chore: Remove unused permission-related UI localization keys

- Added `useInfiniteScroll` hook to manage infinite scrolling behavior in agent grids.
- Integrated infinite scroll functionality into `AgentGrid` and `VirtualizedAgentGrid` components.
- Updated `AgentMarketplace` to pass the scroll container to the agent grid components.
- Refactored loading indicators to show a spinner instead of a "Load More" button.
- Created `VirtualizedAgentGrid` component for optimized rendering of agent cards using virtualization.
- Added performance tests for `VirtualizedAgentGrid` to ensure efficient handling of large datasets.
- Updated translations to include new messages for end-of-results scenarios.

.env.example

@@ -15,6 +15,20 @@ HOST=localhost
 PORT=3080
 
 MONGO_URI=mongodb://127.0.0.1:27017/LibreChat
+#The maximum number of connections in the connection pool. */
+MONGO_MAX_POOL_SIZE=
+#The minimum number of connections in the connection pool. */
+MONGO_MIN_POOL_SIZE=
+#The maximum number of connections that may be in the process of being established concurrently by the connection pool. */
+MONGO_MAX_CONNECTING=
+#The maximum number of milliseconds that a connection can remain idle in the pool before being removed and closed. */
+MONGO_MAX_IDLE_TIME_MS=
+#The maximum time in milliseconds that a thread can wait for a connection to become available. */
+MONGO_WAIT_QUEUE_TIMEOUT_MS=
+# Set to false to disable automatic index creation for all models associated with this connection. */
+MONGO_AUTO_INDEX=
+# Set to `false` to disable Mongoose automatically calling `createCollection()` on every model created on this connection. */
+MONGO_AUTO_CREATE=
 
 DOMAIN_CLIENT=http://localhost:3080
 DOMAIN_SERVER=http://localhost:3080
@@ -442,6 +456,8 @@ OPENID_REQUIRED_ROLE_PARAMETER_PATH=
 OPENID_USERNAME_CLAIM=
 # Set to determine which user info property returned from OpenID Provider to store as the User's name
 OPENID_NAME_CLAIM=
+# Optional audience parameter for OpenID authorization requests
+OPENID_AUDIENCE=
 
 OPENID_BUTTON_LABEL=
 OPENID_IMAGE_URL=
@@ -463,6 +479,21 @@ OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE="user.read" # example for Scope Needed for
 # Set to true to use the OpenID Connect end session endpoint for logout
 OPENID_USE_END_SESSION_ENDPOINT=
 
+#========================#
+# SharePoint Integration #
+#========================#
+# Requires Entra ID (OpenID) authentication to be configured
+
+# Enable SharePoint file picker in chat and agent panels
+# ENABLE_SHAREPOINT_FILEPICKER=true
+
+# SharePoint tenant base URL (e.g., https://yourtenant.sharepoint.com)
+# SHAREPOINT_BASE_URL=https://yourtenant.sharepoint.com
+
+# Microsoft Graph API And SharePoint scopes for file picker
+# SHAREPOINT_PICKER_SHAREPOINT_SCOPE==https://yourtenant.sharepoint.com/AllSites.Read
+# SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All
+#========================#
 
 # SAML
 # Note: If OpenID is enabled, SAML authentication will be automatically disabled.
@@ -490,6 +521,21 @@ SAML_IMAGE_URL=
 # SAML_USE_AUTHN_RESPONSE_SIGNED=
 
 
+#===============================================#
+# Microsoft Graph API / Entra ID Integration  #
+#===============================================#
+
+# Enable Entra ID people search integration in permissions/sharing system
+# When enabled, the people picker will search both local database and Entra ID
+USE_ENTRA_ID_FOR_PEOPLE_SEARCH=false
+
+# When enabled, entra id groups owners will be considered as members of the group
+ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=false
+
+# Microsoft Graph API scopes needed for people/group search
+# Default scopes provide access to user profiles and group memberships
+OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All
+
 # LDAP
 LDAP_URL=
 LDAP_BIND_DN=
@@ -627,6 +673,15 @@ HELP_AND_FAQ_URL=https://librechat.ai
 # Redis connection limits
 # REDIS_MAX_LISTENERS=40
 
+# Redis ping interval in seconds (0 = disabled, >0 = enabled)
+# When set to a positive integer, Redis clients will ping the server at this interval to keep connections alive
+# When unset or 0, no pinging is performed (recommended for most use cases)
+# REDIS_PING_INTERVAL=300
+
+# Force specific cache namespaces to use in-memory storage even when Redis is enabled
+# Comma-separated list of CacheKeys (e.g., STATIC_CONFIG,ROLES,MESSAGES)
+# FORCED_IN_MEMORY_CACHE_NAMESPACES=STATIC_CONFIG,ROLES
+
 #==================================================#
 #                      Others                      #
 #==================================================#

.github/workflows/backend-review.yml

@@ -7,7 +7,7 @@ on:
       - release/*
     paths:
       - 'api/**'
-      - 'packages/api/**'
+      - 'packages/**'
 jobs:
   tests_Backend:
     name: Run Backend unit tests

.github/workflows/client.yml

@@ -0,0 +1,58 @@
+name: Publish `@librechat/client` to NPM
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'packages/client/package.json'
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Reason for manual trigger'
+        required: false
+        default: 'Manual publish requested'
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+        
+      - name: Install client dependencies
+        run: cd packages/client && npm ci
+        
+      - name: Build client
+        run: cd packages/client && npm run build
+        
+      - name: Set up npm authentication
+        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.PUBLISH_NPM_TOKEN }}" > ~/.npmrc
+        
+      - name: Check version change
+        id: check
+        working-directory: packages/client
+        run: |
+          PACKAGE_VERSION=$(node -p "require('./package.json').version")
+          PUBLISHED_VERSION=$(npm view @librechat/client version 2>/dev/null || echo "0.0.0")
+          if [ "$PACKAGE_VERSION" = "$PUBLISHED_VERSION" ]; then
+            echo "No version change, skipping publish"
+            echo "skip=true" >> $GITHUB_OUTPUT
+          else
+            echo "Version changed, proceeding with publish"
+            echo "skip=false" >> $GITHUB_OUTPUT
+          fi
+            
+      - name: Pack package
+        if: steps.check.outputs.skip != 'true'
+        working-directory: packages/client
+        run: npm pack
+        
+      - name: Publish
+        if: steps.check.outputs.skip != 'true'
+        working-directory: packages/client
+        run: npm publish *.tgz --access public

.github/workflows/data-schemas.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '18.x'
+          node-version: '20.x'
           
       - name: Install dependencies
         run: cd packages/data-schemas && npm ci

.github/workflows/frontend-review.yml

@@ -8,7 +8,7 @@ on:
       - release/*
     paths:
       - 'client/**'
-      - 'packages/**'
+      - 'packages/data-provider/**'
 
 jobs:
   tests_frontend_ubuntu:

.github/workflows/generate-release-changelog-pr.yml

@@ -1,95 +0,0 @@
-name: Generate Release Changelog PR
-
-on:
-  push:
-    tags:
-      - 'v*.*.*'
-  workflow_dispatch:
-
-jobs:
-  generate-release-changelog-pr:
-    permissions:
-      contents: write    # Needed for pushing commits and creating branches.
-      pull-requests: write
-    runs-on: ubuntu-latest
-    steps:
-      # 1. Checkout the repository (with full history).
-      - name: Checkout Repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      # 2. Generate the release changelog using our custom configuration.
-      - name: Generate Release Changelog
-        id: generate_release
-        uses: mikepenz/release-changelog-builder-action@v5.1.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          configuration: ".github/configuration-release.json"
-          owner: ${{ github.repository_owner }}
-          repo: ${{ github.event.repository.name }}
-          outputFile: CHANGELOG-release.md
-
-      # 3. Update the main CHANGELOG.md:
-      #    - If it doesn't exist, create it with a basic header.
-      #    - Remove the "Unreleased" section (if present).
-      #    - Prepend the new release changelog above previous releases.
-      #    - Remove all temporary files before committing.
-      - name: Update CHANGELOG.md
-        run: |
-          # Determine the release tag, e.g. "v1.2.3"
-          TAG=${GITHUB_REF##*/}
-          echo "Using release tag: $TAG"
-          
-          # Ensure CHANGELOG.md exists; if not, create a basic header.
-          if [ ! -f CHANGELOG.md ]; then
-            echo "# Changelog" > CHANGELOG.md
-            echo "" >> CHANGELOG.md
-            echo "All notable changes to this project will be documented in this file." >> CHANGELOG.md
-            echo "" >> CHANGELOG.md
-          fi
-
-          echo "Updating CHANGELOG.md…"
-          
-          # Remove the "Unreleased" section (from "## [Unreleased]" until the first occurrence of '---') if it exists.
-          if grep -q "^## \[Unreleased\]" CHANGELOG.md; then
-            awk '/^## \[Unreleased\]/{flag=1} flag && /^---/{flag=0; next} !flag' CHANGELOG.md > CHANGELOG.cleaned
-          else
-            cp CHANGELOG.md CHANGELOG.cleaned
-          fi
-
-          # Split the cleaned file into:
-          #   - header.md: content before the first release header ("## [v...").
-          #   - tail.md: content from the first release header onward.
-          awk '/^## \[v/{exit} {print}' CHANGELOG.cleaned > header.md
-          awk 'f{print} /^## \[v/{f=1; print}' CHANGELOG.cleaned > tail.md
-
-          # Combine header, the new release changelog, and the tail.
-          echo "Combining updated changelog parts..."
-          cat header.md CHANGELOG-release.md > CHANGELOG.md.new
-          echo "" >> CHANGELOG.md.new
-          cat tail.md >> CHANGELOG.md.new
-
-          mv CHANGELOG.md.new CHANGELOG.md
-
-          # Remove temporary files.
-          rm -f CHANGELOG.cleaned header.md tail.md CHANGELOG-release.md
-
-          echo "Final CHANGELOG.md content:"
-          cat CHANGELOG.md
-
-      # 4. Create (or update) the Pull Request with the updated CHANGELOG.md.
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          sign-commits: true
-          commit-message: "chore: update CHANGELOG for release ${{ github.ref_name }}"
-          base: main
-          branch: "changelog/${{ github.ref_name }}"
-          reviewers: danny-avila
-          title: "📜 docs: Changelog for release ${{ github.ref_name }}"
-          body: |
-            **Description**:
-            - This PR updates the CHANGELOG.md by removing the "Unreleased" section and adding new release notes for release ${{ github.ref_name }} above previous releases.

.github/workflows/generate-unreleased-changelog-pr.yml

@@ -1,107 +0,0 @@
-name: Generate Unreleased Changelog PR
-
-on:
-  schedule:
-    - cron: "0 0 * * 1"  # Runs every Monday at 00:00 UTC
-  workflow_dispatch:
-
-jobs:
-  generate-unreleased-changelog-pr:
-    permissions:
-      contents: write    # Needed for pushing commits and creating branches.
-      pull-requests: write
-    runs-on: ubuntu-latest
-    steps:
-      # 1. Checkout the repository on main.
-      - name: Checkout Repository on Main
-        uses: actions/checkout@v4
-        with:
-          ref: main
-          fetch-depth: 0
-
-      # 4. Get the latest version tag.
-      - name: Get Latest Tag
-        id: get_latest_tag
-        run: |
-          LATEST_TAG=$(git describe --tags $(git rev-list --tags --max-count=1) || echo "none")
-          echo "Latest tag: $LATEST_TAG"
-          echo "tag=$LATEST_TAG" >> $GITHUB_OUTPUT
-
-      # 5. Generate the Unreleased changelog.
-      - name: Generate Unreleased Changelog
-        id: generate_unreleased
-        uses: mikepenz/release-changelog-builder-action@v5.1.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          configuration: ".github/configuration-unreleased.json"
-          owner: ${{ github.repository_owner }}
-          repo: ${{ github.event.repository.name }}
-          outputFile: CHANGELOG-unreleased.md
-          fromTag: ${{ steps.get_latest_tag.outputs.tag }}
-          toTag: main
-
-      # 7. Update CHANGELOG.md with the new Unreleased section.
-      - name: Update CHANGELOG.md
-        id: update_changelog
-        run: |
-          # Create CHANGELOG.md if it doesn't exist.
-          if [ ! -f CHANGELOG.md ]; then
-            echo "# Changelog" > CHANGELOG.md
-            echo "" >> CHANGELOG.md
-            echo "All notable changes to this project will be documented in this file." >> CHANGELOG.md
-            echo "" >> CHANGELOG.md
-          fi
-          
-          echo "Updating CHANGELOG.md…"
-          
-          # Extract content before the "## [Unreleased]" (or first version header if missing).
-          if grep -q "^## \[Unreleased\]" CHANGELOG.md; then
-            awk '/^## \[Unreleased\]/{exit} {print}' CHANGELOG.md > CHANGELOG_TMP.md
-          else
-            awk '/^## \[v/{exit} {print}' CHANGELOG.md > CHANGELOG_TMP.md
-          fi
-          
-          # Append the generated Unreleased changelog.
-          echo "" >> CHANGELOG_TMP.md
-          cat CHANGELOG-unreleased.md >> CHANGELOG_TMP.md
-          echo "" >> CHANGELOG_TMP.md
-          
-          # Append the remainder of the original changelog (starting from the first version header).
-          awk 'f{print} /^## \[v/{f=1; print}' CHANGELOG.md >> CHANGELOG_TMP.md
-          
-          # Replace the old file with the updated file.
-          mv CHANGELOG_TMP.md CHANGELOG.md
-          
-          # Remove the temporary generated file.
-          rm -f CHANGELOG-unreleased.md
-          
-          echo "Final CHANGELOG.md:"
-          cat CHANGELOG.md
-
-      # 8. Check if CHANGELOG.md has any updates.
-      - name: Check for CHANGELOG.md changes
-        id: changelog_changes
-        run: |
-          if git diff --quiet CHANGELOG.md; then
-            echo "has_changes=false" >> $GITHUB_OUTPUT
-          else
-            echo "has_changes=true" >> $GITHUB_OUTPUT
-          fi
-
-      # 9. Create (or update) the Pull Request only if there are changes.
-      - name: Create Pull Request
-        if: steps.changelog_changes.outputs.has_changes == 'true'
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          base: main
-          branch: "changelog/unreleased-update"
-          sign-commits: true
-          commit-message: "action: update Unreleased changelog"
-          title: "📜 docs: Unreleased Changelog"
-          body: |
-            **Description**:
-            - This PR updates the Unreleased section in CHANGELOG.md.
-            - It compares the current main branch with the latest version tag (determined as ${{ steps.get_latest_tag.outputs.tag }}),
-              regenerates the Unreleased changelog, removes any old Unreleased block, and inserts the new content.

.github/workflows/i18n-unused-keys.yml

@@ -6,6 +6,7 @@ on:
       - "client/src/**"
       - "api/**"
       - "packages/data-provider/src/**"
+      - "packages/client/**"
 
 jobs:
   detect-unused-i18n-keys:
@@ -23,7 +24,7 @@ jobs:
 
           # Define paths
           I18N_FILE="client/src/locales/en/translation.json"
-          SOURCE_DIRS=("client/src" "api" "packages/data-provider/src")
+          SOURCE_DIRS=("client/src" "api" "packages/data-provider/src" "packages/client")
 
           # Check if translation file exists
           if [[ ! -f "$I18N_FILE" ]]; then

.github/workflows/locize-i18n-sync.yml

@@ -48,7 +48,7 @@ jobs:
 
       # 2. Download translation files from locize.
       - name: Download Translations from locize
-        uses: locize/download@v1
+        uses: locize/download@v2
         with:
           project-id: ${{ secrets.LOCIZE_PROJECT_ID }}
           path: "client/src/locales"

.github/workflows/unused-packages.yml

@@ -7,6 +7,7 @@ on:
       - 'package-lock.json'
       - 'client/**'
       - 'api/**'
+      - 'packages/client/**'
 
 jobs:
   detect-unused-packages:
@@ -28,7 +29,7 @@ jobs:
 
       - name: Validate JSON files
         run: |
-          for FILE in package.json client/package.json api/package.json; do
+          for FILE in package.json client/package.json api/package.json packages/client/package.json; do
             if [[ -f "$FILE" ]]; then
               jq empty "$FILE" || (echo "::error title=Invalid JSON::$FILE is invalid" && exit 1)
             fi
@@ -63,12 +64,31 @@ jobs:
             local folder=$1
             local output_file=$2
             if [[ -d "$folder" ]]; then
-              grep -rEho "require\\(['\"]([a-zA-Z0-9@/._-]+)['\"]\\)" "$folder" --include=\*.{js,ts,mjs,cjs} | \
+              # Extract require() statements
+              grep -rEho "require\\(['\"]([a-zA-Z0-9@/._-]+)['\"]\\)" "$folder" --include=\*.{js,ts,tsx,jsx,mjs,cjs} | \
                 sed -E "s/require\\(['\"]([a-zA-Z0-9@/._-]+)['\"]\\)/\1/" > "$output_file"
           
-              grep -rEho "import .* from ['\"]([a-zA-Z0-9@/._-]+)['\"]" "$folder" --include=\*.{js,ts,mjs,cjs} | \
+              # Extract ES6 imports - various patterns
+              # import x from 'module'
+              grep -rEho "import .* from ['\"]([a-zA-Z0-9@/._-]+)['\"]" "$folder" --include=\*.{js,ts,tsx,jsx,mjs,cjs} | \
                 sed -E "s/import .* from ['\"]([a-zA-Z0-9@/._-]+)['\"]/\1/" >> "$output_file"
+              
+              # import 'module' (side-effect imports)
+              grep -rEho "import ['\"]([a-zA-Z0-9@/._-]+)['\"]" "$folder" --include=\*.{js,ts,tsx,jsx,mjs,cjs} | \
+                sed -E "s/import ['\"]([a-zA-Z0-9@/._-]+)['\"]/\1/" >> "$output_file"
+              
+              # export { x } from 'module' or export * from 'module'
+              grep -rEho "export .* from ['\"]([a-zA-Z0-9@/._-]+)['\"]" "$folder" --include=\*.{js,ts,tsx,jsx,mjs,cjs} | \
+                sed -E "s/export .* from ['\"]([a-zA-Z0-9@/._-]+)['\"]/\1/" >> "$output_file"
+              
+              # import type { x } from 'module' (TypeScript)
+              grep -rEho "import type .* from ['\"]([a-zA-Z0-9@/._-]+)['\"]" "$folder" --include=\*.{ts,tsx} | \
+                sed -E "s/import type .* from ['\"]([a-zA-Z0-9@/._-]+)['\"]/\1/" >> "$output_file"
           
+              # Remove subpath imports but keep the base package
+              # e.g., '@tanstack/react-query/devtools' becomes '@tanstack/react-query'
+              sed -i -E 's|^(@?[a-zA-Z0-9-]+(/[a-zA-Z0-9-]+)?)/.*|\1|' "$output_file"
+              
               sort -u "$output_file" -o "$output_file"
             else
               touch "$output_file"
@@ -78,13 +98,80 @@ jobs:
           extract_deps_from_code "." root_used_code.txt
           extract_deps_from_code "client" client_used_code.txt
           extract_deps_from_code "api" api_used_code.txt
+          
+          # Extract dependencies used by @librechat/client package
+          extract_deps_from_code "packages/client" packages_client_used_code.txt
+
+      - name: Get @librechat/client dependencies
+        id: get-librechat-client-deps
+        run: |
+          if [[ -f "packages/client/package.json" ]]; then
+            # Get all dependencies from @librechat/client (dependencies, devDependencies, and peerDependencies)
+            DEPS=$(jq -r '.dependencies // {} | keys[]' packages/client/package.json 2>/dev/null || echo "")
+            DEV_DEPS=$(jq -r '.devDependencies // {} | keys[]' packages/client/package.json 2>/dev/null || echo "")
+            PEER_DEPS=$(jq -r '.peerDependencies // {} | keys[]' packages/client/package.json 2>/dev/null || echo "")
+            
+            # Combine all dependencies
+            echo "$DEPS" > librechat_client_deps.txt
+            echo "$DEV_DEPS" >> librechat_client_deps.txt
+            echo "$PEER_DEPS" >> librechat_client_deps.txt
+            
+            # Also include dependencies that are imported in packages/client
+            cat packages_client_used_code.txt >> librechat_client_deps.txt
+            
+            # Remove empty lines and sort
+            grep -v '^$' librechat_client_deps.txt | sort -u > temp_deps.txt
+            mv temp_deps.txt librechat_client_deps.txt
+          else
+            touch librechat_client_deps.txt
+          fi
+
+      - name: Extract Workspace Dependencies
+        id: extract-workspace-deps
+        run: |
+          # Function to get dependencies from a workspace package that are used by another package
+          get_workspace_package_deps() {
+            local package_json=$1
+            local output_file=$2
+            
+            # Get all workspace dependencies (starting with @librechat/)
+            if [[ -f "$package_json" ]]; then
+              local workspace_deps=$(jq -r '.dependencies // {} | to_entries[] | select(.key | startswith("@librechat/")) | .key' "$package_json" 2>/dev/null || echo "")
+              
+              # For each workspace dependency, get its dependencies
+              for dep in $workspace_deps; do
+                # Convert @librechat/api to packages/api
+                local workspace_path=$(echo "$dep" | sed 's/@librechat\//packages\//')
+                local workspace_package_json="${workspace_path}/package.json"
+                
+                if [[ -f "$workspace_package_json" ]]; then
+                  # Extract all dependencies from the workspace package
+                  jq -r '.dependencies // {} | keys[]' "$workspace_package_json" 2>/dev/null >> "$output_file"
+                  # Also extract peerDependencies
+                  jq -r '.peerDependencies // {} | keys[]' "$workspace_package_json" 2>/dev/null >> "$output_file"
+                fi
+              done
+            fi
+            
+            if [[ -f "$output_file" ]]; then
+              sort -u "$output_file" -o "$output_file"
+            else
+              touch "$output_file"
+            fi
+          }
+          
+          # Get workspace dependencies for each package
+          get_workspace_package_deps "package.json" root_workspace_deps.txt
+          get_workspace_package_deps "client/package.json" client_workspace_deps.txt
+          get_workspace_package_deps "api/package.json" api_workspace_deps.txt
 
       - name: Run depcheck for root package.json
         id: check-root
         run: |
           if [[ -f "package.json" ]]; then
             UNUSED=$(depcheck --json | jq -r '.dependencies | join("\n")' || echo "")
-            UNUSED=$(comm -23 <(echo "$UNUSED" | sort) <(cat root_used_deps.txt root_used_code.txt | sort) || echo "")
+            # Exclude dependencies used in scripts, code, and workspace packages
+            UNUSED=$(comm -23 <(echo "$UNUSED" | sort) <(cat root_used_deps.txt root_used_code.txt root_workspace_deps.txt | sort) || echo "")
             echo "ROOT_UNUSED<<EOF" >> $GITHUB_ENV
             echo "$UNUSED" >> $GITHUB_ENV
             echo "EOF" >> $GITHUB_ENV
@@ -97,7 +184,8 @@ jobs:
             chmod -R 755 client
             cd client
             UNUSED=$(depcheck --json | jq -r '.dependencies | join("\n")' || echo "")
-            UNUSED=$(comm -23 <(echo "$UNUSED" | sort) <(cat ../client_used_deps.txt ../client_used_code.txt | sort) || echo "")
+            # Exclude dependencies used in scripts, code, and workspace packages
+            UNUSED=$(comm -23 <(echo "$UNUSED" | sort) <(cat ../client_used_deps.txt ../client_used_code.txt ../client_workspace_deps.txt | sort) || echo "")
             # Filter out false positives
             UNUSED=$(echo "$UNUSED" | grep -v "^micromark-extension-llm-math$" || echo "")
             echo "CLIENT_UNUSED<<EOF" >> $GITHUB_ENV
@@ -113,7 +201,8 @@ jobs:
             chmod -R 755 api
             cd api
             UNUSED=$(depcheck --json | jq -r '.dependencies | join("\n")' || echo "")
-            UNUSED=$(comm -23 <(echo "$UNUSED" | sort) <(cat ../api_used_deps.txt ../api_used_code.txt | sort) || echo "")
+            # Exclude dependencies used in scripts, code, and workspace packages
+            UNUSED=$(comm -23 <(echo "$UNUSED" | sort) <(cat ../api_used_deps.txt ../api_used_code.txt ../api_workspace_deps.txt | sort) || echo "")
             echo "API_UNUSED<<EOF" >> $GITHUB_ENV
             echo "$UNUSED" >> $GITHUB_ENV
             echo "EOF" >> $GITHUB_ENV

.vscode/launch.json

@@ -8,7 +8,8 @@
       "skipFiles": ["<node_internals>/**"],
       "program": "${workspaceFolder}/api/server/index.js",
       "env": {
-        "NODE_ENV": "production"
+        "NODE_ENV": "production",
+        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
       },
       "console": "integratedTerminal",
       "envFile": "${workspaceFolder}/.env"

Dockerfile

@@ -1,4 +1,4 @@
-# v0.7.9-rc1
+# v0.8.0-rc1
 
 # Base node image
 FROM node:20-alpine AS node

Dockerfile.multi

@@ -1,5 +1,5 @@
 # Dockerfile.multi
-# v0.7.9-rc1
+# v0.8.0-rc1
 
 # Base for all builds
 FROM node:20-alpine AS base-min
@@ -16,6 +16,7 @@ COPY package*.json ./
 COPY packages/data-provider/package*.json ./packages/data-provider/
 COPY packages/api/package*.json ./packages/api/
 COPY packages/data-schemas/package*.json ./packages/data-schemas/
+COPY packages/client/package*.json ./packages/client/
 COPY client/package*.json ./client/
 COPY api/package*.json ./api/
 
@@ -45,11 +46,19 @@ COPY --from=data-provider-build /app/packages/data-provider/dist /app/packages/d
 COPY --from=data-schemas-build /app/packages/data-schemas/dist /app/packages/data-schemas/dist
 RUN npm run build
 
+# Build `client` package
+FROM base AS client-package-build
+WORKDIR /app/packages/client
+COPY packages/client ./
+RUN npm run build
+
 # Client build
 FROM base AS client-build
 WORKDIR /app/client
 COPY client ./
 COPY --from=data-provider-build /app/packages/data-provider/dist /app/packages/data-provider/dist
+COPY --from=client-package-build /app/packages/client/dist /app/packages/client/dist
+COPY --from=client-package-build /app/packages/client/src /app/packages/client/src
 ENV NODE_OPTIONS="--max-old-space-size=2048"
 RUN npm run build
 

api/app/clients/BaseClient.js

@@ -108,12 +108,15 @@ class BaseClient {
   /**
    * Abstract method to record token usage. Subclasses must implement this method.
    * If a correction to the token usage is needed, the method should return an object with the corrected token counts.
+   * Should only be used if `recordCollectedUsage` was not used instead.
+   * @param {string} [model]
    * @param {number} promptTokens
    * @param {number} completionTokens
    * @returns {Promise<void>}
    */
-  async recordTokenUsage({ promptTokens, completionTokens }) {
+  async recordTokenUsage({ model, promptTokens, completionTokens }) {
     logger.debug('[BaseClient] `recordTokenUsage` not implemented.', {
+      model,
       promptTokens,
       completionTokens,
     });
@@ -741,9 +744,13 @@ class BaseClient {
       } else {
         responseMessage.tokenCount = this.getTokenCountForResponse(responseMessage);
         completionTokens = responseMessage.tokenCount;
+        await this.recordTokenUsage({
+          usage,
+          promptTokens,
+          completionTokens,
+          model: responseMessage.model,
+        });
       }
-
-      await this.recordTokenUsage({ promptTokens, completionTokens, usage });
     }
 
     if (userMessagePromise) {

api/app/clients/prompts/formatMessages.js

@@ -237,41 +237,9 @@ const formatAgentMessages = (payload) => {
   return messages;
 };
 
-/**
- * Formats an array of messages for LangChain, making sure all content fields are strings
- * @param {Array<(HumanMessage|AIMessage|SystemMessage|ToolMessage)>} payload - The array of messages to format.
- * @returns {Array<(HumanMessage|AIMessage|SystemMessage|ToolMessage)>} - The array of formatted LangChain messages, including ToolMessages for tool calls.
- */
-const formatContentStrings = (payload) => {
-  const messages = [];
-
-  for (const message of payload) {
-    if (typeof message.content === 'string') {
-      continue;
-    }
-
-    if (!Array.isArray(message.content)) {
-      continue;
-    }
-
-    // Reduce text types to a single string, ignore all other types
-    const content = message.content.reduce((acc, curr) => {
-      if (curr.type === ContentTypes.TEXT) {
-        return `${acc}${curr[ContentTypes.TEXT]}\n`;
-      }
-      return acc;
-    }, '');
-
-    message.content = content.trim();
-  }
-
-  return messages;
-};
-
 module.exports = {
   formatMessage,
   formatFromLangChain,
   formatAgentMessages,
-  formatContentStrings,
   formatLangChainMessages,
 };

api/app/clients/tools/structured/DALLE3.js

@@ -3,8 +3,8 @@ const path = require('path');
 const OpenAI = require('openai');
 const fetch = require('node-fetch');
 const { v4: uuidv4 } = require('uuid');
+const { ProxyAgent } = require('undici');
 const { Tool } = require('@langchain/core/tools');
-const { HttpsProxyAgent } = require('https-proxy-agent');
 const { FileContext, ContentTypes } = require('librechat-data-provider');
 const { getImageBasename } = require('~/server/services/Files/images');
 const extractBaseURL = require('~/utils/extractBaseURL');
@@ -46,7 +46,10 @@ class DALLE3 extends Tool {
     }
 
     if (process.env.PROXY) {
-      config.httpAgent = new HttpsProxyAgent(process.env.PROXY);
+      const proxyAgent = new ProxyAgent(process.env.PROXY);
+      config.fetchOptions = {
+        dispatcher: proxyAgent,
+      };
     }
 
     /** @type {OpenAI} */
@@ -163,7 +166,8 @@ Error Message: ${error.message}`);
     if (this.isAgent) {
       let fetchOptions = {};
       if (process.env.PROXY) {
-        fetchOptions.agent = new HttpsProxyAgent(process.env.PROXY);
+        const proxyAgent = new ProxyAgent(process.env.PROXY);
+        fetchOptions.dispatcher = proxyAgent;
       }
       const imageResponse = await fetch(theImageUrl, fetchOptions);
       const arrayBuffer = await imageResponse.arrayBuffer();

api/app/clients/tools/structured/OpenAIImageTools.js

@@ -3,10 +3,10 @@ const axios = require('axios');
 const { v4 } = require('uuid');
 const OpenAI = require('openai');
 const FormData = require('form-data');
+const { ProxyAgent } = require('undici');
 const { tool } = require('@langchain/core/tools');
 const { logAxiosError } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
-const { HttpsProxyAgent } = require('https-proxy-agent');
 const { ContentTypes, EImageOutputType } = require('librechat-data-provider');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { extractBaseURL } = require('~/utils');
@@ -189,7 +189,10 @@ function createOpenAIImageTools(fields = {}) {
       }
       const clientConfig = { ...closureConfig };
       if (process.env.PROXY) {
-        clientConfig.httpAgent = new HttpsProxyAgent(process.env.PROXY);
+        const proxyAgent = new ProxyAgent(process.env.PROXY);
+        clientConfig.fetchOptions = {
+          dispatcher: proxyAgent,
+        };
       }
 
       /** @type {OpenAI} */
@@ -335,7 +338,10 @@ Error Message: ${error.message}`);
 
       const clientConfig = { ...closureConfig };
       if (process.env.PROXY) {
-        clientConfig.httpAgent = new HttpsProxyAgent(process.env.PROXY);
+        const proxyAgent = new ProxyAgent(process.env.PROXY);
+        clientConfig.fetchOptions = {
+          dispatcher: proxyAgent,
+        };
       }
 
       const formData = new FormData();
@@ -447,6 +453,19 @@ Error Message: ${error.message}`);
           baseURL,
         };
 
+        if (process.env.PROXY) {
+          try {
+            const url = new URL(process.env.PROXY);
+            axiosConfig.proxy = {
+              host: url.hostname.replace(/^\[|\]$/g, ''),
+              port: url.port ? parseInt(url.port, 10) : undefined,
+              protocol: url.protocol.replace(':', ''),
+            };
+          } catch (error) {
+            logger.error('Error parsing proxy URL:', error);
+          }
+        }
+
         if (process.env.IMAGE_GEN_OAI_AZURE_API_VERSION && process.env.IMAGE_GEN_OAI_BASEURL) {
           axiosConfig.params = {
             'api-version': process.env.IMAGE_GEN_OAI_AZURE_API_VERSION,

api/app/clients/tools/structured/specs/DALLE3-proxy.spec.js

@@ -0,0 +1,94 @@
+const DALLE3 = require('../DALLE3');
+const { ProxyAgent } = require('undici');
+
+const processFileURL = jest.fn();
+
+jest.mock('~/server/services/Files/images', () => ({
+  getImageBasename: jest.fn().mockImplementation((url) => {
+    const parts = url.split('/');
+    const lastPart = parts.pop();
+    const imageExtensionRegex = /\.(jpg|jpeg|png|gif|bmp|tiff|svg)$/i;
+    if (imageExtensionRegex.test(lastPart)) {
+      return lastPart;
+    }
+    return '';
+  }),
+}));
+
+jest.mock('fs', () => {
+  return {
+    existsSync: jest.fn(),
+    mkdirSync: jest.fn(),
+    promises: {
+      writeFile: jest.fn(),
+      readFile: jest.fn(),
+      unlink: jest.fn(),
+    },
+  };
+});
+
+jest.mock('path', () => {
+  return {
+    resolve: jest.fn(),
+    join: jest.fn(),
+    relative: jest.fn(),
+    extname: jest.fn().mockImplementation((filename) => {
+      return filename.slice(filename.lastIndexOf('.'));
+    }),
+  };
+});
+
+describe('DALLE3 Proxy Configuration', () => {
+  let originalEnv;
+
+  beforeAll(() => {
+    originalEnv = { ...process.env };
+  });
+
+  beforeEach(() => {
+    jest.resetModules();
+    process.env = { ...originalEnv };
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  it('should configure ProxyAgent in fetchOptions.dispatcher when PROXY env is set', () => {
+    // Set proxy environment variable
+    process.env.PROXY = 'http://proxy.example.com:8080';
+    process.env.DALLE_API_KEY = 'test-api-key';
+
+    // Create instance
+    const dalleWithProxy = new DALLE3({ processFileURL });
+
+    // Check that the openai client exists
+    expect(dalleWithProxy.openai).toBeDefined();
+
+    // Check that _options exists and has fetchOptions with a dispatcher
+    expect(dalleWithProxy.openai._options).toBeDefined();
+    expect(dalleWithProxy.openai._options.fetchOptions).toBeDefined();
+    expect(dalleWithProxy.openai._options.fetchOptions.dispatcher).toBeDefined();
+    expect(dalleWithProxy.openai._options.fetchOptions.dispatcher).toBeInstanceOf(ProxyAgent);
+  });
+
+  it('should not configure ProxyAgent when PROXY env is not set', () => {
+    // Ensure PROXY is not set
+    delete process.env.PROXY;
+    process.env.DALLE_API_KEY = 'test-api-key';
+
+    // Create instance
+    const dalleWithoutProxy = new DALLE3({ processFileURL });
+
+    // Check that the openai client exists
+    expect(dalleWithoutProxy.openai).toBeDefined();
+
+    // Check that _options exists but fetchOptions either doesn't exist or doesn't have a dispatcher
+    expect(dalleWithoutProxy.openai._options).toBeDefined();
+
+    // fetchOptions should either not exist or not have a dispatcher
+    if (dalleWithoutProxy.openai._options.fetchOptions) {
+      expect(dalleWithoutProxy.openai._options.fetchOptions.dispatcher).toBeUndefined();
+    }
+  });
+});

api/app/clients/tools/util/fileSearch.js

@@ -3,6 +3,7 @@ const axios = require('axios');
 const { tool } = require('@langchain/core/tools');
 const { logger } = require('@librechat/data-schemas');
 const { Tools, EToolResources } = require('librechat-data-provider');
+const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
 const { generateShortLivedToken } = require('~/server/services/AuthService');
 const { getFiles } = require('~/models/File');
 
@@ -22,14 +23,24 @@ const primeFiles = async (options) => {
   const file_ids = tool_resources?.[EToolResources.file_search]?.file_ids ?? [];
   const agentResourceIds = new Set(file_ids);
   const resourceFiles = tool_resources?.[EToolResources.file_search]?.files ?? [];
-  const dbFiles = (
-    (await getFiles(
-      { file_id: { $in: file_ids } },
-      null,
-      { text: 0 },
-      { userId: req?.user?.id, agentId },
-    )) ?? []
-  ).concat(resourceFiles);
+
+  // Get all files first
+  const allFiles = (await getFiles({ file_id: { $in: file_ids } }, null, { text: 0 })) ?? [];
+
+  // Filter by access if user and agent are provided
+  let dbFiles;
+  if (req?.user?.id && agentId) {
+    dbFiles = await filterFilesByAgentAccess({
+      files: allFiles,
+      userId: req.user.id,
+      role: req.user.role,
+      agentId,
+    });
+  } else {
+    dbFiles = allFiles;
+  }
+
+  dbFiles = dbFiles.concat(resourceFiles);
 
   let toolContext = `- Note: Semantic search is available through the ${Tools.file_search} tool but no files are currently loaded. Request the user to upload documents to search through.`;
 
@@ -114,11 +125,13 @@ const createFileSearchTool = async ({ req, files, entity_id }) => {
       }
 
       const formattedResults = validResults
-        .flatMap((result) =>
+        .flatMap((result, fileIndex) =>
           result.data.map(([docInfo, distance]) => ({
             filename: docInfo.metadata.source.split('/').pop(),
             content: docInfo.page_content,
             distance,
+            file_id: files[fileIndex]?.file_id,
+            page: docInfo.metadata.page || null,
           })),
         )
         // TODO: results should be sorted by relevance, not distance
@@ -128,18 +141,37 @@ const createFileSearchTool = async ({ req, files, entity_id }) => {
 
       const formattedString = formattedResults
         .map(
-          (result) =>
-            `File: ${result.filename}\nRelevance: ${1.0 - result.distance.toFixed(4)}\nContent: ${
+          (result, index) =>
+            `File: ${result.filename}\nAnchor: \\ue202turn0file${index} (${result.filename})\nRelevance: ${(1.0 - result.distance).toFixed(4)}\nContent: ${
               result.content
             }\n`,
         )
         .join('\n---\n');
 
-      return formattedString;
+      const sources = formattedResults.map((result) => ({
+        type: 'file',
+        fileId: result.file_id,
+        content: result.content,
+        fileName: result.filename,
+        relevance: 1.0 - result.distance,
+        pages: result.page ? [result.page] : [],
+        pageRelevance: result.page ? { [result.page]: 1.0 - result.distance } : {},
+      }));
+
+      return [formattedString, { [Tools.file_search]: { sources } }];
     },
     {
       name: Tools.file_search,
-      description: `Performs semantic search across attached "${Tools.file_search}" documents using natural language queries. This tool analyzes the content of uploaded files to find relevant information, quotes, and passages that best match your query. Use this to extract specific information or find relevant sections within the available documents.`,
+      responseFormat: 'content_and_artifact',
+      description: `Performs semantic search across attached "${Tools.file_search}" documents using natural language queries. This tool analyzes the content of uploaded files to find relevant information, quotes, and passages that best match your query. Use this to extract specific information or find relevant sections within the available documents.
+
+**CITE FILE SEARCH RESULTS:**
+Use anchor markers immediately after statements derived from file content. Reference the filename in your text:
+- File citation: "The document.pdf states that... \\ue202turn0file0"  
+- Page reference: "According to report.docx... \\ue202turn0file1"
+- Multi-file: "Multiple sources confirm... \\ue200\\ue202turn0file0\\ue202turn0file1\\ue201"
+
+**ALWAYS mention the filename in your text before the citation marker. NEVER use markdown links or footnotes.**`,
       schema: z.object({
         query: z
           .string()

api/app/clients/tools/util/handleTools.js

@@ -1,14 +1,9 @@
-const { mcpToolPattern } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const { SerpAPI } = require('@langchain/community/tools/serpapi');
 const { Calculator } = require('@langchain/community/tools/calculator');
+const { mcpToolPattern, loadWebSearchAuth } = require('@librechat/api');
 const { EnvVar, createCodeExecutionTool, createSearchTool } = require('@librechat/agents');
-const {
-  Tools,
-  EToolResources,
-  loadWebSearchAuth,
-  replaceSpecialVars,
-} = require('librechat-data-provider');
+const { Tools, EToolResources, replaceSpecialVars } = require('librechat-data-provider');
 const {
   availableTools,
   manifestToolMap,

api/cache/cacheConfig.js

@@ -1,5 +1,6 @@
 const fs = require('fs');
 const { math, isEnabled } = require('@librechat/api');
+const { CacheKeys } = require('librechat-data-provider');
 
 // To ensure that different deployments do not interfere with each other's cache, we use a prefix for the Redis keys.
 // This prefix is usually the deployment ID, which is often passed to the container or pod as an env var.
@@ -15,7 +16,26 @@ if (USE_REDIS && !process.env.REDIS_URI) {
   throw new Error('USE_REDIS is enabled but REDIS_URI is not set.');
 }
 
+// Comma-separated list of cache namespaces that should be forced to use in-memory storage
+// even when Redis is enabled. This allows selective performance optimization for specific caches.
+const FORCED_IN_MEMORY_CACHE_NAMESPACES = process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES
+  ? process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES.split(',').map((key) => key.trim())
+  : [];
+
+// Validate against CacheKeys enum
+if (FORCED_IN_MEMORY_CACHE_NAMESPACES.length > 0) {
+  const validKeys = Object.values(CacheKeys);
+  const invalidKeys = FORCED_IN_MEMORY_CACHE_NAMESPACES.filter((key) => !validKeys.includes(key));
+
+  if (invalidKeys.length > 0) {
+    throw new Error(
+      `Invalid cache keys in FORCED_IN_MEMORY_CACHE_NAMESPACES: ${invalidKeys.join(', ')}. Valid keys: ${validKeys.join(', ')}`,
+    );
+  }
+}
+
 const cacheConfig = {
+  FORCED_IN_MEMORY_CACHE_NAMESPACES,
   USE_REDIS,
   REDIS_URI: process.env.REDIS_URI,
   REDIS_USERNAME: process.env.REDIS_USERNAME,
@@ -23,6 +43,15 @@ const cacheConfig = {
   REDIS_CA: process.env.REDIS_CA ? fs.readFileSync(process.env.REDIS_CA, 'utf8') : null,
   REDIS_KEY_PREFIX: process.env[REDIS_KEY_PREFIX_VAR] || REDIS_KEY_PREFIX || '',
   REDIS_MAX_LISTENERS: math(process.env.REDIS_MAX_LISTENERS, 40),
+  REDIS_PING_INTERVAL: math(process.env.REDIS_PING_INTERVAL, 0),
+  /** Max delay between reconnection attempts in ms */
+  REDIS_RETRY_MAX_DELAY: math(process.env.REDIS_RETRY_MAX_DELAY, 3000),
+  /** Max number of reconnection attempts (0 = infinite) */
+  REDIS_RETRY_MAX_ATTEMPTS: math(process.env.REDIS_RETRY_MAX_ATTEMPTS, 10),
+  /** Connection timeout in ms */
+  REDIS_CONNECT_TIMEOUT: math(process.env.REDIS_CONNECT_TIMEOUT, 10000),
+  /** Queue commands when disconnected */
+  REDIS_ENABLE_OFFLINE_QUEUE: isEnabled(process.env.REDIS_ENABLE_OFFLINE_QUEUE ?? 'true'),
 
   CI: isEnabled(process.env.CI),
   DEBUG_MEMORY_CACHE: isEnabled(process.env.DEBUG_MEMORY_CACHE),

api/cache/cacheConfig.spec.js

@@ -14,6 +14,8 @@ describe('cacheConfig', () => {
     delete process.env.REDIS_KEY_PREFIX_VAR;
     delete process.env.REDIS_KEY_PREFIX;
     delete process.env.USE_REDIS;
+    delete process.env.REDIS_PING_INTERVAL;
+    delete process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES;
 
     // Clear require cache
     jest.resetModules();
@@ -105,4 +107,51 @@ describe('cacheConfig', () => {
       expect(cacheConfig.REDIS_CA).toBeNull();
     });
   });
+
+  describe('REDIS_PING_INTERVAL configuration', () => {
+    test('should default to 0 when REDIS_PING_INTERVAL is not set', () => {
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_PING_INTERVAL).toBe(0);
+    });
+
+    test('should use provided REDIS_PING_INTERVAL value', () => {
+      process.env.REDIS_PING_INTERVAL = '300';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_PING_INTERVAL).toBe(300);
+    });
+  });
+
+  describe('FORCED_IN_MEMORY_CACHE_NAMESPACES validation', () => {
+    test('should parse comma-separated cache keys correctly', () => {
+      process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES = ' ROLES, STATIC_CONFIG ,MESSAGES ';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES).toEqual([
+        'ROLES',
+        'STATIC_CONFIG',
+        'MESSAGES',
+      ]);
+    });
+
+    test('should throw error for invalid cache keys', () => {
+      process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES = 'INVALID_KEY,ROLES';
+
+      expect(() => {
+        require('./cacheConfig');
+      }).toThrow('Invalid cache keys in FORCED_IN_MEMORY_CACHE_NAMESPACES: INVALID_KEY');
+    });
+
+    test('should handle empty string gracefully', () => {
+      process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES = '';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES).toEqual([]);
+    });
+
+    test('should handle undefined env var gracefully', () => {
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES).toEqual([]);
+    });
+  });
 });

api/cache/cacheFactory.js

@@ -1,12 +1,13 @@
 const KeyvRedis = require('@keyv/redis').default;
 const { Keyv } = require('keyv');
-const { cacheConfig } = require('./cacheConfig');
-const { keyvRedisClient, ioredisClient, GLOBAL_PREFIX_SEPARATOR } = require('./redisClients');
-const { Time } = require('librechat-data-provider');
-const ConnectRedis = require('connect-redis').default;
-const MemoryStore = require('memorystore')(require('express-session'));
-const { violationFile } = require('./keyvFiles');
 const { RedisStore } = require('rate-limit-redis');
+const { Time } = require('librechat-data-provider');
+const { logger } = require('@librechat/data-schemas');
+const { RedisStore: ConnectRedis } = require('connect-redis');
+const MemoryStore = require('memorystore')(require('express-session'));
+const { keyvRedisClient, ioredisClient, GLOBAL_PREFIX_SEPARATOR } = require('./redisClients');
+const { cacheConfig } = require('./cacheConfig');
+const { violationFile } = require('./keyvFiles');
 
 /**
  * Creates a cache instance using Redis or a fallback store. Suitable for general caching needs.
@@ -16,12 +17,25 @@ const { RedisStore } = require('rate-limit-redis');
  * @returns {Keyv} Cache instance.
  */
 const standardCache = (namespace, ttl = undefined, fallbackStore = undefined) => {
-  if (cacheConfig.USE_REDIS) {
-    const keyvRedis = new KeyvRedis(keyvRedisClient);
-    const cache = new Keyv(keyvRedis, { namespace, ttl });
-    keyvRedis.namespace = cacheConfig.REDIS_KEY_PREFIX;
-    keyvRedis.keyPrefixSeparator = GLOBAL_PREFIX_SEPARATOR;
-    return cache;
+  if (
+    cacheConfig.USE_REDIS &&
+    !cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES?.includes(namespace)
+  ) {
+    try {
+      const keyvRedis = new KeyvRedis(keyvRedisClient);
+      const cache = new Keyv(keyvRedis, { namespace, ttl });
+      keyvRedis.namespace = cacheConfig.REDIS_KEY_PREFIX;
+      keyvRedis.keyPrefixSeparator = GLOBAL_PREFIX_SEPARATOR;
+
+      cache.on('error', (err) => {
+        logger.error(`Cache error in namespace ${namespace}:`, err);
+      });
+
+      return cache;
+    } catch (err) {
+      logger.error(`Failed to create Redis cache for namespace ${namespace}:`, err);
+      throw err;
+    }
   }
   if (fallbackStore) return new Keyv({ store: fallbackStore, namespace, ttl });
   return new Keyv({ namespace, ttl });
@@ -47,7 +61,13 @@ const violationCache = (namespace, ttl = undefined) => {
 const sessionCache = (namespace, ttl = undefined) => {
   namespace = namespace.endsWith(':') ? namespace : `${namespace}:`;
   if (!cacheConfig.USE_REDIS) return new MemoryStore({ ttl, checkPeriod: Time.ONE_DAY });
-  return new ConnectRedis({ client: ioredisClient, ttl, prefix: namespace });
+  const store = new ConnectRedis({ client: ioredisClient, ttl, prefix: namespace });
+  if (ioredisClient) {
+    ioredisClient.on('error', (err) => {
+      logger.error(`Session store Redis error for namespace ${namespace}:`, err);
+    });
+  }
+  return store;
 };
 
 /**
@@ -59,8 +79,30 @@ const limiterCache = (prefix) => {
   if (!prefix) throw new Error('prefix is required');
   if (!cacheConfig.USE_REDIS) return undefined;
   prefix = prefix.endsWith(':') ? prefix : `${prefix}:`;
-  return new RedisStore({ sendCommand, prefix });
+
+  try {
+    if (!ioredisClient) {
+      logger.warn(`Redis client not available for rate limiter with prefix ${prefix}`);
+      return undefined;
+    }
+
+    return new RedisStore({ sendCommand, prefix });
+  } catch (err) {
+    logger.error(`Failed to create Redis rate limiter for prefix ${prefix}:`, err);
+    return undefined;
+  }
+};
+
+const sendCommand = (...args) => {
+  if (!ioredisClient) {
+    logger.warn('Redis client not available for command execution');
+    return Promise.reject(new Error('Redis client not available'));
+  }
+
+  return ioredisClient.call(...args).catch((err) => {
+    logger.error('Redis command execution failed:', err);
+    throw err;
+  });
 };
-const sendCommand = (...args) => ioredisClient?.call(...args);
 
 module.exports = { standardCache, sessionCache, violationCache, limiterCache };

api/cache/cacheFactory.spec.js

@@ -6,13 +6,17 @@ const mockKeyvRedis = {
   keyPrefixSeparator: '',
 };
 
-const mockKeyv = jest.fn().mockReturnValue({ mock: 'keyv' });
+const mockKeyv = jest.fn().mockReturnValue({
+  mock: 'keyv',
+  on: jest.fn(),
+});
 const mockConnectRedis = jest.fn().mockReturnValue({ mock: 'connectRedis' });
 const mockMemoryStore = jest.fn().mockReturnValue({ mock: 'memoryStore' });
 const mockRedisStore = jest.fn().mockReturnValue({ mock: 'redisStore' });
 
 const mockIoredisClient = {
   call: jest.fn(),
+  on: jest.fn(),
 };
 
 const mockKeyvRedisClient = {};
@@ -31,6 +35,7 @@ jest.mock('./cacheConfig', () => ({
   cacheConfig: {
     USE_REDIS: false,
     REDIS_KEY_PREFIX: 'test',
+    FORCED_IN_MEMORY_CACHE_NAMESPACES: [],
   },
 }));
 
@@ -44,9 +49,7 @@ jest.mock('./keyvFiles', () => ({
   violationFile: mockViolationFile,
 }));
 
-jest.mock('connect-redis', () => ({
-  default: mockConnectRedis,
-}));
+jest.mock('connect-redis', () => ({ RedisStore: mockConnectRedis }));
 
 jest.mock('memorystore', () => jest.fn(() => mockMemoryStore));
 
@@ -54,6 +57,14 @@ jest.mock('rate-limit-redis', () => ({
   RedisStore: mockRedisStore,
 }));
 
+jest.mock('@librechat/data-schemas', () => ({
+  logger: {
+    error: jest.fn(),
+    warn: jest.fn(),
+    info: jest.fn(),
+  },
+}));
+
 // Import after mocking
 const { standardCache, sessionCache, violationCache, limiterCache } = require('./cacheFactory');
 const { cacheConfig } = require('./cacheConfig');
@@ -65,6 +76,7 @@ describe('cacheFactory', () => {
     // Reset cache config mock
     cacheConfig.USE_REDIS = false;
     cacheConfig.REDIS_KEY_PREFIX = 'test';
+    cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES = [];
   });
 
   describe('redisCache', () => {
@@ -118,6 +130,52 @@ describe('cacheFactory', () => {
 
       expect(mockKeyv).toHaveBeenCalledWith({ namespace: undefined, ttl: undefined });
     });
+
+    it('should use fallback when namespace is in FORCED_IN_MEMORY_CACHE_NAMESPACES', () => {
+      cacheConfig.USE_REDIS = true;
+      cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES = ['forced-memory'];
+      const namespace = 'forced-memory';
+      const ttl = 3600;
+
+      standardCache(namespace, ttl);
+
+      expect(require('@keyv/redis').default).not.toHaveBeenCalled();
+      expect(mockKeyv).toHaveBeenCalledWith({ namespace, ttl });
+    });
+
+    it('should use Redis when namespace is not in FORCED_IN_MEMORY_CACHE_NAMESPACES', () => {
+      cacheConfig.USE_REDIS = true;
+      cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES = ['other-namespace'];
+      const namespace = 'test-namespace';
+      const ttl = 3600;
+
+      standardCache(namespace, ttl);
+
+      expect(require('@keyv/redis').default).toHaveBeenCalledWith(mockKeyvRedisClient);
+      expect(mockKeyv).toHaveBeenCalledWith(mockKeyvRedis, { namespace, ttl });
+    });
+
+    it('should throw error when Redis cache creation fails', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'test-namespace';
+      const ttl = 3600;
+      const testError = new Error('Redis connection failed');
+
+      const KeyvRedis = require('@keyv/redis').default;
+      KeyvRedis.mockImplementationOnce(() => {
+        throw testError;
+      });
+
+      expect(() => standardCache(namespace, ttl)).toThrow('Redis connection failed');
+
+      const { logger } = require('@librechat/data-schemas');
+      expect(logger.error).toHaveBeenCalledWith(
+        `Failed to create Redis cache for namespace ${namespace}:`,
+        testError,
+      );
+
+      expect(mockKeyv).not.toHaveBeenCalled();
+    });
   });
 
   describe('violationCache', () => {
@@ -209,6 +267,86 @@ describe('cacheFactory', () => {
         checkPeriod: Time.ONE_DAY,
       });
     });
+
+    it('should throw error when ConnectRedis constructor fails', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'sessions';
+      const ttl = 86400;
+
+      // Mock ConnectRedis to throw an error during construction
+      const redisError = new Error('Redis connection failed');
+      mockConnectRedis.mockImplementationOnce(() => {
+        throw redisError;
+      });
+
+      // The error should propagate up, not be caught
+      expect(() => sessionCache(namespace, ttl)).toThrow('Redis connection failed');
+
+      // Verify that MemoryStore was NOT used as fallback
+      expect(mockMemoryStore).not.toHaveBeenCalled();
+    });
+
+    it('should register error handler but let errors propagate to Express', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'sessions';
+
+      // Create a mock session store with middleware methods
+      const mockSessionStore = {
+        get: jest.fn(),
+        set: jest.fn(),
+        destroy: jest.fn(),
+      };
+      mockConnectRedis.mockReturnValue(mockSessionStore);
+
+      const store = sessionCache(namespace);
+
+      // Verify error handler was registered
+      expect(mockIoredisClient.on).toHaveBeenCalledWith('error', expect.any(Function));
+
+      // Get the error handler
+      const errorHandler = mockIoredisClient.on.mock.calls.find((call) => call[0] === 'error')[1];
+
+      // Simulate an error from Redis during a session operation
+      const redisError = new Error('Socket closed unexpectedly');
+
+      // The error handler should log but not swallow the error
+      const { logger } = require('@librechat/data-schemas');
+      errorHandler(redisError);
+
+      expect(logger.error).toHaveBeenCalledWith(
+        `Session store Redis error for namespace ${namespace}::`,
+        redisError,
+      );
+
+      // Now simulate what happens when session middleware tries to use the store
+      const callback = jest.fn();
+      mockSessionStore.get.mockImplementation((sid, cb) => {
+        cb(new Error('Redis connection lost'));
+      });
+
+      // Call the store's get method (as Express session would)
+      store.get('test-session-id', callback);
+
+      // The error should be passed to the callback, not swallowed
+      expect(callback).toHaveBeenCalledWith(new Error('Redis connection lost'));
+    });
+
+    it('should handle null ioredisClient gracefully', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'sessions';
+
+      // Temporarily set ioredisClient to null (simulating connection not established)
+      const originalClient = require('./redisClients').ioredisClient;
+      require('./redisClients').ioredisClient = null;
+
+      // ConnectRedis might accept null client but would fail on first use
+      // The important thing is it doesn't throw uncaught exceptions during construction
+      const store = sessionCache(namespace);
+      expect(store).toBeDefined();
+
+      // Restore original client
+      require('./redisClients').ioredisClient = originalClient;
+    });
   });
 
   describe('limiterCache', () => {
@@ -250,8 +388,10 @@ describe('cacheFactory', () => {
       });
     });
 
