chore: add missing SidePanelProvider for AgentMarketplace and organize imports

- Removed handling for empty support_contact object in createAgent function.
- Changed default value of support_contact in agent schema to undefined.

.env.example

@@ -349,6 +349,11 @@ REGISTRATION_VIOLATION_SCORE=1
 CONCURRENT_VIOLATION_SCORE=1
 MESSAGE_VIOLATION_SCORE=1
 NON_BROWSER_VIOLATION_SCORE=20
+TTS_VIOLATION_SCORE=0
+STT_VIOLATION_SCORE=0
+FORK_VIOLATION_SCORE=0
+IMPORT_VIOLATION_SCORE=0
+FILE_UPLOAD_VIOLATION_SCORE=0
 
 LOGIN_MAX=7
 LOGIN_WINDOW=5
@@ -485,6 +490,21 @@ SAML_IMAGE_URL=
 # SAML_USE_AUTHN_RESPONSE_SIGNED=
 
 
+#===============================================#
+# Microsoft Graph API / Entra ID Integration  #
+#===============================================#
+
+# Enable Entra ID people search integration in permissions/sharing system
+# When enabled, the people picker will search both local database and Entra ID
+USE_ENTRA_ID_FOR_PEOPLE_SEARCH=false
+
+# When enabled, entra id groups owners will be considered as members of the group
+ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=false
+
+# Microsoft Graph API scopes needed for people/group search
+# Default scopes provide access to user profiles and group memberships
+OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All
+
 # LDAP
 LDAP_URL=
 LDAP_BIND_DN=
@@ -575,6 +595,10 @@ ALLOW_SHARED_LINKS_PUBLIC=true
 # If you have another service in front of your LibreChat doing compression, disable express based compression here
 # DISABLE_COMPRESSION=true
 
+# If you have gzipped version of uploaded image images in the same folder, this will enable gzip scan and serving of these images
+# Note: The images folder will be scanned on startup and a ma kept in memory. Be careful for large number of images.
+# ENABLE_IMAGE_OUTPUT_GZIP_SCAN=true
+
 #===================================================#
 #                        UI                         #
 #===================================================#
@@ -592,11 +616,31 @@ HELP_AND_FAQ_URL=https://librechat.ai
 # REDIS Options #
 #===============#
 
-# REDIS_URI=10.10.10.10:6379
+# Enable Redis for caching and session storage
 # USE_REDIS=true
 
-# USE_REDIS_CLUSTER=true
-# REDIS_CA=/path/to/ca.crt
+# Single Redis instance
+# REDIS_URI=redis://127.0.0.1:6379
+
+# Redis cluster (multiple nodes)
+# REDIS_URI=redis://127.0.0.1:7001,redis://127.0.0.1:7002,redis://127.0.0.1:7003
+
+# Redis with TLS/SSL encryption and CA certificate
+# REDIS_URI=rediss://127.0.0.1:6380
+# REDIS_CA=/path/to/ca-cert.pem
+
+# Redis authentication (if required)
+# REDIS_USERNAME=your_redis_username
+# REDIS_PASSWORD=your_redis_password
+
+# Redis key prefix configuration
+# Use environment variable name for dynamic prefix (recommended for cloud deployments)
+# REDIS_KEY_PREFIX_VAR=K_REVISION
+# Or use static prefix directly
+# REDIS_KEY_PREFIX=librechat
+
+# Redis connection limits
+# REDIS_MAX_LISTENERS=40
 
 #==================================================#
 #                      Others                      #

.github/workflows/client.yml

@@ -0,0 +1,32 @@
+name: Publish `@librechat/client` to NPM
+
+on:
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Reason for manual trigger'
+        required: false
+        default: 'Manual publish requested'
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18.x'
+          
+      - name: Check if client package exists
+        run: |
+          if [ -d "packages/client" ]; then
+            echo "Client package directory found"
+          else
+            echo "Client package directory not found - workflow ready for future use"
+            exit 0
+          fi
+          
+      - name: Placeholder for future publishing
+        run: echo "Client package publishing workflow is ready" 

.gitignore

@@ -125,3 +125,12 @@ helm/**/.values.yaml
 
 # SAML Idp cert
 *.cert
+
+# AI Assistants
+/.claude/
+/.cursor/
+/.copilot/
+/.aider/
+/.openai/
+/.tabnine/
+/.codeium

.vscode/launch.json

@@ -8,7 +8,8 @@
       "skipFiles": ["<node_internals>/**"],
       "program": "${workspaceFolder}/api/server/index.js",
       "env": {
-        "NODE_ENV": "production"
+        "NODE_ENV": "production",
+        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
       },
       "console": "integratedTerminal",
       "envFile": "${workspaceFolder}/.env"

api/app/clients/BaseClient.js

@@ -108,12 +108,15 @@ class BaseClient {
   /**
    * Abstract method to record token usage. Subclasses must implement this method.
    * If a correction to the token usage is needed, the method should return an object with the corrected token counts.
+   * Should only be used if `recordCollectedUsage` was not used instead.
+   * @param {string} [model]
    * @param {number} promptTokens
    * @param {number} completionTokens
    * @returns {Promise<void>}
    */
-  async recordTokenUsage({ promptTokens, completionTokens }) {
+  async recordTokenUsage({ model, promptTokens, completionTokens }) {
     logger.debug('[BaseClient] `recordTokenUsage` not implemented.', {
+      model,
       promptTokens,
       completionTokens,
     });
@@ -197,6 +200,10 @@ class BaseClient {
       this.currentMessages[this.currentMessages.length - 1].messageId = head;
     }
 
+    if (opts.isRegenerate && responseMessageId.endsWith('_')) {
+      responseMessageId = crypto.randomUUID();
+    }
+
     this.responseMessageId = responseMessageId;
 
     return {
@@ -737,9 +744,13 @@ class BaseClient {
       } else {
         responseMessage.tokenCount = this.getTokenCountForResponse(responseMessage);
         completionTokens = responseMessage.tokenCount;
+        await this.recordTokenUsage({
+          usage,
+          promptTokens,
+          completionTokens,
+          model: responseMessage.model,
+        });
       }
-
-      await this.recordTokenUsage({ promptTokens, completionTokens, usage });
     }
 
     if (userMessagePromise) {

api/app/clients/prompts/formatMessages.js

@@ -237,41 +237,9 @@ const formatAgentMessages = (payload) => {
   return messages;
 };
 
-/**
- * Formats an array of messages for LangChain, making sure all content fields are strings
- * @param {Array<(HumanMessage|AIMessage|SystemMessage|ToolMessage)>} payload - The array of messages to format.
- * @returns {Array<(HumanMessage|AIMessage|SystemMessage|ToolMessage)>} - The array of formatted LangChain messages, including ToolMessages for tool calls.
- */
-const formatContentStrings = (payload) => {
-  const messages = [];
-
-  for (const message of payload) {
-    if (typeof message.content === 'string') {
-      continue;
-    }
-
-    if (!Array.isArray(message.content)) {
-      continue;
-    }
-
-    // Reduce text types to a single string, ignore all other types
-    const content = message.content.reduce((acc, curr) => {
-      if (curr.type === ContentTypes.TEXT) {
-        return `${acc}${curr[ContentTypes.TEXT]}\n`;
-      }
-      return acc;
-    }, '');
-
-    message.content = content.trim();
-  }
-
-  return messages;
-};
-
 module.exports = {
   formatMessage,
   formatFromLangChain,
   formatAgentMessages,
-  formatContentStrings,
   formatLangChainMessages,
 };

api/app/clients/specs/BaseClient.test.js

@@ -422,6 +422,46 @@ describe('BaseClient', () => {
       expect(response).toEqual(expectedResult);
     });
 
+    test('should replace responseMessageId with new UUID when isRegenerate is true and messageId ends with underscore', async () => {
+      const mockCrypto = require('crypto');
+      const newUUID = 'new-uuid-1234';
+      jest.spyOn(mockCrypto, 'randomUUID').mockReturnValue(newUUID);
+
+      const opts = {
+        isRegenerate: true,
+        responseMessageId: 'existing-message-id_',
+      };
+
+      await TestClient.setMessageOptions(opts);
+
+      expect(TestClient.responseMessageId).toBe(newUUID);
+      expect(TestClient.responseMessageId).not.toBe('existing-message-id_');
+
+      mockCrypto.randomUUID.mockRestore();
+    });
+
+    test('should not replace responseMessageId when isRegenerate is false', async () => {
+      const opts = {
+        isRegenerate: false,
+        responseMessageId: 'existing-message-id_',
+      };
+
+      await TestClient.setMessageOptions(opts);
+
+      expect(TestClient.responseMessageId).toBe('existing-message-id_');
+    });
+
+    test('should not replace responseMessageId when it does not end with underscore', async () => {
+      const opts = {
+        isRegenerate: true,
+        responseMessageId: 'existing-message-id',
+      };
+
+      await TestClient.setMessageOptions(opts);
+
+      expect(TestClient.responseMessageId).toBe('existing-message-id');
+    });
+
     test('sendMessage should work with provided conversationId and parentMessageId', async () => {
       const userMessage = 'Second message in the conversation';
       const opts = {

api/app/clients/tools/util/fileSearch.js

@@ -3,6 +3,7 @@ const axios = require('axios');
 const { tool } = require('@langchain/core/tools');
 const { logger } = require('@librechat/data-schemas');
 const { Tools, EToolResources } = require('librechat-data-provider');
+const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
 const { generateShortLivedToken } = require('~/server/services/AuthService');
 const { getFiles } = require('~/models/File');
 
@@ -11,17 +12,30 @@ const { getFiles } = require('~/models/File');
  * @param {Object} options
  * @param {ServerRequest} options.req
  * @param {Agent['tool_resources']} options.tool_resources
+ * @param {string} [options.agentId] - The agent ID for file access control
  * @returns {Promise<{
  *   files: Array<{ file_id: string; filename: string }>,
  *   toolContext: string
  * }>}
  */
 const primeFiles = async (options) => {
-  const { tool_resources } = options;
+  const { tool_resources, req, agentId } = options;
   const file_ids = tool_resources?.[EToolResources.file_search]?.file_ids ?? [];
   const agentResourceIds = new Set(file_ids);
   const resourceFiles = tool_resources?.[EToolResources.file_search]?.files ?? [];
-  const dbFiles = ((await getFiles({ file_id: { $in: file_ids } })) ?? []).concat(resourceFiles);
+
+  // Get all files first
+  const allFiles = (await getFiles({ file_id: { $in: file_ids } }, null, { text: 0 })) ?? [];
+
+  // Filter by access if user and agent are provided
+  let dbFiles;
+  if (req?.user?.id && agentId) {
+    dbFiles = await filterFilesByAgentAccess(allFiles, req.user.id, agentId);
+  } else {
+    dbFiles = allFiles;
+  }
+
+  dbFiles = dbFiles.concat(resourceFiles);
 
   let toolContext = `- Note: Semantic search is available through the ${Tools.file_search} tool but no files are currently loaded. Request the user to upload documents to search through.`;
 

api/app/clients/tools/util/handleTools.js

@@ -1,14 +1,9 @@
-const { mcpToolPattern } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const { SerpAPI } = require('@langchain/community/tools/serpapi');
 const { Calculator } = require('@langchain/community/tools/calculator');
+const { mcpToolPattern, loadWebSearchAuth } = require('@librechat/api');
 const { EnvVar, createCodeExecutionTool, createSearchTool } = require('@librechat/agents');
-const {
-  Tools,
-  EToolResources,
-  loadWebSearchAuth,
-  replaceSpecialVars,
-} = require('librechat-data-provider');
+const { Tools, EToolResources, replaceSpecialVars } = require('librechat-data-provider');
 const {
   availableTools,
   manifestToolMap,
@@ -245,7 +240,13 @@ const loadTools = async ({
           authFields: [EnvVar.CODE_API_KEY],
         });
         const codeApiKey = authValues[EnvVar.CODE_API_KEY];
-        const { files, toolContext } = await primeCodeFiles(options, codeApiKey);
+        const { files, toolContext } = await primeCodeFiles(
+          {
+            ...options,
+            agentId: agent?.id,
+          },
+          codeApiKey,
+        );
         if (toolContext) {
           toolContextMap[tool] = toolContext;
         }
@@ -260,7 +261,10 @@ const loadTools = async ({
       continue;
     } else if (tool === Tools.file_search) {
       requestedTools[tool] = async () => {
-        const { files, toolContext } = await primeSearchFiles(options);
+        const { files, toolContext } = await primeSearchFiles({
+          ...options,
+          agentId: agent?.id,
+        });
         if (toolContext) {
           toolContextMap[tool] = toolContext;
         }

api/cache/cacheConfig.js

@@ -0,0 +1,33 @@
+const fs = require('fs');
+const { math, isEnabled } = require('@librechat/api');
+
+// To ensure that different deployments do not interfere with each other's cache, we use a prefix for the Redis keys.
+// This prefix is usually the deployment ID, which is often passed to the container or pod as an env var.
+// Set REDIS_KEY_PREFIX_VAR to the env var that contains the deployment ID.
+const REDIS_KEY_PREFIX_VAR = process.env.REDIS_KEY_PREFIX_VAR;
+const REDIS_KEY_PREFIX = process.env.REDIS_KEY_PREFIX;
+if (REDIS_KEY_PREFIX_VAR && REDIS_KEY_PREFIX) {
+  throw new Error('Only either REDIS_KEY_PREFIX_VAR or REDIS_KEY_PREFIX can be set.');
+}
+
+const USE_REDIS = isEnabled(process.env.USE_REDIS);
+if (USE_REDIS && !process.env.REDIS_URI) {
+  throw new Error('USE_REDIS is enabled but REDIS_URI is not set.');
+}
+
+const cacheConfig = {
+  USE_REDIS,
+  REDIS_URI: process.env.REDIS_URI,
+  REDIS_USERNAME: process.env.REDIS_USERNAME,
+  REDIS_PASSWORD: process.env.REDIS_PASSWORD,
+  REDIS_CA: process.env.REDIS_CA ? fs.readFileSync(process.env.REDIS_CA, 'utf8') : null,
+  REDIS_KEY_PREFIX: process.env[REDIS_KEY_PREFIX_VAR] || REDIS_KEY_PREFIX || '',
+  REDIS_MAX_LISTENERS: math(process.env.REDIS_MAX_LISTENERS, 40),
+
+  CI: isEnabled(process.env.CI),
+  DEBUG_MEMORY_CACHE: isEnabled(process.env.DEBUG_MEMORY_CACHE),
+
+  BAN_DURATION: math(process.env.BAN_DURATION, 7200000), // 2 hours
+};
+
+module.exports = { cacheConfig };

api/cache/cacheConfig.spec.js

@@ -0,0 +1,108 @@
+const fs = require('fs');
+
+describe('cacheConfig', () => {
+  let originalEnv;
+  let originalReadFileSync;
+
+  beforeEach(() => {
+    originalEnv = { ...process.env };
+    originalReadFileSync = fs.readFileSync;
+
+    // Clear all related env vars first
+    delete process.env.REDIS_URI;
+    delete process.env.REDIS_CA;
+    delete process.env.REDIS_KEY_PREFIX_VAR;
+    delete process.env.REDIS_KEY_PREFIX;
+    delete process.env.USE_REDIS;
+
+    // Clear require cache
+    jest.resetModules();
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+    fs.readFileSync = originalReadFileSync;
+    jest.resetModules();
+  });
+
+  describe('REDIS_KEY_PREFIX validation and resolution', () => {
+    test('should throw error when both REDIS_KEY_PREFIX_VAR and REDIS_KEY_PREFIX are set', () => {
+      process.env.REDIS_KEY_PREFIX_VAR = 'DEPLOYMENT_ID';
+      process.env.REDIS_KEY_PREFIX = 'manual-prefix';
+
+      expect(() => {
+        require('./cacheConfig');
+      }).toThrow('Only either REDIS_KEY_PREFIX_VAR or REDIS_KEY_PREFIX can be set.');
+    });
+
+    test('should resolve REDIS_KEY_PREFIX from variable reference', () => {
+      process.env.REDIS_KEY_PREFIX_VAR = 'DEPLOYMENT_ID';
+      process.env.DEPLOYMENT_ID = 'test-deployment-123';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('test-deployment-123');
+    });
+
+    test('should use direct REDIS_KEY_PREFIX value', () => {
+      process.env.REDIS_KEY_PREFIX = 'direct-prefix';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('direct-prefix');
+    });
+
+    test('should default to empty string when no prefix is configured', () => {
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('');
+    });
+
+    test('should handle empty variable reference', () => {
+      process.env.REDIS_KEY_PREFIX_VAR = 'EMPTY_VAR';
+      process.env.EMPTY_VAR = '';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('');
+    });
+
+    test('should handle undefined variable reference', () => {
+      process.env.REDIS_KEY_PREFIX_VAR = 'UNDEFINED_VAR';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('');
+    });
+  });
+
+  describe('USE_REDIS and REDIS_URI validation', () => {
+    test('should throw error when USE_REDIS is enabled but REDIS_URI is not set', () => {
+      process.env.USE_REDIS = 'true';
+
+      expect(() => {
+        require('./cacheConfig');
+      }).toThrow('USE_REDIS is enabled but REDIS_URI is not set.');
+    });
+
+    test('should not throw error when USE_REDIS is enabled and REDIS_URI is set', () => {
+      process.env.USE_REDIS = 'true';
+      process.env.REDIS_URI = 'redis://localhost:6379';
+
+      expect(() => {
+        require('./cacheConfig');
+      }).not.toThrow();
+    });
+
+    test('should handle empty REDIS_URI when USE_REDIS is enabled', () => {
+      process.env.USE_REDIS = 'true';
+      process.env.REDIS_URI = '';
+
+      expect(() => {
+        require('./cacheConfig');
+      }).toThrow('USE_REDIS is enabled but REDIS_URI is not set.');
+    });
+  });
+
+  describe('REDIS_CA file reading', () => {
+    test('should be null when REDIS_CA is not set', () => {
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_CA).toBeNull();
+    });
+  });
+});

api/cache/cacheFactory.js

@@ -0,0 +1,66 @@
+const KeyvRedis = require('@keyv/redis').default;
+const { Keyv } = require('keyv');
+const { cacheConfig } = require('./cacheConfig');
+const { keyvRedisClient, ioredisClient, GLOBAL_PREFIX_SEPARATOR } = require('./redisClients');
+const { Time } = require('librechat-data-provider');
+const { RedisStore: ConnectRedis } = require('connect-redis');
+const MemoryStore = require('memorystore')(require('express-session'));
+const { violationFile } = require('./keyvFiles');
+const { RedisStore } = require('rate-limit-redis');
+
+/**
+ * Creates a cache instance using Redis or a fallback store. Suitable for general caching needs.
+ * @param {string} namespace - The cache namespace.
+ * @param {number} [ttl] - Time to live for cache entries.
+ * @param {object} [fallbackStore] - Optional fallback store if Redis is not used.
+ * @returns {Keyv} Cache instance.
+ */
+const standardCache = (namespace, ttl = undefined, fallbackStore = undefined) => {
+  if (cacheConfig.USE_REDIS) {
+    const keyvRedis = new KeyvRedis(keyvRedisClient);
+    const cache = new Keyv(keyvRedis, { namespace, ttl });
+    keyvRedis.namespace = cacheConfig.REDIS_KEY_PREFIX;
+    keyvRedis.keyPrefixSeparator = GLOBAL_PREFIX_SEPARATOR;
+    return cache;
+  }
+  if (fallbackStore) return new Keyv({ store: fallbackStore, namespace, ttl });
+  return new Keyv({ namespace, ttl });
+};
+
+/**
+ * Creates a cache instance for storing violation data.
+ * Uses a file-based fallback store if Redis is not enabled.
+ * @param {string} namespace - The cache namespace for violations.
+ * @param {number} [ttl] - Time to live for cache entries.
+ * @returns {Keyv} Cache instance for violations.
+ */
+const violationCache = (namespace, ttl = undefined) => {
+  return standardCache(`violations:${namespace}`, ttl, violationFile);
+};
+
+/**
+ * Creates a session cache instance using Redis or in-memory store.
+ * @param {string} namespace - The session namespace.
+ * @param {number} [ttl] - Time to live for session entries.
+ * @returns {MemoryStore | ConnectRedis} Session store instance.
+ */
+const sessionCache = (namespace, ttl = undefined) => {
+  namespace = namespace.endsWith(':') ? namespace : `${namespace}:`;
+  if (!cacheConfig.USE_REDIS) return new MemoryStore({ ttl, checkPeriod: Time.ONE_DAY });
+  return new ConnectRedis({ client: ioredisClient, ttl, prefix: namespace });
+};
+
+/**
+ * Creates a rate limiter cache using Redis.
+ * @param {string} prefix - The key prefix for rate limiting.
+ * @returns {RedisStore|undefined} RedisStore instance or undefined if Redis is not used.
+ */
+const limiterCache = (prefix) => {
+  if (!prefix) throw new Error('prefix is required');
+  if (!cacheConfig.USE_REDIS) return undefined;
+  prefix = prefix.endsWith(':') ? prefix : `${prefix}:`;
+  return new RedisStore({ sendCommand, prefix });
+};
+const sendCommand = (...args) => ioredisClient?.call(...args);
+
+module.exports = { standardCache, sessionCache, violationCache, limiterCache };

api/cache/cacheFactory.spec.js

@@ -0,0 +1,270 @@
+const { Time } = require('librechat-data-provider');
+
+// Mock dependencies first
+const mockKeyvRedis = {
+  namespace: '',
+  keyPrefixSeparator: '',
+};
+
+const mockKeyv = jest.fn().mockReturnValue({ mock: 'keyv' });
+const mockConnectRedis = jest.fn().mockReturnValue({ mock: 'connectRedis' });
+const mockMemoryStore = jest.fn().mockReturnValue({ mock: 'memoryStore' });
+const mockRedisStore = jest.fn().mockReturnValue({ mock: 'redisStore' });
+
+const mockIoredisClient = {
+  call: jest.fn(),
+};
+
+const mockKeyvRedisClient = {};
+const mockViolationFile = {};
+
+// Mock modules before requiring the main module
+jest.mock('@keyv/redis', () => ({
+  default: jest.fn().mockImplementation(() => mockKeyvRedis),
+}));
+
+jest.mock('keyv', () => ({
+  Keyv: mockKeyv,
+}));
+
+jest.mock('./cacheConfig', () => ({
+  cacheConfig: {
+    USE_REDIS: false,
+    REDIS_KEY_PREFIX: 'test',
+  },
+}));
+
+jest.mock('./redisClients', () => ({
+  keyvRedisClient: mockKeyvRedisClient,
+  ioredisClient: mockIoredisClient,
+  GLOBAL_PREFIX_SEPARATOR: '::',
+}));
+
+jest.mock('./keyvFiles', () => ({
+  violationFile: mockViolationFile,
+}));
+
+jest.mock('connect-redis', () => ({ RedisStore: mockConnectRedis }));
+
+jest.mock('memorystore', () => jest.fn(() => mockMemoryStore));
+
+jest.mock('rate-limit-redis', () => ({
+  RedisStore: mockRedisStore,
+}));
+
+// Import after mocking
+const { standardCache, sessionCache, violationCache, limiterCache } = require('./cacheFactory');
+const { cacheConfig } = require('./cacheConfig');
+
+describe('cacheFactory', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+
+    // Reset cache config mock
+    cacheConfig.USE_REDIS = false;
+    cacheConfig.REDIS_KEY_PREFIX = 'test';
+  });
+
+  describe('redisCache', () => {
+    it('should create Redis cache when USE_REDIS is true', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'test-namespace';
+      const ttl = 3600;
+
+      standardCache(namespace, ttl);
+
+      expect(require('@keyv/redis').default).toHaveBeenCalledWith(mockKeyvRedisClient);
+      expect(mockKeyv).toHaveBeenCalledWith(mockKeyvRedis, { namespace, ttl });
+      expect(mockKeyvRedis.namespace).toBe(cacheConfig.REDIS_KEY_PREFIX);
+      expect(mockKeyvRedis.keyPrefixSeparator).toBe('::');
+    });
+
+    it('should create Redis cache with undefined ttl when not provided', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'test-namespace';
+
+      standardCache(namespace);
+
+      expect(mockKeyv).toHaveBeenCalledWith(mockKeyvRedis, { namespace, ttl: undefined });
+    });
+
+    it('should use fallback store when USE_REDIS is false and fallbackStore is provided', () => {
+      cacheConfig.USE_REDIS = false;
+      const namespace = 'test-namespace';
+      const ttl = 3600;
+      const fallbackStore = { some: 'store' };
+
+      standardCache(namespace, ttl, fallbackStore);
+
+      expect(mockKeyv).toHaveBeenCalledWith({ store: fallbackStore, namespace, ttl });
+    });
+
+    it('should create default Keyv instance when USE_REDIS is false and no fallbackStore', () => {
+      cacheConfig.USE_REDIS = false;
+      const namespace = 'test-namespace';
+      const ttl = 3600;
+
+      standardCache(namespace, ttl);
+
+      expect(mockKeyv).toHaveBeenCalledWith({ namespace, ttl });
+    });
+
+    it('should handle namespace and ttl as undefined', () => {
+      cacheConfig.USE_REDIS = false;
+
+      standardCache();
+
+      expect(mockKeyv).toHaveBeenCalledWith({ namespace: undefined, ttl: undefined });
+    });
+  });
+
+  describe('violationCache', () => {
+    it('should create violation cache with prefixed namespace', () => {
+      const namespace = 'test-violations';
+      const ttl = 7200;
+
+      // We can't easily mock the internal redisCache call since it's in the same module
+      // But we can test that the function executes without throwing
+      expect(() => violationCache(namespace, ttl)).not.toThrow();
+    });
+
+    it('should create violation cache with undefined ttl', () => {
+      const namespace = 'test-violations';
+
+      violationCache(namespace);
+
+      // The function should call redisCache with violations: prefixed namespace
+      // Since we can't easily mock the internal redisCache call, we test the behavior
+      expect(() => violationCache(namespace)).not.toThrow();
+    });
+
+    it('should handle undefined namespace', () => {
+      expect(() => violationCache(undefined)).not.toThrow();
+    });
+  });
+
+  describe('sessionCache', () => {
+    it('should return MemoryStore when USE_REDIS is false', () => {
+      cacheConfig.USE_REDIS = false;
+      const namespace = 'sessions';
+      const ttl = 86400;
+
+      const result = sessionCache(namespace, ttl);
+
+      expect(mockMemoryStore).toHaveBeenCalledWith({ ttl, checkPeriod: Time.ONE_DAY });
+      expect(result).toBe(mockMemoryStore());
+    });
+
+    it('should return ConnectRedis when USE_REDIS is true', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'sessions';
+      const ttl = 86400;
+
+      const result = sessionCache(namespace, ttl);
+
+      expect(mockConnectRedis).toHaveBeenCalledWith({
+        client: mockIoredisClient,
+        ttl,
+        prefix: `${namespace}:`,
+      });
+      expect(result).toBe(mockConnectRedis());
+    });
+
+    it('should add colon to namespace if not present', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'sessions';
+
+      sessionCache(namespace);
+
+      expect(mockConnectRedis).toHaveBeenCalledWith({
+        client: mockIoredisClient,
+        ttl: undefined,
+        prefix: 'sessions:',
+      });
+    });
+
+    it('should not add colon to namespace if already present', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'sessions:';
+
+      sessionCache(namespace);
+
+      expect(mockConnectRedis).toHaveBeenCalledWith({
+        client: mockIoredisClient,
+        ttl: undefined,
+        prefix: 'sessions:',
+      });
+    });
+
+    it('should handle undefined ttl', () => {
+      cacheConfig.USE_REDIS = false;
+      const namespace = 'sessions';
+
+      sessionCache(namespace);
+
+      expect(mockMemoryStore).toHaveBeenCalledWith({
+        ttl: undefined,
+        checkPeriod: Time.ONE_DAY,
+      });
+    });
+  });
+
+  describe('limiterCache', () => {
+    it('should return undefined when USE_REDIS is false', () => {
+      cacheConfig.USE_REDIS = false;
+      const result = limiterCache('prefix');
+
+      expect(result).toBeUndefined();
+    });
+
+    it('should return RedisStore when USE_REDIS is true', () => {
+      cacheConfig.USE_REDIS = true;
+      const result = limiterCache('rate-limit');
+
+      expect(mockRedisStore).toHaveBeenCalledWith({
+        sendCommand: expect.any(Function),
+        prefix: `rate-limit:`,
+      });
+      expect(result).toBe(mockRedisStore());
+    });
+
+    it('should add colon to prefix if not present', () => {
+      cacheConfig.USE_REDIS = true;
+      limiterCache('rate-limit');
+
+      expect(mockRedisStore).toHaveBeenCalledWith({
+        sendCommand: expect.any(Function),
+        prefix: 'rate-limit:',
+      });
+    });
+
+    it('should not add colon to prefix if already present', () => {
+      cacheConfig.USE_REDIS = true;
+      limiterCache('rate-limit:');
+
+      expect(mockRedisStore).toHaveBeenCalledWith({
+        sendCommand: expect.any(Function),
+        prefix: 'rate-limit:',
+      });
+    });
+
+    it('should pass sendCommand function that calls ioredisClient.call', () => {
+      cacheConfig.USE_REDIS = true;
+      limiterCache('rate-limit');
+
+      const sendCommandCall = mockRedisStore.mock.calls[0][0];
+      const sendCommand = sendCommandCall.sendCommand;
+
+      // Test that sendCommand properly delegates to ioredisClient.call
+      const args = ['GET', 'test-key'];
+      sendCommand(...args);
+
+      expect(mockIoredisClient.call).toHaveBeenCalledWith(...args);
+    });
+
+    it('should handle undefined prefix', () => {
+      cacheConfig.USE_REDIS = true;
+      expect(() => limiterCache()).toThrow('prefix is required');
+    });
+  });
+});

api/cache/getLogStores.js

@@ -1,113 +1,52 @@
+const { cacheConfig } = require('./cacheConfig');
 const { Keyv } = require('keyv');
-const { isEnabled, math } = require('@librechat/api');
 const { CacheKeys, ViolationTypes, Time } = require('librechat-data-provider');
-const { logFile, violationFile } = require('./keyvFiles');
-const keyvRedis = require('./keyvRedis');
+const { logFile } = require('./keyvFiles');
 const keyvMongo = require('./keyvMongo');
-
-const { BAN_DURATION, USE_REDIS, DEBUG_MEMORY_CACHE, CI } = process.env ?? {};
-
-const duration = math(BAN_DURATION, 7200000);
-const isRedisEnabled = isEnabled(USE_REDIS);
-const debugMemoryCache = isEnabled(DEBUG_MEMORY_CACHE);
-
-const createViolationInstance = (namespace) => {
-  const config = isRedisEnabled ? { store: keyvRedis } : { store: violationFile, namespace };
-  return new Keyv(config);
-};
-
-// Serve cache from memory so no need to clear it on startup/exit
-const pending_req = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.PENDING_REQ });
-
-const config = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.CONFIG_STORE });
-
-const roles = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.ROLES });
-
-const mcpTools = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.MCP_TOOLS });
-
-const audioRuns = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.TEN_MINUTES })
-  : new Keyv({ namespace: CacheKeys.AUDIO_RUNS, ttl: Time.TEN_MINUTES });
-
-const messages = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.ONE_MINUTE })
-  : new Keyv({ namespace: CacheKeys.MESSAGES, ttl: Time.ONE_MINUTE });
-
-const flows = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.TWO_MINUTES })
-  : new Keyv({ namespace: CacheKeys.FLOWS, ttl: Time.ONE_MINUTE * 3 });
-
-const tokenConfig = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.THIRTY_MINUTES })
-  : new Keyv({ namespace: CacheKeys.TOKEN_CONFIG, ttl: Time.THIRTY_MINUTES });
-
-const genTitle = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.TWO_MINUTES })
-  : new Keyv({ namespace: CacheKeys.GEN_TITLE, ttl: Time.TWO_MINUTES });
-
-const s3ExpiryInterval = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.THIRTY_MINUTES })
-  : new Keyv({ namespace: CacheKeys.S3_EXPIRY_INTERVAL, ttl: Time.THIRTY_MINUTES });
-
-const modelQueries = isEnabled(process.env.USE_REDIS)
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.MODEL_QUERIES });
-
-const abortKeys = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.ABORT_KEYS, ttl: Time.TEN_MINUTES });
-
-const openIdExchangedTokensCache = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.TEN_MINUTES })
-  : new Keyv({ namespace: CacheKeys.OPENID_EXCHANGED_TOKENS, ttl: Time.TEN_MINUTES });
+const { standardCache, sessionCache, violationCache } = require('./cacheFactory');
 
