prompt;
+  PromptGroup = dbModels.PromptGroup;
+  AclEntry = dbModels.AclEntry;
+  AccessRole = dbModels.AccessRole;
+  User = dbModels.User;
+  Group = dbModels.Group;
+  Project = dbModels.Project;
+
+  promptFns = require('~/models/Prompt');
+  permissionService = require('~/server/services/PermissionService');
+
+  // Create test data
+  await setupTestData();
+});
+
+afterAll(async () => {
+  await mongoose.disconnect();
+  await mongoServer.stop();
+  jest.clearAllMocks();
+});
+
+async function setupTestData() {
+  // Create access roles for promptGroups
+  testRoles = {
+    viewer: await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+      name: 'Viewer',
+      description: 'Can view promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW,
+    }),
+    editor: await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_EDITOR,
+      name: 'Editor',
+      description: 'Can view and edit promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW | PermissionBits.EDIT,
+    }),
+    owner: await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+      name: 'Owner',
+      description: 'Full control over promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits:
+        PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE,
+    }),
+  };
+
+  // Create test users
+  testUsers = {
+    owner: await User.create({
+      name: 'Prompt Owner',
+      email: 'owner@example.com',
+      role: SystemRoles.USER,
+    }),
+    editor: await User.create({
+      name: 'Prompt Editor',
+      email: 'editor@example.com',
+      role: SystemRoles.USER,
+    }),
+    viewer: await User.create({
+      name: 'Prompt Viewer',
+      email: 'viewer@example.com',
+      role: SystemRoles.USER,
+    }),
+    admin: await User.create({
+      name: 'Admin User',
+      email: 'admin@example.com',
+      role: SystemRoles.ADMIN,
+    }),
+    noAccess: await User.create({
+      name: 'No Access User',
+      email: 'noaccess@example.com',
+      role: SystemRoles.USER,
+    }),
+  };
+
+  // Create test groups
+  testGroups = {
+    editors: await Group.create({
+      name: 'Prompt Editors',
+      description: 'Group with editor access',
+    }),
+    viewers: await Group.create({
+      name: 'Prompt Viewers',
+      description: 'Group with viewer access',
+    }),
+  };
+
+  await Project.create({
+    name: 'Global',
+    description: 'Global project',
+    promptGroupIds: [],
+  });
+}
+
+describe('Prompt ACL Permissions', () => {
+  describe('Creating Prompts with Permissions', () => {
+    it('should grant owner permissions when creating a prompt', async () => {
+      // First create a group
+      const testGroup = await PromptGroup.create({
+        name: 'Test Group',
+        category: 'testing',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new mongoose.Types.ObjectId(),
+      });
+
+      const promptData = {
+        prompt: {
+          prompt: 'Test prompt content',
+          name: 'Test Prompt',
+          type: 'text',
+          groupId: testGroup._id,
+        },
+        author: testUsers.owner._id,
+      };
+
+      await promptFns.savePrompt(promptData);
+
+      // Manually grant permissions as would happen in the route
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Check ACL entry
+      const aclEntry = await AclEntry.findOne({
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+      });
+
+      expect(aclEntry).toBeTruthy();
+      expect(aclEntry.permBits).toBe(testRoles.owner.permBits);
+    });
+  });
+
+  describe('Accessing Prompts', () => {
+    let testPromptGroup;
+
+    beforeEach(async () => {
+      // Create a prompt group
+      testPromptGroup = await PromptGroup.create({
+        name: 'Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      // Create a prompt
+      await Prompt.create({
+        prompt: 'Test prompt for access control',
+        name: 'Access Test Prompt',
+        author: testUsers.owner._id,
+        groupId: testPromptGroup._id,
+        type: 'text',
+      });
+
+      // Grant owner permissions
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('owner should have full access to their prompt', async () => {
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+      });
+
+      expect(hasAccess).toBe(true);
+
+      const canEdit = await permissionService.checkPermission({
+        userId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.EDIT,
+      });
+
+      expect(canEdit).toBe(true);
+    });
+
+    it('user with viewer role should only have view access', async () => {
+      // Grant viewer permissions
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      const canView = await permissionService.checkPermission({
+        userId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+      });
+
+      const canEdit = await permissionService.checkPermission({
+        userId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.EDIT,
+      });
+
+      expect(canView).toBe(true);
+      expect(canEdit).toBe(false);
+    });
+
+    it('user without permissions should have no access', async () => {
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.noAccess._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+      });
+
+      expect(hasAccess).toBe(false);
+    });
+
+    it('admin should have access regardless of permissions', async () => {
+      // Admin users should work through normal permission system
+      // The middleware layer handles admin bypass, not the permission service
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.admin._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+      });
+
+      // Without explicit permissions, even admin won't have access at this layer
+      expect(hasAccess).toBe(false);
+
+      // The actual admin bypass happens in the middleware layer (`canAccessPromptViaGroup`/`canAccessPromptGroupResource`)
+      // which checks req.user.role === SystemRoles.ADMIN
+    });
+  });
+
+  describe('Group-based Access', () => {
+    let testPromptGroup;
+
+    beforeEach(async () => {
+      // Create a prompt group first
+      testPromptGroup = await PromptGroup.create({
+        name: 'Group Access Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      await Prompt.create({
+        prompt: 'Group access test prompt',
+        name: 'Group Test',
+        author: testUsers.owner._id,
+        groupId: testPromptGroup._id,
+        type: 'text',
+      });
+
+      // Add users to groups
+      await User.findByIdAndUpdate(testUsers.editor._id, {
+        $push: { groups: testGroups.editors._id },
+      });
+
+      await User.findByIdAndUpdate(testUsers.viewer._id, {
+        $push: { groups: testGroups.viewers._id },
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await AclEntry.deleteMany({});
+      await User.updateMany({}, { $set: { groups: [] } });
+    });
+
+    it('group members should inherit group permissions', async () => {
+      // Create a prompt group
+      const testPromptGroup = await PromptGroup.create({
+        name: 'Group Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      const { addUserToGroup } = require('~/models');
+      await addUserToGroup(testUsers.editor._id, testGroups.editors._id);
+
+      const prompt = await promptFns.savePrompt({
+        author: testUsers.owner._id,
+        prompt: {
+          prompt: 'Group test prompt',
+          name: 'Group Test',
+          groupId: testPromptGroup._id,
+          type: 'text',
+        },
+      });
+
+      // Check if savePrompt returned an error
+      if (!prompt || !prompt.prompt) {
+        throw new Error(`Failed to save prompt: ${prompt?.message || 'Unknown error'}`);
+      }
+
+      // Grant edit permissions to the group
+      await permissionService.grantPermission({
+        principalType: PrincipalType.GROUP,
+        principalId: testGroups.editors._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_EDITOR,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Check if group member has access
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.editor._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.EDIT,
+      });
+
+      expect(hasAccess).toBe(true);
+
+      // Check that non-member doesn't have access
+      const nonMemberAccess = await permissionService.checkPermission({
+        userId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.EDIT,
+      });
+
+      expect(nonMemberAccess).toBe(false);
+    });
+  });
+
+  describe('Public Access', () => {
+    let publicPromptGroup, privatePromptGroup;
+
+    beforeEach(async () => {
+      // Create separate prompt groups for public and private access
+      publicPromptGroup = await PromptGroup.create({
+        name: 'Public Access Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      privatePromptGroup = await PromptGroup.create({
+        name: 'Private Access Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      // Create prompts in their respective groups
+      await Prompt.create({
+        prompt: 'Public prompt',
+        name: 'Public',
+        author: testUsers.owner._id,
+        groupId: publicPromptGroup._id,
+        type: 'text',
+      });
+
+      await Prompt.create({
+        prompt: 'Private prompt',
+        name: 'Private',
+        author: testUsers.owner._id,
+        groupId: privatePromptGroup._id,
+        type: 'text',
+      });
+
+      // Grant public view access to publicPromptGroup
+      await permissionService.grantPermission({
+        principalType: PrincipalType.PUBLIC,
+        principalId: null,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: publicPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Grant only owner access to privatePromptGroup
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: privatePromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('public prompt should be accessible to any user', async () => {
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.noAccess._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: publicPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+        includePublic: true,
+      });
+
+      expect(hasAccess).toBe(true);
+    });
+
+    it('private prompt should not be accessible to unauthorized users', async () => {
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.noAccess._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: privatePromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+        includePublic: true,
+      });
+
+      expect(hasAccess).toBe(false);
+    });
+  });
+
+  describe('Prompt Deletion', () => {
+    let testPromptGroup;
+
+    it('should remove ACL entries when prompt is deleted', async () => {
+      testPromptGroup = await PromptGroup.create({
+        name: 'Deletion Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      const prompt = await promptFns.savePrompt({
+        author: testUsers.owner._id,
+        prompt: {
+          prompt: 'To be deleted',
+          name: 'Delete Test',
+          groupId: testPromptGroup._id,
+          type: 'text',
+        },
+      });
+
+      // Check if savePrompt returned an error
+      if (!prompt || !prompt.prompt) {
+        throw new Error(`Failed to save prompt: ${prompt?.message || 'Unknown error'}`);
+      }
+
+      const testPromptId = prompt.prompt._id;
+      const promptGroupId = testPromptGroup._id;
+
+      // Grant permission
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Verify ACL entry exists
+      const beforeDelete = await AclEntry.find({
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+      });
+      expect(beforeDelete).toHaveLength(1);
+
+      // Delete the prompt
+      await promptFns.deletePrompt({
+        promptId: testPromptId,
+        groupId: promptGroupId,
+        author: testUsers.owner._id,
+        role: SystemRoles.USER,
+      });
+
+      // Verify ACL entries are removed
+      const aclEntries = await AclEntry.find({
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+      });
+
+      expect(aclEntries).toHaveLength(0);
+    });
+  });
+
+  describe('Backwards Compatibility', () => {
+    it('should handle prompts without ACL entries gracefully', async () => {
+      // Create a prompt group first
+      const promptGroup = await PromptGroup.create({
+        name: 'Legacy Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      // Create a prompt without ACL entries (legacy prompt)
+      const legacyPrompt = await Prompt.create({
+        prompt: 'Legacy prompt without ACL',
+        name: 'Legacy',
+        author: testUsers.owner._id,
+        groupId: promptGroup._id,
+        type: 'text',
+      });
+
+      // The system should handle this gracefully
+      const prompt = await promptFns.getPrompt({ _id: legacyPrompt._id });
+      expect(prompt).toBeTruthy();
+      expect(prompt._id.toString()).toBe(legacyPrompt._id.toString());
+    });
+  });
+});

api/models/PromptGroupMigration.spec.js

@@ -0,0 +1,280 @@
+const mongoose = require('mongoose');
+const { ObjectId } = require('mongodb');
+const { logger } = require('@librechat/data-schemas');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const {
+  Constants,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+  PrincipalModel,
+  PermissionBits,
+} = require('librechat-data-provider');
+
+// Mock the config/connect module to prevent connection attempts during tests
+jest.mock('../../config/connect', () => jest.fn().mockResolvedValue(true));
+
+// Disable console for tests
+logger.silent = true;
+
+describe('PromptGroup Migration Script', () => {
+  let mongoServer;
+  let Prompt, PromptGroup, AclEntry, AccessRole, User, Project;
+  let migrateToPromptGroupPermissions;
+  let testOwner, testProject;
+  let ownerRole, viewerRole;
+
+  beforeAll(async () => {
+    // Set up MongoDB memory server
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+
+    // Initialize models
+    const dbModels = require('~/db/models');
+    Prompt = dbModels.Prompt;
+    PromptGroup = dbModels.PromptGroup;
+    AclEntry = dbModels.AclEntry;
+    AccessRole = dbModels.AccessRole;
+    User = dbModels.User;
+    Project = dbModels.Project;
+
+    // Create test user
+    testOwner = await User.create({
+      name: 'Test Owner',
+      email: 'owner@test.com',
+      role: 'USER',
+    });
+
+    // Create test project with the proper name
+    const projectName = Constants.GLOBAL_PROJECT_NAME || 'instance';
+    testProject = await Project.create({
+      name: projectName,
+      description: 'Global project',
+      promptGroupIds: [],
+    });
+
+    // Create promptGroup access roles
+    ownerRole = await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+      name: 'Owner',
+      description: 'Full control over promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits:
+        PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE,
+    });
+
+    viewerRole = await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+      name: 'Viewer',
+      description: 'Can view promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW,
+    });
+
+    await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_EDITOR,
+      name: 'Editor',
+      description: 'Can view and edit promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW | PermissionBits.EDIT,
+    });
+
+    // Import migration function
+    const migration = require('../../config/migrate-prompt-permissions');
+    migrateToPromptGroupPermissions = migration.migrateToPromptGroupPermissions;
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    // Clean up before each test
+    await Prompt.deleteMany({});
+    await PromptGroup.deleteMany({});
+    await AclEntry.deleteMany({});
+    // Reset the project's promptGroupIds array
+    testProject.promptGroupIds = [];
+    await testProject.save();
+  });
+
+  it('should categorize promptGroups correctly in dry run', async () => {
+    // Create global prompt group (in Global project)
+    const globalPromptGroup = await PromptGroup.create({
+      name: 'Global Group',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Create private prompt group (not in any project)
+    await PromptGroup.create({
+      name: 'Private Group',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Add global group to project's promptGroupIds array
+    testProject.promptGroupIds = [globalPromptGroup._id];
+    await testProject.save();
+
+    const result = await migrateToPromptGroupPermissions({ dryRun: true });
+
+    expect(result.dryRun).toBe(true);
+    expect(result.summary.total).toBe(2);
+    expect(result.summary.globalViewAccess).toBe(1);
+    expect(result.summary.privateGroups).toBe(1);
+  });
+
+  it('should grant appropriate permissions during migration', async () => {
+    // Create prompt groups
+    const globalPromptGroup = await PromptGroup.create({
+      name: 'Global Group',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    const privatePromptGroup = await PromptGroup.create({
+      name: 'Private Group',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Add global group to project's promptGroupIds array
+    testProject.promptGroupIds = [globalPromptGroup._id];
+    await testProject.save();
+
+    const result = await migrateToPromptGroupPermissions({ dryRun: false });
+
+    expect(result.migrated).toBe(2);
+    expect(result.errors).toBe(0);
+    expect(result.ownerGrants).toBe(2);
+    expect(result.publicViewGrants).toBe(1);
+
+    // Check global promptGroup permissions
+    const globalOwnerEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: globalPromptGroup._id,
+      principalType: PrincipalType.USER,
+      principalId: testOwner._id,
+    });
+    expect(globalOwnerEntry).toBeTruthy();
+    expect(globalOwnerEntry.permBits).toBe(ownerRole.permBits);
+
+    const globalPublicEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: globalPromptGroup._id,
+      principalType: PrincipalType.PUBLIC,
+    });
+    expect(globalPublicEntry).toBeTruthy();
+    expect(globalPublicEntry.permBits).toBe(viewerRole.permBits);
+
+    // Check private promptGroup permissions
+    const privateOwnerEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: privatePromptGroup._id,
+      principalType: PrincipalType.USER,
+      principalId: testOwner._id,
+    });
+    expect(privateOwnerEntry).toBeTruthy();
+    expect(privateOwnerEntry.permBits).toBe(ownerRole.permBits);
+
+    const privatePublicEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: privatePromptGroup._id,
+      principalType: PrincipalType.PUBLIC,
+    });
+    expect(privatePublicEntry).toBeNull();
+  });
+
+  it('should skip promptGroups that already have ACL entries', async () => {
+    // Create prompt groups
+    const promptGroup1 = await PromptGroup.create({
+      name: 'Group 1',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    const promptGroup2 = await PromptGroup.create({
+      name: 'Group 2',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Grant permission to one promptGroup manually (simulating it already has ACL)
+    await AclEntry.create({
+      principalType: PrincipalType.USER,
+      principalId: testOwner._id,
+      principalModel: PrincipalModel.USER,
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: promptGroup1._id,
+      permBits: ownerRole.permBits,
+      roleId: ownerRole._id,
+      grantedBy: testOwner._id,
+      grantedAt: new Date(),
+    });
+
+    const result = await migrateToPromptGroupPermissions({ dryRun: false });
+
+    // Should only migrate promptGroup2, skip promptGroup1
+    expect(result.migrated).toBe(1);
+    expect(result.errors).toBe(0);
+
+    // Verify promptGroup2 now has permissions
+    const group2Entry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: promptGroup2._id,
+    });
+    expect(group2Entry).toBeTruthy();
+  });
+
+  it('should handle promptGroups with prompts correctly', async () => {
+    // Create a promptGroup with some prompts
+    const promptGroup = await PromptGroup.create({
+      name: 'Group with Prompts',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Create some prompts in this group
+    await Prompt.create({
+      prompt: 'First prompt',
+      author: testOwner._id,
+      groupId: promptGroup._id,
+      type: 'text',
+    });
+
+    await Prompt.create({
+      prompt: 'Second prompt',
+      author: testOwner._id,
+      groupId: promptGroup._id,
+      type: 'text',
+    });
+
+    const result = await migrateToPromptGroupPermissions({ dryRun: false });
+
+    expect(result.migrated).toBe(1);
+    expect(result.errors).toBe(0);
+
+    // Verify the promptGroup has permissions
+    const groupEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: promptGroup._id,
+    });
+    expect(groupEntry).toBeTruthy();
+
+    // Verify no prompt-level permissions were created
+    const promptEntries = await AclEntry.find({
+      resourceType: 'prompt',
+    });
+    expect(promptEntries).toHaveLength(0);
+  });
+});

api/models/Role.js

@@ -2,7 +2,6 @@ const {
   CacheKeys,
   SystemRoles,
   roleDefaults,
-  PermissionTypes,
   permissionsSchema,
   removeNullishValues,
 } = require('librechat-data-provider');
@@ -17,7 +16,7 @@ const { Role } = require('~/db/models');
  *
  * @param {string} roleName - The name of the role to find or create.
  * @param {string|string[]} [fieldsToSelect] - The fields to include or exclude in the returned document.
- * @returns {Promise<Object>} A plain object representing the role document.
+ * @returns {Promise<IRole>} Role document.
  */
 const getRoleByName = async function (roleName, fieldsToSelect = null) {
   const cache = getLogStores(CacheKeys.ROLES);
@@ -73,8 +72,9 @@ const updateRoleByName = async function (roleName, updates) {
  * Updates access permissions for a specific role and multiple permission types.
  * @param {string} roleName - The role to update.
  * @param {Object.<PermissionTypes, Object.<Permissions, boolean>>} permissionsUpdate - Permissions to update and their values.
+ * @param {IRole} [roleData] - Optional role data to use instead of fetching from the database.
  */
-async function updateAccessPermissions(roleName, permissionsUpdate) {
+async function updateAccessPermissions(roleName, permissionsUpdate, roleData) {
   // Filter and clean the permission updates based on our schema definition.
   const updates = {};
   for (const [permissionType, permissions] of Object.entries(permissionsUpdate)) {
@@ -87,7 +87,7 @@ async function updateAccessPermissions(roleName, permissionsUpdate) {
   }
 
   try {
-    const role = await getRoleByName(roleName);
+    const role = roleData ?? (await getRoleByName(roleName));
     if (!role) {
       return;
     }
@@ -114,7 +114,6 @@ async function updateAccessPermissions(roleName, permissionsUpdate) {
       }
     }
 
-    // Process the current updates
     for (const [permissionType, permissions] of Object.entries(updates)) {
       const currentTypePermissions = currentPermissions[permissionType] || {};
       updatedPermissions[permissionType] = { ...currentTypePermissions };

api/models/Transaction.js

@@ -1,5 +1,4 @@
 const { logger } = require('@librechat/data-schemas');
-const { getBalanceConfig } = require('~/server/services/Config');
 const { getMultiplier, getCacheMultiplier } = require('./tx');
 const { Transaction, Balance } = require('~/db/models');
 
@@ -187,9 +186,10 @@ async function createAutoRefillTransaction(txData) {
 
 /**
  * Static method to create a transaction and update the balance
- * @param {txData} txData - Transaction data.
+ * @param {txData} _txData - Transaction data.
  */
-async function createTransaction(txData) {
+async function createTransaction(_txData) {
+  const { balance, ...txData } = _txData;
   if (txData.rawAmount != null && isNaN(txData.rawAmount)) {
     return;
   }
@@ -199,8 +199,6 @@ async function createTransaction(txData) {
   calculateTokenValue(transaction);
 
   await transaction.save();
-
-  const balance = await getBalanceConfig();
   if (!balance?.enabled) {
     return;
   }
@@ -221,9 +219,10 @@ async function createTransaction(txData) {
 
 /**
  * Static method to create a structured transaction and update the balance
- * @param {txData} txData - Transaction data.
+ * @param {txData} _txData - Transaction data.
  */
-async function createStructuredTransaction(txData) {
+async function createStructuredTransaction(_txData) {
+  const { balance, ...txData } = _txData;
   const transaction = new Transaction({
     ...txData,
     endpointTokenConfig: txData.endpointTokenConfig,
@@ -233,7 +232,6 @@ async function createStructuredTransaction(txData) {
 
   await transaction.save();
 
-  const balance = await getBalanceConfig();
   if (!balance?.enabled) {
     return;
   }

api/models/Transaction.spec.js

@@ -1,14 +1,11 @@
 const mongoose = require('mongoose');
 const { MongoMemoryServer } = require('mongodb-memory-server');
 const { spendTokens, spendStructuredTokens } = require('./spendTokens');
-const { getBalanceConfig } = require('~/server/services/Config');
+
 const { getMultiplier, getCacheMultiplier } = require('./tx');
 const { createTransaction } = require('./Transaction');
 const { Balance } = require('~/db/models');
 
-// Mock the custom config module so we can control the balance flag.
-jest.mock('~/server/services/Config');
-
 let mongoServer;
 beforeAll(async () => {
   mongoServer = await MongoMemoryServer.create();
@@ -23,8 +20,6 @@ afterAll(async () => {
 
 beforeEach(async () => {
   await mongoose.connection.dropDatabase();
-  // Default: enable balance updates in tests.
-  getBalanceConfig.mockResolvedValue({ enabled: true });
 });
 
 describe('Regular Token Spending Tests', () => {
@@ -41,6 +36,7 @@ describe('Regular Token Spending Tests', () => {
       model,
       context: 'test',
       endpointTokenConfig: null,
+      balance: { enabled: true },
     };
 
     const tokenUsage = {
@@ -74,6 +70,7 @@ describe('Regular Token Spending Tests', () => {
       model,
       context: 'test',
       endpointTokenConfig: null,
+      balance: { enabled: true },
     };
 
     const tokenUsage = {
@@ -104,6 +101,7 @@ describe('Regular Token Spending Tests', () => {
       model,
       context: 'test',
       endpointTokenConfig: null,
+      balance: { enabled: true },
     };
 
     const tokenUsage = {};
@@ -128,6 +126,7 @@ describe('Regular Token Spending Tests', () => {
       model,
       context: 'test',
       endpointTokenConfig: null,
+      balance: { enabled: true },
     };
 
     const tokenUsage = { promptTokens: 100 };
@@ -143,8 +142,7 @@ describe('Regular Token Spending Tests', () => {
   });
 
   test('spendTokens should not update balance when balance feature is disabled', async () => {
-    // Arrange: Override the config to disable balance updates.
-    getBalanceConfig.mockResolvedValue({ balance: { enabled: false } });
+    // Arrange: Balance config is now passed directly in txData
     const userId = new mongoose.Types.ObjectId();
     const initialBalance = 10000000;
     await Balance.create({ user: userId, tokenCredits: initialBalance });
@@ -156,6 +154,7 @@ describe('Regular Token Spending Tests', () => {
       model,
       context: 'test',
       endpointTokenConfig: null,
+      balance: { enabled: false },
     };
 
     const tokenUsage = {
@@ -186,6 +185,7 @@ describe('Structured Token Spending Tests', () => {
       model,
       context: 'message',
       endpointTokenConfig: null,
+      balance: { enabled: true },
     };
 
     const tokenUsage = {
@@ -239,6 +239,7 @@ describe('Structured Token Spending Tests', () => {
       conversationId: 'test-convo',
       model,
       context: 'message',
+      balance: { enabled: true },
     };
 
     const tokenUsage = {
@@ -271,6 +272,7 @@ describe('Structured Token Spending Tests', () => {
       conversationId: 'test-convo',
       model,
       context: 'message',
+      balance: { enabled: true },
     };
 
     const tokenUsage = {
@@ -302,6 +304,7 @@ describe('Structured Token Spending Tests', () => {
       conversationId: 'test-convo',
       model,
       context: 'message',
+      balance: { enabled: true },
     };
 
     const tokenUsage = {};
@@ -328,6 +331,7 @@ describe('Structured Token Spending Tests', () => {
       conversationId: 'test-convo',
       model,
       context: 'incomplete',
+      balance: { enabled: true },
     };
 
     const tokenUsage = {
@@ -364,6 +368,7 @@ describe('NaN Handling Tests', () => {
       endpointTokenConfig: null,
       rawAmount: NaN,
       tokenType: 'prompt',
+      balance: { enabled: true },
     };
 
     // Act

api/models/index.js

@@ -22,9 +22,17 @@ const {
 } = require('./Message');
 const { getConvoTitle, getConvo, saveConvo, deleteConvos } = require('./Conversation');
 const { getPreset, getPresets, savePreset, deletePresets } = require('./Preset');
+const { File } = require('~/db/models');
+
+const seedDatabase = async () => {
+  await methods.initializeRoles();
+  await methods.seedDefaultRoles();
+  await methods.ensureDefaultCategories();
+};
 
 module.exports = {
   ...methods,
+  seedDatabase,
   comparePassword,
   findFileById,
   createFile,
@@ -51,4 +59,6 @@ module.exports = {
   getPresets,
   savePreset,
   deletePresets,
+
+  Files: File,
 };

api/models/interface.js

@@ -0,0 +1,24 @@
+const { logger } = require('@librechat/data-schemas');
+const { updateInterfacePermissions: updateInterfacePerms } = require('@librechat/api');
+const { getRoleByName, updateAccessPermissions } = require('./Role');
+
+/**
+ * Update interface permissions based on app configuration.
+ * Must be done independently from loading the app config.
+ * @param {AppConfig} appConfig
+ */
+async function updateInterfacePermissions(appConfig) {
+  try {
+    await updateInterfacePerms({
+      appConfig,
+      getRoleByName,
+      updateAccessPermissions,
+    });
+  } catch (error) {
+    logger.error('Error updating interface permissions:', error);
+  }
+}
+
+module.exports = {
+  updateInterfacePermissions,
+};

api/models/spendTokens.js

@@ -5,13 +5,7 @@ const { createTransaction, createStructuredTransaction } = require('./Transactio
  *
  * @function
  * @async
- * @param {Object} txData - Transaction data.
- * @param {mongoose.Schema.Types.ObjectId} txData.user - The user ID.
- * @param {String} txData.conversationId - The ID of the conversation.
- * @param {String} txData.model - The model name.
- * @param {String} txData.context - The context in which the transaction is made.
- * @param {EndpointTokenConfig} [txData.endpointTokenConfig] - The current endpoint token config.
- * @param {String} [txData.valueKey] - The value key (optional).
+ * @param {txData} txData - Transaction data.
  * @param {Object} tokenUsage - The number of tokens used.
  * @param {Number} tokenUsage.promptTokens - The number of prompt tokens used.
  * @param {Number} tokenUsage.completionTokens - The number of completion tokens used.
@@ -69,13 +63,7 @@ const spendTokens = async (txData, tokenUsage) => {
  *
  * @function
  * @async
- * @param {Object} txData - Transaction data.
- * @param {mongoose.Schema.Types.ObjectId} txData.user - The user ID.
- * @param {String} txData.conversationId - The ID of the conversation.
- * @param {String} txData.model - The model name.
- * @param {String} txData.context - The context in which the transaction is made.
- * @param {EndpointTokenConfig} [txData.endpointTokenConfig] - The current endpoint token config.
- * @param {String} [txData.valueKey] - The value key (optional).
+ * @param {txData} txData - Transaction data.
  * @param {Object} tokenUsage - The number of tokens used.
  * @param {Object} tokenUsage.promptTokens - The number of prompt tokens used.
  * @param {Number} tokenUsage.promptTokens.input - The number of input tokens.

api/models/spendTokens.spec.js

@@ -5,7 +5,6 @@ const { createTransaction, createAutoRefillTransaction } = require('./Transactio
 
 require('~/db/models');
 
-// Mock the logger to prevent console output during tests
 jest.mock('~/config', () => ({
   logger: {
     debug: jest.fn(),
@@ -13,10 +12,6 @@ jest.mock('~/config', () => ({
   },
 }));
 
-// Mock the Config service
-const { getBalanceConfig } = require('~/server/services/Config');
-jest.mock('~/server/services/Config');
-
 describe('spendTokens', () => {
   let mongoServer;
   let userId;
@@ -44,8 +39,7 @@ describe('spendTokens', () => {
     // Create a new user ID for each test
     userId = new mongoose.Types.ObjectId();
 
-    // Mock the balance config to be enabled by default
-    getBalanceConfig.mockResolvedValue({ enabled: true });
+    // Balance config is now passed directly in txData
   });
 
   it('should create transactions for both prompt and completion tokens', async () => {
@@ -60,6 +54,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo',
       model: 'gpt-3.5-turbo',
       context: 'test',
+      balance: { enabled: true },
     };
     const tokenUsage = {
       promptTokens: 100,
@@ -98,6 +93,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo',
       model: 'gpt-3.5-turbo',
       context: 'test',
+      balance: { enabled: true },
     };
     const tokenUsage = {
       promptTokens: 100,
@@ -127,6 +123,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo',
       model: 'gpt-3.5-turbo',
       context: 'test',
+      balance: { enabled: true },
     };
     const tokenUsage = {};
 
@@ -138,8 +135,7 @@ describe('spendTokens', () => {
   });
 
   it('should not update balance when the balance feature is disabled', async () => {
-    // Override configuration: disable balance updates
-    getBalanceConfig.mockResolvedValue({ enabled: false });
+    // Balance is now passed directly in txData
     // Create a balance for the user
     await Balance.create({
       user: userId,
@@ -151,6 +147,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo',
       model: 'gpt-3.5-turbo',
       context: 'test',
+      balance: { enabled: false },
     };
     const tokenUsage = {
       promptTokens: 100,
@@ -180,6 +177,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo',
       model: 'gpt-4', // Using a more expensive model
       context: 'test',
+      balance: { enabled: true },
     };
 
     // Spending more tokens than the user has balance for
@@ -233,6 +231,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo-1',
       model: 'gpt-4',
       context: 'test',
+      balance: { enabled: true },
     };
 
     const tokenUsage1 = {
@@ -252,6 +251,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo-2',
       model: 'gpt-4',
       context: 'test',
+      balance: { enabled: true },
     };
 
     const tokenUsage2 = {
@@ -292,6 +292,7 @@ describe('spendTokens', () => {
       tokenType: 'completion',
       rawAmount: -100,
       context: 'test',
+      balance: { enabled: true },
     });
 
     console.log('Direct Transaction.create result:', directResult);
@@ -316,6 +317,7 @@ describe('spendTokens', () => {
         conversationId: `test-convo-${model}`,
         model,
         context: 'test',
+        balance: { enabled: true },
       };
 
       const tokenUsage = {
@@ -352,6 +354,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo-1',
       model: 'claude-3-5-sonnet',
       context: 'test',
+      balance: { enabled: true },
     };
 
     const tokenUsage1 = {
@@ -375,6 +378,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo-2',
       model: 'claude-3-5-sonnet',
       context: 'test',
+      balance: { enabled: true },
     };
 
     const tokenUsage2 = {
@@ -426,6 +430,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo',
       model: 'claude-3-5-sonnet', // Using a model that supports structured tokens
       context: 'test',
+      balance: { enabled: true },
     };
 
     // Spending more tokens than the user has balance for
@@ -505,6 +510,7 @@ describe('spendTokens', () => {
         conversationId,
         user: userId,
         model: usage.model,
+        balance: { enabled: true },
       };
 