-    it('should pass sendCommand function that calls ioredisClient.call', () => {
+    it('should pass sendCommand function that calls ioredisClient.call', async () => {
       cacheConfig.USE_REDIS = true;
+      mockIoredisClient.call.mockResolvedValue('test-value');
+
       limiterCache('rate-limit');
 
       const sendCommandCall = mockRedisStore.mock.calls[0][0];
@@ -259,9 +399,29 @@ describe('cacheFactory', () => {
 
       // Test that sendCommand properly delegates to ioredisClient.call
       const args = ['GET', 'test-key'];
-      sendCommand(...args);
+      const result = await sendCommand(...args);
 
       expect(mockIoredisClient.call).toHaveBeenCalledWith(...args);
+      expect(result).toBe('test-value');
+    });
+
+    it('should handle sendCommand errors properly', async () => {
+      cacheConfig.USE_REDIS = true;
+
+      // Mock the call method to reject with an error
+      const testError = new Error('Redis error');
+      mockIoredisClient.call.mockRejectedValue(testError);
+
+      limiterCache('rate-limit');
+
+      const sendCommandCall = mockRedisStore.mock.calls[0][0];
+      const sendCommand = sendCommandCall.sendCommand;
+
+      // Test that sendCommand properly handles errors
+      const args = ['GET', 'test-key'];
+
+      await expect(sendCommand(...args)).rejects.toThrow('Redis error');
+      expect(mockIoredisClient.call).toHaveBeenCalledWith(...args);
     });
 
     it('should handle undefined prefix', () => {

api/cache/getLogStores.js

@@ -33,6 +33,7 @@ const namespaces = {
   [CacheKeys.ROLES]: standardCache(CacheKeys.ROLES),
   [CacheKeys.MCP_TOOLS]: standardCache(CacheKeys.MCP_TOOLS),
   [CacheKeys.CONFIG_STORE]: standardCache(CacheKeys.CONFIG_STORE),
+  [CacheKeys.STATIC_CONFIG]: standardCache(CacheKeys.STATIC_CONFIG),
   [CacheKeys.PENDING_REQ]: standardCache(CacheKeys.PENDING_REQ),
   [CacheKeys.ENCODED_DOMAINS]: new Keyv({ store: keyvMongo, namespace: CacheKeys.ENCODED_DOMAINS }),
   [CacheKeys.ABORT_KEYS]: standardCache(CacheKeys.ABORT_KEYS, Time.TEN_MINUTES),

api/cache/redisClients.js

@@ -1,6 +1,7 @@
 const IoRedis = require('ioredis');
-const { cacheConfig } = require('./cacheConfig');
+const { logger } = require('@librechat/data-schemas');
 const { createClient, createCluster } = require('@keyv/redis');
+const { cacheConfig } = require('./cacheConfig');
 
 const GLOBAL_PREFIX_SEPARATOR = '::';
 
@@ -12,31 +13,136 @@ const ca = cacheConfig.REDIS_CA;
 /** @type {import('ioredis').Redis | import('ioredis').Cluster | null} */
 let ioredisClient = null;
 if (cacheConfig.USE_REDIS) {
+  /** @type {import('ioredis').RedisOptions | import('ioredis').ClusterOptions} */
   const redisOptions = {
     username: username,
     password: password,
     tls: ca ? { ca } : undefined,
     keyPrefix: `${cacheConfig.REDIS_KEY_PREFIX}${GLOBAL_PREFIX_SEPARATOR}`,
     maxListeners: cacheConfig.REDIS_MAX_LISTENERS,
+    retryStrategy: (times) => {
+      if (
+        cacheConfig.REDIS_RETRY_MAX_ATTEMPTS > 0 &&
+        times > cacheConfig.REDIS_RETRY_MAX_ATTEMPTS
+      ) {
+        logger.error(
+          `ioredis giving up after ${cacheConfig.REDIS_RETRY_MAX_ATTEMPTS} reconnection attempts`,
+        );
+        return null;
+      }
+      const delay = Math.min(times * 50, cacheConfig.REDIS_RETRY_MAX_DELAY);
+      logger.info(`ioredis reconnecting... attempt ${times}, delay ${delay}ms`);
+      return delay;
+    },
+    reconnectOnError: (err) => {
+      const targetError = 'READONLY';
+      if (err.message.includes(targetError)) {
+        logger.warn('ioredis reconnecting due to READONLY error');
+        return true;
+      }
+      return false;
+    },
+    enableOfflineQueue: cacheConfig.REDIS_ENABLE_OFFLINE_QUEUE,
+    connectTimeout: cacheConfig.REDIS_CONNECT_TIMEOUT,
+    maxRetriesPerRequest: 3,
   };
 
   ioredisClient =
     urls.length === 1
       ? new IoRedis(cacheConfig.REDIS_URI, redisOptions)
-      : new IoRedis.Cluster(cacheConfig.REDIS_URI, { redisOptions });
+      : new IoRedis.Cluster(cacheConfig.REDIS_URI, {
+          redisOptions,
+          clusterRetryStrategy: (times) => {
+            if (
+              cacheConfig.REDIS_RETRY_MAX_ATTEMPTS > 0 &&
+              times > cacheConfig.REDIS_RETRY_MAX_ATTEMPTS
+            ) {
+              logger.error(
+                `ioredis cluster giving up after ${cacheConfig.REDIS_RETRY_MAX_ATTEMPTS} reconnection attempts`,
+              );
+              return null;
+            }
+            const delay = Math.min(times * 100, cacheConfig.REDIS_RETRY_MAX_DELAY);
+            logger.info(`ioredis cluster reconnecting... attempt ${times}, delay ${delay}ms`);
+            return delay;
+          },
+          enableOfflineQueue: cacheConfig.REDIS_ENABLE_OFFLINE_QUEUE,
+        });
 
-  // Pinging the Redis server every 5 minutes to keep the connection alive
-  const pingInterval = setInterval(() => ioredisClient.ping(), 5 * 60 * 1000);
-  ioredisClient.on('close', () => clearInterval(pingInterval));
-  ioredisClient.on('end', () => clearInterval(pingInterval));
+  ioredisClient.on('error', (err) => {
+    logger.error('ioredis client error:', err);
+  });
+
+  ioredisClient.on('connect', () => {
+    logger.info('ioredis client connected');
+  });
+
+  ioredisClient.on('ready', () => {
+    logger.info('ioredis client ready');
+  });
+
+  ioredisClient.on('reconnecting', (delay) => {
+    logger.info(`ioredis client reconnecting in ${delay}ms`);
+  });
+
+  ioredisClient.on('close', () => {
+    logger.warn('ioredis client connection closed');
+  });
+
+  /** Ping Interval to keep the Redis server connection alive (if enabled) */
+  let pingInterval = null;
+  const clearPingInterval = () => {
+    if (pingInterval) {
+      clearInterval(pingInterval);
+      pingInterval = null;
+    }
+  };
+
+  if (cacheConfig.REDIS_PING_INTERVAL > 0) {
+    pingInterval = setInterval(() => {
+      if (ioredisClient && ioredisClient.status === 'ready') {
+        ioredisClient.ping().catch((err) => {
+          logger.error('ioredis ping failed:', err);
+        });
+      }
+    }, cacheConfig.REDIS_PING_INTERVAL * 1000);
+    ioredisClient.on('close', clearPingInterval);
+    ioredisClient.on('end', clearPingInterval);
+  }
 }
 
 /** @type {import('@keyv/redis').RedisClient | import('@keyv/redis').RedisCluster | null} */
 let keyvRedisClient = null;
 if (cacheConfig.USE_REDIS) {
-  // ** WARNING ** Keyv Redis client does not support Prefix like ioredis above.
-  // The prefix feature will be handled by the Keyv-Redis store in cacheFactory.js
-  const redisOptions = { username, password, socket: { tls: ca != null, ca } };
+  /**
+   * ** WARNING ** Keyv Redis client does not support Prefix like ioredis above.
+   * The prefix feature will be handled by the Keyv-Redis store in cacheFactory.js
+   * @type {import('@keyv/redis').RedisClientOptions | import('@keyv/redis').RedisClusterOptions}
+   */
+  const redisOptions = {
+    username,
+    password,
+    socket: {
+      tls: ca != null,
+      ca,
+      connectTimeout: cacheConfig.REDIS_CONNECT_TIMEOUT,
+      reconnectStrategy: (retries) => {
+        if (
+          cacheConfig.REDIS_RETRY_MAX_ATTEMPTS > 0 &&
+          retries > cacheConfig.REDIS_RETRY_MAX_ATTEMPTS
+        ) {
+          logger.error(
+            `@keyv/redis client giving up after ${cacheConfig.REDIS_RETRY_MAX_ATTEMPTS} reconnection attempts`,
+          );
+          return new Error('Max reconnection attempts reached');
+        }
+        const delay = Math.min(retries * 100, cacheConfig.REDIS_RETRY_MAX_DELAY);
+        logger.info(`@keyv/redis reconnecting... attempt ${retries}, delay ${delay}ms`);
+        return delay;
+      },
+    },
+    disableOfflineQueue: !cacheConfig.REDIS_ENABLE_OFFLINE_QUEUE,
+  };
 
   keyvRedisClient =
     urls.length === 1
@@ -48,10 +154,51 @@ if (cacheConfig.USE_REDIS) {
 
   keyvRedisClient.setMaxListeners(cacheConfig.REDIS_MAX_LISTENERS);
 
-  // Pinging the Redis server every 5 minutes to keep the connection alive
-  const keyvPingInterval = setInterval(() => keyvRedisClient.ping(), 5 * 60 * 1000);
-  keyvRedisClient.on('disconnect', () => clearInterval(keyvPingInterval));
-  keyvRedisClient.on('end', () => clearInterval(keyvPingInterval));
+  keyvRedisClient.on('error', (err) => {
+    logger.error('@keyv/redis client error:', err);
+  });
+
+  keyvRedisClient.on('connect', () => {
+    logger.info('@keyv/redis client connected');
+  });
+
+  keyvRedisClient.on('ready', () => {
+    logger.info('@keyv/redis client ready');
+  });
+
+  keyvRedisClient.on('reconnecting', () => {
+    logger.info('@keyv/redis client reconnecting...');
+  });
+
+  keyvRedisClient.on('disconnect', () => {
+    logger.warn('@keyv/redis client disconnected');
+  });
+
+  keyvRedisClient.connect().catch((err) => {
+    logger.error('@keyv/redis initial connection failed:', err);
+    throw err;
+  });
+
+  /** Ping Interval to keep the Redis server connection alive (if enabled) */
+  let pingInterval = null;
+  const clearPingInterval = () => {
+    if (pingInterval) {
+      clearInterval(pingInterval);
+      pingInterval = null;
+    }
+  };
+
+  if (cacheConfig.REDIS_PING_INTERVAL > 0) {
+    pingInterval = setInterval(() => {
+      if (keyvRedisClient && keyvRedisClient.isReady) {
+        keyvRedisClient.ping().catch((err) => {
+          logger.error('@keyv/redis ping failed:', err);
+        });
+      }
+    }, cacheConfig.REDIS_PING_INTERVAL * 1000);
+    keyvRedisClient.on('disconnect', clearPingInterval);
+    keyvRedisClient.on('end', clearPingInterval);
+  }
 }
 
 module.exports = { ioredisClient, keyvRedisClient, GLOBAL_PREFIX_SEPARATOR };

api/db/connect.js

@@ -1,11 +1,34 @@
 require('dotenv').config();
+const { isEnabled } = require('@librechat/api');
+const { logger } = require('@librechat/data-schemas');
+
 const mongoose = require('mongoose');
 const MONGO_URI = process.env.MONGO_URI;
 
 if (!MONGO_URI) {
   throw new Error('Please define the MONGO_URI environment variable');
 }
+/** The maximum number of connections in the connection pool. */
+const maxPoolSize = parseInt(process.env.MONGO_MAX_POOL_SIZE) || undefined;
+/** The minimum number of connections in the connection pool. */
+const minPoolSize = parseInt(process.env.MONGO_MIN_POOL_SIZE) || undefined;
+/** The maximum number of connections that may be in the process of being established concurrently by the connection pool. */
+const maxConnecting = parseInt(process.env.MONGO_MAX_CONNECTING) || undefined;
+/** The maximum number of milliseconds that a connection can remain idle in the pool before being removed and closed. */
+const maxIdleTimeMS = parseInt(process.env.MONGO_MAX_IDLE_TIME_MS) || undefined;
+/** The maximum time in milliseconds that a thread can wait for a connection to become available. */
+const waitQueueTimeoutMS = parseInt(process.env.MONGO_WAIT_QUEUE_TIMEOUT_MS) || undefined;
+/** Set to false to disable automatic index creation for all models associated with this connection. */
+const autoIndex =
+  process.env.MONGO_AUTO_INDEX != undefined
+    ? isEnabled(process.env.MONGO_AUTO_INDEX) || false
+    : undefined;
 
+/** Set to `false` to disable Mongoose automatically calling `createCollection()` on every model created on this connection. */
+const autoCreate =
+  process.env.MONGO_AUTO_CREATE != undefined
+    ? isEnabled(process.env.MONGO_AUTO_CREATE) || false
+    : undefined;
 /**
  * Global is used here to maintain a cached connection across hot reloads
  * in development. This prevents connections growing exponentially
@@ -26,13 +49,21 @@ async function connectDb() {
   if (!cached.promise || disconnected) {
     const opts = {
       bufferCommands: false,
+      ...(maxPoolSize ? { maxPoolSize } : {}),
+      ...(minPoolSize ? { minPoolSize } : {}),
+      ...(maxConnecting ? { maxConnecting } : {}),
+      ...(maxIdleTimeMS ? { maxIdleTimeMS } : {}),
+      ...(waitQueueTimeoutMS ? { waitQueueTimeoutMS } : {}),
+      ...(autoIndex != undefined ? { autoIndex } : {}),
+      ...(autoCreate != undefined ? { autoCreate } : {}),
       // useNewUrlParser: true,
       // useUnifiedTopology: true,
       // bufferMaxEntries: 0,
       // useFindAndModify: true,
       // useCreateIndex: true
     };
-
+    logger.info('Mongo Connection options');
+    logger.info(JSON.stringify(opts, null, 2));
     mongoose.set('strictQuery', true);
     cached.promise = mongoose.connect(MONGO_URI, opts).then((mongoose) => {
       return mongoose;

api/jest.config.js

@@ -3,6 +3,7 @@ module.exports = {
   clearMocks: true,
   roots: ['<rootDir>'],
   coverageDirectory: 'coverage',
+  testTimeout: 30000, // 30 seconds timeout for all tests
   setupFiles: [
     './test/jestSetup.js',
     './test/__mocks__/logger.js',

api/models/Agent.js

@@ -1,18 +1,17 @@
 const mongoose = require('mongoose');
 const crypto = require('node:crypto');
 const { logger } = require('@librechat/data-schemas');
-const { SystemRoles, Tools, actionDelimiter } = require('librechat-data-provider');
+const { ResourceType, SystemRoles, Tools, actionDelimiter } = require('librechat-data-provider');
 const { GLOBAL_PROJECT_NAME, EPHEMERAL_AGENT_ID, mcp_delimiter } =
   require('librechat-data-provider').Constants;
-const { CONFIG_STORE, STARTUP_CONFIG } = require('librechat-data-provider').CacheKeys;
 const {
-  getProjectByName,
-  addAgentIdsToProject,
-  removeAgentIdsFromProject,
   removeAgentFromAllProjects,
+  removeAgentIdsFromProject,
+  addAgentIdsToProject,
+  getProjectByName,
 } = require('./Project');
+const { removeAllPermissions } = require('~/server/services/PermissionService');
 const { getCachedTools } = require('~/server/services/Config');
-const getLogStores = require('~/cache/getLogStores');
 const { getActions } = require('./Action');
 const { Agent } = require('~/db/models');
 
@@ -23,7 +22,7 @@ const { Agent } = require('~/db/models');
  * @throws {Error} If the agent creation fails.
  */
 const createAgent = async (agentData) => {
-  const { author, ...versionData } = agentData;
+  const { author: _author, ...versionData } = agentData;
   const timestamp = new Date();
   const initialAgentData = {
     ...agentData,
@@ -34,7 +33,9 @@ const createAgent = async (agentData) => {
         updatedAt: timestamp,
       },
     ],
+    category: agentData.category || 'general',
   };
+
   return (await Agent.create(initialAgentData)).toObject();
 };
 
@@ -131,29 +132,7 @@ const loadAgent = async ({ req, agent_id, endpoint, model_parameters }) => {
   }
 
   agent.version = agent.versions ? agent.versions.length : 0;
-
-  if (agent.author.toString() === req.user.id) {
-    return agent;
-  }
-
-  if (!agent.projectIds) {
-    return null;
-  }
-
-  const cache = getLogStores(CONFIG_STORE);
-  /** @type {TStartupConfig} */
-  const cachedStartupConfig = await cache.get(STARTUP_CONFIG);
-  let { instanceProjectId } = cachedStartupConfig ?? {};
-  if (!instanceProjectId) {
-    instanceProjectId = (await getProjectByName(GLOBAL_PROJECT_NAME, '_id'))._id.toString();
-  }
-
-  for (const projectObjectId of agent.projectIds) {
-    const projectId = projectObjectId.toString();
-    if (projectId === instanceProjectId) {
-      return agent;
-    }
-  }
+  return agent;
 };
 
 /**
@@ -183,7 +162,7 @@ const isDuplicateVersion = (updateData, currentData, versions, actionsHash = nul
     'actionsHash', // Exclude actionsHash from direct comparison
   ];
 
-  const { $push, $pull, $addToSet, ...directUpdates } = updateData;
+  const { $push: _$push, $pull: _$pull, $addToSet: _$addToSet, ...directUpdates } = updateData;
 
   if (Object.keys(directUpdates).length === 0 && !actionsHash) {
     return null;
@@ -202,54 +181,116 @@ const isDuplicateVersion = (updateData, currentData, versions, actionsHash = nul
 
   let isMatch = true;
   for (const field of importantFields) {
-    if (!wouldBeVersion[field] && !lastVersion[field]) {
+    const wouldBeValue = wouldBeVersion[field];
+    const lastVersionValue = lastVersion[field];
+
+    // Skip if both are undefined/null
+    if (!wouldBeValue && !lastVersionValue) {
       continue;
     }
 
-    if (Array.isArray(wouldBeVersion[field]) && Array.isArray(lastVersion[field])) {
-      if (wouldBeVersion[field].length !== lastVersion[field].length) {
+    // Handle arrays
+    if (Array.isArray(wouldBeValue) || Array.isArray(lastVersionValue)) {
+      // Normalize: treat undefined/null as empty array for comparison
+      let wouldBeArr;
+      if (Array.isArray(wouldBeValue)) {
+        wouldBeArr = wouldBeValue;
+      } else if (wouldBeValue == null) {
+        wouldBeArr = [];
+      } else {
+        wouldBeArr = [wouldBeValue];
+      }
+
+      let lastVersionArr;
+      if (Array.isArray(lastVersionValue)) {
+        lastVersionArr = lastVersionValue;
+      } else if (lastVersionValue == null) {
+        lastVersionArr = [];
+      } else {
+        lastVersionArr = [lastVersionValue];
+      }
+
+      if (wouldBeArr.length !== lastVersionArr.length) {
         isMatch = false;
         break;
       }
 
       // Special handling for projectIds (MongoDB ObjectIds)
       if (field === 'projectIds') {
-        const wouldBeIds = wouldBeVersion[field].map((id) => id.toString()).sort();
-        const versionIds = lastVersion[field].map((id) => id.toString()).sort();
+        const wouldBeIds = wouldBeArr.map((id) => id.toString()).sort();
+        const versionIds = lastVersionArr.map((id) => id.toString()).sort();
 
         if (!wouldBeIds.every((id, i) => id === versionIds[i])) {
           isMatch = false;
           break;
         }
       }
-      // Handle arrays of objects like tool_kwargs
-      else if (typeof wouldBeVersion[field][0] === 'object' && wouldBeVersion[field][0] !== null) {
-        const sortedWouldBe = [...wouldBeVersion[field]].map((item) => JSON.stringify(item)).sort();
-        const sortedVersion = [...lastVersion[field]].map((item) => JSON.stringify(item)).sort();
+      // Handle arrays of objects
+      else if (
+        wouldBeArr.length > 0 &&
+        typeof wouldBeArr[0] === 'object' &&
+        wouldBeArr[0] !== null
+      ) {
+        const sortedWouldBe = [...wouldBeArr].map((item) => JSON.stringify(item)).sort();
+        const sortedVersion = [...lastVersionArr].map((item) => JSON.stringify(item)).sort();
 
         if (!sortedWouldBe.every((item, i) => item === sortedVersion[i])) {
           isMatch = false;
           break;
         }
       } else {
-        const sortedWouldBe = [...wouldBeVersion[field]].sort();
-        const sortedVersion = [...lastVersion[field]].sort();
+        const sortedWouldBe = [...wouldBeArr].sort();
+        const sortedVersion = [...lastVersionArr].sort();
 
         if (!sortedWouldBe.every((item, i) => item === sortedVersion[i])) {
           isMatch = false;
           break;
         }
       }
-    } else if (field === 'model_parameters') {
-      const wouldBeParams = wouldBeVersion[field] || {};
-      const lastVersionParams = lastVersion[field] || {};
-      if (JSON.stringify(wouldBeParams) !== JSON.stringify(lastVersionParams)) {
+    }
+    // Handle objects
+    else if (typeof wouldBeValue === 'object' && wouldBeValue !== null) {
+      const lastVersionObj =
+        typeof lastVersionValue === 'object' && lastVersionValue !== null ? lastVersionValue : {};
+
+      // For empty objects, normalize the comparison
+      const wouldBeKeys = Object.keys(wouldBeValue);
+      const lastVersionKeys = Object.keys(lastVersionObj);
+
+      // If both are empty objects, they're equal
+      if (wouldBeKeys.length === 0 && lastVersionKeys.length === 0) {
+        continue;
+      }
+
+      // Otherwise do a deep comparison
+      if (JSON.stringify(wouldBeValue) !== JSON.stringify(lastVersionObj)) {
+        isMatch = false;
+        break;
+      }
+    }
+    // Handle primitive values
+    else {
+      // For primitives, handle the case where one is undefined and the other is a default value
+      if (wouldBeValue !== lastVersionValue) {
+        // Special handling for boolean false vs undefined
+        if (
+          typeof wouldBeValue === 'boolean' &&
+          wouldBeValue === false &&
+          lastVersionValue === undefined
+        ) {
+          continue;
+        }
+        // Special handling for empty string vs undefined
+        if (
+          typeof wouldBeValue === 'string' &&
+          wouldBeValue === '' &&
+          lastVersionValue === undefined
+        ) {
+          continue;
+        }
         isMatch = false;
         break;
       }
-    } else if (wouldBeVersion[field] !== lastVersion[field]) {
-      isMatch = false;
-      break;
     }
   }
 
@@ -278,7 +319,14 @@ const updateAgent = async (searchParameter, updateData, options = {}) => {
 
   const currentAgent = await Agent.findOne(searchParameter);
   if (currentAgent) {
-    const { __v, _id, id, versions, author, ...versionData } = currentAgent.toObject();
+    const {
+      __v,
+      _id,
+      id: __id,
+      versions,
+      author: _author,
+      ...versionData
+    } = currentAgent.toObject();
     const { $push, $pull, $addToSet, ...directUpdates } = updateData;
 
     let actionsHash = null;
@@ -465,12 +513,117 @@ const deleteAgent = async (searchParameter) => {
   const agent = await Agent.findOneAndDelete(searchParameter);
   if (agent) {
     await removeAgentFromAllProjects(agent.id);
+    await removeAllPermissions({
+      resourceType: ResourceType.AGENT,
+      resourceId: agent._id,
+    });
   }
   return agent;
 };
 
+/**
+ * Get agents by accessible IDs with optional cursor-based pagination.
+ * @param {Object} params - The parameters for getting accessible agents.
+ * @param {Array} [params.accessibleIds] - Array of agent ObjectIds the user has ACL access to.
+ * @param {Object} [params.otherParams] - Additional query parameters (including author filter).
+ * @param {number} [params.limit] - Number of agents to return (max 100). If not provided, returns all agents.
+ * @param {string} [params.after] - Cursor for pagination - get agents after this cursor. // base64 encoded JSON string with updatedAt and _id.
+ * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
+ */
+const getListAgentsByAccess = async ({
+  accessibleIds = [],
+  otherParams = {},
+  limit = null,
+  after = null,
+}) => {
+  const isPaginated = limit !== null && limit !== undefined;
+  const normalizedLimit = isPaginated ? Math.min(Math.max(1, parseInt(limit) || 20), 100) : null;
+
+  // Build base query combining ACL accessible agents with other filters
+  const baseQuery = { ...otherParams, _id: { $in: accessibleIds } };
+
+  // Add cursor condition
+  if (after) {
+    try {
+      const cursor = JSON.parse(Buffer.from(after, 'base64').toString('utf8'));
+      const { updatedAt, _id } = cursor;
+
+      const cursorCondition = {
+        $or: [
+          { updatedAt: { $lt: new Date(updatedAt) } },
+          { updatedAt: new Date(updatedAt), _id: { $gt: new mongoose.Types.ObjectId(_id) } },
+        ],
+      };
+
+      // Merge cursor condition with base query
+      if (Object.keys(baseQuery).length > 0) {
+        baseQuery.$and = [{ ...baseQuery }, cursorCondition];
+        // Remove the original conditions from baseQuery to avoid duplication
+        Object.keys(baseQuery).forEach((key) => {
+          if (key !== '$and') delete baseQuery[key];
+        });
+      } else {
+        Object.assign(baseQuery, cursorCondition);
+      }
+    } catch (error) {
+      logger.warn('Invalid cursor:', error.message);
+    }
+  }
+
+  let query = Agent.find(baseQuery, {
+    id: 1,
+    _id: 1,
+    name: 1,
+    avatar: 1,
+    author: 1,
+    projectIds: 1,
+    description: 1,
+    updatedAt: 1,
+    category: 1,
+    support_contact: 1,
+    is_promoted: 1,
+  }).sort({ updatedAt: -1, _id: 1 });
+
+  // Only apply limit if pagination is requested
+  if (isPaginated) {
+    query = query.limit(normalizedLimit + 1);
+  }
+
+  const agents = await query.lean();
+
+  const hasMore = isPaginated ? agents.length > normalizedLimit : false;
+  const data = (isPaginated ? agents.slice(0, normalizedLimit) : agents).map((agent) => {
+    if (agent.author) {
+      agent.author = agent.author.toString();
+    }
+    return agent;
+  });
+
+  // Generate next cursor only if paginated
+  let nextCursor = null;
+  if (isPaginated && hasMore && data.length > 0) {
+    const lastAgent = agents[normalizedLimit - 1];
+    nextCursor = Buffer.from(
+      JSON.stringify({
+        updatedAt: lastAgent.updatedAt.toISOString(),
+        _id: lastAgent._id.toString(),
+      }),
+    ).toString('base64');
+  }
+
+  return {
+    object: 'list',
+    data,
+    first_id: data.length > 0 ? data[0].id : null,
+    last_id: data.length > 0 ? data[data.length - 1].id : null,
+    has_more: hasMore,
+    after: nextCursor,
+  };
+};
+
 /**
  * Get all agents.
+ * @deprecated Use getListAgentsByAccess for ACL-aware agent listing
  * @param {Object} searchParameter - The search parameters to find matching agents.
  * @param {string} searchParameter.author - The user ID of the agent's author.
  * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
@@ -489,13 +642,15 @@ const getListAgents = async (searchParameter) => {
   const agents = (
     await Agent.find(query, {
       id: 1,
-      _id: 0,
+      _id: 1,
       name: 1,
       avatar: 1,
       author: 1,
       projectIds: 1,
       description: 1,
+      // @deprecated - isCollaborative replaced by ACL permissions
       isCollaborative: 1,
+      category: 1,
     }).lean()
   ).map((agent) => {
     if (agent.author?.toString() !== author) {
@@ -661,6 +816,14 @@ const generateActionMetadataHash = async (actionIds, actions) => {
 
   return hashHex;
 };
+/**
+ * Counts the number of promoted agents.
+ * @returns  {Promise<number>} - The count of promoted agents
+ */
+const countPromotedAgents = async () => {
+  const count = await Agent.countDocuments({ is_promoted: true });
+  return count;
+};
 
 /**
  * Load a default agent based on the endpoint
@@ -678,6 +841,8 @@ module.exports = {
   revertAgentVersion,
   updateAgentProjects,
   addAgentResourceFile,
+  getListAgentsByAccess,
   removeAgentResourceFiles,
   generateActionMetadataHash,
+  countPromotedAgents,
 };

api/models/Agent.spec.js

@@ -14,6 +14,7 @@ const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
 const { agentSchema } = require('@librechat/data-schemas');
 const { MongoMemoryServer } = require('mongodb-memory-server');
+const { AccessRoleIds, ResourceType, PrincipalType } = require('librechat-data-provider');
 const {
   getAgent,
   loadAgent,
@@ -21,13 +22,16 @@ const {
   updateAgent,
   deleteAgent,
   getListAgents,
+  getListAgentsByAccess,
+  revertAgentVersion,
   updateAgentProjects,
   addAgentResourceFile,
   removeAgentResourceFiles,
   generateActionMetadataHash,
-  revertAgentVersion,
 } = require('./Agent');
+const permissionService = require('~/server/services/PermissionService');
 const { getCachedTools } = require('~/server/services/Config');
+const { AclEntry } = require('~/db/models');
 
 /**
  * @type {import('mongoose').Model<import('@librechat/data-schemas').IAgent>}
@@ -407,12 +411,26 @@ describe('models/Agent', () => {
 
   describe('Agent CRUD Operations', () => {
     let mongoServer;
+    let AccessRole;
 
     beforeAll(async () => {
       mongoServer = await MongoMemoryServer.create();
       const mongoUri = mongoServer.getUri();
       Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
       await mongoose.connect(mongoUri);
+
+      // Initialize models
+      const dbModels = require('~/db/models');
+      AccessRole = dbModels.AccessRole;
+
+      // Create necessary access roles for agents
+      await AccessRole.create({
+        accessRoleId: AccessRoleIds.AGENT_OWNER,
+        name: 'Owner',
+        description: 'Full control over agents',
+        resourceType: ResourceType.AGENT,
+        permBits: 15, // VIEW | EDIT | DELETE | SHARE
+      });
     }, 20000);
 
     afterAll(async () => {
@@ -468,6 +486,51 @@ describe('models/Agent', () => {
       expect(agentAfterDelete).toBeNull();
     });
 
+    test('should remove ACL entries when deleting an agent', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Agent With Permissions',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+      });
+
+      // Grant permissions (simulating sharing)
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: authorId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_OWNER,
+        grantedBy: authorId,
+      });
+
+      // Verify ACL entry exists
+      const aclEntriesBefore = await AclEntry.find({
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+      });
+      expect(aclEntriesBefore).toHaveLength(1);
+
+      // Delete the agent
+      await deleteAgent({ id: agentId });
+
+      // Verify agent is deleted
+      const agentAfterDelete = await getAgent({ id: agentId });
+      expect(agentAfterDelete).toBeNull();
+
+      // Verify ACL entries are removed
+      const aclEntriesAfter = await AclEntry.find({
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+      });
+      expect(aclEntriesAfter).toHaveLength(0);
+    });
+
     test('should list agents by author', async () => {
       const authorId = new mongoose.Types.ObjectId();
       const otherAuthorId = new mongoose.Types.ObjectId();
@@ -1258,6 +1321,328 @@ describe('models/Agent', () => {
       expect(secondUpdate.versions).toHaveLength(3);
     });
 
+    test('should detect changes in support_contact fields', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with initial support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Agent with Support Contact',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Initial Support',
+          email: 'initial@support.com',
+        },
+      });
+
+      // Update support_contact name only
+      const firstUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Updated Support',
+            email: 'initial@support.com',
+          },
+        },
+      );
+
+      expect(firstUpdate.versions).toHaveLength(2);
+      expect(firstUpdate.support_contact.name).toBe('Updated Support');
+      expect(firstUpdate.support_contact.email).toBe('initial@support.com');
+
+      // Update support_contact email only
+      const secondUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Updated Support',
+            email: 'updated@support.com',
+          },
+        },
+      );
+
+      expect(secondUpdate.versions).toHaveLength(3);
+      expect(secondUpdate.support_contact.email).toBe('updated@support.com');
+
+      // Try to update with same support_contact - should be detected as duplicate
+      await expect(
+        updateAgent(
+          { id: agentId },
+          {
+            support_contact: {
+              name: 'Updated Support',
+              email: 'updated@support.com',
+            },
+          },
+        ),
+      ).rejects.toThrow('Duplicate version');
+    });
+
+    test('should handle support_contact from empty to populated', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent without support_contact
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Agent without Support',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+      });
+
+      // Verify support_contact is undefined since it wasn't provided
+      expect(agent.support_contact).toBeUndefined();
+
+      // Update to add support_contact
+      const updated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'New Support Team',
+            email: 'support@example.com',
+          },
+        },
+      );
+
+      expect(updated.versions).toHaveLength(2);
+      expect(updated.support_contact.name).toBe('New Support Team');
+      expect(updated.support_contact.email).toBe('support@example.com');
+    });
+
+    test('should handle support_contact edge cases in isDuplicateVersion', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Edge Case Agent',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Support',
+          email: 'support@test.com',
+        },
+      });
+
+      // Update to empty support_contact
+      const emptyUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {},
+        },
+      );
+
+      expect(emptyUpdate.versions).toHaveLength(2);
+      expect(emptyUpdate.support_contact).toEqual({});
+
+      // Update back to populated support_contact
+      const repopulated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Support',
+            email: 'support@test.com',
+          },
+        },
+      );
+
+      expect(repopulated.versions).toHaveLength(3);
+
+      // Verify all versions have correct support_contact
+      const finalAgent = await getAgent({ id: agentId });
+      expect(finalAgent.versions[0].support_contact).toEqual({
+        name: 'Support',
+        email: 'support@test.com',
+      });
+      expect(finalAgent.versions[1].support_contact).toEqual({});
+      expect(finalAgent.versions[2].support_contact).toEqual({
+        name: 'Support',
+        email: 'support@test.com',
+      });
+    });
+
+    test('should preserve support_contact in version history', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent
+      await createAgent({
+        id: agentId,
+        name: 'Version History Test',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Initial Contact',
+          email: 'initial@test.com',
+        },
+      });
+
+      // Multiple updates with different support_contact values
+      await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Second Contact',
+            email: 'second@test.com',
+          },
+        },
+      );
+
+      await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Third Contact',
+            email: 'third@test.com',
+          },
+        },
+      );
+
+      const finalAgent = await getAgent({ id: agentId });
+
+      // Verify version history
+      expect(finalAgent.versions).toHaveLength(3);
+      expect(finalAgent.versions[0].support_contact).toEqual({
+        name: 'Initial Contact',
+        email: 'initial@test.com',
+      });
+      expect(finalAgent.versions[1].support_contact).toEqual({
+        name: 'Second Contact',
+        email: 'second@test.com',
+      });
+      expect(finalAgent.versions[2].support_contact).toEqual({
+        name: 'Third Contact',
+        email: 'third@test.com',
+      });
+
+      // Current state should match last version
+      expect(finalAgent.support_contact).toEqual({
+        name: 'Third Contact',
+        email: 'third@test.com',
+      });
+    });
+
+    test('should handle partial support_contact updates', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with full support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Partial Update Test',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Original Name',
+          email: 'original@email.com',
+        },
+      });
+
+      // MongoDB's findOneAndUpdate will replace the entire support_contact object
+      // So we need to verify that partial updates still work correctly
+      const updated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'New Name',
+            email: '', // Empty email
+          },
+        },
+      );
+
+      expect(updated.versions).toHaveLength(2);
+      expect(updated.support_contact.name).toBe('New Name');
+      expect(updated.support_contact.email).toBe('');
+
+      // Verify isDuplicateVersion works with partial changes
+      await expect(
+        updateAgent(
+          { id: agentId },
+          {
+            support_contact: {
+              name: 'New Name',
+              email: '',
+            },
+          },
+        ),
+      ).rejects.toThrow('Duplicate version');
+    });
+
+    // Edge Cases
+    describe.each([
+      {
+        operation: 'add',
+        name: 'empty file_id',
+        needsAgent: true,
+        params: { tool_resource: 'file_search', file_id: '' },
+        shouldResolve: true,
+      },
+      {
+        operation: 'add',
+        name: 'non-existent agent',
+        needsAgent: false,
+        params: { tool_resource: 'file_search', file_id: 'file123' },
+        shouldResolve: false,
+        error: 'Agent not found for adding resource file',
+      },
+    ])('addAgentResourceFile with $name', ({ needsAgent, params, shouldResolve, error }) => {
+      test(`should ${shouldResolve ? 'resolve' : 'reject'}`, async () => {
+        const agent = needsAgent ? await createBasicAgent() : null;
+        const agent_id = needsAgent ? agent.id : `agent_${uuidv4()}`;
+
+        if (shouldResolve) {
+          await expect(addAgentResourceFile({ agent_id, ...params })).resolves.toBeDefined();
+        } else {
+          await expect(addAgentResourceFile({ agent_id, ...params })).rejects.toThrow(error);
+        }
+      });
+    });
+
+    describe.each([
+      {
+        name: 'empty files array',
+        files: [],
+        needsAgent: true,
+        shouldResolve: true,
+      },
+      {
+        name: 'non-existent tool_resource',
+        files: [{ tool_resource: 'non_existent_tool', file_id: 'file123' }],
+        needsAgent: true,
+        shouldResolve: true,
+      },
+      {
+        name: 'non-existent agent',
+        files: [{ tool_resource: 'file_search', file_id: 'file123' }],
+        needsAgent: false,
+        shouldResolve: false,
+        error: 'Agent not found for removing resource files',
+      },
+    ])('removeAgentResourceFiles with $name', ({ files, needsAgent, shouldResolve, error }) => {
+      test(`should ${shouldResolve ? 'resolve' : 'reject'}`, async () => {
+        const agent = needsAgent ? await createBasicAgent() : null;
+        const agent_id = needsAgent ? agent.id : `agent_${uuidv4()}`;
+
+        if (shouldResolve) {
+          const result = await removeAgentResourceFiles({ agent_id, files });
+          expect(result).toBeDefined();
+          if (agent) {
+            expect(result.id).toBe(agent.id);
+          }
+        } else {
+          await expect(removeAgentResourceFiles({ agent_id, files })).rejects.toThrow(error);
+        }
+      });
+    });
+
     describe('Edge Cases', () => {
       test('should handle extremely large version history', async () => {
         const agentId = `agent_${uuidv4()}`;
@@ -1633,7 +2018,7 @@ describe('models/Agent', () => {
       expect(result.version).toBe(1);
     });
 
-    test('should return null when user is not author and agent has no projectIds', async () => {
+    test('should return agent even when user is not author (permissions checked at route level)', async () => {
       const authorId = new mongoose.Types.ObjectId();
       const userId = new mongoose.Types.ObjectId();
       const agentId = `agent_${uuidv4()}`;
@@ -1654,7 +2039,11 @@ describe('models/Agent', () => {
         model_parameters: { model: 'gpt-4' },
       });
 
-      expect(result).toBeFalsy();
+      // With the new permission system, loadAgent returns the agent regardless of permissions
+      // Permission checks are handled at the route level via middleware
+      expect(result).toBeTruthy();
+      expect(result.id).toBe(agentId);
+      expect(result.name).toBe('Test Agent');
     });
 
     test('should handle ephemeral agent with no MCP servers', async () => {
@@ -1762,7 +2151,7 @@ describe('models/Agent', () => {
         }
       });
 
-      test('should handle loadAgent with agent from different project', async () => {
+      test('should return agent from different project (permissions checked at route level)', async () => {
         const authorId = new mongoose.Types.ObjectId();
         const userId = new mongoose.Types.ObjectId();
         const agentId = `agent_${uuidv4()}`;
@@ -1785,7 +2174,11 @@ describe('models/Agent', () => {
           model_parameters: { model: 'gpt-4' },
         });
 
-        expect(result).toBeFalsy();
+        // With the new permission system, loadAgent returns the agent regardless of permissions
+        // Permission checks are handled at the route level via middleware
+        expect(result).toBeTruthy();
+        expect(result.id).toBe(agentId);
+        expect(result.name).toBe('Project Agent');
       });
     });
   });
@@ -2570,6 +2963,299 @@ describe('models/Agent', () => {
   });
 });
 
+describe('Support Contact Field', () => {
+  let mongoServer;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
+    await mongoose.connect(mongoUri);
+  }, 20000);
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await Agent.deleteMany({});
+  });
+
+  it('should not create subdocument with ObjectId for support_contact', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+      support_contact: {
+        name: 'Support Team',
+        email: 'support@example.com',
+      },
+    };
+
+    // Create agent
+    const agent = await createAgent(agentData);
+
+    // Verify support_contact is stored correctly
+    expect(agent.support_contact).toBeDefined();
+    expect(agent.support_contact.name).toBe('Support Team');
+    expect(agent.support_contact.email).toBe('support@example.com');
+
+    // Verify no _id field is created in support_contact
+    expect(agent.support_contact._id).toBeUndefined();
+
+    // Fetch from database to double-check
+    const dbAgent = await Agent.findOne({ id: agentData.id });
+    expect(dbAgent.support_contact).toBeDefined();
+    expect(dbAgent.support_contact.name).toBe('Support Team');
+    expect(dbAgent.support_contact.email).toBe('support@example.com');
+    expect(dbAgent.support_contact._id).toBeUndefined();
+  });
+
+  it('should handle empty support_contact correctly', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_empty_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+      support_contact: {},
+    };
+
+    const agent = await createAgent(agentData);
+
+    // Verify empty support_contact is stored as empty object
+    expect(agent.support_contact).toEqual({});
+    expect(agent.support_contact._id).toBeUndefined();
+  });
+
+  it('should handle missing support_contact correctly', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_no_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+    };
+
+    const agent = await createAgent(agentData);
+
+    // Verify support_contact is undefined when not provided
+    expect(agent.support_contact).toBeUndefined();
+  });
+
+  describe('getListAgentsByAccess - Security Tests', () => {
+    let userA, userB;
+    let agentA1, agentA2, agentA3;
+
+    beforeEach(async () => {
+      Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
+      await Agent.deleteMany({});
+      await AclEntry.deleteMany({});
+
+      // Create two users
+      userA = new mongoose.Types.ObjectId();
+      userB = new mongoose.Types.ObjectId();
+
+      // Create agents for user A
+      agentA1 = await createAgent({
+        id: `agent_${uuidv4().slice(0, 12)}`,
+        name: 'Agent A1',
+        description: 'User A agent 1',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+      });
+
+      agentA2 = await createAgent({
+        id: `agent_${uuidv4().slice(0, 12)}`,
+        name: 'Agent A2',
+        description: 'User A agent 2',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+      });
+
+      agentA3 = await createAgent({
+        id: `agent_${uuidv4().slice(0, 12)}`,
+        name: 'Agent A3',
+        description: 'User A agent 3',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+      });
+    });
+
+    test('should return empty list when user has no accessible agents (empty accessibleIds)', async () => {
+      // User B has no agents and no shared agents
+      const result = await getListAgentsByAccess({
+        accessibleIds: [],
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(0);
+      expect(result.has_more).toBe(false);
+      expect(result.first_id).toBeNull();
+      expect(result.last_id).toBeNull();
+    });
+
+    test('should not return other users agents when accessibleIds is empty', async () => {
+      // User B trying to list agents with empty accessibleIds should not see User A's agents
+      const result = await getListAgentsByAccess({
+        accessibleIds: [],
+        otherParams: { author: userB },
+      });
+
+      expect(result.data).toHaveLength(0);
+      expect(result.has_more).toBe(false);
+    });
+
+    test('should only return agents in accessibleIds list', async () => {
+      // Give User B access to only one of User A's agents
+      const accessibleIds = [agentA1._id];
+
+      const result = await getListAgentsByAccess({
+        accessibleIds,
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(1);
+      expect(result.data[0].id).toBe(agentA1.id);
+      expect(result.data[0].name).toBe('Agent A1');
+    });
+
+    test('should return multiple accessible agents when provided', async () => {
+      // Give User B access to two of User A's agents
+      const accessibleIds = [agentA1._id, agentA3._id];
+
+      const result = await getListAgentsByAccess({
+        accessibleIds,
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(2);
+      const returnedIds = result.data.map((agent) => agent.id);
+      expect(returnedIds).toContain(agentA1.id);
+      expect(returnedIds).toContain(agentA3.id);
+      expect(returnedIds).not.toContain(agentA2.id);
+    });
+
+    test('should respect other query parameters while enforcing accessibleIds', async () => {
+      // Give access to all agents but filter by name
+      const accessibleIds = [agentA1._id, agentA2._id, agentA3._id];
+
+      const result = await getListAgentsByAccess({
+        accessibleIds,
+        otherParams: { name: 'Agent A2' },
+      });
+
+      expect(result.data).toHaveLength(1);
+      expect(result.data[0].id).toBe(agentA2.id);
+    });
+
+    test('should handle pagination correctly with accessibleIds filter', async () => {
+      // Create more agents
+      const moreAgents = [];
+      for (let i = 4; i <= 10; i++) {
+        const agent = await createAgent({
+          id: `agent_${uuidv4().slice(0, 12)}`,
+          name: `Agent A${i}`,
+          description: `User A agent ${i}`,
+          provider: 'openai',
+          model: 'gpt-4',
+          author: userA,
+        });
+        moreAgents.push(agent);
+      }
+
+      // Give access to all agents
+      const allAgentIds = [agentA1, agentA2, agentA3, ...moreAgents].map((a) => a._id);
+
+      // First page
+      const page1 = await getListAgentsByAccess({
+        accessibleIds: allAgentIds,
+        otherParams: {},
+        limit: 5,
+      });
+
+      expect(page1.data).toHaveLength(5);
+      expect(page1.has_more).toBe(true);
+      expect(page1.after).toBeTruthy();
+
+      // Second page
+      const page2 = await getListAgentsByAccess({
+        accessibleIds: allAgentIds,
+        otherParams: {},
+        limit: 5,
+        after: page1.after,
+      });
+
+      expect(page2.data).toHaveLength(5);
+      expect(page2.has_more).toBe(false);
+
+      // Verify no overlap between pages
+      const page1Ids = page1.data.map((a) => a.id);
+      const page2Ids = page2.data.map((a) => a.id);
+      const intersection = page1Ids.filter((id) => page2Ids.includes(id));
+      expect(intersection).toHaveLength(0);
+    });
+
+    test('should return empty list when accessibleIds contains non-existent IDs', async () => {
+      // Try with non-existent agent IDs
+      const fakeIds = [new mongoose.Types.ObjectId(), new mongoose.Types.ObjectId()];
+
+      const result = await getListAgentsByAccess({
+        accessibleIds: fakeIds,
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(0);
+      expect(result.has_more).toBe(false);
+    });
+
+    test('should handle undefined accessibleIds as empty array', async () => {
+      // When accessibleIds is undefined, it should be treated as empty array
+      const result = await getListAgentsByAccess({
+        accessibleIds: undefined,
+        otherParams: {},
+      });
+
+      expect(result.data).toHaveLength(0);
+      expect(result.has_more).toBe(false);
+    });
+
+    test('should combine accessibleIds with author filter correctly', async () => {
+      // Create an agent for User B
+      const agentB1 = await createAgent({
+        id: `agent_${uuidv4().slice(0, 12)}`,
+        name: 'Agent B1',
+        description: 'User B agent 1',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userB,
+      });
+
+      // Give User B access to one of User A's agents
+      const accessibleIds = [agentA1._id, agentB1._id];
+
+      // Filter by author should further restrict the results
+      const result = await getListAgentsByAccess({
+        accessibleIds,
+        otherParams: { author: userB },
+      });
+
+      expect(result.data).toHaveLength(1);
+      expect(result.data[0].id).toBe(agentB1.id);
+      expect(result.data[0].author).toBe(userB.toString());
+    });
+  });
+});
+
 function createBasicAgent(overrides = {}) {
   const defaults = {
     id: `agent_${uuidv4()}`,

api/models/Conversation.js

@@ -1,6 +1,6 @@
 const { logger } = require('@librechat/data-schemas');
 const { createTempChatExpirationDate } = require('@librechat/api');
-const getCustomConfig = require('~/server/services/Config/getCustomConfig');
+const { getCustomConfig } = require('~/server/services/Config/getCustomConfig');
 const { getMessages, deleteMessages } = require('./Message');
 const { Conversation } = require('~/db/models');
 