 const namespaces = {
-  [CacheKeys.ROLES]: roles,
-  [CacheKeys.MCP_TOOLS]: mcpTools,
-  [CacheKeys.CONFIG_STORE]: config,
-  [CacheKeys.PENDING_REQ]: pending_req,
-  [ViolationTypes.BAN]: new Keyv({ store: keyvMongo, namespace: CacheKeys.BANS, ttl: duration }),
-  [CacheKeys.ENCODED_DOMAINS]: new Keyv({
+  [ViolationTypes.GENERAL]: new Keyv({ store: logFile, namespace: 'violations' }),
+  [ViolationTypes.LOGINS]: violationCache(ViolationTypes.LOGINS),
+  [ViolationTypes.CONCURRENT]: violationCache(ViolationTypes.CONCURRENT),
+  [ViolationTypes.NON_BROWSER]: violationCache(ViolationTypes.NON_BROWSER),
+  [ViolationTypes.MESSAGE_LIMIT]: violationCache(ViolationTypes.MESSAGE_LIMIT),
+  [ViolationTypes.REGISTRATIONS]: violationCache(ViolationTypes.REGISTRATIONS),
+  [ViolationTypes.TOKEN_BALANCE]: violationCache(ViolationTypes.TOKEN_BALANCE),
+  [ViolationTypes.TTS_LIMIT]: violationCache(ViolationTypes.TTS_LIMIT),
+  [ViolationTypes.STT_LIMIT]: violationCache(ViolationTypes.STT_LIMIT),
+  [ViolationTypes.CONVO_ACCESS]: violationCache(ViolationTypes.CONVO_ACCESS),
+  [ViolationTypes.TOOL_CALL_LIMIT]: violationCache(ViolationTypes.TOOL_CALL_LIMIT),
+  [ViolationTypes.FILE_UPLOAD_LIMIT]: violationCache(ViolationTypes.FILE_UPLOAD_LIMIT),
+  [ViolationTypes.VERIFY_EMAIL_LIMIT]: violationCache(ViolationTypes.VERIFY_EMAIL_LIMIT),
+  [ViolationTypes.RESET_PASSWORD_LIMIT]: violationCache(ViolationTypes.RESET_PASSWORD_LIMIT),
+  [ViolationTypes.ILLEGAL_MODEL_REQUEST]: violationCache(ViolationTypes.ILLEGAL_MODEL_REQUEST),
+  [ViolationTypes.BAN]: new Keyv({
     store: keyvMongo,
-    namespace: CacheKeys.ENCODED_DOMAINS,
-    ttl: 0,
+    namespace: CacheKeys.BANS,
+    ttl: cacheConfig.BAN_DURATION,
   }),
-  general: new Keyv({ store: logFile, namespace: 'violations' }),
-  concurrent: createViolationInstance('concurrent'),
-  non_browser: createViolationInstance('non_browser'),
-  message_limit: createViolationInstance('message_limit'),
-  token_balance: createViolationInstance(ViolationTypes.TOKEN_BALANCE),
-  registrations: createViolationInstance('registrations'),
-  [ViolationTypes.TTS_LIMIT]: createViolationInstance(ViolationTypes.TTS_LIMIT),
-  [ViolationTypes.STT_LIMIT]: createViolationInstance(ViolationTypes.STT_LIMIT),
-  [ViolationTypes.CONVO_ACCESS]: createViolationInstance(ViolationTypes.CONVO_ACCESS),
-  [ViolationTypes.TOOL_CALL_LIMIT]: createViolationInstance(ViolationTypes.TOOL_CALL_LIMIT),
-  [ViolationTypes.FILE_UPLOAD_LIMIT]: createViolationInstance(ViolationTypes.FILE_UPLOAD_LIMIT),
-  [ViolationTypes.VERIFY_EMAIL_LIMIT]: createViolationInstance(ViolationTypes.VERIFY_EMAIL_LIMIT),
-  [ViolationTypes.RESET_PASSWORD_LIMIT]: createViolationInstance(
-    ViolationTypes.RESET_PASSWORD_LIMIT,
+
+  [CacheKeys.OPENID_SESSION]: sessionCache(CacheKeys.OPENID_SESSION),
+  [CacheKeys.SAML_SESSION]: sessionCache(CacheKeys.SAML_SESSION),
+
+  [CacheKeys.ROLES]: standardCache(CacheKeys.ROLES),
+  [CacheKeys.MCP_TOOLS]: standardCache(CacheKeys.MCP_TOOLS),
+  [CacheKeys.CONFIG_STORE]: standardCache(CacheKeys.CONFIG_STORE),
+  [CacheKeys.PENDING_REQ]: standardCache(CacheKeys.PENDING_REQ),
+  [CacheKeys.ENCODED_DOMAINS]: new Keyv({ store: keyvMongo, namespace: CacheKeys.ENCODED_DOMAINS }),
+  [CacheKeys.ABORT_KEYS]: standardCache(CacheKeys.ABORT_KEYS, Time.TEN_MINUTES),
+  [CacheKeys.TOKEN_CONFIG]: standardCache(CacheKeys.TOKEN_CONFIG, Time.THIRTY_MINUTES),
+  [CacheKeys.GEN_TITLE]: standardCache(CacheKeys.GEN_TITLE, Time.TWO_MINUTES),
+  [CacheKeys.S3_EXPIRY_INTERVAL]: standardCache(CacheKeys.S3_EXPIRY_INTERVAL, Time.THIRTY_MINUTES),
+  [CacheKeys.MODEL_QUERIES]: standardCache(CacheKeys.MODEL_QUERIES),
+  [CacheKeys.AUDIO_RUNS]: standardCache(CacheKeys.AUDIO_RUNS, Time.TEN_MINUTES),
+  [CacheKeys.MESSAGES]: standardCache(CacheKeys.MESSAGES, Time.ONE_MINUTE),
+  [CacheKeys.FLOWS]: standardCache(CacheKeys.FLOWS, Time.ONE_MINUTE * 3),
+  [CacheKeys.OPENID_EXCHANGED_TOKENS]: standardCache(
+    CacheKeys.OPENID_EXCHANGED_TOKENS,
+    Time.TEN_MINUTES,
   ),
-  [ViolationTypes.ILLEGAL_MODEL_REQUEST]: createViolationInstance(
-    ViolationTypes.ILLEGAL_MODEL_REQUEST,
-  ),
-  logins: createViolationInstance('logins'),
-  [CacheKeys.ABORT_KEYS]: abortKeys,
-  [CacheKeys.TOKEN_CONFIG]: tokenConfig,
-  [CacheKeys.GEN_TITLE]: genTitle,
-  [CacheKeys.S3_EXPIRY_INTERVAL]: s3ExpiryInterval,
-  [CacheKeys.MODEL_QUERIES]: modelQueries,
-  [CacheKeys.AUDIO_RUNS]: audioRuns,
-  [CacheKeys.MESSAGES]: messages,
-  [CacheKeys.FLOWS]: flows,
-  [CacheKeys.OPENID_EXCHANGED_TOKENS]: openIdExchangedTokensCache,
 };
 
 /**
@@ -116,7 +55,10 @@ const namespaces = {
  */
 function getTTLStores() {
   return Object.values(namespaces).filter(
-    (store) => store instanceof Keyv && typeof store.opts?.ttl === 'number' && store.opts.ttl > 0,
+    (store) =>
+      store instanceof Keyv &&
+      parseInt(store.opts?.ttl ?? '0') > 0 &&
+      !store.opts?.store?.constructor?.name?.includes('Redis'), // Only include non-Redis stores
   );
 }
 
@@ -152,18 +94,18 @@ async function clearExpiredFromCache(cache) {
       if (data?.expires && data.expires <= expiryTime) {
         const deleted = await cache.opts.store.delete(key);
         if (!deleted) {
-          debugMemoryCache &&
+          cacheConfig.DEBUG_MEMORY_CACHE &&
             console.warn(`[Cache] Error deleting entry: ${key} from ${cache.opts.namespace}`);
           continue;
         }
         cleared++;
       }
     } catch (error) {
-      debugMemoryCache &&
+      cacheConfig.DEBUG_MEMORY_CACHE &&
         console.log(`[Cache] Error processing entry from ${cache.opts.namespace}:`, error);
       const deleted = await cache.opts.store.delete(key);
       if (!deleted) {
-        debugMemoryCache &&
+        cacheConfig.DEBUG_MEMORY_CACHE &&
           console.warn(`[Cache] Error deleting entry: ${key} from ${cache.opts.namespace}`);
         continue;
       }
@@ -172,7 +114,7 @@ async function clearExpiredFromCache(cache) {
   }
 
   if (cleared > 0) {
-    debugMemoryCache &&
+    cacheConfig.DEBUG_MEMORY_CACHE &&
       console.log(
         `[Cache] Cleared ${cleared} entries older than ${ttl}ms from ${cache.opts.namespace}`,
       );
@@ -213,7 +155,7 @@ async function clearAllExpiredFromCache() {
   }
 }
 
-if (!isRedisEnabled && !isEnabled(CI)) {
+if (!cacheConfig.USE_REDIS && !cacheConfig.CI) {
   /** @type {Set<NodeJS.Timeout>} */
   const cleanupIntervals = new Set();
 
@@ -224,7 +166,7 @@ if (!isRedisEnabled && !isEnabled(CI)) {
 
   cleanupIntervals.add(cleanup);
 
-  if (debugMemoryCache) {
+  if (cacheConfig.DEBUG_MEMORY_CACHE) {
     const monitor = setInterval(() => {
       const ttlStores = getTTLStores();
       const memory = process.memoryUsage();
@@ -245,13 +187,13 @@ if (!isRedisEnabled && !isEnabled(CI)) {
   }
 
   const dispose = () => {
-    debugMemoryCache && console.log('[Cache] Cleaning up and shutting down...');
+    cacheConfig.DEBUG_MEMORY_CACHE && console.log('[Cache] Cleaning up and shutting down...');
     cleanupIntervals.forEach((interval) => clearInterval(interval));
     cleanupIntervals.clear();
 
     // One final cleanup before exit
     clearAllExpiredFromCache().then(() => {
-      debugMemoryCache && console.log('[Cache] Final cleanup completed');
+      cacheConfig.DEBUG_MEMORY_CACHE && console.log('[Cache] Final cleanup completed');
       process.exit(0);
     });
   };

api/cache/ioredisClient.js

@@ -1,92 +0,0 @@
-const fs = require('fs');
-const Redis = require('ioredis');
-const { isEnabled } = require('~/server/utils');
-const logger = require('~/config/winston');
-
-const { REDIS_URI, USE_REDIS, USE_REDIS_CLUSTER, REDIS_CA, REDIS_MAX_LISTENERS } = process.env;
-
-/** @type {import('ioredis').Redis | import('ioredis').Cluster} */
-let ioredisClient;
-const redis_max_listeners = Number(REDIS_MAX_LISTENERS) || 40;
-
-function mapURI(uri) {
-  const regex =
-    /^(?:(?<scheme>\w+):\/\/)?(?:(?<user>[^:@]+)(?::(?<password>[^@]+))?@)?(?<host>[\w.-]+)(?::(?<port>\d{1,5}))?$/;
-  const match = uri.match(regex);
-
-  if (match) {
-    const { scheme, user, password, host, port } = match.groups;
-
-    return {
-      scheme: scheme || 'none',
-      user: user || null,
-      password: password || null,
-      host: host || null,
-      port: port || null,
-    };
-  } else {
-    const parts = uri.split(':');
-    if (parts.length === 2) {
-      return {
-        scheme: 'none',
-        user: null,
-        password: null,
-        host: parts[0],
-        port: parts[1],
-      };
-    }
-
-    return {
-      scheme: 'none',
-      user: null,
-      password: null,
-      host: uri,
-      port: null,
-    };
-  }
-}
-
-if (REDIS_URI && isEnabled(USE_REDIS)) {
-  let redisOptions = null;
-
-  if (REDIS_CA) {
-    const ca = fs.readFileSync(REDIS_CA);
-    redisOptions = { tls: { ca } };
-  }
-
-  if (isEnabled(USE_REDIS_CLUSTER)) {
-    const hosts = REDIS_URI.split(',').map((item) => {
-      var value = mapURI(item);
-
-      return {
-        host: value.host,
-        port: value.port,
-      };
-    });
-    ioredisClient = new Redis.Cluster(hosts, { redisOptions });
-  } else {
-    ioredisClient = new Redis(REDIS_URI, redisOptions);
-  }
-
-  ioredisClient.on('ready', () => {
-    logger.info('IoRedis connection ready');
-  });
-  ioredisClient.on('reconnecting', () => {
-    logger.info('IoRedis connection reconnecting');
-  });
-  ioredisClient.on('end', () => {
-    logger.info('IoRedis connection ended');
-  });
-  ioredisClient.on('close', () => {
-    logger.info('IoRedis connection closed');
-  });
-  ioredisClient.on('error', (err) => logger.error('IoRedis connection error:', err));
-  ioredisClient.setMaxListeners(redis_max_listeners);
-  logger.info(
-    '[Optional] IoRedis initialized for rate limiters. If you have issues, disable Redis or restart the server.',
-  );
-} else {
-  logger.info('[Optional] IoRedis not initialized for rate limiters.');
-}
-
-module.exports = ioredisClient;

api/cache/keyvRedis.js

@@ -1,109 +0,0 @@
-const fs = require('fs');
-const ioredis = require('ioredis');
-const KeyvRedis = require('@keyv/redis').default;
-const { isEnabled } = require('~/server/utils');
-const logger = require('~/config/winston');
-
-const { REDIS_URI, USE_REDIS, USE_REDIS_CLUSTER, REDIS_CA, REDIS_KEY_PREFIX, REDIS_MAX_LISTENERS } =
-  process.env;
-
-let keyvRedis;
-const redis_prefix = REDIS_KEY_PREFIX || '';
-const redis_max_listeners = Number(REDIS_MAX_LISTENERS) || 40;
-
-function mapURI(uri) {
-  const regex =
-    /^(?:(?<scheme>\w+):\/\/)?(?:(?<user>[^:@]+)(?::(?<password>[^@]+))?@)?(?<host>[\w.-]+)(?::(?<port>\d{1,5}))?$/;
-  const match = uri.match(regex);
-
-  if (match) {
-    const { scheme, user, password, host, port } = match.groups;
-
-    return {
-      scheme: scheme || 'none',
-      user: user || null,
-      password: password || null,
-      host: host || null,
-      port: port || null,
-    };
-  } else {
-    const parts = uri.split(':');
-    if (parts.length === 2) {
-      return {
-        scheme: 'none',
-        user: null,
-        password: null,
-        host: parts[0],
-        port: parts[1],
-      };
-    }
-
-    return {
-      scheme: 'none',
-      user: null,
-      password: null,
-      host: uri,
-      port: null,
-    };
-  }
-}
-
-if (REDIS_URI && isEnabled(USE_REDIS)) {
-  let redisOptions = null;
-  /** @type {import('@keyv/redis').KeyvRedisOptions} */
-  let keyvOpts = {
-    useRedisSets: false,
-    keyPrefix: redis_prefix,
-  };
-
-  if (REDIS_CA) {
-    const ca = fs.readFileSync(REDIS_CA);
-    redisOptions = { tls: { ca } };
-  }
-
-  if (isEnabled(USE_REDIS_CLUSTER)) {
-    const hosts = REDIS_URI.split(',').map((item) => {
-      var value = mapURI(item);
-
-      return {
-        host: value.host,
-        port: value.port,
-      };
-    });
-    const cluster = new ioredis.Cluster(hosts, { redisOptions });
-    keyvRedis = new KeyvRedis(cluster, keyvOpts);
-  } else {
-    keyvRedis = new KeyvRedis(REDIS_URI, keyvOpts);
-  }
-
-  const pingInterval = setInterval(
-    () => {
-      logger.debug('KeyvRedis ping');
-      keyvRedis.client.ping().catch((err) => logger.error('Redis keep-alive ping failed:', err));
-    },
-    5 * 60 * 1000,
-  );
-
-  keyvRedis.on('ready', () => {
-    logger.info('KeyvRedis connection ready');
-  });
-  keyvRedis.on('reconnecting', () => {
-    logger.info('KeyvRedis connection reconnecting');
-  });
-  keyvRedis.on('end', () => {
-    logger.info('KeyvRedis connection ended');
-  });
-  keyvRedis.on('close', () => {
-    clearInterval(pingInterval);
-    logger.info('KeyvRedis connection closed');
-  });
-  keyvRedis.on('error', (err) => logger.error('KeyvRedis connection error:', err));
-  keyvRedis.setMaxListeners(redis_max_listeners);
-  logger.info(
-    '[Optional] Redis initialized. If you have issues, or seeing older values, disable it or flush cache to refresh values.',
-  );
-} else {
-  logger.info('[Optional] Redis not initialized.');
-}
-
-module.exports = keyvRedis;

api/cache/logViolation.js

@@ -1,4 +1,5 @@
 const { isEnabled } = require('~/server/utils');
+const { ViolationTypes } = require('librechat-data-provider');
 const getLogStores = require('./getLogStores');
 const banViolation = require('./banViolation');
 
@@ -9,14 +10,14 @@ const banViolation = require('./banViolation');
  * @param {Object} res - Express response object.
  * @param {string} type - The type of violation.
  * @param {Object} errorMessage - The error message to log.
- * @param {number} [score=1] - The severity of the violation. Defaults to 1
+ * @param {number | string} [score=1] - The severity of the violation. Defaults to 1
  */
 const logViolation = async (req, res, type, errorMessage, score = 1) => {
   const userId = req.user?.id ?? req.user?._id;
   if (!userId) {
     return;
   }
-  const logs = getLogStores('general');
+  const logs = getLogStores(ViolationTypes.GENERAL);
   const violationLogs = getLogStores(type);
   const key = isEnabled(process.env.USE_REDIS) ? `${type}:${userId}` : userId;
 

api/cache/redisClients.js

@@ -0,0 +1,57 @@
+const IoRedis = require('ioredis');
+const { cacheConfig } = require('./cacheConfig');
+const { createClient, createCluster } = require('@keyv/redis');
+
+const GLOBAL_PREFIX_SEPARATOR = '::';
+
+const urls = cacheConfig.REDIS_URI?.split(',').map((uri) => new URL(uri));
+const username = urls?.[0].username || cacheConfig.REDIS_USERNAME;
+const password = urls?.[0].password || cacheConfig.REDIS_PASSWORD;
+const ca = cacheConfig.REDIS_CA;
+
+/** @type {import('ioredis').Redis | import('ioredis').Cluster | null} */
+let ioredisClient = null;
+if (cacheConfig.USE_REDIS) {
+  const redisOptions = {
+    username: username,
+    password: password,
+    tls: ca ? { ca } : undefined,
+    keyPrefix: `${cacheConfig.REDIS_KEY_PREFIX}${GLOBAL_PREFIX_SEPARATOR}`,
+    maxListeners: cacheConfig.REDIS_MAX_LISTENERS,
+  };
+
+  ioredisClient =
+    urls.length === 1
+      ? new IoRedis(cacheConfig.REDIS_URI, redisOptions)
+      : new IoRedis.Cluster(cacheConfig.REDIS_URI, { redisOptions });
+
+  // Pinging the Redis server every 5 minutes to keep the connection alive
+  const pingInterval = setInterval(() => ioredisClient.ping(), 5 * 60 * 1000);
+  ioredisClient.on('close', () => clearInterval(pingInterval));
+  ioredisClient.on('end', () => clearInterval(pingInterval));
+}
+
+/** @type {import('@keyv/redis').RedisClient | import('@keyv/redis').RedisCluster | null} */
+let keyvRedisClient = null;
+if (cacheConfig.USE_REDIS) {
+  // ** WARNING ** Keyv Redis client does not support Prefix like ioredis above.
+  // The prefix feature will be handled by the Keyv-Redis store in cacheFactory.js
+  const redisOptions = { username, password, socket: { tls: ca != null, ca } };
+
+  keyvRedisClient =
+    urls.length === 1
+      ? createClient({ url: cacheConfig.REDIS_URI, ...redisOptions })
+      : createCluster({
+          rootNodes: cacheConfig.REDIS_URI.split(',').map((url) => ({ url })),
+          defaults: redisOptions,
+        });
+
+  keyvRedisClient.setMaxListeners(cacheConfig.REDIS_MAX_LISTENERS);
+
+  // Pinging the Redis server every 5 minutes to keep the connection alive
+  const keyvPingInterval = setInterval(() => keyvRedisClient.ping(), 5 * 60 * 1000);
+  keyvRedisClient.on('disconnect', () => clearInterval(keyvPingInterval));
+  keyvRedisClient.on('end', () => clearInterval(keyvPingInterval));
+}
+
+module.exports = { ioredisClient, keyvRedisClient, GLOBAL_PREFIX_SEPARATOR };

api/jest.config.js

@@ -3,6 +3,7 @@ module.exports = {
   clearMocks: true,
   roots: ['<rootDir>'],
   coverageDirectory: 'coverage',
+  testTimeout: 30000, // 30 seconds timeout for all tests
   setupFiles: [
     './test/jestSetup.js',
     './test/__mocks__/logger.js',

api/models/Agent.js

@@ -4,7 +4,7 @@ const { logger } = require('@librechat/data-schemas');
 const { SystemRoles, Tools, actionDelimiter } = require('librechat-data-provider');
 const { GLOBAL_PROJECT_NAME, EPHEMERAL_AGENT_ID, mcp_delimiter } =
   require('librechat-data-provider').Constants;
-const { CONFIG_STORE, STARTUP_CONFIG } = require('librechat-data-provider').CacheKeys;
+// Default category value for new agents
 const {
   getProjectByName,
   addAgentIdsToProject,
@@ -12,7 +12,9 @@ const {
   removeAgentFromAllProjects,
 } = require('./Project');
 const { getCachedTools } = require('~/server/services/Config');
-const getLogStores = require('~/cache/getLogStores');
+
+// Category values are now imported from shared constants
+// Schema fields (category, support_contact, is_promoted) are defined in @librechat/data-schemas
 const { getActions } = require('./Action');
 const { Agent } = require('~/db/models');
 
@@ -23,7 +25,7 @@ const { Agent } = require('~/db/models');
  * @throws {Error} If the agent creation fails.
  */
 const createAgent = async (agentData) => {
-  const { author, ...versionData } = agentData;
+  const { author: _author, ...versionData } = agentData;
   const timestamp = new Date();
   const initialAgentData = {
     ...agentData,
@@ -34,7 +36,9 @@ const createAgent = async (agentData) => {
         updatedAt: timestamp,
       },
     ],
+    category: agentData.category || 'general',
   };
+
   return (await Agent.create(initialAgentData)).toObject();
 };
 
@@ -131,29 +135,7 @@ const loadAgent = async ({ req, agent_id, endpoint, model_parameters }) => {
   }
 
   agent.version = agent.versions ? agent.versions.length : 0;
-
-  if (agent.author.toString() === req.user.id) {
-    return agent;
-  }
-
-  if (!agent.projectIds) {
-    return null;
-  }
-
-  const cache = getLogStores(CONFIG_STORE);
-  /** @type {TStartupConfig} */
-  const cachedStartupConfig = await cache.get(STARTUP_CONFIG);
-  let { instanceProjectId } = cachedStartupConfig ?? {};
-  if (!instanceProjectId) {
-    instanceProjectId = (await getProjectByName(GLOBAL_PROJECT_NAME, '_id'))._id.toString();
-  }
-
-  for (const projectObjectId of agent.projectIds) {
-    const projectId = projectObjectId.toString();
-    if (projectId === instanceProjectId) {
-      return agent;
-    }
-  }
+  return agent;
 };
 
 /**
@@ -183,7 +165,7 @@ const isDuplicateVersion = (updateData, currentData, versions, actionsHash = nul
     'actionsHash', // Exclude actionsHash from direct comparison
   ];
 
-  const { $push, $pull, $addToSet, ...directUpdates } = updateData;
+  const { $push: _$push, $pull: _$pull, $addToSet: _$addToSet, ...directUpdates } = updateData;
 
   if (Object.keys(directUpdates).length === 0 && !actionsHash) {
     return null;
@@ -202,54 +184,116 @@ const isDuplicateVersion = (updateData, currentData, versions, actionsHash = nul
 
   let isMatch = true;
   for (const field of importantFields) {
-    if (!wouldBeVersion[field] && !lastVersion[field]) {
+    const wouldBeValue = wouldBeVersion[field];
+    const lastVersionValue = lastVersion[field];
+
+    // Skip if both are undefined/null
+    if (!wouldBeValue && !lastVersionValue) {
       continue;
     }
 
-    if (Array.isArray(wouldBeVersion[field]) && Array.isArray(lastVersion[field])) {
-      if (wouldBeVersion[field].length !== lastVersion[field].length) {
+    // Handle arrays
+    if (Array.isArray(wouldBeValue) || Array.isArray(lastVersionValue)) {
+      // Normalize: treat undefined/null as empty array for comparison
+      let wouldBeArr;
+      if (Array.isArray(wouldBeValue)) {
+        wouldBeArr = wouldBeValue;
+      } else if (wouldBeValue == null) {
+        wouldBeArr = [];
+      } else {
+        wouldBeArr = [wouldBeValue];
+      }
+
+      let lastVersionArr;
+      if (Array.isArray(lastVersionValue)) {
+        lastVersionArr = lastVersionValue;
+      } else if (lastVersionValue == null) {
+        lastVersionArr = [];
+      } else {
+        lastVersionArr = [lastVersionValue];
+      }
+
+      if (wouldBeArr.length !== lastVersionArr.length) {
         isMatch = false;
         break;
       }
 
       // Special handling for projectIds (MongoDB ObjectIds)
       if (field === 'projectIds') {
-        const wouldBeIds = wouldBeVersion[field].map((id) => id.toString()).sort();
-        const versionIds = lastVersion[field].map((id) => id.toString()).sort();
+        const wouldBeIds = wouldBeArr.map((id) => id.toString()).sort();
+        const versionIds = lastVersionArr.map((id) => id.toString()).sort();
 
         if (!wouldBeIds.every((id, i) => id === versionIds[i])) {
           isMatch = false;
           break;
         }
       }
-      // Handle arrays of objects like tool_kwargs
-      else if (typeof wouldBeVersion[field][0] === 'object' && wouldBeVersion[field][0] !== null) {
-        const sortedWouldBe = [...wouldBeVersion[field]].map((item) => JSON.stringify(item)).sort();
-        const sortedVersion = [...lastVersion[field]].map((item) => JSON.stringify(item)).sort();
+      // Handle arrays of objects
+      else if (
+        wouldBeArr.length > 0 &&
+        typeof wouldBeArr[0] === 'object' &&
+        wouldBeArr[0] !== null
+      ) {
+        const sortedWouldBe = [...wouldBeArr].map((item) => JSON.stringify(item)).sort();
+        const sortedVersion = [...lastVersionArr].map((item) => JSON.stringify(item)).sort();
 
         if (!sortedWouldBe.every((item, i) => item === sortedVersion[i])) {
           isMatch = false;
           break;
         }
       } else {
-        const sortedWouldBe = [...wouldBeVersion[field]].sort();
-        const sortedVersion = [...lastVersion[field]].sort();
+        const sortedWouldBe = [...wouldBeArr].sort();
+        const sortedVersion = [...lastVersionArr].sort();
 
         if (!sortedWouldBe.every((item, i) => item === sortedVersion[i])) {
           isMatch = false;
           break;
         }
       }
-    } else if (field === 'model_parameters') {
-      const wouldBeParams = wouldBeVersion[field] || {};
-      const lastVersionParams = lastVersion[field] || {};
-      if (JSON.stringify(wouldBeParams) !== JSON.stringify(lastVersionParams)) {
+    }
+    // Handle objects
+    else if (typeof wouldBeValue === 'object' && wouldBeValue !== null) {
+      const lastVersionObj =
+        typeof lastVersionValue === 'object' && lastVersionValue !== null ? lastVersionValue : {};
+
+      // For empty objects, normalize the comparison
+      const wouldBeKeys = Object.keys(wouldBeValue);
+      const lastVersionKeys = Object.keys(lastVersionObj);
+
+      // If both are empty objects, they're equal
+      if (wouldBeKeys.length === 0 && lastVersionKeys.length === 0) {
+        continue;
+      }
+
+      // Otherwise do a deep comparison
+      if (JSON.stringify(wouldBeValue) !== JSON.stringify(lastVersionObj)) {
+        isMatch = false;
+        break;
+      }
+    }
+    // Handle primitive values
+    else {
+      // For primitives, handle the case where one is undefined and the other is a default value
+      if (wouldBeValue !== lastVersionValue) {
+        // Special handling for boolean false vs undefined
+        if (
+          typeof wouldBeValue === 'boolean' &&
+          wouldBeValue === false &&
+          lastVersionValue === undefined
+        ) {
+          continue;
+        }
+        // Special handling for empty string vs undefined
+        if (
+          typeof wouldBeValue === 'string' &&
+          wouldBeValue === '' &&
+          lastVersionValue === undefined
+        ) {
+          continue;
+        }
         isMatch = false;
         break;
       }
-    } else if (wouldBeVersion[field] !== lastVersion[field]) {
-      isMatch = false;
-      break;
     }
   }
 
@@ -278,7 +322,14 @@ const updateAgent = async (searchParameter, updateData, options = {}) => {
 
   const currentAgent = await Agent.findOne(searchParameter);
   if (currentAgent) {
-    const { __v, _id, id, versions, author, ...versionData } = currentAgent.toObject();
+    const {
+      __v,
+      _id,
+      id: __id,
+      versions,
+      author: _author,
+      ...versionData
+    } = currentAgent.toObject();
     const { $push, $pull, $addToSet, ...directUpdates } = updateData;
 
     let actionsHash = null;
@@ -469,8 +520,113 @@ const deleteAgent = async (searchParameter) => {
   return agent;
 };
 