       // Calculate expected spend for this transaction
@@ -617,6 +623,7 @@ describe('spendTokens', () => {
           tokenType: 'credits',
           context: 'concurrent-refill-test',
           rawAmount: refillAmount,
+          balance: { enabled: true },
         }),
       );
     }
@@ -683,6 +690,7 @@ describe('spendTokens', () => {
       conversationId: 'test-convo',
       model: 'claude-3-5-sonnet',
       context: 'test',
+      balance: { enabled: true },
     };
     const tokenUsage = {
       promptTokens: {

api/models/tx.js

@@ -1,4 +1,4 @@
-const { matchModelName } = require('../utils');
+const { matchModelName } = require('../utils/tokens');
 const defaultRate = 6;
 
 /**
@@ -87,6 +87,9 @@ const tokenValues = Object.assign(
     'gpt-4.1': { prompt: 2, completion: 8 },
     'gpt-4.5': { prompt: 75, completion: 150 },
     'gpt-4o-mini': { prompt: 0.15, completion: 0.6 },
+    'gpt-5': { prompt: 1.25, completion: 10 },
+    'gpt-5-mini': { prompt: 0.25, completion: 2 },
+    'gpt-5-nano': { prompt: 0.05, completion: 0.4 },
     'gpt-4o': { prompt: 2.5, completion: 10 },
     'gpt-4o-2024-05-13': { prompt: 5, completion: 15 },
     'gpt-4-1106': { prompt: 10, completion: 30 },
@@ -147,6 +150,9 @@ const tokenValues = Object.assign(
     codestral: { prompt: 0.3, completion: 0.9 },
     'ministral-8b': { prompt: 0.1, completion: 0.1 },
     'ministral-3b': { prompt: 0.04, completion: 0.04 },
+    // GPT-OSS models
+    'gpt-oss-20b': { prompt: 0.05, completion: 0.2 },
+    'gpt-oss-120b': { prompt: 0.15, completion: 0.6 },
   },
   bedrockValues,
 );
@@ -214,6 +220,12 @@ const getValueKey = (model, endpoint) => {
     return 'gpt-4.1';
   } else if (modelName.includes('gpt-4o-2024-05-13')) {
     return 'gpt-4o-2024-05-13';
+  } else if (modelName.includes('gpt-5-nano')) {
+    return 'gpt-5-nano';
+  } else if (modelName.includes('gpt-5-mini')) {
+    return 'gpt-5-mini';
+  } else if (modelName.includes('gpt-5')) {
+    return 'gpt-5';
   } else if (modelName.includes('gpt-4o-mini')) {
     return 'gpt-4o-mini';
   } else if (modelName.includes('gpt-4o')) {

api/models/tx.spec.js

@@ -25,8 +25,14 @@ describe('getValueKey', () => {
     expect(getValueKey('gpt-4-some-other-info')).toBe('8k');
   });
 
-  it('should return undefined for model names that do not match any known patterns', () => {
-    expect(getValueKey('gpt-5-some-other-info')).toBeUndefined();
+  it('should return "gpt-5" for model name containing "gpt-5"', () => {
+    expect(getValueKey('gpt-5-some-other-info')).toBe('gpt-5');
+    expect(getValueKey('gpt-5-2025-01-30')).toBe('gpt-5');
+    expect(getValueKey('gpt-5-2025-01-30-0130')).toBe('gpt-5');
+    expect(getValueKey('openai/gpt-5')).toBe('gpt-5');
+    expect(getValueKey('openai/gpt-5-2025-01-30')).toBe('gpt-5');
+    expect(getValueKey('gpt-5-turbo')).toBe('gpt-5');
+    expect(getValueKey('gpt-5-0130')).toBe('gpt-5');
   });
 
   it('should return "gpt-3.5-turbo-1106" for model name containing "gpt-3.5-turbo-1106"', () => {
@@ -84,6 +90,29 @@ describe('getValueKey', () => {
     expect(getValueKey('gpt-4.1-nano-0125')).toBe('gpt-4.1-nano');
   });
 
+  it('should return "gpt-5" for model type of "gpt-5"', () => {
+    expect(getValueKey('gpt-5-2025-01-30')).toBe('gpt-5');
+    expect(getValueKey('gpt-5-2025-01-30-0130')).toBe('gpt-5');
+    expect(getValueKey('openai/gpt-5')).toBe('gpt-5');
+    expect(getValueKey('openai/gpt-5-2025-01-30')).toBe('gpt-5');
+    expect(getValueKey('gpt-5-turbo')).toBe('gpt-5');
+    expect(getValueKey('gpt-5-0130')).toBe('gpt-5');
+  });
+
+  it('should return "gpt-5-mini" for model type of "gpt-5-mini"', () => {
+    expect(getValueKey('gpt-5-mini-2025-01-30')).toBe('gpt-5-mini');
+    expect(getValueKey('openai/gpt-5-mini')).toBe('gpt-5-mini');
+    expect(getValueKey('gpt-5-mini-0130')).toBe('gpt-5-mini');
+    expect(getValueKey('gpt-5-mini-2025-01-30-0130')).toBe('gpt-5-mini');
+  });
+
+  it('should return "gpt-5-nano" for model type of "gpt-5-nano"', () => {
+    expect(getValueKey('gpt-5-nano-2025-01-30')).toBe('gpt-5-nano');
+    expect(getValueKey('openai/gpt-5-nano')).toBe('gpt-5-nano');
+    expect(getValueKey('gpt-5-nano-0130')).toBe('gpt-5-nano');
+    expect(getValueKey('gpt-5-nano-2025-01-30-0130')).toBe('gpt-5-nano');
+  });
+
   it('should return "gpt-4o" for model type of "gpt-4o"', () => {
     expect(getValueKey('gpt-4o-2024-08-06')).toBe('gpt-4o');
     expect(getValueKey('gpt-4o-2024-08-06-0718')).toBe('gpt-4o');
@@ -207,6 +236,48 @@ describe('getMultiplier', () => {
     );
   });
 
+  it('should return the correct multiplier for gpt-5', () => {
+    const valueKey = getValueKey('gpt-5-2025-01-30');
+    expect(getMultiplier({ valueKey, tokenType: 'prompt' })).toBe(tokenValues['gpt-5'].prompt);
+    expect(getMultiplier({ valueKey, tokenType: 'completion' })).toBe(
+      tokenValues['gpt-5'].completion,
+    );
+    expect(getMultiplier({ model: 'gpt-5-preview', tokenType: 'prompt' })).toBe(
+      tokenValues['gpt-5'].prompt,
+    );
+    expect(getMultiplier({ model: 'openai/gpt-5', tokenType: 'completion' })).toBe(
+      tokenValues['gpt-5'].completion,
+    );
+  });
+
+  it('should return the correct multiplier for gpt-5-mini', () => {
+    const valueKey = getValueKey('gpt-5-mini-2025-01-30');
+    expect(getMultiplier({ valueKey, tokenType: 'prompt' })).toBe(tokenValues['gpt-5-mini'].prompt);
+    expect(getMultiplier({ valueKey, tokenType: 'completion' })).toBe(
+      tokenValues['gpt-5-mini'].completion,
+    );
+    expect(getMultiplier({ model: 'gpt-5-mini-preview', tokenType: 'prompt' })).toBe(
+      tokenValues['gpt-5-mini'].prompt,
+    );
+    expect(getMultiplier({ model: 'openai/gpt-5-mini', tokenType: 'completion' })).toBe(
+      tokenValues['gpt-5-mini'].completion,
+    );
+  });
+
+  it('should return the correct multiplier for gpt-5-nano', () => {
+    const valueKey = getValueKey('gpt-5-nano-2025-01-30');
+    expect(getMultiplier({ valueKey, tokenType: 'prompt' })).toBe(tokenValues['gpt-5-nano'].prompt);
+    expect(getMultiplier({ valueKey, tokenType: 'completion' })).toBe(
+      tokenValues['gpt-5-nano'].completion,
+    );
+    expect(getMultiplier({ model: 'gpt-5-nano-preview', tokenType: 'prompt' })).toBe(
+      tokenValues['gpt-5-nano'].prompt,
+    );
+    expect(getMultiplier({ model: 'openai/gpt-5-nano', tokenType: 'completion' })).toBe(
+      tokenValues['gpt-5-nano'].completion,
+    );
+  });
+
   it('should return the correct multiplier for gpt-4o', () => {
     const valueKey = getValueKey('gpt-4o-2024-08-06');
     expect(getMultiplier({ valueKey, tokenType: 'prompt' })).toBe(tokenValues['gpt-4o'].prompt);
@@ -307,10 +378,22 @@ describe('getMultiplier', () => {
   });
 
   it('should return defaultRate if derived valueKey does not match any known patterns', () => {
-    expect(getMultiplier({ tokenType: 'prompt', model: 'gpt-5-some-other-info' })).toBe(
+    expect(getMultiplier({ tokenType: 'prompt', model: 'gpt-10-some-other-info' })).toBe(
       defaultRate,
     );
   });
+
+  it('should return correct multipliers for GPT-OSS models', () => {
+    const models = ['gpt-oss-20b', 'gpt-oss-120b'];
+    models.forEach((key) => {
+      const expectedPrompt = tokenValues[key].prompt;
+      const expectedCompletion = tokenValues[key].completion;
+      expect(getMultiplier({ valueKey: key, tokenType: 'prompt' })).toBe(expectedPrompt);
+      expect(getMultiplier({ valueKey: key, tokenType: 'completion' })).toBe(expectedCompletion);
+      expect(getMultiplier({ model: key, tokenType: 'prompt' })).toBe(expectedPrompt);
+      expect(getMultiplier({ model: key, tokenType: 'completion' })).toBe(expectedCompletion);
+    });
+  });
 });
 
 describe('AWS Bedrock Model Tests', () => {

api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@librechat/backend",
-  "version": "v0.8.0-rc1",
+  "version": "v0.8.0-rc2",
   "description": "",
   "scripts": {
     "start": "echo 'please run this from the root directory'",
@@ -49,9 +49,10 @@
     "@langchain/google-vertexai": "^0.2.13",
     "@langchain/openai": "^0.5.18",
     "@langchain/textsplitters": "^0.1.0",
-    "@librechat/agents": "^2.4.69",
+    "@librechat/agents": "^2.4.76",
     "@librechat/api": "*",
     "@librechat/data-schemas": "*",
+    "@microsoft/microsoft-graph-client": "^3.0.7",
     "@modelcontextprotocol/sdk": "^1.17.1",
     "@node-saml/passport-saml": "^5.1.0",
     "@waylaidwanderer/fetch-event-source": "^3.0.1",

api/server/cleanup.js

@@ -1,6 +1,6 @@
-const { logger } = require('~/config');
+const { logger } = require('@librechat/data-schemas');
 
-// WeakMap to hold temporary data associated with requests
+/** WeakMap to hold temporary data associated with requests */
 const requestDataMap = new WeakMap();
 
 const FinalizationRegistry = global.FinalizationRegistry || null;
@@ -23,7 +23,7 @@ const clientRegistry = FinalizationRegistry
         } else {
           logger.debug('[FinalizationRegistry] Cleaning up client');
         }
-      } catch (e) {
+      } catch {
         // Ignore errors
       }
     })
@@ -55,6 +55,9 @@ function disposeClient(client) {
     if (client.responseMessageId) {
       client.responseMessageId = null;
     }
+    if (client.parentMessageId) {
+      client.parentMessageId = null;
+    }
     if (client.message_file_map) {
       client.message_file_map = null;
     }
@@ -334,7 +337,7 @@ function disposeClient(client) {
       }
     }
     client.options = null;
-  } catch (e) {
+  } catch {
     // Ignore errors during disposal
   }
 }

api/server/controllers/AuthController.js

@@ -12,6 +12,7 @@ const {
 } = require('~/server/services/AuthService');
 const { findUser, getUserById, deleteAllUserSessions, findSession } = require('~/models');
 const { getOpenIdConfig } = require('~/strategies');
+const { getGraphApiToken } = require('~/server/services/GraphTokenService');
 
 const registrationController = async (req, res) => {
   try {
@@ -83,7 +84,7 @@ const refreshController = async (req, res) => {
   }
   try {
     const payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
-    const user = await getUserById(payload.id, '-password -__v -totpSecret');
+    const user = await getUserById(payload.id, '-password -__v -totpSecret -backupCodes');
     if (!user) {
       return res.status(401).redirect('/login');
     }
@@ -118,9 +119,54 @@ const refreshController = async (req, res) => {
   }
 };
 
+const graphTokenController = async (req, res) => {
+  try {
+    // Validate user is authenticated via Entra ID
+    if (!req.user.openidId || req.user.provider !== 'openid') {
+      return res.status(403).json({
+        message: 'Microsoft Graph access requires Entra ID authentication',
+      });
+    }
+
+    // Check if OpenID token reuse is active (required for on-behalf-of flow)
+    if (!isEnabled(process.env.OPENID_REUSE_TOKENS)) {
+      return res.status(403).json({
+        message: 'SharePoint integration requires OpenID token reuse to be enabled',
+      });
+    }
+
+    // Extract access token from Authorization header
+    const authHeader = req.headers.authorization;
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({
+        message: 'Valid authorization token required',
+      });
+    }
+
+    // Get scopes from query parameters
+    const scopes = req.query.scopes;
+    if (!scopes) {
+      return res.status(400).json({
+        message: 'Graph API scopes are required as query parameter',
+      });
+    }
+
+    const accessToken = authHeader.substring(7); // Remove 'Bearer ' prefix
+    const tokenResponse = await getGraphApiToken(req.user, accessToken, scopes);
+
+    res.json(tokenResponse);
+  } catch (error) {
+    logger.error('[graphTokenController] Failed to obtain Graph API token:', error);
+    res.status(500).json({
+      message: 'Failed to obtain Microsoft Graph token',
+    });
+  }
+};
+
 module.exports = {
   refreshController,
   registrationController,
   resetPasswordController,
   resetPasswordRequestController,
+  graphTokenController,
 };

api/server/controllers/ErrorController.js

@@ -1,46 +0,0 @@
-const { logger } = require('~/config');
-
-//handle duplicates
-const handleDuplicateKeyError = (err, res) => {
-  logger.error('Duplicate key error:', err.keyValue);
-  const field = `${JSON.stringify(Object.keys(err.keyValue))}`;
-  const code = 409;
-  res
-    .status(code)
-    .send({ messages: `An document with that ${field} already exists.`, fields: field });
-};
-
-//handle validation errors
-const handleValidationError = (err, res) => {
-  logger.error('Validation error:', err.errors);
-  let errors = Object.values(err.errors).map((el) => el.message);
-  let fields = `${JSON.stringify(Object.values(err.errors).map((el) => el.path))}`;
-  let code = 400;
-  if (errors.length > 1) {
-    errors = errors.join(' ');
-    res.status(code).send({ messages: `${JSON.stringify(errors)}`, fields: fields });
-  } else {
-    res.status(code).send({ messages: `${JSON.stringify(errors)}`, fields: fields });
-  }
-};
-
-module.exports = (err, _req, res, _next) => {
-  try {
-    if (err.name === 'ValidationError') {
-      return handleValidationError(err, res);
-    }
-    if (err.code && err.code == 11000) {
-      return handleDuplicateKeyError(err, res);
-    }
-    // Special handling for errors like SyntaxError
-    if (err.statusCode && err.body) {
-      return res.status(err.statusCode).send(err.body);
-    }
-
-    logger.error('ErrorController => error', err);
-    return res.status(500).send('An unknown error occurred.');
-  } catch (err) {
-    logger.error('ErrorController => processing error', err);
-    return res.status(500).send('Processing error in ErrorController.');
-  }
-};

api/server/controllers/ModelController.js

@@ -5,6 +5,7 @@ const { logger } = require('~/config');
 
 /**
  * @param {ServerRequest} req
+ * @returns {Promise<TModelsConfig>} The models config.
  */
 const getModelsConfig = async (req) => {
   const cache = getLogStores(CacheKeys.CONFIG_STORE);

api/server/controllers/PermissionsController.js

@@ -0,0 +1,484 @@
+/**
+ * @import { TUpdateResourcePermissionsRequest, TUpdateResourcePermissionsResponse } from 'librechat-data-provider'
+ */
+
+const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
+const { ResourceType, PrincipalType } = require('librechat-data-provider');
+const {
+  bulkUpdateResourcePermissions,
+  ensureGroupPrincipalExists,
+  getEffectivePermissions,
+  ensurePrincipalExists,
+  getAvailableRoles,
+} = require('~/server/services/PermissionService');
+const { AclEntry } = require('~/db/models');
+const {
+  searchPrincipals: searchLocalPrincipals,
+  sortPrincipalsByRelevance,
+  calculateRelevanceScore,
+} = require('~/models');
+const {
+  entraIdPrincipalFeatureEnabled,
+  searchEntraIdPrincipals,
+} = require('~/server/services/GraphApiService');
+
+/**
+ * Generic controller for resource permission endpoints
+ * Delegates validation and logic to PermissionService
+ */
+
+/**
+ * Validates that the resourceType is one of the supported enum values
+ * @param {string} resourceType - The resource type to validate
+ * @throws {Error} If resourceType is not valid
+ */
+const validateResourceType = (resourceType) => {
+  const validTypes = Object.values(ResourceType);
+  if (!validTypes.includes(resourceType)) {
+    throw new Error(`Invalid resourceType: ${resourceType}. Valid types: ${validTypes.join(', ')}`);
+  }
+};
+
+/**
+ * Bulk update permissions for a resource (grant, update, remove)
+ * @route PUT /api/{resourceType}/{resourceId}/permissions
+ * @param {Object} req - Express request object
+ * @param {Object} req.params - Route parameters
+ * @param {string} req.params.resourceType - Resource type (e.g., 'agent')
+ * @param {string} req.params.resourceId - Resource ID
+ * @param {TUpdateResourcePermissionsRequest} req.body - Request body
+ * @param {Object} res - Express response object
+ * @returns {Promise<TUpdateResourcePermissionsResponse>} Updated permissions response
+ */
+const updateResourcePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    validateResourceType(resourceType);
+
+    /** @type {TUpdateResourcePermissionsRequest} */
+    const { updated, removed, public: isPublic, publicAccessRoleId } = req.body;
+    const { id: userId } = req.user;
+
+    // Prepare principals for the service call
+    const updatedPrincipals = [];
+    const revokedPrincipals = [];
+
+    // Add updated principals
+    if (updated && Array.isArray(updated)) {
+      updatedPrincipals.push(...updated);
+    }
+
+    // Add public permission if enabled
+    if (isPublic && publicAccessRoleId) {
+      updatedPrincipals.push({
+        type: PrincipalType.PUBLIC,
+        id: null,
+        accessRoleId: publicAccessRoleId,
+      });
+    }
+
+    // Prepare authentication context for enhanced group member fetching
+    const useEntraId = entraIdPrincipalFeatureEnabled(req.user);
+    const authHeader = req.headers.authorization;
+    const accessToken =
+      authHeader && authHeader.startsWith('Bearer ') ? authHeader.substring(7) : null;
+    const authContext =
+      useEntraId && accessToken
+        ? {
+            accessToken,
+            sub: req.user.openidId,
+          }
+        : null;
+
+    // Ensure updated principals exist in the database before processing permissions
+    const validatedPrincipals = [];
+    for (const principal of updatedPrincipals) {
+      try {
+        let principalId;
+
+        if (principal.type === PrincipalType.PUBLIC) {
+          principalId = null; // Public principals don't need database records
+        } else if (principal.type === PrincipalType.ROLE) {
+          principalId = principal.id; // Role principals use role name as ID
+        } else if (principal.type === PrincipalType.USER) {
+          principalId = await ensurePrincipalExists(principal);
+        } else if (principal.type === PrincipalType.GROUP) {
+          // Pass authContext to enable member fetching for Entra ID groups when available
+          principalId = await ensureGroupPrincipalExists(principal, authContext);
+        } else {
+          logger.error(`Unsupported principal type: ${principal.type}`);
+          continue; // Skip invalid principal types
+        }
+
+        // Update the principal with the validated ID for ACL operations
+        validatedPrincipals.push({
+          ...principal,
+          id: principalId,
+        });
+      } catch (error) {
+        logger.error('Error ensuring principal exists:', {
+          principal: {
+            type: principal.type,
+            id: principal.id,
+            name: principal.name,
+            source: principal.source,
+          },
+          error: error.message,
+        });
+        // Continue with other principals instead of failing the entire operation
+        continue;
+      }
+    }
+
+    // Add removed principals
+    if (removed && Array.isArray(removed)) {
+      revokedPrincipals.push(...removed);
+    }
+
+    // If public is disabled, add public to revoked list
+    if (!isPublic) {
+      revokedPrincipals.push({
+        type: PrincipalType.PUBLIC,
+        id: null,
+      });
+    }
+
+    const results = await bulkUpdateResourcePermissions({
+      resourceType,
+      resourceId,
+      updatedPrincipals: validatedPrincipals,
+      revokedPrincipals,
+      grantedBy: userId,
+    });
+
+    /** @type {TUpdateResourcePermissionsResponse} */
+    const response = {
+      message: 'Permissions updated successfully',
+      results: {
+        principals: results.granted,
+        public: isPublic || false,
+        publicAccessRoleId: isPublic ? publicAccessRoleId : undefined,
+      },
+    };
+
+    res.status(200).json(response);
+  } catch (error) {
+    logger.error('Error updating resource permissions:', error);
+    res.status(400).json({
+      error: 'Failed to update permissions',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get principals with their permission roles for a resource (UI-friendly format)
+ * Uses efficient aggregation pipeline to join User/Group data in single query
+ * @route GET /api/permissions/{resourceType}/{resourceId}
+ */
+const getResourcePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    validateResourceType(resourceType);
+
+    // Use aggregation pipeline for efficient single-query data retrieval
+    const results = await AclEntry.aggregate([
+      // Match ACL entries for this resource
+      {
+        $match: {
+          resourceType,
+          resourceId: mongoose.Types.ObjectId.isValid(resourceId)
+            ? mongoose.Types.ObjectId.createFromHexString(resourceId)
+            : resourceId,
+        },
+      },
+      // Lookup AccessRole information
+      {
+        $lookup: {
+          from: 'accessroles',
+          localField: 'roleId',
+          foreignField: '_id',
+          as: 'role',
+        },
+      },
+      // Lookup User information (for user principals)
+      {
+        $lookup: {
+          from: 'users',
+          localField: 'principalId',
+          foreignField: '_id',
+          as: 'userInfo',
+        },
+      },
+      // Lookup Group information (for group principals)
+      {
+        $lookup: {
+          from: 'groups',
+          localField: 'principalId',
+          foreignField: '_id',
+          as: 'groupInfo',
+        },
+      },
+      // Project final structure
+      {
+        $project: {
+          principalType: 1,
+          principalId: 1,
+          accessRoleId: { $arrayElemAt: ['$role.accessRoleId', 0] },
+          userInfo: { $arrayElemAt: ['$userInfo', 0] },
+          groupInfo: { $arrayElemAt: ['$groupInfo', 0] },
+        },
+      },
+    ]);
+
+    const principals = [];
+    let publicPermission = null;
+
+    // Process aggregation results
+    for (const result of results) {
+      if (result.principalType === PrincipalType.PUBLIC) {
+        publicPermission = {
+          public: true,
+          publicAccessRoleId: result.accessRoleId,
+        };
+      } else if (result.principalType === PrincipalType.USER && result.userInfo) {
+        principals.push({
+          type: PrincipalType.USER,
+          id: result.userInfo._id.toString(),
+          name: result.userInfo.name || result.userInfo.username,
+          email: result.userInfo.email,
+          avatar: result.userInfo.avatar,
+          source: !result.userInfo._id ? 'entra' : 'local',
+          idOnTheSource: result.userInfo.idOnTheSource || result.userInfo._id.toString(),
+          accessRoleId: result.accessRoleId,
+        });
+      } else if (result.principalType === PrincipalType.GROUP && result.groupInfo) {
+        principals.push({
+          type: PrincipalType.GROUP,
+          id: result.groupInfo._id.toString(),
+          name: result.groupInfo.name,
+          email: result.groupInfo.email,
+          description: result.groupInfo.description,
+          avatar: result.groupInfo.avatar,
+          source: result.groupInfo.source || 'local',
+          idOnTheSource: result.groupInfo.idOnTheSource || result.groupInfo._id.toString(),
+          accessRoleId: result.accessRoleId,
+        });
+      } else if (result.principalType === PrincipalType.ROLE) {
+        principals.push({
+          type: PrincipalType.ROLE,
+          /** Role name as ID */
+          id: result.principalId,
+          /** Display the role name */
+          name: result.principalId,
+          description: `System role: ${result.principalId}`,
+          accessRoleId: result.accessRoleId,
+        });
+      }
+    }
+
+    // Return response in format expected by frontend
+    const response = {
+      resourceType,
+      resourceId,
+      principals,
+      public: publicPermission?.public || false,
+      ...(publicPermission?.publicAccessRoleId && {
+        publicAccessRoleId: publicPermission.publicAccessRoleId,
+      }),
+    };
+
+    res.status(200).json(response);
+  } catch (error) {
+    logger.error('Error getting resource permissions principals:', error);
+    res.status(500).json({
+      error: 'Failed to get permissions principals',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get available roles for a resource type
+ * @route GET /api/{resourceType}/roles
+ */
+const getResourceRoles = async (req, res) => {
+  try {
+    const { resourceType } = req.params;
+    validateResourceType(resourceType);
+
+    const roles = await getAvailableRoles({ resourceType });
+
+    res.status(200).json(
+      roles.map((role) => ({
+        accessRoleId: role.accessRoleId,
+        name: role.name,
+        description: role.description,
+        permBits: role.permBits,
+      })),
+    );
+  } catch (error) {
+    logger.error('Error getting resource roles:', error);
+    res.status(500).json({
+      error: 'Failed to get roles',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get user's effective permission bitmask for a resource
+ * @route GET /api/{resourceType}/{resourceId}/effective
+ */
+const getUserEffectivePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    validateResourceType(resourceType);
+
+    const { id: userId } = req.user;
+
+    const permissionBits = await getEffectivePermissions({
+      userId,
+      role: req.user.role,
+      resourceType,
+      resourceId,
+    });
+
+    res.status(200).json({
+      permissionBits,
+    });
+  } catch (error) {
+    logger.error('Error getting user effective permissions:', error);
+    res.status(500).json({
+      error: 'Failed to get effective permissions',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Search for users and groups to grant permissions
+ * Supports hybrid local database + Entra ID search when configured
+ * @route GET /api/permissions/search-principals
+ */
+const searchPrincipals = async (req, res) => {
+  try {
+    const { q: query, limit = 20, types } = req.query;
+
+    if (!query || query.trim().length === 0) {
+      return res.status(400).json({
+        error: 'Query parameter "q" is required and must not be empty',
+      });
+    }
+
+    if (query.trim().length < 2) {
+      return res.status(400).json({
+        error: 'Query must be at least 2 characters long',
+      });
+    }
+
+    const searchLimit = Math.min(Math.max(1, parseInt(limit) || 10), 50);
+
+    let typeFilters = null;
+    if (types) {
+      const typesArray = Array.isArray(types) ? types : types.split(',');
+      const validTypes = typesArray.filter((t) =>
+        [PrincipalType.USER, PrincipalType.GROUP, PrincipalType.ROLE].includes(t),
+      );
+      typeFilters = validTypes.length > 0 ? validTypes : null;
+    }
+
+    const localResults = await searchLocalPrincipals(query.trim(), searchLimit, typeFilters);
+    let allPrincipals = [...localResults];
+
+    const useEntraId = entraIdPrincipalFeatureEnabled(req.user);
+
+    if (useEntraId && localResults.length < searchLimit) {
+      try {
+        let graphType = 'all';
+        if (typeFilters && typeFilters.length === 1) {
+          const graphTypeMap = {
+            [PrincipalType.USER]: 'users',
+            [PrincipalType.GROUP]: 'groups',
+          };
+          const mappedType = graphTypeMap[typeFilters[0]];
+          if (mappedType) {
+            graphType = mappedType;
+          }
+        }
+
+        const authHeader = req.headers.authorization;
+        const accessToken =
+          authHeader && authHeader.startsWith('Bearer ') ? authHeader.substring(7) : null;
+
+        if (accessToken) {
+          const graphResults = await searchEntraIdPrincipals(
+            accessToken,
+            req.user.openidId,
+            query.trim(),
+            graphType,
+            searchLimit - localResults.length,
+          );
+
+          const localEmails = new Set(
+            localResults.map((p) => p.email?.toLowerCase()).filter(Boolean),
+          );
+          const localGroupSourceIds = new Set(
+            localResults.map((p) => p.idOnTheSource).filter(Boolean),
+          );
+
+          for (const principal of graphResults) {
+            const isDuplicateByEmail =
+              principal.email && localEmails.has(principal.email.toLowerCase());
+            const isDuplicateBySourceId =
+              principal.idOnTheSource && localGroupSourceIds.has(principal.idOnTheSource);
+
+            if (!isDuplicateByEmail && !isDuplicateBySourceId) {
+              allPrincipals.push(principal);
+            }
+          }
+        }
+      } catch (graphError) {
+        logger.warn('Graph API search failed, falling back to local results:', graphError.message);
+      }
+    }
+    const scoredResults = allPrincipals.map((item) => ({
+      ...item,
+      _searchScore: calculateRelevanceScore(item, query.trim()),
+    }));
+
+    const finalResults = sortPrincipalsByRelevance(scoredResults)
+      .slice(0, searchLimit)
+      .map((result) => {
+        const { _searchScore, ...resultWithoutScore } = result;
+        return resultWithoutScore;
+      });
+
+    res.status(200).json({
+      query: query.trim(),
+      limit: searchLimit,
+      types: typeFilters,
+      results: finalResults,
+      count: finalResults.length,
+      sources: {
+        local: finalResults.filter((r) => r.source === 'local').length,
+        entra: finalResults.filter((r) => r.source === 'entra').length,
+      },
+    });
+  } catch (error) {
+    logger.error('Error searching principals:', error);
+    res.status(500).json({
+      error: 'Failed to search principals',
+      details: error.message,
+    });
+  }
+};
+
+module.exports = {
+  updateResourcePermissions,
+  getResourcePermissions,
+  getResourceRoles,
+  getUserEffectivePermissions,
+  searchPrincipals,
+};

api/server/controllers/PluginController.js

@@ -1,54 +1,16 @@
 const { logger } = require('@librechat/data-schemas');
-const { CacheKeys, AuthType, Constants } = require('librechat-data-provider');
-const { getCustomConfig, getCachedTools } = require('~/server/services/Config');
-const { getToolkitKey } = require('~/server/services/ToolService');
+const { CacheKeys, Constants } = require('librechat-data-provider');
+const {
+  getToolkitKey,
+  checkPluginAuth,
+  filterUniquePlugins,
+  convertMCPToolsToPlugins,
+} = require('@librechat/api');
+const { getCachedTools, getAppConfig } = require('~/server/services/Config');
+const { availableTools, toolkits } = require('~/app/clients/tools');
 const { getMCPManager, getFlowStateManager } = require('~/config');
-const { availableTools } = require('~/app/clients/tools');
 const { getLogStores } = require('~/cache');
 
-/**
- * Filters out duplicate plugins from the list of plugins.
- *
- * @param {TPlugin[]} plugins The list of plugins to filter.
- * @returns {TPlugin[]} The list of plugins with duplicates removed.
- */
-const filterUniquePlugins = (plugins) => {
-  const seen = new Set();
-  return plugins.filter((plugin) => {
-    const duplicate = seen.has(plugin.pluginKey);
-    seen.add(plugin.pluginKey);
-    return !duplicate;
-  });
-};
-
-/**
- * Determines if a plugin is authenticated by checking if all required authentication fields have non-empty values.
- * Supports alternate authentication fields, allowing validation against multiple possible environment variables.
- *
- * @param {TPlugin} plugin The plugin object containing the authentication configuration.
- * @returns {boolean} True if the plugin is authenticated for all required fields, false otherwise.
- */
-const checkPluginAuth = (plugin) => {
-  if (!plugin.authConfig || plugin.authConfig.length === 0) {
-    return false;
-  }
-
-  return plugin.authConfig.every((authFieldObj) => {
-    const authFieldOptions = authFieldObj.authField.split('||');
-    let isFieldAuthenticated = false;
-
-    for (const fieldOption of authFieldOptions) {
-      const envValue = process.env[fieldOption];
-      if (envValue && envValue.trim() !== '' && envValue !== AuthType.USER_PROVIDED) {
-        isFieldAuthenticated = true;
-        break;
-      }
-    }
-
-    return isFieldAuthenticated;
-  });
-};
-
 const getAvailablePluginsController = async (req, res) => {
   try {
     const cache = getLogStores(CacheKeys.CONFIG_STORE);
@@ -58,8 +20,9 @@ const getAvailablePluginsController = async (req, res) => {
       return;
     }
 