api/models/Conversation.spec.js

@@ -0,0 +1,572 @@
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { EModelEndpoint } = require('librechat-data-provider');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const {
+  deleteNullOrEmptyConversations,
+  searchConversation,
+  getConvosByCursor,
+  getConvosQueried,
+  getConvoFiles,
+  getConvoTitle,
+  deleteConvos,
+  saveConvo,
+  getConvo,
+} = require('./Conversation');
+jest.mock('~/server/services/Config/getCustomConfig');
+jest.mock('./Message');
+const { getCustomConfig } = require('~/server/services/Config/getCustomConfig');
+const { getMessages, deleteMessages } = require('./Message');
+
+const { Conversation } = require('~/db/models');
+
+describe('Conversation Operations', () => {
+  let mongoServer;
+  let mockReq;
+  let mockConversationData;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    // Clear database
+    await Conversation.deleteMany({});
+
+    // Reset mocks
+    jest.clearAllMocks();
+
+    // Default mock implementations
+    getMessages.mockResolvedValue([]);
+    deleteMessages.mockResolvedValue({ deletedCount: 0 });
+
+    mockReq = {
+      user: { id: 'user123' },
+      body: {},
+    };
+
+    mockConversationData = {
+      conversationId: uuidv4(),
+      title: 'Test Conversation',
+      endpoint: EModelEndpoint.openAI,
+    };
+  });
+
+  describe('saveConvo', () => {
+    it('should save a conversation for an authenticated user', async () => {
+      const result = await saveConvo(mockReq, mockConversationData);
+
+      expect(result.conversationId).toBe(mockConversationData.conversationId);
+      expect(result.user).toBe('user123');
+      expect(result.title).toBe('Test Conversation');
+      expect(result.endpoint).toBe(EModelEndpoint.openAI);
+
+      // Verify the conversation was actually saved to the database
+      const savedConvo = await Conversation.findOne({
+        conversationId: mockConversationData.conversationId,
+        user: 'user123',
+      });
+      expect(savedConvo).toBeTruthy();
+      expect(savedConvo.title).toBe('Test Conversation');
+    });
+
+    it('should query messages when saving a conversation', async () => {
+      // Mock messages as ObjectIds
+      const mongoose = require('mongoose');
+      const mockMessages = [new mongoose.Types.ObjectId(), new mongoose.Types.ObjectId()];
+      getMessages.mockResolvedValue(mockMessages);
+
+      await saveConvo(mockReq, mockConversationData);
+
+      // Verify that getMessages was called with correct parameters
+      expect(getMessages).toHaveBeenCalledWith(
+        { conversationId: mockConversationData.conversationId },
+        '_id',
+      );
+    });
+
+    it('should handle newConversationId when provided', async () => {
+      const newConversationId = uuidv4();
+      const result = await saveConvo(mockReq, {
+        ...mockConversationData,
+        newConversationId,
+      });
+
+      expect(result.conversationId).toBe(newConversationId);
+    });
+
+    it('should handle unsetFields metadata', async () => {
+      const metadata = {
+        unsetFields: { someField: 1 },
+      };
+
+      await saveConvo(mockReq, mockConversationData, metadata);
+
+      const savedConvo = await Conversation.findOne({
+        conversationId: mockConversationData.conversationId,
+      });
+      expect(savedConvo.someField).toBeUndefined();
+    });
+  });
+
+  describe('isTemporary conversation handling', () => {
+    it('should save a conversation with expiredAt when isTemporary is true', async () => {
+      // Mock custom config with 24 hour retention
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 24,
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveConvo(mockReq, mockConversationData);
+      const afterSave = new Date();
+
+      expect(result.conversationId).toBe(mockConversationData.conversationId);
+      expect(result.expiredAt).toBeDefined();
+      expect(result.expiredAt).toBeInstanceOf(Date);
+
+      // Verify expiredAt is approximately 24 hours in the future
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 24 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        new Date(afterSave.getTime() + 24 * 60 * 60 * 1000 + 1000).getTime(),
+      );
+    });
+
+    it('should save a conversation without expiredAt when isTemporary is false', async () => {
+      mockReq.body = { isTemporary: false };
+
+      const result = await saveConvo(mockReq, mockConversationData);
+
+      expect(result.conversationId).toBe(mockConversationData.conversationId);
+      expect(result.expiredAt).toBeNull();
+    });
+
+    it('should save a conversation without expiredAt when isTemporary is not provided', async () => {
+      // No isTemporary in body
+      mockReq.body = {};
+
+      const result = await saveConvo(mockReq, mockConversationData);
+
+      expect(result.conversationId).toBe(mockConversationData.conversationId);
+      expect(result.expiredAt).toBeNull();
+    });
+
+    it('should use custom retention period from config', async () => {
+      // Mock custom config with 48 hour retention
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 48,
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveConvo(mockReq, mockConversationData);
+
+      expect(result.expiredAt).toBeDefined();
+
+      // Verify expiredAt is approximately 48 hours in the future
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 48 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        expectedExpirationTime.getTime() + 1000,
+      );
+    });
+
+    it('should handle minimum retention period (1 hour)', async () => {
+      // Mock custom config with less than minimum retention
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 0.5, // Half hour - should be clamped to 1 hour
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveConvo(mockReq, mockConversationData);
+
+      expect(result.expiredAt).toBeDefined();
+
+      // Verify expiredAt is approximately 1 hour in the future (minimum)
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 1 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        expectedExpirationTime.getTime() + 1000,
+      );
+    });
+
+    it('should handle maximum retention period (8760 hours)', async () => {
+      // Mock custom config with more than maximum retention
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 10000, // Should be clamped to 8760 hours
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveConvo(mockReq, mockConversationData);
+
+      expect(result.expiredAt).toBeDefined();
+
+      // Verify expiredAt is approximately 8760 hours (1 year) in the future
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 8760 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        expectedExpirationTime.getTime() + 1000,
+      );
+    });
+
+    it('should handle getCustomConfig errors gracefully', async () => {
+      // Mock getCustomConfig to throw an error
+      getCustomConfig.mockRejectedValue(new Error('Config service unavailable'));
+
+      mockReq.body = { isTemporary: true };
+
+      const result = await saveConvo(mockReq, mockConversationData);
+
+      // Should still save the conversation but with expiredAt as null
+      expect(result.conversationId).toBe(mockConversationData.conversationId);
+      expect(result.expiredAt).toBeNull();
+    });
+
+    it('should use default retention when config is not provided', async () => {
+      // Mock getCustomConfig to return empty config
+      getCustomConfig.mockResolvedValue({});
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveConvo(mockReq, mockConversationData);
+
+      expect(result.expiredAt).toBeDefined();
+
+      // Default retention is 30 days (720 hours)
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 30 * 24 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        expectedExpirationTime.getTime() + 1000,
+      );
+    });
+
+    it('should update expiredAt when saving existing temporary conversation', async () => {
+      // First save a temporary conversation
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 24,
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+      const firstSave = await saveConvo(mockReq, mockConversationData);
+      const originalExpiredAt = firstSave.expiredAt;
+
+      // Wait a bit to ensure time difference
+      await new Promise((resolve) => setTimeout(resolve, 100));
+
+      // Save again with same conversationId but different title
+      const updatedData = { ...mockConversationData, title: 'Updated Title' };
+      const secondSave = await saveConvo(mockReq, updatedData);
+
+      // Should update title and create new expiredAt
+      expect(secondSave.title).toBe('Updated Title');
+      expect(secondSave.expiredAt).toBeDefined();
+      expect(new Date(secondSave.expiredAt).getTime()).toBeGreaterThan(
+        new Date(originalExpiredAt).getTime(),
+      );
+    });
+
+    it('should not set expiredAt when updating non-temporary conversation', async () => {
+      // First save a non-temporary conversation
+      mockReq.body = { isTemporary: false };
+      const firstSave = await saveConvo(mockReq, mockConversationData);
+      expect(firstSave.expiredAt).toBeNull();
+
+      // Update without isTemporary flag
+      mockReq.body = {};
+      const updatedData = { ...mockConversationData, title: 'Updated Title' };
+      const secondSave = await saveConvo(mockReq, updatedData);
+
+      expect(secondSave.title).toBe('Updated Title');
+      expect(secondSave.expiredAt).toBeNull();
+    });
+
+    it('should filter out expired conversations in getConvosByCursor', async () => {
+      // Create some test conversations
+      const nonExpiredConvo = await Conversation.create({
+        conversationId: uuidv4(),
+        user: 'user123',
+        title: 'Non-expired',
+        endpoint: EModelEndpoint.openAI,
+        expiredAt: null,
+        updatedAt: new Date(),
+      });
+
+      await Conversation.create({
+        conversationId: uuidv4(),
+        user: 'user123',
+        title: 'Future expired',
+        endpoint: EModelEndpoint.openAI,
+        expiredAt: new Date(Date.now() + 24 * 60 * 60 * 1000), // 24 hours from now
+        updatedAt: new Date(),
+      });
+
+      // Mock Meili search
+      Conversation.meiliSearch = jest.fn().mockResolvedValue({ hits: [] });
+
+      const result = await getConvosByCursor('user123');
+
+      // Should only return conversations with null or non-existent expiredAt
+      expect(result.conversations).toHaveLength(1);
+      expect(result.conversations[0].conversationId).toBe(nonExpiredConvo.conversationId);
+    });
+
+    it('should filter out expired conversations in getConvosQueried', async () => {
+      // Create test conversations
+      const nonExpiredConvo = await Conversation.create({
+        conversationId: uuidv4(),
+        user: 'user123',
+        title: 'Non-expired',
+        endpoint: EModelEndpoint.openAI,
+        expiredAt: null,
+      });
+
+      const expiredConvo = await Conversation.create({
+        conversationId: uuidv4(),
+        user: 'user123',
+        title: 'Expired',
+        endpoint: EModelEndpoint.openAI,
+        expiredAt: new Date(Date.now() + 24 * 60 * 60 * 1000),
+      });
+
+      const convoIds = [
+        { conversationId: nonExpiredConvo.conversationId },
+        { conversationId: expiredConvo.conversationId },
+      ];
+
+      const result = await getConvosQueried('user123', convoIds);
+
+      // Should only return the non-expired conversation
+      expect(result.conversations).toHaveLength(1);
+      expect(result.conversations[0].conversationId).toBe(nonExpiredConvo.conversationId);
+      expect(result.convoMap[nonExpiredConvo.conversationId]).toBeDefined();
+      expect(result.convoMap[expiredConvo.conversationId]).toBeUndefined();
+    });
+  });
+
+  describe('searchConversation', () => {
+    it('should find a conversation by conversationId', async () => {
+      await Conversation.create({
+        conversationId: mockConversationData.conversationId,
+        user: 'user123',
+        title: 'Test',
+        endpoint: EModelEndpoint.openAI,
+      });
+
+      const result = await searchConversation(mockConversationData.conversationId);
+
+      expect(result).toBeTruthy();
+      expect(result.conversationId).toBe(mockConversationData.conversationId);
+      expect(result.user).toBe('user123');
+      expect(result.title).toBeUndefined(); // Only returns conversationId and user
+    });
+
+    it('should return null if conversation not found', async () => {
+      const result = await searchConversation('non-existent-id');
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('getConvo', () => {
+    it('should retrieve a conversation for a user', async () => {
+      await Conversation.create({
+        conversationId: mockConversationData.conversationId,
+        user: 'user123',
+        title: 'Test Conversation',
+        endpoint: EModelEndpoint.openAI,
+      });
+
+      const result = await getConvo('user123', mockConversationData.conversationId);
+
+      expect(result.conversationId).toBe(mockConversationData.conversationId);
+      expect(result.user).toBe('user123');
+      expect(result.title).toBe('Test Conversation');
+    });
+
+    it('should return null if conversation not found', async () => {
+      const result = await getConvo('user123', 'non-existent-id');
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('getConvoTitle', () => {
+    it('should return the conversation title', async () => {
+      await Conversation.create({
+        conversationId: mockConversationData.conversationId,
+        user: 'user123',
+        title: 'Test Title',
+        endpoint: EModelEndpoint.openAI,
+      });
+
+      const result = await getConvoTitle('user123', mockConversationData.conversationId);
+      expect(result).toBe('Test Title');
+    });
+
+    it('should return null if conversation has no title', async () => {
+      await Conversation.create({
+        conversationId: mockConversationData.conversationId,
+        user: 'user123',
+        title: null,
+        endpoint: EModelEndpoint.openAI,
+      });
+
+      const result = await getConvoTitle('user123', mockConversationData.conversationId);
+      expect(result).toBeNull();
+    });
+
+    it('should return "New Chat" if conversation not found', async () => {
+      const result = await getConvoTitle('user123', 'non-existent-id');
+      expect(result).toBe('New Chat');
+    });
+  });
+
+  describe('getConvoFiles', () => {
+    it('should return conversation files', async () => {
+      const files = ['file1', 'file2'];
+      await Conversation.create({
+        conversationId: mockConversationData.conversationId,
+        user: 'user123',
+        endpoint: EModelEndpoint.openAI,
+        files,
+      });
+
+      const result = await getConvoFiles(mockConversationData.conversationId);
+      expect(result).toEqual(files);
+    });
+
+    it('should return empty array if no files', async () => {
+      await Conversation.create({
+        conversationId: mockConversationData.conversationId,
+        user: 'user123',
+        endpoint: EModelEndpoint.openAI,
+      });
+
+      const result = await getConvoFiles(mockConversationData.conversationId);
+      expect(result).toEqual([]);
+    });
+
+    it('should return empty array if conversation not found', async () => {
+      const result = await getConvoFiles('non-existent-id');
+      expect(result).toEqual([]);
+    });
+  });
+
+  describe('deleteConvos', () => {
+    it('should delete conversations and associated messages', async () => {
+      await Conversation.create({
+        conversationId: mockConversationData.conversationId,
+        user: 'user123',
+        title: 'To Delete',
+        endpoint: EModelEndpoint.openAI,
+      });
+
+      deleteMessages.mockResolvedValue({ deletedCount: 5 });
+
+      const result = await deleteConvos('user123', {
+        conversationId: mockConversationData.conversationId,
+      });
+
+      expect(result.deletedCount).toBe(1);
+      expect(result.messages.deletedCount).toBe(5);
+      expect(deleteMessages).toHaveBeenCalledWith({
+        conversationId: { $in: [mockConversationData.conversationId] },
+      });
+
+      // Verify conversation was deleted
+      const deletedConvo = await Conversation.findOne({
+        conversationId: mockConversationData.conversationId,
+      });
+      expect(deletedConvo).toBeNull();
+    });
+
+    it('should throw error if no conversations found', async () => {
+      await expect(deleteConvos('user123', { conversationId: 'non-existent' })).rejects.toThrow(
+        'Conversation not found or already deleted.',
+      );
+    });
+  });
+
+  describe('deleteNullOrEmptyConversations', () => {
+    it('should delete conversations with null, empty, or missing conversationIds', async () => {
+      // Since conversationId is required by the schema, we can't create documents with null/missing IDs
+      // This test should verify the function works when such documents exist (e.g., from data corruption)
+
+      // For this test, let's create a valid conversation and verify the function doesn't delete it
+      await Conversation.create({
+        conversationId: mockConversationData.conversationId,
+        user: 'user4',
+        endpoint: EModelEndpoint.openAI,
+      });
+
+      deleteMessages.mockResolvedValue({ deletedCount: 0 });
+
+      const result = await deleteNullOrEmptyConversations();
+
+      expect(result.conversations.deletedCount).toBe(0); // No invalid conversations to delete
+      expect(result.messages.deletedCount).toBe(0);
+
+      // Verify valid conversation remains
+      const remainingConvos = await Conversation.find({});
+      expect(remainingConvos).toHaveLength(1);
+      expect(remainingConvos[0].conversationId).toBe(mockConversationData.conversationId);
+    });
+  });
+
+  describe('Error Handling', () => {
+    it('should handle database errors in saveConvo', async () => {
+      // Force a database error by disconnecting
+      await mongoose.disconnect();
+
+      const result = await saveConvo(mockReq, mockConversationData);
+
+      expect(result).toEqual({ message: 'Error saving conversation' });
+
+      // Reconnect for other tests
+      await mongoose.connect(mongoServer.getUri());
+    });
+  });
+});

api/models/File.js

@@ -1,7 +1,5 @@
 const { logger } = require('@librechat/data-schemas');
-const { EToolResources, FileContext, Constants } = require('librechat-data-provider');
-const { getProjectByName } = require('./Project');
-const { getAgent } = require('./Agent');
+const { EToolResources, FileContext } = require('librechat-data-provider');
 const { File } = require('~/db/models');
 
 /**
@@ -14,119 +12,17 @@ const findFileById = async (file_id, options = {}) => {
   return await File.findOne({ file_id, ...options }).lean();
 };
 
-/**
- * Checks if a user has access to multiple files through a shared agent (batch operation)
- * @param {string} userId - The user ID to check access for
- * @param {string[]} fileIds - Array of file IDs to check
- * @param {string} agentId - The agent ID that might grant access
- * @returns {Promise<Map<string, boolean>>} Map of fileId to access status
- */
-const hasAccessToFilesViaAgent = async (userId, fileIds, agentId) => {
-  const accessMap = new Map();
-
-  // Initialize all files as no access
-  fileIds.forEach((fileId) => accessMap.set(fileId, false));
-
-  try {
-    const agent = await getAgent({ id: agentId });
-
-    if (!agent) {
-      return accessMap;
-    }
-
-    // Check if user is the author - if so, grant access to all files
-    if (agent.author.toString() === userId) {
-      fileIds.forEach((fileId) => accessMap.set(fileId, true));
-      return accessMap;
-    }
-
-    // Check if agent is shared with the user via projects
-    if (!agent.projectIds || agent.projectIds.length === 0) {
-      return accessMap;
-    }
-
-    // Check if agent is in global project
-    const globalProject = await getProjectByName(Constants.GLOBAL_PROJECT_NAME, '_id');
-    if (
-      !globalProject ||
-      !agent.projectIds.some((pid) => pid.toString() === globalProject._id.toString())
-    ) {
-      return accessMap;
-    }
-
-    // Agent is globally shared - check if it's collaborative
-    if (!agent.isCollaborative) {
-      return accessMap;
-    }
-
-    // Agent is globally shared and collaborative - check which files are actually attached
-    const attachedFileIds = new Set();
-    if (agent.tool_resources) {
-      for (const [_resourceType, resource] of Object.entries(agent.tool_resources)) {
-        if (resource?.file_ids && Array.isArray(resource.file_ids)) {
-          resource.file_ids.forEach((fileId) => attachedFileIds.add(fileId));
-        }
-      }
-    }
-
-    // Grant access only to files that are attached to this agent
-    fileIds.forEach((fileId) => {
-      if (attachedFileIds.has(fileId)) {
-        accessMap.set(fileId, true);
-      }
-    });
-
-    return accessMap;
-  } catch (error) {
-    logger.error('[hasAccessToFilesViaAgent] Error checking file access:', error);
-    return accessMap;
-  }
-};
-
 /**
  * Retrieves files matching a given filter, sorted by the most recently updated.
  * @param {Object} filter - The filter criteria to apply.
  * @param {Object} [_sortOptions] - Optional sort parameters.
  * @param {Object|String} [selectFields={ text: 0 }] - Fields to include/exclude in the query results.
  *                                                   Default excludes the 'text' field.
- * @param {Object} [options] - Additional options
- * @param {string} [options.userId] - User ID for access control
- * @param {string} [options.agentId] - Agent ID that might grant access to files
  * @returns {Promise<Array<MongoFile>>} A promise that resolves to an array of file documents.
  */
-const getFiles = async (filter, _sortOptions, selectFields = { text: 0 }, options = {}) => {
+const getFiles = async (filter, _sortOptions, selectFields = { text: 0 }) => {
   const sortOptions = { updatedAt: -1, ..._sortOptions };
-  const files = await File.find(filter).select(selectFields).sort(sortOptions).lean();
-
-  // If userId and agentId are provided, filter files based on access
-  if (options.userId && options.agentId) {
-    // Collect file IDs that need access check
-    const filesToCheck = [];
-    const ownedFiles = [];
-
-    for (const file of files) {
-      if (file.user && file.user.toString() === options.userId) {
-        ownedFiles.push(file);
-      } else {
-        filesToCheck.push(file);
-      }
-    }
-
-    if (filesToCheck.length === 0) {
-      return ownedFiles;
-    }
-
-    // Batch check access for all non-owned files
-    const fileIds = filesToCheck.map((f) => f.file_id);
-    const accessMap = await hasAccessToFilesViaAgent(options.userId, fileIds, options.agentId);
-
-    // Filter files based on access
-    const accessibleFiles = filesToCheck.filter((file) => accessMap.get(file.file_id));
-
-    return [...ownedFiles, ...accessibleFiles];
-  }
-
-  return files;
+  return await File.find(filter).select(selectFields).sort(sortOptions).lean();
 };
 
 /**
@@ -280,5 +176,4 @@ module.exports = {
   deleteFiles,
   deleteFileByFilter,
   batchUpdateFiles,
-  hasAccessToFilesViaAgent,
 };

api/models/File.spec.js

@@ -1,17 +1,23 @@
 const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
-const { fileSchema } = require('@librechat/data-schemas');
-const { agentSchema } = require('@librechat/data-schemas');
-const { projectSchema } = require('@librechat/data-schemas');
+const { createModels } = require('@librechat/data-schemas');
 const { MongoMemoryServer } = require('mongodb-memory-server');
-const { GLOBAL_PROJECT_NAME } = require('librechat-data-provider').Constants;
+const {
+  SystemRoles,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+} = require('librechat-data-provider');
+const { grantPermission } = require('~/server/services/PermissionService');
 const { getFiles, createFile } = require('./File');
-const { getProjectByName } = require('./Project');
+const { seedDefaultRoles } = require('~/models');
 const { createAgent } = require('./Agent');
 
 let File;
 let Agent;
-let Project;
+let AclEntry;
+let User;
+let modelsToCleanup = [];
 
 describe('File Access Control', () => {
   let mongoServer;
@@ -19,13 +25,41 @@ describe('File Access Control', () => {
   beforeAll(async () => {
     mongoServer = await MongoMemoryServer.create();
     const mongoUri = mongoServer.getUri();
-    File = mongoose.models.File || mongoose.model('File', fileSchema);
-    Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
-    Project = mongoose.models.Project || mongoose.model('Project', projectSchema);
     await mongoose.connect(mongoUri);
+
+    // Initialize all models
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    const dbModels = require('~/db/models');
+    Object.assign(mongoose.models, dbModels);
+
+    File = dbModels.File;
+    Agent = dbModels.Agent;
+    AclEntry = dbModels.AclEntry;
+    User = dbModels.User;
+
+    // Seed default roles
+    await seedDefaultRoles();
   });
 
   afterAll(async () => {
+    // Clean up all collections before disconnecting
+    const collections = mongoose.connection.collections;
+    for (const key in collections) {
+      await collections[key].deleteMany({});
+    }
+
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
     await mongoose.disconnect();
     await mongoServer.stop();
   });
@@ -33,16 +67,33 @@ describe('File Access Control', () => {
   beforeEach(async () => {
     await File.deleteMany({});
     await Agent.deleteMany({});
-    await Project.deleteMany({});
+    await AclEntry.deleteMany({});
+    await User.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
   });
 
   describe('hasAccessToFilesViaAgent', () => {
     it('should efficiently check access for multiple files at once', async () => {
-      const userId = new mongoose.Types.ObjectId().toString();
-      const authorId = new mongoose.Types.ObjectId().toString();
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
       const agentId = uuidv4();
       const fileIds = [uuidv4(), uuidv4(), uuidv4(), uuidv4()];
 
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
       // Create files
       for (const fileId of fileIds) {
         await createFile({
@@ -54,13 +105,12 @@ describe('File Access Control', () => {
       }
 
       // Create agent with only first two files attached
-      await createAgent({
+      const agent = await createAgent({
         id: agentId,
         name: 'Test Agent',
         author: authorId,
         model: 'gpt-4',
         provider: 'openai',
-        isCollaborative: true,
         tool_resources: {
           file_search: {
             file_ids: [fileIds[0], fileIds[1]],
@@ -68,15 +118,24 @@ describe('File Access Control', () => {
         },
       });
 
-      // Get or create global project
-      const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME, '_id');
-
-      // Share agent globally
-      await Agent.updateOne({ id: agentId }, { $push: { projectIds: globalProject._id } });
+      // Grant EDIT permission to user on the agent
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
 
       // Check access for all files
-      const { hasAccessToFilesViaAgent } = require('./File');
-      const accessMap = await hasAccessToFilesViaAgent(userId, fileIds, agentId);
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: SystemRoles.USER,
+        fileIds,
+        agentId: agent.id, // Use agent.id which is the custom UUID
+      });
 
       // Should have access only to the first two files
       expect(accessMap.get(fileIds[0])).toBe(true);
@@ -86,10 +145,18 @@ describe('File Access Control', () => {
     });
 
     it('should grant access to all files when user is the agent author', async () => {
-      const authorId = new mongoose.Types.ObjectId().toString();
+      const authorId = new mongoose.Types.ObjectId();
       const agentId = uuidv4();
       const fileIds = [uuidv4(), uuidv4(), uuidv4()];
 
+      // Create author user
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
       // Create agent
       await createAgent({
         id: agentId,
@@ -105,8 +172,13 @@ describe('File Access Control', () => {
       });
 
       // Check access as the author
-      const { hasAccessToFilesViaAgent } = require('./File');
-      const accessMap = await hasAccessToFilesViaAgent(authorId, fileIds, agentId);
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: authorId,
+        role: SystemRoles.USER,
+        fileIds,
+        agentId,
+      });
 
       // Author should have access to all files
       expect(accessMap.get(fileIds[0])).toBe(true);
@@ -115,31 +187,58 @@ describe('File Access Control', () => {
     });
 
     it('should handle non-existent agent gracefully', async () => {
-      const userId = new mongoose.Types.ObjectId().toString();
+      const userId = new mongoose.Types.ObjectId();
       const fileIds = [uuidv4(), uuidv4()];
 
-      const { hasAccessToFilesViaAgent } = require('./File');
-      const accessMap = await hasAccessToFilesViaAgent(userId, fileIds, 'non-existent-agent');
+      // Create user
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: SystemRoles.USER,
+        fileIds,
+        agentId: 'non-existent-agent',
+      });
 
       // Should have no access to any files
       expect(accessMap.get(fileIds[0])).toBe(false);
       expect(accessMap.get(fileIds[1])).toBe(false);
     });
 
-    it('should deny access when agent is not collaborative', async () => {
-      const userId = new mongoose.Types.ObjectId().toString();
-      const authorId = new mongoose.Types.ObjectId().toString();
+    it('should deny access when user only has VIEW permission', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
       const agentId = uuidv4();
       const fileIds = [uuidv4(), uuidv4()];
 
-      // Create agent with files but isCollaborative: false
-      await createAgent({
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create agent with files
+      const agent = await createAgent({
         id: agentId,
-        name: 'Non-Collaborative Agent',
+        name: 'View-Only Agent',
         author: authorId,
         model: 'gpt-4',
         provider: 'openai',
-        isCollaborative: false,
         tool_resources: {
           file_search: {
             file_ids: fileIds,
@@ -147,17 +246,26 @@ describe('File Access Control', () => {
         },
       });
 
-      // Get or create global project
-      const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME, '_id');
-
-      // Share agent globally
-      await Agent.updateOne({ id: agentId }, { $push: { projectIds: globalProject._id } });
+      // Grant only VIEW permission to user on the agent
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_VIEWER,
+        grantedBy: authorId,
+      });
 
       // Check access for files
-      const { hasAccessToFilesViaAgent } = require('./File');
-      const accessMap = await hasAccessToFilesViaAgent(userId, fileIds, agentId);
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: SystemRoles.USER,
+        fileIds,
+        agentId,
+      });
 
-      // Should have no access to any files when isCollaborative is false
+      // Should have no access to any files when only VIEW permission
       expect(accessMap.get(fileIds[0])).toBe(false);
       expect(accessMap.get(fileIds[1])).toBe(false);
     });
@@ -172,18 +280,28 @@ describe('File Access Control', () => {
       const sharedFileId = `file_${uuidv4()}`;
       const inaccessibleFileId = `file_${uuidv4()}`;
 
-      // Create/get global project using getProjectByName which will upsert
-      const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME);
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
 
       // Create agent with shared file
-      await createAgent({
+      const agent = await createAgent({
         id: agentId,
         name: 'Shared Agent',
         provider: 'test',
         model: 'test-model',
         author: authorId,
-        projectIds: [globalProject._id],
-        isCollaborative: true,
         tool_resources: {
           file_search: {
             file_ids: [sharedFileId],
@@ -191,6 +309,16 @@ describe('File Access Control', () => {
         },
       });
 
+      // Grant EDIT permission to user on the agent
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
       // Create files
       await createFile({
         file_id: ownedFileId,
@@ -220,14 +348,22 @@ describe('File Access Control', () => {
         bytes: 300,
       });
 
-      // Get files with access control
-      const files = await getFiles(
+      // Get all files first
+      const allFiles = await getFiles(
         { file_id: { $in: [ownedFileId, sharedFileId, inaccessibleFileId] } },
         null,
         { text: 0 },
-        { userId: userId.toString(), agentId },
       );
 
+      // Then filter by access control
+      const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
+      const files = await filterFilesByAgentAccess({
+        files: allFiles,
+        userId: userId,
+        role: SystemRoles.USER,
+        agentId,
+      });
+
       expect(files).toHaveLength(2);
       expect(files.map((f) => f.file_id)).toContain(ownedFileId);
       expect(files.map((f) => f.file_id)).toContain(sharedFileId);
@@ -261,4 +397,166 @@ describe('File Access Control', () => {
       expect(files).toHaveLength(2);
     });
   });
+
+  describe('Role-based file permissions', () => {
+    it('should optimize permission checks when role is provided', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileIds = [uuidv4(), uuidv4()];
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+        role: 'ADMIN', // User has ADMIN role
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create files
+      for (const fileId of fileIds) {
+        await createFile({
+          file_id: fileId,
+          user: authorId,
+          filename: `${fileId}.txt`,
+          filepath: `/uploads/${fileId}.txt`,
+          type: 'text/plain',
+          bytes: 100,
+        });
+      }
+
+      // Create agent with files
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: fileIds,
+          },
+        },
+      });
+
+      // Grant permission to ADMIN role
+      await grantPermission({
+        principalType: PrincipalType.ROLE,
+        principalId: 'ADMIN',
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
+      // Check access with role provided (should avoid DB query)
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMapWithRole = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: 'ADMIN',
+        fileIds,
+        agentId: agent.id,
+      });
+
+      // User should have access through their ADMIN role
+      expect(accessMapWithRole.get(fileIds[0])).toBe(true);
+      expect(accessMapWithRole.get(fileIds[1])).toBe(true);
+
+      // Check access without role (will query DB to get user's role)
+      const accessMapWithoutRole = await hasAccessToFilesViaAgent({
+        userId: userId,
+        fileIds,
+        agentId: agent.id,
+      });
+
+      // Should have same result
+      expect(accessMapWithoutRole.get(fileIds[0])).toBe(true);
+      expect(accessMapWithoutRole.get(fileIds[1])).toBe(true);
+    });
+
+    it('should deny access when user role changes', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileId = uuidv4();
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+        role: 'EDITOR',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create file
+      await createFile({
+        file_id: fileId,
+        user: authorId,
+        filename: 'test.txt',
+        filepath: '/uploads/test.txt',
+        type: 'text/plain',
+        bytes: 100,
+      });
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant permission to EDITOR role only
+      await grantPermission({
+        principalType: PrincipalType.ROLE,
+        principalId: 'EDITOR',
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+
+      // Check with EDITOR role - should have access
+      const accessAsEditor = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: 'EDITOR',
+        fileIds: [fileId],
+        agentId: agent.id,
+      });
+      expect(accessAsEditor.get(fileId)).toBe(true);
+
+      // Simulate role change to USER - should lose access
+      const accessAsUser = await hasAccessToFilesViaAgent({
+        userId: userId,
+        role: SystemRoles.USER,
+        fileIds: [fileId],
+        agentId: agent.id,
+      });
+      expect(accessAsUser.get(fileId)).toBe(false);
+    });
+  });
 });

api/models/Message.js

@@ -1,7 +1,7 @@
 const { z } = require('zod');
 const { logger } = require('@librechat/data-schemas');
 const { createTempChatExpirationDate } = require('@librechat/api');
-const getCustomConfig = require('~/server/services/Config/getCustomConfig');
+const { getCustomConfig } = require('~/server/services/Config/getCustomConfig');
 const { Message } = require('~/db/models');
 
 const idSchema = z.string().uuid();

api/models/Message.spec.js

@@ -1,17 +1,21 @@
 const mongoose = require('mongoose');
-const { MongoMemoryServer } = require('mongodb-memory-server');
 const { v4: uuidv4 } = require('uuid');
 const { messageSchema } = require('@librechat/data-schemas');
+const { MongoMemoryServer } = require('mongodb-memory-server');
 
 const {
   saveMessage,
   getMessages,
   updateMessage,
   deleteMessages,
+  bulkSaveMessages,
   updateMessageText,
   deleteMessagesSince,
 } = require('./Message');
 
+jest.mock('~/server/services/Config/getCustomConfig');
+const { getCustomConfig } = require('~/server/services/Config/getCustomConfig');
+
 /**
  * @type {import('mongoose').Model<import('@librechat/data-schemas').IMessage>}
  */
@@ -117,21 +121,21 @@ describe('Message Operations', () => {
       const conversationId = uuidv4();
 
       // Create multiple messages in the same conversation
-      const message1 = await saveMessage(mockReq, {
+      await saveMessage(mockReq, {
         messageId: 'msg1',
         conversationId,
         text: 'First message',
         user: 'user123',
       });
 
-      const message2 = await saveMessage(mockReq, {
+      await saveMessage(mockReq, {
         messageId: 'msg2',
         conversationId,
         text: 'Second message',
         user: 'user123',
       });
 
-      const message3 = await saveMessage(mockReq, {
+      await saveMessage(mockReq, {
         messageId: 'msg3',
         conversationId,
         text: 'Third message',
@@ -314,4 +318,265 @@ describe('Message Operations', () => {
       expect(messages[0].text).toBe('Victim message');
     });
   });
+
+  describe('isTemporary message handling', () => {
+    beforeEach(() => {
+      // Reset mocks before each test
+      jest.clearAllMocks();
+    });
+
+    it('should save a message with expiredAt when isTemporary is true', async () => {
+      // Mock custom config with 24 hour retention
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 24,
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveMessage(mockReq, mockMessageData);
+      const afterSave = new Date();
+
+      expect(result.messageId).toBe('msg123');
+      expect(result.expiredAt).toBeDefined();
+      expect(result.expiredAt).toBeInstanceOf(Date);
+
+      // Verify expiredAt is approximately 24 hours in the future
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 24 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        new Date(afterSave.getTime() + 24 * 60 * 60 * 1000 + 1000).getTime(),
+      );
+    });
+
+    it('should save a message without expiredAt when isTemporary is false', async () => {
+      mockReq.body = { isTemporary: false };
+
+      const result = await saveMessage(mockReq, mockMessageData);
+
+      expect(result.messageId).toBe('msg123');
+      expect(result.expiredAt).toBeNull();
+    });
+
+    it('should save a message without expiredAt when isTemporary is not provided', async () => {
+      // No isTemporary in body
+      mockReq.body = {};
+
+      const result = await saveMessage(mockReq, mockMessageData);
+
+      expect(result.messageId).toBe('msg123');
+      expect(result.expiredAt).toBeNull();
+    });
+
+    it('should use custom retention period from config', async () => {
+      // Mock custom config with 48 hour retention
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 48,
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveMessage(mockReq, mockMessageData);
+
+      expect(result.expiredAt).toBeDefined();
+
+      // Verify expiredAt is approximately 48 hours in the future
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 48 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        expectedExpirationTime.getTime() + 1000,
+      );
+    });
+
+    it('should handle minimum retention period (1 hour)', async () => {
+      // Mock custom config with less than minimum retention
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 0.5, // Half hour - should be clamped to 1 hour
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveMessage(mockReq, mockMessageData);
+
+      expect(result.expiredAt).toBeDefined();
+
+      // Verify expiredAt is approximately 1 hour in the future (minimum)
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 1 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        expectedExpirationTime.getTime() + 1000,
+      );
+    });
+
+    it('should handle maximum retention period (8760 hours)', async () => {
+      // Mock custom config with more than maximum retention
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 10000, // Should be clamped to 8760 hours
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveMessage(mockReq, mockMessageData);
+
+      expect(result.expiredAt).toBeDefined();
+
+      // Verify expiredAt is approximately 8760 hours (1 year) in the future
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 8760 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        expectedExpirationTime.getTime() + 1000,
+      );
+    });
+
+    it('should handle getCustomConfig errors gracefully', async () => {
+      // Mock getCustomConfig to throw an error
+      getCustomConfig.mockRejectedValue(new Error('Config service unavailable'));
+
+      mockReq.body = { isTemporary: true };
+
+      const result = await saveMessage(mockReq, mockMessageData);
+
+      // Should still save the message but with expiredAt as null
+      expect(result.messageId).toBe('msg123');
+      expect(result.expiredAt).toBeNull();
+    });
+
+    it('should use default retention when config is not provided', async () => {
+      // Mock getCustomConfig to return empty config
+      getCustomConfig.mockResolvedValue({});
+
+      mockReq.body = { isTemporary: true };
+
+      const beforeSave = new Date();
+      const result = await saveMessage(mockReq, mockMessageData);
+
+      expect(result.expiredAt).toBeDefined();
+
+      // Default retention is 30 days (720 hours)
+      const expectedExpirationTime = new Date(beforeSave.getTime() + 30 * 24 * 60 * 60 * 1000);
+      const actualExpirationTime = new Date(result.expiredAt);
+
+      expect(actualExpirationTime.getTime()).toBeGreaterThanOrEqual(
+        expectedExpirationTime.getTime() - 1000,
+      );
+      expect(actualExpirationTime.getTime()).toBeLessThanOrEqual(
+        expectedExpirationTime.getTime() + 1000,
+      );
+    });
+
+    it('should not update expiredAt on message update', async () => {
+      // First save a temporary message
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 24,
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+      const savedMessage = await saveMessage(mockReq, mockMessageData);
+      const originalExpiredAt = savedMessage.expiredAt;
+
+      // Now update the message without isTemporary flag
+      mockReq.body = {};
+      const updatedMessage = await updateMessage(mockReq, {
+        messageId: 'msg123',
+        text: 'Updated text',
+      });
+
+      // expiredAt should not be in the returned updated message object
+      expect(updatedMessage.expiredAt).toBeUndefined();
+
+      // Verify in database that expiredAt wasn't changed
+      const dbMessage = await Message.findOne({ messageId: 'msg123', user: 'user123' });
+      expect(dbMessage.expiredAt).toEqual(originalExpiredAt);
+    });
+
+    it('should preserve expiredAt when saving existing temporary message', async () => {
+      // First save a temporary message
+      getCustomConfig.mockResolvedValue({
+        interface: {
+          temporaryChatRetention: 24,
+        },
+      });
+
+      mockReq.body = { isTemporary: true };
+      const firstSave = await saveMessage(mockReq, mockMessageData);
+      const originalExpiredAt = firstSave.expiredAt;
+
+      // Wait a bit to ensure time difference
+      await new Promise((resolve) => setTimeout(resolve, 100));
+
+      // Save again with same messageId but different text
+      const updatedData = { ...mockMessageData, text: 'Updated text' };
+      const secondSave = await saveMessage(mockReq, updatedData);
+
+      // Should update text but create new expiredAt
+      expect(secondSave.text).toBe('Updated text');
+      expect(secondSave.expiredAt).toBeDefined();
+      expect(new Date(secondSave.expiredAt).getTime()).toBeGreaterThan(
+        new Date(originalExpiredAt).getTime(),
+      );
+    });
+
+    it('should handle bulk operations with temporary messages', async () => {
+      // This test verifies bulkSaveMessages doesn't interfere with expiredAt
+      const messages = [
+        {
+          messageId: 'bulk1',
+          conversationId: uuidv4(),
+          text: 'Bulk message 1',
+          user: 'user123',
+          expiredAt: new Date(Date.now() + 24 * 60 * 60 * 1000),
+        },
+        {
+          messageId: 'bulk2',
+          conversationId: uuidv4(),
+          text: 'Bulk message 2',
+          user: 'user123',
+          expiredAt: null,
+        },
+      ];
+
+      await bulkSaveMessages(messages);
+
+      const savedMessages = await Message.find({
+        messageId: { $in: ['bulk1', 'bulk2'] },
+      }).lean();
+
+      expect(savedMessages).toHaveLength(2);
+
+      const bulk1 = savedMessages.find((m) => m.messageId === 'bulk1');
+      const bulk2 = savedMessages.find((m) => m.messageId === 'bulk2');
+
+      expect(bulk1.expiredAt).toBeDefined();
+      expect(bulk2.expiredAt).toBeNull();
+    });
+  });
 });

api/models/Prompt.js

@@ -1,12 +1,18 @@
 const { ObjectId } = require('mongodb');
 const { logger } = require('@librechat/data-schemas');
-const { SystemRoles, SystemCategories, Constants } = require('librechat-data-provider');
 const {
-  getProjectByName,
-  addGroupIdsToProject,
-  removeGroupIdsFromProject,
+  Constants,
+  SystemRoles,
+  ResourceType,
+  SystemCategories,
+} = require('librechat-data-provider');
+const {
   removeGroupFromAllProjects,
+  removeGroupIdsFromProject,
+  addGroupIdsToProject,
+  getProjectByName,
 } = require('./Project');
+const { removeAllPermissions } = require('~/server/services/PermissionService');
 const { PromptGroup, Prompt } = require('~/db/models');
 const { escapeRegExp } = require('~/server/utils');
 
@@ -100,10 +106,6 @@ const getAllPromptGroups = async (req, filter) => {
   try {
     const { name, ...query } = filter;
 
-    if (!query.author) {
-      throw new Error('Author is required');
-    }
-
     let searchShared = true;
     let searchSharedOnly = false;
     if (name) {
@@ -153,10 +155,6 @@ const getPromptGroups = async (req, filter) => {
     const validatedPageNumber = Math.max(parseInt(pageNumber, 10), 1);
     const validatedPageSize = Math.max(parseInt(pageSize, 10), 1);
 
-    if (!query.author) {
-      throw new Error('Author is required');
-    }
-
     let searchShared = true;
     let searchSharedOnly = false;
     if (name) {
@@ -221,12 +219,16 @@ const getPromptGroups = async (req, filter) => {
  * @returns {Promise<TDeletePromptGroupResponse>}
  */
 const deletePromptGroup = async ({ _id, author, role }) => {
-  const query = { _id, author };
-  const groupQuery = { groupId: new ObjectId(_id), author };
-  if (role === SystemRoles.ADMIN) {
-    delete query.author;
-    delete groupQuery.author;
+  // Build query - with ACL, author is optional
+  const query = { _id };
+  const groupQuery = { groupId: new ObjectId(_id) };
+
+  // Legacy: Add author filter if provided (backward compatibility)
+  if (author && role !== SystemRoles.ADMIN) {
+    query.author = author;
+    groupQuery.author = author;
   }
+
   const response = await PromptGroup.deleteOne(query);
 
   if (!response || response.deletedCount === 0) {
@@ -235,6 +237,13 @@ const deletePromptGroup = async ({ _id, author, role }) => {
 
   await Prompt.deleteMany(groupQuery);
   await removeGroupFromAllProjects(_id);
+
+  try {
+    await removeAllPermissions({ resourceType: ResourceType.PROMPTGROUP, resourceId: _id });
+  } catch (error) {
+    logger.error('Error removing promptGroup permissions:', error);
+  }
+
   return { message: 'Prompt group deleted successfully' };
 };
 
@@ -430,6 +439,16 @@ module.exports = {
       .lean();
 
     if (remainingPrompts.length === 0) {
+      // Remove all ACL entries for the promptGroup when deleting the last prompt
+      try {
+        await removeAllPermissions({
+          resourceType: ResourceType.PROMPTGROUP,
+          resourceId: groupId,
+        });
+      } catch (error) {
+        logger.error('Error removing promptGroup permissions:', error);
+      }
+
       await PromptGroup.deleteOne({ _id: groupId });
       await removeGroupFromAllProjects(groupId);
 

api/models/Prompt.spec.js

@@ -0,0 +1,564 @@
+const mongoose = require('mongoose');
+const { ObjectId } = require('mongodb');
+const { logger } = require('@librechat/data-schemas');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const {
+  SystemRoles,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+  PermissionBits,
+} = require('librechat-data-provider');
+
+// Mock the config/connect module to prevent connection attempts during tests
+jest.mock('../../config/connect', () => jest.fn().mockResolvedValue(true));
+
+const dbModels = require('~/db/models');
+
+// Disable console for tests
+logger.silent = true;
+
+let mongoServer;
+let Prompt, PromptGroup, AclEntry, AccessRole, User, Group, Project;
+let promptFns, permissionService;
+let testUsers, testGroups, testRoles;
+
+beforeAll(async () => {
+  // Set up MongoDB memory server
+  mongoServer = await MongoMemoryServer.create();
+  const mongoUri = mongoServer.getUri();
+  await mongoose.connect(mongoUri);
+
+  // Initialize models
+  Prompt = dbModels.Prompt;
+  PromptGroup = dbModels.PromptGroup;
+  AclEntry = dbModels.AclEntry;
+  AccessRole = dbModels.AccessRole;
+  User = dbModels.User;
+  Group = dbModels.Group;
+  Project = dbModels.Project;
+
+  promptFns = require('~/models/Prompt');
+  permissionService = require('~/server/services/PermissionService');
+
+  // Create test data
+  await setupTestData();
+});
+
+afterAll(async () => {
+  await mongoose.disconnect();
+  await mongoServer.stop();
+  jest.clearAllMocks();
+});
+
+async function setupTestData() {
+  // Create access roles for promptGroups
+  testRoles = {
+    viewer: await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+      name: 'Viewer',
+      description: 'Can view promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW,
+    }),
+    editor: await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_EDITOR,
+      name: 'Editor',
+      description: 'Can view and edit promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW | PermissionBits.EDIT,
+    }),
+    owner: await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+      name: 'Owner',
+      description: 'Full control over promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits:
+        PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE,
+    }),
+  };
+
+  // Create test users
+  testUsers = {
+    owner: await User.create({
+      name: 'Prompt Owner',
+      email: 'owner@example.com',
+      role: SystemRoles.USER,
+    }),
+    editor: await User.create({
+      name: 'Prompt Editor',
+      email: 'editor@example.com',
+      role: SystemRoles.USER,
+    }),
+    viewer: await User.create({
+      name: 'Prompt Viewer',
+      email: 'viewer@example.com',
+      role: SystemRoles.USER,
+    }),
+    admin: await User.create({
+      name: 'Admin User',
+      email: 'admin@example.com',
+      role: SystemRoles.ADMIN,
+    }),
+    noAccess: await User.create({
+      name: 'No Access User',
+      email: 'noaccess@example.com',
+      role: SystemRoles.USER,
+    }),
+  };
+
+  // Create test groups
+  testGroups = {
+    editors: await Group.create({
+      name: 'Prompt Editors',
+      description: 'Group with editor access',
+    }),
+    viewers: await Group.create({
+      name: 'Prompt Viewers',
+      description: 'Group with viewer access',
+    }),
+  };
+
+  await Project.create({
+    name: 'Global',
+    description: 'Global project',
+    promptGroupIds: [],
+  });
+}
+
+describe('Prompt ACL Permissions', () => {
+  describe('Creating Prompts with Permissions', () => {
+    it('should grant owner permissions when creating a prompt', async () => {
+      // First create a group
+      const testGroup = await PromptGroup.create({
+        name: 'Test Group',
+        category: 'testing',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new mongoose.Types.ObjectId(),
+      });
+
+      const promptData = {
+        prompt: {
+          prompt: 'Test prompt content',
+          name: 'Test Prompt',
+          type: 'text',
+          groupId: testGroup._id,
+        },
+        author: testUsers.owner._id,
+      };
+
+      await promptFns.savePrompt(promptData);
+
+      // Manually grant permissions as would happen in the route
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Check ACL entry
+      const aclEntry = await AclEntry.findOne({
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+      });
+
+      expect(aclEntry).toBeTruthy();
+      expect(aclEntry.permBits).toBe(testRoles.owner.permBits);
+    });
+  });
+
+  describe('Accessing Prompts', () => {
+    let testPromptGroup;
+
+    beforeEach(async () => {
+      // Create a prompt group
+      testPromptGroup = await PromptGroup.create({
+        name: 'Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      // Create a prompt
+      await Prompt.create({
+        prompt: 'Test prompt for access control',
+        name: 'Access Test Prompt',
+        author: testUsers.owner._id,
+        groupId: testPromptGroup._id,
+        type: 'text',
+      });
+
+      // Grant owner permissions
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('owner should have full access to their prompt', async () => {
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+      });
+
+      expect(hasAccess).toBe(true);
+
+      const canEdit = await permissionService.checkPermission({
+        userId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.EDIT,
+      });
+
+      expect(canEdit).toBe(true);
+    });
+
+    it('user with viewer role should only have view access', async () => {
+      // Grant viewer permissions
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      const canView = await permissionService.checkPermission({
+        userId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+      });
+
+      const canEdit = await permissionService.checkPermission({
+        userId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.EDIT,
+      });
+
+      expect(canView).toBe(true);
+      expect(canEdit).toBe(false);
+    });
+
+    it('user without permissions should have no access', async () => {
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.noAccess._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+      });
+
+      expect(hasAccess).toBe(false);
+    });
+
+    it('admin should have access regardless of permissions', async () => {
+      // Admin users should work through normal permission system
+      // The middleware layer handles admin bypass, not the permission service
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.admin._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+      });
+
+      // Without explicit permissions, even admin won't have access at this layer
+      expect(hasAccess).toBe(false);
+
+      // The actual admin bypass happens in the middleware layer (`canAccessPromptViaGroup`/`canAccessPromptGroupResource`)
+      // which checks req.user.role === SystemRoles.ADMIN
+    });
+  });
+
+  describe('Group-based Access', () => {
+    let testPromptGroup;
+
+    beforeEach(async () => {
+      // Create a prompt group first
+      testPromptGroup = await PromptGroup.create({
+        name: 'Group Access Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      await Prompt.create({
+        prompt: 'Group access test prompt',
+        name: 'Group Test',
+        author: testUsers.owner._id,
+        groupId: testPromptGroup._id,
+        type: 'text',
+      });
+
+      // Add users to groups
+      await User.findByIdAndUpdate(testUsers.editor._id, {
+        $push: { groups: testGroups.editors._id },
+      });
+
+      await User.findByIdAndUpdate(testUsers.viewer._id, {
+        $push: { groups: testGroups.viewers._id },
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await AclEntry.deleteMany({});
+      await User.updateMany({}, { $set: { groups: [] } });
+    });
+
+    it('group members should inherit group permissions', async () => {
+      // Create a prompt group
+      const testPromptGroup = await PromptGroup.create({
+        name: 'Group Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      const { addUserToGroup } = require('~/models');
+      await addUserToGroup(testUsers.editor._id, testGroups.editors._id);
+
+      const prompt = await promptFns.savePrompt({
+        author: testUsers.owner._id,
+        prompt: {
+          prompt: 'Group test prompt',
+          name: 'Group Test',
+          groupId: testPromptGroup._id,
+          type: 'text',
+        },
+      });
+
+      // Check if savePrompt returned an error
+      if (!prompt || !prompt.prompt) {
+        throw new Error(`Failed to save prompt: ${prompt?.message || 'Unknown error'}`);
+      }
+
+      // Grant edit permissions to the group
+      await permissionService.grantPermission({
+        principalType: PrincipalType.GROUP,
+        principalId: testGroups.editors._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_EDITOR,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Check if group member has access
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.editor._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.EDIT,
+      });
+
+      expect(hasAccess).toBe(true);
+
+      // Check that non-member doesn't have access
+      const nonMemberAccess = await permissionService.checkPermission({
+        userId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        requiredPermission: PermissionBits.EDIT,
+      });
+
+      expect(nonMemberAccess).toBe(false);
+    });
+  });
+
+  describe('Public Access', () => {
+    let publicPromptGroup, privatePromptGroup;
+
+    beforeEach(async () => {
+      // Create separate prompt groups for public and private access
+      publicPromptGroup = await PromptGroup.create({
+        name: 'Public Access Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      privatePromptGroup = await PromptGroup.create({
+        name: 'Private Access Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      // Create prompts in their respective groups
+      await Prompt.create({
+        prompt: 'Public prompt',
+        name: 'Public',
+        author: testUsers.owner._id,
+        groupId: publicPromptGroup._id,
+        type: 'text',
+      });
+
+      await Prompt.create({
+        prompt: 'Private prompt',
+        name: 'Private',
+        author: testUsers.owner._id,
+        groupId: privatePromptGroup._id,
+        type: 'text',
+      });
+
+      // Grant public view access to publicPromptGroup
+      await permissionService.grantPermission({
+        principalType: PrincipalType.PUBLIC,
+        principalId: null,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: publicPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Grant only owner access to privatePromptGroup
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: privatePromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('public prompt should be accessible to any user', async () => {
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.noAccess._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: publicPromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+        includePublic: true,
+      });
+
+      expect(hasAccess).toBe(true);
+    });
+
+    it('private prompt should not be accessible to unauthorized users', async () => {
+      const hasAccess = await permissionService.checkPermission({
+        userId: testUsers.noAccess._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: privatePromptGroup._id,
+        requiredPermission: PermissionBits.VIEW,
+        includePublic: true,
+      });
+
+      expect(hasAccess).toBe(false);
+    });
+  });
+
+  describe('Prompt Deletion', () => {
+    let testPromptGroup;
+
+    it('should remove ACL entries when prompt is deleted', async () => {
+      testPromptGroup = await PromptGroup.create({
+        name: 'Deletion Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      const prompt = await promptFns.savePrompt({
+        author: testUsers.owner._id,
+        prompt: {
+          prompt: 'To be deleted',
+          name: 'Delete Test',
+          groupId: testPromptGroup._id,
+          type: 'text',
+        },
+      });
+
+      // Check if savePrompt returned an error
+      if (!prompt || !prompt.prompt) {
+        throw new Error(`Failed to save prompt: ${prompt?.message || 'Unknown error'}`);
+      }
+
+      const testPromptId = prompt.prompt._id;
+      const promptGroupId = testPromptGroup._id;
+
+      // Grant permission
+      await permissionService.grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Verify ACL entry exists
+      const beforeDelete = await AclEntry.find({
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+      });
+      expect(beforeDelete).toHaveLength(1);
+
+      // Delete the prompt
+      await promptFns.deletePrompt({
+        promptId: testPromptId,
+        groupId: promptGroupId,
+        author: testUsers.owner._id,
+        role: SystemRoles.USER,
+      });
+
+      // Verify ACL entries are removed
+      const aclEntries = await AclEntry.find({
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testPromptGroup._id,
+      });
+
+      expect(aclEntries).toHaveLength(0);
+    });
+  });
+
+  describe('Backwards Compatibility', () => {
+    it('should handle prompts without ACL entries gracefully', async () => {
+      // Create a prompt group first
+      const promptGroup = await PromptGroup.create({
+        name: 'Legacy Test Group',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      // Create a prompt without ACL entries (legacy prompt)
+      const legacyPrompt = await Prompt.create({
+        prompt: 'Legacy prompt without ACL',
+        name: 'Legacy',
+        author: testUsers.owner._id,
+        groupId: promptGroup._id,
+        type: 'text',
+      });
+
+      // The system should handle this gracefully
+      const prompt = await promptFns.getPrompt({ _id: legacyPrompt._id });
+      expect(prompt).toBeTruthy();
+      expect(prompt._id.toString()).toBe(legacyPrompt._id.toString());
+    });
+  });
+});