+/**
+ * Get agents by accessible IDs with optional cursor-based pagination.
+ * @param {Object} params - The parameters for getting accessible agents.
+ * @param {Array} [params.accessibleIds] - Array of agent ObjectIds the user has ACL access to.
+ * @param {Object} [params.otherParams] - Additional query parameters (including author filter).
+ * @param {number} [params.limit] - Number of agents to return (max 100). If not provided, returns all agents.
+ * @param {string} [params.after] - Cursor for pagination - get agents after this cursor. // base64 encoded JSON string with updatedAt and _id.
+ * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
+ */
+const getListAgentsByAccess = async ({
+  accessibleIds = [],
+  otherParams = {},
+  limit = null,
+  after = null,
+}) => {
+  const isPaginated = limit !== null && limit !== undefined;
+  const normalizedLimit = isPaginated ? Math.min(Math.max(1, parseInt(limit) || 20), 100) : null;
+
+  // Build base query combining ACL accessible agents with other filters
+  const baseQuery = { ...otherParams };
+
+  if (accessibleIds.length > 0) {
+    baseQuery._id = { $in: accessibleIds };
+  }
+
+  // Add cursor condition
+  if (after) {
+    try {
+      const cursor = JSON.parse(Buffer.from(after, 'base64').toString('utf8'));
+      const { updatedAt, _id } = cursor;
+
+      const cursorCondition = {
+        $or: [
+          { updatedAt: { $lt: new Date(updatedAt) } },
+          { updatedAt: new Date(updatedAt), _id: { $gt: new mongoose.Types.ObjectId(_id) } },
+        ],
+      };
+
+      // Merge cursor condition with base query
+      if (Object.keys(baseQuery).length > 0) {
+        baseQuery.$and = [{ ...baseQuery }, cursorCondition];
+        // Remove the original conditions from baseQuery to avoid duplication
+        Object.keys(baseQuery).forEach((key) => {
+          if (key !== '$and') delete baseQuery[key];
+        });
+      } else {
+        Object.assign(baseQuery, cursorCondition);
+      }
+    } catch (error) {
+      logger.warn('Invalid cursor:', error.message);
+    }
+  }
+
+  let query = Agent.find(baseQuery, {
+    id: 1,
+    _id: 1,
+    name: 1,
+    avatar: 1,
+    author: 1,
+    projectIds: 1,
+    description: 1,
+    updatedAt: 1,
+    category: 1,
+    support_contact: 1,
+    is_promoted: 1,
+  }).sort({ updatedAt: -1, _id: 1 });
+
+  // Only apply limit if pagination is requested
+  if (isPaginated) {
+    query = query.limit(normalizedLimit + 1);
+  }
+
+  const agents = await query.lean();
+
+  const hasMore = isPaginated ? agents.length > normalizedLimit : false;
+  const data = (isPaginated ? agents.slice(0, normalizedLimit) : agents).map((agent) => {
+    if (agent.author) {
+      agent.author = agent.author.toString();
+    }
+    return agent;
+  });
+
+  // Generate next cursor only if paginated
+  let nextCursor = null;
+  if (isPaginated && hasMore && data.length > 0) {
+    const lastAgent = agents[normalizedLimit - 1];
+    nextCursor = Buffer.from(
+      JSON.stringify({
+        updatedAt: lastAgent.updatedAt.toISOString(),
+        _id: lastAgent._id.toString(),
+      }),
+    ).toString('base64');
+  }
+
+  return {
+    object: 'list',
+    data,
+    first_id: data.length > 0 ? data[0].id : null,
+    last_id: data.length > 0 ? data[data.length - 1].id : null,
+    has_more: hasMore,
+    after: nextCursor,
+  };
+};
+
 /**
  * Get all agents.
+ * @deprecated Use getListAgentsByAccess for ACL-aware agent listing
  * @param {Object} searchParameter - The search parameters to find matching agents.
  * @param {string} searchParameter.author - The user ID of the agent's author.
  * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
@@ -489,13 +645,15 @@ const getListAgents = async (searchParameter) => {
   const agents = (
     await Agent.find(query, {
       id: 1,
-      _id: 0,
+      _id: 1,
       name: 1,
       avatar: 1,
       author: 1,
       projectIds: 1,
       description: 1,
+      // @deprecated - isCollaborative replaced by ACL permissions
       isCollaborative: 1,
+      category: 1,
     }).lean()
   ).map((agent) => {
     if (agent.author?.toString() !== author) {
@@ -661,6 +819,14 @@ const generateActionMetadataHash = async (actionIds, actions) => {
 
   return hashHex;
 };
+/**
+ * Counts the number of promoted agents.
+ * @returns  {Promise<number>} - The count of promoted agents
+ */
+const countPromotedAgents = async () => {
+  const count = await Agent.countDocuments({ is_promoted: true });
+  return count;
+};
 
 /**
  * Load a default agent based on the endpoint
@@ -678,6 +844,8 @@ module.exports = {
   revertAgentVersion,
   updateAgentProjects,
   addAgentResourceFile,
+  getListAgentsByAccess,
   removeAgentResourceFiles,
   generateActionMetadataHash,
+  countPromotedAgents,
 };

api/models/Agent.spec.js

@@ -1258,6 +1258,328 @@ describe('models/Agent', () => {
       expect(secondUpdate.versions).toHaveLength(3);
     });
 
+    test('should detect changes in support_contact fields', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with initial support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Agent with Support Contact',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Initial Support',
+          email: 'initial@support.com',
+        },
+      });
+
+      // Update support_contact name only
+      const firstUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Updated Support',
+            email: 'initial@support.com',
+          },
+        },
+      );
+
+      expect(firstUpdate.versions).toHaveLength(2);
+      expect(firstUpdate.support_contact.name).toBe('Updated Support');
+      expect(firstUpdate.support_contact.email).toBe('initial@support.com');
+
+      // Update support_contact email only
+      const secondUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Updated Support',
+            email: 'updated@support.com',
+          },
+        },
+      );
+
+      expect(secondUpdate.versions).toHaveLength(3);
+      expect(secondUpdate.support_contact.email).toBe('updated@support.com');
+
+      // Try to update with same support_contact - should be detected as duplicate
+      await expect(
+        updateAgent(
+          { id: agentId },
+          {
+            support_contact: {
+              name: 'Updated Support',
+              email: 'updated@support.com',
+            },
+          },
+        ),
+      ).rejects.toThrow('Duplicate version');
+    });
+
+    test('should handle support_contact from empty to populated', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent without support_contact
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Agent without Support',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+      });
+
+      // Verify support_contact is undefined since it wasn't provided
+      expect(agent.support_contact).toBeUndefined();
+
+      // Update to add support_contact
+      const updated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'New Support Team',
+            email: 'support@example.com',
+          },
+        },
+      );
+
+      expect(updated.versions).toHaveLength(2);
+      expect(updated.support_contact.name).toBe('New Support Team');
+      expect(updated.support_contact.email).toBe('support@example.com');
+    });
+
+    test('should handle support_contact edge cases in isDuplicateVersion', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Edge Case Agent',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Support',
+          email: 'support@test.com',
+        },
+      });
+
+      // Update to empty support_contact
+      const emptyUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {},
+        },
+      );
+
+      expect(emptyUpdate.versions).toHaveLength(2);
+      expect(emptyUpdate.support_contact).toEqual({});
+
+      // Update back to populated support_contact
+      const repopulated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Support',
+            email: 'support@test.com',
+          },
+        },
+      );
+
+      expect(repopulated.versions).toHaveLength(3);
+
+      // Verify all versions have correct support_contact
+      const finalAgent = await getAgent({ id: agentId });
+      expect(finalAgent.versions[0].support_contact).toEqual({
+        name: 'Support',
+        email: 'support@test.com',
+      });
+      expect(finalAgent.versions[1].support_contact).toEqual({});
+      expect(finalAgent.versions[2].support_contact).toEqual({
+        name: 'Support',
+        email: 'support@test.com',
+      });
+    });
+
+    test('should preserve support_contact in version history', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent
+      await createAgent({
+        id: agentId,
+        name: 'Version History Test',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Initial Contact',
+          email: 'initial@test.com',
+        },
+      });
+
+      // Multiple updates with different support_contact values
+      await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Second Contact',
+            email: 'second@test.com',
+          },
+        },
+      );
+
+      await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Third Contact',
+            email: 'third@test.com',
+          },
+        },
+      );
+
+      const finalAgent = await getAgent({ id: agentId });
+
+      // Verify version history
+      expect(finalAgent.versions).toHaveLength(3);
+      expect(finalAgent.versions[0].support_contact).toEqual({
+        name: 'Initial Contact',
+        email: 'initial@test.com',
+      });
+      expect(finalAgent.versions[1].support_contact).toEqual({
+        name: 'Second Contact',
+        email: 'second@test.com',
+      });
+      expect(finalAgent.versions[2].support_contact).toEqual({
+        name: 'Third Contact',
+        email: 'third@test.com',
+      });
+
+      // Current state should match last version
+      expect(finalAgent.support_contact).toEqual({
+        name: 'Third Contact',
+        email: 'third@test.com',
+      });
+    });
+
+    test('should handle partial support_contact updates', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with full support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Partial Update Test',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Original Name',
+          email: 'original@email.com',
+        },
+      });
+
+      // MongoDB's findOneAndUpdate will replace the entire support_contact object
+      // So we need to verify that partial updates still work correctly
+      const updated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'New Name',
+            email: '', // Empty email
+          },
+        },
+      );
+
+      expect(updated.versions).toHaveLength(2);
+      expect(updated.support_contact.name).toBe('New Name');
+      expect(updated.support_contact.email).toBe('');
+
+      // Verify isDuplicateVersion works with partial changes
+      await expect(
+        updateAgent(
+          { id: agentId },
+          {
+            support_contact: {
+              name: 'New Name',
+              email: '',
+            },
+          },
+        ),
+      ).rejects.toThrow('Duplicate version');
+    });
+
+    // Edge Cases
+    describe.each([
+      {
+        operation: 'add',
+        name: 'empty file_id',
+        needsAgent: true,
+        params: { tool_resource: 'file_search', file_id: '' },
+        shouldResolve: true,
+      },
+      {
+        operation: 'add',
+        name: 'non-existent agent',
+        needsAgent: false,
+        params: { tool_resource: 'file_search', file_id: 'file123' },
+        shouldResolve: false,
+        error: 'Agent not found for adding resource file',
+      },
+    ])('addAgentResourceFile with $name', ({ needsAgent, params, shouldResolve, error }) => {
+      test(`should ${shouldResolve ? 'resolve' : 'reject'}`, async () => {
+        const agent = needsAgent ? await createBasicAgent() : null;
+        const agent_id = needsAgent ? agent.id : `agent_${uuidv4()}`;
+
+        if (shouldResolve) {
+          await expect(addAgentResourceFile({ agent_id, ...params })).resolves.toBeDefined();
+        } else {
+          await expect(addAgentResourceFile({ agent_id, ...params })).rejects.toThrow(error);
+        }
+      });
+    });
+
+    describe.each([
+      {
+        name: 'empty files array',
+        files: [],
+        needsAgent: true,
+        shouldResolve: true,
+      },
+      {
+        name: 'non-existent tool_resource',
+        files: [{ tool_resource: 'non_existent_tool', file_id: 'file123' }],
+        needsAgent: true,
+        shouldResolve: true,
+      },
+      {
+        name: 'non-existent agent',
+        files: [{ tool_resource: 'file_search', file_id: 'file123' }],
+        needsAgent: false,
+        shouldResolve: false,
+        error: 'Agent not found for removing resource files',
+      },
+    ])('removeAgentResourceFiles with $name', ({ files, needsAgent, shouldResolve, error }) => {
+      test(`should ${shouldResolve ? 'resolve' : 'reject'}`, async () => {
+        const agent = needsAgent ? await createBasicAgent() : null;
+        const agent_id = needsAgent ? agent.id : `agent_${uuidv4()}`;
+
+        if (shouldResolve) {
+          const result = await removeAgentResourceFiles({ agent_id, files });
+          expect(result).toBeDefined();
+          if (agent) {
+            expect(result.id).toBe(agent.id);
+          }
+        } else {
+          await expect(removeAgentResourceFiles({ agent_id, files })).rejects.toThrow(error);
+        }
+      });
+    });
+
     describe('Edge Cases', () => {
       test('should handle extremely large version history', async () => {
         const agentId = `agent_${uuidv4()}`;
@@ -1633,7 +1955,7 @@ describe('models/Agent', () => {
       expect(result.version).toBe(1);
     });
 
-    test('should return null when user is not author and agent has no projectIds', async () => {
+    test('should return agent even when user is not author (permissions checked at route level)', async () => {
       const authorId = new mongoose.Types.ObjectId();
       const userId = new mongoose.Types.ObjectId();
       const agentId = `agent_${uuidv4()}`;
@@ -1654,7 +1976,11 @@ describe('models/Agent', () => {
         model_parameters: { model: 'gpt-4' },
       });
 
-      expect(result).toBeFalsy();
+      // With the new permission system, loadAgent returns the agent regardless of permissions
+      // Permission checks are handled at the route level via middleware
+      expect(result).toBeTruthy();
+      expect(result.id).toBe(agentId);
+      expect(result.name).toBe('Test Agent');
     });
 
     test('should handle ephemeral agent with no MCP servers', async () => {
@@ -1762,7 +2088,7 @@ describe('models/Agent', () => {
         }
       });
 
-      test('should handle loadAgent with agent from different project', async () => {
+      test('should return agent from different project (permissions checked at route level)', async () => {
         const authorId = new mongoose.Types.ObjectId();
         const userId = new mongoose.Types.ObjectId();
         const agentId = `agent_${uuidv4()}`;
@@ -1785,7 +2111,11 @@ describe('models/Agent', () => {
           model_parameters: { model: 'gpt-4' },
         });
 
-        expect(result).toBeFalsy();
+        // With the new permission system, loadAgent returns the agent regardless of permissions
+        // Permission checks are handled at the route level via middleware
+        expect(result).toBeTruthy();
+        expect(result.id).toBe(agentId);
+        expect(result.name).toBe('Project Agent');
       });
     });
   });
@@ -2570,6 +2900,93 @@ describe('models/Agent', () => {
   });
 });
 
+describe('Support Contact Field', () => {
+  let mongoServer;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
+    await mongoose.connect(mongoUri);
+  }, 20000);
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await Agent.deleteMany({});
+  });
+
+  it('should not create subdocument with ObjectId for support_contact', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+      support_contact: {
+        name: 'Support Team',
+        email: 'support@example.com',
+      },
+    };
+
+    // Create agent
+    const agent = await createAgent(agentData);
+
+    // Verify support_contact is stored correctly
+    expect(agent.support_contact).toBeDefined();
+    expect(agent.support_contact.name).toBe('Support Team');
+    expect(agent.support_contact.email).toBe('support@example.com');
+
+    // Verify no _id field is created in support_contact
+    expect(agent.support_contact._id).toBeUndefined();
+
+    // Fetch from database to double-check
+    const dbAgent = await Agent.findOne({ id: agentData.id });
+    expect(dbAgent.support_contact).toBeDefined();
+    expect(dbAgent.support_contact.name).toBe('Support Team');
+    expect(dbAgent.support_contact.email).toBe('support@example.com');
+    expect(dbAgent.support_contact._id).toBeUndefined();
+  });
+
+  it('should handle empty support_contact correctly', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_empty_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+      support_contact: {},
+    };
+
+    const agent = await createAgent(agentData);
+
+    // Verify empty support_contact is stored as empty object
+    expect(agent.support_contact).toEqual({});
+    expect(agent.support_contact._id).toBeUndefined();
+  });
+
+  it('should handle missing support_contact correctly', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_no_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+    };
+
+    const agent = await createAgent(agentData);
+
+    // Verify support_contact is undefined when not provided
+    expect(agent.support_contact).toBeUndefined();
+  });
+});
+
 function createBasicAgent(overrides = {}) {
   const defaults = {
     id: `agent_${uuidv4()}`,

api/models/Conversation.js

@@ -1,6 +1,6 @@
 const { logger } = require('@librechat/data-schemas');
 const { createTempChatExpirationDate } = require('@librechat/api');
-const getCustomConfig = require('~/server/services/Config/loadCustomConfig');
+const getCustomConfig = require('~/server/services/Config/getCustomConfig');
 const { getMessages, deleteMessages } = require('./Message');
 const { Conversation } = require('~/db/models');
 

api/models/File.spec.js

@@ -0,0 +1,375 @@
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { createModels } = require('@librechat/data-schemas');
+const { getFiles, createFile } = require('./File');
+const { createAgent } = require('./Agent');
+const { grantPermission } = require('~/server/services/PermissionService');
+const { seedDefaultRoles } = require('~/models');
+
+let File;
+let Agent;
+let AclEntry;
+let User;
+let AccessRole;
+let modelsToCleanup = [];
+
+describe('File Access Control', () => {
+  let mongoServer;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+
+    // Initialize all models
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    const dbModels = require('~/db/models');
+    Object.assign(mongoose.models, dbModels);
+
+    File = dbModels.File;
+    Agent = dbModels.Agent;
+    AclEntry = dbModels.AclEntry;
+    User = dbModels.User;
+    AccessRole = dbModels.AccessRole;
+
+    // Seed default roles
+    await seedDefaultRoles();
+  });
+
+  afterAll(async () => {
+    // Clean up all collections before disconnecting
+    const collections = mongoose.connection.collections;
+    for (const key in collections) {
+      await collections[key].deleteMany({});
+    }
+
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await File.deleteMany({});
+    await Agent.deleteMany({});
+    await AclEntry.deleteMany({});
+    await User.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
+  });
+
+  describe('hasAccessToFilesViaAgent', () => {
+    it('should efficiently check access for multiple files at once', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileIds = [uuidv4(), uuidv4(), uuidv4(), uuidv4()];
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create files
+      for (const fileId of fileIds) {
+        await createFile({
+          user: authorId,
+          file_id: fileId,
+          filename: `file-${fileId}.txt`,
+          filepath: `/uploads/${fileId}`,
+        });
+      }
+
+      // Create agent with only first two files attached
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: [fileIds[0], fileIds[1]],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      // Check access for all files
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent(userId.toString(), fileIds, agentId);
+
+      // Should have access only to the first two files
+      expect(accessMap.get(fileIds[0])).toBe(true);
+      expect(accessMap.get(fileIds[1])).toBe(true);
+      expect(accessMap.get(fileIds[2])).toBe(false);
+      expect(accessMap.get(fileIds[3])).toBe(false);
+    });
+
+    it('should grant access to all files when user is the agent author', async () => {
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileIds = [uuidv4(), uuidv4(), uuidv4()];
+
+      // Create author user
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: [fileIds[0]], // Only one file attached
+          },
+        },
+      });
+
+      // Check access as the author
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent(authorId.toString(), fileIds, agentId);
+
+      // Author should have access to all files
+      expect(accessMap.get(fileIds[0])).toBe(true);
+      expect(accessMap.get(fileIds[1])).toBe(true);
+      expect(accessMap.get(fileIds[2])).toBe(true);
+    });
+
+    it('should handle non-existent agent gracefully', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const fileIds = [uuidv4(), uuidv4()];
+
+      // Create user
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent(
+        userId.toString(),
+        fileIds,
+        'non-existent-agent',
+      );
+
+      // Should have no access to any files
+      expect(accessMap.get(fileIds[0])).toBe(false);
+      expect(accessMap.get(fileIds[1])).toBe(false);
+    });
+
+    it('should deny access when user only has VIEW permission', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileIds = [uuidv4(), uuidv4()];
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create agent with files
+      const agent = await createAgent({
+        id: agentId,
+        name: 'View-Only Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: fileIds,
+          },
+        },
+      });
+
+      // Grant only VIEW permission to user on the agent
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_viewer',
+        grantedBy: authorId,
+      });
+
+      // Check access for files
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent(userId.toString(), fileIds, agentId);
+
+      // Should have no access to any files when only VIEW permission
+      expect(accessMap.get(fileIds[0])).toBe(false);
+      expect(accessMap.get(fileIds[1])).toBe(false);
+    });
+  });
+
+  describe('getFiles with agent access control', () => {
+    test('should return files owned by user and files accessible through agent', async () => {
+      const authorId = new mongoose.Types.ObjectId();
+      const userId = new mongoose.Types.ObjectId();
+      const agentId = `agent_${uuidv4()}`;
+      const ownedFileId = `file_${uuidv4()}`;
+      const sharedFileId = `file_${uuidv4()}`;
+      const inaccessibleFileId = `file_${uuidv4()}`;
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create agent with shared file
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Shared Agent',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [sharedFileId],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      // Create files
+      await createFile({
+        file_id: ownedFileId,
+        user: userId,
+        filename: 'owned.txt',
+        filepath: '/uploads/owned.txt',
+        type: 'text/plain',
+        bytes: 100,
+      });
+
+      await createFile({
+        file_id: sharedFileId,
+        user: authorId,
+        filename: 'shared.txt',
+        filepath: '/uploads/shared.txt',
+        type: 'text/plain',
+        bytes: 200,
+        embedded: true,
+      });
+
+      await createFile({
+        file_id: inaccessibleFileId,
+        user: authorId,
+        filename: 'inaccessible.txt',
+        filepath: '/uploads/inaccessible.txt',
+        type: 'text/plain',
+        bytes: 300,
+      });
+
+      // Get all files first
+      const allFiles = await getFiles(
+        { file_id: { $in: [ownedFileId, sharedFileId, inaccessibleFileId] } },
+        null,
+        { text: 0 },
+      );
+
+      // Then filter by access control
+      const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
+      const files = await filterFilesByAgentAccess(allFiles, userId.toString(), agentId);
+
+      expect(files).toHaveLength(2);
+      expect(files.map((f) => f.file_id)).toContain(ownedFileId);
+      expect(files.map((f) => f.file_id)).toContain(sharedFileId);
+      expect(files.map((f) => f.file_id)).not.toContain(inaccessibleFileId);
+    });
+
+    test('should return all files when no userId/agentId provided', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const fileId1 = `file_${uuidv4()}`;
+      const fileId2 = `file_${uuidv4()}`;
+
+      await createFile({
+        file_id: fileId1,
+        user: userId,
+        filename: 'file1.txt',
+        filepath: '/uploads/file1.txt',
+        type: 'text/plain',
+        bytes: 100,
+      });
+
+      await createFile({
+        file_id: fileId2,
+        user: new mongoose.Types.ObjectId(),
+        filename: 'file2.txt',
+        filepath: '/uploads/file2.txt',
+        type: 'text/plain',
+        bytes: 200,
+      });
+
+      const files = await getFiles({ file_id: { $in: [fileId1, fileId2] } });
+      expect(files).toHaveLength(2);
+    });
+  });
+});

api/models/Message.js

@@ -1,7 +1,7 @@
 const { z } = require('zod');
 const { logger } = require('@librechat/data-schemas');
 const { createTempChatExpirationDate } = require('@librechat/api');
-const getCustomConfig = require('~/server/services/Config/loadCustomConfig');
+const getCustomConfig = require('~/server/services/Config/getCustomConfig');
 const { Message } = require('~/db/models');
 
 const idSchema = z.string().uuid();

api/models/Role.js

@@ -2,7 +2,6 @@ const {
   CacheKeys,
   SystemRoles,
   roleDefaults,
-  PermissionTypes,
   permissionsSchema,
   removeNullishValues,
 } = require('librechat-data-provider');

api/models/tx.js

@@ -135,10 +135,11 @@ const tokenValues = Object.assign(
     'grok-2-1212': { prompt: 2.0, completion: 10.0 },
     'grok-2-latest': { prompt: 2.0, completion: 10.0 },
     'grok-2': { prompt: 2.0, completion: 10.0 },
-    'grok-3-mini-fast': { prompt: 0.4, completion: 4 },
+    'grok-3-mini-fast': { prompt: 0.6, completion: 4 },
     'grok-3-mini': { prompt: 0.3, completion: 0.5 },
     'grok-3-fast': { prompt: 5.0, completion: 25.0 },
     'grok-3': { prompt: 3.0, completion: 15.0 },
+    'grok-4': { prompt: 3.0, completion: 15.0 },
     'grok-beta': { prompt: 5.0, completion: 15.0 },
     'mistral-large': { prompt: 2.0, completion: 6.0 },
     'pixtral-large': { prompt: 2.0, completion: 6.0 },

api/models/tx.spec.js

@@ -636,6 +636,15 @@ describe('Grok Model Tests - Pricing', () => {
       );
     });
 
+    test('should return correct prompt and completion rates for Grok 4 model', () => {
+      expect(getMultiplier({ model: 'grok-4-0709', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4'].prompt,
+      );
+      expect(getMultiplier({ model: 'grok-4-0709', tokenType: 'completion' })).toBe(
+        tokenValues['grok-4'].completion,
+      );
+    });
+
     test('should return correct prompt and completion rates for Grok 3 models with prefixes', () => {
       expect(getMultiplier({ model: 'xai/grok-3', tokenType: 'prompt' })).toBe(
         tokenValues['grok-3'].prompt,
@@ -662,6 +671,15 @@ describe('Grok Model Tests - Pricing', () => {
         tokenValues['grok-3-mini-fast'].completion,
       );
     });
+
+    test('should return correct prompt and completion rates for Grok 4 model with prefixes', () => {
+      expect(getMultiplier({ model: 'xai/grok-4-0709', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4'].prompt,
+      );
+      expect(getMultiplier({ model: 'xai/grok-4-0709', tokenType: 'completion' })).toBe(
+        tokenValues['grok-4'].completion,
+      );
+    });
   });
 });
 

api/package.json

@@ -44,19 +44,21 @@
     "@googleapis/youtube": "^20.0.0",
     "@keyv/redis": "^4.3.3",
     "@langchain/community": "^0.3.47",
-    "@langchain/core": "^0.3.60",
+    "@langchain/core": "^0.3.62",
     "@langchain/google-genai": "^0.2.13",
     "@langchain/google-vertexai": "^0.2.13",
+    "@langchain/openai": "^0.5.18",
     "@langchain/textsplitters": "^0.1.0",
-    "@librechat/agents": "^2.4.56",
+    "@librechat/agents": "^2.4.63",
     "@librechat/api": "*",
     "@librechat/data-schemas": "*",
     "@node-saml/passport-saml": "^5.0.0",
+    "@microsoft/microsoft-graph-client": "^3.0.7",
     "@waylaidwanderer/fetch-event-source": "^3.0.1",
     "axios": "^1.8.2",
     "bcryptjs": "^2.4.3",
-    "compression": "^1.7.4",
-    "connect-redis": "^7.1.0",
+    "compression": "^1.8.1",
+    "connect-redis": "^8.1.0",
     "cookie": "^0.7.2",
     "cookie-parser": "^1.4.7",
     "cors": "^2.8.5",
@@ -66,7 +68,7 @@
     "express": "^4.21.2",
     "express-mongo-sanitize": "^2.2.0",
     "express-rate-limit": "^7.4.1",
-    "express-session": "^1.18.1",
+    "express-session": "^1.18.2",
     "express-static-gzip": "^2.2.0",
     "file-type": "^18.7.0",
     "firebase": "^11.0.2",
@@ -87,7 +89,7 @@
     "mime": "^3.0.0",
     "module-alias": "^2.2.3",
     "mongoose": "^8.12.1",
-    "multer": "^2.0.1",
+    "multer": "^2.0.2",
     "nanoid": "^3.3.7",
     "node-fetch": "^2.7.0",
     "nodemailer": "^6.9.15",

api/server/controllers/PermissionsController.js

@@ -0,0 +1,437 @@
+/**
+ * @import { TUpdateResourcePermissionsRequest, TUpdateResourcePermissionsResponse } from 'librechat-data-provider'
+ */
+
+const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
+const {
+  getAvailableRoles,
+  ensurePrincipalExists,
+  getEffectivePermissions,
+  ensureGroupPrincipalExists,
+  bulkUpdateResourcePermissions,
+} = require('~/server/services/PermissionService');
+const { AclEntry } = require('~/db/models');
+const {
+  searchPrincipals: searchLocalPrincipals,
+  sortPrincipalsByRelevance,
+  calculateRelevanceScore,
+} = require('~/models');
+const {
+  searchEntraIdPrincipals,
+  entraIdPrincipalFeatureEnabled,
+} = require('~/server/services/GraphApiService');
+
+/**
+ * Generic controller for resource permission endpoints
+ * Delegates validation and logic to PermissionService
+ */
+
+/**
+ * Bulk update permissions for a resource (grant, update, remove)
+ * @route PUT /api/{resourceType}/{resourceId}/permissions
+ * @param {Object} req - Express request object
+ * @param {Object} req.params - Route parameters
+ * @param {string} req.params.resourceType - Resource type (e.g., 'agent')
+ * @param {string} req.params.resourceId - Resource ID
+ * @param {TUpdateResourcePermissionsRequest} req.body - Request body
+ * @param {Object} res - Express response object
+ * @returns {Promise<TUpdateResourcePermissionsResponse>} Updated permissions response
+ */
+const updateResourcePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    /** @type {TUpdateResourcePermissionsRequest} */
+    const { updated, removed, public: isPublic, publicAccessRoleId } = req.body;
+    const { id: userId } = req.user;
+
+    // Prepare principals for the service call
+    const updatedPrincipals = [];
+    const revokedPrincipals = [];
+
+    // Add updated principals
+    if (updated && Array.isArray(updated)) {
+      updatedPrincipals.push(...updated);
+    }
+
+    // Add public permission if enabled
+    if (isPublic && publicAccessRoleId) {
+      updatedPrincipals.push({
+        type: 'public',
+        id: null,
+        accessRoleId: publicAccessRoleId,
+      });
+    }
+
+    // Prepare authentication context for enhanced group member fetching
+    const useEntraId = entraIdPrincipalFeatureEnabled(req.user);
+    const authHeader = req.headers.authorization;
+    const accessToken =
+      authHeader && authHeader.startsWith('Bearer ') ? authHeader.substring(7) : null;
+    const authContext =
+      useEntraId && accessToken
+        ? {
+            accessToken,
+            sub: req.user.openidId,
+          }
+        : null;
+
+    // Ensure updated principals exist in the database before processing permissions
+    const validatedPrincipals = [];
+    for (const principal of updatedPrincipals) {
+      try {
+        let principalId;
+
+        if (principal.type === 'public') {
+          principalId = null; // Public principals don't need database records
+        } else if (principal.type === 'user') {
+          principalId = await ensurePrincipalExists(principal);
+        } else if (principal.type === 'group') {
+          // Pass authContext to enable member fetching for Entra ID groups when available
+          principalId = await ensureGroupPrincipalExists(principal, authContext);
+        } else {
+          logger.error(`Unsupported principal type: ${principal.type}`);
+          continue; // Skip invalid principal types
+        }
+
+        // Update the principal with the validated ID for ACL operations
+        validatedPrincipals.push({
+          ...principal,
+          id: principalId,
+        });
+      } catch (error) {
+        logger.error('Error ensuring principal exists:', {
+          principal: {
+            type: principal.type,
+            id: principal.id,
+            name: principal.name,
+            source: principal.source,
+          },
+          error: error.message,
+        });
+        // Continue with other principals instead of failing the entire operation
+        continue;
+      }
+    }
+
+    // Add removed principals
+    if (removed && Array.isArray(removed)) {
+      revokedPrincipals.push(...removed);
+    }
+
+    // If public is disabled, add public to revoked list
+    if (!isPublic) {
+      revokedPrincipals.push({
+        type: 'public',
+        id: null,
+      });
+    }
+
+    const results = await bulkUpdateResourcePermissions({
+      resourceType,
+      resourceId,
+      updatedPrincipals: validatedPrincipals,
+      revokedPrincipals,
+      grantedBy: userId,
+    });
+
+    /** @type {TUpdateResourcePermissionsResponse} */
+    const response = {
+      message: 'Permissions updated successfully',
+      results: {
+        principals: results.granted,
+        public: isPublic || false,
+        publicAccessRoleId: isPublic ? publicAccessRoleId : undefined,
+      },
+    };
+
+    res.status(200).json(response);
+  } catch (error) {
+    logger.error('Error updating resource permissions:', error);
+    res.status(400).json({
+      error: 'Failed to update permissions',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get principals with their permission roles for a resource (UI-friendly format)
+ * Uses efficient aggregation pipeline to join User/Group data in single query
+ * @route GET /api/permissions/{resourceType}/{resourceId}
+ */
+const getResourcePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+
+    // Use aggregation pipeline for efficient single-query data retrieval
+    const results = await AclEntry.aggregate([
+      // Match ACL entries for this resource
+      {
+        $match: {
+          resourceType,
+          resourceId: mongoose.Types.ObjectId.isValid(resourceId)
+            ? mongoose.Types.ObjectId.createFromHexString(resourceId)
+            : resourceId,
+        },
+      },
+      // Lookup AccessRole information
+      {
+        $lookup: {
+          from: 'accessroles',
+          localField: 'roleId',
+          foreignField: '_id',
+          as: 'role',
+        },
+      },
+      // Lookup User information (for user principals)
+      {
+        $lookup: {
+          from: 'users',
+          localField: 'principalId',
+          foreignField: '_id',
+          as: 'userInfo',
+        },
+      },
+      // Lookup Group information (for group principals)
+      {
+        $lookup: {
+          from: 'groups',
+          localField: 'principalId',
+          foreignField: '_id',
+          as: 'groupInfo',
+        },
+      },
+      // Project final structure
+      {
+        $project: {
+          principalType: 1,
+          principalId: 1,
+          accessRoleId: { $arrayElemAt: ['$role.accessRoleId', 0] },
+          userInfo: { $arrayElemAt: ['$userInfo', 0] },
+          groupInfo: { $arrayElemAt: ['$groupInfo', 0] },
+        },
+      },
+    ]);
+
+    const principals = [];
+    let publicPermission = null;
+
+    // Process aggregation results
+    for (const result of results) {
+      if (result.principalType === 'public') {
+        publicPermission = {
+          public: true,
+          publicAccessRoleId: result.accessRoleId,
+        };
+      } else if (result.principalType === 'user' && result.userInfo) {
+        principals.push({
+          type: 'user',
+          id: result.userInfo._id.toString(),
+          name: result.userInfo.name || result.userInfo.username,
+          email: result.userInfo.email,
+          avatar: result.userInfo.avatar,
+          source: !result.userInfo._id ? 'entra' : 'local',
+          idOnTheSource: result.userInfo.idOnTheSource || result.userInfo._id.toString(),
+          accessRoleId: result.accessRoleId,
+        });
+      } else if (result.principalType === 'group' && result.groupInfo) {
+        principals.push({
+          type: 'group',
+          id: result.groupInfo._id.toString(),
+          name: result.groupInfo.name,
+          email: result.groupInfo.email,
+          description: result.groupInfo.description,
+          avatar: result.groupInfo.avatar,
+          source: result.groupInfo.source || 'local',
+          idOnTheSource: result.groupInfo.idOnTheSource || result.groupInfo._id.toString(),
+          accessRoleId: result.accessRoleId,
+        });
+      }
+    }
+
+    // Return response in format expected by frontend
+    const response = {
+      resourceType,
+      resourceId,
+      principals,
+      public: publicPermission?.public || false,
+      ...(publicPermission?.publicAccessRoleId && {
+        publicAccessRoleId: publicPermission.publicAccessRoleId,
+      }),
+    };
+
+    res.status(200).json(response);
+  } catch (error) {
+    logger.error('Error getting resource permissions principals:', error);
+    res.status(500).json({
+      error: 'Failed to get permissions principals',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get available roles for a resource type
+ * @route GET /api/{resourceType}/roles
+ */
+const getResourceRoles = async (req, res) => {
+  try {
+    const { resourceType } = req.params;
+
+    const roles = await getAvailableRoles({ resourceType });
+
+    res.status(200).json(
+      roles.map((role) => ({
+        accessRoleId: role.accessRoleId,
+        name: role.name,
+        description: role.description,
+        permBits: role.permBits,
+      })),
+    );
+  } catch (error) {
+    logger.error('Error getting resource roles:', error);
+    res.status(500).json({
+      error: 'Failed to get roles',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get user's effective permission bitmask for a resource
+ * @route GET /api/{resourceType}/{resourceId}/effective
+ */
+const getUserEffectivePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    const { id: userId } = req.user;
+
+    const permissionBits = await getEffectivePermissions({
+      userId,
+      resourceType,
+      resourceId,
+    });
+
+    res.status(200).json({
+      permissionBits,
+    });
+  } catch (error) {
+    logger.error('Error getting user effective permissions:', error);
+    res.status(500).json({
+      error: 'Failed to get effective permissions',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Search for users and groups to grant permissions
+ * Supports hybrid local database + Entra ID search when configured
+ * @route GET /api/permissions/search-principals
+ */
+const searchPrincipals = async (req, res) => {
+  try {
+    const { q: query, limit = 20, type } = req.query;
+
+    if (!query || query.trim().length === 0) {
+      return res.status(400).json({
+        error: 'Query parameter "q" is required and must not be empty',
+      });
+    }
+
+    if (query.trim().length < 2) {
+      return res.status(400).json({
+        error: 'Query must be at least 2 characters long',
+      });
+    }
+
+    const searchLimit = Math.min(Math.max(1, parseInt(limit) || 10), 50);
+    const typeFilter = ['user', 'group'].includes(type) ? type : null;
+
+    const localResults = await searchLocalPrincipals(query.trim(), searchLimit, typeFilter);
+    let allPrincipals = [...localResults];
+
+    const useEntraId = entraIdPrincipalFeatureEnabled(req.user);
+
+    if (useEntraId && localResults.length < searchLimit) {
+      try {
+        const graphTypeMap = {
+          user: 'users',
+          group: 'groups',
+          null: 'all',
+        };
+
+        const authHeader = req.headers.authorization;
+        const accessToken =
+          authHeader && authHeader.startsWith('Bearer ') ? authHeader.substring(7) : null;
+
+        if (accessToken) {
+          const graphResults = await searchEntraIdPrincipals(
+            accessToken,
+            req.user.openidId,
+            query.trim(),
+            graphTypeMap[typeFilter],
+            searchLimit - localResults.length,
+          );
+
+          const localEmails = new Set(
+            localResults.map((p) => p.email?.toLowerCase()).filter(Boolean),
+          );
+          const localGroupSourceIds = new Set(
+            localResults.map((p) => p.idOnTheSource).filter(Boolean),
+          );
+
+          for (const principal of graphResults) {
+            const isDuplicateByEmail =
+              principal.email && localEmails.has(principal.email.toLowerCase());
+            const isDuplicateBySourceId =
+              principal.idOnTheSource && localGroupSourceIds.has(principal.idOnTheSource);
+
+            if (!isDuplicateByEmail && !isDuplicateBySourceId) {
+              allPrincipals.push(principal);
+            }
+          }
+        }
+      } catch (graphError) {
+        logger.warn('Graph API search failed, falling back to local results:', graphError.message);
+      }
+    }
+    const scoredResults = allPrincipals.map((item) => ({
+      ...item,
+      _searchScore: calculateRelevanceScore(item, query.trim()),
+    }));
+
+    allPrincipals = sortPrincipalsByRelevance(scoredResults)
+      .slice(0, searchLimit)
+      .map((result) => {
+        const { _searchScore, ...resultWithoutScore } = result;
+        return resultWithoutScore;
+      });
+    res.status(200).json({
+      query: query.trim(),
+      limit: searchLimit,
+      type: typeFilter,
+      results: allPrincipals,
+      count: allPrincipals.length,
+      sources: {
+        local: allPrincipals.filter((r) => r.source === 'local').length,
+        entra: allPrincipals.filter((r) => r.source === 'entra').length,
+      },
+    });
+  } catch (error) {
+    logger.error('Error searching principals:', error);
+    res.status(500).json({
+      error: 'Failed to search principals',
+      details: error.message,
+    });
+  }
+};
+
+module.exports = {
+  updateResourcePermissions,
+  getResourcePermissions,
+  getResourceRoles,
+  getUserEffectivePermissions,
+  searchPrincipals,
+};