+    const appConfig = await getAppConfig({ role: req.user?.role });
     /** @type {{ filteredTools: string[], includedTools: string[] }} */
-    const { filteredTools = [], includedTools = [] } = req.app.locals;
+    const { filteredTools = [], includedTools = [] } = appConfig;
     const pluginManifest = availableTools;
 
     const uniquePlugins = filterUniquePlugins(pluginManifest);
@@ -139,32 +102,39 @@ function createGetServerTools() {
 const getAvailableTools = async (req, res) => {
   try {
     const userId = req.user?.id;
-    const customConfig = await getCustomConfig();
+    const appConfig = await getAppConfig();
     const cache = getLogStores(CacheKeys.CONFIG_STORE);
     const cachedToolsArray = await cache.get(CacheKeys.TOOLS);
     const cachedUserTools = await getCachedTools({ userId });
-    const userPlugins = convertMCPToolsToPlugins(cachedUserTools, customConfig);
 
-    if (cachedToolsArray && userPlugins) {
+    const mcpManager = getMCPManager();
+    const userPlugins = convertMCPToolsToPlugins({ functionTools: cachedUserTools, mcpManager });
+
+    if (cachedToolsArray != null && userPlugins != null) {
       const dedupedTools = filterUniquePlugins([...userPlugins, ...cachedToolsArray]);
       res.status(200).json(dedupedTools);
       return;
     }
 
-    // If not in cache, build from manifest
     let pluginManifest = availableTools;
-    if (customConfig?.mcpServers != null) {
-      const mcpManager = getMCPManager();
-      const flowsCache = getLogStores(CacheKeys.FLOWS);
-      const flowManager = flowsCache ? getFlowStateManager(flowsCache) : null;
-      const serverToolsCallback = createServerToolsCallback();
-      const getServerTools = createGetServerTools();
-      const mcpTools = await mcpManager.loadManifestTools({
-        flowManager,
-        serverToolsCallback,
-        getServerTools,
-      });
-      pluginManifest = [...mcpTools, ...pluginManifest];
+    if (appConfig?.mcpConfig != null) {
+      try {
+        const flowsCache = getLogStores(CacheKeys.FLOWS);
+        const flowManager = flowsCache ? getFlowStateManager(flowsCache) : null;
+        const serverToolsCallback = createServerToolsCallback();
+        const getServerTools = createGetServerTools();
+        const mcpTools = await mcpManager.loadManifestTools({
+          flowManager,
+          serverToolsCallback,
+          getServerTools,
+        });
+        pluginManifest = [...mcpTools, ...pluginManifest];
+      } catch (error) {
+        logger.error(
+          '[getAvailableTools] Error loading MCP Tools, servers may still be initializing:',
+          error,
+        );
+      }
     }
 
     /** @type {TPlugin[]} */
@@ -185,7 +155,9 @@ const getAvailableTools = async (req, res) => {
       const isToolDefined = toolDefinitions[plugin.pluginKey] !== undefined;
       const isToolkit =
         plugin.toolkit === true &&
-        Object.keys(toolDefinitions).some((key) => getToolkitKey(key) === plugin.pluginKey);
+        Object.keys(toolDefinitions).some(
+          (key) => getToolkitKey({ toolkits, toolName: key }) === plugin.pluginKey,
+        );
 
       if (!isToolDefined && !isToolkit) {
         continue;
@@ -200,7 +172,7 @@ const getAvailableTools = async (req, res) => {
 
       const parts = plugin.pluginKey.split(Constants.mcp_delimiter);
       const serverName = parts[parts.length - 1];
-      const serverConfig = customConfig?.mcpServers?.[serverName];
+      const serverConfig = appConfig?.mcpConfig?.[serverName];
 
       if (!serverConfig?.customUserVars) {
         toolsOutput.push(toolToAdd);
@@ -235,58 +207,6 @@ const getAvailableTools = async (req, res) => {
   }
 };
 
-/**
- * Converts MCP function format tools to plugin format
- * @param {Object} functionTools - Object with function format tools
- * @param {Object} customConfig - Custom configuration for MCP servers
- * @returns {Array} Array of plugin objects
- */
-function convertMCPToolsToPlugins(functionTools, customConfig) {
-  const plugins = [];
-
-  for (const [toolKey, toolData] of Object.entries(functionTools)) {
-    if (!toolData.function || !toolKey.includes(Constants.mcp_delimiter)) {
-      continue;
-    }
-
-    const functionData = toolData.function;
-    const parts = toolKey.split(Constants.mcp_delimiter);
-    const serverName = parts[parts.length - 1];
-
-    const serverConfig = customConfig?.mcpServers?.[serverName];
-
-    const plugin = {
-      name: parts[0], // Use the tool name without server suffix
-      pluginKey: toolKey,
-      description: functionData.description || '',
-      authenticated: true,
-      icon: serverConfig?.iconPath,
-    };
-
-    // Build authConfig for MCP tools
-    if (!serverConfig?.customUserVars) {
-      plugin.authConfig = [];
-      plugins.push(plugin);
-      continue;
-    }
-
-    const customVarKeys = Object.keys(serverConfig.customUserVars);
-    if (customVarKeys.length === 0) {
-      plugin.authConfig = [];
-    } else {
-      plugin.authConfig = Object.entries(serverConfig.customUserVars).map(([key, value]) => ({
-        authField: key,
-        label: value.title || key,
-        description: value.description || '',
-      }));
-    }
-
-    plugins.push(plugin);
-  }
-
-  return plugins;
-}
-
 module.exports = {
   getAvailableTools,
   getAvailablePluginsController,

api/server/controllers/PluginController.spec.js

@@ -1,8 +1,7 @@
 const { Constants } = require('librechat-data-provider');
-const { getCustomConfig, getCachedTools } = require('~/server/services/Config');
+const { getCachedTools, getAppConfig } = require('~/server/services/Config');
 const { getLogStores } = require('~/cache');
 
-// Mock the dependencies
 jest.mock('@librechat/data-schemas', () => ({
   logger: {
     debug: jest.fn(),
@@ -11,8 +10,8 @@ jest.mock('@librechat/data-schemas', () => ({
 }));
 
 jest.mock('~/server/services/Config', () => ({
-  getCustomConfig: jest.fn(),
   getCachedTools: jest.fn(),
+  getAppConfig: jest.fn(),
 }));
 
 jest.mock('~/server/services/ToolService', () => ({
@@ -22,35 +21,251 @@ jest.mock('~/server/services/ToolService', () => ({
 jest.mock('~/config', () => ({
   getMCPManager: jest.fn(() => ({
     loadManifestTools: jest.fn().mockResolvedValue([]),
+    getRawConfig: jest.fn(),
   })),
   getFlowStateManager: jest.fn(),
 }));
 
 jest.mock('~/app/clients/tools', () => ({
   availableTools: [],
+  toolkits: [],
 }));
 
 jest.mock('~/cache', () => ({
   getLogStores: jest.fn(),
 }));
 
+jest.mock('@librechat/api', () => ({
+  getToolkitKey: jest.fn(),
+  checkPluginAuth: jest.fn(),
+  filterUniquePlugins: jest.fn(),
+  convertMCPToolsToPlugins: jest.fn(),
+}));
+
 // Import the actual module with the function we want to test
-const { getAvailableTools } = require('./PluginController');
+const { getAvailableTools, getAvailablePluginsController } = require('./PluginController');
+const {
+  filterUniquePlugins,
+  checkPluginAuth,
+  convertMCPToolsToPlugins,
+  getToolkitKey,
+} = require('@librechat/api');
 
 describe('PluginController', () => {
-  describe('plugin.icon behavior', () => {
-    let mockReq, mockRes, mockCache;
+  let mockReq, mockRes, mockCache;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    mockReq = { user: { id: 'test-user-id' } };
+    mockRes = { status: jest.fn().mockReturnThis(), json: jest.fn() };
+    mockCache = { get: jest.fn(), set: jest.fn() };
+    getLogStores.mockReturnValue(mockCache);
+  });
+
+  describe('getAvailablePluginsController', () => {
+    beforeEach(() => {
+      getAppConfig.mockResolvedValue({
+        filteredTools: [],
+        includedTools: [],
+      });
+    });
+
+    it('should use filterUniquePlugins to remove duplicate plugins', async () => {
+      const mockPlugins = [
+        { name: 'Plugin1', pluginKey: 'key1', description: 'First' },
+        { name: 'Plugin2', pluginKey: 'key2', description: 'Second' },
+      ];
 
-    const callGetAvailableToolsWithMCPServer = async (mcpServers) => {
       mockCache.get.mockResolvedValue(null);
-      getCustomConfig.mockResolvedValue({ mcpServers });
+      filterUniquePlugins.mockReturnValue(mockPlugins);
+      checkPluginAuth.mockReturnValue(true);
+
+      await getAvailablePluginsController(mockReq, mockRes);
+
+      expect(filterUniquePlugins).toHaveBeenCalled();
+      expect(mockRes.status).toHaveBeenCalledWith(200);
+      // The response includes authenticated: true for each plugin when checkPluginAuth returns true
+      expect(mockRes.json).toHaveBeenCalledWith([
+        { name: 'Plugin1', pluginKey: 'key1', description: 'First', authenticated: true },
+        { name: 'Plugin2', pluginKey: 'key2', description: 'Second', authenticated: true },
+      ]);
+    });
+
+    it('should use checkPluginAuth to verify plugin authentication', async () => {
+      const mockPlugin = { name: 'Plugin1', pluginKey: 'key1', description: 'First' };
+
+      mockCache.get.mockResolvedValue(null);
+      filterUniquePlugins.mockReturnValue([mockPlugin]);
+      checkPluginAuth.mockReturnValueOnce(true);
+
+      await getAvailablePluginsController(mockReq, mockRes);
+
+      expect(checkPluginAuth).toHaveBeenCalledWith(mockPlugin);
+      const responseData = mockRes.json.mock.calls[0][0];
+      expect(responseData[0].authenticated).toBe(true);
+    });
+
+    it('should return cached plugins when available', async () => {
+      const cachedPlugins = [
+        { name: 'CachedPlugin', pluginKey: 'cached', description: 'Cached plugin' },
+      ];
+
+      mockCache.get.mockResolvedValue(cachedPlugins);
+
+      await getAvailablePluginsController(mockReq, mockRes);
+
+      expect(filterUniquePlugins).not.toHaveBeenCalled();
+      expect(checkPluginAuth).not.toHaveBeenCalled();
+      expect(mockRes.json).toHaveBeenCalledWith(cachedPlugins);
+    });
+
+    it('should filter plugins based on includedTools', async () => {
+      const mockPlugins = [
+        { name: 'Plugin1', pluginKey: 'key1', description: 'First' },
+        { name: 'Plugin2', pluginKey: 'key2', description: 'Second' },
+      ];
+
+      getAppConfig.mockResolvedValue({
+        filteredTools: [],
+        includedTools: ['key1'],
+      });
+      mockCache.get.mockResolvedValue(null);
+      filterUniquePlugins.mockReturnValue(mockPlugins);
+      checkPluginAuth.mockReturnValue(false);
+
+      await getAvailablePluginsController(mockReq, mockRes);
+
+      const responseData = mockRes.json.mock.calls[0][0];
+      expect(responseData).toHaveLength(1);
+      expect(responseData[0].pluginKey).toBe('key1');
+    });
+  });
+
+  describe('getAvailableTools', () => {
+    it('should use convertMCPToolsToPlugins for user-specific MCP tools', async () => {
+      const mockUserTools = {
+        [`tool1${Constants.mcp_delimiter}server1`]: {
+          function: { name: 'tool1', description: 'Tool 1' },
+        },
+      };
+      const mockConvertedPlugins = [
+        {
+          name: 'tool1',
+          pluginKey: `tool1${Constants.mcp_delimiter}server1`,
+          description: 'Tool 1',
+        },
+      ];
+
+      mockCache.get.mockResolvedValue(null);
+      getCachedTools.mockResolvedValueOnce(mockUserTools);
+      convertMCPToolsToPlugins.mockReturnValue(mockConvertedPlugins);
+      filterUniquePlugins.mockImplementation((plugins) => plugins);
+
+      await getAvailableTools(mockReq, mockRes);
+
+      expect(convertMCPToolsToPlugins).toHaveBeenCalledWith({
+        functionTools: mockUserTools,
+        mcpManager: expect.any(Object),
+      });
+    });
+
+    it('should use filterUniquePlugins to deduplicate combined tools', async () => {
+      const mockUserPlugins = [
+        { name: 'UserTool', pluginKey: 'user-tool', description: 'User tool' },
+      ];
+      const mockManifestPlugins = [
+        { name: 'ManifestTool', pluginKey: 'manifest-tool', description: 'Manifest tool' },
+      ];
+
+      mockCache.get.mockResolvedValue(mockManifestPlugins);
+      getCachedTools.mockResolvedValueOnce({});
+      convertMCPToolsToPlugins.mockReturnValue(mockUserPlugins);
+      filterUniquePlugins.mockReturnValue([...mockUserPlugins, ...mockManifestPlugins]);
+
+      await getAvailableTools(mockReq, mockRes);
+
+      // Should be called to deduplicate the combined array
+      expect(filterUniquePlugins).toHaveBeenLastCalledWith([
+        ...mockUserPlugins,
+        ...mockManifestPlugins,
+      ]);
+    });
+
+    it('should use checkPluginAuth to verify authentication status', async () => {
+      const mockPlugin = { name: 'Tool1', pluginKey: 'tool1', description: 'Tool 1' };
+
+      mockCache.get.mockResolvedValue(null);
+      getCachedTools.mockResolvedValue({});
+      convertMCPToolsToPlugins.mockReturnValue([]);
+      filterUniquePlugins.mockReturnValue([mockPlugin]);
+      checkPluginAuth.mockReturnValue(true);
+
+      // Mock getCachedTools second call to return tool definitions
+      getCachedTools.mockResolvedValueOnce({}).mockResolvedValueOnce({ tool1: true });
+
+      await getAvailableTools(mockReq, mockRes);
+
+      expect(checkPluginAuth).toHaveBeenCalledWith(mockPlugin);
+    });
+
+    it('should use getToolkitKey for toolkit validation', async () => {
+      const mockToolkit = {
+        name: 'Toolkit1',
+        pluginKey: 'toolkit1',
+        description: 'Toolkit 1',
+        toolkit: true,
+      };
+
+      mockCache.get.mockResolvedValue(null);
+      getCachedTools.mockResolvedValue({});
+      convertMCPToolsToPlugins.mockReturnValue([]);
+      filterUniquePlugins.mockReturnValue([mockToolkit]);
+      checkPluginAuth.mockReturnValue(false);
+      getToolkitKey.mockReturnValue('toolkit1');
+
+      // Mock getCachedTools second call to return tool definitions
+      getCachedTools.mockResolvedValueOnce({}).mockResolvedValueOnce({
+        toolkit1_function: true,
+      });
+
+      await getAvailableTools(mockReq, mockRes);
+
+      expect(getToolkitKey).toHaveBeenCalled();
+    });
+  });
+
+  describe('plugin.icon behavior', () => {
+    const callGetAvailableToolsWithMCPServer = async (serverConfig) => {
+      mockCache.get.mockResolvedValue(null);
 
       const functionTools = {
         [`test-tool${Constants.mcp_delimiter}test-server`]: {
           function: { name: 'test-tool', description: 'A test tool' },
         },
       };
+
+      const mockConvertedPlugin = {
+        name: 'test-tool',
+        pluginKey: `test-tool${Constants.mcp_delimiter}test-server`,
+        description: 'A test tool',
+        icon: serverConfig?.iconPath,
+        authenticated: true,
+        authConfig: [],
+      };
+
+      // Mock the MCP manager to return the server config
+      const mockMCPManager = {
+        loadManifestTools: jest.fn().mockResolvedValue([]),
+        getRawConfig: jest.fn().mockReturnValue(serverConfig),
+      };
+      require('~/config').getMCPManager.mockReturnValue(mockMCPManager);
+
       getCachedTools.mockResolvedValueOnce(functionTools);
+      convertMCPToolsToPlugins.mockReturnValue([mockConvertedPlugin]);
+      filterUniquePlugins.mockImplementation((plugins) => plugins);
+      checkPluginAuth.mockReturnValue(true);
+      getToolkitKey.mockReturnValue(undefined);
+
       getCachedTools.mockResolvedValueOnce({
         [`test-tool${Constants.mcp_delimiter}test-server`]: true,
       });
@@ -60,30 +275,258 @@ describe('PluginController', () => {
       return responseData.find((tool) => tool.name === 'test-tool');
     };
 
-    beforeEach(() => {
-      jest.clearAllMocks();
-      mockReq = { user: { id: 'test-user-id' } };
-      mockRes = { status: jest.fn().mockReturnThis(), json: jest.fn() };
-      mockCache = { get: jest.fn(), set: jest.fn() };
-      getLogStores.mockReturnValue(mockCache);
-    });
-
     it('should set plugin.icon when iconPath is defined', async () => {
-      const mcpServers = {
-        'test-server': {
-          iconPath: '/path/to/icon.png',
-        },
+      const serverConfig = {
+        iconPath: '/path/to/icon.png',
       };
-      const testTool = await callGetAvailableToolsWithMCPServer(mcpServers);
+      const testTool = await callGetAvailableToolsWithMCPServer(serverConfig);
       expect(testTool.icon).toBe('/path/to/icon.png');
     });
 
     it('should set plugin.icon to undefined when iconPath is not defined', async () => {
-      const mcpServers = {
-        'test-server': {},
-      };
-      const testTool = await callGetAvailableToolsWithMCPServer(mcpServers);
+      const serverConfig = {};
+      const testTool = await callGetAvailableToolsWithMCPServer(serverConfig);
       expect(testTool.icon).toBeUndefined();
     });
   });
+
+  describe('helper function integration', () => {
+    it('should properly handle MCP tools with custom user variables', async () => {
+      const appConfig = {
+        mcpConfig: {
+          'test-server': {
+            customUserVars: {
+              API_KEY: { title: 'API Key', description: 'Your API key' },
+            },
+          },
+        },
+      };
+
+      // We need to test the actual flow where MCP manager tools are included
+      const mcpManagerTools = [
+        {
+          name: 'tool1',
+          pluginKey: `tool1${Constants.mcp_delimiter}test-server`,
+          description: 'Tool 1',
+          authenticated: true,
+        },
+      ];
+
+      // Mock the MCP manager to return tools
+      const mockMCPManager = {
+        loadManifestTools: jest.fn().mockResolvedValue(mcpManagerTools),
+        getRawConfig: jest.fn(),
+      };
+      require('~/config').getMCPManager.mockReturnValue(mockMCPManager);
+
+      mockCache.get.mockResolvedValue(null);
+      getAppConfig.mockResolvedValue(appConfig);
+
+      // First call returns user tools (empty in this case)
+      getCachedTools.mockResolvedValueOnce({});
+
+      // Mock convertMCPToolsToPlugins to return empty array for user tools
+      convertMCPToolsToPlugins.mockReturnValue([]);
+
+      // Mock filterUniquePlugins to pass through
+      filterUniquePlugins.mockImplementation((plugins) => plugins || []);
+
+      // Mock checkPluginAuth
+      checkPluginAuth.mockReturnValue(true);
+
+      // Second call returns tool definitions
+      getCachedTools.mockResolvedValueOnce({
+        [`tool1${Constants.mcp_delimiter}test-server`]: true,
+      });
+
+      await getAvailableTools(mockReq, mockRes);
+
+      const responseData = mockRes.json.mock.calls[0][0];
+
+      // Find the MCP tool in the response
+      const mcpTool = responseData.find(
+        (tool) => tool.pluginKey === `tool1${Constants.mcp_delimiter}test-server`,
+      );
+
+      // The actual implementation adds authConfig and sets authenticated to false when customUserVars exist
+      expect(mcpTool).toBeDefined();
+      expect(mcpTool.authConfig).toEqual([
+        { authField: 'API_KEY', label: 'API Key', description: 'Your API key' },
+      ]);
+      expect(mcpTool.authenticated).toBe(false);
+    });
+
+    it('should handle error cases gracefully', async () => {
+      mockCache.get.mockRejectedValue(new Error('Cache error'));
+
+      await getAvailableTools(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(500);
+      expect(mockRes.json).toHaveBeenCalledWith({ message: 'Cache error' });
+    });
+  });
+
+  describe('edge cases with undefined/null values', () => {
+    it('should handle undefined cache gracefully', async () => {
+      getLogStores.mockReturnValue(undefined);
+
+      await getAvailableTools(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(500);
+    });
+
+    it('should handle null cachedTools and cachedUserTools', async () => {
+      mockCache.get.mockResolvedValue(null);
+      getCachedTools.mockResolvedValue(null);
+      convertMCPToolsToPlugins.mockReturnValue(undefined);
+      filterUniquePlugins.mockImplementation((plugins) => plugins || []);
+
+      await getAvailableTools(mockReq, mockRes);
+
+      expect(convertMCPToolsToPlugins).toHaveBeenCalledWith({
+        functionTools: null,
+        mcpManager: expect.any(Object),
+      });
+    });
+
+    it('should handle when getCachedTools returns undefined', async () => {
+      mockCache.get.mockResolvedValue(null);
+      getCachedTools.mockResolvedValue(undefined);
+      convertMCPToolsToPlugins.mockReturnValue(undefined);
+      filterUniquePlugins.mockImplementation((plugins) => plugins || []);
+      checkPluginAuth.mockReturnValue(false);
+
+      // Mock getCachedTools to return undefined for both calls
+      getCachedTools.mockReset();
+      getCachedTools.mockResolvedValueOnce(undefined).mockResolvedValueOnce(undefined);
+
+      await getAvailableTools(mockReq, mockRes);
+
+      expect(convertMCPToolsToPlugins).toHaveBeenCalledWith({
+        functionTools: undefined,
+        mcpManager: expect.any(Object),
+      });
+    });
+
+    it('should handle cachedToolsArray and userPlugins both being defined', async () => {
+      const cachedTools = [{ name: 'CachedTool', pluginKey: 'cached-tool', description: 'Cached' }];
+      const userTools = {
+        'user-tool': { function: { name: 'user-tool', description: 'User tool' } },
+      };
+      const userPlugins = [{ name: 'UserTool', pluginKey: 'user-tool', description: 'User tool' }];
+
+      mockCache.get.mockResolvedValue(cachedTools);
+      getCachedTools.mockResolvedValue(userTools);
+      convertMCPToolsToPlugins.mockReturnValue(userPlugins);
+      filterUniquePlugins.mockReturnValue([...userPlugins, ...cachedTools]);
+
+      await getAvailableTools(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(200);
+      expect(mockRes.json).toHaveBeenCalledWith([...userPlugins, ...cachedTools]);
+    });
+
+    it('should handle empty toolDefinitions object', async () => {
+      mockCache.get.mockResolvedValue(null);
+      getCachedTools.mockResolvedValueOnce({}).mockResolvedValueOnce({});
+      convertMCPToolsToPlugins.mockReturnValue([]);
+      filterUniquePlugins.mockImplementation((plugins) => plugins || []);
+      checkPluginAuth.mockReturnValue(true);
+
+      await getAvailableTools(mockReq, mockRes);
+
+      // With empty tool definitions, no tools should be in the final output
+      expect(mockRes.json).toHaveBeenCalledWith([]);
+    });
+
+    it('should handle MCP tools without customUserVars', async () => {
+      const customConfig = {
+        mcpServers: {
+          'test-server': {
+            // No customUserVars defined
+          },
+        },
+      };
+
+      const mockUserTools = {
+        [`tool1${Constants.mcp_delimiter}test-server`]: {
+          function: { name: 'tool1', description: 'Tool 1' },
+        },
+      };
+
+      // Mock the MCP manager to return server config without customUserVars
+      const mockMCPManager = {
+        loadManifestTools: jest.fn().mockResolvedValue([]),
+        getRawConfig: jest.fn().mockReturnValue(customConfig.mcpServers['test-server']),
+      };
+      require('~/config').getMCPManager.mockReturnValue(mockMCPManager);
+
+      mockCache.get.mockResolvedValue(null);
+      getAppConfig.mockResolvedValue({
+        mcpConfig: customConfig.mcpServers,
+        filteredTools: [],
+        includedTools: [],
+      });
+      getCachedTools.mockResolvedValueOnce(mockUserTools);
+
+      const mockPlugin = {
+        name: 'tool1',
+        pluginKey: `tool1${Constants.mcp_delimiter}test-server`,
+        description: 'Tool 1',
+        authenticated: true,
+        authConfig: [],
+      };
+
+      convertMCPToolsToPlugins.mockReturnValue([mockPlugin]);
+      filterUniquePlugins.mockImplementation((plugins) => plugins);
+      checkPluginAuth.mockReturnValue(true);
+
+      getCachedTools.mockResolvedValueOnce({
+        [`tool1${Constants.mcp_delimiter}test-server`]: true,
+      });
+
+      await getAvailableTools(mockReq, mockRes);
+
+      const responseData = mockRes.json.mock.calls[0][0];
+      expect(responseData[0].authenticated).toBe(true);
+      // The actual implementation doesn't set authConfig on tools without customUserVars
+      expect(responseData[0].authConfig).toEqual([]);
+    });
+
+    it('should handle undefined filteredTools and includedTools', async () => {
+      getAppConfig.mockResolvedValue({});
+      mockCache.get.mockResolvedValue(null);
+      filterUniquePlugins.mockReturnValue([]);
+      checkPluginAuth.mockReturnValue(false);
+
+      await getAvailablePluginsController(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(200);
+      expect(mockRes.json).toHaveBeenCalledWith([]);
+    });
+
+    it('should handle toolkit with undefined toolDefinitions keys', async () => {
+      const mockToolkit = {
+        name: 'Toolkit1',
+        pluginKey: 'toolkit1',
+        description: 'Toolkit 1',
+        toolkit: true,
+      };
+
+      mockCache.get.mockResolvedValue(null);
+      getCachedTools.mockResolvedValue({});
+      convertMCPToolsToPlugins.mockReturnValue([]);
+      filterUniquePlugins.mockReturnValue([mockToolkit]);
+      checkPluginAuth.mockReturnValue(false);
+      getToolkitKey.mockReturnValue(undefined);
+
+      // Mock getCachedTools second call to return null
+      getCachedTools.mockResolvedValueOnce({}).mockResolvedValueOnce(null);
+
+      await getAvailableTools(mockReq, mockRes);
+
+      // Should handle null toolDefinitions gracefully
+      expect(mockRes.status).toHaveBeenCalledWith(200);
+    });
+  });
 });

api/server/controllers/TwoFactorController.js

@@ -47,7 +47,7 @@ const verify2FA = async (req, res) => {
   try {
     const userId = req.user.id;
     const { token, backupCode } = req.body;
-    const user = await getUserById(userId);
+    const user = await getUserById(userId, '_id totpSecret backupCodes');
 
     if (!user || !user.totpSecret) {
       return res.status(400).json({ message: '2FA not initiated' });
@@ -79,7 +79,7 @@ const confirm2FA = async (req, res) => {
   try {
     const userId = req.user.id;
     const { token } = req.body;
-    const user = await getUserById(userId);
+    const user = await getUserById(userId, '_id totpSecret');
 
     if (!user || !user.totpSecret) {
       return res.status(400).json({ message: '2FA not initiated' });
@@ -99,10 +99,36 @@ const confirm2FA = async (req, res) => {
 
 /**
  * Disable 2FA by clearing the stored secret and backup codes.
+ * Requires verification with either TOTP token or backup code if 2FA is fully enabled.
  */
 const disable2FA = async (req, res) => {
   try {
     const userId = req.user.id;
+    const { token, backupCode } = req.body;
+    const user = await getUserById(userId, '_id totpSecret backupCodes');
+
+    if (!user || !user.totpSecret) {
+      return res.status(400).json({ message: '2FA is not setup for this user' });
+    }
+
+    if (user.twoFactorEnabled) {
+      const secret = await getTOTPSecret(user.totpSecret);
+      let isVerified = false;
+
+      if (token) {
+        isVerified = await verifyTOTP(secret, token);
+      } else if (backupCode) {
+        isVerified = await verifyBackupCode({ user, backupCode });
+      } else {
+        return res
+          .status(400)
+          .json({ message: 'Either token or backup code is required to disable 2FA' });
+      }
+
+      if (!isVerified) {
+        return res.status(401).json({ message: 'Invalid token or backup code' });
+      }
+    }
     await updateUser(userId, { totpSecret: null, backupCodes: [], twoFactorEnabled: false });
     return res.status(200).json();
   } catch (err) {

api/server/controllers/UserController.js

@@ -1,5 +1,5 @@
 const { logger } = require('@librechat/data-schemas');
-const { webSearchKeys, extractWebSearchEnvVars } = require('@librechat/api');
+const { webSearchKeys, extractWebSearchEnvVars, normalizeHttpError } = require('@librechat/api');
 const {
   getFiles,
   updateUser,
@@ -17,15 +17,23 @@ const { needsRefresh, getNewS3URL } = require('~/server/services/Files/S3/crud')
 const { Tools, Constants, FileSources } = require('librechat-data-provider');
 const { processDeleteRequest } = require('~/server/services/Files/process');
 const { Transaction, Balance, User } = require('~/db/models');
+const { getAppConfig } = require('~/server/services/Config');
 const { deleteToolCalls } = require('~/models/ToolCall');
 const { deleteAllSharedLinks } = require('~/models');
 const { getMCPManager } = require('~/config');
 
 const getUserController = async (req, res) => {
+  const appConfig = await getAppConfig({ role: req.user?.role });
   /** @type {MongoUser} */
   const userData = req.user.toObject != null ? req.user.toObject() : { ...req.user };
+  /**
+   * These fields should not exist due to secure field selection, but deletion
+   * is done in case of alternate database incompatibility with Mongo API
+   * */
+  delete userData.password;
   delete userData.totpSecret;
-  if (req.app.locals.fileStrategy === FileSources.s3 && userData.avatar) {
+  delete userData.backupCodes;
+  if (appConfig.fileStrategy === FileSources.s3 && userData.avatar) {
     const avatarNeedsRefresh = needsRefresh(userData.avatar, 3600);
     if (!avatarNeedsRefresh) {
       return res.status(200).send(userData);
@@ -81,6 +89,7 @@ const deleteUserFiles = async (req) => {
 };
 
 const updateUserPluginsController = async (req, res) => {
+  const appConfig = await getAppConfig({ role: req.user?.role });
   const { user } = req;
   const { pluginKey, action, auth, isEntityTool } = req.body;
   try {
@@ -89,8 +98,8 @@ const updateUserPluginsController = async (req, res) => {
 
       if (userPluginsService instanceof Error) {
         logger.error('[userPluginsService]', userPluginsService);
-        const { status, message } = userPluginsService;
-        res.status(status).send({ message });
+        const { status, message } = normalizeHttpError(userPluginsService);
+        return res.status(status).send({ message });
       }
     }
 
@@ -125,7 +134,7 @@ const updateUserPluginsController = async (req, res) => {
 
     if (pluginKey === Tools.web_search) {
       /** @type  {TCustomConfig['webSearch']} */
-      const webSearchConfig = req.app.locals?.webSearch;
+      const webSearchConfig = appConfig?.webSearch;
       keys = extractWebSearchEnvVars({
         keys: action === 'install' ? keys : webSearchKeys,
         config: webSearchConfig,
@@ -137,7 +146,7 @@ const updateUserPluginsController = async (req, res) => {
         authService = await updateUserPluginAuth(user.id, keys[i], pluginKey, values[i]);
         if (authService instanceof Error) {
           logger.error('[authService]', authService);
-          ({ status, message } = authService);
+          ({ status, message } = normalizeHttpError(authService));
         }
       }
     } else if (action === 'uninstall') {
@@ -151,7 +160,7 @@ const updateUserPluginsController = async (req, res) => {
             `[authService] Error deleting all auth for MCP tool ${pluginKey}:`,
             authService,
           );
-          ({ status, message } = authService);
+          ({ status, message } = normalizeHttpError(authService));
         }
       } else {
         // This handles:
@@ -163,7 +172,7 @@ const updateUserPluginsController = async (req, res) => {
           authService = await deleteUserPluginAuth(user.id, keys[i]); // Deletes by authField name
           if (authService instanceof Error) {
             logger.error('[authService] Error deleting specific auth key:', authService);
-            ({ status, message } = authService);
+            ({ status, message } = normalizeHttpError(authService));
           }
         }
       }
@@ -193,7 +202,8 @@ const updateUserPluginsController = async (req, res) => {
       return res.status(status).send();
     }
 