api/models/PromptGroupMigration.spec.js

@@ -0,0 +1,280 @@
+const mongoose = require('mongoose');
+const { ObjectId } = require('mongodb');
+const { logger } = require('@librechat/data-schemas');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const {
+  Constants,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+  PrincipalModel,
+  PermissionBits,
+} = require('librechat-data-provider');
+
+// Mock the config/connect module to prevent connection attempts during tests
+jest.mock('../../config/connect', () => jest.fn().mockResolvedValue(true));
+
+// Disable console for tests
+logger.silent = true;
+
+describe('PromptGroup Migration Script', () => {
+  let mongoServer;
+  let Prompt, PromptGroup, AclEntry, AccessRole, User, Project;
+  let migrateToPromptGroupPermissions;
+  let testOwner, testProject;
+  let ownerRole, viewerRole;
+
+  beforeAll(async () => {
+    // Set up MongoDB memory server
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+
+    // Initialize models
+    const dbModels = require('~/db/models');
+    Prompt = dbModels.Prompt;
+    PromptGroup = dbModels.PromptGroup;
+    AclEntry = dbModels.AclEntry;
+    AccessRole = dbModels.AccessRole;
+    User = dbModels.User;
+    Project = dbModels.Project;
+
+    // Create test user
+    testOwner = await User.create({
+      name: 'Test Owner',
+      email: 'owner@test.com',
+      role: 'USER',
+    });
+
+    // Create test project with the proper name
+    const projectName = Constants.GLOBAL_PROJECT_NAME || 'instance';
+    testProject = await Project.create({
+      name: projectName,
+      description: 'Global project',
+      promptGroupIds: [],
+    });
+
+    // Create promptGroup access roles
+    ownerRole = await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+      name: 'Owner',
+      description: 'Full control over promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits:
+        PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE,
+    });
+
+    viewerRole = await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+      name: 'Viewer',
+      description: 'Can view promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW,
+    });
+
+    await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_EDITOR,
+      name: 'Editor',
+      description: 'Can view and edit promptGroups',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW | PermissionBits.EDIT,
+    });
+
+    // Import migration function
+    const migration = require('../../config/migrate-prompt-permissions');
+    migrateToPromptGroupPermissions = migration.migrateToPromptGroupPermissions;
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    // Clean up before each test
+    await Prompt.deleteMany({});
+    await PromptGroup.deleteMany({});
+    await AclEntry.deleteMany({});
+    // Reset the project's promptGroupIds array
+    testProject.promptGroupIds = [];
+    await testProject.save();
+  });
+
+  it('should categorize promptGroups correctly in dry run', async () => {
+    // Create global prompt group (in Global project)
+    const globalPromptGroup = await PromptGroup.create({
+      name: 'Global Group',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Create private prompt group (not in any project)
+    await PromptGroup.create({
+      name: 'Private Group',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Add global group to project's promptGroupIds array
+    testProject.promptGroupIds = [globalPromptGroup._id];
+    await testProject.save();
+
+    const result = await migrateToPromptGroupPermissions({ dryRun: true });
+
+    expect(result.dryRun).toBe(true);
+    expect(result.summary.total).toBe(2);
+    expect(result.summary.globalViewAccess).toBe(1);
+    expect(result.summary.privateGroups).toBe(1);
+  });
+
+  it('should grant appropriate permissions during migration', async () => {
+    // Create prompt groups
+    const globalPromptGroup = await PromptGroup.create({
+      name: 'Global Group',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    const privatePromptGroup = await PromptGroup.create({
+      name: 'Private Group',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Add global group to project's promptGroupIds array
+    testProject.promptGroupIds = [globalPromptGroup._id];
+    await testProject.save();
+
+    const result = await migrateToPromptGroupPermissions({ dryRun: false });
+
+    expect(result.migrated).toBe(2);
+    expect(result.errors).toBe(0);
+    expect(result.ownerGrants).toBe(2);
+    expect(result.publicViewGrants).toBe(1);
+
+    // Check global promptGroup permissions
+    const globalOwnerEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: globalPromptGroup._id,
+      principalType: PrincipalType.USER,
+      principalId: testOwner._id,
+    });
+    expect(globalOwnerEntry).toBeTruthy();
+    expect(globalOwnerEntry.permBits).toBe(ownerRole.permBits);
+
+    const globalPublicEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: globalPromptGroup._id,
+      principalType: PrincipalType.PUBLIC,
+    });
+    expect(globalPublicEntry).toBeTruthy();
+    expect(globalPublicEntry.permBits).toBe(viewerRole.permBits);
+
+    // Check private promptGroup permissions
+    const privateOwnerEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: privatePromptGroup._id,
+      principalType: PrincipalType.USER,
+      principalId: testOwner._id,
+    });
+    expect(privateOwnerEntry).toBeTruthy();
+    expect(privateOwnerEntry.permBits).toBe(ownerRole.permBits);
+
+    const privatePublicEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: privatePromptGroup._id,
+      principalType: PrincipalType.PUBLIC,
+    });
+    expect(privatePublicEntry).toBeNull();
+  });
+
+  it('should skip promptGroups that already have ACL entries', async () => {
+    // Create prompt groups
+    const promptGroup1 = await PromptGroup.create({
+      name: 'Group 1',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    const promptGroup2 = await PromptGroup.create({
+      name: 'Group 2',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Grant permission to one promptGroup manually (simulating it already has ACL)
+    await AclEntry.create({
+      principalType: PrincipalType.USER,
+      principalId: testOwner._id,
+      principalModel: PrincipalModel.USER,
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: promptGroup1._id,
+      permBits: ownerRole.permBits,
+      roleId: ownerRole._id,
+      grantedBy: testOwner._id,
+      grantedAt: new Date(),
+    });
+
+    const result = await migrateToPromptGroupPermissions({ dryRun: false });
+
+    // Should only migrate promptGroup2, skip promptGroup1
+    expect(result.migrated).toBe(1);
+    expect(result.errors).toBe(0);
+
+    // Verify promptGroup2 now has permissions
+    const group2Entry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: promptGroup2._id,
+    });
+    expect(group2Entry).toBeTruthy();
+  });
+
+  it('should handle promptGroups with prompts correctly', async () => {
+    // Create a promptGroup with some prompts
+    const promptGroup = await PromptGroup.create({
+      name: 'Group with Prompts',
+      author: testOwner._id,
+      authorName: testOwner.name,
+      productionId: new ObjectId(),
+    });
+
+    // Create some prompts in this group
+    await Prompt.create({
+      prompt: 'First prompt',
+      author: testOwner._id,
+      groupId: promptGroup._id,
+      type: 'text',
+    });
+
+    await Prompt.create({
+      prompt: 'Second prompt',
+      author: testOwner._id,
+      groupId: promptGroup._id,
+      type: 'text',
+    });
+
+    const result = await migrateToPromptGroupPermissions({ dryRun: false });
+
+    expect(result.migrated).toBe(1);
+    expect(result.errors).toBe(0);
+
+    // Verify the promptGroup has permissions
+    const groupEntry = await AclEntry.findOne({
+      resourceType: ResourceType.PROMPTGROUP,
+      resourceId: promptGroup._id,
+    });
+    expect(groupEntry).toBeTruthy();
+
+    // Verify no prompt-level permissions were created
+    const promptEntries = await AclEntry.find({
+      resourceType: 'prompt',
+    });
+    expect(promptEntries).toHaveLength(0);
+  });
+});

api/models/Role.js

@@ -2,7 +2,6 @@ const {
   CacheKeys,
   SystemRoles,
   roleDefaults,
-  PermissionTypes,
   permissionsSchema,
   removeNullishValues,
 } = require('librechat-data-provider');

api/models/index.js

@@ -22,6 +22,7 @@ const {
 } = require('./Message');
 const { getConvoTitle, getConvo, saveConvo, deleteConvos } = require('./Conversation');
 const { getPreset, getPresets, savePreset, deletePresets } = require('./Preset');
+const { File } = require('~/db/models');
 
 module.exports = {
   ...methods,
@@ -51,4 +52,6 @@ module.exports = {
   getPresets,
   savePreset,
   deletePresets,
+
+  Files: File,
 };

api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@librechat/backend",
-  "version": "v0.7.9-rc1",
+  "version": "v0.8.0-rc1",
   "description": "",
   "scripts": {
     "start": "echo 'please run this from the root directory'",
@@ -44,19 +44,22 @@
     "@googleapis/youtube": "^20.0.0",
     "@keyv/redis": "^4.3.3",
     "@langchain/community": "^0.3.47",
-    "@langchain/core": "^0.3.60",
+    "@langchain/core": "^0.3.62",
     "@langchain/google-genai": "^0.2.13",
     "@langchain/google-vertexai": "^0.2.13",
+    "@langchain/openai": "^0.5.18",
     "@langchain/textsplitters": "^0.1.0",
-    "@librechat/agents": "^2.4.60",
+    "@librechat/agents": "^2.4.69",
     "@librechat/api": "*",
     "@librechat/data-schemas": "*",
-    "@node-saml/passport-saml": "^5.0.0",
+    "@modelcontextprotocol/sdk": "^1.17.1",
+    "@node-saml/passport-saml": "^5.1.0",
+    "@microsoft/microsoft-graph-client": "^3.0.7",
     "@waylaidwanderer/fetch-event-source": "^3.0.1",
     "axios": "^1.8.2",
     "bcryptjs": "^2.4.3",
-    "compression": "^1.7.4",
-    "connect-redis": "^7.1.0",
+    "compression": "^1.8.1",
+    "connect-redis": "^8.1.0",
     "cookie": "^0.7.2",
     "cookie-parser": "^1.4.7",
     "cors": "^2.8.5",
@@ -66,10 +69,11 @@
     "express": "^4.21.2",
     "express-mongo-sanitize": "^2.2.0",
     "express-rate-limit": "^7.4.1",
-    "express-session": "^1.18.1",
+    "express-session": "^1.18.2",
     "express-static-gzip": "^2.2.0",
     "file-type": "^18.7.0",
     "firebase": "^11.0.2",
+    "form-data": "^4.0.4",
     "googleapis": "^126.0.1",
     "handlebars": "^4.7.7",
     "https-proxy-agent": "^7.0.6",
@@ -87,12 +91,12 @@
     "mime": "^3.0.0",
     "module-alias": "^2.2.3",
     "mongoose": "^8.12.1",
-    "multer": "^2.0.1",
+    "multer": "^2.0.2",
     "nanoid": "^3.3.7",
     "node-fetch": "^2.7.0",
     "nodemailer": "^6.9.15",
     "ollama": "^0.5.0",
-    "openai": "^4.96.2",
+    "openai": "^5.10.1",
     "openai-chat-tokens": "^0.2.8",
     "openid-client": "^6.5.0",
     "passport": "^0.6.0",
@@ -117,7 +121,7 @@
   },
   "devDependencies": {
     "jest": "^29.7.0",
-    "mongodb-memory-server": "^10.1.3",
+    "mongodb-memory-server": "^10.1.4",
     "nodemon": "^3.0.3",
     "supertest": "^7.1.0"
   }

api/server/controllers/AuthController.js

@@ -12,6 +12,7 @@ const {
 } = require('~/server/services/AuthService');
 const { findUser, getUserById, deleteAllUserSessions, findSession } = require('~/models');
 const { getOpenIdConfig } = require('~/strategies');
+const { getGraphApiToken } = require('~/server/services/GraphTokenService');
 
 const registrationController = async (req, res) => {
   try {
@@ -118,9 +119,54 @@ const refreshController = async (req, res) => {
   }
 };
 
+const graphTokenController = async (req, res) => {
+  try {
+    // Validate user is authenticated via Entra ID
+    if (!req.user.openidId || req.user.provider !== 'openid') {
+      return res.status(403).json({
+        message: 'Microsoft Graph access requires Entra ID authentication',
+      });
+    }
+
+    // Check if OpenID token reuse is active (required for on-behalf-of flow)
+    if (!isEnabled(process.env.OPENID_REUSE_TOKENS)) {
+      return res.status(403).json({
+        message: 'SharePoint integration requires OpenID token reuse to be enabled',
+      });
+    }
+
+    // Extract access token from Authorization header
+    const authHeader = req.headers.authorization;
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({
+        message: 'Valid authorization token required',
+      });
+    }
+
+    // Get scopes from query parameters
+    const scopes = req.query.scopes;
+    if (!scopes) {
+      return res.status(400).json({
+        message: 'Graph API scopes are required as query parameter',
+      });
+    }
+
+    const accessToken = authHeader.substring(7); // Remove 'Bearer ' prefix
+    const tokenResponse = await getGraphApiToken(req.user, accessToken, scopes);
+
+    res.json(tokenResponse);
+  } catch (error) {
+    logger.error('[graphTokenController] Failed to obtain Graph API token:', error);
+    res.status(500).json({
+      message: 'Failed to obtain Microsoft Graph token',
+    });
+  }
+};
+
 module.exports = {
   refreshController,
   registrationController,
   resetPasswordController,
   resetPasswordRequestController,
+  graphTokenController,
 };

api/server/controllers/PermissionsController.js

@@ -0,0 +1,471 @@
+/**
+ * @import { TUpdateResourcePermissionsRequest, TUpdateResourcePermissionsResponse } from 'librechat-data-provider'
+ */
+
+const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
+const { ResourceType, PrincipalType } = require('librechat-data-provider');
+const {
+  bulkUpdateResourcePermissions,
+  ensureGroupPrincipalExists,
+  getEffectivePermissions,
+  ensurePrincipalExists,
+  getAvailableRoles,
+} = require('~/server/services/PermissionService');
+const { AclEntry } = require('~/db/models');
+const {
+  searchPrincipals: searchLocalPrincipals,
+  sortPrincipalsByRelevance,
+  calculateRelevanceScore,
+} = require('~/models');
+const {
+  entraIdPrincipalFeatureEnabled,
+  searchEntraIdPrincipals,
+} = require('~/server/services/GraphApiService');
+
+/**
+ * Generic controller for resource permission endpoints
+ * Delegates validation and logic to PermissionService
+ */
+
+/**
+ * Validates that the resourceType is one of the supported enum values
+ * @param {string} resourceType - The resource type to validate
+ * @throws {Error} If resourceType is not valid
+ */
+const validateResourceType = (resourceType) => {
+  const validTypes = Object.values(ResourceType);
+  if (!validTypes.includes(resourceType)) {
+    throw new Error(`Invalid resourceType: ${resourceType}. Valid types: ${validTypes.join(', ')}`);
+  }
+};
+
+/**
+ * Bulk update permissions for a resource (grant, update, remove)
+ * @route PUT /api/{resourceType}/{resourceId}/permissions
+ * @param {Object} req - Express request object
+ * @param {Object} req.params - Route parameters
+ * @param {string} req.params.resourceType - Resource type (e.g., 'agent')
+ * @param {string} req.params.resourceId - Resource ID
+ * @param {TUpdateResourcePermissionsRequest} req.body - Request body
+ * @param {Object} res - Express response object
+ * @returns {Promise<TUpdateResourcePermissionsResponse>} Updated permissions response
+ */
+const updateResourcePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    validateResourceType(resourceType);
+
+    /** @type {TUpdateResourcePermissionsRequest} */
+    const { updated, removed, public: isPublic, publicAccessRoleId } = req.body;
+    const { id: userId } = req.user;
+
+    // Prepare principals for the service call
+    const updatedPrincipals = [];
+    const revokedPrincipals = [];
+
+    // Add updated principals
+    if (updated && Array.isArray(updated)) {
+      updatedPrincipals.push(...updated);
+    }
+
+    // Add public permission if enabled
+    if (isPublic && publicAccessRoleId) {
+      updatedPrincipals.push({
+        type: PrincipalType.PUBLIC,
+        id: null,
+        accessRoleId: publicAccessRoleId,
+      });
+    }
+
+    // Prepare authentication context for enhanced group member fetching
+    const useEntraId = entraIdPrincipalFeatureEnabled(req.user);
+    const authHeader = req.headers.authorization;
+    const accessToken =
+      authHeader && authHeader.startsWith('Bearer ') ? authHeader.substring(7) : null;
+    const authContext =
+      useEntraId && accessToken
+        ? {
+            accessToken,
+            sub: req.user.openidId,
+          }
+        : null;
+
+    // Ensure updated principals exist in the database before processing permissions
+    const validatedPrincipals = [];
+    for (const principal of updatedPrincipals) {
+      try {
+        let principalId;
+
+        if (principal.type === PrincipalType.PUBLIC) {
+          principalId = null; // Public principals don't need database records
+        } else if (principal.type === PrincipalType.ROLE) {
+          principalId = principal.id; // Role principals use role name as ID
+        } else if (principal.type === PrincipalType.USER) {
+          principalId = await ensurePrincipalExists(principal);
+        } else if (principal.type === PrincipalType.GROUP) {
+          // Pass authContext to enable member fetching for Entra ID groups when available
+          principalId = await ensureGroupPrincipalExists(principal, authContext);
+        } else {
+          logger.error(`Unsupported principal type: ${principal.type}`);
+          continue; // Skip invalid principal types
+        }
+
+        // Update the principal with the validated ID for ACL operations
+        validatedPrincipals.push({
+          ...principal,
+          id: principalId,
+        });
+      } catch (error) {
+        logger.error('Error ensuring principal exists:', {
+          principal: {
+            type: principal.type,
+            id: principal.id,
+            name: principal.name,
+            source: principal.source,
+          },
+          error: error.message,
+        });
+        // Continue with other principals instead of failing the entire operation
+        continue;
+      }
+    }
+
+    // Add removed principals
+    if (removed && Array.isArray(removed)) {
+      revokedPrincipals.push(...removed);
+    }
+
+    // If public is disabled, add public to revoked list
+    if (!isPublic) {
+      revokedPrincipals.push({
+        type: PrincipalType.PUBLIC,
+        id: null,
+      });
+    }
+
+    const results = await bulkUpdateResourcePermissions({
+      resourceType,
+      resourceId,
+      updatedPrincipals: validatedPrincipals,
+      revokedPrincipals,
+      grantedBy: userId,
+    });
+
+    /** @type {TUpdateResourcePermissionsResponse} */
+    const response = {
+      message: 'Permissions updated successfully',
+      results: {
+        principals: results.granted,
+        public: isPublic || false,
+        publicAccessRoleId: isPublic ? publicAccessRoleId : undefined,
+      },
+    };
+
+    res.status(200).json(response);
+  } catch (error) {
+    logger.error('Error updating resource permissions:', error);
+    res.status(400).json({
+      error: 'Failed to update permissions',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get principals with their permission roles for a resource (UI-friendly format)
+ * Uses efficient aggregation pipeline to join User/Group data in single query
+ * @route GET /api/permissions/{resourceType}/{resourceId}
+ */
+const getResourcePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    validateResourceType(resourceType);
+
+    // Use aggregation pipeline for efficient single-query data retrieval
+    const results = await AclEntry.aggregate([
+      // Match ACL entries for this resource
+      {
+        $match: {
+          resourceType,
+          resourceId: mongoose.Types.ObjectId.isValid(resourceId)
+            ? mongoose.Types.ObjectId.createFromHexString(resourceId)
+            : resourceId,
+        },
+      },
+      // Lookup AccessRole information
+      {
+        $lookup: {
+          from: 'accessroles',
+          localField: 'roleId',
+          foreignField: '_id',
+          as: 'role',
+        },
+      },
+      // Lookup User information (for user principals)
+      {
+        $lookup: {
+          from: 'users',
+          localField: 'principalId',
+          foreignField: '_id',
+          as: 'userInfo',
+        },
+      },
+      // Lookup Group information (for group principals)
+      {
+        $lookup: {
+          from: 'groups',
+          localField: 'principalId',
+          foreignField: '_id',
+          as: 'groupInfo',
+        },
+      },
+      // Project final structure
+      {
+        $project: {
+          principalType: 1,
+          principalId: 1,
+          accessRoleId: { $arrayElemAt: ['$role.accessRoleId', 0] },
+          userInfo: { $arrayElemAt: ['$userInfo', 0] },
+          groupInfo: { $arrayElemAt: ['$groupInfo', 0] },
+        },
+      },
+    ]);
+
+    const principals = [];
+    let publicPermission = null;
+
+    // Process aggregation results
+    for (const result of results) {
+      if (result.principalType === PrincipalType.PUBLIC) {
+        publicPermission = {
+          public: true,
+          publicAccessRoleId: result.accessRoleId,
+        };
+      } else if (result.principalType === PrincipalType.USER && result.userInfo) {
+        principals.push({
+          type: PrincipalType.USER,
+          id: result.userInfo._id.toString(),
+          name: result.userInfo.name || result.userInfo.username,
+          email: result.userInfo.email,
+          avatar: result.userInfo.avatar,
+          source: !result.userInfo._id ? 'entra' : 'local',
+          idOnTheSource: result.userInfo.idOnTheSource || result.userInfo._id.toString(),
+          accessRoleId: result.accessRoleId,
+        });
+      } else if (result.principalType === PrincipalType.GROUP && result.groupInfo) {
+        principals.push({
+          type: PrincipalType.GROUP,
+          id: result.groupInfo._id.toString(),
+          name: result.groupInfo.name,
+          email: result.groupInfo.email,
+          description: result.groupInfo.description,
+          avatar: result.groupInfo.avatar,
+          source: result.groupInfo.source || 'local',
+          idOnTheSource: result.groupInfo.idOnTheSource || result.groupInfo._id.toString(),
+          accessRoleId: result.accessRoleId,
+        });
+      } else if (result.principalType === PrincipalType.ROLE) {
+        principals.push({
+          type: PrincipalType.ROLE,
+          /** Role name as ID */
+          id: result.principalId,
+          /** Display the role name */
+          name: result.principalId,
+          description: `System role: ${result.principalId}`,
+          accessRoleId: result.accessRoleId,
+        });
+      }
+    }
+
+    // Return response in format expected by frontend
+    const response = {
+      resourceType,
+      resourceId,
+      principals,
+      public: publicPermission?.public || false,
+      ...(publicPermission?.publicAccessRoleId && {
+        publicAccessRoleId: publicPermission.publicAccessRoleId,
+      }),
+    };
+
+    res.status(200).json(response);
+  } catch (error) {
+    logger.error('Error getting resource permissions principals:', error);
+    res.status(500).json({
+      error: 'Failed to get permissions principals',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get available roles for a resource type
+ * @route GET /api/{resourceType}/roles
+ */
+const getResourceRoles = async (req, res) => {
+  try {
+    const { resourceType } = req.params;
+    validateResourceType(resourceType);
+
+    const roles = await getAvailableRoles({ resourceType });
+
+    res.status(200).json(
+      roles.map((role) => ({
+        accessRoleId: role.accessRoleId,
+        name: role.name,
+        description: role.description,
+        permBits: role.permBits,
+      })),
+    );
+  } catch (error) {
+    logger.error('Error getting resource roles:', error);
+    res.status(500).json({
+      error: 'Failed to get roles',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get user's effective permission bitmask for a resource
+ * @route GET /api/{resourceType}/{resourceId}/effective
+ */
+const getUserEffectivePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    validateResourceType(resourceType);
+
+    const { id: userId } = req.user;
+
+    const permissionBits = await getEffectivePermissions({
+      userId,
+      role: req.user.role,
+      resourceType,
+      resourceId,
+    });
+
+    res.status(200).json({
+      permissionBits,
+    });
+  } catch (error) {
+    logger.error('Error getting user effective permissions:', error);
+    res.status(500).json({
+      error: 'Failed to get effective permissions',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Search for users and groups to grant permissions
+ * Supports hybrid local database + Entra ID search when configured
+ * @route GET /api/permissions/search-principals
+ */
+const searchPrincipals = async (req, res) => {
+  try {
+    const { q: query, limit = 20, type } = req.query;
+
+    if (!query || query.trim().length === 0) {
+      return res.status(400).json({
+        error: 'Query parameter "q" is required and must not be empty',
+      });
+    }
+
+    if (query.trim().length < 2) {
+      return res.status(400).json({
+        error: 'Query must be at least 2 characters long',
+      });
+    }
+
+    const searchLimit = Math.min(Math.max(1, parseInt(limit) || 10), 50);
+    const typeFilter = [PrincipalType.USER, PrincipalType.GROUP, PrincipalType.ROLE].includes(type)
+      ? type
+      : null;
+
+    const localResults = await searchLocalPrincipals(query.trim(), searchLimit, typeFilter);
+    let allPrincipals = [...localResults];
+
+    const useEntraId = entraIdPrincipalFeatureEnabled(req.user);
+
+    if (useEntraId && localResults.length < searchLimit) {
+      try {
+        const graphTypeMap = {
+          user: 'users',
+          group: 'groups',
+          null: 'all',
+        };
+
+        const authHeader = req.headers.authorization;
+        const accessToken =
+          authHeader && authHeader.startsWith('Bearer ') ? authHeader.substring(7) : null;
+
+        if (accessToken) {
+          const graphResults = await searchEntraIdPrincipals(
+            accessToken,
+            req.user.openidId,
+            query.trim(),
+            graphTypeMap[typeFilter],
+            searchLimit - localResults.length,
+          );
+
+          const localEmails = new Set(
+            localResults.map((p) => p.email?.toLowerCase()).filter(Boolean),
+          );
+          const localGroupSourceIds = new Set(
+            localResults.map((p) => p.idOnTheSource).filter(Boolean),
+          );
+
+          for (const principal of graphResults) {
+            const isDuplicateByEmail =
+              principal.email && localEmails.has(principal.email.toLowerCase());
+            const isDuplicateBySourceId =
+              principal.idOnTheSource && localGroupSourceIds.has(principal.idOnTheSource);
+
+            if (!isDuplicateByEmail && !isDuplicateBySourceId) {
+              allPrincipals.push(principal);
+            }
+          }
+        }
+      } catch (graphError) {
+        logger.warn('Graph API search failed, falling back to local results:', graphError.message);
+      }
+    }
+    const scoredResults = allPrincipals.map((item) => ({
+      ...item,
+      _searchScore: calculateRelevanceScore(item, query.trim()),
+    }));
+
+    allPrincipals = sortPrincipalsByRelevance(scoredResults)
+      .slice(0, searchLimit)
+      .map((result) => {
+        const { _searchScore, ...resultWithoutScore } = result;
+        return resultWithoutScore;
+      });
+    res.status(200).json({
+      query: query.trim(),
+      limit: searchLimit,
+      type: typeFilter,
+      results: allPrincipals,
+      count: allPrincipals.length,
+      sources: {
+        local: allPrincipals.filter((r) => r.source === 'local').length,
+        entra: allPrincipals.filter((r) => r.source === 'entra').length,
+      },
+    });
+  } catch (error) {
+    logger.error('Error searching principals:', error);
+    res.status(500).json({
+      error: 'Failed to search principals',
+      details: error.message,
+    });
+  }
+};
+
+module.exports = {
+  updateResourcePermissions,
+  getResourcePermissions,
+  getResourceRoles,
+  getUserEffectivePermissions,
+  searchPrincipals,
+};

api/server/controllers/PluginController.js

@@ -97,7 +97,7 @@ function createServerToolsCallback() {
         return;
       }
       await mcpToolsCache.set(serverName, serverTools);
-      logger.warn(`MCP tools for ${serverName} added to cache.`);
+      logger.debug(`MCP tools for ${serverName} added to cache.`);
     } catch (error) {
       logger.error('Error retrieving MCP tools from cache:', error);
     }
@@ -143,7 +143,7 @@ const getAvailableTools = async (req, res) => {
     const cache = getLogStores(CacheKeys.CONFIG_STORE);
     const cachedToolsArray = await cache.get(CacheKeys.TOOLS);
     const cachedUserTools = await getCachedTools({ userId });
-    const userPlugins = await convertMCPToolsToPlugins(cachedUserTools, customConfig, userId);
+    const userPlugins = convertMCPToolsToPlugins(cachedUserTools, customConfig);
 
     if (cachedToolsArray && userPlugins) {
       const dedupedTools = filterUniquePlugins([...userPlugins, ...cachedToolsArray]);
@@ -202,102 +202,23 @@ const getAvailableTools = async (req, res) => {
       const serverName = parts[parts.length - 1];
       const serverConfig = customConfig?.mcpServers?.[serverName];
 
-      logger.warn(
-        `[getAvailableTools] Processing MCP tool:`,
-        JSON.stringify({
-          pluginKey: plugin.pluginKey,
-          serverName,
-          hasServerConfig: !!serverConfig,
-          hasCustomUserVars: !!serverConfig?.customUserVars,
-        }),
-      );
-
-      if (!serverConfig) {
-        logger.warn(
-          `[getAvailableTools] No server config found for ${serverName}, skipping auth check`,
-        );
+      if (!serverConfig?.customUserVars) {
         toolsOutput.push(toolToAdd);
         continue;
       }
 
-      // Handle MCP servers with customUserVars (user-level auth required)
-      if (serverConfig.customUserVars) {
-        logger.warn(`[getAvailableTools] Processing user-level MCP server: ${serverName}`);
-        const customVarKeys = Object.keys(serverConfig.customUserVars);
+      const customVarKeys = Object.keys(serverConfig.customUserVars);
 
-        // Build authConfig for MCP tools
+      if (customVarKeys.length === 0) {
+        toolToAdd.authConfig = [];
+        toolToAdd.authenticated = true;
+      } else {
         toolToAdd.authConfig = Object.entries(serverConfig.customUserVars).map(([key, value]) => ({
           authField: key,
           label: value.title || key,
           description: value.description || '',
         }));
-
-        // Check actual connection status for MCP tools with auth requirements
-        if (userId) {
-          try {
-            const mcpManager = getMCPManager(userId);
-            const connectionStatus = await mcpManager.getUserConnectionStatus(userId, serverName);
-            toolToAdd.authenticated = connectionStatus.connected;
-            logger.warn(`[getAvailableTools] User-level connection status for ${serverName}:`, {
-              connected: connectionStatus.connected,
-              hasConnection: connectionStatus.hasConnection,
-            });
-          } catch (error) {
-            logger.error(
-              `[getAvailableTools] Error checking connection status for ${serverName}:`,
-              error,
-            );
-            toolToAdd.authenticated = false;
-          }
-        } else {
-          // For non-authenticated requests, default to false
-          toolToAdd.authenticated = false;
-        }
-      } else {
-        // Handle app-level MCP servers (no auth required)
-        logger.warn(`[getAvailableTools] Processing app-level MCP server: ${serverName}`);
-        toolToAdd.authConfig = [];
-
-        // Check if the app-level connection is active
-        try {
-          const mcpManager = getMCPManager();
-          const allConnections = mcpManager.getAllConnections();
-          logger.warn(`[getAvailableTools] All app-level connections:`, {
-            connectionNames: Array.from(allConnections.keys()),
-            serverName,
-          });
-
-          const appConnection = mcpManager.getConnection(serverName);
-          logger.warn(`[getAvailableTools] Checking app-level connection for ${serverName}:`, {
-            hasConnection: !!appConnection,
-            connectionState: appConnection?.getConnectionState?.(),
-          });
-
-          if (appConnection) {
-            const connectionState = appConnection.getConnectionState();
-            logger.warn(`[getAvailableTools] App-level connection status for ${serverName}:`, {
-              connectionState,
-              hasConnection: !!appConnection,
-            });
-
-            // For app-level connections, consider them authenticated if they're in 'connected' state
-            // This is more reliable than isConnected() which does network calls
-            toolToAdd.authenticated = connectionState === 'connected';
-            logger.warn(`[getAvailableTools] Final authenticated status for ${serverName}:`, {
-              authenticated: toolToAdd.authenticated,
-              connectionState,
-            });
-          } else {
-            logger.warn(`[getAvailableTools] No app-level connection found for ${serverName}`);
-            toolToAdd.authenticated = false;
-          }
-        } catch (error) {
-          logger.error(
-            `[getAvailableTools] Error checking app-level connection status for ${serverName}:`,
-            error,
-          );
-          toolToAdd.authenticated = false;
-        }
+        toolToAdd.authenticated = false;
       }
 
       toolsOutput.push(toolToAdd);
@@ -320,7 +241,7 @@ const getAvailableTools = async (req, res) => {
  * @param {Object} customConfig - Custom configuration for MCP servers
  * @returns {Array} Array of plugin objects
  */
-async function convertMCPToolsToPlugins(functionTools, customConfig, userId = null) {
+function convertMCPToolsToPlugins(functionTools, customConfig) {
   const plugins = [];
 
   for (const [toolKey, toolData] of Object.entries(functionTools)) {
@@ -332,19 +253,19 @@ async function convertMCPToolsToPlugins(functionTools, customConfig, userId = nu
     const parts = toolKey.split(Constants.mcp_delimiter);
     const serverName = parts[parts.length - 1];
 
+    const serverConfig = customConfig?.mcpServers?.[serverName];
+
     const plugin = {
       name: parts[0], // Use the tool name without server suffix
       pluginKey: toolKey,
       description: functionData.description || '',
-      authenticated: false, // Default to false, will be updated based on connection status
-      icon: undefined,
+      authenticated: true,
+      icon: serverConfig?.iconPath,
     };
 
     // Build authConfig for MCP tools
-    const serverConfig = customConfig?.mcpServers?.[serverName];
     if (!serverConfig?.customUserVars) {
       plugin.authConfig = [];
-      plugin.authenticated = true; // No auth required
       plugins.push(plugin);
       continue;
     }
@@ -352,30 +273,12 @@ async function convertMCPToolsToPlugins(functionTools, customConfig, userId = nu
     const customVarKeys = Object.keys(serverConfig.customUserVars);
     if (customVarKeys.length === 0) {
       plugin.authConfig = [];
-      plugin.authenticated = true; // No auth required
     } else {
       plugin.authConfig = Object.entries(serverConfig.customUserVars).map(([key, value]) => ({
         authField: key,
         label: value.title || key,
         description: value.description || '',
       }));
-
-      // Check actual connection status for MCP tools with auth requirements
-      if (userId) {
-        try {
-          const mcpManager = getMCPManager(userId);
-          const connectionStatus = await mcpManager.getUserConnectionStatus(userId, serverName);
-          plugin.authenticated = connectionStatus.connected;
-        } catch (error) {
-          logger.error(
-            `[convertMCPToolsToPlugins] Error checking connection status for ${serverName}:`,
-            error,
-          );
-          plugin.authenticated = false;
-        }
-      } else {
-        plugin.authenticated = false;
-      }
     }
 
     plugins.push(plugin);

api/server/controllers/PluginController.spec.js

@@ -0,0 +1,89 @@
+const { Constants } = require('librechat-data-provider');
+const { getCustomConfig, getCachedTools } = require('~/server/services/Config');
+const { getLogStores } = require('~/cache');
+
+// Mock the dependencies
+jest.mock('@librechat/data-schemas', () => ({
+  logger: {
+    debug: jest.fn(),
+    error: jest.fn(),
+  },
+}));
+
+jest.mock('~/server/services/Config', () => ({
+  getCustomConfig: jest.fn(),
+  getCachedTools: jest.fn(),
+}));
+
+jest.mock('~/server/services/ToolService', () => ({
+  getToolkitKey: jest.fn(),
+}));
+
+jest.mock('~/config', () => ({
+  getMCPManager: jest.fn(() => ({
+    loadManifestTools: jest.fn().mockResolvedValue([]),
+  })),
+  getFlowStateManager: jest.fn(),
+}));
+
+jest.mock('~/app/clients/tools', () => ({
+  availableTools: [],
+}));
+
+jest.mock('~/cache', () => ({
+  getLogStores: jest.fn(),
+}));
+
+// Import the actual module with the function we want to test
+const { getAvailableTools } = require('./PluginController');
+
+describe('PluginController', () => {
+  describe('plugin.icon behavior', () => {
+    let mockReq, mockRes, mockCache;
+
+    const callGetAvailableToolsWithMCPServer = async (mcpServers) => {
+      mockCache.get.mockResolvedValue(null);
+      getCustomConfig.mockResolvedValue({ mcpServers });
+
+      const functionTools = {
+        [`test-tool${Constants.mcp_delimiter}test-server`]: {
+          function: { name: 'test-tool', description: 'A test tool' },
+        },
+      };
+      getCachedTools.mockResolvedValueOnce(functionTools);
+      getCachedTools.mockResolvedValueOnce({
+        [`test-tool${Constants.mcp_delimiter}test-server`]: true,
+      });
+
+      await getAvailableTools(mockReq, mockRes);
+      const responseData = mockRes.json.mock.calls[0][0];
+      return responseData.find((tool) => tool.name === 'test-tool');
+    };
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      mockReq = { user: { id: 'test-user-id' } };
+      mockRes = { status: jest.fn().mockReturnThis(), json: jest.fn() };
+      mockCache = { get: jest.fn(), set: jest.fn() };
+      getLogStores.mockReturnValue(mockCache);
+    });
+
+    it('should set plugin.icon when iconPath is defined', async () => {
+      const mcpServers = {
+        'test-server': {
+          iconPath: '/path/to/icon.png',
+        },
+      };
+      const testTool = await callGetAvailableToolsWithMCPServer(mcpServers);
+      expect(testTool.icon).toBe('/path/to/icon.png');
+    });
+
+    it('should set plugin.icon to undefined when iconPath is not defined', async () => {
+      const mcpServers = {
+        'test-server': {},
+      };
+      const testTool = await callGetAvailableToolsWithMCPServer(mcpServers);
+      expect(testTool.icon).toBeUndefined();
+    });
+  });
+});

api/server/controllers/UserController.js

@@ -1,11 +1,5 @@
-const {
-  Tools,
-  Constants,
-  FileSources,
-  webSearchKeys,
-  extractWebSearchEnvVars,
-} = require('librechat-data-provider');
 const { logger } = require('@librechat/data-schemas');
+const { webSearchKeys, extractWebSearchEnvVars } = require('@librechat/api');
 const {
   getFiles,
   updateUser,
@@ -20,6 +14,7 @@ const { updateUserPluginAuth, deleteUserPluginAuth } = require('~/server/service
 const { updateUserPluginsService, deleteUserKey } = require('~/server/services/UserService');
 const { verifyEmail, resendVerificationEmail } = require('~/server/services/AuthService');
 const { needsRefresh, getNewS3URL } = require('~/server/services/Files/S3/crud');
+const { Tools, Constants, FileSources } = require('librechat-data-provider');
 const { processDeleteRequest } = require('~/server/services/Files/process');
 const { Transaction, Balance, User } = require('~/db/models');
 const { deleteToolCalls } = require('~/models/ToolCall');
@@ -180,14 +175,12 @@ const updateUserPluginsController = async (req, res) => {
         try {
           const mcpManager = getMCPManager(user.id);
           if (mcpManager) {
-            // Extract server name from pluginKey (e.g., "mcp_myserver" -> "myserver")
+            // Extract server name from pluginKey (format: "mcp_<serverName>")
             const serverName = pluginKey.replace(Constants.mcp_prefix, '');
-
             logger.info(
-              `[updateUserPluginsController] Disconnecting MCP connection for user ${user.id} and server ${serverName} after plugin auth update for ${pluginKey}.`,
+              `[updateUserPluginsController] Disconnecting MCP server ${serverName} for user ${user.id} after plugin auth update for ${pluginKey}.`,
             );
-            // COMMENTED OUT: Don't kill the server connection on revoke
-            // await mcpManager.disconnectUserConnection(user.id, serverName);
+            await mcpManager.disconnectUserConnection(user.id, serverName);
           }
         } catch (disconnectError) {
           logger.error(

api/server/controllers/agents/callbacks.js

@@ -11,6 +11,7 @@ const {
   handleToolCalls,
   ChatModelStreamHandler,
 } = require('@librechat/agents');
+const { processFileCitations } = require('~/server/services/Files/Citations');
 const { processCodeOutput } = require('~/server/services/Files/Code/process');
 const { loadAuthValues } = require('~/server/services/Tools/credentials');
 const { saveBase64Image } = require('~/server/services/Files/process');
@@ -238,6 +239,31 @@ function createToolEndCallback({ req, res, artifactPromises }) {
       return;
     }
 
+    if (output.artifact[Tools.file_search]) {
+      artifactPromises.push(
+        (async () => {
+          const user = req.user;
+          const attachment = await processFileCitations({
+            user,
+            metadata,
+            toolArtifact: output.artifact,
+            toolCallId: output.tool_call_id,
+          });
+          if (!attachment) {
+            return null;
+          }
+          if (!res.headersSent) {
+            return attachment;
+          }
+          res.write(`event: attachment\ndata: ${JSON.stringify(attachment)}\n\n`);
+          return attachment;
+        })().catch((error) => {
+          logger.error('Error processing file citations:', error);
+          return null;
+        }),
+      );
+    }
+
     if (output.artifact[Tools.web_search]) {
       artifactPromises.push(
         (async () => {

api/server/controllers/agents/client.js

@@ -8,15 +8,16 @@ const {
   Tokenizer,
   checkAccess,
   memoryInstructions,
+  formatContentStrings,
   createMemoryProcessor,
 } = require('@librechat/api');
 const {
   Callback,
   Providers,
   GraphEvents,
+  TitleMethod,
   formatMessage,
   formatAgentMessages,
-  formatContentStrings,
   getTokenCountForMessage,
   createMetadataAggregator,
 } = require('@librechat/agents');
@@ -26,7 +27,6 @@ const {
   VisionModes,
   ContentTypes,
   EModelEndpoint,
-  KnownEndpoints,
   PermissionTypes,
   isAgentsEndpoint,
   AgentCapabilities,
@@ -71,13 +71,15 @@ const payloadParser = ({ req, agent, endpoint }) => {
   if (isAgentsEndpoint(endpoint)) {
     return { model: undefined };
   } else if (endpoint === EModelEndpoint.bedrock) {
-    return bedrockInputSchema.parse(agent.model_parameters);
+    const parsedValues = bedrockInputSchema.parse(agent.model_parameters);
+    if (parsedValues.thinking == null) {
+      parsedValues.thinking = false;
+    }
+    return parsedValues;
   }
   return req.body.endpointOption.model_parameters;
 };
 
-const legacyContentEndpoints = new Set([KnownEndpoints.groq, KnownEndpoints.deepseek]);
-
 const noSystemModelRegex = [/\b(o1-preview|o1-mini|amazon\.titan-text)\b/gi];
 
 function createTokenCounter(encoding) {
@@ -510,6 +512,39 @@ class AgentClient extends BaseClient {
     return withoutKeys;
   }
 
+  /**
+   * Filters out image URLs from message content
+   * @param {BaseMessage} message - The message to filter
+   * @returns {BaseMessage} - A new message with image URLs removed
+   */
+  filterImageUrls(message) {
+    if (!message.content || typeof message.content === 'string') {
+      return message;
+    }
+
+    if (Array.isArray(message.content)) {
+      const filteredContent = message.content.filter(
+        (part) => part.type !== ContentTypes.IMAGE_URL,
+      );
+
+      if (filteredContent.length === 1 && filteredContent[0].type === ContentTypes.TEXT) {
+        const MessageClass = message.constructor;
+        return new MessageClass({
+          content: filteredContent[0].text,
+          additional_kwargs: message.additional_kwargs,
+        });
+      }
+
+      const MessageClass = message.constructor;
+      return new MessageClass({
+        content: filteredContent,
+        additional_kwargs: message.additional_kwargs,
+      });
+    }
+
+    return message;
+  }
+
   /**
    * @param {BaseMessage[]} messages
    * @returns {Promise<void | (TAttachment | null)[]>}
@@ -538,7 +573,8 @@ class AgentClient extends BaseClient {
         }
       }
 
-      const bufferString = getBufferString(messagesToProcess);
+      const filteredMessages = messagesToProcess.map((msg) => this.filterImageUrls(msg));
+      const bufferString = getBufferString(filteredMessages);
       const bufferMessage = new HumanMessage(`# Current Chat:\n\n${bufferString}`);
       return await this.processMemory([bufferMessage]);
     } catch (error) {
@@ -718,9 +754,6 @@ class AgentClient extends BaseClient {
         this.indexTokenCountMap,
         toolSet,
       );
-      if (legacyContentEndpoints.has(this.options.agent.endpoint?.toLowerCase())) {
-        initialMessages = formatContentStrings(initialMessages);
-      }
 
       /**
        *
@@ -736,6 +769,9 @@ class AgentClient extends BaseClient {
         if (i > 0) {
           this.model = agent.model_parameters.model;
         }
+        if (i > 0 && config.signal == null) {
+          config.signal = abortController.signal;
+        }
         if (agent.recursion_limit && typeof agent.recursion_limit === 'number') {
           config.recursionLimit = agent.recursion_limit;
         }
@@ -774,7 +810,7 @@ class AgentClient extends BaseClient {
 
         if (noSystemMessages === true && systemContent?.length) {
           const latestMessageContent = _messages.pop().content;
-          if (typeof latestMessage !== 'string') {
+          if (typeof latestMessageContent !== 'string') {
             latestMessageContent[0].text = [systemContent, latestMessageContent[0].text].join('\n');
             _messages.push(new HumanMessage({ content: latestMessageContent }));
           } else {
@@ -784,6 +820,9 @@ class AgentClient extends BaseClient {
         }
 
         let messages = _messages;
+        if (agent.useLegacyContent === true) {
+          messages = formatContentStrings(messages);
+        }
         if (
           agent.model_parameters?.clientOptions?.defaultHeaders?.['anthropic-beta']?.includes(
             'prompt-caching',
@@ -969,6 +1008,7 @@ class AgentClient extends BaseClient {
             this.artifactPromises.push(...attachments);
           }
         }
+
         await this.recordCollectedUsage({ context: 'message' });
       } catch (err) {
         logger.error(
@@ -1012,25 +1052,40 @@ class AgentClient extends BaseClient {
     }
     const { handleLLMEnd, collected: collectedMetadata } = createMetadataAggregator();
     const { req, res, agent } = this.options;
-    const endpoint = agent.endpoint;
+    let endpoint = agent.endpoint;
 
     /** @type {import('@librechat/agents').ClientOptions} */
     let clientOptions = {
       maxTokens: 75,
-      model: agent.model_parameters.model,
+      model: agent.model || agent.model_parameters.model,
     };
 
-    const { getOptions, overrideProvider, customEndpointConfig } =
-      await getProviderConfig(endpoint);
+    let titleProviderConfig = await getProviderConfig(endpoint);
 
     /** @type {TEndpoint | undefined} */
-    const endpointConfig = req.app.locals[endpoint] ?? customEndpointConfig;
+    const endpointConfig =
+      req.app.locals.all ?? req.app.locals[endpoint] ?? titleProviderConfig.customEndpointConfig;
     if (!endpointConfig) {
       logger.warn(
         '[api/server/controllers/agents/client.js #titleConvo] Error getting endpoint config',
       );
     }
 
+    if (endpointConfig?.titleEndpoint && endpointConfig.titleEndpoint !== endpoint) {
+      try {
+        titleProviderConfig = await getProviderConfig(endpointConfig.titleEndpoint);
+        endpoint = endpointConfig.titleEndpoint;
+      } catch (error) {
+        logger.warn(
+          `[api/server/controllers/agents/client.js #titleConvo] Error getting title endpoint config for ${endpointConfig.titleEndpoint}, falling back to default`,
+          error,
+        );
+        // Fall back to original provider config
+        endpoint = agent.endpoint;
+        titleProviderConfig = await getProviderConfig(endpoint);
+      }
+    }
+
     if (
       endpointConfig &&
       endpointConfig.titleModel &&
@@ -1039,7 +1094,7 @@ class AgentClient extends BaseClient {
       clientOptions.model = endpointConfig.titleModel;
     }
 
-    const options = await getOptions({
+    const options = await titleProviderConfig.getOptions({
       req,
       res,
       optionsOnly: true,
@@ -1048,7 +1103,7 @@ class AgentClient extends BaseClient {
       endpointOption: { model_parameters: clientOptions },
     });
 
-    let provider = options.provider ?? overrideProvider ?? agent.provider;
+    let provider = options.provider ?? titleProviderConfig.overrideProvider ?? agent.provider;
     if (
       endpoint === EModelEndpoint.azureOpenAI &&
       options.llmConfig?.azureOpenAIApiInstanceName == null
@@ -1081,16 +1136,23 @@ class AgentClient extends BaseClient {
       ),
     );
 
-    if (provider === Providers.GOOGLE) {
+    if (
+      provider === Providers.GOOGLE &&
+      (endpointConfig?.titleMethod === TitleMethod.FUNCTIONS ||
+        endpointConfig?.titleMethod === TitleMethod.STRUCTURED)
+    ) {
       clientOptions.json = true;
     }
 
     try {
       const titleResult = await this.run.generateTitle({
         provider,
+        clientOptions,
         inputText: text,
         contentParts: this.contentParts,
-        clientOptions,
+        titleMethod: endpointConfig?.titleMethod,
+        titlePrompt: endpointConfig?.titlePrompt,
+        titlePromptTemplate: endpointConfig?.titlePromptTemplate,
         chainOptions: {
           signal: abortController.signal,
           callbacks: [
@@ -1138,8 +1200,52 @@ class AgentClient extends BaseClient {
     }
   }
 
-  /** Silent method, as `recordCollectedUsage` is used instead */
-  async recordTokenUsage() {}
+  /**
+   * @param {object} params
+   * @param {number} params.promptTokens
+   * @param {number} params.completionTokens
+   * @param {OpenAIUsageMetadata} [params.usage]
+   * @param {string} [params.model]
+   * @param {string} [params.context='message']
+   * @returns {Promise<void>}
+   */
+  async recordTokenUsage({ model, promptTokens, completionTokens, usage, context = 'message' }) {
+    try {
+      await spendTokens(
+        {
+          model,
+          context,
+          conversationId: this.conversationId,
+          user: this.user ?? this.options.req.user?.id,
+          endpointTokenConfig: this.options.endpointTokenConfig,
+        },
+        { promptTokens, completionTokens },
+      );
+
+      if (
+        usage &&
+        typeof usage === 'object' &&
+        'reasoning_tokens' in usage &&
+        typeof usage.reasoning_tokens === 'number'
+      ) {
+        await spendTokens(
+          {
+            model,
+            context: 'reasoning',
+            conversationId: this.conversationId,
+            user: this.user ?? this.options.req.user?.id,
+            endpointTokenConfig: this.options.endpointTokenConfig,
+          },
+          { completionTokens: usage.reasoning_tokens },
+        );
+      }
+    } catch (error) {
+      logger.error(
+        '[api/server/controllers/agents/client.js #recordTokenUsage] Error recording token usage',
+        error,
+      );
+    }
+  }
 
   getEncoding() {
     return 'o200k_base';