api/server/controllers/PluginController.js

@@ -1,11 +1,10 @@
 const { logger } = require('@librechat/data-schemas');
-const { CacheKeys, AuthType } = require('librechat-data-provider');
+const { CacheKeys, AuthType, Constants } = require('librechat-data-provider');
 const { getCustomConfig, getCachedTools } = require('~/server/services/Config');
 const { getToolkitKey } = require('~/server/services/ToolService');
 const { getMCPManager, getFlowStateManager } = require('~/config');
 const { availableTools } = require('~/app/clients/tools');
 const { getLogStores } = require('~/cache');
-const { Constants } = require('librechat-data-provider');
 
 /**
  * Filters out duplicate plugins from the list of plugins.
@@ -140,9 +139,9 @@ function createGetServerTools() {
 const getAvailableTools = async (req, res) => {
   try {
     const cache = getLogStores(CacheKeys.CONFIG_STORE);
-    const cachedTools = await cache.get(CacheKeys.TOOLS);
-    if (cachedTools) {
-      res.status(200).json(cachedTools);
+    const cachedToolsArray = await cache.get(CacheKeys.TOOLS);
+    if (cachedToolsArray) {
+      res.status(200).json(cachedToolsArray);
       return;
     }
 
@@ -173,7 +172,7 @@ const getAvailableTools = async (req, res) => {
       }
     });
 
-    const toolDefinitions = await getCachedTools({ includeGlobal: true });
+    const toolDefinitions = (await getCachedTools({ includeGlobal: true })) || {};
 
     const toolsOutput = [];
     for (const plugin of authenticatedPlugins) {

api/server/controllers/UserController.js

@@ -1,11 +1,5 @@
-const {
-  Tools,
-  Constants,
-  FileSources,
-  webSearchKeys,
-  extractWebSearchEnvVars,
-} = require('librechat-data-provider');
 const { logger } = require('@librechat/data-schemas');
+const { webSearchKeys, extractWebSearchEnvVars } = require('@librechat/api');
 const {
   getFiles,
   updateUser,
@@ -20,6 +14,7 @@ const { updateUserPluginAuth, deleteUserPluginAuth } = require('~/server/service
 const { updateUserPluginsService, deleteUserKey } = require('~/server/services/UserService');
 const { verifyEmail, resendVerificationEmail } = require('~/server/services/AuthService');
 const { needsRefresh, getNewS3URL } = require('~/server/services/Files/S3/crud');
+const { Tools, Constants, FileSources } = require('librechat-data-provider');
 const { processDeleteRequest } = require('~/server/services/Files/process');
 const { Transaction, Balance, User } = require('~/db/models');
 const { deleteToolCalls } = require('~/models/ToolCall');

api/server/controllers/agents/client.js

@@ -1,11 +1,14 @@
 require('events').EventEmitter.defaultMaxListeners = 100;
 const { logger } = require('@librechat/data-schemas');
+const { DynamicStructuredTool } = require('@langchain/core/tools');
+const { getBufferString, HumanMessage } = require('@langchain/core/messages');
 const {
   sendEvent,
   createRun,
   Tokenizer,
   checkAccess,
   memoryInstructions,
+  formatContentStrings,
   createMemoryProcessor,
 } = require('@librechat/api');
 const {
@@ -14,7 +17,6 @@ const {
   GraphEvents,
   formatMessage,
   formatAgentMessages,
-  formatContentStrings,
   getTokenCountForMessage,
   createMetadataAggregator,
 } = require('@librechat/agents');
@@ -24,20 +26,22 @@ const {
   VisionModes,
   ContentTypes,
   EModelEndpoint,
-  KnownEndpoints,
   PermissionTypes,
   isAgentsEndpoint,
   AgentCapabilities,
   bedrockInputSchema,
   removeNullishValues,
 } = require('librechat-data-provider');
-const { DynamicStructuredTool } = require('@langchain/core/tools');
-const { getBufferString, HumanMessage } = require('@langchain/core/messages');
-const { createGetMCPAuthMap, checkCapability } = require('~/server/services/Config');
+const {
+  findPluginAuthsByKeys,
+  getFormattedMemories,
+  deleteMemory,
+  setMemory,
+} = require('~/models');
+const { getMCPAuthMap, checkCapability, hasCustomUserVars } = require('~/server/services/Config');
 const { addCacheControl, createContextHandlers } = require('~/app/clients/prompts');
 const { initializeAgent } = require('~/server/services/Endpoints/agents/agent');
 const { spendTokens, spendStructuredTokens } = require('~/models/spendTokens');
-const { getFormattedMemories, deleteMemory, setMemory } = require('~/models');
 const { encodeAndFormat } = require('~/server/services/Files/images/encode');
 const { getProviderConfig } = require('~/server/services/Endpoints');
 const BaseClient = require('~/app/clients/BaseClient');
@@ -54,6 +58,7 @@ const omitTitleOptions = new Set([
   'thinkingBudget',
   'includeThoughts',
   'maxOutputTokens',
+  'additionalModelRequestFields',
 ]);
 
 /**
@@ -70,8 +75,6 @@ const payloadParser = ({ req, agent, endpoint }) => {
   return req.body.endpointOption.model_parameters;
 };
 
-const legacyContentEndpoints = new Set([KnownEndpoints.groq, KnownEndpoints.deepseek]);
-
 const noSystemModelRegex = [/\b(o1-preview|o1-mini|amazon\.titan-text)\b/gi];
 
 function createTokenCounter(encoding) {
@@ -452,6 +455,12 @@ class AgentClient extends BaseClient {
       res: this.options.res,
       agent: prelimAgent,
       allowedProviders,
+      endpointOption: {
+        endpoint:
+          prelimAgent.id !== Constants.EPHEMERAL_AGENT_ID
+            ? EModelEndpoint.agents
+            : memoryConfig.agent?.provider,
+      },
     });
 
     if (!agent) {
@@ -700,17 +709,12 @@ class AgentClient extends BaseClient {
         version: 'v2',
       };
 
-      const getUserMCPAuthMap = await createGetMCPAuthMap();
-
       const toolSet = new Set((this.options.agent.tools ?? []).map((tool) => tool && tool.name));
       let { messages: initialMessages, indexTokenCountMap } = formatAgentMessages(
         payload,
         this.indexTokenCountMap,
         toolSet,
       );
-      if (legacyContentEndpoints.has(this.options.agent.endpoint?.toLowerCase())) {
-        initialMessages = formatContentStrings(initialMessages);
-      }
 
       /**
        *
@@ -774,6 +778,9 @@ class AgentClient extends BaseClient {
         }
 
         let messages = _messages;
+        if (agent.useLegacyContent === true) {
+          messages = formatContentStrings(messages);
+        }
         if (
           agent.model_parameters?.clientOptions?.defaultHeaders?.['anthropic-beta']?.includes(
             'prompt-caching',
@@ -822,10 +829,11 @@ class AgentClient extends BaseClient {
         }
 
         try {
-          if (getUserMCPAuthMap) {
-            config.configurable.userMCPAuthMap = await getUserMCPAuthMap({
+          if (await hasCustomUserVars()) {
+            config.configurable.userMCPAuthMap = await getMCPAuthMap({
               tools: agent.tools,
               userId: this.options.req.user.id,
+              findPluginAuthsByKeys,
             });
           }
         } catch (err) {
@@ -1043,6 +1051,12 @@ class AgentClient extends BaseClient {
       options.llmConfig?.azureOpenAIApiInstanceName == null
     ) {
       provider = Providers.OPENAI;
+    } else if (
+      endpoint === EModelEndpoint.azureOpenAI &&
+      options.llmConfig?.azureOpenAIApiInstanceName != null &&
+      provider !== Providers.AZURE
+    ) {
+      provider = Providers.AZURE;
     }
 
     /** @type {import('@librechat/agents').ClientOptions} */
@@ -1121,8 +1135,52 @@ class AgentClient extends BaseClient {
     }
   }
 
-  /** Silent method, as `recordCollectedUsage` is used instead */
-  async recordTokenUsage() {}
+  /**
+   * @param {object} params
+   * @param {number} params.promptTokens
+   * @param {number} params.completionTokens
+   * @param {OpenAIUsageMetadata} [params.usage]
+   * @param {string} [params.model]
+   * @param {string} [params.context='message']
+   * @returns {Promise<void>}
+   */
+  async recordTokenUsage({ model, promptTokens, completionTokens, usage, context = 'message' }) {
+    try {
+      await spendTokens(
+        {
+          model,
+          context,
+          conversationId: this.conversationId,
+          user: this.user ?? this.options.req.user?.id,
+          endpointTokenConfig: this.options.endpointTokenConfig,
+        },
+        { promptTokens, completionTokens },
+      );
+
+      if (
+        usage &&
+        typeof usage === 'object' &&
+        'reasoning_tokens' in usage &&
+        typeof usage.reasoning_tokens === 'number'
+      ) {
+        await spendTokens(
+          {
+            model,
+            context: 'reasoning',
+            conversationId: this.conversationId,
+            user: this.user ?? this.options.req.user?.id,
+            endpointTokenConfig: this.options.endpointTokenConfig,
+          },
+          { completionTokens: usage.reasoning_tokens },
+        );
+      }
+    } catch (error) {
+      logger.error(
+        '[api/server/controllers/agents/client.js #recordTokenUsage] Error recording token usage',
+        error,
+      );
+    }
+  }
 
   getEncoding() {
     return 'o200k_base';

api/server/controllers/agents/request.js

@@ -12,6 +12,7 @@ const { saveMessage } = require('~/models');
 const AgentController = async (req, res, next, initializeClient, addTitle) => {
   let {
     text,
+    isRegenerate,
     endpointOption,
     conversationId,
     isContinued = false,
@@ -167,6 +168,7 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
       onStart,
       getReqData,
       isContinued,
+      isRegenerate,
       editedContent,
       conversationId,
       parentMessageId,

api/server/controllers/agents/v1.js

@@ -1,13 +1,12 @@
 const { z } = require('zod');
 const fs = require('fs').promises;
 const { nanoid } = require('nanoid');
-const { logger } = require('@librechat/data-schemas');
+const { logger, PermissionBits } = require('@librechat/data-schemas');
 const { agentCreateSchema, agentUpdateSchema } = require('@librechat/api');
 const {
   Tools,
-  Constants,
-  FileSources,
   SystemRoles,
+  FileSources,
   EToolResources,
   actionDelimiter,
   removeNullishValues,
@@ -17,18 +16,24 @@ const {
   createAgent,
   updateAgent,
   deleteAgent,
-  getListAgents,
+  getListAgentsByAccess,
+  countPromotedAgents,
+  revertAgentVersion,
 } = require('~/models/Agent');
+const {
+  grantPermission,
+  findAccessibleResources,
+  findPubliclyAccessibleResources,
+  hasPublicPermission,
+} = require('~/server/services/PermissionService');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { resizeAvatar } = require('~/server/services/Files/images/avatar');
 const { refreshS3Url } = require('~/server/services/Files/S3/crud');
 const { filterFile } = require('~/server/services/Files/process');
 const { updateAction, getActions } = require('~/models/Action');
 const { getCachedTools } = require('~/server/services/Config');
-const { updateAgentProjects } = require('~/models/Agent');
-const { getProjectByName } = require('~/models/Project');
-const { revertAgentVersion } = require('~/models/Agent');
 const { deleteFileByFilter } = require('~/models/File');
+const { getCategoriesWithCounts } = require('~/models');
 
 const systemTools = {
   [Tools.execute_code]: true,
@@ -67,6 +72,27 @@ const createAgentHandler = async (req, res) => {
     }
 
     const agent = await createAgent(agentData);
+
+    // Automatically grant owner permissions to the creator
+    try {
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_owner',
+        grantedBy: userId,
+      });
+      logger.debug(
+        `[createAgent] Granted owner permissions to user ${userId} for agent ${agent.id}`,
+      );
+    } catch (permissionError) {
+      logger.error(
+        `[createAgent] Failed to grant owner permissions for agent ${agent.id}:`,
+        permissionError,
+      );
+    }
+
     res.status(201).json(agent);
   } catch (error) {
     if (error instanceof z.ZodError) {
@@ -89,21 +115,14 @@ const createAgentHandler = async (req, res) => {
  * @returns {Promise<Agent>} 200 - success response - application/json
  * @returns {Error} 404 - Agent not found
  */
-const getAgentHandler = async (req, res) => {
+const getAgentHandler = async (req, res, expandProperties = false) => {
   try {
     const id = req.params.id;
     const author = req.user.id;
 
-    let query = { id, author };
-
-    const globalProject = await getProjectByName(Constants.GLOBAL_PROJECT_NAME, ['agentIds']);
-    if (globalProject && (globalProject.agentIds?.length ?? 0) > 0) {
-      query = {
-        $or: [{ id, $in: globalProject.agentIds }, query],
-      };
-    }
-
-    const agent = await getAgent(query);
+    // Permissions are validated by middleware before calling this function
+    // Simply load the agent by ID
+    const agent = await getAgent({ id });
 
     if (!agent) {
       return res.status(404).json({ error: 'Agent not found' });
@@ -120,23 +139,45 @@ const getAgentHandler = async (req, res) => {
     }
 
     agent.author = agent.author.toString();
+
+    // @deprecated - isCollaborative replaced by ACL permissions
     agent.isCollaborative = !!agent.isCollaborative;
 
+    // Check if agent is public
+    const isPublic = await hasPublicPermission({
+      resourceType: 'agent',
+      resourceId: agent._id,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+    agent.isPublic = isPublic;
+
     if (agent.author !== author) {
       delete agent.author;
     }
 
-    if (!agent.isCollaborative && agent.author !== author && req.user.role !== SystemRoles.ADMIN) {
+    if (!expandProperties) {
+      // VIEW permission: Basic agent info only
       return res.status(200).json({
+        _id: agent._id,
         id: agent.id,
         name: agent.name,
+        description: agent.description,
         avatar: agent.avatar,
         author: agent.author,
+        provider: agent.provider,
+        model: agent.model,
         projectIds: agent.projectIds,
+        // @deprecated - isCollaborative replaced by ACL permissions
         isCollaborative: agent.isCollaborative,
+        isPublic: agent.isPublic,
         version: agent.version,
+        // Safe metadata
+        createdAt: agent.createdAt,
+        updatedAt: agent.updatedAt,
       });
     }
+
+    // EDIT permission: Full agent details including sensitive configuration
     return res.status(200).json(agent);
   } catch (error) {
     logger.error('[/Agents/:id] Error retrieving agent', error);
@@ -157,43 +198,20 @@ const updateAgentHandler = async (req, res) => {
   try {
     const id = req.params.id;
     const validatedData = agentUpdateSchema.parse(req.body);
-    const { projectIds, removeProjectIds, ...updateData } = removeNullishValues(validatedData);
-    const isAdmin = req.user.role === SystemRoles.ADMIN;
+    const { _id, ...updateData } = removeNullishValues(validatedData);
     const existingAgent = await getAgent({ id });
 
     if (!existingAgent) {
       return res.status(404).json({ error: 'Agent not found' });
     }
 
-    const isAuthor = existingAgent.author.toString() === req.user.id;
-    const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
-
-    if (!hasEditPermission) {
-      return res.status(403).json({
-        error: 'You do not have permission to modify this non-collaborative agent',
-      });
-    }
-
-    /** @type {boolean} */
-    const isProjectUpdate = (projectIds?.length ?? 0) > 0 || (removeProjectIds?.length ?? 0) > 0;
-
     let updatedAgent =
       Object.keys(updateData).length > 0
         ? await updateAgent({ id }, updateData, {
             updatingUserId: req.user.id,
-            skipVersioning: isProjectUpdate,
           })
         : existingAgent;
 
-    if (isProjectUpdate) {
-      updatedAgent = await updateAgentProjects({
-        user: req.user,
-        agentId: id,
-        projectIds,
-        removeProjectIds,
-      });
-    }
-
     if (updatedAgent.author) {
       updatedAgent.author = updatedAgent.author.toString();
     }
@@ -318,6 +336,26 @@ const duplicateAgentHandler = async (req, res) => {
     newAgentData.actions = agentActions;
     const newAgent = await createAgent(newAgentData);
 
+    // Automatically grant owner permissions to the duplicator
+    try {
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: newAgent._id,
+        accessRoleId: 'agent_owner',
+        grantedBy: userId,
+      });
+      logger.debug(
+        `[duplicateAgent] Granted owner permissions to user ${userId} for duplicated agent ${newAgent.id}`,
+      );
+    } catch (permissionError) {
+      logger.error(
+        `[duplicateAgent] Failed to grant owner permissions for duplicated agent ${newAgent.id}:`,
+        permissionError,
+      );
+    }
+
     return res.status(201).json({
       agent: newAgent,
       actions: newActionsList,
@@ -344,7 +382,7 @@ const deleteAgentHandler = async (req, res) => {
     if (!agent) {
       return res.status(404).json({ error: 'Agent not found' });
     }
-    await deleteAgent({ id, author: req.user.id });
+    await deleteAgent({ id });
     return res.json({ message: 'Agent deleted' });
   } catch (error) {
     logger.error('[/Agents/:id] Error deleting Agent', error);
@@ -353,7 +391,7 @@ const deleteAgentHandler = async (req, res) => {
 };
 
 /**
- *
+ * Lists agents using ACL-aware permissions (ownership + explicit shares).
  * @route GET /Agents
  * @param {object} req - Express Request
  * @param {object} req.query - Request query
@@ -362,9 +400,64 @@ const deleteAgentHandler = async (req, res) => {
  */
 const getListAgentsHandler = async (req, res) => {
   try {
-    const data = await getListAgents({
-      author: req.user.id,
+    const userId = req.user.id;
+    const { category, search, limit, cursor, promoted } = req.query;
+    let requiredPermission = req.query.requiredPermission;
+    if (typeof requiredPermission === 'string') {
+      requiredPermission = parseInt(requiredPermission, 10);
+      if (isNaN(requiredPermission)) {
+        requiredPermission = PermissionBits.VIEW;
+      }
+    } else if (typeof requiredPermission !== 'number') {
+      requiredPermission = PermissionBits.VIEW;
+    }
+    // Base filter
+    const filter = {};
+
+    // Handle category filter - only apply if category is defined
+    if (category !== undefined && category.trim() !== '') {
+      filter.category = category;
+    }
+
+    // Handle promoted filter - only from query param
+    if (promoted === '1') {
+      filter.is_promoted = true;
+    } else if (promoted === '0') {
+      filter.is_promoted = { $ne: true };
+    }
+
+    // Handle search filter
+    if (search && search.trim() !== '') {
+      filter.$or = [
+        { name: { $regex: search.trim(), $options: 'i' } },
+        { description: { $regex: search.trim(), $options: 'i' } },
+      ];
+    }
+    // Get agent IDs the user has VIEW access to via ACL
+    const accessibleIds = await findAccessibleResources({
+      userId,
+      resourceType: 'agent',
+      requiredPermissions: requiredPermission,
     });
+    const publiclyAccessibleIds = await findPubliclyAccessibleResources({
+      resourceType: 'agent',
+      requiredPermissions: PermissionBits.VIEW,
+    });
+    // Use the new ACL-aware function
+    const data = await getListAgentsByAccess({
+      accessibleIds,
+      otherParams: filter,
+      limit,
+      after: cursor,
+    });
+    if (data?.data?.length) {
+      data.data = data.data.map((agent) => {
+        if (publiclyAccessibleIds.some((id) => id.equals(agent._id))) {
+          agent.isPublic = true;
+        }
+        return agent;
+      });
+    }
     return res.json(data);
   } catch (error) {
     logger.error('[/Agents] Error listing Agents', error);
@@ -391,6 +484,22 @@ const uploadAgentAvatarHandler = async (req, res) => {
       return res.status(400).json({ message: 'Agent ID is required' });
     }
 
+    const isAdmin = req.user.role === SystemRoles.ADMIN;
+    const existingAgent = await getAgent({ id: agent_id });
+
+    if (!existingAgent) {
+      return res.status(404).json({ error: 'Agent not found' });
+    }
+
+    const isAuthor = existingAgent.author.toString() === req.user.id;
+    const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
+
+    if (!hasEditPermission) {
+      return res.status(403).json({
+        error: 'You do not have permission to modify this non-collaborative agent',
+      });
+    }
+
     const buffer = await fs.readFile(req.file.path);
 
     const fileStrategy = req.app.locals.fileStrategy;
@@ -413,14 +522,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
       source: fileStrategy,
     };
 
-    let _avatar;
-    try {
-      const agent = await getAgent({ id: agent_id });
-      _avatar = agent.avatar;
-    } catch (error) {
-      logger.error('[/:agent_id/avatar] Error fetching agent', error);
-      _avatar = {};
-    }
+    let _avatar = existingAgent.avatar;
 
     if (_avatar && _avatar.source) {
       const { deleteFile } = getStrategyFunctions(_avatar.source);
@@ -442,7 +544,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
     };
 
     promises.push(
-      await updateAgent({ id: agent_id, author: req.user.id }, data, {
+      await updateAgent({ id: agent_id }, data, {
         updatingUserId: req.user.id,
       }),
     );
@@ -522,7 +624,48 @@ const revertAgentVersionHandler = async (req, res) => {
     res.status(500).json({ error: error.message });
   }
 };
+/**
+ * Get all agent categories with counts
+ *
+ * @param {Object} _req - Express request object (unused)
+ * @param {Object} res - Express response object
+ */
+const getAgentCategories = async (_req, res) => {
+  try {
+    const categories = await getCategoriesWithCounts();
+    const promotedCount = await countPromotedAgents();
+    const formattedCategories = categories.map((category) => ({
+      value: category.value,
+      label: category.label,
+      count: category.agentCount,
+      description: category.description,
+    }));
 
+    if (promotedCount > 0) {
+      formattedCategories.unshift({
+        value: 'promoted',
+        label: 'Promoted',
+        count: promotedCount,
+        description: 'Our recommended agents',
+      });
+    }
+
+    formattedCategories.push({
+      value: 'all',
+      label: 'All',
+      description: 'All available agents',
+    });
+
+    res.status(200).json(formattedCategories);
+  } catch (error) {
+    logger.error('[/Agents/Marketplace] Error fetching agent categories:', error);
+    res.status(500).json({
+      error: 'Failed to fetch agent categories',
+      userMessage: 'Unable to load categories. Please refresh the page.',
+      suggestion: 'Try refreshing the page or check your network connection',
+    });
+  }
+};
 module.exports = {
   createAgent: createAgentHandler,
   getAgent: getAgentHandler,
@@ -532,4 +675,5 @@ module.exports = {
   getListAgents: getListAgentsHandler,
   uploadAgentAvatar: uploadAgentAvatarHandler,
   revertAgentVersion: revertAgentVersionHandler,
+  getAgentCategories,
 };

api/server/controllers/agents/v1.spec.js

@@ -372,52 +372,6 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.id).toBe(existingAgentId);
     });
 
-    test('should reject update from non-author when not collaborative', async () => {
-      const differentUserId = new mongoose.Types.ObjectId().toString();
-      mockReq.user.id = differentUserId; // Different user
-      mockReq.params.id = existingAgentId;
-      mockReq.body = {
-        name: 'Unauthorized Update',
-      };
-
-      await updateAgentHandler(mockReq, mockRes);
-
-      expect(mockRes.status).toHaveBeenCalledWith(403);
-      expect(mockRes.json).toHaveBeenCalledWith({
-        error: 'You do not have permission to modify this non-collaborative agent',
-      });
-
-      // Verify agent was not modified in database
-      const agentInDb = await Agent.findOne({ id: existingAgentId });
-      expect(agentInDb.name).toBe('Original Agent');
-    });
-
-    test('should allow update from non-author when collaborative', async () => {
-      // First make the agent collaborative
-      await Agent.updateOne({ id: existingAgentId }, { isCollaborative: true });
-
-      const differentUserId = new mongoose.Types.ObjectId().toString();
-      mockReq.user.id = differentUserId; // Different user
-      mockReq.params.id = existingAgentId;
-      mockReq.body = {
-        name: 'Collaborative Update',
-      };
-
-      await updateAgentHandler(mockReq, mockRes);
-
-      expect(mockRes.status).not.toHaveBeenCalledWith(403);
-      expect(mockRes.json).toHaveBeenCalled();
-
-      const updatedAgent = mockRes.json.mock.calls[0][0];
-      expect(updatedAgent.name).toBe('Collaborative Update');
-      // Author field should be removed for non-author
-      expect(updatedAgent.author).toBeUndefined();
-
-      // Verify in database
-      const agentInDb = await Agent.findOne({ id: existingAgentId });
-      expect(agentInDb.name).toBe('Collaborative Update');
-    });
-
     test('should allow admin to update any agent', async () => {
       const adminUserId = new mongoose.Types.ObjectId().toString();
       mockReq.user.id = adminUserId;
@@ -555,45 +509,6 @@ describe('Agent Controllers - Mass Assignment Protection', () => {
       expect(agentInDb.__v).not.toBe(99);
     });
 