-    res.status(status).send({ message });
+    const normalized = normalizeHttpError({ status, message });
+    return res.status(normalized.status).send({ message: normalized.message });
   } catch (err) {
     logger.error('[updateUserPluginsController]', err);
     return res.status(500).json({ message: 'Something went wrong.' });

api/server/controllers/agents/callbacks.js

@@ -11,6 +11,7 @@ const {
   handleToolCalls,
   ChatModelStreamHandler,
 } = require('@librechat/agents');
+const { processFileCitations } = require('~/server/services/Files/Citations');
 const { processCodeOutput } = require('~/server/services/Files/Code/process');
 const { loadAuthValues } = require('~/server/services/Tools/credentials');
 const { saveBase64Image } = require('~/server/services/Files/process');
@@ -238,6 +239,31 @@ function createToolEndCallback({ req, res, artifactPromises }) {
       return;
     }
 
+    if (output.artifact[Tools.file_search]) {
+      artifactPromises.push(
+        (async () => {
+          const user = req.user;
+          const attachment = await processFileCitations({
+            user,
+            metadata,
+            toolArtifact: output.artifact,
+            toolCallId: output.tool_call_id,
+          });
+          if (!attachment) {
+            return null;
+          }
+          if (!res.headersSent) {
+            return attachment;
+          }
+          res.write(`event: attachment\ndata: ${JSON.stringify(attachment)}\n\n`);
+          return attachment;
+        })().catch((error) => {
+          logger.error('Error processing file citations:', error);
+          return null;
+        }),
+      );
+    }
+
     if (output.artifact[Tools.web_search]) {
       artifactPromises.push(
         (async () => {

api/server/controllers/agents/client.js

@@ -7,6 +7,8 @@ const {
   createRun,
   Tokenizer,
   checkAccess,
+  hasCustomUserVars,
+  getUserMCPAuthMap,
   memoryInstructions,
   formatContentStrings,
   createMemoryProcessor,
@@ -39,10 +41,10 @@ const {
   deleteMemory,
   setMemory,
 } = require('~/models');
-const { getMCPAuthMap, checkCapability, hasCustomUserVars } = require('~/server/services/Config');
 const { addCacheControl, createContextHandlers } = require('~/app/clients/prompts');
 const { initializeAgent } = require('~/server/services/Endpoints/agents/agent');
 const { spendTokens, spendStructuredTokens } = require('~/models/spendTokens');
+const { checkCapability, getAppConfig } = require('~/server/services/Config');
 const { encodeAndFormat } = require('~/server/services/Files/images/encode');
 const { getProviderConfig } = require('~/server/services/Endpoints');
 const BaseClient = require('~/app/clients/BaseClient');
@@ -402,6 +404,34 @@ class AgentClient extends BaseClient {
     return result;
   }
 
+  /**
+   * Creates a promise that resolves with the memory promise result or undefined after a timeout
+   * @param {Promise<(TAttachment | null)[] | undefined>} memoryPromise - The memory promise to await
+   * @param {number} timeoutMs - Timeout in milliseconds (default: 3000)
+   * @returns {Promise<(TAttachment | null)[] | undefined>}
+   */
+  async awaitMemoryWithTimeout(memoryPromise, timeoutMs = 3000) {
+    if (!memoryPromise) {
+      return;
+    }
+
+    try {
+      const timeoutPromise = new Promise((_, reject) =>
+        setTimeout(() => reject(new Error('Memory processing timeout')), timeoutMs),
+      );
+
+      const attachments = await Promise.race([memoryPromise, timeoutPromise]);
+      return attachments;
+    } catch (error) {
+      if (error.message === 'Memory processing timeout') {
+        logger.warn('[AgentClient] Memory processing timed out after 3 seconds');
+      } else {
+        logger.error('[AgentClient] Error processing memory:', error);
+      }
+      return;
+    }
+  }
+
   /**
    * @returns {Promise<string | undefined>}
    */
@@ -423,8 +453,8 @@ class AgentClient extends BaseClient {
       );
       return;
     }
-    /** @type {TCustomConfig['memory']} */
-    const memoryConfig = this.options.req?.app?.locals?.memory;
+    const appConfig = await getAppConfig({ role: user.role });
+    const memoryConfig = appConfig.memory;
     if (!memoryConfig || memoryConfig.disabled === true) {
       return;
     }
@@ -432,7 +462,7 @@ class AgentClient extends BaseClient {
     /** @type {Agent} */
     let prelimAgent;
     const allowedProviders = new Set(
-      this.options.req?.app?.locals?.[EModelEndpoint.agents]?.allowedProviders,
+      appConfig?.endpoints?.[EModelEndpoint.agents]?.allowedProviders,
     );
     try {
       if (memoryConfig.agent?.id != null && memoryConfig.agent.id !== this.options.agent.id) {
@@ -554,8 +584,8 @@ class AgentClient extends BaseClient {
       if (this.processMemory == null) {
         return;
       }
-      /** @type {TCustomConfig['memory']} */
-      const memoryConfig = this.options.req?.app?.locals?.memory;
+      const appConfig = await getAppConfig({ role: this.options.req.user?.role });
+      const memoryConfig = appConfig.memory;
       const messageWindowSize = memoryConfig?.messageWindowSize ?? 5;
 
       let messagesToProcess = [...messages];
@@ -596,9 +626,15 @@ class AgentClient extends BaseClient {
    * @param {Object} params
    * @param {string} [params.model]
    * @param {string} [params.context='message']
+   * @param {AppConfig['balance']} [params.balance]
    * @param {UsageMetadata[]} [params.collectedUsage=this.collectedUsage]
    */
-  async recordCollectedUsage({ model, context = 'message', collectedUsage = this.collectedUsage }) {
+  async recordCollectedUsage({
+    model,
+    balance,
+    context = 'message',
+    collectedUsage = this.collectedUsage,
+  }) {
     if (!collectedUsage || !collectedUsage.length) {
       return;
     }
@@ -620,6 +656,7 @@ class AgentClient extends BaseClient {
 
       const txMetadata = {
         context,
+        balance,
         conversationId: this.conversationId,
         user: this.user ?? this.options.req.user?.id,
         endpointTokenConfig: this.options.endpointTokenConfig,
@@ -731,8 +768,9 @@ class AgentClient extends BaseClient {
         abortController = new AbortController();
       }
 
-      /** @type {TCustomConfig['endpoints']['agents']} */
-      const agentsEConfig = this.options.req.app.locals[EModelEndpoint.agents];
+      const appConfig = await getAppConfig({ role: this.options.req.user?.role });
+      /** @type {AppConfig['endpoints']['agents']} */
+      const agentsEConfig = appConfig.endpoints?.[EModelEndpoint.agents];
 
       config = {
         configurable: {
@@ -740,6 +778,11 @@ class AgentClient extends BaseClient {
           last_agent_index: this.agentConfigs?.size ?? 0,
           user_id: this.user ?? this.options.req.user?.id,
           hide_sequential_outputs: this.options.agent.hide_sequential_outputs,
+          requestBody: {
+            messageId: this.responseMessageId,
+            conversationId: this.conversationId,
+            parentMessageId: this.parentMessageId,
+          },
           user: this.options.req.user,
         },
         recursionLimit: agentsEConfig?.recursionLimit ?? 25,
@@ -810,7 +853,7 @@ class AgentClient extends BaseClient {
 
         if (noSystemMessages === true && systemContent?.length) {
           const latestMessageContent = _messages.pop().content;
-          if (typeof latestMessage !== 'string') {
+          if (typeof latestMessageContent !== 'string') {
             latestMessageContent[0].text = [systemContent, latestMessageContent[0].text].join('\n');
             _messages.push(new HumanMessage({ content: latestMessageContent }));
           } else {
@@ -871,10 +914,10 @@ class AgentClient extends BaseClient {
         }
 
         try {
-          if (await hasCustomUserVars()) {
-            config.configurable.userMCPAuthMap = await getMCPAuthMap({
-              tools: agent.tools,
+          if (agent.tools?.length && hasCustomUserVars(appConfig)) {
+            config.configurable.userMCPAuthMap = await getUserMCPAuthMap({
               userId: this.options.req.user.id,
+              tools: agent.tools,
               findPluginAuthsByKeys,
             });
           }
@@ -1002,13 +1045,12 @@ class AgentClient extends BaseClient {
       });
 
       try {
-        if (memoryPromise) {
-          const attachments = await memoryPromise;
-          if (attachments && attachments.length > 0) {
-            this.artifactPromises.push(...attachments);
-          }
+        const attachments = await this.awaitMemoryWithTimeout(memoryPromise);
+        if (attachments && attachments.length > 0) {
+          this.artifactPromises.push(...attachments);
         }
-        await this.recordCollectedUsage({ context: 'message' });
+
+        await this.recordCollectedUsage({ context: 'message', balance: appConfig?.balance });
       } catch (err) {
         logger.error(
           '[api/server/controllers/agents/client.js #chatCompletion] Error recording collected usage',
@@ -1016,11 +1058,9 @@ class AgentClient extends BaseClient {
         );
       }
     } catch (err) {
-      if (memoryPromise) {
-        const attachments = await memoryPromise;
-        if (attachments && attachments.length > 0) {
-          this.artifactPromises.push(...attachments);
-        }
+      const attachments = await this.awaitMemoryWithTimeout(memoryPromise);
+      if (attachments && attachments.length > 0) {
+        this.artifactPromises.push(...attachments);
       }
       logger.error(
         '[api/server/controllers/agents/client.js #sendCompletion] Operation aborted',
@@ -1051,19 +1091,21 @@ class AgentClient extends BaseClient {
     }
     const { handleLLMEnd, collected: collectedMetadata } = createMetadataAggregator();
     const { req, res, agent } = this.options;
+    const appConfig = await getAppConfig({ role: req.user?.role });
     let endpoint = agent.endpoint;
 
     /** @type {import('@librechat/agents').ClientOptions} */
     let clientOptions = {
-      maxTokens: 75,
       model: agent.model || agent.model_parameters.model,
     };
 
-    let titleProviderConfig = await getProviderConfig(endpoint);
+    let titleProviderConfig = getProviderConfig({ provider: endpoint, appConfig });
 
     /** @type {TEndpoint | undefined} */
     const endpointConfig =
-      req.app.locals.all ?? req.app.locals[endpoint] ?? titleProviderConfig.customEndpointConfig;
+      appConfig.endpoints?.all ??
+      appConfig.endpoints?.[endpoint] ??
+      titleProviderConfig.customEndpointConfig;
     if (!endpointConfig) {
       logger.warn(
         '[api/server/controllers/agents/client.js #titleConvo] Error getting endpoint config',
@@ -1072,7 +1114,10 @@ class AgentClient extends BaseClient {
 
     if (endpointConfig?.titleEndpoint && endpointConfig.titleEndpoint !== endpoint) {
       try {
-        titleProviderConfig = await getProviderConfig(endpointConfig.titleEndpoint);
+        titleProviderConfig = getProviderConfig({
+          provider: endpointConfig.titleEndpoint,
+          appConfig,
+        });
         endpoint = endpointConfig.titleEndpoint;
       } catch (error) {
         logger.warn(
@@ -1081,7 +1126,7 @@ class AgentClient extends BaseClient {
         );
         // Fall back to original provider config
         endpoint = agent.endpoint;
-        titleProviderConfig = await getProviderConfig(endpoint);
+        titleProviderConfig = getProviderConfig({ provider: endpoint, appConfig });
       }
     }
 
@@ -1122,12 +1167,15 @@ class AgentClient extends BaseClient {
       clientOptions.configuration = options.configOptions;
     }
 
-    // Ensure maxTokens is set for non-o1 models
-    if (!/\b(o\d)\b/i.test(clientOptions.model) && !clientOptions.maxTokens) {
-      clientOptions.maxTokens = 75;
-    } else if (/\b(o\d)\b/i.test(clientOptions.model) && clientOptions.maxTokens != null) {
+    if (clientOptions.maxTokens != null) {
       delete clientOptions.maxTokens;
     }
+    if (clientOptions?.modelKwargs?.max_completion_tokens != null) {
+      delete clientOptions.modelKwargs.max_completion_tokens;
+    }
+    if (clientOptions?.modelKwargs?.max_output_tokens != null) {
+      delete clientOptions.modelKwargs.max_output_tokens;
+    }
 
     clientOptions = Object.assign(
       Object.fromEntries(
@@ -1182,9 +1230,10 @@ class AgentClient extends BaseClient {
       });
 
       await this.recordCollectedUsage({
-        model: clientOptions.model,
-        context: 'title',
         collectedUsage,
+        context: 'title',
+        model: clientOptions.model,
+        balance: appConfig?.balance,
       }).catch((err) => {
         logger.error(
           '[api/server/controllers/agents/client.js #titleConvo] Error recording collected usage',
@@ -1203,17 +1252,26 @@ class AgentClient extends BaseClient {
    * @param {object} params
    * @param {number} params.promptTokens
    * @param {number} params.completionTokens
-   * @param {OpenAIUsageMetadata} [params.usage]
    * @param {string} [params.model]
+   * @param {OpenAIUsageMetadata} [params.usage]
+   * @param {AppConfig['balance']} [params.balance]
    * @param {string} [params.context='message']
    * @returns {Promise<void>}
    */
-  async recordTokenUsage({ model, promptTokens, completionTokens, usage, context = 'message' }) {
+  async recordTokenUsage({
+    model,
+    usage,
+    balance,
+    promptTokens,
+    completionTokens,
+    context = 'message',
+  }) {
     try {
       await spendTokens(
         {
           model,
           context,
+          balance,
           conversationId: this.conversationId,
           user: this.user ?? this.options.req.user?.id,
           endpointTokenConfig: this.options.endpointTokenConfig,
@@ -1230,6 +1288,7 @@ class AgentClient extends BaseClient {
         await spendTokens(
           {
             model,
+            balance,
             context: 'reasoning',
             conversationId: this.conversationId,
             user: this.user ?? this.options.req.user?.id,

api/server/controllers/agents/client.test.js

@@ -1,5 +1,6 @@
 const { Providers } = require('@librechat/agents');
 const { Constants, EModelEndpoint } = require('librechat-data-provider');
+const { getAppConfig } = require('~/server/services/Config');
 const AgentClient = require('./client');
 
 jest.mock('@librechat/agents', () => ({
@@ -10,6 +11,10 @@ jest.mock('@librechat/agents', () => ({
   }),
 }));
 
+jest.mock('~/server/services/Config', () => ({
+  getAppConfig: jest.fn(),
+}));
+
 describe('AgentClient - titleConvo', () => {
   let client;
   let mockRun;
@@ -39,19 +44,21 @@ describe('AgentClient - titleConvo', () => {
       },
     };
 
-    // Mock request and response
-    mockReq = {
-      app: {
-        locals: {
-          [EModelEndpoint.openAI]: {
-            // Match the agent endpoint
-            titleModel: 'gpt-3.5-turbo',
-            titlePrompt: 'Custom title prompt',
-            titleMethod: 'structured',
-            titlePromptTemplate: 'Template: {{content}}',
-          },
+    // Mock getAppConfig to return endpoint configurations
+    getAppConfig.mockResolvedValue({
+      endpoints: {
+        [EModelEndpoint.openAI]: {
+          // Match the agent endpoint
+          titleModel: 'gpt-3.5-turbo',
+          titlePrompt: 'Custom title prompt',
+          titleMethod: 'structured',
+          titlePromptTemplate: 'Template: {{content}}',
         },
       },
+    });
+
+    // Mock request and response
+    mockReq = {
       user: {
         id: 'user-123',
       },
@@ -143,7 +150,7 @@ describe('AgentClient - titleConvo', () => {
 
     it('should handle missing endpoint config gracefully', async () => {
       // Remove endpoint config
-      mockReq.app.locals[EModelEndpoint.openAI] = undefined;
+      getAppConfig.mockResolvedValue({ endpoints: {} });
 
       const text = 'Test conversation text';
       const abortController = new AbortController();
@@ -161,7 +168,16 @@ describe('AgentClient - titleConvo', () => {
 
     it('should use agent model when titleModel is not provided', async () => {
       // Remove titleModel from config
-      delete mockReq.app.locals[EModelEndpoint.openAI].titleModel;
+      getAppConfig.mockResolvedValue({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titlePrompt: 'Custom title prompt',
+            titleMethod: 'structured',
+            titlePromptTemplate: 'Template: {{content}}',
+            // titleModel is omitted
+          },
+        },
+      });
 
       const text = 'Test conversation text';
       const abortController = new AbortController();
@@ -173,7 +189,16 @@ describe('AgentClient - titleConvo', () => {
     });
 
     it('should not use titleModel when it equals CURRENT_MODEL constant', async () => {
-      mockReq.app.locals[EModelEndpoint.openAI].titleModel = Constants.CURRENT_MODEL;
+      getAppConfig.mockResolvedValue({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titleModel: Constants.CURRENT_MODEL,
+            titlePrompt: 'Custom title prompt',
+            titleMethod: 'structured',
+            titlePromptTemplate: 'Template: {{content}}',
+          },
+        },
+      });
 
       const text = 'Test conversation text';
       const abortController = new AbortController();
@@ -245,10 +270,17 @@ describe('AgentClient - titleConvo', () => {
       process.env.ANTHROPIC_API_KEY = 'test-api-key';
 
       // Add titleEndpoint to the config
-      mockReq.app.locals[EModelEndpoint.openAI].titleEndpoint = EModelEndpoint.anthropic;
-      mockReq.app.locals[EModelEndpoint.openAI].titleMethod = 'structured';
-      mockReq.app.locals[EModelEndpoint.openAI].titlePrompt = 'Custom title prompt';
-      mockReq.app.locals[EModelEndpoint.openAI].titlePromptTemplate = 'Custom template';
+      getAppConfig.mockResolvedValue({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titleModel: 'gpt-3.5-turbo',
+            titleEndpoint: EModelEndpoint.anthropic,
+            titleMethod: 'structured',
+            titlePrompt: 'Custom title prompt',
+            titlePromptTemplate: 'Custom template',
+          },
+        },
+      });
 
       const text = 'Test conversation text';
       const abortController = new AbortController();
@@ -274,19 +306,17 @@ describe('AgentClient - titleConvo', () => {
     });
 
     it('should use all config when endpoint config is missing', async () => {
-      // Remove endpoint-specific config
-      delete mockReq.app.locals[EModelEndpoint.openAI].titleModel;
-      delete mockReq.app.locals[EModelEndpoint.openAI].titlePrompt;
-      delete mockReq.app.locals[EModelEndpoint.openAI].titleMethod;
-      delete mockReq.app.locals[EModelEndpoint.openAI].titlePromptTemplate;
-
-      // Set 'all' config
-      mockReq.app.locals.all = {
-        titleModel: 'gpt-4o-mini',
-        titlePrompt: 'All config title prompt',
-        titleMethod: 'completion',
-        titlePromptTemplate: 'All config template: {{content}}',
-      };
+      // Set 'all' config without endpoint-specific config
+      getAppConfig.mockResolvedValue({
+        endpoints: {
+          all: {
+            titleModel: 'gpt-4o-mini',
+            titlePrompt: 'All config title prompt',
+            titleMethod: 'completion',
+            titlePromptTemplate: 'All config template: {{content}}',
+          },
+        },
+      });
 
       const text = 'Test conversation text';
       const abortController = new AbortController();
@@ -309,18 +339,22 @@ describe('AgentClient - titleConvo', () => {
 
     it('should prioritize all config over endpoint config for title settings', async () => {
       // Set both endpoint and 'all' config
-      mockReq.app.locals[EModelEndpoint.openAI].titleModel = 'gpt-3.5-turbo';
-      mockReq.app.locals[EModelEndpoint.openAI].titlePrompt = 'Endpoint title prompt';
-      mockReq.app.locals[EModelEndpoint.openAI].titleMethod = 'structured';
-      // Remove titlePromptTemplate from endpoint config to test fallback
-      delete mockReq.app.locals[EModelEndpoint.openAI].titlePromptTemplate;
-
-      mockReq.app.locals.all = {
-        titleModel: 'gpt-4o-mini',
-        titlePrompt: 'All config title prompt',
-        titleMethod: 'completion',
-        titlePromptTemplate: 'All config template',
-      };
+      getAppConfig.mockResolvedValue({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titleModel: 'gpt-3.5-turbo',
+            titlePrompt: 'Endpoint title prompt',
+            titleMethod: 'structured',
+            // titlePromptTemplate is omitted to test fallback
+          },
+          all: {
+            titleModel: 'gpt-4o-mini',
+            titlePrompt: 'All config title prompt',
+            titleMethod: 'completion',
+            titlePromptTemplate: 'All config template',
+          },
+        },
+      });
 
       const text = 'Test conversation text';
       const abortController = new AbortController();
@@ -346,18 +380,19 @@ describe('AgentClient - titleConvo', () => {
       const originalApiKey = process.env.ANTHROPIC_API_KEY;
       process.env.ANTHROPIC_API_KEY = 'test-anthropic-key';
 
-      // Remove endpoint-specific config to test 'all' config
-      delete mockReq.app.locals[EModelEndpoint.openAI];
-
       // Set comprehensive 'all' config with all new title options
-      mockReq.app.locals.all = {
-        titleConvo: true,
-        titleModel: 'claude-3-haiku-20240307',
-        titleMethod: 'completion', // Testing the new default method
-        titlePrompt: 'Generate a concise, descriptive title for this conversation',
-        titlePromptTemplate: 'Conversation summary: {{content}}',
-        titleEndpoint: EModelEndpoint.anthropic, // Should switch provider to Anthropic
-      };
+      getAppConfig.mockResolvedValue({
+        endpoints: {
+          all: {
+            titleConvo: true,
+            titleModel: 'claude-3-haiku-20240307',
+            titleMethod: 'completion', // Testing the new default method
+            titlePrompt: 'Generate a concise, descriptive title for this conversation',
+            titlePromptTemplate: 'Conversation summary: {{content}}',
+            titleEndpoint: EModelEndpoint.anthropic, // Should switch provider to Anthropic
+          },
+        },
+      });
 
       const text = 'Test conversation about AI and machine learning';
       const abortController = new AbortController();
@@ -402,16 +437,17 @@ describe('AgentClient - titleConvo', () => {
         // Clear previous calls
         mockRun.generateTitle.mockClear();
 
-        // Remove endpoint config
-        delete mockReq.app.locals[EModelEndpoint.openAI];
-
         // Set 'all' config with specific titleMethod
-        mockReq.app.locals.all = {
-          titleModel: 'gpt-4o-mini',
-          titleMethod: method,
-          titlePrompt: `Testing ${method} method`,
-          titlePromptTemplate: `Template for ${method}: {{content}}`,
-        };
+        getAppConfig.mockResolvedValue({
+          endpoints: {
+            all: {
+              titleModel: 'gpt-4o-mini',
+              titleMethod: method,
+              titlePrompt: `Testing ${method} method`,
+              titlePromptTemplate: `Template for ${method}: {{content}}`,
+            },
+          },
+        });
 
         const text = `Test conversation for ${method} method`;
         const abortController = new AbortController();
@@ -455,32 +491,36 @@ describe('AgentClient - titleConvo', () => {
         // Set up Azure endpoint with serverless config
         mockAgent.endpoint = EModelEndpoint.azureOpenAI;
         mockAgent.provider = EModelEndpoint.azureOpenAI;
-        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
-          titleConvo: true,
-          titleModel: 'grok-3',
-          titleMethod: 'completion',
-          titlePrompt: 'Azure serverless title prompt',
-          streamRate: 35,
-          modelGroupMap: {
-            'grok-3': {
-              group: 'Azure AI Foundry',
-              deploymentName: 'grok-3',
-            },
-          },
-          groupMap: {
-            'Azure AI Foundry': {
-              apiKey: '${AZURE_API_KEY}',
-              baseURL: 'https://test.services.ai.azure.com/models',
-              version: '2024-05-01-preview',
-              serverless: true,
-              models: {
+        getAppConfig.mockResolvedValue({
+          endpoints: {
+            [EModelEndpoint.azureOpenAI]: {
+              titleConvo: true,
+              titleModel: 'grok-3',
+              titleMethod: 'completion',
+              titlePrompt: 'Azure serverless title prompt',
+              streamRate: 35,
+              modelGroupMap: {
                 'grok-3': {
+                  group: 'Azure AI Foundry',
                   deploymentName: 'grok-3',
                 },
               },
+              groupMap: {
+                'Azure AI Foundry': {
+                  apiKey: '${AZURE_API_KEY}',
+                  baseURL: 'https://test.services.ai.azure.com/models',
+                  version: '2024-05-01-preview',
+                  serverless: true,
+                  models: {
+                    'grok-3': {
+                      deploymentName: 'grok-3',
+                    },
+                  },
+                },
+              },
             },
           },
-        };
+        });
         mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
         mockReq.body.model = 'grok-3';
 
@@ -503,31 +543,35 @@ describe('AgentClient - titleConvo', () => {
         // Set up Azure endpoint
         mockAgent.endpoint = EModelEndpoint.azureOpenAI;
         mockAgent.provider = EModelEndpoint.azureOpenAI;
-        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
-          titleConvo: true,
-          titleModel: 'gpt-4o',
-          titleMethod: 'structured',
-          titlePrompt: 'Azure instance title prompt',
-          streamRate: 35,
-          modelGroupMap: {
-            'gpt-4o': {
-              group: 'eastus',
-              deploymentName: 'gpt-4o',
-            },
-          },
-          groupMap: {
-            eastus: {
-              apiKey: '${EASTUS_API_KEY}',
-              instanceName: 'region-instance',
-              version: '2024-02-15-preview',
-              models: {
+        getAppConfig.mockResolvedValue({
+          endpoints: {
+            [EModelEndpoint.azureOpenAI]: {
+              titleConvo: true,
+              titleModel: 'gpt-4o',
+              titleMethod: 'structured',
+              titlePrompt: 'Azure instance title prompt',
+              streamRate: 35,
+              modelGroupMap: {
                 'gpt-4o': {
+                  group: 'eastus',
                   deploymentName: 'gpt-4o',
                 },
               },
+              groupMap: {
+                eastus: {
+                  apiKey: '${EASTUS_API_KEY}',
+                  instanceName: 'region-instance',
+                  version: '2024-02-15-preview',
+                  models: {
+                    'gpt-4o': {
+                      deploymentName: 'gpt-4o',
+                    },
+                  },
+                },
+              },
             },
           },
-        };
+        });
         mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
         mockReq.body.model = 'gpt-4o';
 
@@ -551,32 +595,36 @@ describe('AgentClient - titleConvo', () => {
         mockAgent.endpoint = EModelEndpoint.azureOpenAI;
         mockAgent.provider = EModelEndpoint.azureOpenAI;
         mockAgent.model_parameters.model = 'gpt-4o-latest';
-        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
-          titleConvo: true,
-          titleModel: Constants.CURRENT_MODEL,
-          titleMethod: 'functions',
-          streamRate: 35,
-          modelGroupMap: {
-            'gpt-4o-latest': {
-              group: 'region-eastus',
-              deploymentName: 'gpt-4o-mini',
-              version: '2024-02-15-preview',
-            },
-          },
-          groupMap: {
-            'region-eastus': {
-              apiKey: '${EASTUS2_API_KEY}',
-              instanceName: 'test-instance',
-              version: '2024-12-01-preview',
-              models: {
+        getAppConfig.mockResolvedValue({
+          endpoints: {
+            [EModelEndpoint.azureOpenAI]: {
+              titleConvo: true,
+              titleModel: Constants.CURRENT_MODEL,
+              titleMethod: 'functions',
+              streamRate: 35,
+              modelGroupMap: {
                 'gpt-4o-latest': {
+                  group: 'region-eastus',
                   deploymentName: 'gpt-4o-mini',
                   version: '2024-02-15-preview',
                 },
               },
+              groupMap: {
+                'region-eastus': {
+                  apiKey: '${EASTUS2_API_KEY}',
+                  instanceName: 'test-instance',
+                  version: '2024-12-01-preview',
+                  models: {
+                    'gpt-4o-latest': {
+                      deploymentName: 'gpt-4o-mini',
+                      version: '2024-02-15-preview',
+                    },
+                  },
+                },
+              },
             },
           },
-        };
+        });
         mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
         mockReq.body.model = 'gpt-4o-latest';
 
@@ -598,59 +646,63 @@ describe('AgentClient - titleConvo', () => {
         // Set up Azure endpoint
         mockAgent.endpoint = EModelEndpoint.azureOpenAI;
         mockAgent.provider = EModelEndpoint.azureOpenAI;
-        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
-          titleConvo: true,
-          titleModel: 'o1-mini',
-          titleMethod: 'completion',
-          streamRate: 35,
-          modelGroupMap: {
-            'gpt-4o': {
-              group: 'eastus',
-              deploymentName: 'gpt-4o',
-            },
-            'o1-mini': {
-              group: 'region-eastus',
-              deploymentName: 'o1-mini',
-            },
-            'codex-mini': {
-              group: 'codex-mini',
-              deploymentName: 'codex-mini',
-            },
-          },
-          groupMap: {
-            eastus: {
-              apiKey: '${EASTUS_API_KEY}',
-              instanceName: 'region-eastus',
-              version: '2024-02-15-preview',
-              models: {
+        getAppConfig.mockResolvedValue({
+          endpoints: {
+            [EModelEndpoint.azureOpenAI]: {
+              titleConvo: true,
+              titleModel: 'o1-mini',
+              titleMethod: 'completion',
+              streamRate: 35,
+              modelGroupMap: {
                 'gpt-4o': {
+                  group: 'eastus',
                   deploymentName: 'gpt-4o',
                 },
-              },
-            },
-            'region-eastus': {
-              apiKey: '${EASTUS2_API_KEY}',
-              instanceName: 'region-eastus2',
-              version: '2024-12-01-preview',
-              models: {
                 'o1-mini': {
+                  group: 'region-eastus',
                   deploymentName: 'o1-mini',
                 },
-              },
-            },
-            'codex-mini': {
-              apiKey: '${AZURE_API_KEY}',
-              baseURL: 'https://example.cognitiveservices.azure.com/openai/',
-              version: '2025-04-01-preview',
-              serverless: true,
-              models: {
                 'codex-mini': {
+                  group: 'codex-mini',
                   deploymentName: 'codex-mini',
                 },
               },
+              groupMap: {
+                eastus: {
+                  apiKey: '${EASTUS_API_KEY}',
+                  instanceName: 'region-eastus',
+                  version: '2024-02-15-preview',
+                  models: {
+                    'gpt-4o': {
+                      deploymentName: 'gpt-4o',
+                    },
+                  },
+                },
+                'region-eastus': {
+                  apiKey: '${EASTUS2_API_KEY}',
+                  instanceName: 'region-eastus2',
+                  version: '2024-12-01-preview',
+                  models: {
+                    'o1-mini': {
+                      deploymentName: 'o1-mini',
+                    },
+                  },
+                },
+                'codex-mini': {
+                  apiKey: '${AZURE_API_KEY}',
+                  baseURL: 'https://example.cognitiveservices.azure.com/openai/',
+                  version: '2025-04-01-preview',
+                  serverless: true,
+                  models: {
+                    'codex-mini': {
+                      deploymentName: 'codex-mini',
+                    },
+                  },
+                },
+              },
             },
           },
-        };
+        });
         mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
         mockReq.body.model = 'o1-mini';
 
@@ -679,36 +731,37 @@ describe('AgentClient - titleConvo', () => {
         mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
         mockReq.body.model = 'gpt-4';
 