api/server/controllers/agents/client.test.js

@@ -0,0 +1,957 @@
+const { Providers } = require('@librechat/agents');
+const { Constants, EModelEndpoint } = require('librechat-data-provider');
+const AgentClient = require('./client');
+
+jest.mock('@librechat/agents', () => ({
+  ...jest.requireActual('@librechat/agents'),
+  createMetadataAggregator: () => ({
+    handleLLMEnd: jest.fn(),
+    collected: [],
+  }),
+}));
+
+describe('AgentClient - titleConvo', () => {
+  let client;
+  let mockRun;
+  let mockReq;
+  let mockRes;
+  let mockAgent;
+  let mockOptions;
+
+  beforeEach(() => {
+    // Reset all mocks
+    jest.clearAllMocks();
+
+    // Mock run object
+    mockRun = {
+      generateTitle: jest.fn().mockResolvedValue({
+        title: 'Generated Title',
+      }),
+    };
+
+    // Mock agent - with both endpoint and provider
+    mockAgent = {
+      id: 'agent-123',
+      endpoint: EModelEndpoint.openAI, // Use a valid provider as endpoint for getProviderConfig
+      provider: EModelEndpoint.openAI, // Add provider property
+      model_parameters: {
+        model: 'gpt-4',
+      },
+    };
+
+    // Mock request and response
+    mockReq = {
+      app: {
+        locals: {
+          [EModelEndpoint.openAI]: {
+            // Match the agent endpoint
+            titleModel: 'gpt-3.5-turbo',
+            titlePrompt: 'Custom title prompt',
+            titleMethod: 'structured',
+            titlePromptTemplate: 'Template: {{content}}',
+          },
+        },
+      },
+      user: {
+        id: 'user-123',
+      },
+      body: {
+        model: 'gpt-4',
+        endpoint: EModelEndpoint.openAI,
+        key: null,
+      },
+    };
+
+    mockRes = {};
+
+    // Mock options
+    mockOptions = {
+      req: mockReq,
+      res: mockRes,
+      agent: mockAgent,
+      endpointTokenConfig: {},
+    };
+
+    // Create client instance
+    client = new AgentClient(mockOptions);
+    client.run = mockRun;
+    client.responseMessageId = 'response-123';
+    client.conversationId = 'convo-123';
+    client.contentParts = [{ type: 'text', text: 'Test content' }];
+    client.recordCollectedUsage = jest.fn().mockResolvedValue(); // Mock as async function that resolves
+  });
+
+  describe('titleConvo method', () => {
+    it('should throw error if run is not initialized', async () => {
+      client.run = null;
+
+      await expect(
+        client.titleConvo({ text: 'Test', abortController: new AbortController() }),
+      ).rejects.toThrow('Run not initialized');
+    });
+
+    it('should use titlePrompt from endpoint config', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titlePrompt: 'Custom title prompt',
+        }),
+      );
+    });
+
+    it('should use titlePromptTemplate from endpoint config', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titlePromptTemplate: 'Template: {{content}}',
+        }),
+      );
+    });
+
+    it('should use titleMethod from endpoint config', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          provider: Providers.OPENAI,
+          titleMethod: 'structured',
+        }),
+      );
+    });
+
+    it('should use titleModel from endpoint config when provided', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Check that generateTitle was called with correct clientOptions
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-3.5-turbo');
+    });
+
+    it('should handle missing endpoint config gracefully', async () => {
+      // Remove endpoint config
+      mockReq.app.locals[EModelEndpoint.openAI] = undefined;
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titlePrompt: undefined,
+          titlePromptTemplate: undefined,
+          titleMethod: undefined,
+        }),
+      );
+    });
+
+    it('should use agent model when titleModel is not provided', async () => {
+      // Remove titleModel from config
+      delete mockReq.app.locals[EModelEndpoint.openAI].titleModel;
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-4'); // Should use agent's model
+    });
+
+    it('should not use titleModel when it equals CURRENT_MODEL constant', async () => {
+      mockReq.app.locals[EModelEndpoint.openAI].titleModel = Constants.CURRENT_MODEL;
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-4'); // Should use agent's model
+    });
+
+    it('should pass all required parameters to generateTitle', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith({
+        provider: expect.any(String),
+        inputText: text,
+        contentParts: client.contentParts,
+        clientOptions: expect.objectContaining({
+          model: 'gpt-3.5-turbo',
+        }),
+        titlePrompt: 'Custom title prompt',
+        titlePromptTemplate: 'Template: {{content}}',
+        titleMethod: 'structured',
+        chainOptions: expect.objectContaining({
+          signal: abortController.signal,
+        }),
+      });
+    });
+
+    it('should record collected usage after title generation', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(client.recordCollectedUsage).toHaveBeenCalledWith({
+        model: 'gpt-3.5-turbo',
+        context: 'title',
+        collectedUsage: expect.any(Array),
+      });
+    });
+
+    it('should return the generated title', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      const result = await client.titleConvo({ text, abortController });
+
+      expect(result).toBe('Generated Title');
+    });
+
+    it('should handle errors gracefully and return undefined', async () => {
+      mockRun.generateTitle.mockRejectedValue(new Error('Title generation failed'));
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      const result = await client.titleConvo({ text, abortController });
+
+      expect(result).toBeUndefined();
+    });
+
+    it('should pass titleEndpoint configuration to generateTitle', async () => {
+      // Mock the API key just for this test
+      const originalApiKey = process.env.ANTHROPIC_API_KEY;
+      process.env.ANTHROPIC_API_KEY = 'test-api-key';
+
+      // Add titleEndpoint to the config
+      mockReq.app.locals[EModelEndpoint.openAI].titleEndpoint = EModelEndpoint.anthropic;
+      mockReq.app.locals[EModelEndpoint.openAI].titleMethod = 'structured';
+      mockReq.app.locals[EModelEndpoint.openAI].titlePrompt = 'Custom title prompt';
+      mockReq.app.locals[EModelEndpoint.openAI].titlePromptTemplate = 'Custom template';
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Verify generateTitle was called with the custom configuration
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titleMethod: 'structured',
+          provider: Providers.ANTHROPIC,
+          titlePrompt: 'Custom title prompt',
+          titlePromptTemplate: 'Custom template',
+        }),
+      );
+
+      // Restore the original API key
+      if (originalApiKey) {
+        process.env.ANTHROPIC_API_KEY = originalApiKey;
+      } else {
+        delete process.env.ANTHROPIC_API_KEY;
+      }
+    });
+
+    it('should use all config when endpoint config is missing', async () => {
+      // Remove endpoint-specific config
+      delete mockReq.app.locals[EModelEndpoint.openAI].titleModel;
+      delete mockReq.app.locals[EModelEndpoint.openAI].titlePrompt;
+      delete mockReq.app.locals[EModelEndpoint.openAI].titleMethod;
+      delete mockReq.app.locals[EModelEndpoint.openAI].titlePromptTemplate;
+
+      // Set 'all' config
+      mockReq.app.locals.all = {
+        titleModel: 'gpt-4o-mini',
+        titlePrompt: 'All config title prompt',
+        titleMethod: 'completion',
+        titlePromptTemplate: 'All config template: {{content}}',
+      };
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Verify generateTitle was called with 'all' config values
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titleMethod: 'completion',
+          titlePrompt: 'All config title prompt',
+          titlePromptTemplate: 'All config template: {{content}}',
+        }),
+      );
+
+      // Check that the model was set from 'all' config
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-4o-mini');
+    });
+
+    it('should prioritize all config over endpoint config for title settings', async () => {
+      // Set both endpoint and 'all' config
+      mockReq.app.locals[EModelEndpoint.openAI].titleModel = 'gpt-3.5-turbo';
+      mockReq.app.locals[EModelEndpoint.openAI].titlePrompt = 'Endpoint title prompt';
+      mockReq.app.locals[EModelEndpoint.openAI].titleMethod = 'structured';
+      // Remove titlePromptTemplate from endpoint config to test fallback
+      delete mockReq.app.locals[EModelEndpoint.openAI].titlePromptTemplate;
+
+      mockReq.app.locals.all = {
+        titleModel: 'gpt-4o-mini',
+        titlePrompt: 'All config title prompt',
+        titleMethod: 'completion',
+        titlePromptTemplate: 'All config template',
+      };
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Verify 'all' config takes precedence over endpoint config
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titleMethod: 'completion',
+          titlePrompt: 'All config title prompt',
+          titlePromptTemplate: 'All config template',
+        }),
+      );
+
+      // Check that the model was set from 'all' config
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-4o-mini');
+    });
+
+    it('should use all config with titleEndpoint and verify provider switch', async () => {
+      // Mock the API key for the titleEndpoint provider
+      const originalApiKey = process.env.ANTHROPIC_API_KEY;
+      process.env.ANTHROPIC_API_KEY = 'test-anthropic-key';
+
+      // Remove endpoint-specific config to test 'all' config
+      delete mockReq.app.locals[EModelEndpoint.openAI];
+
+      // Set comprehensive 'all' config with all new title options
+      mockReq.app.locals.all = {
+        titleConvo: true,
+        titleModel: 'claude-3-haiku-20240307',
+        titleMethod: 'completion', // Testing the new default method
+        titlePrompt: 'Generate a concise, descriptive title for this conversation',
+        titlePromptTemplate: 'Conversation summary: {{content}}',
+        titleEndpoint: EModelEndpoint.anthropic, // Should switch provider to Anthropic
+      };
+
+      const text = 'Test conversation about AI and machine learning';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Verify all config values were used
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          provider: Providers.ANTHROPIC, // Critical: Verify provider switched to Anthropic
+          titleMethod: 'completion',
+          titlePrompt: 'Generate a concise, descriptive title for this conversation',
+          titlePromptTemplate: 'Conversation summary: {{content}}',
+          inputText: text,
+          contentParts: client.contentParts,
+        }),
+      );
+
+      // Verify the model was set from 'all' config
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('claude-3-haiku-20240307');
+
+      // Verify other client options are set correctly
+      expect(generateTitleCall.clientOptions).toMatchObject({
+        model: 'claude-3-haiku-20240307',
+        // Note: Anthropic's getOptions may set its own maxTokens value
+      });
+
+      // Restore the original API key
+      if (originalApiKey) {
+        process.env.ANTHROPIC_API_KEY = originalApiKey;
+      } else {
+        delete process.env.ANTHROPIC_API_KEY;
+      }
+    });
+
+    it('should test all titleMethod options from all config', async () => {
+      // Test each titleMethod: 'completion', 'functions', 'structured'
+      const titleMethods = ['completion', 'functions', 'structured'];
+
+      for (const method of titleMethods) {
+        // Clear previous calls
+        mockRun.generateTitle.mockClear();
+
+        // Remove endpoint config
+        delete mockReq.app.locals[EModelEndpoint.openAI];
+
+        // Set 'all' config with specific titleMethod
+        mockReq.app.locals.all = {
+          titleModel: 'gpt-4o-mini',
+          titleMethod: method,
+          titlePrompt: `Testing ${method} method`,
+          titlePromptTemplate: `Template for ${method}: {{content}}`,
+        };
+
+        const text = `Test conversation for ${method} method`;
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify the correct titleMethod was used
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            titleMethod: method,
+            titlePrompt: `Testing ${method} method`,
+            titlePromptTemplate: `Template for ${method}: {{content}}`,
+          }),
+        );
+      }
+    });
+
+    describe('Azure-specific title generation', () => {
+      let originalEnv;
+
+      beforeEach(() => {
+        // Reset mocks
+        jest.clearAllMocks();
+
+        // Save original environment variables
+        originalEnv = { ...process.env };
+
+        // Mock Azure API keys
+        process.env.AZURE_OPENAI_API_KEY = 'test-azure-key';
+        process.env.AZURE_API_KEY = 'test-azure-key';
+        process.env.EASTUS_API_KEY = 'test-eastus-key';
+        process.env.EASTUS2_API_KEY = 'test-eastus2-key';
+      });
+
+      afterEach(() => {
+        // Restore environment variables
+        process.env = originalEnv;
+      });
+
+      it('should use OPENAI provider for Azure serverless endpoints', async () => {
+        // Set up Azure endpoint with serverless config
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
+          titleConvo: true,
+          titleModel: 'grok-3',
+          titleMethod: 'completion',
+          titlePrompt: 'Azure serverless title prompt',
+          streamRate: 35,
+          modelGroupMap: {
+            'grok-3': {
+              group: 'Azure AI Foundry',
+              deploymentName: 'grok-3',
+            },
+          },
+          groupMap: {
+            'Azure AI Foundry': {
+              apiKey: '${AZURE_API_KEY}',
+              baseURL: 'https://test.services.ai.azure.com/models',
+              version: '2024-05-01-preview',
+              serverless: true,
+              models: {
+                'grok-3': {
+                  deploymentName: 'grok-3',
+                },
+              },
+            },
+          },
+        };
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'grok-3';
+
+        const text = 'Test Azure serverless conversation';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify provider was switched to OPENAI for serverless
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            provider: Providers.OPENAI, // Should be OPENAI for serverless
+            titleMethod: 'completion',
+            titlePrompt: 'Azure serverless title prompt',
+          }),
+        );
+      });
+
+      it('should use AZURE provider for Azure endpoints with instanceName', async () => {
+        // Set up Azure endpoint
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
+          titleConvo: true,
+          titleModel: 'gpt-4o',
+          titleMethod: 'structured',
+          titlePrompt: 'Azure instance title prompt',
+          streamRate: 35,
+          modelGroupMap: {
+            'gpt-4o': {
+              group: 'eastus',
+              deploymentName: 'gpt-4o',
+            },
+          },
+          groupMap: {
+            eastus: {
+              apiKey: '${EASTUS_API_KEY}',
+              instanceName: 'region-instance',
+              version: '2024-02-15-preview',
+              models: {
+                'gpt-4o': {
+                  deploymentName: 'gpt-4o',
+                },
+              },
+            },
+          },
+        };
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'gpt-4o';
+
+        const text = 'Test Azure instance conversation';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify provider remains AZURE with instanceName
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            provider: Providers.AZURE,
+            titleMethod: 'structured',
+            titlePrompt: 'Azure instance title prompt',
+          }),
+        );
+      });
+
+      it('should handle Azure titleModel with CURRENT_MODEL constant', async () => {
+        // Set up Azure endpoint
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockAgent.model_parameters.model = 'gpt-4o-latest';
+        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
+          titleConvo: true,
+          titleModel: Constants.CURRENT_MODEL,
+          titleMethod: 'functions',
+          streamRate: 35,
+          modelGroupMap: {
+            'gpt-4o-latest': {
+              group: 'region-eastus',
+              deploymentName: 'gpt-4o-mini',
+              version: '2024-02-15-preview',
+            },
+          },
+          groupMap: {
+            'region-eastus': {
+              apiKey: '${EASTUS2_API_KEY}',
+              instanceName: 'test-instance',
+              version: '2024-12-01-preview',
+              models: {
+                'gpt-4o-latest': {
+                  deploymentName: 'gpt-4o-mini',
+                  version: '2024-02-15-preview',
+                },
+              },
+            },
+          },
+        };
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'gpt-4o-latest';
+
+        const text = 'Test Azure current model';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify it uses the correct model when titleModel is CURRENT_MODEL
+        const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+        // When CURRENT_MODEL is used with Azure, the model gets mapped to the deployment name
+        // In this case, 'gpt-4o-latest' is mapped to 'gpt-4o-mini' deployment
+        expect(generateTitleCall.clientOptions.model).toBe('gpt-4o-mini');
+        // Also verify that CURRENT_MODEL constant was not passed as the model
+        expect(generateTitleCall.clientOptions.model).not.toBe(Constants.CURRENT_MODEL);
+      });
+
+      it('should handle Azure with multiple model groups', async () => {
+        // Set up Azure endpoint
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
+          titleConvo: true,
+          titleModel: 'o1-mini',
+          titleMethod: 'completion',
+          streamRate: 35,
+          modelGroupMap: {
+            'gpt-4o': {
+              group: 'eastus',
+              deploymentName: 'gpt-4o',
+            },
+            'o1-mini': {
+              group: 'region-eastus',
+              deploymentName: 'o1-mini',
+            },
+            'codex-mini': {
+              group: 'codex-mini',
+              deploymentName: 'codex-mini',
+            },
+          },
+          groupMap: {
+            eastus: {
+              apiKey: '${EASTUS_API_KEY}',
+              instanceName: 'region-eastus',
+              version: '2024-02-15-preview',
+              models: {
+                'gpt-4o': {
+                  deploymentName: 'gpt-4o',
+                },
+              },
+            },
+            'region-eastus': {
+              apiKey: '${EASTUS2_API_KEY}',
+              instanceName: 'region-eastus2',
+              version: '2024-12-01-preview',
+              models: {
+                'o1-mini': {
+                  deploymentName: 'o1-mini',
+                },
+              },
+            },
+            'codex-mini': {
+              apiKey: '${AZURE_API_KEY}',
+              baseURL: 'https://example.cognitiveservices.azure.com/openai/',
+              version: '2025-04-01-preview',
+              serverless: true,
+              models: {
+                'codex-mini': {
+                  deploymentName: 'codex-mini',
+                },
+              },
+            },
+          },
+        };
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'o1-mini';
+
+        const text = 'Test Azure multi-group conversation';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify correct model and provider are used
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            provider: Providers.AZURE,
+            titleMethod: 'completion',
+          }),
+        );
+
+        const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+        expect(generateTitleCall.clientOptions.model).toBe('o1-mini');
+        expect(generateTitleCall.clientOptions.maxTokens).toBeUndefined(); // o1 models shouldn't have maxTokens
+      });
+
+      it('should use all config as fallback for Azure endpoints', async () => {
+        // Set up Azure endpoint with minimal config
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'gpt-4';
+
+        // Remove Azure-specific config
+        delete mockReq.app.locals[EModelEndpoint.azureOpenAI];
+
+        // Set 'all' config as fallback with a serverless Azure config
+        mockReq.app.locals.all = {
+          titleConvo: true,
+          titleModel: 'gpt-4',
+          titleMethod: 'structured',
+          titlePrompt: 'Fallback title prompt from all config',
+          titlePromptTemplate: 'Template: {{content}}',
+          modelGroupMap: {
+            'gpt-4': {
+              group: 'default-group',
+              deploymentName: 'gpt-4',
+            },
+          },
+          groupMap: {
+            'default-group': {
+              apiKey: '${AZURE_API_KEY}',
+              baseURL: 'https://default.openai.azure.com/',
+              version: '2024-02-15-preview',
+              serverless: true,
+              models: {
+                'gpt-4': {
+                  deploymentName: 'gpt-4',
+                },
+              },
+            },
+          },
+        };
+
+        const text = 'Test Azure with all config fallback';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify all config is used
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            provider: Providers.OPENAI, // Should be OPENAI when no instanceName
+            titleMethod: 'structured',
+            titlePrompt: 'Fallback title prompt from all config',
+            titlePromptTemplate: 'Template: {{content}}',
+          }),
+        );
+      });
+    });
+  });
+
+  describe('runMemory method', () => {
+    let client;
+    let mockReq;
+    let mockRes;
+    let mockAgent;
+    let mockOptions;
+    let mockProcessMemory;
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+
+      mockAgent = {
+        id: 'agent-123',
+        endpoint: EModelEndpoint.openAI,
+        provider: EModelEndpoint.openAI,
+        model_parameters: {
+          model: 'gpt-4',
+        },
+      };
+
+      mockReq = {
+        app: {
+          locals: {
+            memory: {
+              messageWindowSize: 3,
+            },
+          },
+        },
+        user: {
+          id: 'user-123',
+          personalization: {
+            memories: true,
+          },
+        },
+      };
+
+      mockRes = {};
+
+      mockOptions = {
+        req: mockReq,
+        res: mockRes,
+        agent: mockAgent,
+      };
+
+      mockProcessMemory = jest.fn().mockResolvedValue([]);
+
+      client = new AgentClient(mockOptions);
+      client.processMemory = mockProcessMemory;
+      client.conversationId = 'convo-123';
+      client.responseMessageId = 'response-123';
+    });
+
+    it('should filter out image URLs from message content', async () => {
+      const { HumanMessage, AIMessage } = require('@langchain/core/messages');
+      const messages = [
+        new HumanMessage({
+          content: [
+            {
+              type: 'text',
+              text: 'What is in this image?',
+            },
+            {
+              type: 'image_url',
+              image_url: {
+                url: 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==',
+                detail: 'auto',
+              },
+            },
+          ],
+        }),
+        new AIMessage('I can see a small red pixel in the image.'),
+        new HumanMessage({
+          content: [
+            {
+              type: 'text',
+              text: 'What about this one?',
+            },
+            {
+              type: 'image_url',
+              image_url: {
+                url: 'data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/',
+                detail: 'high',
+              },
+            },
+          ],
+        }),
+      ];
+
+      await client.runMemory(messages);
+
+      expect(mockProcessMemory).toHaveBeenCalledTimes(1);
+      const processedMessage = mockProcessMemory.mock.calls[0][0][0];
+
+      // Verify the buffer message was created
+      expect(processedMessage.constructor.name).toBe('HumanMessage');
+      expect(processedMessage.content).toContain('# Current Chat:');
+
+      // Verify that image URLs are not in the buffer string
+      expect(processedMessage.content).not.toContain('image_url');
+      expect(processedMessage.content).not.toContain('data:image');
+      expect(processedMessage.content).not.toContain('base64');
+
+      // Verify text content is preserved
+      expect(processedMessage.content).toContain('What is in this image?');
+      expect(processedMessage.content).toContain('I can see a small red pixel in the image.');
+      expect(processedMessage.content).toContain('What about this one?');
+    });
+
+    it('should handle messages with only text content', async () => {
+      const { HumanMessage, AIMessage } = require('@langchain/core/messages');
+      const messages = [
+        new HumanMessage('Hello, how are you?'),
+        new AIMessage('I am doing well, thank you!'),
+        new HumanMessage('That is great to hear.'),
+      ];
+
+      await client.runMemory(messages);
+
+      expect(mockProcessMemory).toHaveBeenCalledTimes(1);
+      const processedMessage = mockProcessMemory.mock.calls[0][0][0];
+
+      expect(processedMessage.content).toContain('Hello, how are you?');
+      expect(processedMessage.content).toContain('I am doing well, thank you!');
+      expect(processedMessage.content).toContain('That is great to hear.');
+    });
+
+    it('should handle mixed content types correctly', async () => {
+      const { HumanMessage } = require('@langchain/core/messages');
+      const { ContentTypes } = require('librechat-data-provider');
+
+      const messages = [
+        new HumanMessage({
+          content: [
+            {
+              type: 'text',
+              text: 'Here is some text',
+            },
+            {
+              type: ContentTypes.IMAGE_URL,
+              image_url: {
+                url: 'https://example.com/image.png',
+              },
+            },
+            {
+              type: 'text',
+              text: ' and more text',
+            },
+          ],
+        }),
+      ];
+
+      await client.runMemory(messages);
+
+      expect(mockProcessMemory).toHaveBeenCalledTimes(1);
+      const processedMessage = mockProcessMemory.mock.calls[0][0][0];
+
+      // Should contain text parts but not image URLs
+      expect(processedMessage.content).toContain('Here is some text');
+      expect(processedMessage.content).toContain('and more text');
+      expect(processedMessage.content).not.toContain('example.com/image.png');
+      expect(processedMessage.content).not.toContain('IMAGE_URL');
+    });
+
+    it('should preserve original messages without mutation', async () => {
+      const { HumanMessage } = require('@langchain/core/messages');
+      const originalContent = [
+        {
+          type: 'text',
+          text: 'Original text',
+        },
+        {
+          type: 'image_url',
+          image_url: {
+            url: 'data:image/png;base64,ABC123',
+          },
+        },
+      ];
+
+      const messages = [
+        new HumanMessage({
+          content: [...originalContent],
+        }),
+      ];
+
+      await client.runMemory(messages);
+
+      // Verify original message wasn't mutated
+      expect(messages[0].content).toHaveLength(2);
+      expect(messages[0].content[1].type).toBe('image_url');
+      expect(messages[0].content[1].image_url.url).toBe('data:image/png;base64,ABC123');
+    });
+
+    it('should handle message window size correctly', async () => {
+      const { HumanMessage, AIMessage } = require('@langchain/core/messages');
+      const messages = [
+        new HumanMessage('Message 1'),
+        new AIMessage('Response 1'),
+        new HumanMessage('Message 2'),
+        new AIMessage('Response 2'),
+        new HumanMessage('Message 3'),
+        new AIMessage('Response 3'),
+      ];
+
+      // Window size is set to 3 in mockReq
+      await client.runMemory(messages);
+
+      expect(mockProcessMemory).toHaveBeenCalledTimes(1);
+      const processedMessage = mockProcessMemory.mock.calls[0][0][0];
+
+      // Should only include last 3 messages due to window size
+      expect(processedMessage.content).toContain('Message 3');
+      expect(processedMessage.content).toContain('Response 3');
+      expect(processedMessage.content).not.toContain('Message 1');
+      expect(processedMessage.content).not.toContain('Response 1');
+    });
+
+    it('should return early if processMemory is not set', async () => {
+      const { HumanMessage } = require('@langchain/core/messages');
+      client.processMemory = null;
+
+      const result = await client.runMemory([new HumanMessage('Test')]);
+
+      expect(result).toBeUndefined();
+      expect(mockProcessMemory).not.toHaveBeenCalled();
+    });
+  });
+});

api/server/controllers/agents/errors.js

@@ -105,8 +105,6 @@ const createErrorHandler = ({ req, res, getContext, originPath = '/assistants/ch
         return res.end();
       }
       await cache.delete(cacheKey);
-      // const cancelledRun = await openai.beta.threads.runs.cancel(thread_id, run_id);
-      // logger.debug(`[${originPath}] Cancelled run:`, cancelledRun);
     } catch (error) {
       logger.error(`[${originPath}] Error cancelling run`, error);
     }
@@ -115,7 +113,6 @@ const createErrorHandler = ({ req, res, getContext, originPath = '/assistants/ch
 
     let run;
     try {
-      // run = await openai.beta.threads.runs.retrieve(thread_id, run_id);
       await recordUsage({
         ...run.usage,
         model: run.model,
@@ -128,18 +125,9 @@ const createErrorHandler = ({ req, res, getContext, originPath = '/assistants/ch
 
     let finalEvent;
     try {
-      // const errorContentPart = {
-      //   text: {
-      //     value:
-      //       error?.message ?? 'There was an error processing your request. Please try again later.',
-      //   },
-      //   type: ContentTypes.ERROR,
-      // };
-
       finalEvent = {
         final: true,
         conversation: await getConvo(req.user.id, conversationId),
-        // runMessages,
       };
     } catch (error) {
       logger.error(`[${originPath}] Error finalizing error process`, error);

api/server/controllers/agents/v1.js

@@ -5,30 +5,40 @@ const { logger } = require('@librechat/data-schemas');
 const { agentCreateSchema, agentUpdateSchema } = require('@librechat/api');
 const {
   Tools,
-  Constants,
-  FileSources,
   SystemRoles,
+  FileSources,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
   EToolResources,
+  PermissionBits,
   actionDelimiter,
   removeNullishValues,
 } = require('librechat-data-provider');
 const {
-  getAgent,
+  getListAgentsByAccess,
+  countPromotedAgents,
+  revertAgentVersion,
   createAgent,
   updateAgent,
   deleteAgent,
-  getListAgents,
+  getAgent,
 } = require('~/models/Agent');
+const {
+  findPubliclyAccessibleResources,
+  findAccessibleResources,
+  hasPublicPermission,
+  grantPermission,
+} = require('~/server/services/PermissionService');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { resizeAvatar } = require('~/server/services/Files/images/avatar');
+const { getFileStrategy } = require('~/server/utils/getFileStrategy');
 const { refreshS3Url } = require('~/server/services/Files/S3/crud');
 const { filterFile } = require('~/server/services/Files/process');
 const { updateAction, getActions } = require('~/models/Action');
 const { getCachedTools } = require('~/server/services/Config');
-const { updateAgentProjects } = require('~/models/Agent');
-const { getProjectByName } = require('~/models/Project');
-const { revertAgentVersion } = require('~/models/Agent');
 const { deleteFileByFilter } = require('~/models/File');
+const { getCategoriesWithCounts } = require('~/models');
 
 const systemTools = {
   [Tools.execute_code]: true,
@@ -42,7 +52,7 @@ const systemTools = {
  * @param {ServerRequest} req - The request object.
  * @param {AgentCreateParams} req.body - The request body.
  * @param {ServerResponse} res - The response object.
- * @returns {Agent} 201 - success response - application/json
+ * @returns {Promise<Agent>} 201 - success response - application/json
  */
 const createAgentHandler = async (req, res) => {
   try {
@@ -67,6 +77,27 @@ const createAgentHandler = async (req, res) => {
     }
 
     const agent = await createAgent(agentData);
+
+    // Automatically grant owner permissions to the creator
+    try {
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_OWNER,
+        grantedBy: userId,
+      });
+      logger.debug(
+        `[createAgent] Granted owner permissions to user ${userId} for agent ${agent.id}`,
+      );
+    } catch (permissionError) {
+      logger.error(
+        `[createAgent] Failed to grant owner permissions for agent ${agent.id}:`,
+        permissionError,
+      );
+    }
+
     res.status(201).json(agent);
   } catch (error) {
     if (error instanceof z.ZodError) {
@@ -89,21 +120,14 @@ const createAgentHandler = async (req, res) => {
  * @returns {Promise<Agent>} 200 - success response - application/json
  * @returns {Error} 404 - Agent not found
  */
-const getAgentHandler = async (req, res) => {
+const getAgentHandler = async (req, res, expandProperties = false) => {
   try {
     const id = req.params.id;
     const author = req.user.id;
 
-    let query = { id, author };
-
-    const globalProject = await getProjectByName(Constants.GLOBAL_PROJECT_NAME, ['agentIds']);
-    if (globalProject && (globalProject.agentIds?.length ?? 0) > 0) {
-      query = {
-        $or: [{ id, $in: globalProject.agentIds }, query],
-      };
-    }
-
-    const agent = await getAgent(query);
+    // Permissions are validated by middleware before calling this function
+    // Simply load the agent by ID
+    const agent = await getAgent({ id });
 
     if (!agent) {
       return res.status(404).json({ error: 'Agent not found' });
@@ -120,23 +144,45 @@ const getAgentHandler = async (req, res) => {
     }
 
     agent.author = agent.author.toString();
+
+    // @deprecated - isCollaborative replaced by ACL permissions
     agent.isCollaborative = !!agent.isCollaborative;
 
+    // Check if agent is public
+    const isPublic = await hasPublicPermission({
+      resourceType: ResourceType.AGENT,
+      resourceId: agent._id,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+    agent.isPublic = isPublic;
+
     if (agent.author !== author) {
       delete agent.author;
     }
 
-    if (!agent.isCollaborative && agent.author !== author && req.user.role !== SystemRoles.ADMIN) {
+    if (!expandProperties) {
+      // VIEW permission: Basic agent info only
       return res.status(200).json({
+        _id: agent._id,
         id: agent.id,
         name: agent.name,
+        description: agent.description,
         avatar: agent.avatar,
         author: agent.author,
+        provider: agent.provider,
+        model: agent.model,
         projectIds: agent.projectIds,
+        // @deprecated - isCollaborative replaced by ACL permissions
         isCollaborative: agent.isCollaborative,
+        isPublic: agent.isPublic,
         version: agent.version,
+        // Safe metadata
+        createdAt: agent.createdAt,
+        updatedAt: agent.updatedAt,
       });
     }
+
+    // EDIT permission: Full agent details including sensitive configuration
     return res.status(200).json(agent);
   } catch (error) {
     logger.error('[/Agents/:id] Error retrieving agent', error);
@@ -157,43 +203,20 @@ const updateAgentHandler = async (req, res) => {
   try {
     const id = req.params.id;
     const validatedData = agentUpdateSchema.parse(req.body);
-    const { projectIds, removeProjectIds, ...updateData } = removeNullishValues(validatedData);
-    const isAdmin = req.user.role === SystemRoles.ADMIN;
+    const { _id, ...updateData } = removeNullishValues(validatedData);
     const existingAgent = await getAgent({ id });
 
     if (!existingAgent) {
       return res.status(404).json({ error: 'Agent not found' });
     }
 
-    const isAuthor = existingAgent.author.toString() === req.user.id;
-    const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
-
-    if (!hasEditPermission) {
-      return res.status(403).json({
-        error: 'You do not have permission to modify this non-collaborative agent',
-      });
-    }
-
-    /** @type {boolean} */
-    const isProjectUpdate = (projectIds?.length ?? 0) > 0 || (removeProjectIds?.length ?? 0) > 0;
-
     let updatedAgent =
       Object.keys(updateData).length > 0
         ? await updateAgent({ id }, updateData, {
             updatingUserId: req.user.id,
-            skipVersioning: isProjectUpdate,
           })
         : existingAgent;
 
-    if (isProjectUpdate) {
-      updatedAgent = await updateAgentProjects({
-        user: req.user,
-        agentId: id,
-        projectIds,
-        removeProjectIds,
-      });
-    }
-
     if (updatedAgent.author) {
       updatedAgent.author = updatedAgent.author.toString();
     }
@@ -318,6 +341,26 @@ const duplicateAgentHandler = async (req, res) => {
     newAgentData.actions = agentActions;
     const newAgent = await createAgent(newAgentData);
 
+    // Automatically grant owner permissions to the duplicator
+    try {
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: userId,
+        resourceType: ResourceType.AGENT,
+        resourceId: newAgent._id,
+        accessRoleId: AccessRoleIds.AGENT_OWNER,
+        grantedBy: userId,
+      });
+      logger.debug(
+        `[duplicateAgent] Granted owner permissions to user ${userId} for duplicated agent ${newAgent.id}`,
+      );
+    } catch (permissionError) {
+      logger.error(
+        `[duplicateAgent] Failed to grant owner permissions for duplicated agent ${newAgent.id}:`,
+        permissionError,
+      );
+    }
+
     return res.status(201).json({
       agent: newAgent,
       actions: newActionsList,
@@ -344,7 +387,7 @@ const deleteAgentHandler = async (req, res) => {
     if (!agent) {
       return res.status(404).json({ error: 'Agent not found' });
     }
-    await deleteAgent({ id, author: req.user.id });
+    await deleteAgent({ id });
     return res.json({ message: 'Agent deleted' });
   } catch (error) {
     logger.error('[/Agents/:id] Error deleting Agent', error);
@@ -353,7 +396,7 @@ const deleteAgentHandler = async (req, res) => {
 };
 
 /**
- *
+ * Lists agents using ACL-aware permissions (ownership + explicit shares).
  * @route GET /Agents
  * @param {object} req - Express Request
  * @param {object} req.query - Request query
@@ -362,9 +405,65 @@ const deleteAgentHandler = async (req, res) => {
  */
 const getListAgentsHandler = async (req, res) => {
   try {
-    const data = await getListAgents({
-      author: req.user.id,
+    const userId = req.user.id;
+    const { category, search, limit, cursor, promoted } = req.query;
+    let requiredPermission = req.query.requiredPermission;
+    if (typeof requiredPermission === 'string') {
+      requiredPermission = parseInt(requiredPermission, 10);
+      if (isNaN(requiredPermission)) {
+        requiredPermission = PermissionBits.VIEW;
+      }
+    } else if (typeof requiredPermission !== 'number') {
+      requiredPermission = PermissionBits.VIEW;
+    }
+    // Base filter
+    const filter = {};
+
+    // Handle category filter - only apply if category is defined
+    if (category !== undefined && category.trim() !== '') {
+      filter.category = category;
+    }
+
+    // Handle promoted filter - only from query param
+    if (promoted === '1') {
+      filter.is_promoted = true;
+    } else if (promoted === '0') {
+      filter.is_promoted = { $ne: true };
+    }
+
+    // Handle search filter
+    if (search && search.trim() !== '') {
+      filter.$or = [
+        { name: { $regex: search.trim(), $options: 'i' } },
+        { description: { $regex: search.trim(), $options: 'i' } },
+      ];
+    }
+    // Get agent IDs the user has VIEW access to via ACL
+    const accessibleIds = await findAccessibleResources({
+      userId,
+      role: req.user.role,
+      resourceType: ResourceType.AGENT,
+      requiredPermissions: requiredPermission,
     });
+    const publiclyAccessibleIds = await findPubliclyAccessibleResources({
+      resourceType: ResourceType.AGENT,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+    // Use the new ACL-aware function
+    const data = await getListAgentsByAccess({
+      accessibleIds,
+      otherParams: filter,
+      limit,
+      after: cursor,
+    });
+    if (data?.data?.length) {
+      data.data = data.data.map((agent) => {
+        if (publiclyAccessibleIds.some((id) => id.equals(agent._id))) {
+          agent.isPublic = true;
+        }
+        return agent;
+      });
+    }
     return res.json(data);
   } catch (error) {
     logger.error('[/Agents] Error listing Agents', error);
@@ -398,7 +497,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
       return res.status(404).json({ error: 'Agent not found' });
     }
 
-    const isAuthor = existingAgent.author.toString() === req.user.id;
+    const isAuthor = existingAgent.author.toString() === req.user.id.toString();
     const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
 
     if (!hasEditPermission) {
@@ -409,7 +508,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
 
     const buffer = await fs.readFile(req.file.path);
 
-    const fileStrategy = req.app.locals.fileStrategy;
+    const fileStrategy = getFileStrategy(req.app.locals, { isAvatar: true });
 
     const resizedBuffer = await resizeAvatar({
       userId: req.user.id,
@@ -506,7 +605,7 @@ const revertAgentVersionHandler = async (req, res) => {
       return res.status(404).json({ error: 'Agent not found' });
     }
 
-    const isAuthor = existingAgent.author.toString() === req.user.id;
+    const isAuthor = existingAgent.author.toString() === req.user.id.toString();
     const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
 
     if (!hasEditPermission) {
@@ -531,7 +630,48 @@ const revertAgentVersionHandler = async (req, res) => {
     res.status(500).json({ error: error.message });
   }
 };
+/**
+ * Get all agent categories with counts
+ *
+ * @param {Object} _req - Express request object (unused)
+ * @param {Object} res - Express response object
+ */
+const getAgentCategories = async (_req, res) => {
+  try {
+    const categories = await getCategoriesWithCounts();
+    const promotedCount = await countPromotedAgents();
+    const formattedCategories = categories.map((category) => ({
+      value: category.value,
+      label: category.label,
+      count: category.agentCount,
+      description: category.description,
+    }));
 
+    if (promotedCount > 0) {
+      formattedCategories.unshift({
+        value: 'promoted',
+        label: 'Promoted',
+        count: promotedCount,
+        description: 'Our recommended agents',
+      });
+    }
+
+    formattedCategories.push({
+      value: 'all',
+      label: 'All',
+      description: 'All available agents',
+    });
+
+    res.status(200).json(formattedCategories);
+  } catch (error) {
+    logger.error('[/Agents/Marketplace] Error fetching agent categories:', error);
+    res.status(500).json({
+      error: 'Failed to fetch agent categories',
+      userMessage: 'Unable to load categories. Please refresh the page.',
+      suggestion: 'Try refreshing the page or check your network connection',
+    });
+  }
+};
 module.exports = {
   createAgent: createAgentHandler,
   getAgent: getAgentHandler,
@@ -541,4 +681,5 @@ module.exports = {
   getListAgents: getListAgentsHandler,
   uploadAgentAvatar: uploadAgentAvatarHandler,
   revertAgentVersion: revertAgentVersionHandler,
+  getAgentCategories,
 };

api/server/controllers/agents/v1.spec.js

@@ -1,5 +1,6 @@
 const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
+const { nanoid } = require('nanoid');
 const { MongoMemoryServer } = require('mongodb-memory-server');
 const { agentSchema } = require('@librechat/data-schemas');
 
@@ -41,7 +42,27 @@ jest.mock('~/models/File', () => ({
   deleteFileByFilter: jest.fn(),
 }));
 
-const { createAgent: createAgentHandler, updateAgent: updateAgentHandler } = require('./v1');
+jest.mock('~/server/services/PermissionService', () => ({
+  findAccessibleResources: jest.fn().mockResolvedValue([]),
+  findPubliclyAccessibleResources: jest.fn().mockResolvedValue([]),
+  grantPermission: jest.fn(),
+  hasPublicPermission: jest.fn().mockResolvedValue(false),
+}));
+
+jest.mock('~/models', () => ({
+  getCategoriesWithCounts: jest.fn(),
+}));
+
+const {
+  createAgent: createAgentHandler,
+  updateAgent: updateAgentHandler,
+  getListAgents: getListAgentsHandler,
+} = require('./v1');
+
+const {
+  findAccessibleResources,
+  findPubliclyAccessibleResources,
+} = require('~/server/services/PermissionService');
 
 /**
  * @type {import('mongoose').Model<import('@librechat/data-schemas').IAgent>}
@@ -79,6 +100,7 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       },
       body: {},
       params: {},
+      query: {},
       app: {
         locals: {
           fileStrategy: 'local',
@@ -235,6 +257,81 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.tool_resources.invalid_resource).toBeUndefined();
     });
 
+    test('should handle support_contact with empty strings', async () => {
+      const dataWithEmptyContact = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Agent with Empty Contact',
+        support_contact: {
+          name: '',
+          email: '',
+        },
+      };
+
+      mockReq.body = dataWithEmptyContact;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+      expect(createdAgent.name).toBe('Agent with Empty Contact');
+      expect(createdAgent.support_contact).toBeDefined();
+      expect(createdAgent.support_contact.name).toBe('');
+      expect(createdAgent.support_contact.email).toBe('');
+    });
+
+    test('should handle support_contact with valid email', async () => {
+      const dataWithValidContact = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Agent with Valid Contact',
+        support_contact: {
+          name: 'Support Team',
+          email: 'support@example.com',
+        },
+      };
+
+      mockReq.body = dataWithValidContact;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+      expect(createdAgent.support_contact).toBeDefined();
+      expect(createdAgent.support_contact.name).toBe('Support Team');
+      expect(createdAgent.support_contact.email).toBe('support@example.com');
+    });
+
+    test('should reject support_contact with invalid email', async () => {
+      const dataWithInvalidEmail = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Agent with Invalid Email',
+        support_contact: {
+          name: 'Support',
+          email: 'not-an-email',
+        },
+      };
+
+      mockReq.body = dataWithInvalidEmail;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(400);
+      expect(mockRes.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          error: 'Invalid request data',
+          details: expect.arrayContaining([
+            expect.objectContaining({
+              path: ['support_contact', 'email'],
+            }),
+          ]),
+        }),
+      );
+    });
+
     test('should handle avatar validation', async () => {
       const dataWithAvatar = {
         provider: 'openai',
@@ -372,52 +469,6 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.id).toBe(existingAgentId);
     });
 
-    test('should reject update from non-author when not collaborative', async () => {
-      const differentUserId = new mongoose.Types.ObjectId().toString();
-      mockReq.user.id = differentUserId; // Different user
-      mockReq.params.id = existingAgentId;
-      mockReq.body = {
-        name: 'Unauthorized Update',
-      };
-
-      await updateAgentHandler(mockReq, mockRes);
-
-      expect(mockRes.status).toHaveBeenCalledWith(403);
-      expect(mockRes.json).toHaveBeenCalledWith({
-        error: 'You do not have permission to modify this non-collaborative agent',
-      });
-
-      // Verify agent was not modified in database
-      const agentInDb = await Agent.findOne({ id: existingAgentId });
-      expect(agentInDb.name).toBe('Original Agent');
-    });
-
-    test('should allow update from non-author when collaborative', async () => {
-      // First make the agent collaborative
-      await Agent.updateOne({ id: existingAgentId }, { isCollaborative: true });
-
-      const differentUserId = new mongoose.Types.ObjectId().toString();
-      mockReq.user.id = differentUserId; // Different user
-      mockReq.params.id = existingAgentId;
-      mockReq.body = {
-        name: 'Collaborative Update',
-      };
-
-      await updateAgentHandler(mockReq, mockRes);
-
-      expect(mockRes.status).not.toHaveBeenCalledWith(403);
-      expect(mockRes.json).toHaveBeenCalled();
-
-      const updatedAgent = mockRes.json.mock.calls[0][0];
-      expect(updatedAgent.name).toBe('Collaborative Update');
-      // Author field should be removed for non-author
-      expect(updatedAgent.author).toBeUndefined();
-
-      // Verify in database
-      const agentInDb = await Agent.findOne({ id: existingAgentId });
-      expect(agentInDb.name).toBe('Collaborative Update');
-    });
-
     test('should allow admin to update any agent', async () => {
       const adminUserId = new mongoose.Types.ObjectId().toString();
       mockReq.user.id = adminUserId;
@@ -555,45 +606,6 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.__v).not.toBe(99);
     });
 
-    test('should prevent privilege escalation through isCollaborative', async () => {
-      // Create a non-collaborative agent
-      const authorId = new mongoose.Types.ObjectId();
-      const agent = await Agent.create({
-        id: `agent_${uuidv4()}`,
-        name: 'Private Agent',
-        provider: 'openai',
-        model: 'gpt-4',
-        author: authorId,
-        isCollaborative: false,
-        versions: [
-          {
-            name: 'Private Agent',
-            provider: 'openai',
-            model: 'gpt-4',
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          },
-        ],
-      });
-
-      // Try to make it collaborative as a different user
-      const attackerId = new mongoose.Types.ObjectId().toString();
-      mockReq.user.id = attackerId;
-      mockReq.params.id = agent.id;
-      mockReq.body = {
-        isCollaborative: true, // Trying to escalate privileges
-      };
-
-      await updateAgentHandler(mockReq, mockRes);
-
-      // Should be rejected
-      expect(mockRes.status).toHaveBeenCalledWith(403);
-
-      // Verify in database that it's still not collaborative
-      const agentInDb = await Agent.findOne({ id: agent.id });
-      expect(agentInDb.isCollaborative).toBe(false);
-    });
-
     test('should prevent author hijacking', async () => {
       const originalAuthorId = new mongoose.Types.ObjectId();
       const attackerId = new mongoose.Types.ObjectId();
@@ -656,4 +668,373 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.futureFeature).toBeUndefined();
     });
   });
+
+  describe('getListAgentsHandler - Security Tests', () => {
+    let userA, userB;
+    let agentA1, agentA2, agentA3, agentB1;
+
+    beforeEach(async () => {
+      await Agent.deleteMany({});
+      jest.clearAllMocks();
+
+      // Create two test users
+      userA = new mongoose.Types.ObjectId();
+      userB = new mongoose.Types.ObjectId();
+
+      // Create agents for User A
+      agentA1 = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Agent A1',
+        description: 'User A agent 1',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        versions: [
+          {
+            name: 'Agent A1',
+            description: 'User A agent 1',
+            provider: 'openai',
+            model: 'gpt-4',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      agentA2 = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Agent A2',
+        description: 'User A agent 2',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        versions: [
+          {
+            name: 'Agent A2',
+            description: 'User A agent 2',
+            provider: 'openai',
+            model: 'gpt-4',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      agentA3 = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Agent A3',
+        description: 'User A agent 3',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        category: 'productivity',
+        versions: [
+          {
+            name: 'Agent A3',
+            description: 'User A agent 3',
+            provider: 'openai',
+            model: 'gpt-4',
+            category: 'productivity',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      // Create an agent for User B
+      agentB1 = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Agent B1',
+        description: 'User B agent 1',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userB,
+        versions: [
+          {
+            name: 'Agent B1',
+            description: 'User B agent 1',
+            provider: 'openai',
+            model: 'gpt-4',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+    });
+
+    test('should return empty list when user has no accessible agents', async () => {
+      // User B has no permissions and no owned agents
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      expect(findAccessibleResources).toHaveBeenCalledWith({
+        userId: userB.toString(),
+        role: 'USER',
+        resourceType: 'agent',
+        requiredPermissions: 1, // VIEW permission
+      });
+
+      expect(mockRes.json).toHaveBeenCalledWith({
+        object: 'list',
+        data: [],
+        first_id: null,
+        last_id: null,
+        has_more: false,
+        after: null,
+      });
+    });
+
+    test('should not return other users agents when accessibleIds is empty', async () => {
+      // User B trying to see agents with no permissions
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(0);
+
+      // Verify User A's agents are not included
+      const agentIds = response.data.map((a) => a.id);
+      expect(agentIds).not.toContain(agentA1.id);
+      expect(agentIds).not.toContain(agentA2.id);
+      expect(agentIds).not.toContain(agentA3.id);
+    });
+
+    test('should only return agents user has access to', async () => {
+      // User B has access to one of User A's agents
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([agentA1._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(agentA1.id);
+      expect(response.data[0].name).toBe('Agent A1');
+    });
+
+    test('should return multiple accessible agents', async () => {
+      // User B has access to multiple agents
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA3._id, agentB1._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(3);
+
+      const agentIds = response.data.map((a) => a.id);
+      expect(agentIds).toContain(agentA1.id);
+      expect(agentIds).toContain(agentA3.id);
+      expect(agentIds).toContain(agentB1.id);
+      expect(agentIds).not.toContain(agentA2.id);
+    });
+
+    test('should apply category filter correctly with ACL', async () => {
+      // User has access to all agents but filters by category
+      mockReq.user.id = userB.toString();
+      mockReq.query.category = 'productivity';
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA2._id, agentA3._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(agentA3.id);
+      expect(response.data[0].category).toBe('productivity');
+    });
+
+    test('should apply search filter correctly with ACL', async () => {
+      // User has access to multiple agents but searches for specific one
+      mockReq.user.id = userB.toString();
+      mockReq.query.search = 'A2';
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA2._id, agentA3._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(agentA2.id);
+    });
+
+    test('should handle pagination with ACL filtering', async () => {
+      // Create more agents for pagination testing
+      const moreAgents = [];
+      for (let i = 4; i <= 10; i++) {
+        const agent = await Agent.create({
+          id: `agent_${nanoid(12)}`,
+          name: `Agent A${i}`,
+          description: `User A agent ${i}`,
+          provider: 'openai',
+          model: 'gpt-4',
+          author: userA,
+          versions: [
+            {
+              name: `Agent A${i}`,
+              description: `User A agent ${i}`,
+              provider: 'openai',
+              model: 'gpt-4',
+              createdAt: new Date(),
+              updatedAt: new Date(),
+            },
+          ],
+        });
+        moreAgents.push(agent);
+      }
+
+      // User has access to all agents
+      const allAgentIds = [agentA1, agentA2, agentA3, ...moreAgents].map((a) => a._id);
+      mockReq.user.id = userB.toString();
+      mockReq.query.limit = '5';
+      findAccessibleResources.mockResolvedValue(allAgentIds);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(5);
+      expect(response.has_more).toBe(true);
+      expect(response.after).toBeTruthy();
+    });
+
+    test('should mark publicly accessible agents', async () => {
+      // User has access to agents, some are public
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA2._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([agentA2._id]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(2);
+
+      const publicAgent = response.data.find((a) => a.id === agentA2.id);
+      const privateAgent = response.data.find((a) => a.id === agentA1.id);
+
+      expect(publicAgent.isPublic).toBe(true);
+      expect(privateAgent.isPublic).toBeUndefined();
+    });
+
+    test('should handle requiredPermission parameter', async () => {
+      // Test with different permission levels
+      mockReq.user.id = userB.toString();
+      mockReq.query.requiredPermission = '15'; // FULL_ACCESS
+      findAccessibleResources.mockResolvedValue([agentA1._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      expect(findAccessibleResources).toHaveBeenCalledWith({
+        userId: userB.toString(),
+        role: 'USER',
+        resourceType: 'agent',
+        requiredPermissions: 15,
+      });
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+    });
+
+    test('should handle promoted filter with ACL', async () => {
+      // Create a promoted agent
+      const promotedAgent = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Promoted Agent',
+        description: 'A promoted agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        is_promoted: true,
+        versions: [
+          {
+            name: 'Promoted Agent',
+            description: 'A promoted agent',
+            provider: 'openai',
+            model: 'gpt-4',
+            is_promoted: true,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      mockReq.user.id = userB.toString();
+      mockReq.query.promoted = '1';
+      findAccessibleResources.mockResolvedValue([agentA1._id, agentA2._id, promotedAgent._id]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(promotedAgent.id);
+      expect(response.data[0].is_promoted).toBe(true);
+    });
+
+    test('should handle errors gracefully', async () => {
+      mockReq.user.id = userB.toString();
+      findAccessibleResources.mockRejectedValue(new Error('Permission service error'));
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(500);
+      expect(mockRes.json).toHaveBeenCalledWith({
+        error: 'Permission service error',
+      });
+    });
+
+    test('should respect combined filters with ACL', async () => {
+      // Create agents with specific attributes
+      const productivityPromoted = await Agent.create({
+        id: `agent_${nanoid(12)}`,
+        name: 'Productivity Pro',
+        description: 'A promoted productivity agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: userA,
+        category: 'productivity',
+        is_promoted: true,
+        versions: [
+          {
+            name: 'Productivity Pro',
+            description: 'A promoted productivity agent',
+            provider: 'openai',
+            model: 'gpt-4',
+            category: 'productivity',
+            is_promoted: true,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+
+      mockReq.user.id = userB.toString();
+      mockReq.query.category = 'productivity';
+      mockReq.query.promoted = '1';
+      findAccessibleResources.mockResolvedValue([
+        agentA1._id,
+        agentA2._id,
+        agentA3._id,
+        productivityPromoted._id,
+      ]);
+      findPubliclyAccessibleResources.mockResolvedValue([]);
+
+      await getListAgentsHandler(mockReq, mockRes);
+
+      const response = mockRes.json.mock.calls[0][0];
+      expect(response.data).toHaveLength(1);
+      expect(response.data[0].id).toBe(productivityPromoted.id);
+      expect(response.data[0].category).toBe('productivity');
+      expect(response.data[0].is_promoted).toBe(true);
+    });
+  });
 });

api/server/controllers/assistants/chatV1.js

@@ -152,7 +152,7 @@ const chatV1 = async (req, res) => {
         return res.end();
       }
       await cache.delete(cacheKey);
-      const cancelledRun = await openai.beta.threads.runs.cancel(thread_id, run_id);
+      const cancelledRun = await openai.beta.threads.runs.cancel(run_id, { thread_id });
       logger.debug('[/assistants/chat/] Cancelled run:', cancelledRun);
     } catch (error) {
       logger.error('[/assistants/chat/] Error cancelling run', error);
@@ -162,7 +162,7 @@ const chatV1 = async (req, res) => {
 
     let run;
     try {
-      run = await openai.beta.threads.runs.retrieve(thread_id, run_id);
+      run = await openai.beta.threads.runs.retrieve(run_id, { thread_id });
       await recordUsage({
         ...run.usage,
         model: run.model,
@@ -623,7 +623,7 @@ const chatV1 = async (req, res) => {
 
     if (!response.run.usage) {
       await sleep(3000);
-      completedRun = await openai.beta.threads.runs.retrieve(thread_id, response.run.id);
+      completedRun = await openai.beta.threads.runs.retrieve(response.run.id, { thread_id });
       if (completedRun.usage) {
         await recordUsage({
           ...completedRun.usage,

api/server/controllers/assistants/chatV2.js

@@ -467,7 +467,7 @@ const chatV2 = async (req, res) => {
 
     if (!response.run.usage) {
       await sleep(3000);
-      completedRun = await openai.beta.threads.runs.retrieve(thread_id, response.run.id);
+      completedRun = await openai.beta.threads.runs.retrieve(response.run.id, { thread_id });
       if (completedRun.usage) {
         await recordUsage({
           ...completedRun.usage,

api/server/controllers/assistants/errors.js

@@ -108,7 +108,7 @@ const createErrorHandler = ({ req, res, getContext, originPath = '/assistants/ch
         return res.end();
       }
       await cache.delete(cacheKey);
-      const cancelledRun = await openai.beta.threads.runs.cancel(thread_id, run_id);
+      const cancelledRun = await openai.beta.threads.runs.cancel(run_id, { thread_id });
       logger.debug(`[${originPath}] Cancelled run:`, cancelledRun);
     } catch (error) {
       logger.error(`[${originPath}] Error cancelling run`, error);
@@ -118,7 +118,7 @@ const createErrorHandler = ({ req, res, getContext, originPath = '/assistants/ch
 
     let run;
     try {
-      run = await openai.beta.threads.runs.retrieve(thread_id, run_id);
+      run = await openai.beta.threads.runs.retrieve(run_id, { thread_id });
       await recordUsage({
         ...run.usage,
         model: run.model,

api/server/controllers/assistants/helpers.js

@@ -173,6 +173,16 @@ const listAssistantsForAzure = async ({ req, res, version, azureConfig = {}, que
   };
 };
 