-    test('should prevent privilege escalation through isCollaborative', async () => {
-      // Create a non-collaborative agent
-      const authorId = new mongoose.Types.ObjectId();
-      const agent = await Agent.create({
-        id: `agent_${uuidv4()}`,
-        name: 'Private Agent',
-        provider: 'openai',
-        model: 'gpt-4',
-        author: authorId,
-        isCollaborative: false,
-        versions: [
-          {
-            name: 'Private Agent',
-            provider: 'openai',
-            model: 'gpt-4',
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          },
-        ],
-      });
-
-      // Try to make it collaborative as a different user
-      const attackerId = new mongoose.Types.ObjectId().toString();
-      mockReq.user.id = attackerId;
-      mockReq.params.id = agent.id;
-      mockReq.body = {
-        isCollaborative: true, // Trying to escalate privileges
-      };
-
-      await updateAgentHandler(mockReq, mockRes);
-
-      // Should be rejected
-      expect(mockRes.status).toHaveBeenCalledWith(403);
-
-      // Verify in database that it's still not collaborative
-      const agentInDb = await Agent.findOne({ id: agent.id });
-      expect(agentInDb.isCollaborative).toBe(false);
-    });
-
     test('should prevent author hijacking', async () => {
       const originalAuthorId = new mongoose.Types.ObjectId();
       const attackerId = new mongoose.Types.ObjectId();

api/server/controllers/tools.js

@@ -1,14 +1,13 @@
 const { nanoid } = require('nanoid');
 const { EnvVar } = require('@librechat/agents');
-const { checkAccess } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
+const { checkAccess, loadWebSearchAuth } = require('@librechat/api');
 const {
   Tools,
   AuthType,
   Permissions,
   ToolCallTypes,
   PermissionTypes,
-  loadWebSearchAuth,
 } = require('librechat-data-provider');
 const { processFileURL, uploadImageBuffer } = require('~/server/services/Files/process');
 const { processCodeOutput } = require('~/server/services/Files/Code/process');

api/server/index.js

@@ -117,6 +117,8 @@ const startServer = async () => {
   app.use('/api/agents', routes.agents);
   app.use('/api/banner', routes.banner);
   app.use('/api/memories', routes.memories);
+  app.use('/api/permissions', routes.accessPermissions);
+
   app.use('/api/tags', routes.tags);
   app.use('/api/mcp', routes.mcp);
 

api/server/middleware/accessResources/canAccessAgentFromBody.js

@@ -0,0 +1,97 @@
+const { logger } = require('@librechat/data-schemas');
+const { Constants, isAgentsEndpoint } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getAgent } = require('~/models/Agent');
+
+/**
+ * Agent ID resolver function for agent_id from request body
+ * Resolves custom agent ID (e.g., "agent_abc123") to MongoDB ObjectId
+ * This is used specifically for chat routes where agent_id comes from request body
+ *
+ * @param {string} agentCustomId - Custom agent ID from request body
+ * @returns {Promise<Object|null>} Agent document with _id field, or null if not found
+ */
+const resolveAgentIdFromBody = async (agentCustomId) => {
+  // Handle ephemeral agents - they don't need permission checks
+  if (agentCustomId === Constants.EPHEMERAL_AGENT_ID) {
+    return null; // No permission check needed for ephemeral agents
+  }
+
+  return await getAgent({ id: agentCustomId });
+};
+
+/**
+ * Middleware factory that creates middleware to check agent access permissions from request body.
+ * This middleware is specifically designed for chat routes where the agent_id comes from req.body
+ * instead of route parameters.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for agent chat (requires VIEW permission)
+ * router.post('/chat',
+ *   canAccessAgentFromBody({ requiredPermission: PermissionBits.VIEW }),
+ *   buildEndpointOption,
+ *   chatController
+ * );
+ */
+const canAccessAgentFromBody = (options) => {
+  const { requiredPermission } = options;
+
+  // Validate required options
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessAgentFromBody: requiredPermission is required and must be a number');
+  }
+
+  return async (req, res, next) => {
+    try {
+      const { endpoint, agent_id } = req.body;
+      let agentId = agent_id;
+
+      if (!isAgentsEndpoint(endpoint)) {
+        agentId = Constants.EPHEMERAL_AGENT_ID;
+      }
+
+      if (!agentId) {
+        return res.status(400).json({
+          error: 'Bad Request',
+          message: 'agent_id is required in request body',
+        });
+      }
+
+      // Skip permission checks for ephemeral agents
+      if (agentId === Constants.EPHEMERAL_AGENT_ID) {
+        return next();
+      }
+
+      const agentAccessMiddleware = canAccessResource({
+        resourceType: 'agent',
+        requiredPermission,
+        resourceIdParam: 'agent_id', // This will be ignored since we use custom resolver
+        idResolver: () => resolveAgentIdFromBody(agentId),
+      });
+
+      const tempReq = {
+        ...req,
+        params: {
+          ...req.params,
+          agent_id: agentId,
+        },
+      };
+
+      return agentAccessMiddleware(tempReq, res, next);
+    } catch (error) {
+      logger.error('Failed to validate agent access permissions', error);
+      return res.status(500).json({
+        error: 'Internal Server Error',
+        message: 'Failed to validate agent access permissions',
+      });
+    }
+  };
+};
+
+module.exports = {
+  canAccessAgentFromBody,
+};

api/server/middleware/accessResources/canAccessAgentResource.js

@@ -0,0 +1,58 @@
+const { getAgent } = require('~/models/Agent');
+const { canAccessResource } = require('./canAccessResource');
+
+/**
+ * Agent ID resolver function
+ * Resolves custom agent ID (e.g., "agent_abc123") to MongoDB ObjectId
+ *
+ * @param {string} agentCustomId - Custom agent ID from route parameter
+ * @returns {Promise<Object|null>} Agent document with _id field, or null if not found
+ */
+const resolveAgentId = async (agentCustomId) => {
+  return await getAgent({ id: agentCustomId });
+};
+
+/**
+ * Agent-specific middleware factory that creates middleware to check agent access permissions.
+ * This middleware extends the generic canAccessResource to handle agent custom ID resolution.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='id'] - The name of the route parameter containing the agent custom ID
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for viewing agents
+ * router.get('/agents/:id',
+ *   canAccessAgentResource({ requiredPermission: 1 }),
+ *   getAgent
+ * );
+ *
+ * @example
+ * // Custom resource ID parameter and edit permission
+ * router.patch('/agents/:agent_id',
+ *   canAccessAgentResource({
+ *     requiredPermission: 2,
+ *     resourceIdParam: 'agent_id'
+ *   }),
+ *   updateAgent
+ * );
+ */
+const canAccessAgentResource = (options) => {
+  const { requiredPermission, resourceIdParam = 'id' } = options;
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessAgentResource: requiredPermission is required and must be a number');
+  }
+
+  return canAccessResource({
+    resourceType: 'agent',
+    requiredPermission,
+    resourceIdParam,
+    idResolver: resolveAgentId,
+  });
+};
+
+module.exports = {
+  canAccessAgentResource,
+};

api/server/middleware/accessResources/canAccessAgentResource.spec.js

@@ -0,0 +1,384 @@
+const mongoose = require('mongoose');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { canAccessAgentResource } = require('./canAccessAgentResource');
+const { User, Role, AclEntry } = require('~/db/models');
+const { createAgent } = require('~/models/Agent');
+
+describe('canAccessAgentResource middleware', () => {
+  let mongoServer;
+  let req, res, next;
+  let testUser;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await mongoose.connection.dropDatabase();
+    await Role.create({
+      name: 'test-role',
+      permissions: {
+        AGENTS: {
+          USE: true,
+          CREATE: true,
+          SHARED_GLOBAL: false,
+        },
+      },
+    });
+
+    // Create a test user
+    testUser = await User.create({
+      email: 'test@example.com',
+      name: 'Test User',
+      username: 'testuser',
+      role: 'test-role',
+    });
+
+    req = {
+      user: { id: testUser._id.toString(), role: 'test-role' },
+      params: {},
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+
+    jest.clearAllMocks();
+  });
+
+  describe('middleware factory', () => {
+    test('should throw error if requiredPermission is not provided', () => {
+      expect(() => canAccessAgentResource({})).toThrow(
+        'canAccessAgentResource: requiredPermission is required and must be a number',
+      );
+    });
+
+    test('should throw error if requiredPermission is not a number', () => {
+      expect(() => canAccessAgentResource({ requiredPermission: '1' })).toThrow(
+        'canAccessAgentResource: requiredPermission is required and must be a number',
+      );
+    });
+
+    test('should create middleware with default resourceIdParam', () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      expect(typeof middleware).toBe('function');
+      expect(middleware.length).toBe(3); // Express middleware signature
+    });
+
+    test('should create middleware with custom resourceIdParam', () => {
+      const middleware = canAccessAgentResource({
+        requiredPermission: 2,
+        resourceIdParam: 'agent_id',
+      });
+      expect(typeof middleware).toBe('function');
+      expect(middleware.length).toBe(3);
+    });
+  });
+
+  describe('permission checking with real agents', () => {
+    test('should allow access when user is the agent author', async () => {
+      // Create an agent owned by the test user
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry for the author (owner permissions)
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions (1+2+4+8)
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should deny access when user is not the author and has no ACL entry', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other@example.com',
+        name: 'Other User',
+        username: 'otheruser',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Other User Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry for the other user (owner)
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: otherUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to access this agent',
+      });
+    });
+
+    test('should allow access when user has ACL entry with sufficient permissions', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other2@example.com',
+        name: 'Other User 2',
+        username: 'otheruser2',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Shared Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry granting view permission to test user
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 1, // VIEW permission
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should deny access when ACL permissions are insufficient', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other3@example.com',
+        name: 'Other User 3',
+        username: 'otheruser3',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Limited Access Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry granting only view permission
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 1, // VIEW permission only
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 2 }); // EDIT permission required
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to access this agent',
+      });
+    });
+
+    test('should handle non-existent agent', async () => {
+      req.params.id = 'agent_nonexistent';
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Not Found',
+        message: 'agent not found',
+      });
+    });
+
+    test('should use custom resourceIdParam', async () => {
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Custom Param Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry for the author
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: testUser._id,
+      });
+
+      req.params.agent_id = agent.id; // Using custom param name
+
+      const middleware = canAccessAgentResource({
+        requiredPermission: 1,
+        resourceIdParam: 'agent_id',
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('permission levels', () => {
+    let agent;
+
+    beforeEach(async () => {
+      agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Permission Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry with all permissions for the owner
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions (1+2+4+8)
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agent.id;
+    });
+
+    test('should support view permission (1)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support edit permission (2)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 2 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support delete permission (4)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 4 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support share permission (8)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 8 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support combined permissions', async () => {
+      const viewAndEdit = 1 | 2; // 3
+      const middleware = canAccessAgentResource({ requiredPermission: viewAndEdit });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+  });
+
+  describe('integration with agent operations', () => {
+    test('should work with agent CRUD operations', async () => {
+      const agentId = `agent_${Date.now()}`;
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Integration Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+        description: 'Testing integration',
+      });
+
+      // Create ACL entry for the author
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agentId;
+
+      // Test view access
+      const viewMiddleware = canAccessAgentResource({ requiredPermission: 1 });
+      await viewMiddleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+      jest.clearAllMocks();
+
+      // Update the agent
+      const { updateAgent } = require('~/models/Agent');
+      await updateAgent({ id: agentId }, { description: 'Updated description' });
+
+      // Test edit access
+      const editMiddleware = canAccessAgentResource({ requiredPermission: 2 });
+      await editMiddleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+  });
+});

api/server/middleware/accessResources/canAccessResource.js

@@ -0,0 +1,157 @@
+const { logger } = require('@librechat/data-schemas');
+const { SystemRoles } = require('librechat-data-provider');
+const { checkPermission } = require('~/server/services/PermissionService');
+
+/**
+ * Generic base middleware factory that creates middleware to check resource access permissions.
+ * This middleware expects MongoDB ObjectIds as resource identifiers for ACL permission checks.
+ *
+ * @param {Object} options - Configuration options
+ * @param {string} options.resourceType - The type of resource (e.g., 'agent', 'file', 'project')
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='resourceId'] - The name of the route parameter containing the resource ID
+ * @param {Function} [options.idResolver] - Optional function to resolve custom IDs to ObjectIds
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Direct usage with ObjectId (for resources that use MongoDB ObjectId in routes)
+ * router.get('/prompts/:promptId',
+ *   canAccessResource({ resourceType: 'prompt', requiredPermission: 1 }),
+ *   getPrompt
+ * );
+ *
+ * @example
+ * // Usage with custom ID resolver (for resources that use custom string IDs)
+ * router.get('/agents/:id',
+ *   canAccessResource({
+ *     resourceType: 'agent',
+ *     requiredPermission: 1,
+ *     resourceIdParam: 'id',
+ *     idResolver: (customId) => resolveAgentId(customId)
+ *   }),
+ *   getAgent
+ * );
+ */
+const canAccessResource = (options) => {
+  const {
+    resourceType,
+    requiredPermission,
+    resourceIdParam = 'resourceId',
+    idResolver = null,
+  } = options;
+
+  if (!resourceType || typeof resourceType !== 'string') {
+    throw new Error('canAccessResource: resourceType is required and must be a string');
+  }
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessResource: requiredPermission is required and must be a number');
+  }
+
+  return async (req, res, next) => {
+    try {
+      // Extract resource ID from route parameters
+      const rawResourceId = req.params[resourceIdParam];
+
+      if (!rawResourceId) {
+        logger.warn(`[canAccessResource] Missing ${resourceIdParam} in route parameters`);
+        return res.status(400).json({
+          error: 'Bad Request',
+          message: `${resourceIdParam} is required`,
+        });
+      }
+
+      // Check if user is authenticated
+      if (!req.user || !req.user.id) {
+        logger.warn(
+          `[canAccessResource] Unauthenticated request for ${resourceType} ${rawResourceId}`,
+        );
+        return res.status(401).json({
+          error: 'Unauthorized',
+          message: 'Authentication required',
+        });
+      }
+      // if system admin let through
+      if (req.user.role === SystemRoles.ADMIN) {
+        return next();
+      }
+      const userId = req.user.id;
+      let resourceId = rawResourceId;
+      let resourceInfo = null;
+
+      // Resolve custom ID to ObjectId if resolver is provided
+      if (idResolver) {
+        logger.debug(
+          `[canAccessResource] Resolving ${resourceType} custom ID ${rawResourceId} to ObjectId`,
+        );
+
+        const resolutionResult = await idResolver(rawResourceId);
+
+        if (!resolutionResult) {
+          logger.warn(`[canAccessResource] ${resourceType} not found: ${rawResourceId}`);
+          return res.status(404).json({
+            error: 'Not Found',
+            message: `${resourceType} not found`,
+          });
+        }
+
+        // Handle different resolver return formats
+        if (typeof resolutionResult === 'string' || resolutionResult._id) {
+          resourceId = resolutionResult._id || resolutionResult;
+          resourceInfo = typeof resolutionResult === 'object' ? resolutionResult : null;
+        } else {
+          resourceId = resolutionResult;
+        }
+
+        logger.debug(
+          `[canAccessResource] Resolved ${resourceType} ${rawResourceId} to ObjectId ${resourceId}`,
+        );
+      }
+
+      // Check permissions using PermissionService with ObjectId
+      const hasPermission = await checkPermission({
+        userId,
+        resourceType,
+        resourceId,
+        requiredPermission,
+      });
+
+      if (hasPermission) {
+        logger.debug(
+          `[canAccessResource] User ${userId} has permission ${requiredPermission} on ${resourceType} ${rawResourceId} (${resourceId})`,
+        );
+
+        req.resourceAccess = {
+          resourceType,
+          resourceId, // MongoDB ObjectId for ACL operations
+          customResourceId: rawResourceId, // Original ID from route params
+          permission: requiredPermission,
+          userId,
+          ...(resourceInfo && { resourceInfo }),
+        };
+
+        return next();
+      }
+
+      logger.warn(
+        `[canAccessResource] User ${userId} denied access to ${resourceType} ${rawResourceId} ` +
+          `(required permission: ${requiredPermission})`,
+      );
+
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: `Insufficient permissions to access this ${resourceType}`,
+      });
+    } catch (error) {
+      logger.error(`[canAccessResource] Error checking access for ${resourceType}:`, error);
+      return res.status(500).json({
+        error: 'Internal Server Error',
+        message: 'Failed to check resource access permissions',
+      });
+    }
+  };
+};
+
+module.exports = {
+  canAccessResource,
+};

api/server/middleware/accessResources/index.js

@@ -0,0 +1,9 @@
+const { canAccessResource } = require('./canAccessResource');
+const { canAccessAgentResource } = require('./canAccessAgentResource');
+const { canAccessAgentFromBody } = require('./canAccessAgentFromBody');
+
+module.exports = {
+  canAccessResource,
+  canAccessAgentResource,
+  canAccessAgentFromBody,
+};

api/server/middleware/buildEndpointOption.js

@@ -1,3 +1,4 @@
+const { handleError } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const {
   EndpointURLs,
@@ -14,7 +15,6 @@ const openAI = require('~/server/services/Endpoints/openAI');
 const agents = require('~/server/services/Endpoints/agents');
 const custom = require('~/server/services/Endpoints/custom');
 const google = require('~/server/services/Endpoints/google');
-const { handleError } = require('~/server/utils');
 
 const buildFunction = {
   [EModelEndpoint.openAI]: openAI.buildOptions,

api/server/middleware/checkPeoplePickerAccess.js

@@ -0,0 +1,72 @@
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+/**
+ * Middleware to check if user has permission to access people picker functionality
+ * Checks specific permission based on the 'type' query parameter:
+ * - type=user: requires VIEW_USERS permission
+ * - type=group: requires VIEW_GROUPS permission
+ * - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS
+ */
+const checkPeoplePickerAccess = async (req, res, next) => {
+  try {
+    const user = req.user;
+    if (!user || !user.role) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    const role = await getRoleByName(user.role);
+    if (!role || !role.permissions) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'No permissions configured for user role',
+      });
+    }
+
+    const { type } = req.query;
+    const peoplePickerPerms = role.permissions[PermissionTypes.PEOPLE_PICKER] || {};
+    const canViewUsers = peoplePickerPerms[Permissions.VIEW_USERS] === true;
+    const canViewGroups = peoplePickerPerms[Permissions.VIEW_GROUPS] === true;
+
+    if (type === 'user') {
+      if (!canViewUsers) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for users',
+        });
+      }
+    } else if (type === 'group') {
+      if (!canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for groups',
+        });
+      }
+    } else {
+      if (!canViewUsers || !canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for both users and groups',
+        });
+      }
+    }
+    next();
+  } catch (error) {
+    logger.error(
+      `[checkPeoplePickerAccess][${req.user?.id}] checkPeoplePickerAccess error for req.query.type = ${req.query.type}`,
+      error,
+    );
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check permissions',
+    });
+  }
+};
+
+module.exports = {
+  checkPeoplePickerAccess,
+};

api/server/middleware/concurrentLimiter.js

@@ -1,4 +1,4 @@
-const { Time, CacheKeys } = require('librechat-data-provider');
+const { Time, CacheKeys, ViolationTypes } = require('librechat-data-provider');
 const clearPendingReq = require('~/cache/clearPendingReq');
 const { logViolation, getLogStores } = require('~/cache');
 const { isEnabled } = require('~/server/utils');
@@ -37,7 +37,7 @@ const concurrentLimiter = async (req, res, next) => {
 
   const userId = req.user?.id ?? req.user?._id ?? '';
   const limit = Math.max(CONCURRENT_MESSAGE_MAX, 1);
-  const type = 'concurrent';
+  const type = ViolationTypes.CONCURRENT;
 
   const key = `${isEnabled(USE_REDIS) ? namespace : ''}:${userId}`;
   const pendingRequests = +((await cache.get(key)) ?? 0);

api/server/middleware/index.js

@@ -8,6 +8,7 @@ const concurrentLimiter = require('./concurrentLimiter');
 const validateEndpoint = require('./validateEndpoint');
 const requireLocalAuth = require('./requireLocalAuth');
 const canDeleteAccount = require('./canDeleteAccount');
+const accessResources = require('./accessResources');
 const setBalanceConfig = require('./setBalanceConfig');
 const requireLdapAuth = require('./requireLdapAuth');
 const abortMiddleware = require('./abortMiddleware');
@@ -29,6 +30,7 @@ module.exports = {
   ...validate,
   ...limiters,
   ...roles,
+  ...accessResources,
   noIndex,
   checkBan,
   uaParser,

api/server/middleware/limiters/forkLimiters.js

@@ -1,9 +1,6 @@
 const rateLimit = require('express-rate-limit');
-const { isEnabled } = require('@librechat/api');
-const { RedisStore } = require('rate-limit-redis');
-const { logger } = require('@librechat/data-schemas');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
+const { limiterCache } = require('~/cache/cacheFactory');
 const logViolation = require('~/cache/logViolation');
 
 const getEnvironmentVariables = () => {
@@ -11,6 +8,7 @@ const getEnvironmentVariables = () => {
   const FORK_IP_WINDOW = parseInt(process.env.FORK_IP_WINDOW) || 1;
   const FORK_USER_MAX = parseInt(process.env.FORK_USER_MAX) || 7;
   const FORK_USER_WINDOW = parseInt(process.env.FORK_USER_WINDOW) || 1;
+  const FORK_VIOLATION_SCORE = process.env.FORK_VIOLATION_SCORE;
 
   const forkIpWindowMs = FORK_IP_WINDOW * 60 * 1000;
   const forkIpMax = FORK_IP_MAX;
@@ -27,12 +25,18 @@ const getEnvironmentVariables = () => {
     forkUserWindowMs,
     forkUserMax,
     forkUserWindowInMinutes,
+    forkViolationScore: FORK_VIOLATION_SCORE,
   };
 };
 
 const createForkHandler = (ip = true) => {
-  const { forkIpMax, forkIpWindowInMinutes, forkUserMax, forkUserWindowInMinutes } =
-    getEnvironmentVariables();
+  const {
+    forkIpMax,
+    forkUserMax,
+    forkViolationScore,
+    forkIpWindowInMinutes,
+    forkUserWindowInMinutes,
+  } = getEnvironmentVariables();
 
   return async (req, res) => {
     const type = ViolationTypes.FILE_UPLOAD_LIMIT;
@@ -43,7 +47,7 @@ const createForkHandler = (ip = true) => {
       windowInMinutes: ip ? forkIpWindowInMinutes : forkUserWindowInMinutes,
     };
 
-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, forkViolationScore);
     res.status(429).json({ message: 'Too many conversation fork requests. Try again later' });
   };
 };
@@ -55,6 +59,7 @@ const createForkLimiters = () => {
     windowMs: forkIpWindowMs,
     max: forkIpMax,
     handler: createForkHandler(),
+    store: limiterCache('fork_ip_limiter'),
   };
   const userLimiterOptions = {
     windowMs: forkUserWindowMs,
@@ -63,23 +68,9 @@ const createForkLimiters = () => {
     keyGenerator: function (req) {
       return req.user?.id;
     },
+    store: limiterCache('fork_user_limiter'),
   };
 
-  if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-    logger.debug('Using Redis for fork rate limiters.');
-    const sendCommand = (...args) => ioredisClient.call(...args);
-    const ipStore = new RedisStore({
-      sendCommand,
-      prefix: 'fork_ip_limiter:',
-    });
-    const userStore = new RedisStore({
-      sendCommand,
-      prefix: 'fork_user_limiter:',
-    });
-    ipLimiterOptions.store = ipStore;
-    userLimiterOptions.store = userStore;
-  }
-
   const forkIpLimiter = rateLimit(ipLimiterOptions);
   const forkUserLimiter = rateLimit(userLimiterOptions);
   return { forkIpLimiter, forkUserLimiter };

api/server/middleware/limiters/importLimiters.js

@@ -1,9 +1,6 @@
 const rateLimit = require('express-rate-limit');
-const { isEnabled } = require('@librechat/api');
-const { RedisStore } = require('rate-limit-redis');
-const { logger } = require('@librechat/data-schemas');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
+const { limiterCache } = require('~/cache/cacheFactory');
 const logViolation = require('~/cache/logViolation');
 
 const getEnvironmentVariables = () => {
@@ -11,6 +8,7 @@ const getEnvironmentVariables = () => {
   const IMPORT_IP_WINDOW = parseInt(process.env.IMPORT_IP_WINDOW) || 15;
   const IMPORT_USER_MAX = parseInt(process.env.IMPORT_USER_MAX) || 50;
   const IMPORT_USER_WINDOW = parseInt(process.env.IMPORT_USER_WINDOW) || 15;
+  const IMPORT_VIOLATION_SCORE = process.env.IMPORT_VIOLATION_SCORE;
 
   const importIpWindowMs = IMPORT_IP_WINDOW * 60 * 1000;
   const importIpMax = IMPORT_IP_MAX;
@@ -27,12 +25,18 @@ const getEnvironmentVariables = () => {
     importUserWindowMs,
     importUserMax,
     importUserWindowInMinutes,
+    importViolationScore: IMPORT_VIOLATION_SCORE,
   };
 };
 
 const createImportHandler = (ip = true) => {
-  const { importIpMax, importIpWindowInMinutes, importUserMax, importUserWindowInMinutes } =
-    getEnvironmentVariables();
+  const {
+    importIpMax,
+    importUserMax,
+    importViolationScore,
+    importIpWindowInMinutes,
+    importUserWindowInMinutes,
+  } = getEnvironmentVariables();
 
   return async (req, res) => {
     const type = ViolationTypes.FILE_UPLOAD_LIMIT;
@@ -43,7 +47,7 @@ const createImportHandler = (ip = true) => {
       windowInMinutes: ip ? importIpWindowInMinutes : importUserWindowInMinutes,
     };
 
-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, importViolationScore);
     res.status(429).json({ message: 'Too many conversation import requests. Try again later' });
   };
 };
@@ -56,6 +60,7 @@ const createImportLimiters = () => {
     windowMs: importIpWindowMs,
     max: importIpMax,
     handler: createImportHandler(),
+    store: limiterCache('import_ip_limiter'),
   };
   const userLimiterOptions = {
     windowMs: importUserWindowMs,
@@ -64,23 +69,9 @@ const createImportLimiters = () => {
     keyGenerator: function (req) {
       return req.user?.id; // Use the user ID or NULL if not available
     },
+    store: limiterCache('import_user_limiter'),
   };
 
-  if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-    logger.debug('Using Redis for import rate limiters.');
-    const sendCommand = (...args) => ioredisClient.call(...args);
-    const ipStore = new RedisStore({
-      sendCommand,
-      prefix: 'import_ip_limiter:',
-    });
-    const userStore = new RedisStore({
-      sendCommand,
-      prefix: 'import_user_limiter:',
-    });
-    ipLimiterOptions.store = ipStore;
-    userLimiterOptions.store = userStore;
-  }
-
   const importIpLimiter = rateLimit(ipLimiterOptions);
   const importUserLimiter = rateLimit(userLimiterOptions);
   return { importIpLimiter, importUserLimiter };

api/server/middleware/limiters/loginLimiter.js

@@ -1,9 +1,8 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
-const { removePorts, isEnabled } = require('~/server/utils');
-const ioredisClient = require('~/cache/ioredisClient');
+const { ViolationTypes } = require('librechat-data-provider');
+const { removePorts } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');
 
 const { LOGIN_WINDOW = 5, LOGIN_MAX = 7, LOGIN_VIOLATION_SCORE: score } = process.env;
 const windowMs = LOGIN_WINDOW * 60 * 1000;
@@ -12,7 +11,7 @@ const windowInMinutes = windowMs / 60000;
 const message = `Too many login attempts, please try again after ${windowInMinutes} minutes.`;
 
 const handler = async (req, res) => {
-  const type = 'logins';
+  const type = ViolationTypes.LOGINS;
   const errorMessage = {
     type,
     max,
@@ -28,17 +27,9 @@ const limiterOptions = {
   max,
   handler,
   keyGenerator: removePorts,
+  store: limiterCache('login_limiter'),
 };
 
-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for login rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'login_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const loginLimiter = rateLimit(limiterOptions);
 
 module.exports = loginLimiter;

api/server/middleware/limiters/messageLimiters.js

@@ -1,16 +1,15 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
+const { ViolationTypes } = require('librechat-data-provider');
 const denyRequest = require('~/server/middleware/denyRequest');
-const ioredisClient = require('~/cache/ioredisClient');
-const { isEnabled } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');
 
 const {
   MESSAGE_IP_MAX = 40,
   MESSAGE_IP_WINDOW = 1,
   MESSAGE_USER_MAX = 40,
   MESSAGE_USER_WINDOW = 1,
+  MESSAGE_VIOLATION_SCORE: score,
 } = process.env;
 
 const ipWindowMs = MESSAGE_IP_WINDOW * 60 * 1000;
@@ -31,7 +30,7 @@ const userWindowInMinutes = userWindowMs / 60000;
  */
 const createHandler = (ip = true) => {
   return async (req, res) => {
-    const type = 'message_limit';
+    const type = ViolationTypes.MESSAGE_LIMIT;
     const errorMessage = {
       type,
       max: ip ? ipMax : userMax,
@@ -39,7 +38,7 @@ const createHandler = (ip = true) => {
       windowInMinutes: ip ? ipWindowInMinutes : userWindowInMinutes,
     };
 
-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, score);
     return await denyRequest(req, res, errorMessage);
   };
 };
@@ -51,6 +50,7 @@ const ipLimiterOptions = {
   windowMs: ipWindowMs,
   max: ipMax,
   handler: createHandler(),
+  store: limiterCache('message_ip_limiter'),
 };
 
 const userLimiterOptions = {
@@ -60,23 +60,9 @@ const userLimiterOptions = {
   keyGenerator: function (req) {
     return req.user?.id; // Use the user ID or NULL if not available
   },
+  store: limiterCache('message_user_limiter'),
 };
 
-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for message rate limiters.');
-  const sendCommand = (...args) => ioredisClient.call(...args);
-  const ipStore = new RedisStore({
-    sendCommand,
-    prefix: 'message_ip_limiter:',
-  });
-  const userStore = new RedisStore({
-    sendCommand,
-    prefix: 'message_user_limiter:',
-  });
-  ipLimiterOptions.store = ipStore;
-  userLimiterOptions.store = userStore;
-}
-
 /**
  * Message request rate limiter by IP
  */

api/server/middleware/limiters/registerLimiter.js

@@ -1,9 +1,8 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
-const { removePorts, isEnabled } = require('~/server/utils');
-const ioredisClient = require('~/cache/ioredisClient');
+const { ViolationTypes } = require('librechat-data-provider');
+const { removePorts } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');
 
 const { REGISTER_WINDOW = 60, REGISTER_MAX = 5, REGISTRATION_VIOLATION_SCORE: score } = process.env;
 const windowMs = REGISTER_WINDOW * 60 * 1000;
@@ -12,7 +11,7 @@ const windowInMinutes = windowMs / 60000;
 const message = `Too many accounts created, please try again after ${windowInMinutes} minutes`;
 
 const handler = async (req, res) => {
-  const type = 'registrations';
+  const type = ViolationTypes.REGISTRATIONS;
   const errorMessage = {
     type,
     max,
@@ -28,17 +27,9 @@ const limiterOptions = {
   max,
   handler,
   keyGenerator: removePorts,
+  store: limiterCache('register_limiter'),
 };
 
-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for register rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'register_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const registerLimiter = rateLimit(limiterOptions);
 
 module.exports = registerLimiter;

api/server/middleware/limiters/resetPasswordLimiter.js

@@ -1,10 +1,8 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const { removePorts, isEnabled } = require('~/server/utils');
-const ioredisClient = require('~/cache/ioredisClient');
+const { removePorts } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');
 
 const {
   RESET_PASSWORD_WINDOW = 2,
@@ -33,17 +31,9 @@ const limiterOptions = {
   max,
   handler,
   keyGenerator: removePorts,
+  store: limiterCache('reset_password_limiter'),
 };
 
-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for reset password rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'reset_password_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const resetPasswordLimiter = rateLimit(limiterOptions);
 
 module.exports = resetPasswordLimiter;

api/server/middleware/limiters/sttLimiters.js

@@ -1,16 +1,14 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
+const { limiterCache } = require('~/cache/cacheFactory');
 const logViolation = require('~/cache/logViolation');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');
 
 const getEnvironmentVariables = () => {
   const STT_IP_MAX = parseInt(process.env.STT_IP_MAX) || 100;
   const STT_IP_WINDOW = parseInt(process.env.STT_IP_WINDOW) || 1;
   const STT_USER_MAX = parseInt(process.env.STT_USER_MAX) || 50;
   const STT_USER_WINDOW = parseInt(process.env.STT_USER_WINDOW) || 1;
+  const STT_VIOLATION_SCORE = process.env.STT_VIOLATION_SCORE;
 
   const sttIpWindowMs = STT_IP_WINDOW * 60 * 1000;
   const sttIpMax = STT_IP_MAX;
@@ -27,11 +25,12 @@ const getEnvironmentVariables = () => {
     sttUserWindowMs,
     sttUserMax,
     sttUserWindowInMinutes,
+    sttViolationScore: STT_VIOLATION_SCORE,
   };
 };
 
 const createSTTHandler = (ip = true) => {
-  const { sttIpMax, sttIpWindowInMinutes, sttUserMax, sttUserWindowInMinutes } =
+  const { sttIpMax, sttIpWindowInMinutes, sttUserMax, sttUserWindowInMinutes, sttViolationScore } =
     getEnvironmentVariables();
 
   return async (req, res) => {
@@ -43,7 +42,7 @@ const createSTTHandler = (ip = true) => {
       windowInMinutes: ip ? sttIpWindowInMinutes : sttUserWindowInMinutes,
     };
 