-        // Remove Azure-specific config
-        delete mockReq.app.locals[EModelEndpoint.azureOpenAI];
-
         // Set 'all' config as fallback with a serverless Azure config
-        mockReq.app.locals.all = {
-          titleConvo: true,
-          titleModel: 'gpt-4',
-          titleMethod: 'structured',
-          titlePrompt: 'Fallback title prompt from all config',
-          titlePromptTemplate: 'Template: {{content}}',
-          modelGroupMap: {
-            'gpt-4': {
-              group: 'default-group',
-              deploymentName: 'gpt-4',
-            },
-          },
-          groupMap: {
-            'default-group': {
-              apiKey: '${AZURE_API_KEY}',
-              baseURL: 'https://default.openai.azure.com/',
-              version: '2024-02-15-preview',
-              serverless: true,
-              models: {
+        getAppConfig.mockResolvedValue({
+          endpoints: {
+            all: {
+              titleConvo: true,
+              titleModel: 'gpt-4',
+              titleMethod: 'structured',
+              titlePrompt: 'Fallback title prompt from all config',
+              titlePromptTemplate: 'Template: {{content}}',
+              modelGroupMap: {
                 'gpt-4': {
+                  group: 'default-group',
                   deploymentName: 'gpt-4',
                 },
               },
+              groupMap: {
+                'default-group': {
+                  apiKey: '${AZURE_API_KEY}',
+                  baseURL: 'https://default.openai.azure.com/',
+                  version: '2024-02-15-preview',
+                  serverless: true,
+                  models: {
+                    'gpt-4': {
+                      deploymentName: 'gpt-4',
+                    },
+                  },
+                },
+              },
             },
           },
-        };
+        });
 
         const text = 'Test Azure with all config fallback';
         const abortController = new AbortController();
@@ -728,6 +781,239 @@ describe('AgentClient - titleConvo', () => {
     });
   });
 
+  describe('getOptions method - GPT-5+ model handling', () => {
+    let mockReq;
+    let mockRes;
+    let mockAgent;
+    let mockOptions;
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+
+      mockAgent = {
+        id: 'agent-123',
+        endpoint: EModelEndpoint.openAI,
+        provider: EModelEndpoint.openAI,
+        model_parameters: {
+          model: 'gpt-5',
+        },
+      };
+
+      mockReq = {
+        app: {
+          locals: {},
+        },
+        user: {
+          id: 'user-123',
+        },
+      };
+
+      mockRes = {};
+
+      mockOptions = {
+        req: mockReq,
+        res: mockRes,
+        agent: mockAgent,
+      };
+
+      client = new AgentClient(mockOptions);
+    });
+
+    it('should move maxTokens to modelKwargs.max_completion_tokens for GPT-5 models', () => {
+      const clientOptions = {
+        model: 'gpt-5',
+        maxTokens: 2048,
+        temperature: 0.7,
+      };
+
+      // Simulate the getOptions logic that handles GPT-5+ models
+      if (/\bgpt-[5-9]\b/i.test(clientOptions.model) && clientOptions.maxTokens != null) {
+        clientOptions.modelKwargs = clientOptions.modelKwargs ?? {};
+        clientOptions.modelKwargs.max_completion_tokens = clientOptions.maxTokens;
+        delete clientOptions.maxTokens;
+      }
+
+      expect(clientOptions.maxTokens).toBeUndefined();
+      expect(clientOptions.modelKwargs).toBeDefined();
+      expect(clientOptions.modelKwargs.max_completion_tokens).toBe(2048);
+      expect(clientOptions.temperature).toBe(0.7); // Other options should remain
+    });
+
+    it('should move maxTokens to modelKwargs.max_output_tokens for GPT-5 models with useResponsesApi', () => {
+      const clientOptions = {
+        model: 'gpt-5',
+        maxTokens: 2048,
+        temperature: 0.7,
+        useResponsesApi: true,
+      };
+
+      if (/\bgpt-[5-9]\b/i.test(clientOptions.model) && clientOptions.maxTokens != null) {
+        clientOptions.modelKwargs = clientOptions.modelKwargs ?? {};
+        const paramName =
+          clientOptions.useResponsesApi === true ? 'max_output_tokens' : 'max_completion_tokens';
+        clientOptions.modelKwargs[paramName] = clientOptions.maxTokens;
+        delete clientOptions.maxTokens;
+      }
+
+      expect(clientOptions.maxTokens).toBeUndefined();
+      expect(clientOptions.modelKwargs).toBeDefined();
+      expect(clientOptions.modelKwargs.max_output_tokens).toBe(2048);
+      expect(clientOptions.temperature).toBe(0.7); // Other options should remain
+    });
+
+    it('should handle GPT-5+ models with existing modelKwargs', () => {
+      const clientOptions = {
+        model: 'gpt-6',
+        maxTokens: 1500,
+        temperature: 0.8,
+        modelKwargs: {
+          customParam: 'value',
+        },
+      };
+
+      // Simulate the getOptions logic
+      if (/\bgpt-[5-9]\b/i.test(clientOptions.model) && clientOptions.maxTokens != null) {
+        clientOptions.modelKwargs = clientOptions.modelKwargs ?? {};
+        clientOptions.modelKwargs.max_completion_tokens = clientOptions.maxTokens;
+        delete clientOptions.maxTokens;
+      }
+
+      expect(clientOptions.maxTokens).toBeUndefined();
+      expect(clientOptions.modelKwargs).toEqual({
+        customParam: 'value',
+        max_completion_tokens: 1500,
+      });
+    });
+
+    it('should not modify maxTokens for non-GPT-5+ models', () => {
+      const clientOptions = {
+        model: 'gpt-4',
+        maxTokens: 2048,
+        temperature: 0.7,
+      };
+
+      // Simulate the getOptions logic
+      if (/\bgpt-[5-9]\b/i.test(clientOptions.model) && clientOptions.maxTokens != null) {
+        clientOptions.modelKwargs = clientOptions.modelKwargs ?? {};
+        clientOptions.modelKwargs.max_completion_tokens = clientOptions.maxTokens;
+        delete clientOptions.maxTokens;
+      }
+
+      // Should not be modified since it's GPT-4
+      expect(clientOptions.maxTokens).toBe(2048);
+      expect(clientOptions.modelKwargs).toBeUndefined();
+    });
+
+    it('should handle various GPT-5+ model formats', () => {
+      const testCases = [
+        { model: 'gpt-5', shouldTransform: true },
+        { model: 'gpt-5-turbo', shouldTransform: true },
+        { model: 'gpt-6', shouldTransform: true },
+        { model: 'gpt-7-preview', shouldTransform: true },
+        { model: 'gpt-8', shouldTransform: true },
+        { model: 'gpt-9-mini', shouldTransform: true },
+        { model: 'gpt-4', shouldTransform: false },
+        { model: 'gpt-4o', shouldTransform: false },
+        { model: 'gpt-3.5-turbo', shouldTransform: false },
+        { model: 'claude-3', shouldTransform: false },
+      ];
+
+      testCases.forEach(({ model, shouldTransform }) => {
+        const clientOptions = {
+          model,
+          maxTokens: 1000,
+        };
+
+        // Simulate the getOptions logic
+        if (/\bgpt-[5-9]\b/i.test(clientOptions.model) && clientOptions.maxTokens != null) {
+          clientOptions.modelKwargs = clientOptions.modelKwargs ?? {};
+          clientOptions.modelKwargs.max_completion_tokens = clientOptions.maxTokens;
+          delete clientOptions.maxTokens;
+        }
+
+        if (shouldTransform) {
+          expect(clientOptions.maxTokens).toBeUndefined();
+          expect(clientOptions.modelKwargs?.max_completion_tokens).toBe(1000);
+        } else {
+          expect(clientOptions.maxTokens).toBe(1000);
+          expect(clientOptions.modelKwargs).toBeUndefined();
+        }
+      });
+    });
+
+    it('should not swap max token param for older models when using useResponsesApi', () => {
+      const testCases = [
+        { model: 'gpt-5', shouldTransform: true },
+        { model: 'gpt-5-turbo', shouldTransform: true },
+        { model: 'gpt-6', shouldTransform: true },
+        { model: 'gpt-7-preview', shouldTransform: true },
+        { model: 'gpt-8', shouldTransform: true },
+        { model: 'gpt-9-mini', shouldTransform: true },
+        { model: 'gpt-4', shouldTransform: false },
+        { model: 'gpt-4o', shouldTransform: false },
+        { model: 'gpt-3.5-turbo', shouldTransform: false },
+        { model: 'claude-3', shouldTransform: false },
+      ];
+
+      testCases.forEach(({ model, shouldTransform }) => {
+        const clientOptions = {
+          model,
+          maxTokens: 1000,
+          useResponsesApi: true,
+        };
+
+        if (/\bgpt-[5-9]\b/i.test(clientOptions.model) && clientOptions.maxTokens != null) {
+          clientOptions.modelKwargs = clientOptions.modelKwargs ?? {};
+          const paramName =
+            clientOptions.useResponsesApi === true ? 'max_output_tokens' : 'max_completion_tokens';
+          clientOptions.modelKwargs[paramName] = clientOptions.maxTokens;
+          delete clientOptions.maxTokens;
+        }
+
+        if (shouldTransform) {
+          expect(clientOptions.maxTokens).toBeUndefined();
+          expect(clientOptions.modelKwargs?.max_output_tokens).toBe(1000);
+        } else {
+          expect(clientOptions.maxTokens).toBe(1000);
+          expect(clientOptions.modelKwargs).toBeUndefined();
+        }
+      });
+    });
+
+    it('should not transform if maxTokens is null or undefined', () => {
+      const testCases = [
+        { model: 'gpt-5', maxTokens: null },
+        { model: 'gpt-5', maxTokens: undefined },
+        { model: 'gpt-6', maxTokens: 0 }, // Should transform even if 0
+      ];
+
+      testCases.forEach(({ model, maxTokens }, index) => {
+        const clientOptions = {
+          model,
+          maxTokens,
+          temperature: 0.7,
+        };
+
+        // Simulate the getOptions logic
+        if (/\bgpt-[5-9]\b/i.test(clientOptions.model) && clientOptions.maxTokens != null) {
+          clientOptions.modelKwargs = clientOptions.modelKwargs ?? {};
+          clientOptions.modelKwargs.max_completion_tokens = clientOptions.maxTokens;
+          delete clientOptions.maxTokens;
+        }
+
+        if (index < 2) {
+          // null or undefined cases
+          expect(clientOptions.maxTokens).toBe(maxTokens);
+          expect(clientOptions.modelKwargs).toBeUndefined();
+        } else {
+          // 0 case - should transform
+          expect(clientOptions.maxTokens).toBeUndefined();
+          expect(clientOptions.modelKwargs?.max_completion_tokens).toBe(0);
+        }
+      });
+    });
+  });
+
   describe('runMemory method', () => {
     let client;
     let mockReq;
@@ -749,13 +1035,6 @@ describe('AgentClient - titleConvo', () => {
       };
 
       mockReq = {
-        app: {
-          locals: {
-            memory: {
-              messageWindowSize: 3,
-            },
-          },
-        },
         user: {
           id: 'user-123',
           personalization: {
@@ -764,6 +1043,13 @@ describe('AgentClient - titleConvo', () => {
         },
       };
 
+      // Mock getAppConfig for memory tests
+      getAppConfig.mockResolvedValue({
+        memory: {
+          messageWindowSize: 3,
+        },
+      });
+
       mockRes = {};
 
       mockOptions = {

api/server/controllers/agents/request.js

@@ -233,6 +233,26 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
         );
       }
     }
+    // Edge case: sendMessage completed but abort happened during sendCompletion
+    // We need to ensure a final event is sent
+    else if (!res.headersSent && !res.finished) {
+      logger.debug(
+        '[AgentController] Handling edge case: `sendMessage` completed but aborted during `sendCompletion`',
+      );
+
+      const finalResponse = { ...response };
+      finalResponse.error = true;
+
+      sendEvent(res, {
+        final: true,
+        conversation,
+        title: conversation.title,
+        requestMessage: userMessage,
+        responseMessage: finalResponse,
+        error: { message: 'Request was aborted during completion' },
+      });
+      res.end();
+    }
 
     // Save user message if needed
     if (!client.skipSaveUserMessage) {

api/server/controllers/agents/v1.js

@@ -5,30 +5,40 @@ const { logger } = require('@librechat/data-schemas');
 const { agentCreateSchema, agentUpdateSchema } = require('@librechat/api');
 const {
   Tools,
-  Constants,
-  FileSources,
   SystemRoles,
+  FileSources,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
   EToolResources,
+  PermissionBits,
   actionDelimiter,
   removeNullishValues,
 } = require('librechat-data-provider');
 const {
-  getAgent,
+  getListAgentsByAccess,
+  countPromotedAgents,
+  revertAgentVersion,
   createAgent,
   updateAgent,
   deleteAgent,
-  getListAgents,
+  getAgent,
 } = require('~/models/Agent');
+const {
+  findPubliclyAccessibleResources,
+  findAccessibleResources,
+  hasPublicPermission,
+  grantPermission,
+} = require('~/server/services/PermissionService');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
+const { getCachedTools, getAppConfig } = require('~/server/services/Config');
 const { resizeAvatar } = require('~/server/services/Files/images/avatar');
+const { getFileStrategy } = require('~/server/utils/getFileStrategy');
 const { refreshS3Url } = require('~/server/services/Files/S3/crud');
 const { filterFile } = require('~/server/services/Files/process');
 const { updateAction, getActions } = require('~/models/Action');
-const { getCachedTools } = require('~/server/services/Config');
-const { updateAgentProjects } = require('~/models/Agent');
-const { getProjectByName } = require('~/models/Project');
-const { revertAgentVersion } = require('~/models/Agent');
 const { deleteFileByFilter } = require('~/models/File');
+const { getCategoriesWithCounts } = require('~/models');
 
 const systemTools = {
   [Tools.execute_code]: true,
@@ -42,7 +52,7 @@ const systemTools = {
  * @param {ServerRequest} req - The request object.
  * @param {AgentCreateParams} req.body - The request body.
  * @param {ServerResponse} res - The response object.
- * @returns {Agent} 201 - success response - application/json
+ * @returns {Promise<Agent>} 201 - success response - application/json
  */
 const createAgentHandler = async (req, res) => {
   try {
@@ -67,6 +77,27 @@ const createAgentHandler = async (req, res) => {
     }
 
     const agent = await createAgent(agentData);
+
+    // Automatically grant owner permissions to the creator
+    try {
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_OWNER,
+        grantedBy: userId,
+      });
+      logger.debug(
+        `[createAgent] Granted owner permissions to user ${userId} for agent ${agent.id}`,
+      );
+    } catch (permissionError) {
+      logger.error(
+        `[createAgent] Failed to grant owner permissions for agent ${agent.id}:`,
+        permissionError,
+      );
+    }
+
     res.status(201).json(agent);
   } catch (error) {
     if (error instanceof z.ZodError) {
@@ -89,21 +120,14 @@ const createAgentHandler = async (req, res) => {
  * @returns {Promise<Agent>} 200 - success response - application/json
  * @returns {Error} 404 - Agent not found
  */
-const getAgentHandler = async (req, res) => {
+const getAgentHandler = async (req, res, expandProperties = false) => {
   try {
     const id = req.params.id;
     const author = req.user.id;
 
-    let query = { id, author };
-
-    const globalProject = await getProjectByName(Constants.GLOBAL_PROJECT_NAME, ['agentIds']);
-    if (globalProject && (globalProject.agentIds?.length ?? 0) > 0) {
-      query = {
-        $or: [{ id, $in: globalProject.agentIds }, query],
-      };
-    }
-
-    const agent = await getAgent(query);
+    // Permissions are validated by middleware before calling this function
+    // Simply load the agent by ID
+    const agent = await getAgent({ id });
 
     if (!agent) {
       return res.status(404).json({ error: 'Agent not found' });
@@ -120,23 +144,45 @@ const getAgentHandler = async (req, res) => {
     }
 
     agent.author = agent.author.toString();
+
+    // @deprecated - isCollaborative replaced by ACL permissions
     agent.isCollaborative = !!agent.isCollaborative;
 
+    // Check if agent is public
+    const isPublic = await hasPublicPermission({
+      resourceType: ResourceType.AGENT,
+      resourceId: agent._id,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+    agent.isPublic = isPublic;
+
     if (agent.author !== author) {
       delete agent.author;
     }
 
-    if (!agent.isCollaborative && agent.author !== author && req.user.role !== SystemRoles.ADMIN) {
+    if (!expandProperties) {
+      // VIEW permission: Basic agent info only
       return res.status(200).json({
+        _id: agent._id,
         id: agent.id,
         name: agent.name,
+        description: agent.description,
         avatar: agent.avatar,
         author: agent.author,
+        provider: agent.provider,
+        model: agent.model,
         projectIds: agent.projectIds,
+        // @deprecated - isCollaborative replaced by ACL permissions
         isCollaborative: agent.isCollaborative,
+        isPublic: agent.isPublic,
         version: agent.version,
+        // Safe metadata
+        createdAt: agent.createdAt,
+        updatedAt: agent.updatedAt,
       });
     }
+
+    // EDIT permission: Full agent details including sensitive configuration
     return res.status(200).json(agent);
   } catch (error) {
     logger.error('[/Agents/:id] Error retrieving agent', error);
@@ -157,42 +203,22 @@ const updateAgentHandler = async (req, res) => {
   try {
     const id = req.params.id;
     const validatedData = agentUpdateSchema.parse(req.body);
-    const { projectIds, removeProjectIds, ...updateData } = removeNullishValues(validatedData);
-    const isAdmin = req.user.role === SystemRoles.ADMIN;
+    const { _id, ...updateData } = removeNullishValues(validatedData);
     const existingAgent = await getAgent({ id });
 
     if (!existingAgent) {
       return res.status(404).json({ error: 'Agent not found' });
     }
 
-    const isAuthor = existingAgent.author.toString() === req.user.id;
-    const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
-
-    if (!hasEditPermission) {
-      return res.status(403).json({
-        error: 'You do not have permission to modify this non-collaborative agent',
-      });
-    }
-
-    /** @type {boolean} */
-    const isProjectUpdate = (projectIds?.length ?? 0) > 0 || (removeProjectIds?.length ?? 0) > 0;
-
     let updatedAgent =
       Object.keys(updateData).length > 0
         ? await updateAgent({ id }, updateData, {
             updatingUserId: req.user.id,
-            skipVersioning: isProjectUpdate,
           })
         : existingAgent;
 
-    if (isProjectUpdate) {
-      updatedAgent = await updateAgentProjects({
-        user: req.user,
-        agentId: id,
-        projectIds,
-        removeProjectIds,
-      });
-    }
+    // Add version count to the response
+    updatedAgent.version = updatedAgent.versions ? updatedAgent.versions.length : 0;
 
     if (updatedAgent.author) {
       updatedAgent.author = updatedAgent.author.toString();
@@ -318,6 +344,26 @@ const duplicateAgentHandler = async (req, res) => {
     newAgentData.actions = agentActions;
     const newAgent = await createAgent(newAgentData);
 
+    // Automatically grant owner permissions to the duplicator
+    try {
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: newAgent._id,
+        accessRoleId: AccessRoleIds.AGENT_OWNER,
+        grantedBy: userId,
+      });
+      logger.debug(
+        `[duplicateAgent] Granted owner permissions to user ${userId} for duplicated agent ${newAgent.id}`,
+      );
+    } catch (permissionError) {
+      logger.error(
+        `[duplicateAgent] Failed to grant owner permissions for duplicated agent ${newAgent.id}:`,
+        permissionError,
+      );
+    }
+
     return res.status(201).json({
       agent: newAgent,
       actions: newActionsList,
@@ -344,7 +390,7 @@ const deleteAgentHandler = async (req, res) => {
     if (!agent) {
       return res.status(404).json({ error: 'Agent not found' });
     }
-    await deleteAgent({ id, author: req.user.id });
+    await deleteAgent({ id });
     return res.json({ message: 'Agent deleted' });
   } catch (error) {
     logger.error('[/Agents/:id] Error deleting Agent', error);
@@ -353,7 +399,7 @@ const deleteAgentHandler = async (req, res) => {
 };
 
 /**
- *
+ * Lists agents using ACL-aware permissions (ownership + explicit shares).
  * @route GET /Agents
  * @param {object} req - Express Request
  * @param {object} req.query - Request query
@@ -362,9 +408,65 @@ const deleteAgentHandler = async (req, res) => {
  */
 const getListAgentsHandler = async (req, res) => {
   try {
-    const data = await getListAgents({
-      author: req.user.id,
+    const userId = req.user.id;
+    const { category, search, limit, cursor, promoted } = req.query;
+    let requiredPermission = req.query.requiredPermission;
+    if (typeof requiredPermission === 'string') {
+      requiredPermission = parseInt(requiredPermission, 10);
+      if (isNaN(requiredPermission)) {
+        requiredPermission = PermissionBits.VIEW;
+      }
+    } else if (typeof requiredPermission !== 'number') {
+      requiredPermission = PermissionBits.VIEW;
+    }
+    // Base filter
+    const filter = {};
+
+    // Handle category filter - only apply if category is defined
+    if (category !== undefined && category.trim() !== '') {
+      filter.category = category;
+    }
+
+    // Handle promoted filter - only from query param
+    if (promoted === '1') {
+      filter.is_promoted = true;
+    } else if (promoted === '0') {
+      filter.is_promoted = { $ne: true };
+    }
+
+    // Handle search filter
+    if (search && search.trim() !== '') {
+      filter.$or = [
+        { name: { $regex: search.trim(), $options: 'i' } },
+        { description: { $regex: search.trim(), $options: 'i' } },
+      ];
+    }
+    // Get agent IDs the user has VIEW access to via ACL
+    const accessibleIds = await findAccessibleResources({
+      userId,
+      role: req.user.role,
+      resourceType: ResourceType.AGENT,
+      requiredPermissions: requiredPermission,
     });
+    const publiclyAccessibleIds = await findPubliclyAccessibleResources({
+      resourceType: ResourceType.AGENT,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+    // Use the new ACL-aware function
+    const data = await getListAgentsByAccess({
+      accessibleIds,
+      otherParams: filter,
+      limit,
+      after: cursor,
+    });
+    if (data?.data?.length) {
+      data.data = data.data.map((agent) => {
+        if (publiclyAccessibleIds.some((id) => id.equals(agent._id))) {
+          agent.isPublic = true;
+        }
+        return agent;
+      });
+    }
     return res.json(data);
   } catch (error) {
     logger.error('[/Agents] Error listing Agents', error);
@@ -385,6 +487,7 @@ const getListAgentsHandler = async (req, res) => {
  */
 const uploadAgentAvatarHandler = async (req, res) => {
   try {
+    const appConfig = await getAppConfig({ role: req.user?.role });
     filterFile({ req, file: req.file, image: true, isAvatar: true });
     const { agent_id } = req.params;
     if (!agent_id) {
@@ -398,7 +501,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
       return res.status(404).json({ error: 'Agent not found' });
     }
 
-    const isAuthor = existingAgent.author.toString() === req.user.id;
+    const isAuthor = existingAgent.author.toString() === req.user.id.toString();
     const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
 
     if (!hasEditPermission) {
@@ -408,9 +511,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
     }
 
     const buffer = await fs.readFile(req.file.path);
-
-    const fileStrategy = req.app.locals.fileStrategy;
-
+    const fileStrategy = getFileStrategy(appConfig, { isAvatar: true });
     const resizedBuffer = await resizeAvatar({
       userId: req.user.id,
       input: buffer,
@@ -506,7 +607,7 @@ const revertAgentVersionHandler = async (req, res) => {
       return res.status(404).json({ error: 'Agent not found' });
     }
 
-    const isAuthor = existingAgent.author.toString() === req.user.id;
+    const isAuthor = existingAgent.author.toString() === req.user.id.toString();
     const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
 
     if (!hasEditPermission) {
@@ -531,7 +632,48 @@ const revertAgentVersionHandler = async (req, res) => {
     res.status(500).json({ error: error.message });
   }
 };
+/**
+ * Get all agent categories with counts
+ *
+ * @param {Object} _req - Express request object (unused)
+ * @param {Object} res - Express response object
+ */
+const getAgentCategories = async (_req, res) => {
+  try {
+    const categories = await getCategoriesWithCounts();
+    const promotedCount = await countPromotedAgents();
+    const formattedCategories = categories.map((category) => ({
+      value: category.value,
+      label: category.label,
+      count: category.agentCount,
+      description: category.description,
+    }));
 
+    if (promotedCount > 0) {
+      formattedCategories.unshift({
+        value: 'promoted',
+        label: 'Promoted',
+        count: promotedCount,
+        description: 'Our recommended agents',
+      });
+    }
+
+    formattedCategories.push({
+      value: 'all',
+      label: 'All',
+      description: 'All available agents',
+    });
+
+    res.status(200).json(formattedCategories);
+  } catch (error) {
+    logger.error('[/Agents/Marketplace] Error fetching agent categories:', error);
+    res.status(500).json({
+      error: 'Failed to fetch agent categories',
+      userMessage: 'Unable to load categories. Please refresh the page.',
+      suggestion: 'Try refreshing the page or check your network connection',
+    });
+  }
+};
 module.exports = {
   createAgent: createAgentHandler,
   getAgent: getAgentHandler,
@@ -541,4 +683,5 @@ module.exports = {
   getListAgents: getListAgentsHandler,
   uploadAgentAvatar: uploadAgentAvatarHandler,
   revertAgentVersion: revertAgentVersionHandler,
+  getAgentCategories,
 };

api/server/controllers/agents/v1.spec.js

@@ -1,5 +1,6 @@
 const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
+const { nanoid } = require('nanoid');
 const { MongoMemoryServer } = require('mongodb-memory-server');
 const { agentSchema } = require('@librechat/data-schemas');
 
@@ -41,7 +42,27 @@ jest.mock('~/models/File', () => ({
   deleteFileByFilter: jest.fn(),
 }));
 
-const { createAgent: createAgentHandler, updateAgent: updateAgentHandler } = require('./v1');
+jest.mock('~/server/services/PermissionService', () => ({
+  findAccessibleResources: jest.fn().mockResolvedValue([]),
+  findPubliclyAccessibleResources: jest.fn().mockResolvedValue([]),
+  grantPermission: jest.fn(),
+  hasPublicPermission: jest.fn().mockResolvedValue(false),
+}));
+
+jest.mock('~/models', () => ({
+  getCategoriesWithCounts: jest.fn(),
+}));
+
+const {
+  createAgent: createAgentHandler,
+  updateAgent: updateAgentHandler,
+  getListAgents: getListAgentsHandler,
+} = require('./v1');
+
+const {
+  findAccessibleResources,
+  findPubliclyAccessibleResources,
+} = require('~/server/services/PermissionService');
 
 /**
  * @type {import('mongoose').Model<import('@librechat/data-schemas').IAgent>}
@@ -79,6 +100,7 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       },
       body: {},
       params: {},
+      query: {},
       app: {
         locals: {
           fileStrategy: 'local',
@@ -235,6 +257,81 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.tool_resources.invalid_resource).toBeUndefined();
     });
 
+    test('should handle support_contact with empty strings', async () => {
+      const dataWithEmptyContact = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Agent with Empty Contact',
+        support_contact: {
+          name: '',
+          email: '',
+        },
+      };
+
+      mockReq.body = dataWithEmptyContact;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+      expect(createdAgent.name).toBe('Agent with Empty Contact');
+      expect(createdAgent.support_contact).toBeDefined();
+      expect(createdAgent.support_contact.name).toBe('');
+      expect(createdAgent.support_contact.email).toBe('');
+    });
+
+    test('should handle support_contact with valid email', async () => {
+      const dataWithValidContact = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Agent with Valid Contact',
+        support_contact: {
+          name: 'Support Team',
+          email: 'support@example.com',
+        },
+      };
+
+      mockReq.body = dataWithValidContact;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+      expect(createdAgent.support_contact).toBeDefined();
+      expect(createdAgent.support_contact.name).toBe('Support Team');
+      expect(createdAgent.support_contact.email).toBe('support@example.com');
+    });
+
+    test('should reject support_contact with invalid email', async () => {
+      const dataWithInvalidEmail = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Agent with Invalid Email',
+        support_contact: {
+          name: 'Support',
+          email: 'not-an-email',
+        },
+      };
+
+      mockReq.body = dataWithInvalidEmail;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(400);
+      expect(mockRes.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          error: 'Invalid request data',
+          details: expect.arrayContaining([
+            expect.objectContaining({
+              path: ['support_contact', 'email'],
+            }),
+          ]),
+        }),
+      );
+    });
+
     test('should handle avatar validation', async () => {
       const dataWithAvatar = {
         provider: 'openai',
@@ -372,52 +469,6 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.id).toBe(existingAgentId);
     });
 
-    test('should reject update from non-author when not collaborative', async () => {
-      const differentUserId = new mongoose.Types.ObjectId().toString();
-      mockReq.user.id = differentUserId; // Different user
-      mockReq.params.id = existingAgentId;
-      mockReq.body = {
-        name: 'Unauthorized Update',
-      };
-
-      await updateAgentHandler(mockReq, mockRes);
-
-      expect(mockRes.status).toHaveBeenCalledWith(403);
-      expect(mockRes.json).toHaveBeenCalledWith({
-        error: 'You do not have permission to modify this non-collaborative agent',
-      });
-
-      // Verify agent was not modified in database
-      const agentInDb = await Agent.findOne({ id: existingAgentId });
-      expect(agentInDb.name).toBe('Original Agent');
-    });
-
-    test('should allow update from non-author when collaborative', async () => {
-      // First make the agent collaborative
-      await Agent.updateOne({ id: existingAgentId }, { isCollaborative: true });
-
-      const differentUserId = new mongoose.Types.ObjectId().toString();
-      mockReq.user.id = differentUserId; // Different user
-      mockReq.params.id = existingAgentId;
-      mockReq.body = {
-        name: 'Collaborative Update',
-      };
-
-      await updateAgentHandler(mockReq, mockRes);
-
-      expect(mockRes.status).not.toHaveBeenCalledWith(403);
-      expect(mockRes.json).toHaveBeenCalled();
-
-      const updatedAgent = mockRes.json.mock.calls[0][0];
-      expect(updatedAgent.name).toBe('Collaborative Update');
-      // Author field should be removed for non-author
-      expect(updatedAgent.author).toBeUndefined();
-
-      // Verify in database
-      const agentInDb = await Agent.findOne({ id: existingAgentId });
-      expect(agentInDb.name).toBe('Collaborative Update');
-    });
-
     test('should allow admin to update any agent', async () => {
       const adminUserId = new mongoose.Types.ObjectId().toString();
       mockReq.user.id = adminUserId;
@@ -498,6 +549,28 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(mockRes.json).toHaveBeenCalledWith({ error: 'Agent not found' });
     });
 
+    test('should include version field in update response', async () => {
+      mockReq.user.id = existingAgentAuthorId.toString();
+      mockReq.params.id = existingAgentId;
+      mockReq.body = {
+        name: 'Updated with Version Check',
+      };
+
+      await updateAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.json).toHaveBeenCalled();
+      const updatedAgent = mockRes.json.mock.calls[0][0];
+
+      // Verify version field is included and is a number
+      expect(updatedAgent).toHaveProperty('version');
+      expect(typeof updatedAgent.version).toBe('number');
+      expect(updatedAgent.version).toBeGreaterThanOrEqual(1);
+
+      // Verify in database
+      const agentInDb = await Agent.findOne({ id: existingAgentId });
+      expect(updatedAgent.version).toBe(agentInDb.versions.length);
+    });
+
     test('should handle validation errors properly', async () => {
       mockReq.user.id = existingAgentAuthorId.toString();
       mockReq.params.id = existingAgentId;
@@ -555,45 +628,6 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.__v).not.toBe(99);
     });
 