+/**
+ * Initializes the OpenAI client.
+ * @param {object} params - The parameters object.
+ * @param {ServerRequest} params.req - The request object.
+ * @param {ServerResponse} params.res - The response object.
+ * @param {TEndpointOption} params.endpointOption - The endpoint options.
+ * @param {boolean} params.initAppClient - Whether to initialize the app client.
+ * @param {string} params.overrideEndpoint - The endpoint to override.
+ * @returns {Promise<{ openai: OpenAIClient, openAIApiKey: string; client: import('~/app/clients/OpenAIClient') }>} - The initialized OpenAI client.
+ */
 async function getOpenAIClient({ req, res, endpointOption, initAppClient, overrideEndpoint }) {
   let endpoint = overrideEndpoint ?? req.body.endpoint ?? req.query.endpoint;
   const version = await getCurrentVersion(req, endpoint);

api/server/controllers/assistants/v1.js

@@ -197,7 +197,7 @@ const deleteAssistant = async (req, res) => {
     await validateAuthor({ req, openai });
 
     const assistant_id = req.params.id;
-    const deletionStatus = await openai.beta.assistants.del(assistant_id);
+    const deletionStatus = await openai.beta.assistants.delete(assistant_id);
     if (deletionStatus?.deleted) {
       await deleteAssistantActions({ req, assistant_id });
     }
@@ -365,7 +365,7 @@ const uploadAssistantAvatar = async (req, res) => {
     try {
       await fs.unlink(req.file.path);
       logger.debug('[/:agent_id/avatar] Temp. image upload file deleted');
-    } catch (error) {
+    } catch {
       logger.debug('[/:agent_id/avatar] Temp. image upload file already deleted');
     }
   }

api/server/controllers/tools.js

@@ -1,14 +1,13 @@
 const { nanoid } = require('nanoid');
 const { EnvVar } = require('@librechat/agents');
-const { checkAccess } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
+const { checkAccess, loadWebSearchAuth } = require('@librechat/api');
 const {
   Tools,
   AuthType,
   Permissions,
   ToolCallTypes,
   PermissionTypes,
-  loadWebSearchAuth,
 } = require('librechat-data-provider');
 const { processFileURL, uploadImageBuffer } = require('~/server/services/Files/process');
 const { processCodeOutput } = require('~/server/services/Files/Code/process');

api/server/index.js

@@ -117,6 +117,8 @@ const startServer = async () => {
   app.use('/api/agents', routes.agents);
   app.use('/api/banner', routes.banner);
   app.use('/api/memories', routes.memories);
+  app.use('/api/permissions', routes.accessPermissions);
+
   app.use('/api/tags', routes.tags);
   app.use('/api/mcp', routes.mcp);
 

api/server/middleware/abortRun.js

@@ -47,7 +47,7 @@ async function abortRun(req, res) {
 
   try {
     await cache.set(cacheKey, 'cancelled', three_minutes);
-    const cancelledRun = await openai.beta.threads.runs.cancel(thread_id, run_id);
+    const cancelledRun = await openai.beta.threads.runs.cancel(run_id, { thread_id });
     logger.debug('[abortRun] Cancelled run:', cancelledRun);
   } catch (error) {
     logger.error('[abortRun] Error cancelling run', error);
@@ -60,7 +60,7 @@ async function abortRun(req, res) {
   }
 
   try {
-    const run = await openai.beta.threads.runs.retrieve(thread_id, run_id);
+    const run = await openai.beta.threads.runs.retrieve(run_id, { thread_id });
     await recordUsage({
       ...run.usage,
       model: run.model,

api/server/middleware/accessResources/canAccessAgentFromBody.js

@@ -0,0 +1,97 @@
+const { logger } = require('@librechat/data-schemas');
+const { Constants, isAgentsEndpoint, ResourceType } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getAgent } = require('~/models/Agent');
+
+/**
+ * Agent ID resolver function for agent_id from request body
+ * Resolves custom agent ID (e.g., "agent_abc123") to MongoDB ObjectId
+ * This is used specifically for chat routes where agent_id comes from request body
+ *
+ * @param {string} agentCustomId - Custom agent ID from request body
+ * @returns {Promise<Object|null>} Agent document with _id field, or null if not found
+ */
+const resolveAgentIdFromBody = async (agentCustomId) => {
+  // Handle ephemeral agents - they don't need permission checks
+  if (agentCustomId === Constants.EPHEMERAL_AGENT_ID) {
+    return null; // No permission check needed for ephemeral agents
+  }
+
+  return await getAgent({ id: agentCustomId });
+};
+
+/**
+ * Middleware factory that creates middleware to check agent access permissions from request body.
+ * This middleware is specifically designed for chat routes where the agent_id comes from req.body
+ * instead of route parameters.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for agent chat (requires VIEW permission)
+ * router.post('/chat',
+ *   canAccessAgentFromBody({ requiredPermission: PermissionBits.VIEW }),
+ *   buildEndpointOption,
+ *   chatController
+ * );
+ */
+const canAccessAgentFromBody = (options) => {
+  const { requiredPermission } = options;
+
+  // Validate required options
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessAgentFromBody: requiredPermission is required and must be a number');
+  }
+
+  return async (req, res, next) => {
+    try {
+      const { endpoint, agent_id } = req.body;
+      let agentId = agent_id;
+
+      if (!isAgentsEndpoint(endpoint)) {
+        agentId = Constants.EPHEMERAL_AGENT_ID;
+      }
+
+      if (!agentId) {
+        return res.status(400).json({
+          error: 'Bad Request',
+          message: 'agent_id is required in request body',
+        });
+      }
+
+      // Skip permission checks for ephemeral agents
+      if (agentId === Constants.EPHEMERAL_AGENT_ID) {
+        return next();
+      }
+
+      const agentAccessMiddleware = canAccessResource({
+        resourceType: ResourceType.AGENT,
+        requiredPermission,
+        resourceIdParam: 'agent_id', // This will be ignored since we use custom resolver
+        idResolver: () => resolveAgentIdFromBody(agentId),
+      });
+
+      const tempReq = {
+        ...req,
+        params: {
+          ...req.params,
+          agent_id: agentId,
+        },
+      };
+
+      return agentAccessMiddleware(tempReq, res, next);
+    } catch (error) {
+      logger.error('Failed to validate agent access permissions', error);
+      return res.status(500).json({
+        error: 'Internal Server Error',
+        message: 'Failed to validate agent access permissions',
+      });
+    }
+  };
+};
+
+module.exports = {
+  canAccessAgentFromBody,
+};

api/server/middleware/accessResources/canAccessAgentResource.js

@@ -0,0 +1,59 @@
+const { ResourceType } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getAgent } = require('~/models/Agent');
+
+/**
+ * Agent ID resolver function
+ * Resolves custom agent ID (e.g., "agent_abc123") to MongoDB ObjectId
+ *
+ * @param {string} agentCustomId - Custom agent ID from route parameter
+ * @returns {Promise<Object|null>} Agent document with _id field, or null if not found
+ */
+const resolveAgentId = async (agentCustomId) => {
+  return await getAgent({ id: agentCustomId });
+};
+
+/**
+ * Agent-specific middleware factory that creates middleware to check agent access permissions.
+ * This middleware extends the generic canAccessResource to handle agent custom ID resolution.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='id'] - The name of the route parameter containing the agent custom ID
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for viewing agents
+ * router.get('/agents/:id',
+ *   canAccessAgentResource({ requiredPermission: 1 }),
+ *   getAgent
+ * );
+ *
+ * @example
+ * // Custom resource ID parameter and edit permission
+ * router.patch('/agents/:agent_id',
+ *   canAccessAgentResource({
+ *     requiredPermission: 2,
+ *     resourceIdParam: 'agent_id'
+ *   }),
+ *   updateAgent
+ * );
+ */
+const canAccessAgentResource = (options) => {
+  const { requiredPermission, resourceIdParam = 'id' } = options;
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessAgentResource: requiredPermission is required and must be a number');
+  }
+
+  return canAccessResource({
+    resourceType: ResourceType.AGENT,
+    requiredPermission,
+    resourceIdParam,
+    idResolver: resolveAgentId,
+  });
+};
+
+module.exports = {
+  canAccessAgentResource,
+};

api/server/middleware/accessResources/canAccessAgentResource.spec.js

@@ -0,0 +1,385 @@
+const mongoose = require('mongoose');
+const { ResourceType, PrincipalType, PrincipalModel } = require('librechat-data-provider');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { canAccessAgentResource } = require('./canAccessAgentResource');
+const { User, Role, AclEntry } = require('~/db/models');
+const { createAgent } = require('~/models/Agent');
+
+describe('canAccessAgentResource middleware', () => {
+  let mongoServer;
+  let req, res, next;
+  let testUser;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await mongoose.connection.dropDatabase();
+    await Role.create({
+      name: 'test-role',
+      permissions: {
+        AGENTS: {
+          USE: true,
+          CREATE: true,
+          SHARED_GLOBAL: false,
+        },
+      },
+    });
+
+    // Create a test user
+    testUser = await User.create({
+      email: 'test@example.com',
+      name: 'Test User',
+      username: 'testuser',
+      role: 'test-role',
+    });
+
+    req = {
+      user: { id: testUser._id, role: testUser.role },
+      params: {},
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+
+    jest.clearAllMocks();
+  });
+
+  describe('middleware factory', () => {
+    test('should throw error if requiredPermission is not provided', () => {
+      expect(() => canAccessAgentResource({})).toThrow(
+        'canAccessAgentResource: requiredPermission is required and must be a number',
+      );
+    });
+
+    test('should throw error if requiredPermission is not a number', () => {
+      expect(() => canAccessAgentResource({ requiredPermission: '1' })).toThrow(
+        'canAccessAgentResource: requiredPermission is required and must be a number',
+      );
+    });
+
+    test('should create middleware with default resourceIdParam', () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      expect(typeof middleware).toBe('function');
+      expect(middleware.length).toBe(3); // Express middleware signature
+    });
+
+    test('should create middleware with custom resourceIdParam', () => {
+      const middleware = canAccessAgentResource({
+        requiredPermission: 2,
+        resourceIdParam: 'agent_id',
+      });
+      expect(typeof middleware).toBe('function');
+      expect(middleware.length).toBe(3);
+    });
+  });
+
+  describe('permission checking with real agents', () => {
+    test('should allow access when user is the agent author', async () => {
+      // Create an agent owned by the test user
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry for the author (owner permissions)
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions (1+2+4+8)
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should deny access when user is not the author and has no ACL entry', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other@example.com',
+        name: 'Other User',
+        username: 'otheruser',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Other User Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry for the other user (owner)
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: otherUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to access this agent',
+      });
+    });
+
+    test('should allow access when user has ACL entry with sufficient permissions', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other2@example.com',
+        name: 'Other User 2',
+        username: 'otheruser2',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Shared Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry granting view permission to test user
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 1, // VIEW permission
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should deny access when ACL permissions are insufficient', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other3@example.com',
+        name: 'Other User 3',
+        username: 'otheruser3',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Limited Access Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry granting only view permission
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 1, // VIEW permission only
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 2 }); // EDIT permission required
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to access this agent',
+      });
+    });
+
+    test('should handle non-existent agent', async () => {
+      req.params.id = 'agent_nonexistent';
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Not Found',
+        message: 'agent not found',
+      });
+    });
+
+    test('should use custom resourceIdParam', async () => {
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Custom Param Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry for the author
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: testUser._id,
+      });
+
+      req.params.agent_id = agent.id; // Using custom param name
+
+      const middleware = canAccessAgentResource({
+        requiredPermission: 1,
+        resourceIdParam: 'agent_id',
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('permission levels', () => {
+    let agent;
+
+    beforeEach(async () => {
+      agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Permission Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry with all permissions for the owner
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions (1+2+4+8)
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agent.id;
+    });
+
+    test('should support view permission (1)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support edit permission (2)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 2 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support delete permission (4)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 4 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support share permission (8)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 8 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support combined permissions', async () => {
+      const viewAndEdit = 1 | 2; // 3
+      const middleware = canAccessAgentResource({ requiredPermission: viewAndEdit });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+  });
+
+  describe('integration with agent operations', () => {
+    test('should work with agent CRUD operations', async () => {
+      const agentId = `agent_${Date.now()}`;
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Integration Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+        description: 'Testing integration',
+      });
+
+      // Create ACL entry for the author
+      await AclEntry.create({
+        principalType: PrincipalType.USER,
+        principalId: testUser._id,
+        principalModel: PrincipalModel.USER,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agentId;
+
+      // Test view access
+      const viewMiddleware = canAccessAgentResource({ requiredPermission: 1 });
+      await viewMiddleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+      jest.clearAllMocks();
+
+      // Update the agent
+      const { updateAgent } = require('~/models/Agent');
+      await updateAgent({ id: agentId }, { description: 'Updated description' });
+
+      // Test edit access
+      const editMiddleware = canAccessAgentResource({ requiredPermission: 2 });
+      await editMiddleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+  });
+});

api/server/middleware/accessResources/canAccessPromptGroupResource.js

@@ -0,0 +1,61 @@
+const { ResourceType } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getPromptGroup } = require('~/models/Prompt');
+
+/**
+ * PromptGroup ID resolver function
+ * Resolves promptGroup ID to MongoDB ObjectId
+ *
+ * @param {string} groupId - PromptGroup ID from route parameter
+ * @returns {Promise<Object|null>} PromptGroup document with _id field, or null if not found
+ */
+const resolvePromptGroupId = async (groupId) => {
+  return await getPromptGroup({ _id: groupId });
+};
+
+/**
+ * PromptGroup-specific middleware factory that creates middleware to check promptGroup access permissions.
+ * This middleware extends the generic canAccessResource to handle promptGroup ID resolution.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='groupId'] - The name of the route parameter containing the promptGroup ID
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for viewing promptGroups
+ * router.get('/prompts/groups/:groupId',
+ *   canAccessPromptGroupResource({ requiredPermission: 1 }),
+ *   getPromptGroup
+ * );
+ *
+ * @example
+ * // Custom resource ID parameter and edit permission
+ * router.patch('/prompts/groups/:id',
+ *   canAccessPromptGroupResource({
+ *     requiredPermission: 2,
+ *     resourceIdParam: 'id'
+ *   }),
+ *   updatePromptGroup
+ * );
+ */
+const canAccessPromptGroupResource = (options) => {
+  const { requiredPermission, resourceIdParam = 'groupId' } = options;
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error(
+      'canAccessPromptGroupResource: requiredPermission is required and must be a number',
+    );
+  }
+
+  return canAccessResource({
+    resourceType: ResourceType.PROMPTGROUP,
+    requiredPermission,
+    resourceIdParam,
+    idResolver: resolvePromptGroupId,
+  });
+};
+
+module.exports = {
+  canAccessPromptGroupResource,
+};

api/server/middleware/accessResources/canAccessPromptViaGroup.js

@@ -0,0 +1,55 @@
+const { ResourceType } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getPrompt } = require('~/models/Prompt');
+
+/**
+ * Prompt to PromptGroup ID resolver function
+ * Resolves prompt ID to its parent promptGroup ID
+ *
+ * @param {string} promptId - Prompt ID from route parameter
+ * @returns {Promise<Object|null>} Object with promptGroup's _id field, or null if not found
+ */
+const resolvePromptToGroupId = async (promptId) => {
+  const prompt = await getPrompt({ _id: promptId });
+  if (!prompt || !prompt.groupId) {
+    return null;
+  }
+  // Return an object with _id that matches the promptGroup ID
+  return { _id: prompt.groupId };
+};
+
+/**
+ * Middleware factory that checks promptGroup permissions when accessing individual prompts.
+ * This allows permission management at the promptGroup level while still supporting
+ * individual prompt access patterns.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='promptId'] - The name of the route parameter containing the prompt ID
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Check promptGroup permissions when viewing a prompt
+ * router.get('/prompts/:promptId',
+ *   canAccessPromptViaGroup({ requiredPermission: 1 }),
+ *   getPrompt
+ * );
+ */
+const canAccessPromptViaGroup = (options) => {
+  const { requiredPermission, resourceIdParam = 'promptId' } = options;
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessPromptViaGroup: requiredPermission is required and must be a number');
+  }
+
+  return canAccessResource({
+    resourceType: ResourceType.PROMPTGROUP,
+    requiredPermission,
+    resourceIdParam,
+    idResolver: resolvePromptToGroupId,
+  });
+};
+
+module.exports = {
+  canAccessPromptViaGroup,
+};

api/server/middleware/accessResources/canAccessResource.js

@@ -0,0 +1,158 @@
+const { logger } = require('@librechat/data-schemas');
+const { SystemRoles } = require('librechat-data-provider');
+const { checkPermission } = require('~/server/services/PermissionService');
+
+/**
+ * Generic base middleware factory that creates middleware to check resource access permissions.
+ * This middleware expects MongoDB ObjectIds as resource identifiers for ACL permission checks.
+ *
+ * @param {Object} options - Configuration options
+ * @param {string} options.resourceType - The type of resource (e.g., 'agent', 'file', 'project')
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='resourceId'] - The name of the route parameter containing the resource ID
+ * @param {Function} [options.idResolver] - Optional function to resolve custom IDs to ObjectIds
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Direct usage with ObjectId (for resources that use MongoDB ObjectId in routes)
+ * router.get('/prompts/:promptId',
+ *   canAccessResource({ resourceType: 'prompt', requiredPermission: 1 }),
+ *   getPrompt
+ * );
+ *
+ * @example
+ * // Usage with custom ID resolver (for resources that use custom string IDs)
+ * router.get('/agents/:id',
+ *   canAccessResource({
+ *     resourceType: 'agent',
+ *     requiredPermission: 1,
+ *     resourceIdParam: 'id',
+ *     idResolver: (customId) => resolveAgentId(customId)
+ *   }),
+ *   getAgent
+ * );
+ */
+const canAccessResource = (options) => {
+  const {
+    resourceType,
+    requiredPermission,
+    resourceIdParam = 'resourceId',
+    idResolver = null,
+  } = options;
+
+  if (!resourceType || typeof resourceType !== 'string') {
+    throw new Error('canAccessResource: resourceType is required and must be a string');
+  }
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessResource: requiredPermission is required and must be a number');
+  }
+
+  return async (req, res, next) => {
+    try {
+      // Extract resource ID from route parameters
+      const rawResourceId = req.params[resourceIdParam];
+
+      if (!rawResourceId) {
+        logger.warn(`[canAccessResource] Missing ${resourceIdParam} in route parameters`);
+        return res.status(400).json({
+          error: 'Bad Request',
+          message: `${resourceIdParam} is required`,
+        });
+      }
+
+      // Check if user is authenticated
+      if (!req.user || !req.user.id) {
+        logger.warn(
+          `[canAccessResource] Unauthenticated request for ${resourceType} ${rawResourceId}`,
+        );
+        return res.status(401).json({
+          error: 'Unauthorized',
+          message: 'Authentication required',
+        });
+      }
+      // if system admin let through
+      if (req.user.role === SystemRoles.ADMIN) {
+        return next();
+      }
+      const userId = req.user.id;
+      let resourceId = rawResourceId;
+      let resourceInfo = null;
+
+      // Resolve custom ID to ObjectId if resolver is provided
+      if (idResolver) {
+        logger.debug(
+          `[canAccessResource] Resolving ${resourceType} custom ID ${rawResourceId} to ObjectId`,
+        );
+
+        const resolutionResult = await idResolver(rawResourceId);
+
+        if (!resolutionResult) {
+          logger.warn(`[canAccessResource] ${resourceType} not found: ${rawResourceId}`);
+          return res.status(404).json({
+            error: 'Not Found',
+            message: `${resourceType} not found`,
+          });
+        }
+
+        // Handle different resolver return formats
+        if (typeof resolutionResult === 'string' || resolutionResult._id) {
+          resourceId = resolutionResult._id || resolutionResult;
+          resourceInfo = typeof resolutionResult === 'object' ? resolutionResult : null;
+        } else {
+          resourceId = resolutionResult;
+        }
+
+        logger.debug(
+          `[canAccessResource] Resolved ${resourceType} ${rawResourceId} to ObjectId ${resourceId}`,
+        );
+      }
+
+      // Check permissions using PermissionService with ObjectId
+      const hasPermission = await checkPermission({
+        userId,
+        role: req.user.role,
+        resourceType,
+        resourceId,
+        requiredPermission,
+      });
+
+      if (hasPermission) {
+        logger.debug(
+          `[canAccessResource] User ${userId} has permission ${requiredPermission} on ${resourceType} ${rawResourceId} (${resourceId})`,
+        );
+
+        req.resourceAccess = {
+          resourceType,
+          resourceId, // MongoDB ObjectId for ACL operations
+          customResourceId: rawResourceId, // Original ID from route params
+          permission: requiredPermission,
+          userId,
+          ...(resourceInfo && { resourceInfo }),
+        };
+
+        return next();
+      }
+
+      logger.warn(
+        `[canAccessResource] User ${userId} denied access to ${resourceType} ${rawResourceId} ` +
+          `(required permission: ${requiredPermission})`,
+      );
+
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: `Insufficient permissions to access this ${resourceType}`,
+      });
+    } catch (error) {
+      logger.error(`[canAccessResource] Error checking access for ${resourceType}:`, error);
+      return res.status(500).json({
+        error: 'Internal Server Error',
+        message: 'Failed to check resource access permissions',
+      });
+    }
+  };
+};
+
+module.exports = {
+  canAccessResource,
+};

api/server/middleware/accessResources/fileAccess.js

@@ -0,0 +1,125 @@
+const { logger } = require('@librechat/data-schemas');
+const { PermissionBits, hasPermissions, ResourceType } = require('librechat-data-provider');
+const { getEffectivePermissions } = require('~/server/services/PermissionService');
+const { getAgent } = require('~/models/Agent');
+const { getFiles } = require('~/models/File');
+
+/**
+ * Checks if user has access to a file through agent permissions
+ * Files inherit permissions from agents - if you can view the agent, you can access its files
+ */
+const checkAgentBasedFileAccess = async ({ userId, role, fileId }) => {
+  try {
+    // Find agents that have this file in their tool_resources
+    const agentsWithFile = await getAgent({
+      $or: [
+        { 'tool_resources.file_search.file_ids': fileId },
+        { 'tool_resources.execute_code.file_ids': fileId },
+        { 'tool_resources.ocr.file_ids': fileId },
+      ],
+    });
+
+    if (!agentsWithFile || agentsWithFile.length === 0) {
+      return false;
+    }
+
+    // Check if user has access to any of these agents
+    for (const agent of Array.isArray(agentsWithFile) ? agentsWithFile : [agentsWithFile]) {
+      // Check if user is the agent author
+      if (agent.author && agent.author.toString() === userId) {
+        logger.debug(`[fileAccess] User is author of agent ${agent.id}`);
+        return true;
+      }
+
+      // Check ACL permissions for VIEW access on the agent
+      try {
+        const permissions = await getEffectivePermissions({
+          userId,
+          role,
+          resourceType: ResourceType.AGENT,
+          resourceId: agent._id || agent.id,
+        });
+
+        if (hasPermissions(permissions, PermissionBits.VIEW)) {
+          logger.debug(`[fileAccess] User ${userId} has VIEW permissions on agent ${agent.id}`);
+          return true;
+        }
+      } catch (permissionError) {
+        logger.warn(
+          `[fileAccess] Permission check failed for agent ${agent.id}:`,
+          permissionError.message,
+        );
+        // Continue checking other agents
+      }
+    }
+
+    return false;
+  } catch (error) {
+    logger.error('[fileAccess] Error checking agent-based access:', error);
+    return false;
+  }
+};
+
+/**
+ * Middleware to check if user can access a file
+ * Checks: 1) File ownership, 2) Agent-based access (file inherits agent permissions)
+ */
+const fileAccess = async (req, res, next) => {
+  try {
+    const fileId = req.params.file_id;
+    const userId = req.user?.id;
+    const userRole = req.user?.role;
+    if (!fileId) {
+      return res.status(400).json({
+        error: 'Bad Request',
+        message: 'file_id is required',
+      });
+    }
+
+    if (!userId) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    // Get the file
+    const [file] = await getFiles({ file_id: fileId });
+    if (!file) {
+      return res.status(404).json({
+        error: 'Not Found',
+        message: 'File not found',
+      });
+    }
+
+    // Check if user owns the file
+    if (file.user && file.user.toString() === userId) {
+      req.fileAccess = { file };
+      return next();
+    }
+
+    // Check agent-based access (file inherits agent permissions)
+    const hasAgentAccess = await checkAgentBasedFileAccess({ userId, role: userRole, fileId });
+    if (hasAgentAccess) {
+      req.fileAccess = { file };
+      return next();
+    }
+
+    // No access
+    logger.warn(`[fileAccess] User ${userId} denied access to file ${fileId}`);
+    return res.status(403).json({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to access this file',
+    });
+  } catch (error) {
+    logger.error('[fileAccess] Error checking file access:', error);
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check file access permissions',
+    });
+  }
+};
+
+module.exports = {
+  fileAccess,
+};

api/server/middleware/accessResources/index.js

@@ -0,0 +1,13 @@
+const { canAccessResource } = require('./canAccessResource');
+const { canAccessAgentResource } = require('./canAccessAgentResource');
+const { canAccessAgentFromBody } = require('./canAccessAgentFromBody');
+const { canAccessPromptViaGroup } = require('./canAccessPromptViaGroup');
+const { canAccessPromptGroupResource } = require('./canAccessPromptGroupResource');
+
+module.exports = {
+  canAccessResource,
+  canAccessAgentResource,
+  canAccessAgentFromBody,
+  canAccessPromptViaGroup,
+  canAccessPromptGroupResource,
+};

api/server/middleware/checkPeoplePickerAccess.js

@@ -0,0 +1,82 @@
+const { PrincipalType, PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+/**
+ * Middleware to check if user has permission to access people picker functionality
+ * Checks specific permission based on the 'type' query parameter:
+ * - type=user: requires VIEW_USERS permission
+ * - type=group: requires VIEW_GROUPS permission
+ * - type=role: requires VIEW_ROLES permission
+ * - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS OR VIEW_ROLES
+ */
+const checkPeoplePickerAccess = async (req, res, next) => {
+  try {
+    const user = req.user;
+    if (!user || !user.role) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    const role = await getRoleByName(user.role);
+    if (!role || !role.permissions) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'No permissions configured for user role',
+      });
+    }
+
+    const { type } = req.query;
+    const peoplePickerPerms = role.permissions[PermissionTypes.PEOPLE_PICKER] || {};
+    const canViewUsers = peoplePickerPerms[Permissions.VIEW_USERS] === true;
+    const canViewGroups = peoplePickerPerms[Permissions.VIEW_GROUPS] === true;
+    const canViewRoles = peoplePickerPerms[Permissions.VIEW_ROLES] === true;
+
+    const permissionChecks = {
+      [PrincipalType.USER]: {
+        hasPermission: canViewUsers,
+        message: 'Insufficient permissions to search for users',
+      },
+      [PrincipalType.GROUP]: {
+        hasPermission: canViewGroups,
+        message: 'Insufficient permissions to search for groups',
+      },
+      [PrincipalType.ROLE]: {
+        hasPermission: canViewRoles,
+        message: 'Insufficient permissions to search for roles',
+      },
+    };
+
+    const check = permissionChecks[type];
+    if (check && !check.hasPermission) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: check.message,
+      });
+    }
+
+    if (!type && !canViewUsers && !canViewGroups && !canViewRoles) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to search for users, groups, or roles',
+      });
+    }
+
+    next();
+  } catch (error) {
+    logger.error(
+      `[checkPeoplePickerAccess][${req.user?.id}] checkPeoplePickerAccess error for req.query.type = ${req.query.type}`,
+      error,
+    );
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check permissions',
+    });
+  }
+};
+
+module.exports = {
+  checkPeoplePickerAccess,
+};

api/server/middleware/checkPeoplePickerAccess.spec.js

@@ -0,0 +1,250 @@
+const { PrincipalType, PermissionTypes, Permissions } = require('librechat-data-provider');
+const { checkPeoplePickerAccess } = require('./checkPeoplePickerAccess');
+const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+jest.mock('~/models/Role');
+jest.mock('~/config', () => ({
+  logger: {
+    error: jest.fn(),
+  },
+}));
+
+describe('checkPeoplePickerAccess', () => {
+  let req, res, next;
+
+  beforeEach(() => {
+    req = {
+      user: { id: 'user123', role: 'USER' },
+      query: {},
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+    jest.clearAllMocks();
+  });
+
+  it('should return 401 if user is not authenticated', async () => {
+    req.user = null;
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Unauthorized',
+      message: 'Authentication required',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should return 403 if role has no permissions', async () => {
+    getRoleByName.mockResolvedValue(null);
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'No permissions configured for user role',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should allow access when searching for users with VIEW_USERS permission', async () => {
+    req.query.type = PrincipalType.USER;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: true,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: false,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+    expect(res.status).not.toHaveBeenCalled();
+  });
+
+  it('should deny access when searching for users without VIEW_USERS permission', async () => {
+    req.query.type = PrincipalType.USER;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: true,
+          [Permissions.VIEW_ROLES]: true,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for users',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should allow access when searching for groups with VIEW_GROUPS permission', async () => {
+    req.query.type = PrincipalType.GROUP;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: true,
+          [Permissions.VIEW_ROLES]: false,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+    expect(res.status).not.toHaveBeenCalled();
+  });
+
+  it('should deny access when searching for groups without VIEW_GROUPS permission', async () => {
+    req.query.type = PrincipalType.GROUP;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: true,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: true,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for groups',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should allow access when searching for roles with VIEW_ROLES permission', async () => {
+    req.query.type = PrincipalType.ROLE;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: true,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+    expect(res.status).not.toHaveBeenCalled();
+  });
+
+  it('should deny access when searching for roles without VIEW_ROLES permission', async () => {
+    req.query.type = PrincipalType.ROLE;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: true,
+          [Permissions.VIEW_GROUPS]: true,
+          [Permissions.VIEW_ROLES]: false,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for roles',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should allow mixed search when user has at least one permission', async () => {
+    // No type specified = mixed search
+    req.query.type = undefined;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: true,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+    expect(res.status).not.toHaveBeenCalled();
+  });
+
+  it('should deny mixed search when user has no permissions', async () => {
+    // No type specified = mixed search
+    req.query.type = undefined;
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PEOPLE_PICKER]: {
+          [Permissions.VIEW_USERS]: false,
+          [Permissions.VIEW_GROUPS]: false,
+          [Permissions.VIEW_ROLES]: false,
+        },
+      },
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for users, groups, or roles',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should handle errors gracefully', async () => {
+    const error = new Error('Database error');
+    getRoleByName.mockRejectedValue(error);
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(logger.error).toHaveBeenCalledWith(
+      '[checkPeoplePickerAccess][user123] checkPeoplePickerAccess error for req.query.type = undefined',
+      error,
+    );
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Internal Server Error',
+      message: 'Failed to check permissions',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should handle missing permissions object gracefully', async () => {
+    req.query.type = PrincipalType.USER;
+    getRoleByName.mockResolvedValue({
+      permissions: {}, // No PEOPLE_PICKER permissions
+    });
+
+    await checkPeoplePickerAccess(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'Insufficient permissions to search for users',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+});

api/server/middleware/index.js

@@ -8,6 +8,7 @@ const concurrentLimiter = require('./concurrentLimiter');
 const validateEndpoint = require('./validateEndpoint');
 const requireLocalAuth = require('./requireLocalAuth');
 const canDeleteAccount = require('./canDeleteAccount');
+const accessResources = require('./accessResources');
 const setBalanceConfig = require('./setBalanceConfig');
 const requireLdapAuth = require('./requireLdapAuth');
 const abortMiddleware = require('./abortMiddleware');
@@ -29,6 +30,7 @@ module.exports = {
   ...validate,
   ...limiters,
   ...roles,
+  ...accessResources,
   noIndex,
   checkBan,
   uaParser,

api/server/middleware/roles/access.spec.js

@@ -0,0 +1,370 @@
+const mongoose = require('mongoose');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { checkAccess, generateCheckAccess } = require('@librechat/api');
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { Role } = require('~/db/models');
+
+// Mock the logger from @librechat/data-schemas
+jest.mock('@librechat/data-schemas', () => ({
+  ...jest.requireActual('@librechat/data-schemas'),
+  logger: {
+    warn: jest.fn(),
+    error: jest.fn(),
+    info: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+// Mock the cache to use a simple in-memory implementation
+const mockCache = new Map();
+jest.mock('~/cache/getLogStores', () => {
+  return jest.fn(() => ({
+    get: jest.fn(async (key) => mockCache.get(key)),
+    set: jest.fn(async (key, value) => mockCache.set(key, value)),
+    clear: jest.fn(async () => mockCache.clear()),
+  }));
+});
+
+describe('Access Middleware', () => {
+  let mongoServer;
+  let req, res, next;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await mongoose.connection.dropDatabase();
+    mockCache.clear(); // Clear the cache between tests
+
+    // Create test roles
+    await Role.create({
+      name: 'user',
+      permissions: {
+        [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.SHARED_GLOBAL]: false,
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+        },
+        [PermissionTypes.MEMORIES]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.UPDATE]: true,
+          [Permissions.READ]: true,
+          [Permissions.OPT_OUT]: true,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: false,
+          [Permissions.SHARED_GLOBAL]: false,
+        },
+        [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
+        [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
+        [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+        [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      },
+    });
+
+    await Role.create({
+      name: 'admin',
+      permissions: {
+        [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.SHARED_GLOBAL]: true,
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+        },
+        [PermissionTypes.MEMORIES]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.UPDATE]: true,
+          [Permissions.READ]: true,
+          [Permissions.OPT_OUT]: true,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.SHARED_GLOBAL]: true,
+        },
+        [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
+        [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
+        [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+        [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      },
+    });
+
+    // Create limited role with no AGENTS permissions
+    await Role.create({
+      name: 'limited',
+      permissions: {
+        // Explicitly set AGENTS permissions to false
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: false,
+          [Permissions.CREATE]: false,
+          [Permissions.SHARED_GLOBAL]: false,
+        },
+        // Has permissions for other types
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.USE]: true,
+        },
+      },
+    });
+
+    req = {
+      user: { id: 'user123', role: 'user' },
+      body: {},
+      originalUrl: '/test',
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+    jest.clearAllMocks();
+  });
+
+  describe('checkAccess', () => {
+    test('should return false if user is not provided', async () => {
+      const result = await checkAccess({
+        user: null,
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return true if user has required permission', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should return false if user lacks required permission', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return false if user has only some of multiple permissions', async () => {
+      // User has USE but not CREATE, so should fail when checking for both
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE, Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return true if user has all of multiple permissions', async () => {
+      // Admin has both USE and CREATE
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE, Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should check body properties when permission is not directly granted', async () => {
+      const req = { body: { id: 'agent123' } };
+      const result = await checkAccess({
+        req,
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.UPDATE],
+        bodyProps: {
+          [Permissions.UPDATE]: ['id'],
+        },
+        checkObject: req.body,
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should return false if role is not found', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'nonexistent' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return false if role has no permissions for the requested type', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'limited' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should handle admin role with all permissions', async () => {
+      const createResult = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      expect(createResult).toBe(true);
+
+      const shareResult = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.SHARED_GLOBAL],
+        getRoleByName,
+      });
+      expect(shareResult).toBe(true);
+    });
+  });
+
+  describe('generateCheckAccess', () => {
+    test('should call next() when user has required permission', async () => {
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should return 403 when user lacks permission', async () => {
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+
+    test('should check body properties when configured', async () => {
+      req.body = { agentId: 'agent123', description: 'test' };
+
+      const bodyProps = {
+        [Permissions.CREATE]: ['agentId'],
+      };
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        bodyProps,
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should handle database errors gracefully', async () => {
+      // Mock getRoleByName to throw an error
+      const mockGetRoleByName = jest
+        .fn()
+        .mockRejectedValue(new Error('Database connection failed'));
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName: mockGetRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        message: expect.stringContaining('Server error:'),
+      });
+    });
+
+    test('should work with multiple permission types', async () => {
+      req.user.role = 'admin';
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE, Permissions.CREATE, Permissions.SHARED_GLOBAL],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should handle missing user gracefully', async () => {
+      req.user = null;
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+
+    test('should handle role with no AGENTS permissions', async () => {
+      await Role.create({
+        name: 'noaccess',
+        permissions: {
+          // Explicitly set AGENTS with all permissions false
+          [PermissionTypes.AGENTS]: {
+            [Permissions.USE]: false,
+            [Permissions.CREATE]: false,
+            [Permissions.SHARED_GLOBAL]: false,
+          },
+        },
+      });
+      req.user.role = 'noaccess';
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+  });
+});

api/server/routes/accessPermissions.js

@@ -0,0 +1,85 @@
+const express = require('express');
+const { ResourceType, PermissionBits } = require('librechat-data-provider');
+const {
+  getUserEffectivePermissions,
+  updateResourcePermissions,
+  getResourcePermissions,
+  getResourceRoles,
+  searchPrincipals,
+} = require('~/server/controllers/PermissionsController');
+const { requireJwtAuth, checkBan, uaParser, canAccessResource } = require('~/server/middleware');
+const { checkPeoplePickerAccess } = require('~/server/middleware/checkPeoplePickerAccess');
+
+const router = express.Router();
+
+// Apply common middleware
+router.use(requireJwtAuth);
+router.use(checkBan);
+router.use(uaParser);
+
+/**
+ * Generic routes for resource permissions
+ * Pattern: /api/permissions/{resourceType}/{resourceId}
+ */
+
+/**
+ * GET /api/permissions/search-principals
+ * Search for users and groups to grant permissions
+ */
+router.get('/search-principals', checkPeoplePickerAccess, searchPrincipals);
+
+/**
+ * GET /api/permissions/{resourceType}/roles
+ * Get available roles for a resource type
+ */
+router.get('/:resourceType/roles', getResourceRoles);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}
+ * Get all permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId', getResourcePermissions);
+
+/**
+ * PUT /api/permissions/{resourceType}/{resourceId}
+ * Bulk update permissions for a specific resource
+ */
+router.put(
+  '/:resourceType/:resourceId',
+  // Use middleware that dynamically handles resource type and permissions
+  (req, res, next) => {
+    const { resourceType } = req.params;
+    let middleware;
+
+    if (resourceType === ResourceType.AGENT) {
+      middleware = canAccessResource({
+        resourceType: ResourceType.AGENT,
+        requiredPermission: PermissionBits.SHARE,
+        resourceIdParam: 'resourceId',
+      });
+    } else if (resourceType === ResourceType.PROMPTGROUP) {
+      middleware = canAccessResource({
+        resourceType: ResourceType.PROMPTGROUP,
+        requiredPermission: PermissionBits.SHARE,
+        resourceIdParam: 'resourceId',
+      });
+    } else {
+      return res.status(400).json({
+        error: 'Bad Request',
+        message: `Unsupported resource type: ${resourceType}`,
+      });
+    }
+
+    // Execute the middleware
+    middleware(req, res, next);
+  },
+  updateResourcePermissions,
+);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}/effective
+ * Get user's effective permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId/effective', getUserEffectivePermissions);
+
+module.exports = router;

api/server/routes/agents/actions.js

@@ -3,16 +3,19 @@ const { nanoid } = require('nanoid');
 const { logger } = require('@librechat/data-schemas');
 const { generateCheckAccess } = require('@librechat/api');
 const {
-  SystemRoles,
   Permissions,
+  ResourceType,
   PermissionTypes,
   actionDelimiter,
+  PermissionBits,
   removeNullishValues,
 } = require('librechat-data-provider');
 const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
+const { findAccessibleResources } = require('~/server/services/PermissionService');
+const { getAgent, updateAgent, getListAgentsByAccess } = require('~/models/Agent');
 const { updateAction, getActions, deleteAction } = require('~/models/Action');
 const { isActionDomainAllowed } = require('~/server/services/domains');
-const { getAgent, updateAgent } = require('~/models/Agent');
+const { canAccessAgentResource } = require('~/server/middleware');
 const { getRoleByName } = require('~/models/Role');
 
 const router = express.Router();
@@ -23,12 +26,6 @@ const checkAgentCreate = generateCheckAccess({
   getRoleByName,
 });
 
-// If the user has ADMIN role
-// then action edition is possible even if not owner of the assistant
-const isAdmin = (req) => {
-  return req.user.role === SystemRoles.ADMIN;
-};
-
 /**
  * Retrieves all user's actions
  * @route GET /actions/
@@ -37,10 +34,23 @@ const isAdmin = (req) => {
  */
 router.get('/', async (req, res) => {
   try {
-    const admin = isAdmin(req);
-    // If admin, get all actions, otherwise only user's actions
-    const searchParams = admin ? {} : { user: req.user.id };
-    res.json(await getActions(searchParams));
+    const userId = req.user.id;
+    const editableAgentObjectIds = await findAccessibleResources({
+      userId,
+      role: req.user.role,
+      resourceType: ResourceType.AGENT,
+      requiredPermissions: PermissionBits.EDIT,
+    });
+
+    const agentsResponse = await getListAgentsByAccess({
+      accessibleIds: editableAgentObjectIds,
+    });
+
+    const editableAgentIds = agentsResponse.data.map((agent) => agent.id);
+    const actions =
+      editableAgentIds.length > 0 ? await getActions({ agent_id: { $in: editableAgentIds } }) : [];
+
+    res.json(actions);
   } catch (error) {
     res.status(500).json({ error: error.message });
   }
@@ -55,106 +65,111 @@ router.get('/', async (req, res) => {
  * @param {ActionMetadata} req.body.metadata - Metadata for the action.
  * @returns {Object} 200 - success response - application/json
  */
-router.post('/:agent_id', checkAgentCreate, async (req, res) => {
-  try {
-    const { agent_id } = req.params;
+router.post(
+  '/:agent_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  checkAgentCreate,
+  async (req, res) => {
+    try {
+      const { agent_id } = req.params;
 
-    /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
-    const { functions, action_id: _action_id, metadata: _metadata } = req.body;
-    if (!functions.length) {
-      return res.status(400).json({ message: 'No functions provided' });
-    }
-
-    let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
-    const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
-    if (!isDomainAllowed) {
-      return res.status(400).json({ message: 'Domain not allowed' });
-    }
-
-    let { domain } = metadata;
-    domain = await domainParser(domain, true);
-
-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
-    }
-
-    const action_id = _action_id ?? nanoid();
-    const initialPromises = [];
-    const admin = isAdmin(req);
-
-    // If admin, can edit any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    // TODO: share agents
-    initialPromises.push(getAgent(agentQuery));
-    if (_action_id) {
-      initialPromises.push(getActions({ action_id }, true));
-    }
-
-    /** @type {[Agent, [Action|undefined]]} */
-    const [agent, actions_result] = await Promise.all(initialPromises);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for adding action' });
-    }
-
-    if (actions_result && actions_result.length) {
-      const action = actions_result[0];
-      metadata = { ...action.metadata, ...metadata };
-    }
-
-    const { actions: _actions = [], author: agent_author } = agent ?? {};
-    const actions = [];
-    for (const action of _actions) {
-      const [_action_domain, current_action_id] = action.split(actionDelimiter);
-      if (current_action_id === action_id) {
-        continue;
+      /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
+      const { functions, action_id: _action_id, metadata: _metadata } = req.body;
+      if (!functions.length) {
+        return res.status(400).json({ message: 'No functions provided' });
       }
 
-      actions.push(action);
-    }
-
-    actions.push(`${domain}${actionDelimiter}${action_id}`);
-
-    /** @type {string[]}} */
-    const { tools: _tools = [] } = agent;
-
-    const tools = _tools
-      .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
-      .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
-
-    // Force version update since actions are changing
-    const updatedAgent = await updateAgent(
-      agentQuery,
-      { tools, actions },
-      {
-        updatingUserId: req.user.id,
-        forceVersion: true,
-      },
-    );
-
-    // Only update user field for new actions
-    const actionUpdateData = { metadata, agent_id };
-    if (!actions_result || !actions_result.length) {
-      // For new actions, use the agent owner's user ID
-      actionUpdateData.user = agent_author || req.user.id;
-    }
-
-    /** @type {[Action]} */
-    const updatedAction = await updateAction({ action_id }, actionUpdateData);
-
-    const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
-    for (let field of sensitiveFields) {
-      if (updatedAction.metadata[field]) {
-        delete updatedAction.metadata[field];
+      let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
+      const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
+      if (!isDomainAllowed) {
+        return res.status(400).json({ message: 'Domain not allowed' });
       }
-    }
 
-    res.json([updatedAgent, updatedAction]);
-  } catch (error) {
-    const message = 'Trouble updating the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+      let { domain } = metadata;
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const action_id = _action_id ?? nanoid();
+      const initialPromises = [];
+
+      // Permissions already validated by middleware - load agent directly
+      initialPromises.push(getAgent({ id: agent_id }));
+      if (_action_id) {
+        initialPromises.push(getActions({ action_id }, true));
+      }
+
+      /** @type {[Agent, [Action|undefined]]} */
+      const [agent, actions_result] = await Promise.all(initialPromises);
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for adding action' });
+      }
+
+      if (actions_result && actions_result.length) {
+        const action = actions_result[0];
+        metadata = { ...action.metadata, ...metadata };
+      }
+
+      const { actions: _actions = [], author: agent_author } = agent ?? {};
+      const actions = [];
+      for (const action of _actions) {
+        const [_action_domain, current_action_id] = action.split(actionDelimiter);
+        if (current_action_id === action_id) {
+          continue;
+        }
+
+        actions.push(action);
+      }
+
+      actions.push(`${domain}${actionDelimiter}${action_id}`);
+
+      /** @type {string[]}} */
+      const { tools: _tools = [] } = agent;
+
+      const tools = _tools
+        .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
+        .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
+
+      // Force version update since actions are changing
+      const updatedAgent = await updateAgent(
+        { id: agent_id },
+        { tools, actions },
+        {
+          updatingUserId: req.user.id,
+          forceVersion: true,
+        },
+      );
+
+      // Only update user field for new actions
+      const actionUpdateData = { metadata, agent_id };
+      if (!actions_result || !actions_result.length) {
+        // For new actions, use the agent owner's user ID
+        actionUpdateData.user = agent_author || req.user.id;
+      }
+
+      /** @type {[Action]} */
+      const updatedAction = await updateAction({ action_id }, actionUpdateData);
+
+      const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
+      for (let field of sensitiveFields) {
+        if (updatedAction.metadata[field]) {
+          delete updatedAction.metadata[field];
+        }
+      }
+
+      res.json([updatedAgent, updatedAction]);
+    } catch (error) {
+      const message = 'Trouble updating the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
+    }
+  },
+);
 
 /**
  * Deletes an action for a specific agent.
@@ -163,52 +178,56 @@ router.post('/:agent_id', checkAgentCreate, async (req, res) => {
  * @param {string} req.params.action_id - The ID of the action to delete.
  * @returns {Object} 200 - success response - application/json
  */
-router.delete('/:agent_id/:action_id', checkAgentCreate, async (req, res) => {
-  try {
-    const { agent_id, action_id } = req.params;
-    const admin = isAdmin(req);
+router.delete(
+  '/:agent_id/:action_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  checkAgentCreate,
+  async (req, res) => {
+    try {
+      const { agent_id, action_id } = req.params;
 
-    // If admin, can delete any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    const agent = await getAgent(agentQuery);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for deleting action' });
-    }
-
-    const { tools = [], actions = [] } = agent;
-
-    let domain = '';
-    const updatedActions = actions.filter((action) => {
-      if (action.includes(action_id)) {
-        [domain] = action.split(actionDelimiter);
-        return false;
+      // Permissions already validated by middleware - load agent directly
+      const agent = await getAgent({ id: agent_id });
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for deleting action' });
       }
-      return true;
-    });
 
-    domain = await domainParser(domain, true);
+      const { tools = [], actions = [] } = agent;
 
-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
+      let domain = '';
+      const updatedActions = actions.filter((action) => {
+        if (action.includes(action_id)) {
+          [domain] = action.split(actionDelimiter);
+          return false;
+        }
+        return true;
+      });
+
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
+
+      // Force version update since actions are being removed
+      await updateAgent(
+        { id: agent_id },
+        { tools: updatedTools, actions: updatedActions },
+        { updatingUserId: req.user.id, forceVersion: true },
+      );
+      await deleteAction({ action_id });
+      res.status(200).json({ message: 'Action deleted successfully' });
+    } catch (error) {
+      const message = 'Trouble deleting the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
     }
-
-    const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
-
-    // Force version update since actions are being removed
-    await updateAgent(
-      agentQuery,
-      { tools: updatedTools, actions: updatedActions },
-      { updatingUserId: req.user.id, forceVersion: true },
-    );
-    // If admin, can delete any action, otherwise only user's actions
-    const actionQuery = admin ? { action_id } : { action_id, user: req.user.id };
-    await deleteAction(actionQuery);
-    res.status(200).json({ message: 'Action deleted successfully' });
-  } catch (error) {
-    const message = 'Trouble deleting the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+  },
+);
 
 module.exports = router;

api/server/routes/agents/chat.js

@@ -1,12 +1,13 @@
 const express = require('express');
 const { generateCheckAccess, skipAgentCheck } = require('@librechat/api');
-const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { PermissionTypes, Permissions, PermissionBits } = require('librechat-data-provider');
 const {
   setHeaders,
   moderateText,
   // validateModel,
   validateConvoAccess,
   buildEndpointOption,
+  canAccessAgentFromBody,
 } = require('~/server/middleware');
 const { initializeClient } = require('~/server/services/Endpoints/agents');
 const AgentController = require('~/server/controllers/agents/request');
@@ -23,8 +24,12 @@ const checkAgentAccess = generateCheckAccess({
   skipCheck: skipAgentCheck,
   getRoleByName,
 });
+const checkAgentResourceAccess = canAccessAgentFromBody({
+  requiredPermission: PermissionBits.VIEW,
+});
 
 router.use(checkAgentAccess);
+router.use(checkAgentResourceAccess);
 router.use(validateConvoAccess);
 router.use(buildEndpointOption);
 router.use(setHeaders);

api/server/routes/agents/index.js

@@ -37,4 +37,6 @@ if (isEnabled(LIMIT_MESSAGE_USER)) {
 chatRouter.use('/', chat);
 router.use('/chat', chatRouter);
 
+// Add marketplace routes
+
 module.exports = router;

api/server/routes/agents/v1.js

@@ -1,7 +1,7 @@
 const express = require('express');
 const { generateCheckAccess } = require('@librechat/api');
-const { PermissionTypes, Permissions } = require('librechat-data-provider');
-const { requireJwtAuth } = require('~/server/middleware');
+const { PermissionTypes, Permissions, PermissionBits } = require('librechat-data-provider');
+const { requireJwtAuth, canAccessAgentResource } = require('~/server/middleware');
 const v1 = require('~/server/controllers/agents/v1');
 const { getRoleByName } = require('~/models/Role');
 const actions = require('./actions');
@@ -44,6 +44,11 @@ router.use('/actions', actions);
  */
 router.use('/tools', tools);
 
+/**
+ * Get all agent categories with counts
+ * @route GET /agents/marketplace/categories
+ */
+router.get('/categories', v1.getAgentCategories);
 /**
  * Creates an agent.
  * @route POST /agents
@@ -53,13 +58,38 @@ router.use('/tools', tools);
 router.post('/', checkAgentCreate, v1.createAgent);
 
 /**
- * Retrieves an agent.
+ * Retrieves basic agent information (VIEW permission required).
+ * Returns safe, non-sensitive agent data for viewing purposes.
  * @route GET /agents/:id
  * @param {string} req.params.id - Agent identifier.
- * @returns {Agent} 200 - Success response - application/json
+ * @returns {Agent} 200 - Basic agent info - application/json
  */
-router.get('/:id', checkAgentAccess, v1.getAgent);
+router.get(
+  '/:id',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.VIEW,
+    resourceIdParam: 'id',
+  }),
+  v1.getAgent,
+);
 
+/**
+ * Retrieves full agent details including sensitive configuration (EDIT permission required).
+ * Returns complete agent data for editing/configuration purposes.
+ * @route GET /agents/:id/expanded
+ * @param {string} req.params.id - Agent identifier.
+ * @returns {Agent} 200 - Full agent details - application/json
+ */
+router.get(
+  '/:id/expanded',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'id',
+  }),
+  (req, res) => v1.getAgent(req, res, true), // Expanded version
+);
 /**
  * Updates an agent.
  * @route PATCH /agents/:id
@@ -67,7 +97,15 @@ router.get('/:id', checkAgentAccess, v1.getAgent);
  * @param {AgentUpdateParams} req.body - The agent update parameters.
  * @returns {Agent} 200 - Success response - application/json
  */
-router.patch('/:id', checkGlobalAgentShare, v1.updateAgent);
+router.patch(
+  '/:id',
+  checkGlobalAgentShare,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'id',
+  }),
+  v1.updateAgent,
+);
 
 /**
  * Duplicates an agent.
@@ -75,7 +113,15 @@ router.patch('/:id', checkGlobalAgentShare, v1.updateAgent);
  * @param {string} req.params.id - Agent identifier.
  * @returns {Agent} 201 - Success response - application/json
  */
-router.post('/:id/duplicate', checkAgentCreate, v1.duplicateAgent);
+router.post(
+  '/:id/duplicate',
+  checkAgentCreate,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.VIEW,
+    resourceIdParam: 'id',
+  }),
+  v1.duplicateAgent,
+);
 
 /**
  * Deletes an agent.
@@ -83,7 +129,15 @@ router.post('/:id/duplicate', checkAgentCreate, v1.duplicateAgent);
  * @param {string} req.params.id - Agent identifier.
  * @returns {Agent} 200 - success response - application/json
  */
-router.delete('/:id', checkAgentCreate, v1.deleteAgent);
+router.delete(
+  '/:id',
+  checkAgentCreate,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.DELETE,
+    resourceIdParam: 'id',
+  }),
+  v1.deleteAgent,
+);
 
 /**
  * Reverts an agent to a previous version.
@@ -110,6 +164,14 @@ router.get('/', checkAgentAccess, v1.getListAgents);
  * @param {string} [req.body.metadata] - Optional metadata for the agent's avatar.
  * @returns {Object} 200 - success response - application/json
  */
-avatar.post('/:agent_id/avatar/', checkAgentAccess, v1.uploadAgentAvatar);
+avatar.post(
+  '/:agent_id/avatar/',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  v1.uploadAgentAvatar,
+);
 
 module.exports = { v1: router, avatar };

api/server/routes/auth.js

@@ -4,6 +4,7 @@ const {
   registrationController,
   resetPasswordController,
   resetPasswordRequestController,
+  graphTokenController,
 } = require('~/server/controllers/AuthController');
 const { loginController } = require('~/server/controllers/auth/LoginController');
 const { logoutController } = require('~/server/controllers/auth/LogoutController');
@@ -69,4 +70,6 @@ router.post('/2fa/confirm', requireJwtAuth, confirm2FA);
 router.post('/2fa/disable', requireJwtAuth, disable2FA);
 router.post('/2fa/backup/regenerate', requireJwtAuth, regenerateBackupCodes);
 
+router.get('/graph-token', requireJwtAuth, graphTokenController);
+
 module.exports = router;

api/server/routes/config.js

@@ -1,10 +1,11 @@
 const express = require('express');
+const { isEnabled } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const { CacheKeys, defaultSocialLogins, Constants } = require('librechat-data-provider');
 const { getCustomConfig } = require('~/server/services/Config/getCustomConfig');
 const { getLdapConfig } = require('~/server/services/Config/ldap');
 const { getProjectByName } = require('~/models/Project');
-const { isEnabled } = require('~/server/utils');
+const { getMCPManager } = require('~/config');
 const { getLogStores } = require('~/cache');
 
 const router = express.Router();
@@ -20,6 +21,9 @@ const publicSharedLinksEnabled =
   (process.env.ALLOW_SHARED_LINKS_PUBLIC === undefined ||
     isEnabled(process.env.ALLOW_SHARED_LINKS_PUBLIC));
 
+const sharePointFilePickerEnabled = isEnabled(process.env.ENABLE_SHAREPOINT_FILEPICKER);
+const openidReuseTokens = isEnabled(process.env.OPENID_REUSE_TOKENS);
+
 router.get('/', async function (req, res) {
   const cache = getLogStores(CacheKeys.CONFIG_STORE);
 
@@ -97,16 +101,26 @@ router.get('/', async function (req, res) {
       instanceProjectId: instanceProject._id.toString(),
       bundlerURL: process.env.SANDPACK_BUNDLER_URL,
       staticBundlerURL: process.env.SANDPACK_STATIC_BUNDLER_URL,
+      sharePointFilePickerEnabled,
+      sharePointBaseUrl: process.env.SHAREPOINT_BASE_URL,
+      sharePointPickerGraphScope: process.env.SHAREPOINT_PICKER_GRAPH_SCOPE,
+      sharePointPickerSharePointScope: process.env.SHAREPOINT_PICKER_SHAREPOINT_SCOPE,
+      openidReuseTokens,
     };
 
     payload.mcpServers = {};
     const config = await getCustomConfig();
     if (config?.mcpServers != null) {
+      const mcpManager = getMCPManager();
+      const oauthServers = mcpManager.getOAuthServers();
+
       for (const serverName in config.mcpServers) {
         const serverConfig = config.mcpServers[serverName];
         payload.mcpServers[serverName] = {
           customUserVars: serverConfig?.customUserVars || {},
-          requiresOAuth: req.app.locals.mcpOAuthRequirements?.[serverName] || false,
+          chatMenu: serverConfig?.chatMenu,
+          isOAuth: oauthServers.has(serverName),
+          startup: serverConfig?.startup,
         };
       }
     }

api/server/routes/convos.js

@@ -111,7 +111,7 @@ router.delete('/', async (req, res) => {
     /** @type {{ openai: OpenAI }} */
     const { openai } = await assistantClients[endpoint].initializeClient({ req, res });
     try {
-      const response = await openai.beta.threads.del(thread_id);
+      const response = await openai.beta.threads.delete(thread_id);
       logger.debug('Deleted OpenAI thread:', response);
     } catch (error) {
       logger.error('Error deleting OpenAI thread:', error);

api/server/routes/files/avatar.js

@@ -3,6 +3,7 @@ const express = require('express');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { resizeAvatar } = require('~/server/services/Files/images/avatar');
 const { filterFile } = require('~/server/services/Files/process');
+const { getFileStrategy } = require('~/server/utils/getFileStrategy');
 const { logger } = require('~/config');
 
 const router = express.Router();
@@ -18,7 +19,7 @@ router.post('/', async (req, res) => {
       throw new Error('User ID is undefined');
     }
 
-    const fileStrategy = req.app.locals.fileStrategy;
+    const fileStrategy = getFileStrategy(req.app.locals, { isAvatar: true });
     const desiredFormat = req.app.locals.imageOutputType;
     const resizedBuffer = await resizeAvatar({
       userId,

api/server/routes/files/files.agents.test.js

@@ -2,10 +2,13 @@ const express = require('express');
 const request = require('supertest');
 const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
+const { createMethods } = require('@librechat/data-schemas');
 const { MongoMemoryServer } = require('mongodb-memory-server');
-const { GLOBAL_PROJECT_NAME } = require('librechat-data-provider').Constants;
+const { AccessRoleIds, ResourceType, PrincipalType } = require('librechat-data-provider');
+const { createAgent } = require('~/models/Agent');
+const { createFile } = require('~/models/File');
 
-// Mock dependencies
+// Only mock the external dependencies that we don't want to test
 jest.mock('~/server/services/Files/process', () => ({
   processDeleteRequest: jest.fn().mockResolvedValue({}),
   filterFile: jest.fn(),
@@ -25,31 +28,8 @@ jest.mock('~/server/services/Tools/credentials', () => ({
   loadAuthValues: jest.fn(),
 }));
 