-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, sttViolationScore);
     res.status(429).json({ message: 'Too many STT requests. Try again later' });
   };
 };
@@ -55,6 +54,7 @@ const createSTTLimiters = () => {
     windowMs: sttIpWindowMs,
     max: sttIpMax,
     handler: createSTTHandler(),
+    store: limiterCache('stt_ip_limiter'),
   };
 
   const userLimiterOptions = {
@@ -64,23 +64,9 @@ const createSTTLimiters = () => {
     keyGenerator: function (req) {
       return req.user?.id; // Use the user ID or NULL if not available
     },
+    store: limiterCache('stt_user_limiter'),
   };
 
-  if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-    logger.debug('Using Redis for STT rate limiters.');
-    const sendCommand = (...args) => ioredisClient.call(...args);
-    const ipStore = new RedisStore({
-      sendCommand,
-      prefix: 'stt_ip_limiter:',
-    });
-    const userStore = new RedisStore({
-      sendCommand,
-      prefix: 'stt_user_limiter:',
-    });
-    ipLimiterOptions.store = ipStore;
-    userLimiterOptions.store = userStore;
-  }
-
   const sttIpLimiter = rateLimit(ipLimiterOptions);
   const sttUserLimiter = rateLimit(userLimiterOptions);
 

api/server/middleware/limiters/toolCallLimiter.js

@@ -1,10 +1,9 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
+const { limiterCache } = require('~/cache/cacheFactory');
 const logViolation = require('~/cache/logViolation');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');
+
+const { TOOL_CALL_VIOLATION_SCORE: score } = process.env;
 
 const handler = async (req, res) => {
   const type = ViolationTypes.TOOL_CALL_LIMIT;
@@ -15,7 +14,7 @@ const handler = async (req, res) => {
     windowInMinutes: 1,
   };
 
-  await logViolation(req, res, type, errorMessage, 0);
+  await logViolation(req, res, type, errorMessage, score);
   res.status(429).json({ message: 'Too many tool call requests. Try again later' });
 };
 
@@ -26,17 +25,9 @@ const limiterOptions = {
   keyGenerator: function (req) {
     return req.user?.id;
   },
+  store: limiterCache('tool_call_limiter'),
 };
 
-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for tool call rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'tool_call_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const toolCallLimiter = rateLimit(limiterOptions);
 
 module.exports = toolCallLimiter;

api/server/middleware/limiters/ttsLimiters.js

@@ -1,16 +1,14 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
 const logViolation = require('~/cache/logViolation');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');
+const { limiterCache } = require('~/cache/cacheFactory');
 
 const getEnvironmentVariables = () => {
   const TTS_IP_MAX = parseInt(process.env.TTS_IP_MAX) || 100;
   const TTS_IP_WINDOW = parseInt(process.env.TTS_IP_WINDOW) || 1;
   const TTS_USER_MAX = parseInt(process.env.TTS_USER_MAX) || 50;
   const TTS_USER_WINDOW = parseInt(process.env.TTS_USER_WINDOW) || 1;
+  const TTS_VIOLATION_SCORE = process.env.TTS_VIOLATION_SCORE;
 
   const ttsIpWindowMs = TTS_IP_WINDOW * 60 * 1000;
   const ttsIpMax = TTS_IP_MAX;
@@ -27,11 +25,12 @@ const getEnvironmentVariables = () => {
     ttsUserWindowMs,
     ttsUserMax,
     ttsUserWindowInMinutes,
+    ttsViolationScore: TTS_VIOLATION_SCORE,
   };
 };
 
 const createTTSHandler = (ip = true) => {
-  const { ttsIpMax, ttsIpWindowInMinutes, ttsUserMax, ttsUserWindowInMinutes } =
+  const { ttsIpMax, ttsIpWindowInMinutes, ttsUserMax, ttsUserWindowInMinutes, ttsViolationScore } =
     getEnvironmentVariables();
 
   return async (req, res) => {
@@ -43,7 +42,7 @@ const createTTSHandler = (ip = true) => {
       windowInMinutes: ip ? ttsIpWindowInMinutes : ttsUserWindowInMinutes,
     };
 
-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, ttsViolationScore);
     res.status(429).json({ message: 'Too many TTS requests. Try again later' });
   };
 };
@@ -55,32 +54,19 @@ const createTTSLimiters = () => {
     windowMs: ttsIpWindowMs,
     max: ttsIpMax,
     handler: createTTSHandler(),
+    store: limiterCache('tts_ip_limiter'),
   };
 
   const userLimiterOptions = {
     windowMs: ttsUserWindowMs,
     max: ttsUserMax,
     handler: createTTSHandler(false),
+    store: limiterCache('tts_user_limiter'),
     keyGenerator: function (req) {
       return req.user?.id; // Use the user ID or NULL if not available
     },
   };
 
-  if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-    logger.debug('Using Redis for TTS rate limiters.');
-    const sendCommand = (...args) => ioredisClient.call(...args);
-    const ipStore = new RedisStore({
-      sendCommand,
-      prefix: 'tts_ip_limiter:',
-    });
-    const userStore = new RedisStore({
-      sendCommand,
-      prefix: 'tts_user_limiter:',
-    });
-    ipLimiterOptions.store = ipStore;
-    userLimiterOptions.store = userStore;
-  }
-
   const ttsIpLimiter = rateLimit(ipLimiterOptions);
   const ttsUserLimiter = rateLimit(userLimiterOptions);
 

api/server/middleware/limiters/uploadLimiters.js

@@ -1,16 +1,14 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
+const { limiterCache } = require('~/cache/cacheFactory');
 const logViolation = require('~/cache/logViolation');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');
 
 const getEnvironmentVariables = () => {
   const FILE_UPLOAD_IP_MAX = parseInt(process.env.FILE_UPLOAD_IP_MAX) || 100;
   const FILE_UPLOAD_IP_WINDOW = parseInt(process.env.FILE_UPLOAD_IP_WINDOW) || 15;
   const FILE_UPLOAD_USER_MAX = parseInt(process.env.FILE_UPLOAD_USER_MAX) || 50;
   const FILE_UPLOAD_USER_WINDOW = parseInt(process.env.FILE_UPLOAD_USER_WINDOW) || 15;
+  const FILE_UPLOAD_VIOLATION_SCORE = process.env.FILE_UPLOAD_VIOLATION_SCORE;
 
   const fileUploadIpWindowMs = FILE_UPLOAD_IP_WINDOW * 60 * 1000;
   const fileUploadIpMax = FILE_UPLOAD_IP_MAX;
@@ -27,6 +25,7 @@ const getEnvironmentVariables = () => {
     fileUploadUserWindowMs,
     fileUploadUserMax,
     fileUploadUserWindowInMinutes,
+    fileUploadViolationScore: FILE_UPLOAD_VIOLATION_SCORE,
   };
 };
 
@@ -36,6 +35,7 @@ const createFileUploadHandler = (ip = true) => {
     fileUploadIpWindowInMinutes,
     fileUploadUserMax,
     fileUploadUserWindowInMinutes,
+    fileUploadViolationScore,
   } = getEnvironmentVariables();
 
   return async (req, res) => {
@@ -47,7 +47,7 @@ const createFileUploadHandler = (ip = true) => {
       windowInMinutes: ip ? fileUploadIpWindowInMinutes : fileUploadUserWindowInMinutes,
     };
 
-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, fileUploadViolationScore);
     res.status(429).json({ message: 'Too many file upload requests. Try again later' });
   };
 };
@@ -60,6 +60,7 @@ const createFileLimiters = () => {
     windowMs: fileUploadIpWindowMs,
     max: fileUploadIpMax,
     handler: createFileUploadHandler(),
+    store: limiterCache('file_upload_ip_limiter'),
   };
 
   const userLimiterOptions = {
@@ -69,23 +70,9 @@ const createFileLimiters = () => {
     keyGenerator: function (req) {
       return req.user?.id; // Use the user ID or NULL if not available
     },
+    store: limiterCache('file_upload_user_limiter'),
   };
 
-  if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-    logger.debug('Using Redis for file upload rate limiters.');
-    const sendCommand = (...args) => ioredisClient.call(...args);
-    const ipStore = new RedisStore({
-      sendCommand,
-      prefix: 'file_upload_ip_limiter:',
-    });
-    const userStore = new RedisStore({
-      sendCommand,
-      prefix: 'file_upload_user_limiter:',
-    });
-    ipLimiterOptions.store = ipStore;
-    userLimiterOptions.store = userStore;
-  }
-
   const fileUploadIpLimiter = rateLimit(ipLimiterOptions);
   const fileUploadUserLimiter = rateLimit(userLimiterOptions);
 

api/server/middleware/limiters/verifyEmailLimiter.js

@@ -1,10 +1,8 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const { removePorts, isEnabled } = require('~/server/utils');
-const ioredisClient = require('~/cache/ioredisClient');
+const { removePorts } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');
 
 const {
   VERIFY_EMAIL_WINDOW = 2,
@@ -33,17 +31,9 @@ const limiterOptions = {
   max,
   handler,
   keyGenerator: removePorts,
+  store: limiterCache('verify_email_limiter'),
 };
 
-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for verify email rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'verify_email_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const verifyEmailLimiter = rateLimit(limiterOptions);
 
 module.exports = verifyEmailLimiter;

api/server/middleware/roles/access.spec.js

@@ -0,0 +1,370 @@
+const mongoose = require('mongoose');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { checkAccess, generateCheckAccess } = require('@librechat/api');
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { Role } = require('~/db/models');
+
+// Mock the logger from @librechat/data-schemas
+jest.mock('@librechat/data-schemas', () => ({
+  ...jest.requireActual('@librechat/data-schemas'),
+  logger: {
+    warn: jest.fn(),
+    error: jest.fn(),
+    info: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+// Mock the cache to use a simple in-memory implementation
+const mockCache = new Map();
+jest.mock('~/cache/getLogStores', () => {
+  return jest.fn(() => ({
+    get: jest.fn(async (key) => mockCache.get(key)),
+    set: jest.fn(async (key, value) => mockCache.set(key, value)),
+    clear: jest.fn(async () => mockCache.clear()),
+  }));
+});
+
+describe('Access Middleware', () => {
+  let mongoServer;
+  let req, res, next;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await mongoose.connection.dropDatabase();
+    mockCache.clear(); // Clear the cache between tests
+
+    // Create test roles
+    await Role.create({
+      name: 'user',
+      permissions: {
+        [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.SHARED_GLOBAL]: false,
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+        },
+        [PermissionTypes.MEMORIES]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.UPDATE]: true,
+          [Permissions.READ]: true,
+          [Permissions.OPT_OUT]: true,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: false,
+          [Permissions.SHARED_GLOBAL]: false,
+        },
+        [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
+        [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
+        [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+        [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      },
+    });
+
+    await Role.create({
+      name: 'admin',
+      permissions: {
+        [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.SHARED_GLOBAL]: true,
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+        },
+        [PermissionTypes.MEMORIES]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.UPDATE]: true,
+          [Permissions.READ]: true,
+          [Permissions.OPT_OUT]: true,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.SHARED_GLOBAL]: true,
+        },
+        [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
+        [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
+        [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+        [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      },
+    });
+
+    // Create limited role with no AGENTS permissions
+    await Role.create({
+      name: 'limited',
+      permissions: {
+        // Explicitly set AGENTS permissions to false
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: false,
+          [Permissions.CREATE]: false,
+          [Permissions.SHARED_GLOBAL]: false,
+        },
+        // Has permissions for other types
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.USE]: true,
+        },
+      },
+    });
+
+    req = {
+      user: { id: 'user123', role: 'user' },
+      body: {},
+      originalUrl: '/test',
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+    jest.clearAllMocks();
+  });
+
+  describe('checkAccess', () => {
+    test('should return false if user is not provided', async () => {
+      const result = await checkAccess({
+        user: null,
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return true if user has required permission', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should return false if user lacks required permission', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return false if user has only some of multiple permissions', async () => {
+      // User has USE but not CREATE, so should fail when checking for both
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE, Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return true if user has all of multiple permissions', async () => {
+      // Admin has both USE and CREATE
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE, Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should check body properties when permission is not directly granted', async () => {
+      const req = { body: { id: 'agent123' } };
+      const result = await checkAccess({
+        req,
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.UPDATE],
+        bodyProps: {
+          [Permissions.UPDATE]: ['id'],
+        },
+        checkObject: req.body,
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should return false if role is not found', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'nonexistent' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return false if role has no permissions for the requested type', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'limited' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should handle admin role with all permissions', async () => {
+      const createResult = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      expect(createResult).toBe(true);
+
+      const shareResult = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.SHARED_GLOBAL],
+        getRoleByName,
+      });
+      expect(shareResult).toBe(true);
+    });
+  });
+
+  describe('generateCheckAccess', () => {
+    test('should call next() when user has required permission', async () => {
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should return 403 when user lacks permission', async () => {
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+
+    test('should check body properties when configured', async () => {
+      req.body = { agentId: 'agent123', description: 'test' };
+
+      const bodyProps = {
+        [Permissions.CREATE]: ['agentId'],
+      };
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        bodyProps,
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should handle database errors gracefully', async () => {
+      // Mock getRoleByName to throw an error
+      const mockGetRoleByName = jest
+        .fn()
+        .mockRejectedValue(new Error('Database connection failed'));
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName: mockGetRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        message: expect.stringContaining('Server error:'),
+      });
+    });
+
+    test('should work with multiple permission types', async () => {
+      req.user.role = 'admin';
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE, Permissions.CREATE, Permissions.SHARED_GLOBAL],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should handle missing user gracefully', async () => {
+      req.user = null;
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+
+    test('should handle role with no AGENTS permissions', async () => {
+      await Role.create({
+        name: 'noaccess',
+        permissions: {
+          // Explicitly set AGENTS with all permissions false
+          [PermissionTypes.AGENTS]: {
+            [Permissions.USE]: false,
+            [Permissions.CREATE]: false,
+            [Permissions.SHARED_GLOBAL]: false,
+          },
+        },
+      });
+      req.user.role = 'noaccess';
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+  });
+});

api/server/middleware/uaParser.js

@@ -1,5 +1,6 @@
 const uap = require('ua-parser-js');
-const { handleError } = require('../utils');
+const { ViolationTypes } = require('librechat-data-provider');
+const { handleError } = require('@librechat/api');
 const { logViolation } = require('../../cache');
 
 /**
@@ -21,7 +22,7 @@ async function uaParser(req, res, next) {
   const ua = uap(req.headers['user-agent']);
 
   if (!ua.browser.name) {
-    const type = 'non_browser';
+    const type = ViolationTypes.NON_BROWSER;
     await logViolation(req, res, type, { type }, score);
     return handleError(res, { message: 'Illegal request' });
   }

api/server/middleware/validateEndpoint.js

@@ -1,4 +1,4 @@
-const { handleError } = require('../utils');
+const { handleError } = require('@librechat/api');
 
 function validateEndpoint(req, res, next) {
   const { endpoint: _endpoint, endpointType } = req.body;

api/server/middleware/validateModel.js

@@ -1,6 +1,6 @@
+const { handleError } = require('@librechat/api');
 const { ViolationTypes } = require('librechat-data-provider');
 const { getModelsConfig } = require('~/server/controllers/ModelController');
-const { handleError } = require('~/server/utils');
 const { logViolation } = require('~/cache');
 /**
  * Validates the model of the request.

api/server/routes/__tests__/static.spec.js

@@ -0,0 +1,162 @@
+const fs = require('fs');
+const path = require('path');
+const express = require('express');
+const request = require('supertest');
+const zlib = require('zlib');
+
+// Create test setup
+const mockTestDir = path.join(__dirname, 'test-static-route');
+
+// Mock the paths module to point to our test directory
+jest.mock('~/config/paths', () => ({
+  imageOutput: mockTestDir,
+}));
+
+describe('Static Route Integration', () => {
+  let app;
+  let staticRoute;
+  let testDir;
+  let testImagePath;
+
+  beforeAll(() => {
+    // Create a test directory and files
+    testDir = mockTestDir;
+    testImagePath = path.join(testDir, 'test-image.jpg');
+
+    if (!fs.existsSync(testDir)) {
+      fs.mkdirSync(testDir, { recursive: true });
+    }
+
+    // Create a test image file
+    fs.writeFileSync(testImagePath, 'fake-image-data');
+
+    // Create a gzipped version of the test image (for gzip scanning tests)
+    fs.writeFileSync(testImagePath + '.gz', zlib.gzipSync('fake-image-data'));
+  });
+
+  afterAll(() => {
+    // Clean up test files
+    if (fs.existsSync(testDir)) {
+      fs.rmSync(testDir, { recursive: true, force: true });
+    }
+  });
+
+  // Helper function to set up static route with specific config
+  const setupStaticRoute = (skipGzipScan = false) => {
+    if (skipGzipScan) {
+      delete process.env.ENABLE_IMAGE_OUTPUT_GZIP_SCAN;
+    } else {
+      process.env.ENABLE_IMAGE_OUTPUT_GZIP_SCAN = 'true';
+    }
+
+    staticRoute = require('../static');
+    app.use('/images', staticRoute);
+  };
+
+  beforeEach(() => {
+    // Clear the module cache to get fresh imports
+    jest.resetModules();
+
+    app = express();
+
+    // Clear environment variables
+    delete process.env.ENABLE_IMAGE_OUTPUT_GZIP_SCAN;
+    delete process.env.NODE_ENV;
+  });
+
+  describe('route functionality', () => {
+    it('should serve static image files', async () => {
+      process.env.NODE_ENV = 'production';
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/test-image.jpg').expect(200);
+
+      expect(response.body.toString()).toBe('fake-image-data');
+    });
+
+    it('should return 404 for non-existent files', async () => {
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/nonexistent.jpg');
+      expect(response.status).toBe(404);
+    });
+  });
+
+  describe('cache behavior', () => {
+    it('should set cache headers for images in production', async () => {
+      process.env.NODE_ENV = 'production';
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/test-image.jpg').expect(200);
+
+      expect(response.headers['cache-control']).toBe('public, max-age=172800, s-maxage=86400');
+    });
+
+    it('should not set cache headers in development', async () => {
+      process.env.NODE_ENV = 'development';
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/test-image.jpg').expect(200);
+
+      // Our middleware should not set the production cache-control header in development
+      expect(response.headers['cache-control']).not.toBe('public, max-age=172800, s-maxage=86400');
+    });
+  });
+
+  describe('gzip compression behavior', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+    });
+
+    it('should serve gzipped files when gzip scanning is enabled', async () => {
+      setupStaticRoute(false); // Enable gzip scanning
+
+      const response = await request(app)
+        .get('/images/test-image.jpg')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBe('gzip');
+      expect(response.body.toString()).toBe('fake-image-data');
+    });
+
+    it('should not serve gzipped files when gzip scanning is disabled', async () => {
+      setupStaticRoute(true); // Disable gzip scanning
+
+      const response = await request(app)
+        .get('/images/test-image.jpg')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBeUndefined();
+      expect(response.body.toString()).toBe('fake-image-data');
+    });
+  });
+
+  describe('path configuration', () => {
+    it('should use the configured imageOutput path', async () => {
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/test-image.jpg').expect(200);
+
+      expect(response.body.toString()).toBe('fake-image-data');
+    });
+
+    it('should serve from subdirectories', async () => {
+      // Create a subdirectory with a file
+      const subDir = path.join(testDir, 'thumbs');
+      fs.mkdirSync(subDir, { recursive: true });
+      const thumbPath = path.join(subDir, 'thumb.jpg');
+      fs.writeFileSync(thumbPath, 'thumbnail-data');
+
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/thumbs/thumb.jpg').expect(200);
+
+      expect(response.body.toString()).toBe('thumbnail-data');
+
+      // Clean up
+      fs.rmSync(subDir, { recursive: true, force: true });
+    });
+  });
+});

api/server/routes/accessPermissions.js

@@ -0,0 +1,63 @@
+const express = require('express');
+const { PermissionBits } = require('@librechat/data-schemas');
+const {
+  getUserEffectivePermissions,
+  updateResourcePermissions,
+  getResourcePermissions,
+  getResourceRoles,
+  searchPrincipals,
+} = require('~/server/controllers/PermissionsController');
+const { requireJwtAuth, checkBan, uaParser, canAccessResource } = require('~/server/middleware');
+const { checkPeoplePickerAccess } = require('~/server/middleware/checkPeoplePickerAccess');
+
+const router = express.Router();
+
+// Apply common middleware
+router.use(requireJwtAuth);
+router.use(checkBan);
+router.use(uaParser);
+
+/**
+ * Generic routes for resource permissions
+ * Pattern: /api/permissions/{resourceType}/{resourceId}
+ */
+
+/**
+ * GET /api/permissions/search-principals
+ * Search for users and groups to grant permissions
+ */
+router.get('/search-principals', checkPeoplePickerAccess, searchPrincipals);
+
+/**
+ * GET /api/permissions/{resourceType}/roles
+ * Get available roles for a resource type
+ */
+router.get('/:resourceType/roles', getResourceRoles);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}
+ * Get all permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId', getResourcePermissions);
+
+/**
+ * PUT /api/permissions/{resourceType}/{resourceId}
+ * Bulk update permissions for a specific resource
+ */
+router.put(
+  '/:resourceType/:resourceId',
+  canAccessResource({
+    resourceType: 'agent',
+    requiredPermission: PermissionBits.SHARE,
+    resourceIdParam: 'resourceId',
+  }),
+  updateResourcePermissions,
+);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}/effective
+ * Get user's effective permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId/effective', getUserEffectivePermissions);
+
+module.exports = router;

api/server/routes/agents/actions.js

@@ -1,19 +1,21 @@
 const express = require('express');
 const { nanoid } = require('nanoid');
-const { logger } = require('@librechat/data-schemas');
 const { generateCheckAccess } = require('@librechat/api');
+const { logger, PermissionBits } = require('@librechat/data-schemas');
 const {
-  SystemRoles,
   Permissions,
   PermissionTypes,
   actionDelimiter,
   removeNullishValues,
 } = require('librechat-data-provider');
 const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
+const { findAccessibleResources } = require('~/server/services/PermissionService');
 const { updateAction, getActions, deleteAction } = require('~/models/Action');
 const { isActionDomainAllowed } = require('~/server/services/domains');
+const { canAccessAgentResource } = require('~/server/middleware');
 const { getAgent, updateAgent } = require('~/models/Agent');
 const { getRoleByName } = require('~/models/Role');
+const { getListAgentsByAccess } = require('~/models/Agent');
 
 const router = express.Router();
 
@@ -23,12 +25,6 @@ const checkAgentCreate = generateCheckAccess({
   getRoleByName,
 });
 
-// If the user has ADMIN role
-// then action edition is possible even if not owner of the assistant
-const isAdmin = (req) => {
-  return req.user.role === SystemRoles.ADMIN;
-};
-
 /**
  * Retrieves all user's actions
  * @route GET /actions/
@@ -37,10 +33,22 @@ const isAdmin = (req) => {
  */
 router.get('/', async (req, res) => {
   try {
-    const admin = isAdmin(req);
-    // If admin, get all actions, otherwise only user's actions
-    const searchParams = admin ? {} : { user: req.user.id };
-    res.json(await getActions(searchParams));
+    const userId = req.user.id;
+    const editableAgentObjectIds = await findAccessibleResources({
+      userId,
+      resourceType: 'agent',
+      requiredPermissions: PermissionBits.EDIT,
+    });
+
+    const agentsResponse = await getListAgentsByAccess({
+      accessibleIds: editableAgentObjectIds,
+    });
+
+    const editableAgentIds = agentsResponse.data.map((agent) => agent.id);
+    const actions =
+      editableAgentIds.length > 0 ? await getActions({ agent_id: { $in: editableAgentIds } }) : [];
+
+    res.json(actions);
   } catch (error) {
     res.status(500).json({ error: error.message });
   }
@@ -55,106 +63,111 @@ router.get('/', async (req, res) => {
  * @param {ActionMetadata} req.body.metadata - Metadata for the action.
  * @returns {Object} 200 - success response - application/json
  */
-router.post('/:agent_id', checkAgentCreate, async (req, res) => {
-  try {
-    const { agent_id } = req.params;
+router.post(
+  '/:agent_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  checkAgentCreate,
+  async (req, res) => {
+    try {
+      const { agent_id } = req.params;
 
-    /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
-    const { functions, action_id: _action_id, metadata: _metadata } = req.body;
-    if (!functions.length) {
-      return res.status(400).json({ message: 'No functions provided' });
-    }
-
-    let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
-    const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
-    if (!isDomainAllowed) {
-      return res.status(400).json({ message: 'Domain not allowed' });
-    }
-
-    let { domain } = metadata;
-    domain = await domainParser(domain, true);
-
-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
-    }
-
-    const action_id = _action_id ?? nanoid();
-    const initialPromises = [];
-    const admin = isAdmin(req);
-
-    // If admin, can edit any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    // TODO: share agents
-    initialPromises.push(getAgent(agentQuery));
-    if (_action_id) {
-      initialPromises.push(getActions({ action_id }, true));
-    }
-
-    /** @type {[Agent, [Action|undefined]]} */
-    const [agent, actions_result] = await Promise.all(initialPromises);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for adding action' });
-    }
-
-    if (actions_result && actions_result.length) {
-      const action = actions_result[0];
-      metadata = { ...action.metadata, ...metadata };
-    }
-
-    const { actions: _actions = [], author: agent_author } = agent ?? {};
-    const actions = [];
-    for (const action of _actions) {
-      const [_action_domain, current_action_id] = action.split(actionDelimiter);
-      if (current_action_id === action_id) {
-        continue;
+      /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
+      const { functions, action_id: _action_id, metadata: _metadata } = req.body;
+      if (!functions.length) {
+        return res.status(400).json({ message: 'No functions provided' });
       }
 
-      actions.push(action);
-    }
-
-    actions.push(`${domain}${actionDelimiter}${action_id}`);
-
-    /** @type {string[]}} */
-    const { tools: _tools = [] } = agent;
-
-    const tools = _tools
-      .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
-      .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
-
-    // Force version update since actions are changing
-    const updatedAgent = await updateAgent(
-      agentQuery,
-      { tools, actions },
-      {
-        updatingUserId: req.user.id,
-        forceVersion: true,
-      },
-    );
-
-    // Only update user field for new actions
-    const actionUpdateData = { metadata, agent_id };
-    if (!actions_result || !actions_result.length) {
-      // For new actions, use the agent owner's user ID
-      actionUpdateData.user = agent_author || req.user.id;
-    }
-
-    /** @type {[Action]} */
-    const updatedAction = await updateAction({ action_id }, actionUpdateData);
-
-    const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
-    for (let field of sensitiveFields) {
-      if (updatedAction.metadata[field]) {
-        delete updatedAction.metadata[field];
+      let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
+      const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
+      if (!isDomainAllowed) {
+        return res.status(400).json({ message: 'Domain not allowed' });
       }
-    }
 
-    res.json([updatedAgent, updatedAction]);
-  } catch (error) {
-    const message = 'Trouble updating the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+      let { domain } = metadata;
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const action_id = _action_id ?? nanoid();
+      const initialPromises = [];
+
+      // Permissions already validated by middleware - load agent directly
+      initialPromises.push(getAgent({ id: agent_id }));
+      if (_action_id) {
+        initialPromises.push(getActions({ action_id }, true));
+      }
+
+      /** @type {[Agent, [Action|undefined]]} */
+      const [agent, actions_result] = await Promise.all(initialPromises);
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for adding action' });
+      }
+
+      if (actions_result && actions_result.length) {
+        const action = actions_result[0];
+        metadata = { ...action.metadata, ...metadata };
+      }
+
+      const { actions: _actions = [], author: agent_author } = agent ?? {};
+      const actions = [];
+      for (const action of _actions) {
+        const [_action_domain, current_action_id] = action.split(actionDelimiter);
+        if (current_action_id === action_id) {
+          continue;
+        }
+
+        actions.push(action);
+      }
+
+      actions.push(`${domain}${actionDelimiter}${action_id}`);
+
+      /** @type {string[]}} */
+      const { tools: _tools = [] } = agent;
+
+      const tools = _tools
+        .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
+        .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
+
+      // Force version update since actions are changing
+      const updatedAgent = await updateAgent(
+        { id: agent_id },
+        { tools, actions },
+        {
+          updatingUserId: req.user.id,
+          forceVersion: true,
+        },
+      );
+
+      // Only update user field for new actions
+      const actionUpdateData = { metadata, agent_id };
+      if (!actions_result || !actions_result.length) {
+        // For new actions, use the agent owner's user ID
+        actionUpdateData.user = agent_author || req.user.id;
+      }
+
+      /** @type {[Action]} */
+      const updatedAction = await updateAction({ action_id }, actionUpdateData);
+
+      const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
+      for (let field of sensitiveFields) {
+        if (updatedAction.metadata[field]) {
+          delete updatedAction.metadata[field];
+        }
+      }
+
+      res.json([updatedAgent, updatedAction]);
+    } catch (error) {
+      const message = 'Trouble updating the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
+    }
+  },
+);
 
 /**
  * Deletes an action for a specific agent.
@@ -163,52 +176,56 @@ router.post('/:agent_id', checkAgentCreate, async (req, res) => {
  * @param {string} req.params.action_id - The ID of the action to delete.
  * @returns {Object} 200 - success response - application/json
  */
-router.delete('/:agent_id/:action_id', checkAgentCreate, async (req, res) => {
-  try {
-    const { agent_id, action_id } = req.params;
-    const admin = isAdmin(req);
+router.delete(
+  '/:agent_id/:action_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  checkAgentCreate,
+  async (req, res) => {
+    try {
+      const { agent_id, action_id } = req.params;
 
-    // If admin, can delete any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    const agent = await getAgent(agentQuery);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for deleting action' });
-    }
-
-    const { tools = [], actions = [] } = agent;
-
-    let domain = '';
-    const updatedActions = actions.filter((action) => {
-      if (action.includes(action_id)) {
-        [domain] = action.split(actionDelimiter);
-        return false;
+      // Permissions already validated by middleware - load agent directly
+      const agent = await getAgent({ id: agent_id });
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for deleting action' });
       }
-      return true;
-    });
 
-    domain = await domainParser(domain, true);
+      const { tools = [], actions = [] } = agent;
 
-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
+      let domain = '';
+      const updatedActions = actions.filter((action) => {
+        if (action.includes(action_id)) {
+          [domain] = action.split(actionDelimiter);
+          return false;
+        }
+        return true;
+      });
+
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
+
+      // Force version update since actions are being removed
+      await updateAgent(
+        { id: agent_id },
+        { tools: updatedTools, actions: updatedActions },
+        { updatingUserId: req.user.id, forceVersion: true },
+      );
+      await deleteAction({ action_id });
+      res.status(200).json({ message: 'Action deleted successfully' });
+    } catch (error) {
+      const message = 'Trouble deleting the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
     }
-
-    const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
-
-    // Force version update since actions are being removed
-    await updateAgent(
-      agentQuery,
-      { tools: updatedTools, actions: updatedActions },
-      { updatingUserId: req.user.id, forceVersion: true },
-    );
-    // If admin, can delete any action, otherwise only user's actions
-    const actionQuery = admin ? { action_id } : { action_id, user: req.user.id };
-    await deleteAction(actionQuery);
-    res.status(200).json({ message: 'Action deleted successfully' });
-  } catch (error) {
-    const message = 'Trouble deleting the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+  },
+);
 
 module.exports = router;

api/server/routes/agents/chat.js

@@ -1,4 +1,5 @@
 const express = require('express');
+const { PermissionBits } = require('@librechat/data-schemas');
 const { generateCheckAccess, skipAgentCheck } = require('@librechat/api');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
 const {
@@ -7,6 +8,7 @@ const {
   // validateModel,
   validateConvoAccess,
   buildEndpointOption,
+  canAccessAgentFromBody,
 } = require('~/server/middleware');
 const { initializeClient } = require('~/server/services/Endpoints/agents');
 const AgentController = require('~/server/controllers/agents/request');
@@ -23,8 +25,12 @@ const checkAgentAccess = generateCheckAccess({
   skipCheck: skipAgentCheck,
   getRoleByName,
 });
+const checkAgentResourceAccess = canAccessAgentFromBody({
+  requiredPermission: PermissionBits.VIEW,
+});
 
 router.use(checkAgentAccess);
+router.use(checkAgentResourceAccess);
 router.use(validateConvoAccess);
 router.use(buildEndpointOption);
 router.use(setHeaders);

api/server/routes/agents/index.js

@@ -37,4 +37,6 @@ if (isEnabled(LIMIT_MESSAGE_USER)) {
 chatRouter.use('/', chat);
 router.use('/chat', chatRouter);
 