-    test('should prevent privilege escalation through isCollaborative', async () => {
-      // Create a non-collaborative agent
-      const authorId = new mongoose.Types.ObjectId();
-      const agent = await Agent.create({
-        id: `agent_${uuidv4()}`,
-        name: 'Private Agent',
-        provider: 'openai',
-        model: 'gpt-4',
-        author: authorId,
-        isCollaborative: false,
-        versions: [
-          {
-            name: 'Private Agent',
-            provider: 'openai',
-            model: 'gpt-4',
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          },
-        ],
-      });
-
-      // Try to make it collaborative as a different user
-      const attackerId = new mongoose.Types.ObjectId().toString();
-      mockReq.user.id = attackerId;
-      mockReq.params.id = agent.id;
-      mockReq.body = {
-        isCollaborative: true, // Trying to escalate privileges
-      };
-
-      await updateAgentHandler(mockReq, mockRes);
-
-      // Should be rejected
-      expect(mockRes.status).toHaveBeenCalledWith(403);
-
-      // Verify in database that it's still not collaborative
-      const agentInDb = await Agent.findOne({ id: agent.id });
-      expect(agentInDb.isCollaborative).toBe(false);
-    });
-
     test('should prevent author hijacking', async () => {
       const originalAuthorId = new mongoose.Types.ObjectId();
       const attackerId = new mongoose.Types.ObjectId();
@@ -656,4 +690,373 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.futureFeature).toBeUndefined();
     });
   });
+
+  describe('getListAgentsHandler - Security Tests', () => {
+    let userA, userB;
+    let agentA1, agentA2, agentA3, agentB1;
+
+    beforeEach(async () => {
+      await Agent.deleteMany({});
+      jest.clearAllMocks();
+
+      // Create two test users
+      userA = new mongoose.Types.ObjectId();
+      userB = new mongoose.Types.ObjectId();
+
+      // Create agents for User A
+      agentA1 = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Agent A1',
+        description: 'User A agent 1',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        versions: [
+          {
+            name: 'Agent A1',
+            description: 'User A agent 1',
+            provider: 'openai',
+            model: 'gpt-4',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      agentA2 = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Agent A2',
+        description: 'User A agent 2',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        versions: [
+          {
+            name: 'Agent A2',
+            description: 'User A agent 2',
+            provider: 'openai',
+            model: 'gpt-4',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      agentA3 = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Agent A3',
+        description: 'User A agent 3',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        category: 'productivity',
+        versions: [
+          {
+            name: 'Agent A3',
+            description: 'User A agent 3',
+            provider: 'openai',
+            model: 'gpt-4',
+            category: 'productivity',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      // Create an agent for User B
+      agentB1 = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Agent B1',
+        description: 'User B agent 1',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userB,
+        versions: [
+          {
+            name: 'Agent B1',
+            description: 'User B agent 1',
+            provider: 'openai',
+            model: 'gpt-4',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+    });
+
+    test('should return empty list when user has no accessible agents', async () => {
+      // User B has no permissions and no owned agents
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      expect(findAccessibleResources).toHaveBeenCalledWith({
+        userId: userB.toString(),
+        role: 'USER',
+        resourceType: 'agent',
+        requiredPermissions: 1, // VIEW permission
+      });
+
+      expect(mockRes.json).toHaveBeenCalledWith({
+        object: 'list',
+        data: [],
+        first_id: null,
+        last_id: null,
+        has_more: false,
+        after: null,
+      });
+    });
+
+    test('should not return other users agents when accessibleIds is empty', async () => {
+      // User B trying to see agents with no permissions
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(0);
+
+      // Verify User A's agents are not included
+      const agentIds = response.data.map((a) => a.id);
+      expect(agentIds).not.toContain(agentA1.id);
+      expect(agentIds).not.toContain(agentA2.id);
+      expect(agentIds).not.toContain(agentA3.id);
+    });
+
+    test('should only return agents user has access to', async () => {
+      // User B has access to one of User A's agents
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([agentA1._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(agentA1.id);
+      expect(response.data[0].name).toBe('Agent A1');
+    });
+
+    test('should return multiple accessible agents', async () => {
+      // User B has access to multiple agents
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA3._id, agentB1._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(3);
+
+      const agentIds = response.data.map((a) => a.id);
+      expect(agentIds).toContain(agentA1.id);
+      expect(agentIds).toContain(agentA3.id);
+      expect(agentIds).toContain(agentB1.id);
+      expect(agentIds).not.toContain(agentA2.id);
+    });
+
+    test('should apply category filter correctly with ACL', async () => {
+      // User has access to all agents but filters by category
+      mockReq.user.id = userB.toString();
+      mockReq.query.category = 'productivity';
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA2._id, agentA3._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(agentA3.id);
+      expect(response.data[0].category).toBe('productivity');
+    });
+
+    test('should apply search filter correctly with ACL', async () => {
+      // User has access to multiple agents but searches for specific one
+      mockReq.user.id = userB.toString();
+      mockReq.query.search = 'A2';
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA2._id, agentA3._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(agentA2.id);
+    });
+
+    test('should handle pagination with ACL filtering', async () => {
+      // Create more agents for pagination testing
+      const moreAgents = [];
+      for (let i = 4; i <= 10; i++) {
+        const agent = await Agent.create({
+          id: `agent_${nanoid(12)}`,
+          name: `Agent A${i}`,
+          description: `User A agent ${i}`,
+          provider: 'openai',
+          model: 'gpt-4',
+          author: userA,
+          versions: [
+            {
+              name: `Agent A${i}`,
+              description: `User A agent ${i}`,
+              provider: 'openai',
+              model: 'gpt-4',
+              createdAt: new Date(),
+              updatedAt: new Date(),
+            },
+          ],
+        });
+        moreAgents.push(agent);
+      }
+
+      // User has access to all agents
+      const allAgentIds = [agentA1, agentA2, agentA3, ...moreAgents].map((a) => a._id);
+      mockReq.user.id = userB.toString();
+      mockReq.query.limit = '5';
+      findAccessibleResources.mockResolvedValue(allAgentIds);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(5);
+      expect(response.has_more).toBe(true);
+      expect(response.after).toBeTruthy();
+    });
+
+    test('should mark publicly accessible agents', async () => {
+      // User has access to agents, some are public
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA2._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([agentA2._id]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(2);
+
+      const publicAgent = response.data.find((a) => a.id === agentA2.id);
+      const privateAgent = response.data.find((a) => a.id === agentA1.id);
+
+      expect(publicAgent.isPublic).toBe(true);
+      expect(privateAgent.isPublic).toBeUndefined();
+    });
+
+    test('should handle requiredPermission parameter', async () => {
+      // Test with different permission levels
+      mockReq.user.id = userB.toString();
+      mockReq.query.requiredPermission = '15'; // FULL_ACCESS
+      findAccessibleResources.mockResolvedValue([agentA1._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      expect(findAccessibleResources).toHaveBeenCalledWith({
+        userId: userB.toString(),
+        role: 'USER',
+        resourceType: 'agent',
+        requiredPermissions: 15,
+      });
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+    });
+
+    test('should handle promoted filter with ACL', async () => {
+      // Create a promoted agent
+      const promotedAgent = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Promoted Agent',
+        description: 'A promoted agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        is_promoted: true,
+        versions: [
+          {
+            name: 'Promoted Agent',
+            description: 'A promoted agent',
+            provider: 'openai',
+            model: 'gpt-4',
+            is_promoted: true,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      mockReq.user.id = userB.toString();
+      mockReq.query.promoted = '1';
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA2._id, promotedAgent._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(promotedAgent.id);
+      expect(response.data[0].is_promoted).toBe(true);
+    });
+
+    test('should handle errors gracefully', async () => {
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockRejectedValue(new Error('Permission service error'));
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(500);
+      expect(mockRes.json).toHaveBeenCalledWith({
+        error: 'Permission service error',
+      });
+    });
+
+    test('should respect combined filters with ACL', async () => {
+      // Create agents with specific attributes
+      const productivityPromoted = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Productivity Pro',
+        description: 'A promoted productivity agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        category: 'productivity',
+        is_promoted: true,
+        versions: [
+          {
+            name: 'Productivity Pro',
+            description: 'A promoted productivity agent',
+            provider: 'openai',
+            model: 'gpt-4',
+            category: 'productivity',
+            is_promoted: true,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      mockReq.user.id = userB.toString();
+      mockReq.query.category = 'productivity';
+      mockReq.query.promoted = '1';
+      findAccessibleResources.mockResolvedValue([
+        agentA1._id,
+        agentA2._id,
+        agentA3._id,
+        productivityPromoted._id,
+      ]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(productivityPromoted.id);
+      expect(response.data[0].category).toBe('productivity');
+      expect(response.data[0].is_promoted).toBe(true);
+    });
+  });
 });

api/server/controllers/assistants/chatV1.js

@@ -29,6 +29,7 @@ const { createRun, StreamRunManager } = require('~/server/services/Runs');
 const { addTitle } = require('~/server/services/Endpoints/assistants');
 const { createRunBody } = require('~/server/services/createRunBody');
 const { sendResponse } = require('~/server/middleware/error');
+const { getAppConfig } = require('~/server/services/Config');
 const { getTransactions } = require('~/models/Transaction');
 const { checkBalance } = require('~/models/balanceMethods');
 const { getConvo } = require('~/models/Conversation');
@@ -47,6 +48,7 @@ const { getOpenAIClient } = require('./helpers');
  * @returns {void}
  */
 const chatV1 = async (req, res) => {
+  const appConfig = await getAppConfig({ role: req.user?.role });
   logger.debug('[/assistants/chat/] req.body', req.body);
 
   const {
@@ -251,7 +253,7 @@ const chatV1 = async (req, res) => {
     }
 
     const checkBalanceBeforeRun = async () => {
-      const balance = req.app?.locals?.balance;
+      const balance = appConfig?.balance;
       if (!balance?.enabled) {
         return;
       }

api/server/controllers/assistants/chatV2.js

@@ -26,6 +26,7 @@ const validateAuthor = require('~/server/middleware/assistants/validateAuthor');
 const { createRun, StreamRunManager } = require('~/server/services/Runs');
 const { addTitle } = require('~/server/services/Endpoints/assistants');
 const { createRunBody } = require('~/server/services/createRunBody');
+const { getAppConfig } = require('~/server/services/Config');
 const { getTransactions } = require('~/models/Transaction');
 const { checkBalance } = require('~/models/balanceMethods');
 const { getConvo } = require('~/models/Conversation');
@@ -44,6 +45,7 @@ const { getOpenAIClient } = require('./helpers');
  */
 const chatV2 = async (req, res) => {
   logger.debug('[/assistants/chat/] req.body', req.body);
+  const appConfig = await getAppConfig({ role: req.user?.role });
 
   /** @type {{files: MongoFile[]}} */
   const {
@@ -126,7 +128,7 @@ const chatV2 = async (req, res) => {
     }
 
     const checkBalanceBeforeRun = async () => {
-      const balance = req.app?.locals?.balance;
+      const balance = appConfig?.balance;
       if (!balance?.enabled) {
         return;
       }
@@ -374,9 +376,9 @@ const chatV2 = async (req, res) => {
       };
 
       /** @type {undefined | TAssistantEndpoint} */
-      const config = req.app.locals[endpoint] ?? {};
+      const config = appConfig.endpoints?.[endpoint] ?? {};
       /** @type {undefined | TBaseEndpoint} */
-      const allConfig = req.app.locals.all;
+      const allConfig = appConfig.endpoints?.all;
 
       const streamRunManager = new StreamRunManager({
         req,

api/server/controllers/assistants/helpers.js

@@ -7,8 +7,8 @@ const {
 const {
   initializeClient: initAzureClient,
 } = require('~/server/services/Endpoints/azureAssistants');
+const { getEndpointsConfig, getAppConfig } = require('~/server/services/Config');
 const { initializeClient } = require('~/server/services/Endpoints/assistants');
-const { getEndpointsConfig } = require('~/server/services/Config');
 
 /**
  * @param {Express.Request} req
@@ -210,6 +210,7 @@ async function getOpenAIClient({ req, res, endpointOption, initAppClient, overri
  * @returns {Promise<AssistantListResponse>} 200 - success response - application/json
  */
 const fetchAssistants = async ({ req, res, overrideEndpoint }) => {
+  const appConfig = await getAppConfig({ role: req.user?.role });
   const {
     limit = 100,
     order = 'desc',
@@ -230,20 +231,20 @@ const fetchAssistants = async ({ req, res, overrideEndpoint }) => {
   if (endpoint === EModelEndpoint.assistants) {
     ({ body } = await listAllAssistants({ req, res, version, query }));
   } else if (endpoint === EModelEndpoint.azureAssistants) {
-    const azureConfig = req.app.locals[EModelEndpoint.azureOpenAI];
+    const azureConfig = appConfig.endpoints?.[EModelEndpoint.azureOpenAI];
     body = await listAssistantsForAzure({ req, res, version, azureConfig, query });
   }
 
   if (req.user.role === SystemRoles.ADMIN) {
     return body;
-  } else if (!req.app.locals[endpoint]) {
+  } else if (!appConfig.endpoints?.[endpoint]) {
     return body;
   }
 
   body.data = filterAssistants({
     userId: req.user.id,
     assistants: body.data,
-    assistantsConfig: req.app.locals[endpoint],
+    assistantsConfig: appConfig.endpoints?.[endpoint],
   });
   return body;
 };

api/server/controllers/assistants/v1.js

@@ -5,9 +5,9 @@ const { uploadImageBuffer, filterFile } = require('~/server/services/Files/proce
 const validateAuthor = require('~/server/middleware/assistants/validateAuthor');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { deleteAssistantActions } = require('~/server/services/ActionService');
+const { getCachedTools, getAppConfig } = require('~/server/services/Config');
 const { updateAssistantDoc, getAssistants } = require('~/models/Assistant');
 const { getOpenAIClient, fetchAssistants } = require('./helpers');
-const { getCachedTools } = require('~/server/services/Config');
 const { manifestToolMap } = require('~/app/clients/tools');
 const { deleteFileByFilter } = require('~/models/File');
 
@@ -258,8 +258,9 @@ function filterAssistantDocs({ documents, userId, assistantsConfig = {} }) {
  */
 const getAssistantDocuments = async (req, res) => {
   try {
+    const appConfig = await getAppConfig({ role: req.user?.role });
     const endpoint = req.query;
-    const assistantsConfig = req.app.locals[endpoint];
+    const assistantsConfig = appConfig.endpoints?.[endpoint];
     const documents = await getAssistants(
       {},
       {
@@ -296,6 +297,7 @@ const getAssistantDocuments = async (req, res) => {
  */
 const uploadAssistantAvatar = async (req, res) => {
   try {
+    const appConfig = await getAppConfig({ role: req.user?.role });
     filterFile({ req, file: req.file, image: true, isAvatar: true });
     const { assistant_id } = req.params;
     if (!assistant_id) {
@@ -337,7 +339,7 @@ const uploadAssistantAvatar = async (req, res) => {
     const metadata = {
       ..._metadata,
       avatar: image.filepath,
-      avatar_source: req.app.locals.fileStrategy,
+      avatar_source: appConfig.fileStrategy,
     };
 
     const promises = [];
@@ -347,7 +349,7 @@ const uploadAssistantAvatar = async (req, res) => {
         {
           avatar: {
             filepath: image.filepath,
-            source: req.app.locals.fileStrategy,
+            source: appConfig.fileStrategy,
           },
           user: req.user.id,
         },

api/server/controllers/auth/TwoFactorAuthController.js

@@ -22,10 +22,11 @@ const verify2FAWithTempToken = async (req, res) => {
     try {
       payload = jwt.verify(tempToken, process.env.JWT_SECRET);
     } catch (err) {
+      logger.error('Failed to verify temporary token:', err);
       return res.status(401).json({ message: 'Invalid or expired temporary token' });
     }
 
-    const user = await getUserById(payload.userId);
+    const user = await getUserById(payload.userId, '+totpSecret +backupCodes');
     if (!user || !user.twoFactorEnabled) {
       return res.status(400).json({ message: '2FA is not enabled for this user' });
     }
@@ -42,11 +43,11 @@ const verify2FAWithTempToken = async (req, res) => {
       return res.status(401).json({ message: 'Invalid 2FA code or backup code' });
     }
 
-    // Prepare user data to return (omit sensitive fields).
     const userData = user.toObject ? user.toObject() : { ...user };
-    delete userData.password;
     delete userData.__v;
+    delete userData.password;
     delete userData.totpSecret;
+    delete userData.backupCodes;
     userData.id = user._id.toString();
 
     const authToken = await setAuthTokens(user._id, res);

api/server/controllers/tools.js

@@ -13,6 +13,7 @@ const { processFileURL, uploadImageBuffer } = require('~/server/services/Files/p
 const { processCodeOutput } = require('~/server/services/Files/Code/process');
 const { createToolCall, getToolCallsByConvo } = require('~/models/ToolCall');
 const { loadAuthValues } = require('~/server/services/Tools/credentials');
+const { getAppConfig } = require('~/server/services/Config');
 const { loadTools } = require('~/app/clients/tools/util');
 const { getRoleByName } = require('~/models/Role');
 const { getMessage } = require('~/models/Message');
@@ -35,9 +36,10 @@ const toolAccessPermType = {
  */
 const verifyWebSearchAuth = async (req, res) => {
   try {
+    const appConfig = await getAppConfig({ role: req.user?.role });
     const userId = req.user.id;
     /** @type {TCustomConfig['webSearch']} */
-    const webSearchConfig = req.app.locals?.webSearch || {};
+    const webSearchConfig = appConfig?.webSearch || {};
     const result = await loadWebSearchAuth({
       userId,
       loadAuthValues,
@@ -110,6 +112,7 @@ const verifyToolAuth = async (req, res) => {
  */
 const callTool = async (req, res) => {
   try {
+    const appConfig = await getAppConfig({ role: req.user?.role });
     const { toolId = '' } = req.params;
     if (!fieldsMap[toolId]) {
       logger.warn(`[${toolId}/call] User ${req.user.id} attempted call to invalid tool`);
@@ -155,8 +158,10 @@ const callTool = async (req, res) => {
         returnMetadata: true,
         processFileURL,
         uploadImageBuffer,
-        fileStrategy: req.app.locals.fileStrategy,
       },
+      webSearch: appConfig.webSearch,
+      fileStrategy: appConfig.fileStrategy,
+      imageOutputType: appConfig.imageOutputType,
     });
 
     const tool = loadedTools[0];

api/server/index.js

@@ -8,19 +8,20 @@ const express = require('express');
 const passport = require('passport');
 const compression = require('compression');
 const cookieParser = require('cookie-parser');
-const { isEnabled } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const mongoSanitize = require('express-mongo-sanitize');
+const { isEnabled, ErrorController } = require('@librechat/api');
 const { connectDb, indexSync } = require('~/db');
-
 const validateImageRequest = require('./middleware/validateImageRequest');
 const { jwtLogin, ldapLogin, passportLogin } = require('~/strategies');
-const errorController = require('./controllers/ErrorController');
+const { updateInterfacePermissions } = require('~/models/interface');
+const { checkMigrations } = require('./services/start/migration');
 const initializeMCPs = require('./services/initializeMCPs');
 const configureSocialLogins = require('./socialLogins');
-const AppService = require('./services/AppService');
+const { getAppConfig } = require('./services/Config');
 const staticCache = require('./utils/staticCache');
 const noIndex = require('./middleware/noIndex');
+const { seedDatabase } = require('~/models');
 const routes = require('./routes');
 
 const { PORT, HOST, ALLOW_SOCIAL_LOGIN, DISABLE_COMPRESSION, TRUST_PROXY } = process.env ?? {};
@@ -46,9 +47,11 @@ const startServer = async () => {
   app.disable('x-powered-by');
   app.set('trust proxy', trusted_proxy);
 
-  await AppService(app);
+  await seedDatabase();
 
-  const indexPath = path.join(app.locals.paths.dist, 'index.html');
+  const appConfig = await getAppConfig();
+  await updateInterfacePermissions(appConfig);
+  const indexPath = path.join(appConfig.paths.dist, 'index.html');
   const indexHTML = fs.readFileSync(indexPath, 'utf8');
 
   app.get('/health', (_req, res) => res.status(200).send('OK'));
@@ -67,10 +70,9 @@ const startServer = async () => {
     console.warn('Response compression has been disabled via DISABLE_COMPRESSION.');
   }
 
-  // Serve static assets with aggressive caching
-  app.use(staticCache(app.locals.paths.dist));
-  app.use(staticCache(app.locals.paths.fonts));
-  app.use(staticCache(app.locals.paths.assets));
+  app.use(staticCache(appConfig.paths.dist));
+  app.use(staticCache(appConfig.paths.fonts));
+  app.use(staticCache(appConfig.paths.assets));
 
   if (!ALLOW_SOCIAL_LOGIN) {
     console.warn('Social logins are disabled. Set ALLOW_SOCIAL_LOGIN=true to enable them.');
@@ -117,11 +119,12 @@ const startServer = async () => {
   app.use('/api/agents', routes.agents);
   app.use('/api/banner', routes.banner);
   app.use('/api/memories', routes.memories);
+  app.use('/api/permissions', routes.accessPermissions);
+
   app.use('/api/tags', routes.tags);
   app.use('/api/mcp', routes.mcp);
 
-  // Add the error controller one more time after all routes
-  app.use(errorController);
+  app.use(ErrorController);
 
   app.use((req, res) => {
     res.set({
@@ -146,7 +149,7 @@ const startServer = async () => {
       logger.info(`Server listening at http://${host == '0.0.0.0' ? 'localhost' : host}:${port}`);
     }
 
-    initializeMCPs(app);
+    initializeMCPs().then(() => checkMigrations());
   });
 };
 

api/server/index.spec.js

@@ -3,9 +3,28 @@ const request = require('supertest');
 const { MongoMemoryServer } = require('mongodb-memory-server');
 const mongoose = require('mongoose');
 
-jest.mock('~/server/services/Config/loadCustomConfig', () => {
-  return jest.fn(() => Promise.resolve({}));
-});
+jest.mock('~/server/services/Config', () => ({
+  loadCustomConfig: jest.fn(() => Promise.resolve({})),
+  setAppConfig: jest.fn(),
+  getAppConfig: jest.fn().mockResolvedValue({
+    paths: {
+      uploads: '/tmp',
+      dist: '/tmp/dist',
+      fonts: '/tmp/fonts',
+      assets: '/tmp/assets',
+    },
+    fileStrategy: 'local',
+    imageOutputType: 'PNG',
+  }),
+  setCachedTools: jest.fn(),
+}));
+
+jest.mock('~/app/clients/tools', () => ({
+  createOpenAIImageTools: jest.fn(() => []),
+  createYouTubeTools: jest.fn(() => []),
+  manifestToolMap: {},
+  toolkits: [],
+}));
 
 describe('Server Configuration', () => {
   // Increase the default timeout to allow for Mongo cleanup
@@ -31,6 +50,22 @@ describe('Server Configuration', () => {
   });
 
   beforeAll(async () => {
+    // Create the required directories and files for the test
+    const fs = require('fs');
+    const path = require('path');
+
+    const dirs = ['/tmp/dist', '/tmp/fonts', '/tmp/assets'];
+    dirs.forEach((dir) => {
+      if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+      }
+    });
+
+    fs.writeFileSync(
+      path.join('/tmp/dist', 'index.html'),
+      '<!DOCTYPE html><html><head><title>LibreChat</title></head><body><div id="root"></div></body></html>',
+    );
+
     mongoServer = await MongoMemoryServer.create();
     process.env.MONGO_URI = mongoServer.getUri();
     process.env.PORT = '0'; // Use a random available port
@@ -92,7 +127,7 @@ async function healthCheckPoll(app, retries = 0) {
     if (response.status === 200) {
       return; // App is healthy
     }
-  } catch (error) {
+  } catch {
     // Ignore connection errors during polling
   }
 

api/server/middleware/accessResources/canAccessAgentFromBody.js

@@ -0,0 +1,97 @@
+const { logger } = require('@librechat/data-schemas');
+const { Constants, isAgentsEndpoint, ResourceType } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getAgent } = require('~/models/Agent');
+
+/**
+ * Agent ID resolver function for agent_id from request body
+ * Resolves custom agent ID (e.g., "agent_abc123") to MongoDB ObjectId
+ * This is used specifically for chat routes where agent_id comes from request body
+ *
+ * @param {string} agentCustomId - Custom agent ID from request body
+ * @returns {Promise<Object|null>} Agent document with _id field, or null if not found
+ */
+const resolveAgentIdFromBody = async (agentCustomId) => {
+  // Handle ephemeral agents - they don't need permission checks
+  if (agentCustomId === Constants.EPHEMERAL_AGENT_ID) {
+    return null; // No permission check needed for ephemeral agents
+  }
+
+  return await getAgent({ id: agentCustomId });
+};
+
+/**
+ * Middleware factory that creates middleware to check agent access permissions from request body.
+ * This middleware is specifically designed for chat routes where the agent_id comes from req.body
+ * instead of route parameters.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for agent chat (requires VIEW permission)
+ * router.post('/chat',
+ *   canAccessAgentFromBody({ requiredPermission: PermissionBits.VIEW }),
+ *   buildEndpointOption,
+ *   chatController
+ * );
+ */
+const canAccessAgentFromBody = (options) => {
+  const { requiredPermission } = options;
+
+  // Validate required options
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessAgentFromBody: requiredPermission is required and must be a number');
+  }
+
+  return async (req, res, next) => {
+    try {
+      const { endpoint, agent_id } = req.body;
+      let agentId = agent_id;
+
+      if (!isAgentsEndpoint(endpoint)) {
+        agentId = Constants.EPHEMERAL_AGENT_ID;
+      }
+
+      if (!agentId) {
+        return res.status(400).json({
+          error: 'Bad Request',
+          message: 'agent_id is required in request body',
+        });
+      }
+
+      // Skip permission checks for ephemeral agents
+      if (agentId === Constants.EPHEMERAL_AGENT_ID) {
+        return next();
+      }
+
+      const agentAccessMiddleware = canAccessResource({
+        resourceType: ResourceType.AGENT,
+        requiredPermission,
+        resourceIdParam: 'agent_id', // This will be ignored since we use custom resolver
+        idResolver: () => resolveAgentIdFromBody(agentId),
+      });
+
+      const tempReq = {
+        ...req,
+        params: {
+          ...req.params,
+          agent_id: agentId,
+        },
+      };
+
+      return agentAccessMiddleware(tempReq, res, next);
+    } catch (error) {
+      logger.error('Failed to validate agent access permissions', error);
+      return res.status(500).json({
+        error: 'Internal Server Error',
+        message: 'Failed to validate agent access permissions',
+      });
+    }
+  };
+};
+
+module.exports = {
+  canAccessAgentFromBody,
+};

api/server/middleware/accessResources/canAccessAgentResource.js

@@ -0,0 +1,59 @@
+const { ResourceType } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getAgent } = require('~/models/Agent');
+
+/**
+ * Agent ID resolver function
+ * Resolves custom agent ID (e.g., "agent_abc123") to MongoDB ObjectId
+ *
+ * @param {string} agentCustomId - Custom agent ID from route parameter
+ * @returns {Promise<Object|null>} Agent document with _id field, or null if not found
+ */
+const resolveAgentId = async (agentCustomId) => {
+  return await getAgent({ id: agentCustomId });
+};
+
+/**
+ * Agent-specific middleware factory that creates middleware to check agent access permissions.
+ * This middleware extends the generic canAccessResource to handle agent custom ID resolution.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='id'] - The name of the route parameter containing the agent custom ID
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for viewing agents
+ * router.get('/agents/:id',
+ *   canAccessAgentResource({ requiredPermission: 1 }),
+ *   getAgent
+ * );
+ *
+ * @example
+ * // Custom resource ID parameter and edit permission
+ * router.patch('/agents/:agent_id',
+ *   canAccessAgentResource({
+ *     requiredPermission: 2,
+ *     resourceIdParam: 'agent_id'
+ *   }),
+ *   updateAgent
+ * );
+ */
+const canAccessAgentResource = (options) => {
+  const { requiredPermission, resourceIdParam = 'id' } = options;
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessAgentResource: requiredPermission is required and must be a number');
+  }
+
+  return canAccessResource({
+    resourceType: ResourceType.AGENT,
+    requiredPermission,
+    resourceIdParam,
+    idResolver: resolveAgentId,
+  });
+};
+
+module.exports = {
+  canAccessAgentResource,
+};

api/server/middleware/accessResources/canAccessAgentResource.spec.js

@@ -0,0 +1,385 @@
+const mongoose = require('mongoose');
+const { ResourceType, PrincipalType, PrincipalModel } = require('librechat-data-provider');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { canAccessAgentResource } = require('./canAccessAgentResource');
+const { User, Role, AclEntry } = require('~/db/models');
+const { createAgent } = require('~/models/Agent');
+
+describe('canAccessAgentResource middleware', () => {
+  let mongoServer;
+  let req, res, next;
+  let testUser;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await mongoose.connection.dropDatabase();
+    await Role.create({
+      name: 'test-role',
+      permissions: {
+        AGENTS: {
+          USE: true,
+          CREATE: true,
+          SHARED_GLOBAL: false,
+        },
+      },
+    });
+
+    // Create a test user
+    testUser = await User.create({
+      email: 'test@example.com',
+      name: 'Test User',
+      username: 'testuser',
+      role: 'test-role',
+    });
+
+    req = {
+      user: { id: testUser._id, role: testUser.role },
+      params: {},
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+
+    jest.clearAllMocks();
+  });
+
+  describe('middleware factory', () => {
+    test('should throw error if requiredPermission is not provided', () => {
+      expect(() => canAccessAgentResource({})).toThrow(
+        'canAccessAgentResource: requiredPermission is required and must be a number',
+      );
+    });
+
+    test('should throw error if requiredPermission is not a number', () => {
+      expect(() => canAccessAgentResource({ requiredPermission: '1' })).toThrow(
+        'canAccessAgentResource: requiredPermission is required and must be a number',
+      );
+    });
+
+    test('should create middleware with default resourceIdParam', () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      expect(typeof middleware).toBe('function');
+      expect(middleware.length).toBe(3); // Express middleware signature
+    });
+
+    test('should create middleware with custom resourceIdParam', () => {
+      const middleware = canAccessAgentResource({
+        requiredPermission: 2,
+        resourceIdParam: 'agent_id',
+      });
+      expect(typeof middleware).toBe('function');
+      expect(middleware.length).toBe(3);
+    });
+  });
+
+  describe('permission checking with real agents', () => {
+    test('should allow access when user is the agent author', async () => {
+      // Create an agent owned by the test user
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry for the author (owner permissions)
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions (1+2+4+8)
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should deny access when user is not the author and has no ACL entry', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other@example.com',
+        name: 'Other User',
+        username: 'otheruser',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Other User Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry for the other user (owner)
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: otherUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to access this agent',
+      });
+    });
+
+    test('should allow access when user has ACL entry with sufficient permissions', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other2@example.com',
+        name: 'Other User 2',
+        username: 'otheruser2',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Shared Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry granting view permission to test user
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 1, // VIEW permission
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should deny access when ACL permissions are insufficient', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other3@example.com',
+        name: 'Other User 3',
+        username: 'otheruser3',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Limited Access Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry granting only view permission
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 1, // VIEW permission only
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 2 }); // EDIT permission required
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to access this agent',
+      });
+    });
+
+    test('should handle non-existent agent', async () => {
+      req.params.id = 'agent_nonexistent';
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Not Found',
+        message: 'agent not found',
+      });
+    });
+
+    test('should use custom resourceIdParam', async () => {
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Custom Param Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry for the author
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: testUser._id,
+      });
+
+      req.params.agent_id = agent.id; // Using custom param name
+
+      const middleware = canAccessAgentResource({
+        requiredPermission: 1,
+        resourceIdParam: 'agent_id',
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('permission levels', () => {
+    let agent;
+
+    beforeEach(async () => {
+      agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Permission Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry with all permissions for the owner
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions (1+2+4+8)
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agent.id;
+    });
+
+    test('should support view permission (1)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support edit permission (2)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 2 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support delete permission (4)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 4 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support share permission (8)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 8 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support combined permissions', async () => {
+      const viewAndEdit = 1 | 2; // 3
+      const middleware = canAccessAgentResource({ requiredPermission: viewAndEdit });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+  });
+
+  describe('integration with agent operations', () => {
+    test('should work with agent CRUD operations', async () => {
+      const agentId = `agent_${Date.now()}`;
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Integration Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+        description: 'Testing integration',
+      });
+
+      // Create ACL entry for the author
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agentId;
+
+      // Test view access
+      const viewMiddleware = canAccessAgentResource({ requiredPermission: 1 });
+      await viewMiddleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+      jest.clearAllMocks();
+
+      // Update the agent
+      const { updateAgent } = require('~/models/Agent');
+      await updateAgent({ id: agentId }, { description: 'Updated description' });
+
+      // Test edit access
+      const editMiddleware = canAccessAgentResource({ requiredPermission: 2 });
+      await editMiddleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+  });
+});