-jest.mock('~/server/services/Files/S3/crud', () => ({
-  refreshS3FileUrls: jest.fn(),
-}));
-
-jest.mock('~/cache', () => ({
-  getLogStores: jest.fn(() => ({
-    get: jest.fn(),
-    set: jest.fn(),
-  })),
-}));
-
-jest.mock('~/config', () => ({
-  logger: {
-    error: jest.fn(),
-    warn: jest.fn(),
-    debug: jest.fn(),
-  },
-}));
-
-const { createFile } = require('~/models/File');
-const { createAgent } = require('~/models/Agent');
-const { getProjectByName } = require('~/models/Project');
-
-// Import the router after mocks
-const router = require('./files');
+// Import the router
+const router = require('~/server/routes/files/files');
 
 describe('File Routes - Agent Files Endpoint', () => {
   let app;
@@ -60,13 +40,42 @@ describe('File Routes - Agent Files Endpoint', () => {
   let fileId1;
   let fileId2;
   let fileId3;
+  let File;
+  let User;
+  let Agent;
+  let methods;
+  let AclEntry;
+  // eslint-disable-next-line no-unused-vars
+  let AccessRole;
+  let modelsToCleanup = [];
 
   beforeAll(async () => {
     mongoServer = await MongoMemoryServer.create();
-    await mongoose.connect(mongoServer.getUri());
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
 
-    // Initialize models
-    require('~/db/models');
+    // Initialize all models using createModels
+    const { createModels } = require('@librechat/data-schemas');
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    Object.assign(mongoose.models, models);
+
+    // Create methods with our test mongoose instance
+    methods = createMethods(mongoose);
+
+    // Now we can access models from the db/models
+    File = models.File;
+    Agent = models.Agent;
+    AclEntry = models.AclEntry;
+    User = models.User;
+    AccessRole = models.AccessRole;
+
+    // Seed default roles using our methods
+    await methods.seedDefaultRoles();
 
     app = express();
     app.use(express.json());
@@ -82,88 +91,121 @@ describe('File Routes - Agent Files Endpoint', () => {
   });
 
   afterAll(async () => {
-    await mongoose.disconnect();
-    await mongoServer.stop();
-  });
-
-  beforeEach(async () => {
-    jest.clearAllMocks();
-
-    // Clear database
+    // Clean up all collections before disconnecting
     const collections = mongoose.connection.collections;
     for (const key in collections) {
       await collections[key].deleteMany({});
     }
 
-    authorId = new mongoose.Types.ObjectId().toString();
-    otherUserId = new mongoose.Types.ObjectId().toString();
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    // Clean up all test data
+    await File.deleteMany({});
+    await Agent.deleteMany({});
+    await User.deleteMany({});
+    await AclEntry.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
+
+    // Create test users
+    authorId = new mongoose.Types.ObjectId();
+    otherUserId = new mongoose.Types.ObjectId();
     agentId = uuidv4();
     fileId1 = uuidv4();
     fileId2 = uuidv4();
     fileId3 = uuidv4();
 
+    // Create users in database
+    await User.create({
+      _id: authorId,
+      username: 'author',
+      email: 'author@test.com',
+    });
+
+    await User.create({
+      _id: otherUserId,
+      username: 'other',
+      email: 'other@test.com',
+    });
+
     // Create files
     await createFile({
       user: authorId,
       file_id: fileId1,
-      filename: 'agent-file1.txt',
-      filepath: `/uploads/${authorId}/${fileId1}`,
-      bytes: 1024,
+      filename: 'file1.txt',
+      filepath: '/uploads/file1.txt',
+      bytes: 100,
       type: 'text/plain',
     });
 
     await createFile({
       user: authorId,
       file_id: fileId2,
-      filename: 'agent-file2.txt',
-      filepath: `/uploads/${authorId}/${fileId2}`,
-      bytes: 2048,
+      filename: 'file2.txt',
+      filepath: '/uploads/file2.txt',
+      bytes: 200,
       type: 'text/plain',
     });
 
     await createFile({
       user: otherUserId,
       file_id: fileId3,
-      filename: 'user-file.txt',
-      filepath: `/uploads/${otherUserId}/${fileId3}`,
-      bytes: 512,
+      filename: 'file3.txt',
+      filepath: '/uploads/file3.txt',
+      bytes: 300,
       type: 'text/plain',
     });
-
-    // Create an agent with files attached
-    await createAgent({
-      id: agentId,
-      name: 'Test Agent',
-      author: authorId,
-      model: 'gpt-4',
-      provider: 'openai',
-      isCollaborative: true,
-      tool_resources: {
-        file_search: {
-          file_ids: [fileId1, fileId2],
-        },
-      },
-    });
-
-    // Share the agent globally
-    const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME, '_id');
-    if (globalProject) {
-      const { updateAgent } = require('~/models/Agent');
-      await updateAgent({ id: agentId }, { projectIds: [globalProject._id] });
-    }
   });
 
   describe('GET /files/agent/:agent_id', () => {
-    it('should return files accessible through the agent for non-author', async () => {
+    it('should return files accessible through the agent for non-author with EDIT permission', async () => {
+      // Create an agent with files attached
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, fileId2],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent using PermissionService
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: otherUserId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
+      // Mock req.user for this request
+      app.use((req, res, next) => {
+        req.user = { id: otherUserId.toString() };
+        next();
+      });
+
       const response = await request(app).get(`/files/agent/${agentId}`);
 
       expect(response.status).toBe(200);
-      expect(response.body).toHaveLength(2); // Only agent files, not user-owned files
-
-      const fileIds = response.body.map((f) => f.file_id);
-      expect(fileIds).toContain(fileId1);
-      expect(fileIds).toContain(fileId2);
-      expect(fileIds).not.toContain(fileId3); // User's own file not included
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toHaveLength(2);
+      expect(response.body.map((f) => f.file_id)).toContain(fileId1);
+      expect(response.body.map((f) => f.file_id)).toContain(fileId2);
     });
 
     it('should return 400 when agent_id is not provided', async () => {
@@ -176,45 +218,63 @@ describe('File Routes - Agent Files Endpoint', () => {
       const response = await request(app).get('/files/agent/non-existent-agent');
 
       expect(response.status).toBe(200);
-      expect(response.body).toEqual([]); // Empty array for non-existent agent
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toEqual([]);
     });
 
-    it('should return empty array when agent is not collaborative', async () => {
-      // Create a non-collaborative agent
-      const nonCollabAgentId = uuidv4();
-      await createAgent({
-        id: nonCollabAgentId,
-        name: 'Non-Collaborative Agent',
-        author: authorId,
-        model: 'gpt-4',
+    it('should return empty array when user only has VIEW permission', async () => {
+      // Create an agent with files attached
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
         provider: 'openai',
-        isCollaborative: false,
+        model: 'gpt-4',
+        author: authorId,
         tool_resources: {
           file_search: {
-            file_ids: [fileId1],
+            file_ids: [fileId1, fileId2],
           },
         },
       });
 
-      // Share it globally
-      const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME, '_id');
-      if (globalProject) {
-        const { updateAgent } = require('~/models/Agent');
-        await updateAgent({ id: nonCollabAgentId }, { projectIds: [globalProject._id] });
-      }
+      // Grant only VIEW permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: otherUserId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_VIEWER,
+        grantedBy: authorId,
+      });
 
-      const response = await request(app).get(`/files/agent/${nonCollabAgentId}`);
+      const response = await request(app).get(`/files/agent/${agentId}`);
 
       expect(response.status).toBe(200);
-      expect(response.body).toEqual([]); // Empty array when not collaborative
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toEqual([]);
     });
 
     it('should return agent files for agent author', async () => {
+      // Create an agent with files attached
+      await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, fileId2],
+          },
+        },
+      });
+
       // Create a new app instance with author authentication
       const authorApp = express();
       authorApp.use(express.json());
       authorApp.use((req, res, next) => {
-        req.user = { id: authorId };
+        req.user = { id: authorId.toString() };
         req.app = { locals: {} };
         next();
       });
@@ -223,46 +283,48 @@ describe('File Routes - Agent Files Endpoint', () => {
       const response = await request(authorApp).get(`/files/agent/${agentId}`);
 
       expect(response.status).toBe(200);
-      expect(response.body).toHaveLength(2); // Agent files for author
-
-      const fileIds = response.body.map((f) => f.file_id);
-      expect(fileIds).toContain(fileId1);
-      expect(fileIds).toContain(fileId2);
-      expect(fileIds).not.toContain(fileId3); // User's own file not included
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toHaveLength(2);
     });
 
     it('should return files uploaded by other users to shared agent for author', async () => {
-      // Create a file uploaded by another user
+      const anotherUserId = new mongoose.Types.ObjectId();
       const otherUserFileId = uuidv4();
-      const anotherUserId = new mongoose.Types.ObjectId().toString();
+
+      await User.create({
+        _id: anotherUserId,
+        username: 'another',
+        email: 'another@test.com',
+      });
 
       await createFile({
         user: anotherUserId,
         file_id: otherUserFileId,
         filename: 'other-user-file.txt',
-        filepath: `/uploads/${anotherUserId}/${otherUserFileId}`,
-        bytes: 4096,
+        filepath: '/uploads/other-user-file.txt',
+        bytes: 400,
         type: 'text/plain',
       });
 
-      // Update agent to include the file uploaded by another user
-      const { updateAgent } = require('~/models/Agent');
-      await updateAgent(
-        { id: agentId },
-        {
-          tool_resources: {
-            file_search: {
-              file_ids: [fileId1, fileId2, otherUserFileId],
-            },
+      // Create agent to include the file uploaded by another user
+      await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, otherUserFileId],
           },
         },
-      );
+      });
 
-      // Create app instance with author authentication
+      // Create a new app instance with author authentication
       const authorApp = express();
       authorApp.use(express.json());
       authorApp.use((req, res, next) => {
-        req.user = { id: authorId };
+        req.user = { id: authorId.toString() };
         req.app = { locals: {} };
         next();
       });
@@ -271,12 +333,10 @@ describe('File Routes - Agent Files Endpoint', () => {
       const response = await request(authorApp).get(`/files/agent/${agentId}`);
 
       expect(response.status).toBe(200);
-      expect(response.body).toHaveLength(3); // Including file from another user
-
-      const fileIds = response.body.map((f) => f.file_id);
-      expect(fileIds).toContain(fileId1);
-      expect(fileIds).toContain(fileId2);
-      expect(fileIds).toContain(otherUserFileId); // File uploaded by another user
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toHaveLength(2);
+      expect(response.body.map((f) => f.file_id)).toContain(fileId1);
+      expect(response.body.map((f) => f.file_id)).toContain(otherUserFileId);
     });
   });
 });

api/server/routes/files/files.js

@@ -5,9 +5,10 @@ const {
   Time,
   isUUID,
   CacheKeys,
-  Constants,
   FileSources,
+  ResourceType,
   EModelEndpoint,
+  PermissionBits,
   isAgentsEndpoint,
   checkOpenAIStorage,
 } = require('librechat-data-provider');
@@ -17,12 +18,15 @@ const {
   processDeleteRequest,
   processAgentFileUpload,
 } = require('~/server/services/Files/process');
-const { getFiles, batchUpdateFiles, hasAccessToFilesViaAgent } = require('~/models/File');
+const { fileAccess } = require('~/server/middleware/accessResources/fileAccess');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { getOpenAIClient } = require('~/server/controllers/assistants/helpers');
+const { checkPermission } = require('~/server/services/PermissionService');
 const { loadAuthValues } = require('~/server/services/Tools/credentials');
 const { refreshS3FileUrls } = require('~/server/services/Files/S3/crud');
-const { getProjectByName } = require('~/models/Project');
+const { hasAccessToFilesViaAgent } = require('~/server/services/Files');
+const { getFiles, batchUpdateFiles } = require('~/models/File');
+const { cleanFileName } = require('~/server/utils/files');
 const { getAssistant } = require('~/models/Assistant');
 const { getAgent } = require('~/models/Agent');
 const { getLogStores } = require('~/cache');
@@ -67,29 +71,25 @@ router.get('/agent/:agent_id', async (req, res) => {
       return res.status(400).json({ error: 'Agent ID is required' });
     }
 
-    // Get the agent to check ownership and attached files
     const agent = await getAgent({ id: agent_id });
-
     if (!agent) {
-      // No agent found, return empty array
       return res.status(200).json([]);
     }
 
-    // Check if user has access to the agent
     if (agent.author.toString() !== userId) {
-      // Non-authors need the agent to be globally shared and collaborative
-      const globalProject = await getProjectByName(Constants.GLOBAL_PROJECT_NAME, '_id');
+      const hasEditPermission = await checkPermission({
+        userId,
+        role: req.user.role,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        requiredPermission: PermissionBits.EDIT,
+      });
 
-      if (
-        !globalProject ||
-        !agent.projectIds.some((pid) => pid.toString() === globalProject._id.toString()) ||
-        !agent.isCollaborative
-      ) {
+      if (!hasEditPermission) {
         return res.status(200).json([]);
       }
     }
 
-    // Collect all file IDs from agent's tool resources
     const agentFileIds = [];
     if (agent.tool_resources) {
       for (const [, resource] of Object.entries(agent.tool_resources)) {
@@ -99,12 +99,10 @@ router.get('/agent/:agent_id', async (req, res) => {
       }
     }
 
-    // If no files attached to agent, return empty array
     if (agentFileIds.length === 0) {
       return res.status(200).json([]);
     }
 
-    // Get only the files attached to this agent
     const files = await getFiles({ file_id: { $in: agentFileIds } }, null, { text: 0 });
 
     res.status(200).json(files);
@@ -153,18 +151,15 @@ router.delete('/', async (req, res) => {
 
     const ownedFiles = [];
     const nonOwnedFiles = [];
-    const fileMap = new Map();
 
     for (const file of dbFiles) {
-      fileMap.set(file.file_id, file);
-      if (file.user.toString() === req.user.id) {
+      if (file.user.toString() === req.user.id.toString()) {
         ownedFiles.push(file);
       } else {
         nonOwnedFiles.push(file);
       }
     }
 
-    // If all files are owned by the user, no need for further checks
     if (nonOwnedFiles.length === 0) {
       await processDeleteRequest({ req, files: ownedFiles });
       logger.debug(
@@ -177,20 +172,18 @@ router.delete('/', async (req, res) => {
       return;
     }
 
-    // Check access for non-owned files
     let authorizedFiles = [...ownedFiles];
     let unauthorizedFiles = [];
 
     if (req.body.agent_id && nonOwnedFiles.length > 0) {
-      // Batch check access for all non-owned files
       const nonOwnedFileIds = nonOwnedFiles.map((f) => f.file_id);
-      const accessMap = await hasAccessToFilesViaAgent(
-        req.user.id,
-        nonOwnedFileIds,
-        req.body.agent_id,
-      );
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: req.user.id,
+        role: req.user.role,
+        fileIds: nonOwnedFileIds,
+        agentId: req.body.agent_id,
+      });
 
-      // Separate authorized and unauthorized files
       for (const file of nonOwnedFiles) {
         if (accessMap.get(file.file_id)) {
           authorizedFiles.push(file);
@@ -199,7 +192,6 @@ router.delete('/', async (req, res) => {
         }
       }
     } else {
-      // No agent context, all non-owned files are unauthorized
       unauthorizedFiles = nonOwnedFiles;
     }
 
@@ -303,42 +295,30 @@ router.get('/code/download/:session_id/:fileId', async (req, res) => {
   }
 });
 
-router.get('/download/:userId/:file_id', async (req, res) => {
+router.get('/download/:userId/:file_id', fileAccess, async (req, res) => {
   try {
     const { userId, file_id } = req.params;
     logger.debug(`File download requested by user ${userId}: ${file_id}`);
 
-    if (userId !== req.user.id) {
-      logger.warn(`${errorPrefix} forbidden: ${file_id}`);
-      return res.status(403).send('Forbidden');
-    }
-
-    const [file] = await getFiles({ file_id });
-    const errorPrefix = `File download requested by user ${userId}`;
-
-    if (!file) {
-      logger.warn(`${errorPrefix} not found: ${file_id}`);
-      return res.status(404).send('File not found');
-    }
-
-    if (!file.filepath.includes(userId)) {
-      logger.warn(`${errorPrefix} forbidden: ${file_id}`);
-      return res.status(403).send('Forbidden');
-    }
+    // Access already validated by fileAccess middleware
+    const file = req.fileAccess.file;
 
     if (checkOpenAIStorage(file.source) && !file.model) {
-      logger.warn(`${errorPrefix} has no associated model: ${file_id}`);
+      logger.warn(`File download requested by user ${userId} has no associated model: ${file_id}`);
       return res.status(400).send('The model used when creating this file is not available');
     }
 
     const { getDownloadStream } = getStrategyFunctions(file.source);
     if (!getDownloadStream) {
-      logger.warn(`${errorPrefix} has no stream method implemented: ${file.source}`);
+      logger.warn(
+        `File download requested by user ${userId} has no stream method implemented: ${file.source}`,
+      );
       return res.status(501).send('Not Implemented');
     }
 
     const setHeaders = () => {
-      res.setHeader('Content-Disposition', `attachment; filename="${file.filename}"`);
+      const cleanedFilename = cleanFileName(file.filename);
+      res.setHeader('Content-Disposition', `attachment; filename="${cleanedFilename}"`);
       res.setHeader('Content-Type', 'application/octet-stream');
       res.setHeader('X-File-Metadata', JSON.stringify(file));
     };
@@ -365,12 +345,17 @@ router.get('/download/:userId/:file_id', async (req, res) => {
       logger.debug(`File ${file_id} downloaded from OpenAI`);
       passThrough.body.pipe(res);
     } else {
-      fileStream = getDownloadStream(file_id);
+      fileStream = await getDownloadStream(req, file.filepath);
+
+      fileStream.on('error', (streamError) => {
+        logger.error('[DOWNLOAD ROUTE] Stream error:', streamError);
+      });
+
       setHeaders();
       fileStream.pipe(res);
     }
   } catch (error) {
-    logger.error('Error downloading file:', error);
+    logger.error('[DOWNLOAD ROUTE] Error downloading file:', error);
     res.status(500).send('Error downloading file');
   }
 });
@@ -405,7 +390,6 @@ router.post('/', async (req, res) => {
       message = error.message;
     }
 
-    // TODO: delete remote file if it exists
     try {
       await fs.unlink(req.file.path);
       cleanup = false;
@@ -413,13 +397,15 @@ router.post('/', async (req, res) => {
       logger.error('[/files] Error deleting file:', error);
     }
     res.status(500).json({ message });
-  }
-
-  if (cleanup) {
-    try {
-      await fs.unlink(req.file.path);
-    } catch (error) {
-      logger.error('[/files] Error deleting file after file processing:', error);
+  } finally {
+    if (cleanup) {
+      try {
+        await fs.unlink(req.file.path);
+      } catch (error) {
+        logger.error('[/files] Error deleting file after file processing:', error);
+      }
+    } else {
+      logger.debug('[/files] File processing completed without cleanup');
     }
   }
 });

api/server/routes/files/files.test.js

@@ -2,10 +2,18 @@ const express = require('express');
 const request = require('supertest');
 const mongoose = require('mongoose');
 const { v4: uuidv4 } = require('uuid');
+const { createMethods } = require('@librechat/data-schemas');
 const { MongoMemoryServer } = require('mongodb-memory-server');
-const { GLOBAL_PROJECT_NAME } = require('librechat-data-provider').Constants;
+const {
+  SystemRoles,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+} = require('librechat-data-provider');
+const { createAgent } = require('~/models/Agent');
+const { createFile } = require('~/models/File');
 
-// Mock dependencies
+// Only mock the external dependencies that we don't want to test
 jest.mock('~/server/services/Files/process', () => ({
   processDeleteRequest: jest.fn().mockResolvedValue({}),
   filterFile: jest.fn(),
@@ -44,9 +52,6 @@ jest.mock('~/config', () => ({
   },
 }));
 
-const { createFile } = require('~/models/File');
-const { createAgent } = require('~/models/Agent');
-const { getProjectByName } = require('~/models/Project');
 const { processDeleteRequest } = require('~/server/services/Files/process');
 
 // Import the router after mocks
@@ -57,22 +62,49 @@ describe('File Routes - Delete with Agent Access', () => {
   let mongoServer;
   let authorId;
   let otherUserId;
-  let agentId;
   let fileId;
+  let File;
+  let Agent;
+  let AclEntry;
+  let User;
+  let methods;
+  let modelsToCleanup = [];
 
   beforeAll(async () => {
     mongoServer = await MongoMemoryServer.create();
-    await mongoose.connect(mongoServer.getUri());
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
 
-    // Initialize models
-    require('~/db/models');
+    // Initialize all models using createModels
+    const { createModels } = require('@librechat/data-schemas');
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    Object.assign(mongoose.models, models);
+
+    // Create methods with our test mongoose instance
+    methods = createMethods(mongoose);
+
+    // Now we can access models from the db/models
+    File = models.File;
+    Agent = models.Agent;
+    AclEntry = models.AclEntry;
+    User = models.User;
+
+    // Seed default roles using our methods
+    await methods.seedDefaultRoles();
 
     app = express();
     app.use(express.json());
 
-    // Mock authentication middleware
     app.use((req, res, next) => {
-      req.user = { id: otherUserId || 'default-user' };
+      req.user = {
+        id: otherUserId || 'default-user',
+        role: SystemRoles.USER,
+      };
       req.app = { locals: {} };
       next();
     });
@@ -81,6 +113,19 @@ describe('File Routes - Delete with Agent Access', () => {
   });
 
   afterAll(async () => {
+    // Clean up all collections before disconnecting
+    const collections = mongoose.connection.collections;
+    for (const key in collections) {
+      await collections[key].deleteMany({});
+    }
+
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
     await mongoose.disconnect();
     await mongoServer.stop();
   });
@@ -88,48 +133,40 @@ describe('File Routes - Delete with Agent Access', () => {
   beforeEach(async () => {
     jest.clearAllMocks();
 
-    // Clear database
-    const collections = mongoose.connection.collections;
-    for (const key in collections) {
-      await collections[key].deleteMany({});
-    }
+    // Clear database - clean up all test data
+    await File.deleteMany({});
+    await Agent.deleteMany({});
+    await User.deleteMany({});
+    await AclEntry.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
 
-    authorId = new mongoose.Types.ObjectId().toString();
-    otherUserId = new mongoose.Types.ObjectId().toString();
+    // Create test data
+    authorId = new mongoose.Types.ObjectId();
+    otherUserId = new mongoose.Types.ObjectId();
     fileId = uuidv4();
 
+    // Create users in database
+    await User.create({
+      _id: authorId,
+      username: 'author',
+      email: 'author@test.com',
+    });
+
+    await User.create({
+      _id: otherUserId,
+      username: 'other',
+      email: 'other@test.com',
+    });
+
     // Create a file owned by the author
     await createFile({
       user: authorId,
       file_id: fileId,
       filename: 'test.txt',
-      filepath: `/uploads/${authorId}/${fileId}`,
-      bytes: 1024,
+      filepath: '/uploads/test.txt',
+      bytes: 100,
       type: 'text/plain',
     });
-
-    // Create an agent with the file attached
-    const agent = await createAgent({
-      id: uuidv4(),
-      name: 'Test Agent',
-      author: authorId,
-      model: 'gpt-4',
-      provider: 'openai',
-      isCollaborative: true,
-      tool_resources: {
-        file_search: {
-          file_ids: [fileId],
-        },
-      },
-    });
-    agentId = agent.id;
-
-    // Share the agent globally
-    const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME, '_id');
-    if (globalProject) {
-      const { updateAgent } = require('~/models/Agent');
-      await updateAgent({ id: agentId }, { projectIds: [globalProject._id] });
-    }
   });
 
   describe('DELETE /files', () => {
@@ -140,8 +177,8 @@ describe('File Routes - Delete with Agent Access', () => {
         user: otherUserId,
         file_id: userFileId,
         filename: 'user-file.txt',
-        filepath: `/uploads/${otherUserId}/${userFileId}`,
-        bytes: 1024,
+        filepath: '/uploads/user-file.txt',
+        bytes: 200,
         type: 'text/plain',
       });
 
@@ -151,7 +188,7 @@ describe('File Routes - Delete with Agent Access', () => {
           files: [
             {
               file_id: userFileId,
-              filepath: `/uploads/${otherUserId}/${userFileId}`,
+              filepath: '/uploads/user-file.txt',
             },
           ],
         });
@@ -168,7 +205,7 @@ describe('File Routes - Delete with Agent Access', () => {
           files: [
             {
               file_id: fileId,
-              filepath: `/uploads/${authorId}/${fileId}`,
+              filepath: '/uploads/test.txt',
             },
           ],
         });
@@ -180,14 +217,39 @@ describe('File Routes - Delete with Agent Access', () => {
     });
 
     it('should allow deleting files accessible through shared agent', async () => {
+      // Create an agent with the file attached
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: otherUserId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
       const response = await request(app)
         .delete('/files')
         .send({
-          agent_id: agentId,
+          agent_id: agent.id,
           files: [
             {
               file_id: fileId,
-              filepath: `/uploads/${authorId}/${fileId}`,
+              filepath: '/uploads/test.txt',
             },
           ],
         });
@@ -204,19 +266,44 @@ describe('File Routes - Delete with Agent Access', () => {
         user: authorId,
         file_id: unattachedFileId,
         filename: 'unattached.txt',
-        filepath: `/uploads/${authorId}/${unattachedFileId}`,
-        bytes: 1024,
+        filepath: '/uploads/unattached.txt',
+        bytes: 300,
         type: 'text/plain',
       });
 
+      // Create an agent without the unattached file
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId], // Only fileId, not unattachedFileId
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: otherUserId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
       const response = await request(app)
         .delete('/files')
         .send({
-          agent_id: agentId,
+          agent_id: agent.id,
           files: [
             {
               file_id: unattachedFileId,
-              filepath: `/uploads/${authorId}/${unattachedFileId}`,
+              filepath: '/uploads/unattached.txt',
             },
           ],
         });
@@ -224,6 +311,7 @@ describe('File Routes - Delete with Agent Access', () => {
       expect(response.status).toBe(403);
       expect(response.body.message).toBe('You can only delete files you have access to');
       expect(response.body.unauthorizedFiles).toContain(unattachedFileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
     });
 
     it('should handle mixed authorized and unauthorized files', async () => {
@@ -233,8 +321,8 @@ describe('File Routes - Delete with Agent Access', () => {
         user: otherUserId,
         file_id: userFileId,
         filename: 'user-file.txt',
-        filepath: `/uploads/${otherUserId}/${userFileId}`,
-        bytes: 1024,
+        filepath: '/uploads/user-file.txt',
+        bytes: 200,
         type: 'text/plain',
       });
 
@@ -244,51 +332,87 @@ describe('File Routes - Delete with Agent Access', () => {
         user: authorId,
         file_id: unauthorizedFileId,
         filename: 'unauthorized.txt',
-        filepath: `/uploads/${authorId}/${unauthorizedFileId}`,
-        bytes: 1024,
+        filepath: '/uploads/unauthorized.txt',
+        bytes: 400,
         type: 'text/plain',
       });
 
+      // Create an agent with only fileId attached
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: otherUserId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_EDITOR,
+        grantedBy: authorId,
+      });
+
       const response = await request(app)
         .delete('/files')
         .send({
-          agent_id: agentId,
+          agent_id: agent.id,
           files: [
-            {
-              file_id: fileId, // Authorized through agent
-              filepath: `/uploads/${authorId}/${fileId}`,
-            },
-            {
-              file_id: userFileId, // Owned by user
-              filepath: `/uploads/${otherUserId}/${userFileId}`,
-            },
-            {
-              file_id: unauthorizedFileId, // Not authorized
-              filepath: `/uploads/${authorId}/${unauthorizedFileId}`,
-            },
+            { file_id: userFileId, filepath: '/uploads/user-file.txt' },
+            { file_id: fileId, filepath: '/uploads/test.txt' },
+            { file_id: unauthorizedFileId, filepath: '/uploads/unauthorized.txt' },
           ],
         });
 
       expect(response.status).toBe(403);
       expect(response.body.message).toBe('You can only delete files you have access to');
       expect(response.body.unauthorizedFiles).toContain(unauthorizedFileId);
-      expect(response.body.unauthorizedFiles).not.toContain(fileId);
-      expect(response.body.unauthorizedFiles).not.toContain(userFileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
     });
 
-    it('should prevent deleting files when agent is not collaborative', async () => {
-      // Update the agent to be non-collaborative
-      const { updateAgent } = require('~/models/Agent');
-      await updateAgent({ id: agentId }, { isCollaborative: false });
+    it('should prevent deleting files when user lacks EDIT permission on agent', async () => {
+      // Create an agent with the file attached
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant only VIEW permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: otherUserId,
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+        accessRoleId: AccessRoleIds.AGENT_VIEWER,
+        grantedBy: authorId,
+      });
 
       const response = await request(app)
         .delete('/files')
         .send({
-          agent_id: agentId,
+          agent_id: agent.id,
           files: [
             {
               file_id: fileId,
-              filepath: `/uploads/${authorId}/${fileId}`,
+              filepath: '/uploads/test.txt',
             },
           ],
         });

api/server/routes/index.js

@@ -1,3 +1,4 @@
+const accessPermissions = require('./accessPermissions');
 const assistants = require('./assistants');
 const categories = require('./categories');
 const tokenizer = require('./tokenizer');
@@ -28,6 +29,7 @@ const user = require('./user');
 const mcp = require('./mcp');
 
 module.exports = {
+  mcp,
   edit,
   auth,
   keys,
@@ -55,5 +57,5 @@ module.exports = {
   assistants,
   categories,
   staticRoute,
-  mcp,
+  accessPermissions,
 };

api/server/routes/mcp.js

@@ -4,7 +4,8 @@ const { MCPOAuthHandler } = require('@librechat/api');
 const { CacheKeys, Constants } = require('librechat-data-provider');
 const { findToken, updateToken, createToken, deleteTokens } = require('~/models');
 const { setCachedTools, getCachedTools, loadCustomConfig } = require('~/server/services/Config');
-const { getUserPluginAuthValueByPlugin } = require('~/server/services/PluginService');
+const { getMCPSetupData, getServerConnectionStatus } = require('~/server/services/MCP');
+const { getUserPluginAuthValue } = require('~/server/services/PluginService');
 const { getMCPManager, getFlowStateManager } = require('~/config');
 const { requireJwtAuth } = require('~/server/middleware');
 const { getLogStores } = require('~/cache');
@@ -92,7 +93,6 @@ router.get('/:serverName/oauth/callback', async (req, res) => {
       return res.redirect('/oauth/error?error=missing_state');
     }
 
-    // Extract flow ID from state
     const flowId = state;
     logger.debug('[MCP OAuth] Using flow ID from state', { flowId });
 
@@ -115,14 +115,68 @@ router.get('/:serverName/oauth/callback', async (req, res) => {
       hasCodeVerifier: !!flowState.codeVerifier,
     });
 
-    // Complete the OAuth flow
     logger.debug('[MCP OAuth] Completing OAuth flow');
     const tokens = await MCPOAuthHandler.completeOAuthFlow(flowId, code, flowManager);
     logger.info('[MCP OAuth] OAuth flow completed, tokens received in callback route');
 
-    // For system-level OAuth, we need to store the tokens and retry the connection
-    if (flowState.userId === 'system') {
-      logger.debug(`[MCP OAuth] System-level OAuth completed for ${serverName}`);
+    try {
+      const mcpManager = getMCPManager(flowState.userId);
+      logger.debug(`[MCP OAuth] Attempting to reconnect ${serverName} with new OAuth tokens`);
+
+      if (flowState.userId !== 'system') {
+        const user = { id: flowState.userId };
+
+        const userConnection = await mcpManager.getUserConnection({
+          user,
+          serverName,
+          flowManager,
+          tokenMethods: {
+            findToken,
+            updateToken,
+            createToken,
+            deleteTokens,
+          },
+        });
+
+        logger.info(
+          `[MCP OAuth] Successfully reconnected ${serverName} for user ${flowState.userId}`,
+        );
+
+        const userTools = (await getCachedTools({ userId: flowState.userId })) || {};
+
+        const mcpDelimiter = Constants.mcp_delimiter;
+        for (const key of Object.keys(userTools)) {
+          if (key.endsWith(`${mcpDelimiter}${serverName}`)) {
+            delete userTools[key];
+          }
+        }
+
+        const tools = await userConnection.fetchTools();
+        for (const tool of tools) {
+          const name = `${tool.name}${Constants.mcp_delimiter}${serverName}`;
+          userTools[name] = {
+            type: 'function',
+            ['function']: {
+              name,
+              description: tool.description,
+              parameters: tool.inputSchema,
+            },
+          };
+        }
+
+        await setCachedTools(userTools, { userId: flowState.userId });
+
+        logger.debug(
+          `[MCP OAuth] Cached ${tools.length} tools for ${serverName} user ${flowState.userId}`,
+        );
+      } else {
+        logger.debug(`[MCP OAuth] System-level OAuth completed for ${serverName}`);
+      }
+    } catch (error) {
+      logger.warn(
+        `[MCP OAuth] Failed to reconnect ${serverName} after OAuth, but tokens are saved:`,
+        error,
+      );
     }
 
     /** ID of the flow that the tool/connection is waiting for */
@@ -154,7 +208,6 @@ router.get('/oauth/tokens/:flowId', requireJwtAuth, async (req, res) => {
       return res.status(401).json({ error: 'User not authenticated' });
     }
 
-    // Allow system flows or user-owned flows
     if (!flowId.startsWith(`${user.id}:`) && !flowId.startsWith('system:')) {
       return res.status(403).json({ error: 'Access denied' });
     }
@@ -205,9 +258,200 @@ router.get('/oauth/status/:flowId', async (req, res) => {
   }
 });
 
+/**
+ * Cancel OAuth flow
+ * This endpoint cancels a pending OAuth flow
+ */
+router.post('/oauth/cancel/:serverName', requireJwtAuth, async (req, res) => {
+  try {
+    const { serverName } = req.params;
+    const user = req.user;
+
+    if (!user?.id) {
+      return res.status(401).json({ error: 'User not authenticated' });
+    }
+
+    logger.info(`[MCP OAuth Cancel] Cancelling OAuth flow for ${serverName} by user ${user.id}`);
+
+    const flowsCache = getLogStores(CacheKeys.FLOWS);
+    const flowManager = getFlowStateManager(flowsCache);
+    const flowId = MCPOAuthHandler.generateFlowId(user.id, serverName);
+    const flowState = await flowManager.getFlowState(flowId, 'mcp_oauth');
+
+    if (!flowState) {
+      logger.debug(`[MCP OAuth Cancel] No active flow found for ${serverName}`);
+      return res.json({
+        success: true,
+        message: 'No active OAuth flow to cancel',
+      });
+    }
+
+    await flowManager.failFlow(flowId, 'mcp_oauth', 'User cancelled OAuth flow');
+
+    logger.info(`[MCP OAuth Cancel] Successfully cancelled OAuth flow for ${serverName}`);
+
+    res.json({
+      success: true,
+      message: `OAuth flow for ${serverName} cancelled successfully`,
+    });
+  } catch (error) {
+    logger.error('[MCP OAuth Cancel] Failed to cancel OAuth flow', error);
+    res.status(500).json({ error: 'Failed to cancel OAuth flow' });
+  }
+});
+
+/**
+ * Reinitialize MCP server
+ * This endpoint allows reinitializing a specific MCP server
+ */
+router.post('/:serverName/reinitialize', requireJwtAuth, async (req, res) => {
+  try {
+    const { serverName } = req.params;
+    const user = req.user;
+
+    if (!user?.id) {
+      return res.status(401).json({ error: 'User not authenticated' });
+    }
+
+    logger.info(`[MCP Reinitialize] Reinitializing server: ${serverName}`);
+
+    const printConfig = false;
+    const config = await loadCustomConfig(printConfig);
+    if (!config || !config.mcpServers || !config.mcpServers[serverName]) {
+      return res.status(404).json({
+        error: `MCP server '${serverName}' not found in configuration`,
+      });
+    }
+
+    const flowsCache = getLogStores(CacheKeys.FLOWS);
+    const flowManager = getFlowStateManager(flowsCache);
+    const mcpManager = getMCPManager();
+
+    await mcpManager.disconnectServer(serverName);
+    logger.info(`[MCP Reinitialize] Disconnected existing server: ${serverName}`);
+
+    const serverConfig = config.mcpServers[serverName];
+    mcpManager.mcpConfigs[serverName] = serverConfig;
+    let customUserVars = {};
+    if (serverConfig.customUserVars && typeof serverConfig.customUserVars === 'object') {
+      for (const varName of Object.keys(serverConfig.customUserVars)) {
+        try {
+          const value = await getUserPluginAuthValue(user.id, varName, false);
+          customUserVars[varName] = value;
+        } catch (err) {
+          logger.error(`[MCP Reinitialize] Error fetching ${varName} for user ${user.id}:`, err);
+        }
+      }
+    }
+
+    let userConnection = null;
+    let oauthRequired = false;
+    let oauthUrl = null;
+
+    try {
+      userConnection = await mcpManager.getUserConnection({
+        user,
+        serverName,
+        flowManager,
+        customUserVars,
+        tokenMethods: {
+          findToken,
+          updateToken,
+          createToken,
+          deleteTokens,
+        },
+        returnOnOAuth: true,
+        oauthStart: async (authURL) => {
+          logger.info(`[MCP Reinitialize] OAuth URL received: ${authURL}`);
+          oauthUrl = authURL;
+          oauthRequired = true;
+        },
+      });
+
+      logger.info(`[MCP Reinitialize] Successfully established connection for ${serverName}`);
+    } catch (err) {
+      logger.info(`[MCP Reinitialize] getUserConnection threw error: ${err.message}`);
+      logger.info(
+        `[MCP Reinitialize] OAuth state - oauthRequired: ${oauthRequired}, oauthUrl: ${oauthUrl ? 'present' : 'null'}`,
+      );
+
+      const isOAuthError =
+        err.message?.includes('OAuth') ||
+        err.message?.includes('authentication') ||
+        err.message?.includes('401');
+
+      const isOAuthFlowInitiated = err.message === 'OAuth flow initiated - return early';
+
+      if (isOAuthError || oauthRequired || isOAuthFlowInitiated) {
+        logger.info(
+          `[MCP Reinitialize] OAuth required for ${serverName} (isOAuthError: ${isOAuthError}, oauthRequired: ${oauthRequired}, isOAuthFlowInitiated: ${isOAuthFlowInitiated})`,
+        );
+        oauthRequired = true;
+      } else {
+        logger.error(
+          `[MCP Reinitialize] Error initializing MCP server ${serverName} for user:`,
+          err,
+        );
+        return res.status(500).json({ error: 'Failed to reinitialize MCP server for user' });
+      }
+    }
+
+    if (userConnection && !oauthRequired) {
+      const userTools = (await getCachedTools({ userId: user.id })) || {};
+
+      const mcpDelimiter = Constants.mcp_delimiter;
+      for (const key of Object.keys(userTools)) {
+        if (key.endsWith(`${mcpDelimiter}${serverName}`)) {
+          delete userTools[key];
+        }
+      }
+
+      const tools = await userConnection.fetchTools();
+      for (const tool of tools) {
+        const name = `${tool.name}${Constants.mcp_delimiter}${serverName}`;
+        userTools[name] = {
+          type: 'function',
+          ['function']: {
+            name,
+            description: tool.description,
+            parameters: tool.inputSchema,
+          },
+        };
+      }
+
+      await setCachedTools(userTools, { userId: user.id });
+    }
+
+    logger.debug(
+      `[MCP Reinitialize] Sending response for ${serverName} - oauthRequired: ${oauthRequired}, oauthUrl: ${oauthUrl ? 'present' : 'null'}`,
+    );
+
+    const getResponseMessage = () => {
+      if (oauthRequired) {
+        return `MCP server '${serverName}' ready for OAuth authentication`;
+      }
+      if (userConnection) {
+        return `MCP server '${serverName}' reinitialized successfully`;
+      }
+      return `Failed to reinitialize MCP server '${serverName}'`;
+    };
+
+    res.json({
+      success: (userConnection && !oauthRequired) || (oauthRequired && oauthUrl),
+      message: getResponseMessage(),
+      serverName,
+      oauthRequired,
+      oauthUrl,
+    });
+  } catch (error) {
+    logger.error('[MCP Reinitialize] Unexpected error', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
 /**
  * Get connection status for all MCP servers
- * This endpoint returns the actual connection status from MCPManager
+ * This endpoint returns all app level and user-scoped connection statuses from MCPManager without disconnecting idle connections
  */
 router.get('/connection/status', requireJwtAuth, async (req, res) => {
   try {
@@ -217,75 +461,83 @@ router.get('/connection/status', requireJwtAuth, async (req, res) => {
       return res.status(401).json({ error: 'User not authenticated' });
     }
 
-    const mcpManager = getMCPManager();
+    const { mcpConfig, appConnections, userConnections, oauthServers } = await getMCPSetupData(
+      user.id,
+    );
     const connectionStatus = {};
 
-    // Get all MCP server names from custom config
-    const config = await loadCustomConfig();
-    const mcpConfig = config?.mcpServers;
-
-    if (mcpConfig) {
-      for (const [serverName, config] of Object.entries(mcpConfig)) {
-        try {
-          // Check if this is an app-level connection (exists in mcpManager.connections)
-          const appConnection = mcpManager.getConnection(serverName);
-          const hasAppConnection = !!appConnection;
-
-          // Check if this is a user-level connection (exists in mcpManager.userConnections)
-          const userConnection = mcpManager.getUserConnectionIfExists(user.id, serverName);
-          const hasUserConnection = !!userConnection;
-
-          // Determine if connected based on actual connection state
-          let connected = false;
-          if (hasAppConnection) {
-            connected = await appConnection.isConnected();
-          } else if (hasUserConnection) {
-            connected = await userConnection.isConnected();
-          }
-
-          // Determine if this server requires user authentication
-          const hasAuthConfig =
-            config.customUserVars && Object.keys(config.customUserVars).length > 0;
-          const requiresOAuth = req.app.locals.mcpOAuthRequirements?.[serverName] || false;
-
-          connectionStatus[serverName] = {
-            connected,
-            hasAuthConfig,
-            hasConnection: hasAppConnection || hasUserConnection,
-            isAppLevel: hasAppConnection,
-            isUserLevel: hasUserConnection,
-            requiresOAuth,
-          };
-        } catch (error) {
-          logger.error(
-            `[MCP Connection Status] Error checking connection for ${serverName}:`,
-            error,
-          );
-          connectionStatus[serverName] = {
-            connected: false,
-            hasAuthConfig: config.customUserVars && Object.keys(config.customUserVars).length > 0,
-            hasConnection: false,
-            isAppLevel: false,
-            isUserLevel: false,
-            requiresOAuth: req.app.locals.mcpOAuthRequirements?.[serverName] || false,
-            error: error.message,
-          };
-        }
-      }
+    for (const [serverName] of Object.entries(mcpConfig)) {
+      connectionStatus[serverName] = await getServerConnectionStatus(
+        user.id,
+        serverName,
+        appConnections,
+        userConnections,
+        oauthServers,
+      );
     }
 
-    logger.info(`[MCP Connection Status] Returning status for user ${user.id}:`, connectionStatus);
-
     res.json({
       success: true,
       connectionStatus,
     });
   } catch (error) {
+    if (error.message === 'MCP config not found') {
+      return res.status(404).json({ error: error.message });
+    }
     logger.error('[MCP Connection Status] Failed to get connection status', error);
     res.status(500).json({ error: 'Failed to get connection status' });
   }
 });
 
+/**
+ * Get connection status for a single MCP server
+ * This endpoint returns the connection status for a specific server for a given user
+ */
+router.get('/connection/status/:serverName', requireJwtAuth, async (req, res) => {
+  try {
+    const user = req.user;
+    const { serverName } = req.params;
+
+    if (!user?.id) {
+      return res.status(401).json({ error: 'User not authenticated' });
+    }
+
+    const { mcpConfig, appConnections, userConnections, oauthServers } = await getMCPSetupData(
+      user.id,
+    );
+
+    if (!mcpConfig[serverName]) {
+      return res
+        .status(404)
+        .json({ error: `MCP server '${serverName}' not found in configuration` });
+    }
+
+    const serverStatus = await getServerConnectionStatus(
+      user.id,
+      serverName,
+      appConnections,
+      userConnections,
+      oauthServers,
+    );
+
+    res.json({
+      success: true,
+      serverName,
+      connectionStatus: serverStatus.connectionState,
+      requiresOAuth: serverStatus.requiresOAuth,
+    });
+  } catch (error) {
+    if (error.message === 'MCP config not found') {
+      return res.status(404).json({ error: error.message });
+    }
+    logger.error(
+      `[MCP Per-Server Status] Failed to get connection status for ${req.params.serverName}`,
+      error,
+    );
+    res.status(500).json({ error: 'Failed to get connection status' });
+  }
+});
+
 /**
  * Check which authentication values exist for a specific MCP server
  * This endpoint returns only boolean flags indicating if values are set, not the actual values
@@ -299,7 +551,8 @@ router.get('/:serverName/auth-values', requireJwtAuth, async (req, res) => {
       return res.status(401).json({ error: 'User not authenticated' });
     }
 
-    const config = await loadCustomConfig();
+    const printConfig = false;
+    const config = await loadCustomConfig(printConfig);
     if (!config || !config.mcpServers || !config.mcpServers[serverName]) {
       return res.status(404).json({
         error: `MCP server '${serverName}' not found in configuration`,
@@ -310,19 +563,16 @@ router.get('/:serverName/auth-values', requireJwtAuth, async (req, res) => {
     const pluginKey = `${Constants.mcp_prefix}${serverName}`;
     const authValueFlags = {};
 
-    // Check existence of saved values for each custom user variable (don't fetch actual values)
     if (serverConfig.customUserVars && typeof serverConfig.customUserVars === 'object') {
       for (const varName of Object.keys(serverConfig.customUserVars)) {
         try {
-          const value = await getUserPluginAuthValueByPlugin(user.id, varName, pluginKey, false);
-          // Only store boolean flag indicating if value exists
+          const value = await getUserPluginAuthValue(user.id, varName, false, pluginKey);
           authValueFlags[varName] = !!(value && value.length > 0);
         } catch (err) {
           logger.error(
             `[MCP Auth Value Flags] Error checking ${varName} for user ${user.id}:`,
             err,
           );
-          // Default to false if we can't check
           authValueFlags[varName] = false;
         }
       }
@@ -342,337 +592,4 @@ router.get('/:serverName/auth-values', requireJwtAuth, async (req, res) => {
   }
 });
 
-/**
- * Check if a specific MCP server requires OAuth
- * This endpoint checks if a specific MCP server requires OAuth authentication
- */
-router.get('/:serverName/oauth/required', requireJwtAuth, async (req, res) => {
-  try {
-    const { serverName } = req.params;
-    const user = req.user;
-
-    if (!user?.id) {
-      return res.status(401).json({ error: 'User not authenticated' });
-    }
-
-    const mcpManager = getMCPManager();
-    const requiresOAuth = await mcpManager.isOAuthRequired(serverName);
-
-    res.json({
-      success: true,
-      serverName,
-      requiresOAuth,
-    });
-  } catch (error) {
-    logger.error(
-      `[MCP OAuth Required] Failed to check OAuth requirement for ${req.params.serverName}`,
-      error,
-    );
-    res.status(500).json({ error: 'Failed to check OAuth requirement' });
-  }
-});
-
-/**
- * Complete MCP server reinitialization after OAuth
- * This endpoint completes the reinitialization process after OAuth authentication
- */
-router.post('/:serverName/reinitialize/complete', requireJwtAuth, async (req, res) => {
-  let responseSent = false;
-
-  try {
-    const { serverName } = req.params;
-    const user = req.user;
-
-    if (!user?.id) {
-      responseSent = true;
-      return res.status(401).json({ error: 'User not authenticated' });
-    }
-
-    logger.info(`[MCP Complete Reinitialize] Starting completion for ${serverName}`);
-
-    const mcpManager = getMCPManager();
-
-    // Wait for connection to be established via event-driven approach
-    const userConnection = await new Promise((resolve, reject) => {
-      // Set a reasonable timeout (10 seconds)
-      const timeout = setTimeout(() => {
-        mcpManager.removeListener('connectionEstablished', connectionHandler);
-        reject(new Error('Timeout waiting for connection establishment'));
-      }, 10000);
-
-      const connectionHandler = ({
-        userId: eventUserId,
-        serverName: eventServerName,
-        connection,
-      }) => {
-        if (eventUserId === user.id && eventServerName === serverName) {
-          clearTimeout(timeout);
-          mcpManager.removeListener('connectionEstablished', connectionHandler);
-          resolve(connection);
-        }
-      };
-
-      // Check if connection already exists
-      const existingConnection = mcpManager.getUserConnectionIfExists(user.id, serverName);
-      if (existingConnection) {
-        clearTimeout(timeout);
-        resolve(existingConnection);
-        return;
-      }
-
-      // Listen for the connection establishment event
-      mcpManager.on('connectionEstablished', connectionHandler);
-    });
-
-    if (!userConnection) {
-      responseSent = true;
-      return res.status(404).json({ error: 'User connection not found' });
-    }
-
-    const userTools = (await getCachedTools({ userId: user.id })) || {};
-
-    // Remove any old tools from this server in the user's cache
-    const mcpDelimiter = Constants.mcp_delimiter;
-    for (const key of Object.keys(userTools)) {
-      if (key.endsWith(`${mcpDelimiter}${serverName}`)) {
-        delete userTools[key];
-      }
-    }
-
-    // Add the new tools from this server
-    const tools = await userConnection.fetchTools();
-    for (const tool of tools) {
-      const name = `${tool.name}${Constants.mcp_delimiter}${serverName}`;
-      userTools[name] = {
-        type: 'function',
-        ['function']: {
-          name,
-          description: tool.description,
-          parameters: tool.inputSchema,
-        },
-      };
-    }
-
-    // Save the updated user tool cache
-    await setCachedTools(userTools, { userId: user.id });
-
-    responseSent = true;
-    res.json({
-      success: true,
-      message: `MCP server '${serverName}' reinitialized successfully`,
-      serverName,
-    });
-  } catch (error) {
-    logger.error(
-      `[MCP Complete Reinitialize] Error completing reinitialization for ${req.params.serverName}:`,
-      error,
-    );
-
-    if (!responseSent) {
-      res.status(500).json({
-        success: false,
-        message: 'Failed to complete MCP server reinitialization',
-        serverName: req.params.serverName,
-      });
-    }
-  }
-});
-
-/**
- * Reinitialize MCP server
- * This endpoint allows reinitializing a specific MCP server
- */
-router.post('/:serverName/reinitialize', requireJwtAuth, async (req, res) => {
-  let responseSent = false;
-
-  try {
-    const { serverName } = req.params;
-    const user = req.user;
-
-    if (!user?.id) {
-      responseSent = true;
-      return res.status(401).json({ error: 'User not authenticated' });
-    }
-
-    logger.info(`[MCP Reinitialize] Reinitializing server: ${serverName}`);
-
-    const config = await loadCustomConfig();
-    if (!config || !config.mcpServers || !config.mcpServers[serverName]) {
-      responseSent = true;
-      return res.status(404).json({
-        error: `MCP server '${serverName}' not found in configuration`,
-      });
-    }
-
-    const flowsCache = getLogStores(CacheKeys.FLOWS);
-    const flowManager = getFlowStateManager(flowsCache);
-    const mcpManager = getMCPManager();
-
-    // Clean up any stale OAuth flows for this server
-    try {
-      const flowId = MCPOAuthHandler.generateFlowId(user.id, serverName);
-      const existingFlow = await flowManager.getFlowState(flowId, 'mcp_oauth');
-      if (existingFlow && existingFlow.status === 'PENDING') {
-        logger.info(`[MCP Reinitialize] Cleaning up stale OAuth flow for ${serverName}`);
-        await flowManager.failFlow(flowId, 'mcp_oauth', new Error('OAuth flow interrupted'));
-      }
-    } catch (error) {
-      logger.warn(
-        `[MCP Reinitialize] Error cleaning up stale OAuth flow for ${serverName}:`,
-        error,
-      );
-    }
-
-    await mcpManager.disconnectServer(serverName);
-    logger.info(`[MCP Reinitialize] Disconnected existing server: ${serverName}`);
-
-    const serverConfig = config.mcpServers[serverName];
-    mcpManager.mcpConfigs[serverName] = serverConfig;
-    let customUserVars = {};
-    if (serverConfig.customUserVars && typeof serverConfig.customUserVars === 'object') {
-      for (const varName of Object.keys(serverConfig.customUserVars)) {
-        try {
-          const pluginKey = `${Constants.mcp_prefix}${serverName}`;
-          const value = await getUserPluginAuthValueByPlugin(user.id, varName, pluginKey, false);
-          if (value) {
-            customUserVars[varName] = value;
-          }
-        } catch (err) {
-          logger.error(`[MCP Reinitialize] Error fetching ${varName} for user ${user.id}:`, err);
-        }
-      }
-    }
-
-    let userConnection = null;
-    let oauthRequired = false;
-
-    try {
-      userConnection = await mcpManager.getUserConnection({
-        user,
-        serverName,
-        flowManager,
-        customUserVars,
-        tokenMethods: {
-          findToken,
-          updateToken,
-          createToken,
-          deleteTokens,
-        },
-        oauthStart: (authURL) => {
-          // This will be called if OAuth is required
-          oauthRequired = true;
-          responseSent = true;
-          logger.info(`[MCP Reinitialize] OAuth required for ${serverName}, auth URL: ${authURL}`);
-
-          // Get the flow ID for polling
-          const flowId = MCPOAuthHandler.generateFlowId(user.id, serverName);
-
-          // Return the OAuth response immediately - client will poll for completion
-          res.json({
-            success: false,
-            oauthRequired: true,
-            authURL,
-            flowId,
-            message: `OAuth authentication required for MCP server '${serverName}'`,
-            serverName,
-          });
-        },
-        oauthEnd: () => {
-          // This will be called when OAuth flow completes
-          logger.info(`[MCP Reinitialize] OAuth flow completed for ${serverName}`);
-        },
-      });
-
-      // If response was already sent for OAuth, don't continue
-      if (responseSent) {
-        return;
-      }
-    } catch (err) {
-      logger.error(`[MCP Reinitialize] Error initializing MCP server ${serverName} for user:`, err);
-
-      // Check if this is an OAuth error
-      if (err.message && err.message.includes('OAuth required')) {
-        // Try to get the OAuth URL from the flow manager
-        try {
-          const flowId = MCPOAuthHandler.generateFlowId(user.id, serverName);
-          const existingFlow = await flowManager.getFlowState(flowId, 'mcp_oauth');
-
-          if (existingFlow && existingFlow.metadata) {
-            const { serverUrl, oauth: oauthConfig } = existingFlow.metadata;
-            if (serverUrl && oauthConfig) {
-              const { authorizationUrl: authUrl } = await MCPOAuthHandler.initiateOAuthFlow(
-                serverName,
-                serverUrl,
-                user.id,
-                oauthConfig,
-              );
-
-              return res.json({
-                success: false,
-                oauthRequired: true,
-                authURL: authUrl,
-                flowId,
-                message: `OAuth authentication required for MCP server '${serverName}'`,
-                serverName,
-              });
-            }
-          }
-        } catch (oauthErr) {
-          logger.error(`[MCP Reinitialize] Error getting OAuth URL for ${serverName}:`, oauthErr);
-        }
-
-        responseSent = true;
-        return res.status(401).json({
-          success: false,
-          oauthRequired: true,
-          message: `OAuth authentication required for MCP server '${serverName}'`,
-          serverName,
-        });
-      }
-
-      responseSent = true;
-      return res.status(500).json({ error: 'Failed to reinitialize MCP server for user' });
-    }
-
-    const userTools = (await getCachedTools({ userId: user.id })) || {};
-
-    // Remove any old tools from this server in the user's cache
-    const mcpDelimiter = Constants.mcp_delimiter;
-    for (const key of Object.keys(userTools)) {
-      if (key.endsWith(`${mcpDelimiter}${serverName}`)) {
-        delete userTools[key];
-      }
-    }
-
-    // Add the new tools from this server
-    const tools = await userConnection.fetchTools();
-    for (const tool of tools) {
-      const name = `${tool.name}${Constants.mcp_delimiter}${serverName}`;
-      userTools[name] = {
-        type: 'function',
-        ['function']: {
-          name,
-          description: tool.description,
-          parameters: tool.inputSchema,
-        },
-      };
-    }
-
-    // Save the updated user tool cache
-    await setCachedTools(userTools, { userId: user.id });
-
-    responseSent = true;
-    res.json({
-      success: true,
-      message: `MCP server '${serverName}' reinitialized successfully`,
-      serverName,
-    });
-  } catch (error) {
-    logger.error('[MCP Reinitialize] Unexpected error', error);
-    if (!responseSent) {
-      res.status(500).json({ error: 'Internal server error' });
-    }
-  }
-});
-
 module.exports = router;

api/server/routes/oauth.js

@@ -9,6 +9,7 @@ const {
   setBalanceConfig,
   checkDomainAllowed,
 } = require('~/server/middleware');
+const { syncUserEntraGroupMemberships } = require('~/server/services/PermissionService');
 const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
 const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');
@@ -35,6 +36,7 @@ const oauthHandler = async (req, res) => {
       req.user.provider == 'openid' &&
       isEnabled(process.env.OPENID_REUSE_TOKENS) === true
     ) {
+      await syncUserEntraGroupMemberships(req.user, req.user.tokenset.access_token);
       setOpenIDAuthTokens(req.user.tokenset, res);
     } else {
       await setAuthTokens(req.user._id, res);

api/server/routes/prompts.js

@@ -1,22 +1,39 @@
 const express = require('express');
 const { logger } = require('@librechat/data-schemas');
 const { generateCheckAccess } = require('@librechat/api');
-const { Permissions, SystemRoles, PermissionTypes } = require('librechat-data-provider');
 const {
-  getPrompt,
-  getPrompts,
-  savePrompt,
-  deletePrompt,
-  getPromptGroup,
-  getPromptGroups,
+  Permissions,
+  SystemRoles,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+  PermissionBits,
+  PermissionTypes,
+} = require('librechat-data-provider');
+const {
+  makePromptProduction,
+  getAllPromptGroups,
   updatePromptGroup,
   deletePromptGroup,
   createPromptGroup,
-  getAllPromptGroups,
-  // updatePromptLabels,
-  makePromptProduction,
+  getPromptGroups,
+  getPromptGroup,
+  deletePrompt,
+  getPrompts,
+  savePrompt,
+  getPrompt,
 } = require('~/models/Prompt');
-const { requireJwtAuth } = require('~/server/middleware');
+const {
+  canAccessPromptGroupResource,
+  canAccessPromptViaGroup,
+  requireJwtAuth,
+} = require('~/server/middleware');
+const {
+  findPubliclyAccessibleResources,
+  getEffectivePermissions,
+  findAccessibleResources,
+  grantPermission,
+} = require('~/server/services/PermissionService');
 const { getRoleByName } = require('~/models/Role');
 
 const router = express.Router();
@@ -48,43 +65,53 @@ router.use(checkPromptAccess);
  * Route to get single prompt group by its ID
  * GET /groups/:groupId
  */
-router.get('/groups/:groupId', async (req, res) => {
-  let groupId = req.params.groupId;
-  const author = req.user.id;
+router.get(
+  '/groups/:groupId',
+  canAccessPromptGroupResource({
+    requiredPermission: PermissionBits.VIEW,
+  }),
+  async (req, res) => {
+    const { groupId } = req.params;
 