+// Add marketplace routes
+
 module.exports = router;

api/server/routes/agents/v1.js

@@ -1,7 +1,8 @@
 const express = require('express');
 const { generateCheckAccess } = require('@librechat/api');
+const { PermissionBits } = require('@librechat/data-schemas');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
-const { requireJwtAuth } = require('~/server/middleware');
+const { requireJwtAuth, canAccessAgentResource } = require('~/server/middleware');
 const v1 = require('~/server/controllers/agents/v1');
 const { getRoleByName } = require('~/models/Role');
 const actions = require('./actions');
@@ -44,6 +45,11 @@ router.use('/actions', actions);
  */
 router.use('/tools', tools);
 
+/**
+ * Get all agent categories with counts
+ * @route GET /agents/marketplace/categories
+ */
+router.get('/categories', v1.getAgentCategories);
 /**
  * Creates an agent.
  * @route POST /agents
@@ -53,13 +59,38 @@ router.use('/tools', tools);
 router.post('/', checkAgentCreate, v1.createAgent);
 
 /**
- * Retrieves an agent.
+ * Retrieves basic agent information (VIEW permission required).
+ * Returns safe, non-sensitive agent data for viewing purposes.
  * @route GET /agents/:id
  * @param {string} req.params.id - Agent identifier.
- * @returns {Agent} 200 - Success response - application/json
+ * @returns {Agent} 200 - Basic agent info - application/json
  */
-router.get('/:id', checkAgentAccess, v1.getAgent);
+router.get(
+  '/:id',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.VIEW,
+    resourceIdParam: 'id',
+  }),
+  v1.getAgent,
+);
 
+/**
+ * Retrieves full agent details including sensitive configuration (EDIT permission required).
+ * Returns complete agent data for editing/configuration purposes.
+ * @route GET /agents/:id/expanded
+ * @param {string} req.params.id - Agent identifier.
+ * @returns {Agent} 200 - Full agent details - application/json
+ */
+router.get(
+  '/:id/expanded',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'id',
+  }),
+  (req, res) => v1.getAgent(req, res, true), // Expanded version
+);
 /**
  * Updates an agent.
  * @route PATCH /agents/:id
@@ -67,7 +98,15 @@ router.get('/:id', checkAgentAccess, v1.getAgent);
  * @param {AgentUpdateParams} req.body - The agent update parameters.
  * @returns {Agent} 200 - Success response - application/json
  */
-router.patch('/:id', checkGlobalAgentShare, v1.updateAgent);
+router.patch(
+  '/:id',
+  checkGlobalAgentShare,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'id',
+  }),
+  v1.updateAgent,
+);
 
 /**
  * Duplicates an agent.
@@ -75,7 +114,15 @@ router.patch('/:id', checkGlobalAgentShare, v1.updateAgent);
  * @param {string} req.params.id - Agent identifier.
  * @returns {Agent} 201 - Success response - application/json
  */
-router.post('/:id/duplicate', checkAgentCreate, v1.duplicateAgent);
+router.post(
+  '/:id/duplicate',
+  checkAgentCreate,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.VIEW,
+    resourceIdParam: 'id',
+  }),
+  v1.duplicateAgent,
+);
 
 /**
  * Deletes an agent.
@@ -83,7 +130,15 @@ router.post('/:id/duplicate', checkAgentCreate, v1.duplicateAgent);
  * @param {string} req.params.id - Agent identifier.
  * @returns {Agent} 200 - success response - application/json
  */
-router.delete('/:id', checkAgentCreate, v1.deleteAgent);
+router.delete(
+  '/:id',
+  checkAgentCreate,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.DELETE,
+    resourceIdParam: 'id',
+  }),
+  v1.deleteAgent,
+);
 
 /**
  * Reverts an agent to a previous version.
@@ -110,6 +165,14 @@ router.get('/', checkAgentAccess, v1.getListAgents);
  * @param {string} [req.body.metadata] - Optional metadata for the agent's avatar.
  * @returns {Object} 200 - success response - application/json
  */
-avatar.post('/:agent_id/avatar/', checkAgentAccess, v1.uploadAgentAvatar);
+avatar.post(
+  '/:agent_id/avatar/',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  v1.uploadAgentAvatar,
+);
 
 module.exports = { v1: router, avatar };

api/server/routes/files/files.agents.test.js

@@ -0,0 +1,342 @@
+const express = require('express');
+const request = require('supertest');
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { PERMISSION_BITS } = require('librechat-data-provider');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { createMethods } = require('@librechat/data-schemas');
+const { createAgent } = require('~/models/Agent');
+const { createFile } = require('~/models/File');
+
+// Only mock the external dependencies that we don't want to test
+jest.mock('~/server/services/Files/process', () => ({
+  processDeleteRequest: jest.fn().mockResolvedValue({}),
+  filterFile: jest.fn(),
+  processFileUpload: jest.fn(),
+  processAgentFileUpload: jest.fn(),
+}));
+
+jest.mock('~/server/services/Files/strategies', () => ({
+  getStrategyFunctions: jest.fn(() => ({})),
+}));
+
+jest.mock('~/server/controllers/assistants/helpers', () => ({
+  getOpenAIClient: jest.fn(),
+}));
+
+jest.mock('~/server/services/Tools/credentials', () => ({
+  loadAuthValues: jest.fn(),
+}));
+
+// Import the router
+const router = require('~/server/routes/files/files');
+
+describe('File Routes - Agent Files Endpoint', () => {
+  let app;
+  let mongoServer;
+  let authorId;
+  let otherUserId;
+  let agentId;
+  let fileId1;
+  let fileId2;
+  let fileId3;
+  let File;
+  let User;
+  let Agent;
+  let methods;
+  let AclEntry;
+  // eslint-disable-next-line no-unused-vars
+  let AccessRole;
+  let modelsToCleanup = [];
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+
+    // Initialize all models using createModels
+    const { createModels } = require('@librechat/data-schemas');
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    Object.assign(mongoose.models, models);
+
+    // Create methods with our test mongoose instance
+    methods = createMethods(mongoose);
+
+    // Now we can access models from the db/models
+    File = models.File;
+    Agent = models.Agent;
+    AclEntry = models.AclEntry;
+    User = models.User;
+    AccessRole = models.AccessRole;
+
+    // Seed default roles using our methods
+    await methods.seedDefaultRoles();
+
+    app = express();
+    app.use(express.json());
+
+    // Mock authentication middleware
+    app.use((req, res, next) => {
+      req.user = { id: otherUserId || 'default-user' };
+      req.app = { locals: {} };
+      next();
+    });
+
+    app.use('/files', router);
+  });
+
+  afterAll(async () => {
+    // Clean up all collections before disconnecting
+    const collections = mongoose.connection.collections;
+    for (const key in collections) {
+      await collections[key].deleteMany({});
+    }
+
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    // Clean up all test data
+    await File.deleteMany({});
+    await Agent.deleteMany({});
+    await User.deleteMany({});
+    await AclEntry.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
+
+    // Create test users
+    authorId = new mongoose.Types.ObjectId();
+    otherUserId = new mongoose.Types.ObjectId();
+    agentId = uuidv4();
+    fileId1 = uuidv4();
+    fileId2 = uuidv4();
+    fileId3 = uuidv4();
+
+    // Create users in database
+    await User.create({
+      _id: authorId,
+      username: 'author',
+      email: 'author@test.com',
+    });
+
+    await User.create({
+      _id: otherUserId,
+      username: 'other',
+      email: 'other@test.com',
+    });
+
+    // Create files
+    await createFile({
+      user: authorId,
+      file_id: fileId1,
+      filename: 'file1.txt',
+      filepath: '/uploads/file1.txt',
+      bytes: 100,
+      type: 'text/plain',
+    });
+
+    await createFile({
+      user: authorId,
+      file_id: fileId2,
+      filename: 'file2.txt',
+      filepath: '/uploads/file2.txt',
+      bytes: 200,
+      type: 'text/plain',
+    });
+
+    await createFile({
+      user: otherUserId,
+      file_id: fileId3,
+      filename: 'file3.txt',
+      filepath: '/uploads/file3.txt',
+      bytes: 300,
+      type: 'text/plain',
+    });
+  });
+
+  describe('GET /files/agent/:agent_id', () => {
+    it('should return files accessible through the agent for non-author with EDIT permission', async () => {
+      // Create an agent with files attached
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, fileId2],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent using PermissionService
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      // Mock req.user for this request
+      app.use((req, res, next) => {
+        req.user = { id: otherUserId.toString() };
+        next();
+      });
+
+      const response = await request(app).get(`/files/agent/${agentId}`);
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toHaveLength(2);
+      expect(response.body.map((f) => f.file_id)).toContain(fileId1);
+      expect(response.body.map((f) => f.file_id)).toContain(fileId2);
+    });
+
+    it('should return 400 when agent_id is not provided', async () => {
+      const response = await request(app).get('/files/agent/');
+
+      expect(response.status).toBe(404); // Express returns 404 for missing route parameter
+    });
+
+    it('should return empty array for non-existent agent', async () => {
+      const response = await request(app).get('/files/agent/non-existent-agent');
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toEqual([]);
+    });
+
+    it('should return empty array when user only has VIEW permission', async () => {
+      // Create an agent with files attached
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, fileId2],
+          },
+        },
+      });
+
+      // Grant only VIEW permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_viewer',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app).get(`/files/agent/${agentId}`);
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toEqual([]);
+    });
+
+    it('should return agent files for agent author', async () => {
+      // Create an agent with files attached
+      await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, fileId2],
+          },
+        },
+      });
+
+      // Create a new app instance with author authentication
+      const authorApp = express();
+      authorApp.use(express.json());
+      authorApp.use((req, res, next) => {
+        req.user = { id: authorId.toString() };
+        req.app = { locals: {} };
+        next();
+      });
+      authorApp.use('/files', router);
+
+      const response = await request(authorApp).get(`/files/agent/${agentId}`);
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toHaveLength(2);
+    });
+
+    it('should return files uploaded by other users to shared agent for author', async () => {
+      const anotherUserId = new mongoose.Types.ObjectId();
+      const otherUserFileId = uuidv4();
+
+      await User.create({
+        _id: anotherUserId,
+        username: 'another',
+        email: 'another@test.com',
+      });
+
+      await createFile({
+        user: anotherUserId,
+        file_id: otherUserFileId,
+        filename: 'other-user-file.txt',
+        filepath: '/uploads/other-user-file.txt',
+        bytes: 400,
+        type: 'text/plain',
+      });
+
+      // Create agent to include the file uploaded by another user
+      await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, otherUserFileId],
+          },
+        },
+      });
+
+      // Create a new app instance with author authentication
+      const authorApp = express();
+      authorApp.use(express.json());
+      authorApp.use((req, res, next) => {
+        req.user = { id: authorId.toString() };
+        req.app = { locals: {} };
+        next();
+      });
+      authorApp.use('/files', router);
+
+      const response = await request(authorApp).get(`/files/agent/${agentId}`);
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toHaveLength(2);
+      expect(response.body.map((f) => f.file_id)).toContain(fileId1);
+      expect(response.body.map((f) => f.file_id)).toContain(otherUserFileId);
+    });
+  });
+});

api/server/routes/files/files.js

@@ -6,6 +6,7 @@ const {
   isUUID,
   CacheKeys,
   FileSources,
+  PERMISSION_BITS,
   EModelEndpoint,
   isAgentsEndpoint,
   checkOpenAIStorage,
@@ -18,8 +19,10 @@ const {
 } = require('~/server/services/Files/process');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { getOpenAIClient } = require('~/server/controllers/assistants/helpers');
+const { checkPermission } = require('~/server/services/PermissionService');
 const { loadAuthValues } = require('~/server/services/Tools/credentials');
 const { refreshS3FileUrls } = require('~/server/services/Files/S3/crud');
+const { hasAccessToFilesViaAgent } = require('~/server/services/Files');
 const { getFiles, batchUpdateFiles } = require('~/models/File');
 const { getAssistant } = require('~/models/Assistant');
 const { getAgent } = require('~/models/Agent');
@@ -50,6 +53,69 @@ router.get('/', async (req, res) => {
   }
 });
 
+/**
+ * Get files specific to an agent
+ * @route GET /files/agent/:agent_id
+ * @param {string} agent_id - The agent ID to get files for
+ * @returns {Promise<TFile[]>} Array of files attached to the agent
+ */
+router.get('/agent/:agent_id', async (req, res) => {
+  try {
+    const { agent_id } = req.params;
+    const userId = req.user.id;
+
+    if (!agent_id) {
+      return res.status(400).json({ error: 'Agent ID is required' });
+    }
+
+    // Get the agent to check ownership and attached files
+    const agent = await getAgent({ id: agent_id });
+
+    if (!agent) {
+      // No agent found, return empty array
+      return res.status(200).json([]);
+    }
+
+    // Check if user has access to the agent
+    if (agent.author.toString() !== userId) {
+      // Non-authors need at least EDIT permission to view agent files
+      const hasEditPermission = await checkPermission({
+        userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        requiredPermission: PERMISSION_BITS.EDIT,
+      });
+
+      if (!hasEditPermission) {
+        return res.status(200).json([]);
+      }
+    }
+
+    // Collect all file IDs from agent's tool resources
+    const agentFileIds = [];
+    if (agent.tool_resources) {
+      for (const [, resource] of Object.entries(agent.tool_resources)) {
+        if (resource?.file_ids && Array.isArray(resource.file_ids)) {
+          agentFileIds.push(...resource.file_ids);
+        }
+      }
+    }
+
+    // If no files attached to agent, return empty array
+    if (agentFileIds.length === 0) {
+      return res.status(200).json([]);
+    }
+
+    // Get only the files attached to this agent
+    const files = await getFiles({ file_id: { $in: agentFileIds } }, null, { text: 0 });
+
+    res.status(200).json(files);
+  } catch (error) {
+    logger.error('[/files/agent/:agent_id] Error fetching agent files:', error);
+    res.status(500).json({ error: 'Failed to fetch agent files' });
+  }
+});
+
 router.get('/config', async (req, res) => {
   try {
     res.status(200).json(req.app.locals.fileConfig);
@@ -86,11 +152,62 @@ router.delete('/', async (req, res) => {
 
     const fileIds = files.map((file) => file.file_id);
     const dbFiles = await getFiles({ file_id: { $in: fileIds } });
-    const unauthorizedFiles = dbFiles.filter((file) => file.user.toString() !== req.user.id);
+
+    const ownedFiles = [];
+    const nonOwnedFiles = [];
+    const fileMap = new Map();
+
+    for (const file of dbFiles) {
+      fileMap.set(file.file_id, file);
+      if (file.user.toString() === req.user.id) {
+        ownedFiles.push(file);
+      } else {
+        nonOwnedFiles.push(file);
+      }
+    }
+
+    // If all files are owned by the user, no need for further checks
+    if (nonOwnedFiles.length === 0) {
+      await processDeleteRequest({ req, files: ownedFiles });
+      logger.debug(
+        `[/files] Files deleted successfully: ${ownedFiles
+          .filter((f) => f.file_id)
+          .map((f) => f.file_id)
+          .join(', ')}`,
+      );
+      res.status(200).json({ message: 'Files deleted successfully' });
+      return;
+    }
+
+    // Check access for non-owned files
+    let authorizedFiles = [...ownedFiles];
+    let unauthorizedFiles = [];
+
+    if (req.body.agent_id && nonOwnedFiles.length > 0) {
+      // Batch check access for all non-owned files
+      const nonOwnedFileIds = nonOwnedFiles.map((f) => f.file_id);
+      const accessMap = await hasAccessToFilesViaAgent(
+        req.user.id,
+        nonOwnedFileIds,
+        req.body.agent_id,
+      );
+
+      // Separate authorized and unauthorized files
+      for (const file of nonOwnedFiles) {
+        if (accessMap.get(file.file_id)) {
+          authorizedFiles.push(file);
+        } else {
+          unauthorizedFiles.push(file);
+        }
+      }
+    } else {
+      // No agent context, all non-owned files are unauthorized
+      unauthorizedFiles = nonOwnedFiles;
+    }
 
     if (unauthorizedFiles.length > 0) {
       return res.status(403).json({
-        message: 'You can only delete your own files',
+        message: 'You can only delete files you have access to',
         unauthorizedFiles: unauthorizedFiles.map((f) => f.file_id),
       });
     }
@@ -131,10 +248,10 @@ router.delete('/', async (req, res) => {
         .json({ message: 'File associations removed successfully from Azure Assistant' });
     }
 
-    await processDeleteRequest({ req, files: dbFiles });
+    await processDeleteRequest({ req, files: authorizedFiles });
 
     logger.debug(
-      `[/files] Files deleted successfully: ${files
+      `[/files] Files deleted successfully: ${authorizedFiles
         .filter((f) => f.file_id)
         .map((f) => f.file_id)
         .join(', ')}`,

api/server/routes/files/files.test.js

@@ -0,0 +1,423 @@
+const express = require('express');
+const request = require('supertest');
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { createMethods } = require('@librechat/data-schemas');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { createAgent } = require('~/models/Agent');
+const { createFile } = require('~/models/File');
+
+// Only mock the external dependencies that we don't want to test
+jest.mock('~/server/services/Files/process', () => ({
+  processDeleteRequest: jest.fn().mockResolvedValue({}),
+  filterFile: jest.fn(),
+  processFileUpload: jest.fn(),
+  processAgentFileUpload: jest.fn(),
+}));
+
+jest.mock('~/server/services/Files/strategies', () => ({
+  getStrategyFunctions: jest.fn(() => ({})),
+}));
+
+jest.mock('~/server/controllers/assistants/helpers', () => ({
+  getOpenAIClient: jest.fn(),
+}));
+
+jest.mock('~/server/services/Tools/credentials', () => ({
+  loadAuthValues: jest.fn(),
+}));
+
+jest.mock('~/server/services/Files/S3/crud', () => ({
+  refreshS3FileUrls: jest.fn(),
+}));
+
+jest.mock('~/cache', () => ({
+  getLogStores: jest.fn(() => ({
+    get: jest.fn(),
+    set: jest.fn(),
+  })),
+}));
+
+jest.mock('~/config', () => ({
+  logger: {
+    error: jest.fn(),
+    warn: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+const { processDeleteRequest } = require('~/server/services/Files/process');
+
+// Import the router after mocks
+const router = require('./files');
+
+describe('File Routes - Delete with Agent Access', () => {
+  let app;
+  let mongoServer;
+  let authorId;
+  let otherUserId;
+  let fileId;
+  let File;
+  let Agent;
+  let AclEntry;
+  let User;
+  let AccessRole;
+  let methods;
+  let modelsToCleanup = [];
+  // eslint-disable-next-line no-unused-vars
+  let agentId;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+
+    // Initialize all models using createModels
+    const { createModels } = require('@librechat/data-schemas');
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    Object.assign(mongoose.models, models);
+
+    // Create methods with our test mongoose instance
+    methods = createMethods(mongoose);
+
+    // Now we can access models from the db/models
+    File = models.File;
+    Agent = models.Agent;
+    AclEntry = models.AclEntry;
+    User = models.User;
+    AccessRole = models.AccessRole;
+
+    // Seed default roles using our methods
+    await methods.seedDefaultRoles();
+
+    app = express();
+    app.use(express.json());
+
+    // Mock authentication middleware
+    app.use((req, res, next) => {
+      req.user = { id: otherUserId ? otherUserId.toString() : 'default-user' };
+      req.app = { locals: {} };
+      next();
+    });
+
+    app.use('/files', router);
+  });
+
+  afterAll(async () => {
+    // Clean up all collections before disconnecting
+    const collections = mongoose.connection.collections;
+    for (const key in collections) {
+      await collections[key].deleteMany({});
+    }
+
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    jest.clearAllMocks();
+
+    // Clear database - clean up all test data
+    await File.deleteMany({});
+    await Agent.deleteMany({});
+    await User.deleteMany({});
+    await AclEntry.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
+
+    // Create test data
+    authorId = new mongoose.Types.ObjectId();
+    otherUserId = new mongoose.Types.ObjectId();
+    agentId = uuidv4();
+    fileId = uuidv4();
+
+    // Create users in database
+    await User.create({
+      _id: authorId,
+      username: 'author',
+      email: 'author@test.com',
+    });
+
+    await User.create({
+      _id: otherUserId,
+      username: 'other',
+      email: 'other@test.com',
+    });
+
+    // Create a file owned by the author
+    await createFile({
+      user: authorId,
+      file_id: fileId,
+      filename: 'test.txt',
+      filepath: '/uploads/test.txt',
+      bytes: 100,
+      type: 'text/plain',
+    });
+  });
+
+  describe('DELETE /files', () => {
+    it('should allow deleting files owned by the user', async () => {
+      // Create a file owned by the current user
+      const userFileId = uuidv4();
+      await createFile({
+        user: otherUserId,
+        file_id: userFileId,
+        filename: 'user-file.txt',
+        filepath: '/uploads/user-file.txt',
+        bytes: 200,
+        type: 'text/plain',
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          files: [
+            {
+              file_id: userFileId,
+              filepath: '/uploads/user-file.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(200);
+      expect(response.body.message).toBe('Files deleted successfully');
+      expect(processDeleteRequest).toHaveBeenCalled();
+    });
+
+    it('should prevent deleting files not owned by user without agent context', async () => {
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          files: [
+            {
+              file_id: fileId,
+              filepath: '/uploads/test.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(403);
+      expect(response.body.message).toBe('You can only delete files you have access to');
+      expect(response.body.unauthorizedFiles).toContain(fileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
+    });
+
+    it('should allow deleting files accessible through shared agent', async () => {
+      // Create an agent with the file attached
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          agent_id: agent.id,
+          files: [
+            {
+              file_id: fileId,
+              filepath: '/uploads/test.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(200);
+      expect(response.body.message).toBe('Files deleted successfully');
+      expect(processDeleteRequest).toHaveBeenCalled();
+    });
+
+    it('should prevent deleting files not attached to the specified agent', async () => {
+      // Create another file not attached to the agent
+      const unattachedFileId = uuidv4();
+      await createFile({
+        user: authorId,
+        file_id: unattachedFileId,
+        filename: 'unattached.txt',
+        filepath: '/uploads/unattached.txt',
+        bytes: 300,
+        type: 'text/plain',
+      });
+
+      // Create an agent without the unattached file
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId], // Only fileId, not unattachedFileId
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          agent_id: agent.id,
+          files: [
+            {
+              file_id: unattachedFileId,
+              filepath: '/uploads/unattached.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(403);
+      expect(response.body.message).toBe('You can only delete files you have access to');
+      expect(response.body.unauthorizedFiles).toContain(unattachedFileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
+    });
+
+    it('should handle mixed authorized and unauthorized files', async () => {
+      // Create a file owned by the current user
+      const userFileId = uuidv4();
+      await createFile({
+        user: otherUserId,
+        file_id: userFileId,
+        filename: 'user-file.txt',
+        filepath: '/uploads/user-file.txt',
+        bytes: 200,
+        type: 'text/plain',
+      });
+
+      // Create an unauthorized file
+      const unauthorizedFileId = uuidv4();
+      await createFile({
+        user: authorId,
+        file_id: unauthorizedFileId,
+        filename: 'unauthorized.txt',
+        filepath: '/uploads/unauthorized.txt',
+        bytes: 400,
+        type: 'text/plain',
+      });
+
+      // Create an agent with only fileId attached
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          agent_id: agent.id,
+          files: [
+            { file_id: userFileId, filepath: '/uploads/user-file.txt' },
+            { file_id: fileId, filepath: '/uploads/test.txt' },
+            { file_id: unauthorizedFileId, filepath: '/uploads/unauthorized.txt' },
+          ],
+        });
+
+      expect(response.status).toBe(403);
+      expect(response.body.message).toBe('You can only delete files you have access to');
+      expect(response.body.unauthorizedFiles).toContain(unauthorizedFileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
+    });
+
+    it('should prevent deleting files when user lacks EDIT permission on agent', async () => {
+      // Create an agent with the file attached
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant only VIEW permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_viewer',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          agent_id: agent.id,
+          files: [
+            {
+              file_id: fileId,
+              filepath: '/uploads/test.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(403);
+      expect(response.body.message).toBe('You can only delete files you have access to');
+      expect(response.body.unauthorizedFiles).toContain(fileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
+    });
+  });
+});

api/server/routes/index.js

@@ -1,3 +1,4 @@
+const accessPermissions = require('./accessPermissions');
 const assistants = require('./assistants');
 const categories = require('./categories');
 const tokenizer = require('./tokenizer');
@@ -28,6 +29,7 @@ const user = require('./user');
 const mcp = require('./mcp');
 
 module.exports = {
+  mcp,
   edit,
   auth,
   keys,
@@ -55,5 +57,5 @@ module.exports = {
   assistants,
   categories,
   staticRoute,
-  mcp,
+  accessPermissions,
 };

api/server/routes/memories.js

@@ -172,40 +172,68 @@ router.patch('/preferences', checkMemoryOptOut, async (req, res) => {
 /**
  * PATCH /memories/:key
  * Updates the value of an existing memory entry for the authenticated user.
- * Body: { value: string }
+ * Body: { key?: string, value: string }
  * Returns 200 and { updated: true, memory: <updatedDoc> } when successful.
  */
 router.patch('/:key', checkMemoryUpdate, async (req, res) => {
-  const { key } = req.params;
-  const { value } = req.body || {};
+  const { key: urlKey } = req.params;
+  const { key: bodyKey, value } = req.body || {};
 
   if (typeof value !== 'string' || value.trim() === '') {
     return res.status(400).json({ error: 'Value is required and must be a non-empty string.' });
   }
 
+  // Use the key from the body if provided, otherwise use the key from the URL
+  const newKey = bodyKey || urlKey;
+
   try {
     const tokenCount = Tokenizer.getTokenCount(value, 'o200k_base');
 
     const memories = await getAllUserMemories(req.user.id);
-    const existingMemory = memories.find((m) => m.key === key);
+    const existingMemory = memories.find((m) => m.key === urlKey);
 
     if (!existingMemory) {
       return res.status(404).json({ error: 'Memory not found.' });
     }
 
-    const result = await setMemory({
-      userId: req.user.id,
-      key,
-      value,
-      tokenCount,
-    });
+    // If the key is changing, we need to handle it specially
+    if (newKey !== urlKey) {
+      const keyExists = memories.find((m) => m.key === newKey);
+      if (keyExists) {
+        return res.status(409).json({ error: 'Memory with this key already exists.' });
+      }
 
-    if (!result.ok) {
-      return res.status(500).json({ error: 'Failed to update memory.' });
+      const createResult = await createMemory({
+        userId: req.user.id,
+        key: newKey,
+        value,
+        tokenCount,
+      });
+
+      if (!createResult.ok) {
+        return res.status(500).json({ error: 'Failed to create new memory.' });
+      }
+
+      const deleteResult = await deleteMemory({ userId: req.user.id, key: urlKey });
+      if (!deleteResult.ok) {
+        return res.status(500).json({ error: 'Failed to delete old memory.' });
+      }
+    } else {
+      // Key is not changing, just update the value
+      const result = await setMemory({
+        userId: req.user.id,
+        key: newKey,
+        value,
+        tokenCount,
+      });
+
+      if (!result.ok) {
+        return res.status(500).json({ error: 'Failed to update memory.' });
+      }
     }
 
     const updatedMemories = await getAllUserMemories(req.user.id);
-    const updatedMemory = updatedMemories.find((m) => m.key === key);
+    const updatedMemory = updatedMemories.find((m) => m.key === newKey);
 
     res.json({ updated: true, memory: updatedMemory });
   } catch (error) {

api/server/routes/oauth.js

@@ -9,6 +9,7 @@ const {
   setBalanceConfig,
   checkDomainAllowed,
 } = require('~/server/middleware');
+const { syncUserEntraGroupMemberships } = require('~/server/services/PermissionService');
 const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
 const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');
@@ -35,6 +36,7 @@ const oauthHandler = async (req, res) => {
       req.user.provider == 'openid' &&
       isEnabled(process.env.OPENID_REUSE_TOKENS) === true
     ) {
+      await syncUserEntraGroupMemberships(req.user, req.user.tokenset.access_token);
       setOpenIDAuthTokens(req.user.tokenset, res);
     } else {
       await setAuthTokens(req.user._id, res);

api/server/routes/static.js

@@ -1,8 +1,11 @@
 const express = require('express');
 const staticCache = require('../utils/staticCache');
 const paths = require('~/config/paths');
+const { isEnabled } = require('~/server/utils');
+
+const skipGzipScan = !isEnabled(process.env.ENABLE_IMAGE_OUTPUT_GZIP_SCAN);
 
 const router = express.Router();
-router.use(staticCache(paths.imageOutput));
+router.use(staticCache(paths.imageOutput, { skipGzipScan }));
 
 module.exports = router;

api/server/services/AppService.interface.spec.js

@@ -1,5 +1,7 @@
 jest.mock('~/models', () => ({
   initializeRoles: jest.fn(),
+  seedDefaultRoles: jest.fn(),
+  ensureDefaultCategories: jest.fn(),
 }));
 jest.mock('~/models/Role', () => ({
   updateAccessPermissions: jest.fn(),

api/server/services/AppService.js

@@ -1,12 +1,11 @@
+const { agentsConfigSetup, loadWebSearchConfig } = require('@librechat/api');
 const {
   FileSources,
   loadOCRConfig,
   EModelEndpoint,
   loadMemoryConfig,
   getConfigDefaults,
-  loadWebSearchConfig,
 } = require('librechat-data-provider');
-const { agentsConfigSetup } = require('@librechat/api');
 const {
   checkHealth,
   checkConfig,
@@ -17,6 +16,7 @@ const {
 const { azureAssistantsDefaults, assistantsConfigSetup } = require('./start/assistants');
 const { initializeAzureBlobService } = require('./Files/Azure/initialize');
 const { initializeFirebase } = require('./Files/Firebase/initialize');
+const { seedDefaultRoles, initializeRoles, ensureDefaultCategories } = require('~/models');
 const loadCustomConfig = require('./Config/loadCustomConfig');
 const handleRateLimits = require('./Config/handleRateLimits');
 const { loadDefaultInterface } = require('./start/interface');
@@ -26,7 +26,6 @@ const { processModelSpecs } = require('./start/modelSpecs');
 const { initializeS3 } = require('./Files/S3/initialize');
 const { loadAndFormatTools } = require('./ToolService');
 const { isEnabled } = require('~/server/utils');
-const { initializeRoles } = require('~/models');
 const { setCachedTools } = require('./Config');
 const paths = require('~/config/paths');
 