api/server/middleware/accessResources/canAccessPromptGroupResource.js

@@ -0,0 +1,61 @@
+const { ResourceType } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getPromptGroup } = require('~/models/Prompt');
+
+/**
+ * PromptGroup ID resolver function
+ * Resolves promptGroup ID to MongoDB ObjectId
+ *
+ * @param {string} groupId - PromptGroup ID from route parameter
+ * @returns {Promise<Object|null>} PromptGroup document with _id field, or null if not found
+ */
+const resolvePromptGroupId = async (groupId) => {
+  return await getPromptGroup({ _id: groupId });
+};
+
+/**
+ * PromptGroup-specific middleware factory that creates middleware to check promptGroup access permissions.
+ * This middleware extends the generic canAccessResource to handle promptGroup ID resolution.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='groupId'] - The name of the route parameter containing the promptGroup ID
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for viewing promptGroups
+ * router.get('/prompts/groups/:groupId',
+ *   canAccessPromptGroupResource({ requiredPermission: 1 }),
+ *   getPromptGroup
+ * );
+ *
+ * @example
+ * // Custom resource ID parameter and edit permission
+ * router.patch('/prompts/groups/:id',
+ *   canAccessPromptGroupResource({
+ *     requiredPermission: 2,
+ *     resourceIdParam: 'id'
+ *   }),
+ *   updatePromptGroup
+ * );
+ */
+const canAccessPromptGroupResource = (options) => {
+  const { requiredPermission, resourceIdParam = 'groupId' } = options;
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error(
+      'canAccessPromptGroupResource: requiredPermission is required and must be a number',
+    );
+  }
+
+  return canAccessResource({
+    resourceType: ResourceType.PROMPTGROUP,
+    requiredPermission,
+    resourceIdParam,
+    idResolver: resolvePromptGroupId,
+  });
+};
+
+module.exports = {
+  canAccessPromptGroupResource,
+};

api/server/middleware/accessResources/canAccessPromptViaGroup.js

@@ -0,0 +1,55 @@
+const { ResourceType } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getPrompt } = require('~/models/Prompt');
+
+/**
+ * Prompt to PromptGroup ID resolver function
+ * Resolves prompt ID to its parent promptGroup ID
+ *
+ * @param {string} promptId - Prompt ID from route parameter
+ * @returns {Promise<Object|null>} Object with promptGroup's _id field, or null if not found
+ */
+const resolvePromptToGroupId = async (promptId) => {
+  const prompt = await getPrompt({ _id: promptId });
+  if (!prompt || !prompt.groupId) {
+    return null;
+  }
+  // Return an object with _id that matches the promptGroup ID
+  return { _id: prompt.groupId };
+};
+
+/**
+ * Middleware factory that checks promptGroup permissions when accessing individual prompts.
+ * This allows permission management at the promptGroup level while still supporting
+ * individual prompt access patterns.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='promptId'] - The name of the route parameter containing the prompt ID
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Check promptGroup permissions when viewing a prompt
+ * router.get('/prompts/:promptId',
+ *   canAccessPromptViaGroup({ requiredPermission: 1 }),
+ *   getPrompt
+ * );
+ */
+const canAccessPromptViaGroup = (options) => {
+  const { requiredPermission, resourceIdParam = 'promptId' } = options;
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessPromptViaGroup: requiredPermission is required and must be a number');
+  }
+
+  return canAccessResource({
+    resourceType: ResourceType.PROMPTGROUP,
+    requiredPermission,
+    resourceIdParam,
+    idResolver: resolvePromptToGroupId,
+  });
+};
+
+module.exports = {
+  canAccessPromptViaGroup,
+};

api/server/middleware/accessResources/canAccessResource.js

@@ -0,0 +1,158 @@
+const { logger } = require('@librechat/data-schemas');
+const { SystemRoles } = require('librechat-data-provider');
+const { checkPermission } = require('~/server/services/PermissionService');
+
+/**
+ * Generic base middleware factory that creates middleware to check resource access permissions.
+ * This middleware expects MongoDB ObjectIds as resource identifiers for ACL permission checks.
+ *
+ * @param {Object} options - Configuration options
+ * @param {string} options.resourceType - The type of resource (e.g., 'agent', 'file', 'project')
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='resourceId'] - The name of the route parameter containing the resource ID
+ * @param {Function} [options.idResolver] - Optional function to resolve custom IDs to ObjectIds
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Direct usage with ObjectId (for resources that use MongoDB ObjectId in routes)
+ * router.get('/prompts/:promptId',
+ *   canAccessResource({ resourceType: 'prompt', requiredPermission: 1 }),
+ *   getPrompt
+ * );
+ *
+ * @example
+ * // Usage with custom ID resolver (for resources that use custom string IDs)
+ * router.get('/agents/:id',
+ *   canAccessResource({
+ *     resourceType: 'agent',
+ *     requiredPermission: 1,
+ *     resourceIdParam: 'id',
+ *     idResolver: (customId) => resolveAgentId(customId)
+ *   }),
+ *   getAgent
+ * );
+ */
+const canAccessResource = (options) => {
+  const {
+    resourceType,
+    requiredPermission,
+    resourceIdParam = 'resourceId',
+    idResolver = null,
+  } = options;
+
+  if (!resourceType || typeof resourceType !== 'string') {
+    throw new Error('canAccessResource: resourceType is required and must be a string');
+  }
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessResource: requiredPermission is required and must be a number');
+  }
+
+  return async (req, res, next) => {
+    try {
+      // Extract resource ID from route parameters
+      const rawResourceId = req.params[resourceIdParam];
+
+      if (!rawResourceId) {
+        logger.warn(`[canAccessResource] Missing ${resourceIdParam} in route parameters`);
+        return res.status(400).json({
+          error: 'Bad Request',
+          message: `${resourceIdParam} is required`,
+        });
+      }
+
+      // Check if user is authenticated
+      if (!req.user || !req.user.id) {
+        logger.warn(
+          `[canAccessResource] Unauthenticated request for ${resourceType} ${rawResourceId}`,
+        );
+        return res.status(401).json({
+          error: 'Unauthorized',
+          message: 'Authentication required',
+        });
+      }
+      // if system admin let through
+      if (req.user.role === SystemRoles.ADMIN) {
+        return next();
+      }
+      const userId = req.user.id;
+      let resourceId = rawResourceId;
+      let resourceInfo = null;
+
+      // Resolve custom ID to ObjectId if resolver is provided
+      if (idResolver) {
+        logger.debug(
+          `[canAccessResource] Resolving ${resourceType} custom ID ${rawResourceId} to ObjectId`,
+        );
+
+        const resolutionResult = await idResolver(rawResourceId);
+
+        if (!resolutionResult) {
+          logger.warn(`[canAccessResource] ${resourceType} not found: ${rawResourceId}`);
+          return res.status(404).json({
+            error: 'Not Found',
+            message: `${resourceType} not found`,
+          });
+        }
+
+        // Handle different resolver return formats
+        if (typeof resolutionResult === 'string' || resolutionResult._id) {
+          resourceId = resolutionResult._id || resolutionResult;
+          resourceInfo = typeof resolutionResult === 'object' ? resolutionResult : null;
+        } else {
+          resourceId = resolutionResult;
+        }
+
+        logger.debug(
+          `[canAccessResource] Resolved ${resourceType} ${rawResourceId} to ObjectId ${resourceId}`,
+        );
+      }
+
+      // Check permissions using PermissionService with ObjectId
+      const hasPermission = await checkPermission({
+        userId,
+        role: req.user.role,
+        resourceType,
+        resourceId,
+        requiredPermission,
+      });
+
+      if (hasPermission) {
+        logger.debug(
+          `[canAccessResource] User ${userId} has permission ${requiredPermission} on ${resourceType} ${rawResourceId} (${resourceId})`,
+        );
+
+        req.resourceAccess = {
+          resourceType,
+          resourceId, // MongoDB ObjectId for ACL operations
+          customResourceId: rawResourceId, // Original ID from route params
+          permission: requiredPermission,
+          userId,
+          ...(resourceInfo && { resourceInfo }),
+        };
+
+        return next();
+      }
+
+      logger.warn(
+        `[canAccessResource] User ${userId} denied access to ${resourceType} ${rawResourceId} ` +
+          `(required permission: ${requiredPermission})`,
+      );
+
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: `Insufficient permissions to access this ${resourceType}`,
+      });
+    } catch (error) {
+      logger.error(`[canAccessResource] Error checking access for ${resourceType}:`, error);
+      return res.status(500).json({
+        error: 'Internal Server Error',
+        message: 'Failed to check resource access permissions',
+      });
+    }
+  };
+};
+
+module.exports = {
+  canAccessResource,
+};

api/server/middleware/accessResources/fileAccess.js

@@ -0,0 +1,125 @@
+const { logger } = require('@librechat/data-schemas');
+const { PermissionBits, hasPermissions, ResourceType } = require('librechat-data-provider');
+const { getEffectivePermissions } = require('~/server/services/PermissionService');
+const { getAgent } = require('~/models/Agent');
+const { getFiles } = require('~/models/File');
+
+/**
+ * Checks if user has access to a file through agent permissions
+ * Files inherit permissions from agents - if you can view the agent, you can access its files
+ */
+const checkAgentBasedFileAccess = async ({ userId, role, fileId }) => {
+  try {
+    // Find agents that have this file in their tool_resources
+    const agentsWithFile = await getAgent({
+      $or: [
+        { 'tool_resources.file_search.file_ids': fileId },
+        { 'tool_resources.execute_code.file_ids': fileId },
+        { 'tool_resources.ocr.file_ids': fileId },
+      ],
+    });
+
+    if (!agentsWithFile || agentsWithFile.length === 0) {
+      return false;
+    }
+
+    // Check if user has access to any of these agents
+    for (const agent of Array.isArray(agentsWithFile) ? agentsWithFile : [agentsWithFile]) {
+      // Check if user is the agent author
+      if (agent.author && agent.author.toString() === userId) {
+        logger.debug(`[fileAccess] User is author of agent ${agent.id}`);
+        return true;
+      }
+
+      // Check ACL permissions for VIEW access on the agent
+      try {
+        const permissions = await getEffectivePermissions({
+          userId,
+          role,
+          resourceType: ResourceType.AGENT,
+          resourceId: agent._id || agent.id,
+        });
+
+        if (hasPermissions(permissions, PermissionBits.VIEW)) {
+          logger.debug(`[fileAccess] User ${userId} has VIEW permissions on agent ${agent.id}`);
+          return true;
+        }
+      } catch (permissionError) {
+        logger.warn(
+          `[fileAccess] Permission check failed for agent ${agent.id}:`,
+          permissionError.message,
+        );
+        // Continue checking other agents
+      }
+    }
+
+    return false;
+  } catch (error) {
+    logger.error('[fileAccess] Error checking agent-based access:', error);
+    return false;
+  }
+};
+
+/**
+ * Middleware to check if user can access a file
+ * Checks: 1) File ownership, 2) Agent-based access (file inherits agent permissions)
+ */
+const fileAccess = async (req, res, next) => {
+  try {
+    const fileId = req.params.file_id;
+    const userId = req.user?.id;
+    const userRole = req.user?.role;
+    if (!fileId) {
+      return res.status(400).json({
+        error: 'Bad Request',
+        message: 'file_id is required',
+      });
+    }
+
+    if (!userId) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    // Get the file
+    const [file] = await getFiles({ file_id: fileId });
+    if (!file) {
+      return res.status(404).json({
+        error: 'Not Found',
+        message: 'File not found',
+      });
+    }
+
+    // Check if user owns the file
+    if (file.user && file.user.toString() === userId) {
+      req.fileAccess = { file };
+      return next();
+    }
+
+    // Check agent-based access (file inherits agent permissions)
+    const hasAgentAccess = await checkAgentBasedFileAccess({ userId, role: userRole, fileId });
+    if (hasAgentAccess) {
+      req.fileAccess = { file };
+      return next();
+    }
+
+    // No access
+    logger.warn(`[fileAccess] User ${userId} denied access to file ${fileId}`);
+    return res.status(403).json({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to access this file',
+    });
+  } catch (error) {
+    logger.error('[fileAccess] Error checking file access:', error);
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check file access permissions',
+    });
+  }
+};
+
+module.exports = {
+  fileAccess,
+};

api/server/middleware/accessResources/index.js

@@ -0,0 +1,13 @@
+const { canAccessResource } = require('./canAccessResource');
+const { canAccessAgentResource } = require('./canAccessAgentResource');
+const { canAccessAgentFromBody } = require('./canAccessAgentFromBody');
+const { canAccessPromptViaGroup } = require('./canAccessPromptViaGroup');
+const { canAccessPromptGroupResource } = require('./canAccessPromptGroupResource');
+
+module.exports = {
+  canAccessResource,
+  canAccessAgentResource,
+  canAccessAgentFromBody,
+  canAccessPromptViaGroup,
+  canAccessPromptGroupResource,
+};

api/server/middleware/assistants/validate.js

@@ -1,5 +1,6 @@
 const { v4 } = require('uuid');
 const { handleAbortError } = require('~/server/middleware/abortMiddleware');
+const { getAppConfig } = require('~/server/services/Config/app');
 
 /**
  * Checks if the assistant is supported or excluded
@@ -12,8 +13,9 @@ const { handleAbortError } = require('~/server/middleware/abortMiddleware');
 const validateAssistant = async (req, res, next) => {
   const { endpoint, conversationId, assistant_id, messageId } = req.body;
 
+  const appConfig = await getAppConfig({ role: req.user?.role });
   /** @type {Partial<TAssistantEndpoint>} */
-  const assistantsConfig = req.app.locals?.[endpoint];
+  const assistantsConfig = appConfig.endpoints?.[endpoint];
   if (!assistantsConfig) {
     return next();
   }

api/server/middleware/assistants/validateAuthor.js

@@ -1,4 +1,5 @@
 const { SystemRoles } = require('librechat-data-provider');
+const { getAppConfig } = require('~/server/services/Config/app');
 const { getAssistant } = require('~/models/Assistant');
 
 /**
@@ -20,8 +21,9 @@ const validateAuthor = async ({ req, openai, overrideEndpoint, overrideAssistant
   const assistant_id =
     overrideAssistantId ?? req.params.id ?? req.body.assistant_id ?? req.query.assistant_id;
 
+  const appConfig = await getAppConfig({ role: req.user?.role });
   /** @type {Partial<TAssistantEndpoint>} */
-  const assistantsConfig = req.app.locals?.[endpoint];
+  const assistantsConfig = appConfig.endpoints?.[endpoint];
   if (!assistantsConfig) {
     return;
   }

api/server/middleware/buildEndpointOption.js

@@ -10,6 +10,7 @@ const azureAssistants = require('~/server/services/Endpoints/azureAssistants');
 const assistants = require('~/server/services/Endpoints/assistants');
 const { processFiles } = require('~/server/services/Files/process');
 const anthropic = require('~/server/services/Endpoints/anthropic');
+const { getAppConfig } = require('~/server/services/Config/app');
 const bedrock = require('~/server/services/Endpoints/bedrock');
 const openAI = require('~/server/services/Endpoints/openAI');
 const agents = require('~/server/services/Endpoints/agents');
@@ -40,9 +41,10 @@ async function buildEndpointOption(req, res, next) {
     return handleError(res, { text: 'Error parsing conversation' });
   }
 
-  if (req.app.locals.modelSpecs?.list && req.app.locals.modelSpecs?.enforce) {
+  const appConfig = await getAppConfig({ role: req.user?.role });
+  if (appConfig.modelSpecs?.list && appConfig.modelSpecs?.enforce) {
     /** @type {{ list: TModelSpec[] }}*/
-    const { list } = req.app.locals.modelSpecs;
+    const { list } = appConfig.modelSpecs;
     const { spec } = parsedBody;
 
     if (!spec) {

api/server/middleware/checkDomainAllowed.js

@@ -1,5 +1,6 @@
+const { logger } = require('@librechat/data-schemas');
 const { isEmailDomainAllowed } = require('~/server/services/domains');
-const { logger } = require('~/config');
+const { getAppConfig } = require('~/server/services/Config');
 
 /**
  * Checks the domain's social login is allowed
@@ -14,7 +15,10 @@ const { logger } = require('~/config');
  */
 const checkDomainAllowed = async (req, res, next = () => {}) => {
   const email = req?.user?.email;
-  if (email && !(await isEmailDomainAllowed(email))) {
+  const appConfig = getAppConfig({
+    role: req?.user?.role,
+  });
+  if (email && !(await isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains))) {
     logger.error(`[Social Login] [Social Login not allowed] [Email: ${email}]`);
     return res.redirect('/login');
   } else {

api/server/middleware/checkPeoplePickerAccess.js

@@ -0,0 +1,82 @@
+const { PrincipalType, PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+/**
+ * Middleware to check if user has permission to access people picker functionality
+ * Checks specific permission based on the 'type' query parameter:
+ * - type=user: requires VIEW_USERS permission
+ * - type=group: requires VIEW_GROUPS permission
+ * - type=role: requires VIEW_ROLES permission
+ * - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS OR VIEW_ROLES
+ */
+const checkPeoplePickerAccess = async (req, res, next) => {
+  try {
+    const user = req.user;
+    if (!user || !user.role) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    const role = await getRoleByName(user.role);
+    if (!role || !role.permissions) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'No permissions configured for user role',
+      });
+    }
+
+    const { type } = req.query;
+    const peoplePickerPerms = role.permissions[PermissionTypes.PEOPLE_PICKER] || {};
+    const canViewUsers = peoplePickerPerms[Permissions.VIEW_USERS] === true;
+    const canViewGroups = peoplePickerPerms[Permissions.VIEW_GROUPS] === true;
+    const canViewRoles = peoplePickerPerms[Permissions.VIEW_ROLES] === true;
+
+    const permissionChecks = {
+      [PrincipalType.USER]: {
+        hasPermission: canViewUsers,
+        message: 'Insufficient permissions to search for users',
+      },
+      [PrincipalType.GROUP]: {
+        hasPermission: canViewGroups,
+        message: 'Insufficient permissions to search for groups',
+      },
+      [PrincipalType.ROLE]: {
+        hasPermission: canViewRoles,
+        message: 'Insufficient permissions to search for roles',
+      },
+    };
+
+    const check = permissionChecks[type];
+    if (check && !check.hasPermission) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: check.message,
+      });
+    }
+
+    if (!type && !canViewUsers && !canViewGroups && !canViewRoles) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to search for users, groups, or roles',
+      });
+    }
+
+    next();
+  } catch (error) {
+    logger.error(
+      `[checkPeoplePickerAccess][${req.user?.id}] checkPeoplePickerAccess error for req.query.type = ${req.query.type}`,
+      error,
+    );
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check permissions',
+    });
+  }
+};
+
+module.exports = {
+  checkPeoplePickerAccess,
+};

api/server/middleware/checkPeoplePickerAccess.spec.js

@@ -0,0 +1,250 @@
+const { PrincipalType, PermissionTypes, Permissions } = require('librechat-data-provider');
+const { checkPeoplePickerAccess } = require('./checkPeoplePickerAccess');
+const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+jest.mock('~/models/Role');
+jest.mock('~/config', () => ({
+  logger: {
+    error: jest.fn(),
+  },
+}));
+
+describe('checkPeoplePickerAccess', () => {
+  let req, res, next;
+
+  beforeEach(() => {
+    req = {
+      user: { id: 'user123', role: 'USER' },
+      query: {},
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+    jest.clearAllMocks();
+  });
+
+  it('should return 401 if user is not authenticated', async () => {
+    req.user = null;
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Unauthorized',
+      message: 'Authentication required',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should return 403 if role has no permissions', async () => {
+    getRoleByName.mockResolvedValue(null);
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'No permissions configured for user role',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should allow access when searching for users with VIEW_USERS permission', async () => {
+    req.query.type = PrincipalType.USER;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: true,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: false,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+    expect(res.status).not.toHaveBeenCalled();
+  });
+
+  it('should deny access when searching for users without VIEW_USERS permission', async () => {
+    req.query.type = PrincipalType.USER;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: true,
+          [Permissions.VIEW_ROLES]: true,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for users',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should allow access when searching for groups with VIEW_GROUPS permission', async () => {
+    req.query.type = PrincipalType.GROUP;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: true,
+          [Permissions.VIEW_ROLES]: false,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+    expect(res.status).not.toHaveBeenCalled();
+  });
+
+  it('should deny access when searching for groups without VIEW_GROUPS permission', async () => {
+    req.query.type = PrincipalType.GROUP;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: true,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: true,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for groups',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should allow access when searching for roles with VIEW_ROLES permission', async () => {
+    req.query.type = PrincipalType.ROLE;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: true,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+    expect(res.status).not.toHaveBeenCalled();
+  });
+
+  it('should deny access when searching for roles without VIEW_ROLES permission', async () => {
+    req.query.type = PrincipalType.ROLE;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: true,
+          [Permissions.VIEW_GROUPS]: true,
+          [Permissions.VIEW_ROLES]: false,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for roles',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should allow mixed search when user has at least one permission', async () => {
+    // No type specified = mixed search
+    req.query.type = undefined;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: true,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+    expect(res.status).not.toHaveBeenCalled();
+  });
+
+  it('should deny mixed search when user has no permissions', async () => {
+    // No type specified = mixed search
+    req.query.type = undefined;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: false,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for users, groups, or roles',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should handle errors gracefully', async () => {
+    const error = new Error('Database error');
+    getRoleByName.mockRejectedValue(error);
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(logger.error).toHaveBeenCalledWith(
+      '[checkPeoplePickerAccess][user123] checkPeoplePickerAccess error for req.query.type = undefined',
+      error,
+    );
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Internal Server Error',
+      message: 'Failed to check permissions',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should handle missing permissions object gracefully', async () => {
+    req.query.type = PrincipalType.USER;
+    getRoleByName.mockResolvedValue({
+      permissions: {}, // No PEOPLE_PICKER permissions
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for users',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+});

api/server/middleware/index.js

@@ -8,7 +8,7 @@ const concurrentLimiter = require('./concurrentLimiter');
 const validateEndpoint = require('./validateEndpoint');
 const requireLocalAuth = require('./requireLocalAuth');
 const canDeleteAccount = require('./canDeleteAccount');
-const setBalanceConfig = require('./setBalanceConfig');
+const accessResources = require('./accessResources');
 const requireLdapAuth = require('./requireLdapAuth');
 const abortMiddleware = require('./abortMiddleware');
 const checkInviteUser = require('./checkInviteUser');
@@ -29,6 +29,7 @@ module.exports = {
   ...validate,
   ...limiters,
   ...roles,
+  ...accessResources,
   noIndex,
   checkBan,
   uaParser,
@@ -42,7 +43,6 @@ module.exports = {
   requireLocalAuth,
   canDeleteAccount,
   validateEndpoint,
-  setBalanceConfig,
   concurrentLimiter,
   checkDomainAllowed,
   validateMessageReq,

api/server/middleware/roles/access.spec.js

@@ -0,0 +1,370 @@
+const mongoose = require('mongoose');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { checkAccess, generateCheckAccess } = require('@librechat/api');
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { Role } = require('~/db/models');
+
+// Mock the logger from @librechat/data-schemas
+jest.mock('@librechat/data-schemas', () => ({
+  ...jest.requireActual('@librechat/data-schemas'),
+  logger: {
+    warn: jest.fn(),
+    error: jest.fn(),
+    info: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+// Mock the cache to use a simple in-memory implementation
+const mockCache = new Map();
+jest.mock('~/cache/getLogStores', () => {
+  return jest.fn(() => ({
+    get: jest.fn(async (key) => mockCache.get(key)),
+    set: jest.fn(async (key, value) => mockCache.set(key, value)),
+    clear: jest.fn(async () => mockCache.clear()),
+  }));
+});
+
+describe('Access Middleware', () => {
+  let mongoServer;
+  let req, res, next;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await mongoose.connection.dropDatabase();
+    mockCache.clear(); // Clear the cache between tests
+
+    // Create test roles
+    await Role.create({
+      name: 'user',
+      permissions: {
+        [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.SHARED_GLOBAL]: false,
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+        },
+        [PermissionTypes.MEMORIES]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.UPDATE]: true,
+          [Permissions.READ]: true,
+          [Permissions.OPT_OUT]: true,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: false,
+          [Permissions.SHARED_GLOBAL]: false,
+        },
+        [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
+        [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
+        [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+        [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      },
+    });
+
+    await Role.create({
+      name: 'admin',
+      permissions: {
+        [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.SHARED_GLOBAL]: true,
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+        },
+        [PermissionTypes.MEMORIES]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.UPDATE]: true,
+          [Permissions.READ]: true,
+          [Permissions.OPT_OUT]: true,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.SHARED_GLOBAL]: true,
+        },
+        [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
+        [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
+        [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+        [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      },
+    });
+
+    // Create limited role with no AGENTS permissions
+    await Role.create({
+      name: 'limited',
+      permissions: {
+        // Explicitly set AGENTS permissions to false
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: false,
+          [Permissions.CREATE]: false,
+          [Permissions.SHARED_GLOBAL]: false,
+        },
+        // Has permissions for other types
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.USE]: true,
+        },
+      },
+    });
+
+    req = {
+      user: { id: 'user123', role: 'user' },
+      body: {},
+      originalUrl: '/test',
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+    jest.clearAllMocks();
+  });
+
+  describe('checkAccess', () => {
+    test('should return false if user is not provided', async () => {
+      const result = await checkAccess({
+        user: null,
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return true if user has required permission', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should return false if user lacks required permission', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return false if user has only some of multiple permissions', async () => {
+      // User has USE but not CREATE, so should fail when checking for both
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE, Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return true if user has all of multiple permissions', async () => {
+      // Admin has both USE and CREATE
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE, Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should check body properties when permission is not directly granted', async () => {
+      const req = { body: { id: 'agent123' } };
+      const result = await checkAccess({
+        req,
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.UPDATE],
+        bodyProps: {
+          [Permissions.UPDATE]: ['id'],
+        },
+        checkObject: req.body,
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should return false if role is not found', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'nonexistent' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return false if role has no permissions for the requested type', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'limited' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should handle admin role with all permissions', async () => {
+      const createResult = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      expect(createResult).toBe(true);
+
+      const shareResult = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.SHARED_GLOBAL],
+        getRoleByName,
+      });
+      expect(shareResult).toBe(true);
+    });
+  });
+
+  describe('generateCheckAccess', () => {
+    test('should call next() when user has required permission', async () => {
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should return 403 when user lacks permission', async () => {
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+
+    test('should check body properties when configured', async () => {
+      req.body = { agentId: 'agent123', description: 'test' };
+
+      const bodyProps = {
+        [Permissions.CREATE]: ['agentId'],
+      };
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        bodyProps,
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should handle database errors gracefully', async () => {
+      // Mock getRoleByName to throw an error
+      const mockGetRoleByName = jest
+        .fn()
+        .mockRejectedValue(new Error('Database connection failed'));
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName: mockGetRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        message: expect.stringContaining('Server error:'),
+      });
+    });
+
+    test('should work with multiple permission types', async () => {
+      req.user.role = 'admin';
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE, Permissions.CREATE, Permissions.SHARED_GLOBAL],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should handle missing user gracefully', async () => {
+      req.user = null;
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+
+    test('should handle role with no AGENTS permissions', async () => {
+      await Role.create({
+        name: 'noaccess',
+        permissions: {
+          // Explicitly set AGENTS with all permissions false
+          [PermissionTypes.AGENTS]: {
+            [Permissions.USE]: false,
+            [Permissions.CREATE]: false,
+            [Permissions.SHARED_GLOBAL]: false,
+          },
+        },
+      });
+      req.user.role = 'noaccess';
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+  });
+});

api/server/middleware/setBalanceConfig.js

@@ -1,91 +0,0 @@
-const { logger } = require('@librechat/data-schemas');
-const { getBalanceConfig } = require('~/server/services/Config');
-const { Balance } = require('~/db/models');
-
-/**
- * Middleware to synchronize user balance settings with current balance configuration.
- * @function
- * @param {Object} req - Express request object containing user information.
- * @param {Object} res - Express response object.
- * @param {import('express').NextFunction} next - Next middleware function.
- */
-const setBalanceConfig = async (req, res, next) => {
-  try {
-    const balanceConfig = await getBalanceConfig();
-    if (!balanceConfig?.enabled) {
-      return next();
-    }
-    if (balanceConfig.startBalance == null) {
-      return next();
-    }
-
-    const userId = req.user._id;
-    const userBalanceRecord = await Balance.findOne({ user: userId }).lean();
-    const updateFields = buildUpdateFields(balanceConfig, userBalanceRecord);
-
-    if (Object.keys(updateFields).length === 0) {
-      return next();
-    }
-
-    await Balance.findOneAndUpdate(
-      { user: userId },
-      { $set: updateFields },
-      { upsert: true, new: true },
-    );
-
-    next();
-  } catch (error) {
-    logger.error('Error setting user balance:', error);
-    next(error);
-  }
-};
-
-/**
- * Build an object containing fields that need updating
- * @param {Object} config - The balance configuration
- * @param {Object|null} userRecord - The user's current balance record, if any
- * @returns {Object} Fields that need updating
- */
-function buildUpdateFields(config, userRecord) {
-  const updateFields = {};
-
-  // Ensure user record has the required fields
-  if (!userRecord) {
-    updateFields.user = userRecord?.user;
-    updateFields.tokenCredits = config.startBalance;
-  }
-
-  if (userRecord?.tokenCredits == null && config.startBalance != null) {
-    updateFields.tokenCredits = config.startBalance;
-  }
-
-  const isAutoRefillConfigValid =
-    config.autoRefillEnabled &&
-    config.refillIntervalValue != null &&
-    config.refillIntervalUnit != null &&
-    config.refillAmount != null;
-
-  if (!isAutoRefillConfigValid) {
-    return updateFields;
-  }
-
-  if (userRecord?.autoRefillEnabled !== config.autoRefillEnabled) {
-    updateFields.autoRefillEnabled = config.autoRefillEnabled;
-  }
-
-  if (userRecord?.refillIntervalValue !== config.refillIntervalValue) {
-    updateFields.refillIntervalValue = config.refillIntervalValue;
-  }
-
-  if (userRecord?.refillIntervalUnit !== config.refillIntervalUnit) {
-    updateFields.refillIntervalUnit = config.refillIntervalUnit;
-  }
-
-  if (userRecord?.refillAmount !== config.refillAmount) {
-    updateFields.refillAmount = config.refillAmount;
-  }
-
-  return updateFields;
-}
-
-module.exports = setBalanceConfig;

api/server/middleware/spec/validateImages.spec.js

@@ -1,13 +1,18 @@
 const jwt = require('jsonwebtoken');
 const validateImageRequest = require('~/server/middleware/validateImageRequest');
 
+jest.mock('~/server/services/Config/app', () => ({
+  getAppConfig: jest.fn(),
+}));
+
 describe('validateImageRequest middleware', () => {
   let req, res, next;
   const validObjectId = '65cfb246f7ecadb8b1e8036b';
+  const { getAppConfig } = require('~/server/services/Config/app');
 
   beforeEach(() => {
+    jest.clearAllMocks();
     req = {
-      app: { locals: { secureImageLinks: true } },
       headers: {},
       originalUrl: '',
     };
@@ -17,79 +22,86 @@ describe('validateImageRequest middleware', () => {
     };
     next = jest.fn();
     process.env.JWT_REFRESH_SECRET = 'test-secret';
+
+    // Mock getAppConfig to return secureImageLinks: true by default
+    getAppConfig.mockResolvedValue({
+      secureImageLinks: true,
+    });
   });
 
   afterEach(() => {
     jest.clearAllMocks();
   });
 
-  test('should call next() if secureImageLinks is false', () => {
-    req.app.locals.secureImageLinks = false;
-    validateImageRequest(req, res, next);
+  test('should call next() if secureImageLinks is false', async () => {
+    getAppConfig.mockResolvedValue({
+      secureImageLinks: false,
+    });
+    await validateImageRequest(req, res, next);
     expect(next).toHaveBeenCalled();
   });
 