-  const query = {
-    _id: groupId,
-    $or: [{ projectIds: { $exists: true, $ne: [], $not: { $size: 0 } } }, { author }],
-  };
+    try {
+      const group = await getPromptGroup({ _id: groupId });
 
-  if (req.user.role === SystemRoles.ADMIN) {
-    delete query.$or;
-  }
+      if (!group) {
+        return res.status(404).send({ message: 'Prompt group not found' });
+      }
 
-  try {
-    const group = await getPromptGroup(query);
-
-    if (!group) {
-      return res.status(404).send({ message: 'Prompt group not found' });
+      res.status(200).send(group);
+    } catch (error) {
+      logger.error('Error getting prompt group', error);
+      res.status(500).send({ message: 'Error getting prompt group' });
     }
-
-    res.status(200).send(group);
-  } catch (error) {
-    logger.error('Error getting prompt group', error);
-    res.status(500).send({ message: 'Error getting prompt group' });
-  }
-});
+  },
+);
 
 /**
- * Route to fetch all prompt groups
- * GET /groups
+ * Route to fetch all prompt groups (ACL-aware)
+ * GET /all
  */
 router.get('/all', async (req, res) => {
   try {
-    const groups = await getAllPromptGroups(req, {
-      author: req.user._id,
+    const userId = req.user.id;
+
+    // Get promptGroup IDs the user has VIEW access to via ACL
+    const accessibleIds = await findAccessibleResources({
+      userId,
+      role: req.user.role,
+      resourceType: ResourceType.PROMPTGROUP,
+      requiredPermissions: PermissionBits.VIEW,
     });
-    res.status(200).send(groups);
+
+    const groups = await getAllPromptGroups(req, {});
+
+    // Filter the results to only include accessible groups
+    const accessibleGroups = groups.filter((group) =>
+      accessibleIds.some((id) => id.toString() === group._id.toString()),
+    );
+
+    res.status(200).send(accessibleGroups);
   } catch (error) {
     logger.error(error);
     res.status(500).send({ error: 'Error getting prompt groups' });
@@ -92,15 +119,45 @@ router.get('/all', async (req, res) => {
 });
 
 /**
- * Route to fetch paginated prompt groups with filters
+ * Route to fetch paginated prompt groups with filters (ACL-aware)
  * GET /groups
  */
 router.get('/groups', async (req, res) => {
   try {
-    const filter = req.query;
-    /* Note: The aggregation requires an ObjectId */
-    filter.author = req.user._id;
+    const userId = req.user.id;
+    const filter = { ...req.query };
+    delete filter.author; // Remove author filter as we'll use ACL
+
+    // Get promptGroup IDs the user has VIEW access to via ACL
+    const accessibleIds = await findAccessibleResources({
+      userId,
+      role: req.user.role,
+      resourceType: ResourceType.PROMPTGROUP,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+
+    // Get publicly accessible promptGroups
+    const publiclyAccessibleIds = await findPubliclyAccessibleResources({
+      resourceType: ResourceType.PROMPTGROUP,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+
     const groups = await getPromptGroups(req, filter);
+
+    if (groups.promptGroups && groups.promptGroups.length > 0) {
+      groups.promptGroups = groups.promptGroups.filter((group) =>
+        accessibleIds.some((id) => id.toString() === group._id.toString()),
+      );
+
+      // Mark public groups
+      groups.promptGroups = groups.promptGroups.map((group) => {
+        if (publiclyAccessibleIds.some((id) => id.equals(group._id))) {
+          group.isPublic = true;
+        }
+        return group;
+      });
+    }
+
     res.status(200).send(groups);
   } catch (error) {
     logger.error(error);
@@ -109,16 +166,17 @@ router.get('/groups', async (req, res) => {
 });
 
 /**
- * Updates or creates a prompt + promptGroup
+ * Creates a new prompt group with initial prompt
  * @param {object} req
  * @param {TCreatePrompt} req.body
  * @param {Express.Response} res
  */
-const createPrompt = async (req, res) => {
+const createNewPromptGroup = async (req, res) => {
   try {
     const { prompt, group } = req.body;
-    if (!prompt) {
-      return res.status(400).send({ error: 'Prompt is required' });
+
+    if (!prompt || !group || !group.name) {
+      return res.status(400).send({ error: 'Prompt and group name are required' });
     }
 
     const saveData = {
@@ -128,21 +186,81 @@ const createPrompt = async (req, res) => {
       authorName: req.user.name,
     };
 
-    /** @type {TCreatePromptResponse} */
-    let result;
-    if (group && group.name) {
-      result = await createPromptGroup(saveData);
-    } else {
-      result = await savePrompt(saveData);
+    const result = await createPromptGroup(saveData);
+
+    // Grant owner permissions to the creator on the new promptGroup
+    if (result.prompt && result.prompt._id && result.prompt.groupId) {
+      try {
+        await grantPermission({
+          principalType: PrincipalType.USER,
+          principalId: req.user.id,
+          resourceType: ResourceType.PROMPTGROUP,
+          resourceId: result.prompt.groupId,
+          accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+          grantedBy: req.user.id,
+        });
+        logger.debug(
+          `[createPromptGroup] Granted owner permissions to user ${req.user.id} for promptGroup ${result.prompt.groupId}`,
+        );
+      } catch (permissionError) {
+        logger.error(
+          `[createPromptGroup] Failed to grant owner permissions for promptGroup ${result.prompt.groupId}:`,
+          permissionError,
+        );
+      }
     }
+
     res.status(200).send(result);
   } catch (error) {
     logger.error(error);
-    res.status(500).send({ error: 'Error saving prompt' });
+    res.status(500).send({ error: 'Error creating prompt group' });
   }
 };
 
-router.post('/', checkPromptCreate, createPrompt);
+/**
+ * Adds a new prompt to an existing prompt group
+ * @param {object} req
+ * @param {TCreatePrompt} req.body
+ * @param {Express.Response} res
+ */
+const addPromptToGroup = async (req, res) => {
+  try {
+    const { groupId } = req.params;
+    const { prompt } = req.body;
+
+    if (!prompt) {
+      return res.status(400).send({ error: 'Prompt is required' });
+    }
+
+    // Ensure the prompt is associated with the correct group
+    prompt.groupId = groupId;
+
+    const saveData = {
+      prompt,
+      author: req.user.id,
+      authorName: req.user.name,
+    };
+
+    const result = await savePrompt(saveData);
+    res.status(200).send(result);
+  } catch (error) {
+    logger.error(error);
+    res.status(500).send({ error: 'Error adding prompt to group' });
+  }
+};
+
+// Create new prompt group (requires CREATE permission)
+router.post('/', checkPromptCreate, createNewPromptGroup);
+
+// Add prompt to existing group (requires EDIT permission on the group)
+router.post(
+  '/groups/:groupId/prompts',
+  checkPromptAccess,
+  canAccessPromptGroupResource({
+    requiredPermission: PermissionBits.EDIT,
+  }),
+  addPromptToGroup,
+);
 
 /**
  * Updates a prompt group
@@ -168,35 +286,74 @@ const patchPromptGroup = async (req, res) => {
   }
 };
 
-router.patch('/groups/:groupId', checkGlobalPromptShare, patchPromptGroup);
+router.patch(
+  '/groups/:groupId',
+  checkGlobalPromptShare,
+  canAccessPromptGroupResource({
+    requiredPermission: PermissionBits.EDIT,
+  }),
+  patchPromptGroup,
+);
 
-router.patch('/:promptId/tags/production', checkPromptCreate, async (req, res) => {
-  try {
+router.patch(
+  '/:promptId/tags/production',
+  checkPromptCreate,
+  canAccessPromptViaGroup({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'promptId',
+  }),
+  async (req, res) => {
+    try {
+      const { promptId } = req.params;
+      const result = await makePromptProduction(promptId);
+      res.status(200).send(result);
+    } catch (error) {
+      logger.error(error);
+      res.status(500).send({ error: 'Error updating prompt production' });
+    }
+  },
+);
+
+router.get(
+  '/:promptId',
+  canAccessPromptViaGroup({
+    requiredPermission: PermissionBits.VIEW,
+    resourceIdParam: 'promptId',
+  }),
+  async (req, res) => {
     const { promptId } = req.params;
-    const result = await makePromptProduction(promptId);
-    res.status(200).send(result);
-  } catch (error) {
-    logger.error(error);
-    res.status(500).send({ error: 'Error updating prompt production' });
-  }
-});
-
-router.get('/:promptId', async (req, res) => {
-  const { promptId } = req.params;
-  const author = req.user.id;
-  const query = { _id: promptId, author };
-  if (req.user.role === SystemRoles.ADMIN) {
-    delete query.author;
-  }
-  const prompt = await getPrompt(query);
-  res.status(200).send(prompt);
-});
+    const prompt = await getPrompt({ _id: promptId });
+    res.status(200).send(prompt);
+  },
+);
 
 router.get('/', async (req, res) => {
   try {
     const author = req.user.id;
     const { groupId } = req.query;
-    const query = { groupId, author };
+
+    // If requesting prompts for a specific group, check permissions
+    if (groupId) {
+      const permissions = await getEffectivePermissions({
+        userId: req.user.id,
+        role: req.user.role,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: groupId,
+      });
+
+      if (!(permissions & PermissionBits.VIEW)) {
+        return res
+          .status(403)
+          .send({ error: 'Insufficient permissions to view prompts in this group' });
+      }
+
+      // If user has access, fetch all prompts in the group (not just their own)
+      const prompts = await getPrompts({ groupId });
+      return res.status(200).send(prompts);
+    }
+
+    // If no groupId, return user's own prompts
+    const query = { author };
     if (req.user.role === SystemRoles.ADMIN) {
       delete query.author;
     }
@@ -240,7 +397,8 @@ const deletePromptController = async (req, res) => {
 const deletePromptGroupController = async (req, res) => {
   try {
     const { groupId: _id } = req.params;
-    const message = await deletePromptGroup({ _id, author: req.user.id, role: req.user.role });
+    // Don't pass author - permissions are now checked by middleware
+    const message = await deletePromptGroup({ _id, role: req.user.role });
     res.send(message);
   } catch (error) {
     logger.error('Error deleting prompt group', error);
@@ -248,7 +406,22 @@ const deletePromptGroupController = async (req, res) => {
   }
 };
 
-router.delete('/:promptId', checkPromptCreate, deletePromptController);
-router.delete('/groups/:groupId', checkPromptCreate, deletePromptGroupController);
+router.delete(
+  '/:promptId',
+  checkPromptCreate,
+  canAccessPromptViaGroup({
+    requiredPermission: PermissionBits.DELETE,
+    resourceIdParam: 'promptId',
+  }),
+  deletePromptController,
+);
+router.delete(
+  '/groups/:groupId',
+  checkPromptCreate,
+  canAccessPromptGroupResource({
+    requiredPermission: PermissionBits.DELETE,
+  }),
+  deletePromptGroupController,
+);
 
 module.exports = router;

api/server/routes/prompts.test.js

@@ -0,0 +1,614 @@
+const express = require('express');
+const request = require('supertest');
+const mongoose = require('mongoose');
+const { ObjectId } = require('mongodb');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const {
+  SystemRoles,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+  PermissionBits,
+} = require('librechat-data-provider');
+
+// Mock modules before importing
+jest.mock('~/server/services/Config', () => ({
+  getCachedTools: jest.fn().mockResolvedValue({}),
+  getCustomConfig: jest.fn(),
+}));
+
+jest.mock('~/models/Role', () => ({
+  getRoleByName: jest.fn(),
+}));
+
+jest.mock('~/server/middleware', () => ({
+  requireJwtAuth: (req, res, next) => next(),
+  canAccessPromptViaGroup: jest.requireActual('~/server/middleware').canAccessPromptViaGroup,
+  canAccessPromptGroupResource:
+    jest.requireActual('~/server/middleware').canAccessPromptGroupResource,
+}));
+
+let app;
+let mongoServer;
+let promptRoutes;
+let Prompt, PromptGroup, AclEntry, AccessRole, User;
+let testUsers, testRoles;
+let grantPermission;
+
+// Helper function to set user in middleware
+function setTestUser(app, user) {
+  app.use((req, res, next) => {
+    req.user = {
+      ...(user.toObject ? user.toObject() : user),
+      id: user.id || user._id.toString(),
+      _id: user._id,
+      name: user.name,
+      role: user.role,
+    };
+    if (user.role === SystemRoles.ADMIN) {
+      console.log('Setting admin user with role:', req.user.role);
+    }
+    next();
+  });
+}
+
+beforeAll(async () => {
+  mongoServer = await MongoMemoryServer.create();
+  const mongoUri = mongoServer.getUri();
+  await mongoose.connect(mongoUri);
+
+  // Initialize models
+  const dbModels = require('~/db/models');
+  Prompt = dbModels.Prompt;
+  PromptGroup = dbModels.PromptGroup;
+  AclEntry = dbModels.AclEntry;
+  AccessRole = dbModels.AccessRole;
+  User = dbModels.User;
+
+  // Import permission service
+  const permissionService = require('~/server/services/PermissionService');
+  grantPermission = permissionService.grantPermission;
+
+  // Create test data
+  await setupTestData();
+
+  // Setup Express app
+  app = express();
+  app.use(express.json());
+
+  // Mock authentication middleware - default to owner
+  setTestUser(app, testUsers.owner);
+
+  // Import routes after mocks are set up
+  promptRoutes = require('./prompts');
+  app.use('/api/prompts', promptRoutes);
+});
+
+afterAll(async () => {
+  await mongoose.disconnect();
+  await mongoServer.stop();
+  jest.clearAllMocks();
+});
+
+async function setupTestData() {
+  // Create access roles for promptGroups
+  testRoles = {
+    viewer: await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+      name: 'Viewer',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW,
+    }),
+    editor: await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_EDITOR,
+      name: 'Editor',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits: PermissionBits.VIEW | PermissionBits.EDIT,
+    }),
+    owner: await AccessRole.create({
+      accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+      name: 'Owner',
+      resourceType: ResourceType.PROMPTGROUP,
+      permBits:
+        PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE,
+    }),
+  };
+
+  // Create test users
+  testUsers = {
+    owner: await User.create({
+      id: new ObjectId().toString(),
+      _id: new ObjectId(),
+      name: 'Prompt Owner',
+      email: 'owner@example.com',
+      role: SystemRoles.USER,
+    }),
+    viewer: await User.create({
+      id: new ObjectId().toString(),
+      _id: new ObjectId(),
+      name: 'Prompt Viewer',
+      email: 'viewer@example.com',
+      role: SystemRoles.USER,
+    }),
+    editor: await User.create({
+      id: new ObjectId().toString(),
+      _id: new ObjectId(),
+      name: 'Prompt Editor',
+      email: 'editor@example.com',
+      role: SystemRoles.USER,
+    }),
+    noAccess: await User.create({
+      id: new ObjectId().toString(),
+      _id: new ObjectId(),
+      name: 'No Access',
+      email: 'noaccess@example.com',
+      role: SystemRoles.USER,
+    }),
+    admin: await User.create({
+      id: new ObjectId().toString(),
+      _id: new ObjectId(),
+      name: 'Admin',
+      email: 'admin@example.com',
+      role: SystemRoles.ADMIN,
+    }),
+  };
+
+  // Mock getRoleByName
+  const { getRoleByName } = require('~/models/Role');
+  getRoleByName.mockImplementation((roleName) => {
+    switch (roleName) {
+      case SystemRoles.USER:
+        return { permissions: { PROMPTS: { USE: true, CREATE: true } } };
+      case SystemRoles.ADMIN:
+        return { permissions: { PROMPTS: { USE: true, CREATE: true, SHARED_GLOBAL: true } } };
+      default:
+        return null;
+    }
+  });
+}
+
+describe('Prompt Routes - ACL Permissions', () => {
+  let consoleErrorSpy;
+
+  beforeEach(() => {
+    consoleErrorSpy = jest.spyOn(console, 'error').mockImplementation();
+  });
+
+  afterEach(() => {
+    consoleErrorSpy.mockRestore();
+  });
+
+  // Simple test to verify route is loaded
+  it('should have routes loaded', async () => {
+    // This should at least not crash
+    const response = await request(app).get('/api/prompts/test-404');
+    console.log('Test 404 response status:', response.status);
+    console.log('Test 404 response body:', response.body);
+    // We expect a 401 or 404, not 500
+    expect(response.status).not.toBe(500);
+  });
+
+  describe('POST /api/prompts - Create Prompt', () => {
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('should create a prompt and grant owner permissions', async () => {
+      const promptData = {
+        prompt: {
+          prompt: 'Test prompt content',
+          type: 'text',
+        },
+        group: {
+          name: 'Test Prompt Group',
+        },
+      };
+
+      const response = await request(app).post('/api/prompts').send(promptData);
+
+      if (response.status !== 200) {
+        console.log('POST /api/prompts error status:', response.status);
+        console.log('POST /api/prompts error body:', response.body);
+        console.log('Console errors:', consoleErrorSpy.mock.calls);
+      }
+
+      expect(response.status).toBe(200);
+      expect(response.body.prompt).toBeDefined();
+      expect(response.body.prompt.prompt).toBe(promptData.prompt.prompt);
+
+      // Check ACL entry was created
+      const aclEntry = await AclEntry.findOne({
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: response.body.prompt.groupId,
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+      });
+
+      expect(aclEntry).toBeTruthy();
+      expect(aclEntry.roleId.toString()).toBe(testRoles.owner._id.toString());
+    });
+
+    it('should create a prompt group with prompt and grant owner permissions', async () => {
+      const promptData = {
+        prompt: {
+          prompt: 'Group prompt content',
+          // Remove 'name' from prompt - it's not in the schema
+        },
+        group: {
+          name: 'Test Group',
+          category: 'testing',
+        },
+      };
+
+      const response = await request(app).post('/api/prompts').send(promptData).expect(200);
+
+      expect(response.body.prompt).toBeDefined();
+      expect(response.body.group).toBeDefined();
+      expect(response.body.group.name).toBe(promptData.group.name);
+
+      // Check ACL entry was created for the promptGroup
+      const aclEntry = await AclEntry.findOne({
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: response.body.group._id,
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+      });
+
+      expect(aclEntry).toBeTruthy();
+    });
+  });
+
+  describe('GET /api/prompts/:promptId - Get Prompt', () => {
+    let testPrompt;
+    let testGroup;
+
+    beforeEach(async () => {
+      // Create a prompt group first
+      testGroup = await PromptGroup.create({
+        name: 'Test Group',
+        category: 'testing',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      // Create a prompt
+      testPrompt = await Prompt.create({
+        prompt: 'Test prompt for retrieval',
+        name: 'Get Test',
+        author: testUsers.owner._id,
+        type: 'text',
+        groupId: testGroup._id,
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('should retrieve prompt when user has view permissions', async () => {
+      // Grant view permissions on the promptGroup
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      const response = await request(app).get(`/api/prompts/${testPrompt._id}`);
+      expect(response.status).toBe(200);
+      expect(response.body._id).toBe(testPrompt._id.toString());
+      expect(response.body.prompt).toBe(testPrompt.prompt);
+    });
+
+    it('should deny access when user has no permissions', async () => {
+      // Change the user to one without access
+      setTestUser(app, testUsers.noAccess);
+
+      const response = await request(app).get(`/api/prompts/${testPrompt._id}`).expect(403);
+
+      // Verify error response
+      expect(response.body.error).toBe('Forbidden');
+      expect(response.body.message).toBe('Insufficient permissions to access this promptGroup');
+    });
+
+    it('should allow admin access without explicit permissions', async () => {
+      // First, reset the app to remove previous middleware
+      app = express();
+      app.use(express.json());
+
+      // Set admin user BEFORE adding routes
+      app.use((req, res, next) => {
+        req.user = {
+          ...testUsers.admin.toObject(),
+          id: testUsers.admin._id.toString(),
+          _id: testUsers.admin._id,
+          name: testUsers.admin.name,
+          role: testUsers.admin.role,
+        };
+        next();
+      });
+
+      // Now add the routes
+      const promptRoutes = require('./prompts');
+      app.use('/api/prompts', promptRoutes);
+
+      console.log('Admin user:', testUsers.admin);
+      console.log('Admin role:', testUsers.admin.role);
+      console.log('SystemRoles.ADMIN:', SystemRoles.ADMIN);
+
+      const response = await request(app).get(`/api/prompts/${testPrompt._id}`).expect(200);
+
+      expect(response.body._id).toBe(testPrompt._id.toString());
+    });
+  });
+
+  describe('DELETE /api/prompts/:promptId - Delete Prompt', () => {
+    let testPrompt;
+    let testGroup;
+
+    beforeEach(async () => {
+      // Create group with prompt
+      testGroup = await PromptGroup.create({
+        name: 'Delete Test Group',
+        category: 'testing',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      testPrompt = await Prompt.create({
+        prompt: 'Test prompt for deletion',
+        name: 'Delete Test',
+        author: testUsers.owner._id,
+        type: 'text',
+        groupId: testGroup._id,
+      });
+
+      // Add prompt to group
+      testGroup.productionId = testPrompt._id;
+      testGroup.promptIds = [testPrompt._id];
+      await testGroup.save();
+
+      // Grant owner permissions on the promptGroup
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_OWNER,
+        grantedBy: testUsers.owner._id,
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('should delete prompt when user has delete permissions', async () => {
+      const response = await request(app)
+        .delete(`/api/prompts/${testPrompt._id}`)
+        .query({ groupId: testGroup._id.toString() })
+        .expect(200);
+
+      expect(response.body.prompt).toBe('Prompt deleted successfully');
+
+      // Verify prompt was deleted
+      const deletedPrompt = await Prompt.findById(testPrompt._id);
+      expect(deletedPrompt).toBeNull();
+
+      // Verify ACL entries were removed
+      const aclEntries = await AclEntry.find({
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+      });
+      expect(aclEntries).toHaveLength(0);
+    });
+
+    it('should deny deletion when user lacks delete permissions', async () => {
+      // Create a prompt as a different user (not the one trying to delete)
+      const authorPrompt = await Prompt.create({
+        prompt: 'Test prompt by another user',
+        name: 'Another User Prompt',
+        author: testUsers.editor._id, // Different author
+        type: 'text',
+        groupId: testGroup._id,
+      });
+
+      // Grant only viewer permissions to viewer user on the promptGroup
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+        grantedBy: testUsers.editor._id,
+      });
+
+      // Recreate app with viewer user
+      app = express();
+      app.use(express.json());
+      app.use((req, res, next) => {
+        req.user = {
+          ...testUsers.viewer.toObject(),
+          id: testUsers.viewer._id.toString(),
+          _id: testUsers.viewer._id,
+          name: testUsers.viewer.name,
+          role: testUsers.viewer.role,
+        };
+        next();
+      });
+      const promptRoutes = require('./prompts');
+      app.use('/api/prompts', promptRoutes);
+
+      await request(app)
+        .delete(`/api/prompts/${authorPrompt._id}`)
+        .query({ groupId: testGroup._id.toString() })
+        .expect(403);
+
+      // Verify prompt still exists
+      const prompt = await Prompt.findById(authorPrompt._id);
+      expect(prompt).toBeTruthy();
+    });
+  });
+
+  describe('PATCH /api/prompts/:promptId/tags/production - Make Production', () => {
+    let testPrompt;
+    let testGroup;
+
+    beforeEach(async () => {
+      // Create group
+      testGroup = await PromptGroup.create({
+        name: 'Production Test Group',
+        category: 'testing',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      testPrompt = await Prompt.create({
+        prompt: 'Test prompt for production',
+        name: 'Production Test',
+        author: testUsers.owner._id,
+        type: 'text',
+        groupId: testGroup._id,
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('should make prompt production when user has edit permissions', async () => {
+      // Grant edit permissions on the promptGroup
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.owner._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_EDITOR,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Recreate app to ensure fresh middleware
+      app = express();
+      app.use(express.json());
+      app.use((req, res, next) => {
+        req.user = {
+          ...testUsers.owner.toObject(),
+          id: testUsers.owner._id.toString(),
+          _id: testUsers.owner._id,
+          name: testUsers.owner.name,
+          role: testUsers.owner.role,
+        };
+        next();
+      });
+      const promptRoutes = require('./prompts');
+      app.use('/api/prompts', promptRoutes);
+
+      const response = await request(app)
+        .patch(`/api/prompts/${testPrompt._id}/tags/production`)
+        .expect(200);
+
+      expect(response.body.message).toBe('Prompt production made successfully');
+
+      // Verify the group was updated
+      const updatedGroup = await PromptGroup.findById(testGroup._id);
+      expect(updatedGroup.productionId.toString()).toBe(testPrompt._id.toString());
+    });
+
+    it('should deny making production when user lacks edit permissions', async () => {
+      // Grant only view permissions to viewer on the promptGroup
+      await grantPermission({
+        principalType: PrincipalType.USER,
+        principalId: testUsers.viewer._id,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: testGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+        grantedBy: testUsers.owner._id,
+      });
+
+      // Recreate app with viewer user
+      app = express();
+      app.use(express.json());
+      app.use((req, res, next) => {
+        req.user = {
+          ...testUsers.viewer.toObject(),
+          id: testUsers.viewer._id.toString(),
+          _id: testUsers.viewer._id,
+          name: testUsers.viewer.name,
+          role: testUsers.viewer.role,
+        };
+        next();
+      });
+      const promptRoutes = require('./prompts');
+      app.use('/api/prompts', promptRoutes);
+
+      await request(app).patch(`/api/prompts/${testPrompt._id}/tags/production`).expect(403);
+
+      // Verify prompt hasn't changed
+      const unchangedGroup = await PromptGroup.findById(testGroup._id);
+      expect(unchangedGroup.productionId.toString()).not.toBe(testPrompt._id.toString());
+    });
+  });
+
+  describe('Public Access', () => {
+    let publicPrompt;
+    let publicGroup;
+
+    beforeEach(async () => {
+      // Create a prompt group
+      publicGroup = await PromptGroup.create({
+        name: 'Public Test Group',
+        category: 'testing',
+        author: testUsers.owner._id,
+        authorName: testUsers.owner.name,
+        productionId: new ObjectId(),
+      });
+
+      // Create a public prompt
+      publicPrompt = await Prompt.create({
+        prompt: 'Public prompt content',
+        name: 'Public Test',
+        author: testUsers.owner._id,
+        type: 'text',
+        groupId: publicGroup._id,
+      });
+
+      // Grant public viewer access on the promptGroup
+      await grantPermission({
+        principalType: PrincipalType.PUBLIC,
+        principalId: null,
+        resourceType: ResourceType.PROMPTGROUP,
+        resourceId: publicGroup._id,
+        accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
+        grantedBy: testUsers.owner._id,
+      });
+    });
+
+    afterEach(async () => {
+      await Prompt.deleteMany({});
+      await PromptGroup.deleteMany({});
+      await AclEntry.deleteMany({});
+    });
+
+    it('should allow any user to view public prompts', async () => {
+      // Change user to someone without explicit permissions
+      setTestUser(app, testUsers.noAccess);
+
+      const response = await request(app).get(`/api/prompts/${publicPrompt._id}`).expect(200);
+
+      expect(response.body._id).toBe(publicPrompt._id.toString());
+    });
+  });
+});

api/server/services/AppService.interface.spec.js

@@ -1,5 +1,7 @@
 jest.mock('~/models', () => ({
   initializeRoles: jest.fn(),
+  seedDefaultRoles: jest.fn(),
+  ensureDefaultCategories: jest.fn(),
 }));
 jest.mock('~/models/Role', () => ({
   updateAccessPermissions: jest.fn(),
@@ -87,4 +89,114 @@ describe('AppService interface configuration', () => {
     expect(app.locals.interfaceConfig.bookmarks).toBe(false);
     expect(loadDefaultInterface).toHaveBeenCalled();
   });
+
+  it('should correctly configure peoplePicker permissions including roles', async () => {
+    mockLoadCustomConfig.mockResolvedValue({
+      interface: {
+        peoplePicker: {
+          admin: {
+            users: true,
+            groups: true,
+            roles: true,
+          },
+          user: {
+            users: false,
+            groups: false,
+            roles: false,
+          },
+        },
+      },
+    });
+    loadDefaultInterface.mockResolvedValue({
+      peoplePicker: {
+        admin: {
+          users: true,
+          groups: true,
+          roles: true,
+        },
+        user: {
+          users: false,
+          groups: false,
+          roles: false,
+        },
+      },
+    });
+
+    await AppService(app);
+
+    expect(app.locals.interfaceConfig.peoplePicker).toBeDefined();
+    expect(app.locals.interfaceConfig.peoplePicker.admin).toMatchObject({
+      users: true,
+      groups: true,
+      roles: true,
+    });
+    expect(app.locals.interfaceConfig.peoplePicker.user).toMatchObject({
+      users: false,
+      groups: false,
+      roles: false,
+    });
+    expect(loadDefaultInterface).toHaveBeenCalled();
+  });
+
+  it('should handle mixed peoplePicker permissions for roles', async () => {
+    mockLoadCustomConfig.mockResolvedValue({
+      interface: {
+        peoplePicker: {
+          admin: {
+            users: true,
+            groups: true,
+            roles: false,
+          },
+          user: {
+            users: true,
+            groups: false,
+            roles: true,
+          },
+        },
+      },
+    });
+    loadDefaultInterface.mockResolvedValue({
+      peoplePicker: {
+        admin: {
+          users: true,
+          groups: true,
+          roles: false,
+        },
+        user: {
+          users: true,
+          groups: false,
+          roles: true,
+        },
+      },
+    });
+
+    await AppService(app);
+
+    expect(app.locals.interfaceConfig.peoplePicker.admin.roles).toBe(false);
+    expect(app.locals.interfaceConfig.peoplePicker.user.roles).toBe(true);
+  });
+
+  it('should set default peoplePicker roles permissions when not provided', async () => {
+    mockLoadCustomConfig.mockResolvedValue({});
+    loadDefaultInterface.mockResolvedValue({
+      peoplePicker: {
+        admin: {
+          users: true,
+          groups: true,
+          roles: true,
+        },
+        user: {
+          users: false,
+          groups: false,
+          roles: false,
+        },
+      },
+    });
+
+    await AppService(app);
+
+    expect(app.locals.interfaceConfig.peoplePicker).toBeDefined();
+    expect(app.locals.interfaceConfig.peoplePicker.admin.roles).toBe(true);
+    expect(app.locals.interfaceConfig.peoplePicker.user.roles).toBe(false);
+  });
 });

api/server/services/AppService.js

@@ -1,12 +1,11 @@
+const { agentsConfigSetup, loadWebSearchConfig } = require('@librechat/api');
 const {
   FileSources,
   loadOCRConfig,
   EModelEndpoint,
   loadMemoryConfig,
   getConfigDefaults,
-  loadWebSearchConfig,
 } = require('librechat-data-provider');
-const { agentsConfigSetup } = require('@librechat/api');
 const {
   checkHealth,
   checkConfig,
@@ -17,6 +16,7 @@ const {
 const { azureAssistantsDefaults, assistantsConfigSetup } = require('./start/assistants');
 const { initializeAzureBlobService } = require('./Files/Azure/initialize');
 const { initializeFirebase } = require('./Files/Firebase/initialize');
+const { seedDefaultRoles, initializeRoles, ensureDefaultCategories } = require('~/models');
 const loadCustomConfig = require('./Config/loadCustomConfig');
 const handleRateLimits = require('./Config/handleRateLimits');
 const { loadDefaultInterface } = require('./start/interface');
@@ -26,7 +26,6 @@ const { processModelSpecs } = require('./start/modelSpecs');
 const { initializeS3 } = require('./Files/S3/initialize');
 const { loadAndFormatTools } = require('./ToolService');
 const { isEnabled } = require('~/server/utils');
-const { initializeRoles } = require('~/models');
 const { setCachedTools } = require('./Config');
 const paths = require('~/config/paths');
 
@@ -37,6 +36,8 @@ const paths = require('~/config/paths');
  */
 const AppService = async (app) => {
   await initializeRoles();
+  await seedDefaultRoles();
+  await ensureDefaultCategories();
   /** @type {TCustomConfig} */
   const config = (await loadCustomConfig()) ?? {};
   const configDefaults = getConfigDefaults();
@@ -86,6 +87,7 @@ const AppService = async (app) => {
   const turnstileConfig = loadTurnstileConfig(config, configDefaults);
 
   const defaultLocals = {
+    config,
     ocr,
     paths,
     memory,
@@ -158,6 +160,10 @@ const AppService = async (app) => {
     }
   });
 
+  if (endpoints?.all) {
+    endpointLocals.all = endpoints.all;
+  }
+
   app.locals = {
     ...defaultLocals,
     fileConfig: config?.fileConfig,

api/server/services/AppService.spec.js

@@ -28,6 +28,8 @@ jest.mock('./Files/Firebase/initialize', () => ({
 }));
 jest.mock('~/models', () => ({
   initializeRoles: jest.fn(),
+  seedDefaultRoles: jest.fn(),
+  ensureDefaultCategories: jest.fn(),
 }));
 jest.mock('~/models/Role', () => ({
   updateAccessPermissions: jest.fn(),
@@ -131,6 +133,9 @@ describe('AppService', () => {
     expect(process.env.CDN_PROVIDER).toEqual('testStrategy');
 
     expect(app.locals).toEqual({
+      config: expect.objectContaining({
+        fileStrategy: 'testStrategy',
+      }),
       socialLogins: ['testLogin'],
       fileStrategy: 'testStrategy',
       interfaceConfig: expect.objectContaining({
@@ -165,6 +170,9 @@ describe('AppService', () => {
       agents: {
         disableBuilder: false,
         capabilities: expect.arrayContaining([...defaultAgentCapabilities]),
+        maxCitations: 30,
+        maxCitationsPerFile: 7,
+        minRelevanceScore: 0.45,
       },
     });
   });
@@ -543,6 +551,206 @@ describe('AppService', () => {
     expect(process.env.IMPORT_USER_MAX).toEqual('initialUserMax');
     expect(process.env.IMPORT_USER_WINDOW).toEqual('initialUserWindow');
   });
+
+  it('should correctly configure endpoint with titlePrompt, titleMethod, and titlePromptTemplate', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titleConvo: true,
+            titleModel: 'gpt-3.5-turbo',
+            titleMethod: 'structured',
+            titlePrompt: 'Custom title prompt for conversation',
+            titlePromptTemplate: 'Summarize this conversation: {{conversation}}',
+          },
+          [EModelEndpoint.assistants]: {
+            titleMethod: 'functions',
+            titlePrompt: 'Generate a title for this assistant conversation',
+            titlePromptTemplate: 'Assistant conversation template: {{messages}}',
+          },
+          [EModelEndpoint.azureOpenAI]: {
+            groups: azureGroups,
+            titleConvo: true,
+            titleMethod: 'completion',
+            titleModel: 'gpt-4',
+            titlePrompt: 'Azure title prompt',
+            titlePromptTemplate: 'Azure conversation: {{context}}',
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    // Check OpenAI endpoint configuration
+    expect(app.locals).toHaveProperty(EModelEndpoint.openAI);
+    expect(app.locals[EModelEndpoint.openAI]).toEqual(
+      expect.objectContaining({
+        titleConvo: true,
+        titleModel: 'gpt-3.5-turbo',
+        titleMethod: 'structured',
+        titlePrompt: 'Custom title prompt for conversation',
+        titlePromptTemplate: 'Summarize this conversation: {{conversation}}',
+      }),
+    );
+
+    // Check Assistants endpoint configuration
+    expect(app.locals).toHaveProperty(EModelEndpoint.assistants);
+    expect(app.locals[EModelEndpoint.assistants]).toMatchObject({
+      titleMethod: 'functions',
+      titlePrompt: 'Generate a title for this assistant conversation',
+      titlePromptTemplate: 'Assistant conversation template: {{messages}}',
+    });
+
+    // Check Azure OpenAI endpoint configuration
+    expect(app.locals).toHaveProperty(EModelEndpoint.azureOpenAI);
+    expect(app.locals[EModelEndpoint.azureOpenAI]).toEqual(
+      expect.objectContaining({
+        titleConvo: true,
+        titleMethod: 'completion',
+        titleModel: 'gpt-4',
+        titlePrompt: 'Azure title prompt',
+        titlePromptTemplate: 'Azure conversation: {{context}}',
+      }),
+    );
+  });
+
+  it('should configure Agent endpoint with title generation settings', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          [EModelEndpoint.agents]: {
+            disableBuilder: false,
+            titleConvo: true,
+            titleModel: 'gpt-4',
+            titleMethod: 'structured',
+            titlePrompt: 'Generate a descriptive title for this agent conversation',
+            titlePromptTemplate: 'Agent conversation summary: {{content}}',
+            recursionLimit: 15,
+            capabilities: [AgentCapabilities.tools, AgentCapabilities.actions],
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    expect(app.locals).toHaveProperty(EModelEndpoint.agents);
+    expect(app.locals[EModelEndpoint.agents]).toMatchObject({
+      disableBuilder: false,
+      titleConvo: true,
+      titleModel: 'gpt-4',
+      titleMethod: 'structured',
+      titlePrompt: 'Generate a descriptive title for this agent conversation',
+      titlePromptTemplate: 'Agent conversation summary: {{content}}',
+      recursionLimit: 15,
+      capabilities: expect.arrayContaining([AgentCapabilities.tools, AgentCapabilities.actions]),
+    });
+  });
+
+  it('should handle missing title configuration options with defaults', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titleConvo: true,
+            // titlePrompt and titlePromptTemplate are not provided
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    expect(app.locals).toHaveProperty(EModelEndpoint.openAI);
+    expect(app.locals[EModelEndpoint.openAI]).toMatchObject({
+      titleConvo: true,
+    });
+    // Check that the optional fields are undefined when not provided
+    expect(app.locals[EModelEndpoint.openAI].titlePrompt).toBeUndefined();
+    expect(app.locals[EModelEndpoint.openAI].titlePromptTemplate).toBeUndefined();
+    expect(app.locals[EModelEndpoint.openAI].titleMethod).toBeUndefined();
+  });
+
+  it('should correctly configure titleEndpoint when specified', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titleConvo: true,
+            titleModel: 'gpt-3.5-turbo',
+            titleEndpoint: EModelEndpoint.anthropic,
+            titlePrompt: 'Generate a concise title',
+          },
+          [EModelEndpoint.agents]: {
+            titleEndpoint: 'custom-provider',
+            titleMethod: 'structured',
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    // Check OpenAI endpoint has titleEndpoint
+    expect(app.locals).toHaveProperty(EModelEndpoint.openAI);
+    expect(app.locals[EModelEndpoint.openAI]).toMatchObject({
+      titleConvo: true,
+      titleModel: 'gpt-3.5-turbo',
+      titleEndpoint: EModelEndpoint.anthropic,
+      titlePrompt: 'Generate a concise title',
+    });
+
+    // Check Agents endpoint has titleEndpoint
+    expect(app.locals).toHaveProperty(EModelEndpoint.agents);
+    expect(app.locals[EModelEndpoint.agents]).toMatchObject({
+      titleEndpoint: 'custom-provider',
+      titleMethod: 'structured',
+    });
+  });
+
+  it('should correctly configure all endpoint when specified', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          all: {
+            titleConvo: true,
+            titleModel: 'gpt-4o-mini',
+            titleMethod: 'structured',
+            titlePrompt: 'Default title prompt for all endpoints',
+            titlePromptTemplate: 'Default template: {{conversation}}',
+            titleEndpoint: EModelEndpoint.anthropic,
+            streamRate: 50,
+          },
+          [EModelEndpoint.openAI]: {
+            titleConvo: true,
+            titleModel: 'gpt-3.5-turbo',
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    // Check that 'all' endpoint config is loaded
+    expect(app.locals).toHaveProperty('all');
+    expect(app.locals.all).toMatchObject({
+      titleConvo: true,
+      titleModel: 'gpt-4o-mini',
+      titleMethod: 'structured',
+      titlePrompt: 'Default title prompt for all endpoints',
+      titlePromptTemplate: 'Default template: {{conversation}}',
+      titleEndpoint: EModelEndpoint.anthropic,
+      streamRate: 50,
+    });
+
+    // Check that OpenAI endpoint has its own config
+    expect(app.locals).toHaveProperty(EModelEndpoint.openAI);
+    expect(app.locals[EModelEndpoint.openAI]).toMatchObject({
+      titleConvo: true,
+      titleModel: 'gpt-3.5-turbo',
+    });
+  });
 });
 
 describe('AppService updating app.locals and issuing warnings', () => {
@@ -570,6 +778,7 @@ describe('AppService updating app.locals and issuing warnings', () => {
 
     expect(app.locals).toBeDefined();
     expect(app.locals.paths).toBeDefined();
+    expect(app.locals.config).toEqual({});
     expect(app.locals.fileStrategy).toEqual(FileSources.local);
     expect(app.locals.socialLogins).toEqual(defaultSocialLogins);
     expect(app.locals.balance).toEqual(
@@ -602,6 +811,7 @@ describe('AppService updating app.locals and issuing warnings', () => {
 
     expect(app.locals).toBeDefined();
     expect(app.locals.paths).toBeDefined();
+    expect(app.locals.config).toEqual(customConfig);
     expect(app.locals.fileStrategy).toEqual(customConfig.fileStrategy);
     expect(app.locals.socialLogins).toEqual(customConfig.registration.socialLogins);
     expect(app.locals.balance).toEqual(customConfig.balance);
@@ -759,4 +969,59 @@ describe('AppService updating app.locals and issuing warnings', () => {
     expect(app.locals.ocr.strategy).toEqual('mistral_ocr');
     expect(app.locals.ocr.mistralModel).toEqual('mistral-medium');
   });
+
+  it('should correctly configure peoplePicker with roles permission when specified', async () => {
+    const mockConfig = {
+      interface: {
+        peoplePicker: {
+          admin: {
+            users: true,
+            groups: true,
+            roles: true,
+          },
+          user: {
+            users: false,
+            groups: false,
+            roles: true,
+          },
+        },
+      },
+    };
+
+    require('./Config/loadCustomConfig').mockImplementationOnce(() => Promise.resolve(mockConfig));
+
+    const app = { locals: {} };
+    await AppService(app);
+
+    // Check that interface config includes the roles permission
+    expect(app.locals.interfaceConfig.peoplePicker).toBeDefined();
+    expect(app.locals.interfaceConfig.peoplePicker.admin).toMatchObject({
+      users: true,
+      groups: true,
+      roles: true,
+    });
+    expect(app.locals.interfaceConfig.peoplePicker.user).toMatchObject({
+      users: false,
+      groups: false,
+      roles: true,
+    });
+  });
+
+  it('should use default peoplePicker roles permissions when not specified', async () => {
+    const mockConfig = {
+      interface: {
+        // No peoplePicker configuration
+      },
+    };
+
+    require('./Config/loadCustomConfig').mockImplementationOnce(() => Promise.resolve(mockConfig));
+
+    const app = { locals: {} };
+    await AppService(app);
+
+    // Check that default roles permissions are applied
+    expect(app.locals.interfaceConfig.peoplePicker).toBeDefined();
+    expect(app.locals.interfaceConfig.peoplePicker.admin.roles).toBe(true);
+    expect(app.locals.interfaceConfig.peoplePicker.user.roles).toBe(false);
+  });
 });

api/server/services/AssistantService.js

@@ -281,7 +281,7 @@ function createInProgressHandler(openai, thread_id, messages) {
 
       openai.seenCompletedMessages.add(message_id);
 
-      const message = await openai.beta.threads.messages.retrieve(thread_id, message_id);
+      const message = await openai.beta.threads.messages.retrieve(message_id, { thread_id });
       if (!message?.content?.length) {
         return;
       }
@@ -435,9 +435,11 @@ async function runAssistant({
     };
   });
 
-  const outputs = await processRequiredActions(openai, actions);
-
-  const toolRun = await openai.beta.threads.runs.submitToolOutputs(run.thread_id, run.id, outputs);
+  const tool_outputs = await processRequiredActions(openai, actions);
+  const toolRun = await openai.beta.threads.runs.submitToolOutputs(run.id, {
+    thread_id: run.thread_id,
+    tool_outputs,
+  });
 
   // Recursive call with accumulated steps and messages
   return await runAssistant({

api/server/services/Config/getCustomConfig.js

@@ -3,7 +3,6 @@ const { isEnabled, getUserMCPAuthMap } = require('@librechat/api');
 const { CacheKeys, EModelEndpoint } = require('librechat-data-provider');
 const { normalizeEndpointName } = require('~/server/utils');
 const loadCustomConfig = require('./loadCustomConfig');
-const { getCachedTools } = require('./getCachedTools');
 const getLogStores = require('~/cache/getLogStores');
 
 /**
@@ -12,8 +11,8 @@ const getLogStores = require('~/cache/getLogStores');
  * @returns {Promise<TCustomConfig | null>}
  * */
 async function getCustomConfig() {
-  const cache = getLogStores(CacheKeys.CONFIG_STORE);
-  return (await cache.get(CacheKeys.CUSTOM_CONFIG)) || (await loadCustomConfig());
+  const cache = getLogStores(CacheKeys.STATIC_CONFIG);
+  return (await cache.get(CacheKeys.LIBRECHAT_YAML_CONFIG)) || (await loadCustomConfig());
 }
 
 /**
@@ -66,13 +65,9 @@ async function getMCPAuthMap({ userId, tools, findPluginAuthsByKeys }) {
     if (!tools || tools.length === 0) {
       return;
     }
-    const appTools = await getCachedTools({
-      userId,
-    });
     return await getUserMCPAuthMap({
       tools,
       userId,
-      appTools,
       findPluginAuthsByKeys,
     });
   } catch (err) {

api/server/services/Config/loadCustomConfig.js

@@ -25,7 +25,7 @@ let i = 0;
  * @function loadCustomConfig
  * @returns {Promise<TCustomConfig | null>} A promise that resolves to null or the custom config object.
  * */
-async function loadCustomConfig() {
+async function loadCustomConfig(printConfig = true) {
   // Use CONFIG_PATH if set, otherwise fallback to defaultConfigPath
   const configPath = process.env.CONFIG_PATH || defaultConfigPath;
 
@@ -108,7 +108,11 @@ https://www.librechat.ai/docs/configuration/stt_tts`);
 
     return null;
   } else {
-    logger.debug('Custom config:', customConfig);
+    if (printConfig) {
+      logger.info('Custom config file loaded:');
+      logger.info(JSON.stringify(customConfig, null, 2));
+      logger.debug('Custom config:', customConfig);
+    }
   }
 
   (customConfig.endpoints?.custom ?? [])
@@ -116,8 +120,8 @@ https://www.librechat.ai/docs/configuration/stt_tts`);
     .forEach((endpoint) => parseCustomParams(endpoint.name, endpoint.customParams));
 
   if (customConfig.cache) {
-    const cache = getLogStores(CacheKeys.CONFIG_STORE);
-    await cache.set(CacheKeys.CUSTOM_CONFIG, customConfig);
+    const cache = getLogStores(CacheKeys.STATIC_CONFIG);
+    await cache.set(CacheKeys.LIBRECHAT_YAML_CONFIG, customConfig);
   }
 
   if (result.data.modelSpecs) {

api/server/services/Endpoints/agents/agent.js

@@ -104,7 +104,7 @@ const initializeAgent = async ({
 
   agent.endpoint = provider;
   const { getOptions, overrideProvider } = await getProviderConfig(provider);
-  if (overrideProvider) {
+  if (overrideProvider !== agent.provider) {
     agent.provider = overrideProvider;
   }
 
@@ -131,7 +131,7 @@ const initializeAgent = async ({
   );
   const agentMaxContextTokens = optionalChainWithEmptyCheck(
     maxContextTokens,
-    getModelMaxTokens(tokensModel, providerEndpointMap[provider]),
+    getModelMaxTokens(tokensModel, providerEndpointMap[provider], options.endpointTokenConfig),
     4096,
   );
 
@@ -186,11 +186,12 @@ const initializeAgent = async ({
 
   return {
     ...agent,
+    tools,
     attachments,
     resendFiles,
     toolContextMap,
-    tools,
-    maxContextTokens: (agentMaxContextTokens - maxTokens) * 0.9,
+    useLegacyContent: !!options.useLegacyContent,
+    maxContextTokens: Math.round((agentMaxContextTokens - maxTokens) * 0.9),
   };
 };
 

api/server/services/Endpoints/assistants/initalize.js

@@ -1,12 +1,12 @@
 const OpenAI = require('openai');
-const { HttpsProxyAgent } = require('https-proxy-agent');
+const { ProxyAgent } = require('undici');
 const { ErrorTypes, EModelEndpoint } = require('librechat-data-provider');
 const {
   getUserKeyValues,
   getUserKeyExpiry,
   checkUserKeyExpiry,
 } = require('~/server/services/UserService');
-const OpenAIClient = require('~/app/clients/OpenAIClient');
+const OAIClient = require('~/app/clients/OpenAIClient');
 const { isUserProvided } = require('~/server/utils');
 
 const initializeClient = async ({ req, res, endpointOption, version, initAppClient = false }) => {
@@ -59,7 +59,10 @@ const initializeClient = async ({ req, res, endpointOption, version, initAppClie
   }
 
   if (PROXY) {
-    opts.httpAgent = new HttpsProxyAgent(PROXY);
+    const proxyAgent = new ProxyAgent(PROXY);
+    opts.fetchOptions = {
+      dispatcher: proxyAgent,
+    };
   }
 
   if (OPENAI_ORGANIZATION) {
@@ -76,7 +79,7 @@ const initializeClient = async ({ req, res, endpointOption, version, initAppClie
   openai.res = res;
 
   if (endpointOption && initAppClient) {
-    const client = new OpenAIClient(apiKey, clientOptions);
+    const client = new OAIClient(apiKey, clientOptions);
     return {
       client,
       openai,

api/server/services/Endpoints/assistants/initialize.spec.js

@@ -1,5 +1,5 @@
 // const OpenAI = require('openai');
-const { HttpsProxyAgent } = require('https-proxy-agent');
+const { ProxyAgent } = require('undici');
 const { ErrorTypes } = require('librechat-data-provider');
 const { getUserKey, getUserKeyExpiry, getUserKeyValues } = require('~/server/services/UserService');
 const initializeClient = require('./initalize');
@@ -107,6 +107,7 @@ describe('initializeClient', () => {
     const res = {};
 
     const { openai } = await initializeClient({ req, res });
-    expect(openai.httpAgent).toBeInstanceOf(HttpsProxyAgent);
+    expect(openai.fetchOptions).toBeDefined();
+    expect(openai.fetchOptions.dispatcher).toBeInstanceOf(ProxyAgent);
   });
 });