-  test('should return 401 if refresh token is not provided', () => {
-    validateImageRequest(req, res, next);
+  test('should return 401 if refresh token is not provided', async () => {
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(401);
     expect(res.send).toHaveBeenCalledWith('Unauthorized');
   });
 
-  test('should return 403 if refresh token is invalid', () => {
+  test('should return 403 if refresh token is invalid', async () => {
     req.headers.cookie = 'refreshToken=invalid-token';
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(403);
     expect(res.send).toHaveBeenCalledWith('Access Denied');
   });
 
-  test('should return 403 if refresh token is expired', () => {
+  test('should return 403 if refresh token is expired', async () => {
     const expiredToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) - 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${expiredToken}`;
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(403);
     expect(res.send).toHaveBeenCalledWith('Access Denied');
   });
 
-  test('should call next() for valid image path', () => {
+  test('should call next() for valid image path', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${validToken}`;
     req.originalUrl = `/images/${validObjectId}/example.jpg`;
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(next).toHaveBeenCalled();
   });
 
-  test('should return 403 for invalid image path', () => {
+  test('should return 403 for invalid image path', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${validToken}`;
     req.originalUrl = '/images/65cfb246f7ecadb8b1e8036c/example.jpg'; // Different ObjectId
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(403);
     expect(res.send).toHaveBeenCalledWith('Access Denied');
   });
 
-  test('should return 403 for invalid ObjectId format', () => {
+  test('should return 403 for invalid ObjectId format', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${validToken}`;
     req.originalUrl = '/images/123/example.jpg'; // Invalid ObjectId
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(res.status).toHaveBeenCalledWith(403);
     expect(res.send).toHaveBeenCalledWith('Access Denied');
   });
 
   // File traversal tests
-  test('should prevent file traversal attempts', () => {
+  test('should prevent file traversal attempts', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
@@ -103,23 +115,23 @@ describe('validateImageRequest middleware', () => {
       `/images/${validObjectId}/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd`,
     ];
 
-    traversalAttempts.forEach((attempt) => {
+    for (const attempt of traversalAttempts) {
       req.originalUrl = attempt;
-      validateImageRequest(req, res, next);
+      await validateImageRequest(req, res, next);
       expect(res.status).toHaveBeenCalledWith(403);
       expect(res.send).toHaveBeenCalledWith('Access Denied');
       jest.clearAllMocks();
-    });
+    }
   });
 
-  test('should handle URL encoded characters in valid paths', () => {
+  test('should handle URL encoded characters in valid paths', async () => {
     const validToken = jwt.sign(
       { id: validObjectId, exp: Math.floor(Date.now() / 1000) + 3600 },
       process.env.JWT_REFRESH_SECRET,
     );
     req.headers.cookie = `refreshToken=${validToken}`;
     req.originalUrl = `/images/${validObjectId}/image%20with%20spaces.jpg`;
-    validateImageRequest(req, res, next);
+    await validateImageRequest(req, res, next);
     expect(next).toHaveBeenCalled();
   });
 });

api/server/middleware/validateImageRequest.js

@@ -1,6 +1,7 @@
 const cookies = require('cookie');
 const jwt = require('jsonwebtoken');
-const { logger } = require('~/config');
+const { logger } = require('@librechat/data-schemas');
+const { getAppConfig } = require('~/server/services/Config/app');
 
 const OBJECT_ID_LENGTH = 24;
 const OBJECT_ID_PATTERN = /^[0-9a-f]{24}$/i;
@@ -24,8 +25,9 @@ function isValidObjectId(id) {
  * Middleware to validate image request.
  * Must be set by `secureImageLinks` via custom config file.
  */
-function validateImageRequest(req, res, next) {
-  if (!req.app.locals.secureImageLinks) {
+async function validateImageRequest(req, res, next) {
+  const appConfig = await getAppConfig({ role: req.user?.role });
+  if (!appConfig.secureImageLinks) {
     return next();
   }
 

api/server/middleware/validateModel.js

@@ -33,7 +33,7 @@ const validateModel = async (req, res, next) => {
     return next();
   }
 
-  const { ILLEGAL_MODEL_REQ_SCORE: score = 5 } = process.env ?? {};
+  const { ILLEGAL_MODEL_REQ_SCORE: score = 1 } = process.env ?? {};
 
   const type = ViolationTypes.ILLEGAL_MODEL_REQUEST;
   const errorMessage = {

api/server/routes/__tests__/mcp.spec.js

@@ -1,7 +1,7 @@
-const express = require('express');
+const { MongoMemoryServer } = require('mongodb-memory-server');
 const request = require('supertest');
 const mongoose = require('mongoose');
-const { MongoMemoryServer } = require('mongodb-memory-server');
+const express = require('express');
 
 jest.mock('@librechat/api', () => ({
   MCPOAuthHandler: {
@@ -494,12 +494,9 @@ describe('MCP Routes', () => {
     });
 
     it('should return 500 when token retrieval throws an unexpected error', async () => {
-      const mockFlowManager = {
-        getFlowState: jest.fn().mockRejectedValue(new Error('Database connection failed')),
-      };
-
-      getLogStores.mockReturnValue({});
-      require('~/config').getFlowStateManager.mockReturnValue(mockFlowManager);
+      getLogStores.mockImplementation(() => {
+        throw new Error('Database connection failed');
+      });
 
       const response = await request(app).get('/api/mcp/oauth/tokens/test-user-id:error-flow');
 
@@ -563,8 +560,8 @@ describe('MCP Routes', () => {
   });
 
   describe('POST /oauth/cancel/:serverName', () => {
-    const { getLogStores } = require('~/cache');
     const { MCPOAuthHandler } = require('@librechat/api');
+    const { getLogStores } = require('~/cache');
 
     it('should cancel OAuth flow successfully', async () => {
       const mockFlowManager = {
@@ -644,15 +641,15 @@ describe('MCP Routes', () => {
   });
 
   describe('POST /:serverName/reinitialize', () => {
-    const { loadCustomConfig } = require('~/server/services/Config');
-    const { getUserPluginAuthValue } = require('~/server/services/PluginService');
-
     it('should return 404 when server is not found in configuration', async () => {
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'other-server': {},
-        },
-      });
+      const mockMcpManager = {
+        getRawConfig: jest.fn().mockReturnValue(null),
+        disconnectUserConnection: jest.fn().mockResolvedValue(),
+      };
+
+      require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
+      require('~/config').getFlowStateManager.mockReturnValue({});
+      require('~/cache').getLogStores.mockReturnValue({});
 
       const response = await request(app).post('/api/mcp/non-existent-server/reinitialize');
 
@@ -663,16 +660,11 @@ describe('MCP Routes', () => {
     });
 
     it('should handle OAuth requirement during reinitialize', async () => {
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'oauth-server': {
-            customUserVars: {},
-          },
-        },
-      });
-
       const mockMcpManager = {
-        disconnectServer: jest.fn().mockResolvedValue(),
+        getRawConfig: jest.fn().mockReturnValue({
+          customUserVars: {},
+        }),
+        disconnectUserConnection: jest.fn().mockResolvedValue(),
         mcpConfigs: {},
         getUserConnection: jest.fn().mockImplementation(async ({ oauthStart }) => {
           if (oauthStart) {
@@ -690,7 +682,7 @@ describe('MCP Routes', () => {
 
       expect(response.status).toBe(200);
       expect(response.body).toEqual({
-        success: 'https://oauth.example.com/auth',
+        success: true,
         message: "MCP server 'oauth-server' ready for OAuth authentication",
         serverName: 'oauth-server',
         oauthRequired: true,
@@ -699,14 +691,9 @@ describe('MCP Routes', () => {
     });
 
     it('should return 500 when reinitialize fails with non-OAuth error', async () => {
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'error-server': {},
-        },
-      });
-
       const mockMcpManager = {
-        disconnectServer: jest.fn().mockResolvedValue(),
+        getRawConfig: jest.fn().mockReturnValue({}),
+        disconnectUserConnection: jest.fn().mockResolvedValue(),
         mcpConfigs: {},
         getUserConnection: jest.fn().mockRejectedValue(new Error('Connection failed')),
       };
@@ -724,7 +711,13 @@ describe('MCP Routes', () => {
     });
 
     it('should return 500 when unexpected error occurs', async () => {
-      loadCustomConfig.mockRejectedValue(new Error('Config loading failed'));
+      const mockMcpManager = {
+        getRawConfig: jest.fn().mockImplementation(() => {
+          throw new Error('Config loading failed');
+        }),
+      };
+
+      require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
 
       const response = await request(app).post('/api/mcp/test-server/reinitialize');
 
@@ -747,29 +740,17 @@ describe('MCP Routes', () => {
       expect(response.body).toEqual({ error: 'User not authenticated' });
     });
 
-    it('should handle errors when fetching custom user variables', async () => {
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'test-server': {
-            customUserVars: {
-              API_KEY: 'test-key-var',
-              SECRET_TOKEN: 'test-secret-var',
-            },
-          },
-        },
-      });
-
-      getUserPluginAuthValue
-        .mockResolvedValueOnce('test-api-key-value')
-        .mockRejectedValueOnce(new Error('Database error'));
-
+    it('should successfully reinitialize server and cache tools', async () => {
       const mockUserConnection = {
-        fetchTools: jest.fn().mockResolvedValue([]),
+        fetchTools: jest.fn().mockResolvedValue([
+          { name: 'tool1', description: 'Test tool 1', inputSchema: { type: 'object' } },
+          { name: 'tool2', description: 'Test tool 2', inputSchema: { type: 'object' } },
+        ]),
       };
 
       const mockMcpManager = {
-        disconnectServer: jest.fn().mockResolvedValue(),
-        mcpConfigs: {},
+        getRawConfig: jest.fn().mockReturnValue({ endpoint: 'http://test-server.com' }),
+        disconnectUserConnection: jest.fn().mockResolvedValue(),
         getUserConnection: jest.fn().mockResolvedValue(mockUserConnection),
       };
 
@@ -784,38 +765,54 @@ describe('MCP Routes', () => {
       const response = await request(app).post('/api/mcp/test-server/reinitialize');
 
       expect(response.status).toBe(200);
-      expect(response.body.success).toBe(true);
+      expect(response.body).toEqual({
+        success: true,
+        message: "MCP server 'test-server' reinitialized successfully",
+        serverName: 'test-server',
+        oauthRequired: false,
+        oauthUrl: null,
+      });
+      expect(mockMcpManager.disconnectUserConnection).toHaveBeenCalledWith(
+        'test-user-id',
+        'test-server',
+      );
+      expect(setCachedTools).toHaveBeenCalled();
     });
 
-    it('should return failure message when reinitialize completely fails', async () => {
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'test-server': {},
-        },
-      });
+    it('should handle server with custom user variables', async () => {
+      const mockUserConnection = {
+        fetchTools: jest.fn().mockResolvedValue([]),
+      };
 
       const mockMcpManager = {
-        disconnectServer: jest.fn().mockResolvedValue(),
-        mcpConfigs: {},
-        getUserConnection: jest.fn().mockResolvedValue(null),
+        getRawConfig: jest.fn().mockReturnValue({
+          endpoint: 'http://test-server.com',
+          customUserVars: {
+            API_KEY: 'some-env-var',
+          },
+        }),
+        disconnectUserConnection: jest.fn().mockResolvedValue(),
+        getUserConnection: jest.fn().mockResolvedValue(mockUserConnection),
       };
 
       require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
       require('~/config').getFlowStateManager.mockReturnValue({});
       require('~/cache').getLogStores.mockReturnValue({});
+      require('~/server/services/PluginService').getUserPluginAuthValue.mockResolvedValue(
+        'api-key-value',
+      );
 
       const { getCachedTools, setCachedTools } = require('~/server/services/Config');
-      const { Constants } = require('librechat-data-provider');
-      getCachedTools.mockResolvedValue({
-        [`existing-tool${Constants.mcp_delimiter}test-server`]: { type: 'function' },
-      });
+      getCachedTools.mockResolvedValue({});
       setCachedTools.mockResolvedValue();
 
       const response = await request(app).post('/api/mcp/test-server/reinitialize');
 
       expect(response.status).toBe(200);
-      expect(response.body.success).toBe(false);
-      expect(response.body.message).toBe("Failed to reinitialize MCP server 'test-server'");
+      expect(response.body.success).toBe(true);
+      expect(
+        require('~/server/services/PluginService').getUserPluginAuthValue,
+      ).toHaveBeenCalledWith('test-user-id', 'API_KEY', false);
     });
   });
 
@@ -984,21 +981,19 @@ describe('MCP Routes', () => {
   });
 
   describe('GET /:serverName/auth-values', () => {
-    const { loadCustomConfig } = require('~/server/services/Config');
     const { getUserPluginAuthValue } = require('~/server/services/PluginService');
 
     it('should return auth value flags for server', async () => {
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'test-server': {
-            customUserVars: {
-              API_KEY: 'some-env-var',
-              SECRET_TOKEN: 'another-env-var',
-            },
+      const mockMcpManager = {
+        getRawConfig: jest.fn().mockReturnValue({
+          customUserVars: {
+            API_KEY: 'some-env-var',
+            SECRET_TOKEN: 'another-env-var',
           },
-        },
-      });
+        }),
+      };
 
+      require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
       getUserPluginAuthValue.mockResolvedValueOnce('some-api-key-value').mockResolvedValueOnce('');
 
       const response = await request(app).get('/api/mcp/test-server/auth-values');
@@ -1017,11 +1012,11 @@ describe('MCP Routes', () => {
     });
 
     it('should return 404 when server is not found in configuration', async () => {
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'other-server': {},
-        },
-      });
+      const mockMcpManager = {
+        getRawConfig: jest.fn().mockReturnValue(null),
+      };
+
+      require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
 
       const response = await request(app).get('/api/mcp/non-existent-server/auth-values');
 
@@ -1032,16 +1027,15 @@ describe('MCP Routes', () => {
     });
 
     it('should handle errors when checking auth values', async () => {
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'test-server': {
-            customUserVars: {
-              API_KEY: 'some-env-var',
-            },
+      const mockMcpManager = {
+        getRawConfig: jest.fn().mockReturnValue({
+          customUserVars: {
+            API_KEY: 'some-env-var',
           },
-        },
-      });
+        }),
+      };
 
+      require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
       getUserPluginAuthValue.mockRejectedValue(new Error('Database error'));
 
       const response = await request(app).get('/api/mcp/test-server/auth-values');
@@ -1057,7 +1051,13 @@ describe('MCP Routes', () => {
     });
 
     it('should return 500 when auth values check throws unexpected error', async () => {
-      loadCustomConfig.mockRejectedValue(new Error('Config loading failed'));
+      const mockMcpManager = {
+        getRawConfig: jest.fn().mockImplementation(() => {
+          throw new Error('Config loading failed');
+        }),
+      };
+
+      require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
 
       const response = await request(app).get('/api/mcp/test-server/auth-values');
 
@@ -1066,14 +1066,13 @@ describe('MCP Routes', () => {
     });
 
     it('should handle customUserVars that is not an object', async () => {
-      const { loadCustomConfig } = require('~/server/services/Config');
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'test-server': {
-            customUserVars: 'not-an-object',
-          },
-        },
-      });
+      const mockMcpManager = {
+        getRawConfig: jest.fn().mockReturnValue({
+          customUserVars: 'not-an-object',
+        }),
+      };
+
+      require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
 
       const response = await request(app).get('/api/mcp/test-server/auth-values');
 
@@ -1097,98 +1096,6 @@ describe('MCP Routes', () => {
     });
   });
 
-  describe('POST /:serverName/reinitialize - Tool Deletion Coverage', () => {
-    it('should handle null cached tools during reinitialize (triggers || {} fallback)', async () => {
-      const { loadCustomConfig, getCachedTools } = require('~/server/services/Config');
-
-      const mockUserConnection = {
-        fetchTools: jest.fn().mockResolvedValue([{ name: 'new-tool', description: 'A new tool' }]),
-      };
-
-      const mockMcpManager = {
-        getUserConnection: jest.fn().mockResolvedValue(mockUserConnection),
-        disconnectServer: jest.fn(),
-        initializeServer: jest.fn(),
-        mcpConfigs: {},
-      };
-      require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
-
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'test-server': { env: { API_KEY: 'test-key' } },
-        },
-      });
-
-      getCachedTools.mockResolvedValue(null);
-
-      const response = await request(app).post('/api/mcp/test-server/reinitialize').expect(200);
-
-      expect(response.body).toEqual({
-        message: "MCP server 'test-server' reinitialized successfully",
-        success: true,
-        oauthRequired: false,
-        oauthUrl: null,
-        serverName: 'test-server',
-      });
-    });
-
-    it('should delete existing cached tools during successful reinitialize', async () => {
-      const {
-        loadCustomConfig,
-        getCachedTools,
-        setCachedTools,
-      } = require('~/server/services/Config');
-
-      const mockUserConnection = {
-        fetchTools: jest.fn().mockResolvedValue([{ name: 'new-tool', description: 'A new tool' }]),
-      };
-
-      const mockMcpManager = {
-        getUserConnection: jest.fn().mockResolvedValue(mockUserConnection),
-        disconnectServer: jest.fn(),
-        initializeServer: jest.fn(),
-        mcpConfigs: {},
-      };
-      require('~/config').getMCPManager.mockReturnValue(mockMcpManager);
-
-      loadCustomConfig.mockResolvedValue({
-        mcpServers: {
-          'test-server': { env: { API_KEY: 'test-key' } },
-        },
-      });
-
-      const existingTools = {
-        'old-tool_mcp_test-server': { type: 'function' },
-        'other-tool_mcp_other-server': { type: 'function' },
-      };
-      getCachedTools.mockResolvedValue(existingTools);
-
-      const response = await request(app).post('/api/mcp/test-server/reinitialize').expect(200);
-
-      expect(response.body).toEqual({
-        message: "MCP server 'test-server' reinitialized successfully",
-        success: true,
-        oauthRequired: false,
-        oauthUrl: null,
-        serverName: 'test-server',
-      });
-
-      expect(setCachedTools).toHaveBeenCalledWith(
-        expect.objectContaining({
-          'new-tool_mcp_test-server': expect.any(Object),
-          'other-tool_mcp_other-server': { type: 'function' },
-        }),
-        { userId: 'test-user-id' },
-      );
-      expect(setCachedTools).toHaveBeenCalledWith(
-        expect.not.objectContaining({
-          'old-tool_mcp_test-server': expect.anything(),
-        }),
-        { userId: 'test-user-id' },
-      );
-    });
-  });
-
   describe('GET /:serverName/oauth/callback - Edge Cases', () => {
     it('should handle OAuth callback without toolFlowId (falsy toolFlowId)', async () => {
       const { MCPOAuthHandler } = require('@librechat/api');

api/server/routes/accessPermissions.js

@@ -0,0 +1,85 @@
+const express = require('express');
+const { ResourceType, PermissionBits } = require('librechat-data-provider');
+const {
+  getUserEffectivePermissions,
+  updateResourcePermissions,
+  getResourcePermissions,
+  getResourceRoles,
+  searchPrincipals,
+} = require('~/server/controllers/PermissionsController');
+const { requireJwtAuth, checkBan, uaParser, canAccessResource } = require('~/server/middleware');
+const { checkPeoplePickerAccess } = require('~/server/middleware/checkPeoplePickerAccess');
+
+const router = express.Router();
+
+// Apply common middleware
+router.use(requireJwtAuth);
+router.use(checkBan);
+router.use(uaParser);
+
+/**
+ * Generic routes for resource permissions
+ * Pattern: /api/permissions/{resourceType}/{resourceId}
+ */
+
+/**
+ * GET /api/permissions/search-principals
+ * Search for users and groups to grant permissions
+ */
+router.get('/search-principals', checkPeoplePickerAccess, searchPrincipals);
+
+/**
+ * GET /api/permissions/{resourceType}/roles
+ * Get available roles for a resource type
+ */
+router.get('/:resourceType/roles', getResourceRoles);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}
+ * Get all permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId', getResourcePermissions);
+
+/**
+ * PUT /api/permissions/{resourceType}/{resourceId}
+ * Bulk update permissions for a specific resource
+ */
+router.put(
+  '/:resourceType/:resourceId',
+  // Use middleware that dynamically handles resource type and permissions
+  (req, res, next) => {
+    const { resourceType } = req.params;
+    let middleware;
+
+    if (resourceType === ResourceType.AGENT) {
+      middleware = canAccessResource({
+        resourceType: ResourceType.AGENT,
+        requiredPermission: PermissionBits.SHARE,
+        resourceIdParam: 'resourceId',
+      });
+    } else if (resourceType === ResourceType.PROMPTGROUP) {
+      middleware = canAccessResource({
+        resourceType: ResourceType.PROMPTGROUP,
+        requiredPermission: PermissionBits.SHARE,
+        resourceIdParam: 'resourceId',
+      });
+    } else {
+      return res.status(400).json({
+        error: 'Bad Request',
+        message: `Unsupported resource type: ${resourceType}`,
+      });
+    }
+
+    // Execute the middleware
+    middleware(req, res, next);
+  },
+  updateResourcePermissions,
+);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}/effective
+ * Get user's effective permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId/effective', getUserEffectivePermissions);
+
+module.exports = router;

api/server/routes/agents/actions.js

@@ -3,16 +3,20 @@ const { nanoid } = require('nanoid');
 const { logger } = require('@librechat/data-schemas');
 const { generateCheckAccess } = require('@librechat/api');
 const {
-  SystemRoles,
   Permissions,
+  ResourceType,
   PermissionTypes,
   actionDelimiter,
+  PermissionBits,
   removeNullishValues,
 } = require('librechat-data-provider');
 const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
+const { findAccessibleResources } = require('~/server/services/PermissionService');
+const { getAgent, updateAgent, getListAgentsByAccess } = require('~/models/Agent');
 const { updateAction, getActions, deleteAction } = require('~/models/Action');
 const { isActionDomainAllowed } = require('~/server/services/domains');
-const { getAgent, updateAgent } = require('~/models/Agent');
+const { canAccessAgentResource } = require('~/server/middleware');
+const { getAppConfig } = require('~/server/services/Config/app');
 const { getRoleByName } = require('~/models/Role');
 
 const router = express.Router();
@@ -23,12 +27,6 @@ const checkAgentCreate = generateCheckAccess({
   getRoleByName,
 });
 
-// If the user has ADMIN role
-// then action edition is possible even if not owner of the assistant
-const isAdmin = (req) => {
-  return req.user.role === SystemRoles.ADMIN;
-};
-
 /**
  * Retrieves all user's actions
  * @route GET /actions/
@@ -37,10 +35,23 @@ const isAdmin = (req) => {
  */
 router.get('/', async (req, res) => {
   try {
-    const admin = isAdmin(req);
-    // If admin, get all actions, otherwise only user's actions
-    const searchParams = admin ? {} : { user: req.user.id };
-    res.json(await getActions(searchParams));
+    const userId = req.user.id;
+    const editableAgentObjectIds = await findAccessibleResources({
+      userId,
+      role: req.user.role,
+      resourceType: ResourceType.AGENT,
+      requiredPermissions: PermissionBits.EDIT,
+    });
+
+    const agentsResponse = await getListAgentsByAccess({
+      accessibleIds: editableAgentObjectIds,
+    });
+
+    const editableAgentIds = agentsResponse.data.map((agent) => agent.id);
+    const actions =
+      editableAgentIds.length > 0 ? await getActions({ agent_id: { $in: editableAgentIds } }) : [];
+
+    res.json(actions);
   } catch (error) {
     res.status(500).json({ error: error.message });
   }
@@ -55,106 +66,115 @@ router.get('/', async (req, res) => {
  * @param {ActionMetadata} req.body.metadata - Metadata for the action.
  * @returns {Object} 200 - success response - application/json
  */
-router.post('/:agent_id', checkAgentCreate, async (req, res) => {
-  try {
-    const { agent_id } = req.params;
+router.post(
+  '/:agent_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  checkAgentCreate,
+  async (req, res) => {
+    try {
+      const { agent_id } = req.params;
 
-    /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
-    const { functions, action_id: _action_id, metadata: _metadata } = req.body;
-    if (!functions.length) {
-      return res.status(400).json({ message: 'No functions provided' });
-    }
-
-    let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
-    const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
-    if (!isDomainAllowed) {
-      return res.status(400).json({ message: 'Domain not allowed' });
-    }
-
-    let { domain } = metadata;
-    domain = await domainParser(domain, true);
-
-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
-    }
-
-    const action_id = _action_id ?? nanoid();
-    const initialPromises = [];
-    const admin = isAdmin(req);
-
-    // If admin, can edit any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    // TODO: share agents
-    initialPromises.push(getAgent(agentQuery));
-    if (_action_id) {
-      initialPromises.push(getActions({ action_id }, true));
-    }
-
-    /** @type {[Agent, [Action|undefined]]} */
-    const [agent, actions_result] = await Promise.all(initialPromises);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for adding action' });
-    }
-
-    if (actions_result && actions_result.length) {
-      const action = actions_result[0];
-      metadata = { ...action.metadata, ...metadata };
-    }
-
-    const { actions: _actions = [], author: agent_author } = agent ?? {};
-    const actions = [];
-    for (const action of _actions) {
-      const [_action_domain, current_action_id] = action.split(actionDelimiter);
-      if (current_action_id === action_id) {
-        continue;
+      /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
+      const { functions, action_id: _action_id, metadata: _metadata } = req.body;
+      if (!functions.length) {
+        return res.status(400).json({ message: 'No functions provided' });
       }
 
-      actions.push(action);
-    }
-
-    actions.push(`${domain}${actionDelimiter}${action_id}`);
-
-    /** @type {string[]}} */
-    const { tools: _tools = [] } = agent;
-
-    const tools = _tools
-      .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
-      .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
-
-    // Force version update since actions are changing
-    const updatedAgent = await updateAgent(
-      agentQuery,
-      { tools, actions },
-      {
-        updatingUserId: req.user.id,
-        forceVersion: true,
-      },
-    );
-
-    // Only update user field for new actions
-    const actionUpdateData = { metadata, agent_id };
-    if (!actions_result || !actions_result.length) {
-      // For new actions, use the agent owner's user ID
-      actionUpdateData.user = agent_author || req.user.id;
-    }
-
-    /** @type {[Action]} */
-    const updatedAction = await updateAction({ action_id }, actionUpdateData);
-
-    const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
-    for (let field of sensitiveFields) {
-      if (updatedAction.metadata[field]) {
-        delete updatedAction.metadata[field];
+      let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
+      const appConfig = await getAppConfig({ role: req.user.role });
+      const isDomainAllowed = await isActionDomainAllowed(
+        metadata.domain,
+        appConfig?.actions?.allowedDomains,
+      );
+      if (!isDomainAllowed) {
+        return res.status(400).json({ message: 'Domain not allowed' });
       }
-    }
 
-    res.json([updatedAgent, updatedAction]);
-  } catch (error) {
-    const message = 'Trouble updating the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+      let { domain } = metadata;
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const action_id = _action_id ?? nanoid();
+      const initialPromises = [];
+
+      // Permissions already validated by middleware - load agent directly
+      initialPromises.push(getAgent({ id: agent_id }));
+      if (_action_id) {
+        initialPromises.push(getActions({ action_id }, true));
+      }
+
+      /** @type {[Agent, [Action|undefined]]} */
+      const [agent, actions_result] = await Promise.all(initialPromises);
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for adding action' });
+      }
+
+      if (actions_result && actions_result.length) {
+        const action = actions_result[0];
+        metadata = { ...action.metadata, ...metadata };
+      }
+
+      const { actions: _actions = [], author: agent_author } = agent ?? {};
+      const actions = [];
+      for (const action of _actions) {
+        const [_action_domain, current_action_id] = action.split(actionDelimiter);
+        if (current_action_id === action_id) {
+          continue;
+        }
+
+        actions.push(action);
+      }
+
+      actions.push(`${domain}${actionDelimiter}${action_id}`);
+
+      /** @type {string[]}} */
+      const { tools: _tools = [] } = agent;
+
+      const tools = _tools
+        .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
+        .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
+
+      // Force version update since actions are changing
+      const updatedAgent = await updateAgent(
+        { id: agent_id },
+        { tools, actions },
+        {
+          updatingUserId: req.user.id,
+          forceVersion: true,
+        },
+      );
+
+      // Only update user field for new actions
+      const actionUpdateData = { metadata, agent_id };
+      if (!actions_result || !actions_result.length) {
+        // For new actions, use the agent owner's user ID
+        actionUpdateData.user = agent_author || req.user.id;
+      }
+
+      /** @type {[Action]} */
+      const updatedAction = await updateAction({ action_id }, actionUpdateData);
+
+      const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
+      for (let field of sensitiveFields) {
+        if (updatedAction.metadata[field]) {
+          delete updatedAction.metadata[field];
+        }
+      }
+
+      res.json([updatedAgent, updatedAction]);
+    } catch (error) {
+      const message = 'Trouble updating the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
+    }
+  },
+);
 
 /**
  * Deletes an action for a specific agent.
@@ -163,52 +183,56 @@ router.post('/:agent_id', checkAgentCreate, async (req, res) => {
  * @param {string} req.params.action_id - The ID of the action to delete.
  * @returns {Object} 200 - success response - application/json
  */
-router.delete('/:agent_id/:action_id', checkAgentCreate, async (req, res) => {
-  try {
-    const { agent_id, action_id } = req.params;
-    const admin = isAdmin(req);
+router.delete(
+  '/:agent_id/:action_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  checkAgentCreate,
+  async (req, res) => {
+    try {
+      const { agent_id, action_id } = req.params;
 
-    // If admin, can delete any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    const agent = await getAgent(agentQuery);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for deleting action' });
-    }
-
-    const { tools = [], actions = [] } = agent;
-
-    let domain = '';
-    const updatedActions = actions.filter((action) => {
-      if (action.includes(action_id)) {
-        [domain] = action.split(actionDelimiter);
-        return false;
+      // Permissions already validated by middleware - load agent directly
+      const agent = await getAgent({ id: agent_id });
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for deleting action' });
       }
-      return true;
-    });
 
-    domain = await domainParser(domain, true);
+      const { tools = [], actions = [] } = agent;
 
-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
+      let domain = '';
+      const updatedActions = actions.filter((action) => {
+        if (action.includes(action_id)) {
+          [domain] = action.split(actionDelimiter);
+          return false;
+        }
+        return true;
+      });
+
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
+
+      // Force version update since actions are being removed
+      await updateAgent(
+        { id: agent_id },
+        { tools: updatedTools, actions: updatedActions },
+        { updatingUserId: req.user.id, forceVersion: true },
+      );
+      await deleteAction({ action_id });
+      res.status(200).json({ message: 'Action deleted successfully' });
+    } catch (error) {
+      const message = 'Trouble deleting the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
     }
-
-    const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
-
-    // Force version update since actions are being removed
-    await updateAgent(
-      agentQuery,
-      { tools: updatedTools, actions: updatedActions },
-      { updatingUserId: req.user.id, forceVersion: true },
-    );
-    // If admin, can delete any action, otherwise only user's actions
-    const actionQuery = admin ? { action_id } : { action_id, user: req.user.id };
-    await deleteAction(actionQuery);
-    res.status(200).json({ message: 'Action deleted successfully' });
-  } catch (error) {
-    const message = 'Trouble deleting the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+  },
+);
 
 module.exports = router;

api/server/routes/agents/chat.js

@@ -1,12 +1,13 @@
 const express = require('express');
 const { generateCheckAccess, skipAgentCheck } = require('@librechat/api');
-const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { PermissionTypes, Permissions, PermissionBits } = require('librechat-data-provider');
 const {
   setHeaders,
   moderateText,
   // validateModel,
   validateConvoAccess,
   buildEndpointOption,
+  canAccessAgentFromBody,
 } = require('~/server/middleware');
 const { initializeClient } = require('~/server/services/Endpoints/agents');
 const AgentController = require('~/server/controllers/agents/request');
@@ -23,8 +24,12 @@ const checkAgentAccess = generateCheckAccess({
   skipCheck: skipAgentCheck,
   getRoleByName,
 });
+const checkAgentResourceAccess = canAccessAgentFromBody({
+  requiredPermission: PermissionBits.VIEW,
+});
 
 router.use(checkAgentAccess);
+router.use(checkAgentResourceAccess);
 router.use(validateConvoAccess);
 router.use(buildEndpointOption);
 router.use(setHeaders);