@@ -37,6 +36,8 @@ const paths = require('~/config/paths');
  */
 const AppService = async (app) => {
   await initializeRoles();
+  await seedDefaultRoles();
+  await ensureDefaultCategories();
   /** @type {TCustomConfig} */
   const config = (await loadCustomConfig()) ?? {};
   const configDefaults = getConfigDefaults();

api/server/services/AppService.spec.js

@@ -28,6 +28,8 @@ jest.mock('./Files/Firebase/initialize', () => ({
 }));
 jest.mock('~/models', () => ({
   initializeRoles: jest.fn(),
+  seedDefaultRoles: jest.fn(),
+  ensureDefaultCategories: jest.fn(),
 }));
 jest.mock('~/models/Role', () => ({
   updateAccessPermissions: jest.fn(),

api/server/services/Config/getCustomConfig.js

@@ -1,10 +1,9 @@
 const { logger } = require('@librechat/data-schemas');
-const { getUserMCPAuthMap } = require('@librechat/api');
+const { isEnabled, getUserMCPAuthMap } = require('@librechat/api');
 const { CacheKeys, EModelEndpoint } = require('librechat-data-provider');
-const { normalizeEndpointName, isEnabled } = require('~/server/utils');
+const { normalizeEndpointName } = require('~/server/utils');
 const loadCustomConfig = require('./loadCustomConfig');
 const { getCachedTools } = require('./getCachedTools');
-const { findPluginAuthsByKeys } = require('~/models');
 const getLogStores = require('~/cache/getLogStores');
 
 /**
@@ -55,46 +54,48 @@ const getCustomEndpointConfig = async (endpoint) => {
   );
 };
 
-async function createGetMCPAuthMap() {
+/**
+ * @param {Object} params
+ * @param {string} params.userId
+ * @param {GenericTool[]} [params.tools]
+ * @param {import('@librechat/data-schemas').PluginAuthMethods['findPluginAuthsByKeys']} params.findPluginAuthsByKeys
+ * @returns {Promise<Record<string, Record<string, string>> | undefined>}
+ */
+async function getMCPAuthMap({ userId, tools, findPluginAuthsByKeys }) {
+  try {
+    if (!tools || tools.length === 0) {
+      return;
+    }
+    const appTools = await getCachedTools({
+      userId,
+    });
+    return await getUserMCPAuthMap({
+      tools,
+      userId,
+      appTools,
+      findPluginAuthsByKeys,
+    });
+  } catch (err) {
+    logger.error(
+      `[api/server/controllers/agents/client.js #chatCompletion] Error getting custom user vars for agent`,
+      err,
+    );
+  }
+}
+
+/**
+ * @returns {Promise<boolean>}
+ */
+async function hasCustomUserVars() {
   const customConfig = await getCustomConfig();
   const mcpServers = customConfig?.mcpServers;
-  const hasCustomUserVars = Object.values(mcpServers ?? {}).some((server) => server.customUserVars);
-  if (!hasCustomUserVars) {
-    return;
-  }
-
-  /**
-   * @param {Object} params
-   * @param {GenericTool[]} [params.tools]
-   * @param {string} params.userId
-   * @returns {Promise<Record<string, Record<string, string>> | undefined>}
-   */
-  return async function ({ tools, userId }) {
-    try {
-      if (!tools || tools.length === 0) {
-        return;
-      }
-      const appTools = await getCachedTools({
-        userId,
-      });
-      return await getUserMCPAuthMap({
-        tools,
-        userId,
-        appTools,
-        findPluginAuthsByKeys,
-      });
-    } catch (err) {
-      logger.error(
-        `[api/server/controllers/agents/client.js #chatCompletion] Error getting custom user vars for agent`,
-        err,
-      );
-    }
-  };
+  return Object.values(mcpServers ?? {}).some((server) => server.customUserVars);
 }
 
 module.exports = {
+  getMCPAuthMap,
   getCustomConfig,
   getBalanceConfig,
-  createGetMCPAuthMap,
+  hasCustomUserVars,
   getCustomEndpointConfig,
 };

api/server/services/Config/loadAsyncEndpoints.js

@@ -22,8 +22,7 @@ async function loadAsyncEndpoints(req) {
   } else {
     /** Only attempt to load service key if GOOGLE_KEY is not provided */
     const serviceKeyPath =
-      process.env.GOOGLE_SERVICE_KEY_FILE_PATH ||
-      path.join(__dirname, '../../..', 'data', 'auth.json');
+      process.env.GOOGLE_SERVICE_KEY_FILE || path.join(__dirname, '../../..', 'data', 'auth.json');
 
     try {
       serviceKey = await loadServiceKey(serviceKeyPath);

api/server/services/Endpoints/agents/agent.js

@@ -8,11 +8,12 @@ const {
   ErrorTypes,
   EModelEndpoint,
   EToolResources,
+  isAgentsEndpoint,
   replaceSpecialVars,
   providerEndpointMap,
 } = require('librechat-data-provider');
-const { getProviderConfig } = require('~/server/services/Endpoints');
 const generateArtifactsPrompt = require('~/app/clients/prompts/artifacts');
+const { getProviderConfig } = require('~/server/services/Endpoints');
 const { processFiles } = require('~/server/services/Files/process');
 const { getFiles, getToolFilesByIds } = require('~/models/File');
 const { getConvoFiles } = require('~/models/Conversation');
@@ -42,7 +43,11 @@ const initializeAgent = async ({
   allowedProviders,
   isInitialAgent = false,
 }) => {
-  if (allowedProviders.size > 0 && !allowedProviders.has(agent.provider)) {
+  if (
+    isAgentsEndpoint(endpointOption?.endpoint) &&
+    allowedProviders.size > 0 &&
+    !allowedProviders.has(agent.provider)
+  ) {
     throw new Error(
       `{ "type": "${ErrorTypes.INVALID_AGENT_PROVIDER}", "info": "${agent.provider}" }`,
     );
@@ -82,6 +87,7 @@ const initializeAgent = async ({
     attachments: currentFiles,
     tool_resources: agent.tool_resources,
     requestFileSet: new Set(requestFiles?.map((file) => file.file_id)),
+    agentId: agent.id,
   });
 
   const provider = agent.provider;
@@ -180,10 +186,11 @@ const initializeAgent = async ({
 
   return {
     ...agent,
+    tools,
     attachments,
     resendFiles,
     toolContextMap,
-    tools,
+    useLegacyContent: !!options.useLegacyContent,
     maxContextTokens: (agentMaxContextTokens - maxTokens) * 0.9,
   };
 };

api/server/services/Endpoints/custom/initialize.js

@@ -139,6 +139,9 @@ const initializeClient = async ({ req, res, endpointOption, optionsOnly, overrid
       );
       clientOptions.modelOptions.user = req.user.id;
       const options = getOpenAIConfig(apiKey, clientOptions, endpoint);
+      if (options != null) {
+        options.useLegacyContent = true;
+      }
       if (!customOptions.streamRate) {
         return options;
       }
@@ -156,6 +159,7 @@ const initializeClient = async ({ req, res, endpointOption, optionsOnly, overrid
     }
 
     return {
+      useLegacyContent: true,
       llmConfig: modelOptions,
     };
   }

api/server/services/Endpoints/google/initialize.js

@@ -25,7 +25,7 @@ const initializeClient = async ({ req, res, endpointOption, overrideModel, optio
     /** Only attempt to load service key if GOOGLE_KEY is not provided */
     try {
       const serviceKeyPath =
-        process.env.GOOGLE_SERVICE_KEY_FILE_PATH ||
+        process.env.GOOGLE_SERVICE_KEY_FILE ||
         path.join(__dirname, '../../../..', 'data', 'auth.json');
       serviceKey = await loadServiceKey(serviceKeyPath);
       if (!serviceKey) {

api/server/services/Endpoints/openAI/initialize.js

@@ -65,19 +65,20 @@ const initializeClient = async ({
   const isAzureOpenAI = endpoint === EModelEndpoint.azureOpenAI;
   /** @type {false | TAzureConfig} */
   const azureConfig = isAzureOpenAI && req.app.locals[EModelEndpoint.azureOpenAI];
-
+  let serverless = false;
   if (isAzureOpenAI && azureConfig) {
     const { modelGroupMap, groupMap } = azureConfig;
     const {
       azureOptions,
       baseURL,
       headers = {},
-      serverless,
+      serverless: _serverless,
     } = mapModelToAzureConfig({
       modelName,
       modelGroupMap,
       groupMap,
     });
+    serverless = _serverless;
 
     clientOptions.reverseProxyUrl = baseURL ?? clientOptions.reverseProxyUrl;
     clientOptions.headers = resolveHeaders(
@@ -143,6 +144,9 @@ const initializeClient = async ({
     clientOptions = Object.assign({ modelOptions }, clientOptions);
     clientOptions.modelOptions.user = req.user.id;
     const options = getOpenAIConfig(apiKey, clientOptions);
+    if (options != null && serverless === true) {
+      options.useLegacyContent = true;
+    }
     const streamRate = clientOptions.streamRate;
     if (!streamRate) {
       return options;

api/server/services/Files/Code/process.js

@@ -11,6 +11,7 @@ const {
   imageExtRegex,
   EToolResources,
 } = require('librechat-data-provider');
+const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { convertImage } = require('~/server/services/Files/images/convert');
 const { createFile, getFiles, updateFile } = require('~/models/File');
@@ -152,6 +153,7 @@ async function getSessionInfo(fileIdentifier, apiKey) {
  * @param {Object} options
  * @param {ServerRequest} options.req
  * @param {Agent['tool_resources']} options.tool_resources
+ * @param {string} [options.agentId] - The agent ID for file access control
  * @param {string} apiKey
  * @returns {Promise<{
  * files: Array<{ id: string; session_id: string; name: string }>,
@@ -159,11 +161,23 @@ async function getSessionInfo(fileIdentifier, apiKey) {
  * }>}
  */
 const primeFiles = async (options, apiKey) => {
-  const { tool_resources } = options;
+  const { tool_resources, req, agentId } = options;
   const file_ids = tool_resources?.[EToolResources.execute_code]?.file_ids ?? [];
   const agentResourceIds = new Set(file_ids);
   const resourceFiles = tool_resources?.[EToolResources.execute_code]?.files ?? [];
-  const dbFiles = ((await getFiles({ file_id: { $in: file_ids } })) ?? []).concat(resourceFiles);
+
+  // Get all files first
+  const allFiles = (await getFiles({ file_id: { $in: file_ids } }, null, { text: 0 })) ?? [];
+
+  // Filter by access if user and agent are provided
+  let dbFiles;
+  if (req?.user?.id && agentId) {
+    dbFiles = await filterFilesByAgentAccess(allFiles, req.user.id, agentId);
+  } else {
+    dbFiles = allFiles;
+  }
+
+  dbFiles = dbFiles.concat(resourceFiles);
 
   const files = [];
   const sessions = new Map();

api/server/services/Files/index.js

@@ -0,0 +1,12 @@
+const { processCodeFile } = require('./Code/process');
+const { processFileUpload } = require('./process');
+const { uploadImageBuffer } = require('./images');
+const { hasAccessToFilesViaAgent, filterFilesByAgentAccess } = require('./permissions');
+
+module.exports = {
+  processCodeFile,
+  processFileUpload,
+  uploadImageBuffer,
+  hasAccessToFilesViaAgent,
+  filterFilesByAgentAccess,
+};

api/server/services/Files/permissions.js

@@ -0,0 +1,123 @@
+const { logger } = require('@librechat/data-schemas');
+const { PERMISSION_BITS } = require('librechat-data-provider');
+const { checkPermission } = require('~/server/services/PermissionService');
+const { getAgent } = require('~/models/Agent');
+
+/**
+ * Checks if a user has access to multiple files through a shared agent (batch operation)
+ * @param {string} userId - The user ID to check access for
+ * @param {string[]} fileIds - Array of file IDs to check
+ * @param {string} agentId - The agent ID that might grant access
+ * @returns {Promise<Map<string, boolean>>} Map of fileId to access status
+ */
+const hasAccessToFilesViaAgent = async (userId, fileIds, agentId) => {
+  const accessMap = new Map();
+
+  // Initialize all files as no access
+  fileIds.forEach((fileId) => accessMap.set(fileId, false));
+
+  try {
+    const agent = await getAgent({ id: agentId });
+
+    if (!agent) {
+      return accessMap;
+    }
+
+    // Check if user is the author - if so, grant access to all files
+    if (agent.author.toString() === userId) {
+      fileIds.forEach((fileId) => accessMap.set(fileId, true));
+      return accessMap;
+    }
+
+    // Check if user has at least VIEW permission on the agent
+    const hasViewPermission = await checkPermission({
+      userId,
+      resourceType: 'agent',
+      resourceId: agent._id,
+      requiredPermission: PERMISSION_BITS.VIEW,
+    });
+
+    if (!hasViewPermission) {
+      return accessMap;
+    }
+
+    // Check if user has EDIT permission (which would indicate collaborative access)
+    const hasEditPermission = await checkPermission({
+      userId,
+      resourceType: 'agent',
+      resourceId: agent._id,
+      requiredPermission: PERMISSION_BITS.EDIT,
+    });
+
+    // If user only has VIEW permission, they can't access files
+    // Only users with EDIT permission or higher can access agent files
+    if (!hasEditPermission) {
+      return accessMap;
+    }
+
+    // User has edit permissions - check which files are actually attached
+    const attachedFileIds = new Set();
+    if (agent.tool_resources) {
+      for (const [_resourceType, resource] of Object.entries(agent.tool_resources)) {
+        if (resource?.file_ids && Array.isArray(resource.file_ids)) {
+          resource.file_ids.forEach((fileId) => attachedFileIds.add(fileId));
+        }
+      }
+    }
+
+    // Grant access only to files that are attached to this agent
+    fileIds.forEach((fileId) => {
+      if (attachedFileIds.has(fileId)) {
+        accessMap.set(fileId, true);
+      }
+    });
+
+    return accessMap;
+  } catch (error) {
+    logger.error('[hasAccessToFilesViaAgent] Error checking file access:', error);
+    return accessMap;
+  }
+};
+
+/**
+ * Filter files based on user access through agents
+ * @param {Array<MongoFile>} files - Array of file documents
+ * @param {string} userId - User ID for access control
+ * @param {string} agentId - Agent ID that might grant access to files
+ * @returns {Promise<Array<MongoFile>>} Filtered array of accessible files
+ */
+const filterFilesByAgentAccess = async (files, userId, agentId) => {
+  if (!userId || !agentId || !files || files.length === 0) {
+    return files;
+  }
+
+  // Separate owned files from files that need access check
+  const filesToCheck = [];
+  const ownedFiles = [];
+
+  for (const file of files) {
+    if (file.user && file.user.toString() === userId) {
+      ownedFiles.push(file);
+    } else {
+      filesToCheck.push(file);
+    }
+  }
+
+  if (filesToCheck.length === 0) {
+    return ownedFiles;
+  }
+
+  // Batch check access for all non-owned files
+  const fileIds = filesToCheck.map((f) => f.file_id);
+  const accessMap = await hasAccessToFilesViaAgent(userId, fileIds, agentId);
+
+  // Filter files based on access
+  const accessibleFiles = filesToCheck.filter((file) => accessMap.get(file.file_id));
+
+  return [...ownedFiles, ...accessibleFiles];
+};
+
+module.exports = {
+  hasAccessToFilesViaAgent,
+  filterFilesByAgentAccess,
+};

api/server/services/GraphApiService.js

@@ -0,0 +1,525 @@
+const client = require('openid-client');
+const { isEnabled } = require('@librechat/api');
+const { logger } = require('@librechat/data-schemas');
+const { CacheKeys } = require('librechat-data-provider');
+const { Client } = require('@microsoft/microsoft-graph-client');
+const { getOpenIdConfig } = require('~/strategies/openidStrategy');
+const getLogStores = require('~/cache/getLogStores');
+
+/**
+ * @import { TPrincipalSearchResult, TGraphPerson, TGraphUser, TGraphGroup, TGraphPeopleResponse, TGraphUsersResponse, TGraphGroupsResponse } from 'librechat-data-provider'
+ */
+
+/**
+ * Checks if Entra ID principal search feature is enabled based on environment variables and user authentication
+ * @param {Object} user - User object from request
+ * @param {string} user.provider - Authentication provider
+ * @param {string} user.openidId - OpenID subject identifier
+ * @returns {boolean} True if Entra ID principal search is enabled and user is authenticated via OpenID
+ */
+const entraIdPrincipalFeatureEnabled = (user) => {
+  return (
+    isEnabled(process.env.USE_ENTRA_ID_FOR_PEOPLE_SEARCH) &&
+    isEnabled(process.env.OPENID_REUSE_TOKENS) &&
+    user?.provider === 'openid' &&
+    user?.openidId
+  );
+};
+
+/**
+ * Creates a Microsoft Graph client with on-behalf-of token exchange
+ * @param {string} accessToken - OpenID Connect access token from user
+ * @param {string} sub - Subject identifier from token claims
+ * @returns {Promise<Client>} Authenticated Graph API client
+ */
+const createGraphClient = async (accessToken, sub) => {
+  try {
+    // Reason: Use existing OpenID configuration and token exchange pattern from openidStrategy.js
+    const openidConfig = getOpenIdConfig();
+    const exchangedToken = await exchangeTokenForGraphAccess(openidConfig, accessToken, sub);
+
+    const graphClient = Client.init({
+      authProvider: (done) => {
+        done(null, exchangedToken);
+      },
+    });
+
+    return graphClient;
+  } catch (error) {
+    logger.error('[createGraphClient] Error creating Graph client:', error);
+    throw error;
+  }
+};
+
+/**
+ * Exchange OpenID token for Graph API access using on-behalf-of flow
+ * Similar to exchangeAccessTokenIfNeeded in openidStrategy.js but for Graph scopes
+ * @param {Configuration} config - OpenID configuration
+ * @param {string} accessToken - Original access token
+ * @param {string} sub - Subject identifier
+ * @returns {Promise<string>} Graph API access token
+ */
+const exchangeTokenForGraphAccess = async (config, accessToken, sub) => {
+  try {
+    const tokensCache = getLogStores(CacheKeys.OPENID_EXCHANGED_TOKENS);
+    const cacheKey = `${sub}:graph`;
+
+    const cachedToken = await tokensCache.get(cacheKey);
+    if (cachedToken) {
+      return cachedToken.access_token;
+    }
+
+    const graphScopes = process.env.OPENID_GRAPH_SCOPES || 'User.Read,People.Read,Group.Read.All';
+    const scopeString = graphScopes
+      .split(',')
+      .map((scope) => `https://graph.microsoft.com/${scope}`)
+      .join(' ');
+
+    const grantResponse = await client.genericGrantRequest(
+      config,
+      'urn:ietf:params:oauth:grant-type:jwt-bearer',
+      {
+        scope: scopeString,
+        assertion: accessToken,
+        requested_token_use: 'on_behalf_of',
+      },
+    );
+
+    await tokensCache.set(
+      cacheKey,
+      {
+        access_token: grantResponse.access_token,
+      },
+      grantResponse.expires_in * 1000,
+    );
+
+    return grantResponse.access_token;
+  } catch (error) {
+    logger.error('[exchangeTokenForGraphAccess] Token exchange failed:', error);
+    throw error;
+  }
+};
+
+/**
+ * Search for principals (people and groups) using Microsoft Graph API
+ * Uses searchContacts first, then searchUsers and searchGroups to fill remaining slots
+ * @param {string} accessToken - OpenID Connect access token
+ * @param {string} sub - Subject identifier
+ * @param {string} query - Search query string
+ * @param {string} type - Type filter ('users', 'groups', or 'all')
+ * @param {number} limit - Maximum number of results
+ * @returns {Promise<TPrincipalSearchResult[]>} Array of principal search results
+ */
+const searchEntraIdPrincipals = async (accessToken, sub, query, type = 'all', limit = 10) => {
+  try {
+    if (!query || query.trim().length < 2) {
+      return [];
+    }
+    const graphClient = await createGraphClient(accessToken, sub);
+    let allResults = [];
+
+    if (type === 'users' || type === 'all') {
+      const contactResults = await searchContacts(graphClient, query, limit);
+      allResults.push(...contactResults);
+    }
+    if (allResults.length >= limit) {
+      return allResults.slice(0, limit);
+    }
+
+    if (type === 'users') {
+      const userResults = await searchUsers(graphClient, query, limit);
+      allResults.push(...userResults);
+    } else if (type === 'groups') {
+      const groupResults = await searchGroups(graphClient, query, limit);
+      allResults.push(...groupResults);
+    } else if (type === 'all') {
+      const [userResults, groupResults] = await Promise.all([
+        searchUsers(graphClient, query, limit),
+        searchGroups(graphClient, query, limit),
+      ]);
+
+      allResults.push(...userResults, ...groupResults);
+    }
+
+    const seenIds = new Set();
+    const uniqueResults = allResults.filter((result) => {
+      if (seenIds.has(result.idOnTheSource)) {
+        return false;
+      }
+      seenIds.add(result.idOnTheSource);
+      return true;
+    });
+
+    return uniqueResults.slice(0, limit);
+  } catch (error) {
+    logger.error('[searchEntraIdPrincipals] Error searching principals:', error);
+    return [];
+  }
+};
+
+/**
+ * Get current user's Entra ID group memberships from Microsoft Graph
+ * Uses /me/memberOf endpoint to get groups the user is a member of
+ * @param {string} accessToken - OpenID Connect access token
+ * @param {string} sub - Subject identifier
+ * @returns {Promise<Array<string>>} Array of group ID strings (GUIDs)
+ */
+const getUserEntraGroups = async (accessToken, sub) => {
+  try {
+    const graphClient = await createGraphClient(accessToken, sub);
+
+    const groupsResponse = await graphClient.api('/me/memberOf').select('id').get();
+
+    return (groupsResponse.value || []).map((group) => group.id);
+  } catch (error) {
+    logger.error('[getUserEntraGroups] Error fetching user groups:', error);
+    return [];
+  }
+};
+
+/**
+ * Get current user's owned Entra ID groups from Microsoft Graph
+ * Uses /me/ownedObjects/microsoft.graph.group endpoint to get groups the user owns
+ * @param {string} accessToken - OpenID Connect access token
+ * @param {string} sub - Subject identifier
+ * @returns {Promise<Array<string>>} Array of group ID strings (GUIDs)
+ */
+const getUserOwnedEntraGroups = async (accessToken, sub) => {
+  try {
+    const graphClient = await createGraphClient(accessToken, sub);
+
+    const groupsResponse = await graphClient
+      .api('/me/ownedObjects/microsoft.graph.group')
+      .select('id')
+      .get();
+
+    return (groupsResponse.value || []).map((group) => group.id);
+  } catch (error) {
+    logger.error('[getUserOwnedEntraGroups] Error fetching user owned groups:', error);
+    return [];
+  }
+};
+
+/**
+ * Get group members from Microsoft Graph API
+ * Recursively fetches all members using pagination (@odata.nextLink)
+ * @param {string} accessToken - OpenID Connect access token
+ * @param {string} sub - Subject identifier
+ * @param {string} groupId - Entra ID group object ID
+ * @returns {Promise<Array>} Array of member IDs (idOnTheSource values)
+ */
+const getGroupMembers = async (accessToken, sub, groupId) => {
+  try {
+    const graphClient = await createGraphClient(accessToken, sub);
+    const allMembers = [];
+    let nextLink = `/groups/${groupId}/members`;
+
+    while (nextLink) {
+      const membersResponse = await graphClient.api(nextLink).select('id').top(999).get();
+
+      const members = membersResponse.value || [];
+      allMembers.push(...members.map((member) => member.id));
+
+      nextLink = membersResponse['@odata.nextLink']
+        ? membersResponse['@odata.nextLink'].split('/v1.0')[1]
+        : null;
+    }
+
+    return allMembers;
+  } catch (error) {
+    logger.error('[getGroupMembers] Error fetching group members:', error);
+    return [];
+  }
+};
+/**
+ * Get group owners from Microsoft Graph API
+ * Recursively fetches all owners using pagination (@odata.nextLink)
+ * @param {string} accessToken - OpenID Connect access token
+ * @param {string} sub - Subject identifier
+ * @param {string} groupId - Entra ID group object ID
+ * @returns {Promise<Array>} Array of owner IDs (idOnTheSource values)
+ */
+const getGroupOwners = async (accessToken, sub, groupId) => {
+  try {
+    const graphClient = await createGraphClient(accessToken, sub);
+    const allOwners = [];
+    let nextLink = `/groups/${groupId}/owners`;
+
+    while (nextLink) {
+      const ownersResponse = await graphClient.api(nextLink).select('id').top(999).get();
+
+      const owners = ownersResponse.value || [];
+      allOwners.push(...owners.map((member) => member.id));
+
+      nextLink = ownersResponse['@odata.nextLink']
+        ? ownersResponse['@odata.nextLink'].split('/v1.0')[1]
+        : null;
+    }
+
+    return allOwners;
+  } catch (error) {
+    logger.error('[getGroupOwners] Error fetching group owners:', error);
+    return [];
+  }
+};
+/**
+ * Search for contacts (users only) using Microsoft Graph /me/people endpoint
+ * Returns mapped TPrincipalSearchResult objects for users only
+ * @param {Client} graphClient - Authenticated Microsoft Graph client
+ * @param {string} query - Search query string
+ * @param {number} limit - Maximum number of results (default: 10)
+ * @returns {Promise<TPrincipalSearchResult[]>} Array of mapped user contact results
+ */
+const searchContacts = async (graphClient, query, limit = 10) => {
+  try {
+    if (!query || query.trim().length < 2) {
+      return [];
+    }
+    if (
+      process.env.OPENID_GRAPH_SCOPES &&
+      !process.env.OPENID_GRAPH_SCOPES.toLowerCase().includes('people.read')
+    ) {
+      logger.warn('[searchContacts] People.Read scope is not enabled, skipping contact search');
+      return [];
+    }
+    // Reason: Search only for OrganizationUser (person) type, not groups
+    const filter = "personType/subclass eq 'OrganizationUser'";
+
+    let apiCall = graphClient
+      .api('/me/people')
+      .search(`"${query}"`)
+      .select(
+        'id,displayName,givenName,surname,userPrincipalName,jobTitle,department,companyName,scoredEmailAddresses,personType,phones',
+      )
+      .header('ConsistencyLevel', 'eventual')
+      .filter(filter)
+      .top(limit);
+
+    const contactsResponse = await apiCall.get();
+    return (contactsResponse.value || []).map(mapContactToTPrincipalSearchResult);
+  } catch (error) {
+    logger.error('[searchContacts] Error searching contacts:', error);
+    return [];
+  }
+};
+
+/**
+ * Search for users using Microsoft Graph /users endpoint
+ * Returns mapped TPrincipalSearchResult objects
+ * @param {Client} graphClient - Authenticated Microsoft Graph client
+ * @param {string} query - Search query string
+ * @param {number} limit - Maximum number of results (default: 10)
+ * @returns {Promise<TPrincipalSearchResult[]>} Array of mapped user results
+ */
+const searchUsers = async (graphClient, query, limit = 10) => {
+  try {
+    if (!query || query.trim().length < 2) {
+      return [];
+    }
+
+    // Reason: Search users by display name, email, and user principal name
+    const usersResponse = await graphClient
+      .api('/users')
+      .search(
+        `"displayName:${query}" OR "userPrincipalName:${query}" OR "mail:${query}" OR "givenName:${query}" OR "surname:${query}"`,
+      )
+      .select(
+        'id,displayName,givenName,surname,userPrincipalName,jobTitle,department,companyName,mail,phones',
+      )
+      .header('ConsistencyLevel', 'eventual')
+      .top(limit)
+      .get();
+
+    return (usersResponse.value || []).map(mapUserToTPrincipalSearchResult);
+  } catch (error) {
+    logger.error('[searchUsers] Error searching users:', error);
+    return [];
+  }
+};
+
+/**
+ * Search for groups using Microsoft Graph /groups endpoint
+ * Returns mapped TPrincipalSearchResult objects, includes all group types
+ * @param {Client} graphClient - Authenticated Microsoft Graph client
+ * @param {string} query - Search query string
+ * @param {number} limit - Maximum number of results (default: 10)
+ * @returns {Promise<TPrincipalSearchResult[]>} Array of mapped group results
+ */
+const searchGroups = async (graphClient, query, limit = 10) => {
+  try {
+    if (!query || query.trim().length < 2) {
+      return [];
+    }
+
+    // Reason: Search all groups by display name and email without filtering group types
+    const groupsResponse = await graphClient
+      .api('/groups')
+      .search(`"displayName:${query}" OR "mail:${query}" OR "mailNickname:${query}"`)
+      .select('id,displayName,mail,mailNickname,description,groupTypes,resourceProvisioningOptions')
+      .header('ConsistencyLevel', 'eventual')
+      .top(limit)
+      .get();
+
+    return (groupsResponse.value || []).map(mapGroupToTPrincipalSearchResult);
+  } catch (error) {
+    logger.error('[searchGroups] Error searching groups:', error);
+    return [];
+  }
+};
+
+/**
+ * Test Graph API connectivity and permissions
+ * @param {string} accessToken - OpenID Connect access token
+ * @param {string} sub - Subject identifier
+ * @returns {Promise<Object>} Test results with available permissions
+ */
+const testGraphApiAccess = async (accessToken, sub) => {
+  try {
+    const graphClient = await createGraphClient(accessToken, sub);
+    const results = {
+      userAccess: false,
+      peopleAccess: false,
+      groupsAccess: false,
+      usersEndpointAccess: false,
+      groupsEndpointAccess: false,
+      errors: [],
+    };
+
+    // Test User.Read permission
+    try {
+      await graphClient.api('/me').select('id,displayName').get();
+      results.userAccess = true;
+    } catch (error) {
+      results.errors.push(`User.Read: ${error.message}`);
+    }
+
+    // Test People.Read permission with OrganizationUser filter
+    try {
+      await graphClient
+        .api('/me/people')
+        .filter("personType/subclass eq 'OrganizationUser'")
+        .top(1)
+        .get();
+      results.peopleAccess = true;
+    } catch (error) {
+      results.errors.push(`People.Read (OrganizationUser): ${error.message}`);
+    }
+
+    // Test People.Read permission with UnifiedGroup filter
+    try {
+      await graphClient
+        .api('/me/people')
+        .filter("personType/subclass eq 'UnifiedGroup'")
+        .top(1)
+        .get();
+      results.groupsAccess = true;
+    } catch (error) {
+      results.errors.push(`People.Read (UnifiedGroup): ${error.message}`);
+    }
+
+    // Test /users endpoint access (requires User.Read.All or similar)
+    try {
+      await graphClient
+        .api('/users')
+        .search('"displayName:test"')
+        .select('id,displayName,userPrincipalName')
+        .top(1)
+        .get();
+      results.usersEndpointAccess = true;
+    } catch (error) {
+      results.errors.push(`Users endpoint: ${error.message}`);
+    }
+
+    // Test /groups endpoint access (requires Group.Read.All or similar)
+    try {
+      await graphClient
+        .api('/groups')
+        .search('"displayName:test"')
+        .select('id,displayName,mail')
+        .top(1)
+        .get();
+      results.groupsEndpointAccess = true;
+    } catch (error) {
+      results.errors.push(`Groups endpoint: ${error.message}`);
+    }
+
+    return results;
+  } catch (error) {
+    logger.error('[testGraphApiAccess] Error testing Graph API access:', error);
+    return {
+      userAccess: false,
+      peopleAccess: false,
+      groupsAccess: false,
+      usersEndpointAccess: false,
+      groupsEndpointAccess: false,
+      errors: [error.message],
+    };
+  }
+};
+
+/**
+ * Map Graph API user object to TPrincipalSearchResult format
+ * @param {TGraphUser} user - Raw user object from Graph API
+ * @returns {TPrincipalSearchResult} Mapped user result
+ */
+const mapUserToTPrincipalSearchResult = (user) => {
+  return {
+    id: null,
+    type: 'user',
+    name: user.displayName,
+    email: user.mail || user.userPrincipalName,
+    username: user.userPrincipalName,
+    source: 'entra',
+    idOnTheSource: user.id,
+  };
+};
+
+/**
+ * Map Graph API group object to TPrincipalSearchResult format
+ * @param {TGraphGroup} group - Raw group object from Graph API
+ * @returns {TPrincipalSearchResult} Mapped group result
+ */
+const mapGroupToTPrincipalSearchResult = (group) => {
+  return {
+    id: null,
+    type: 'group',
+    name: group.displayName,
+    email: group.mail || group.userPrincipalName,
+    description: group.description,
+    source: 'entra',
+    idOnTheSource: group.id,
+  };
+};
+
+/**
+ * Map Graph API /me/people contact object to TPrincipalSearchResult format
+ * Handles both user and group contacts from the people endpoint
+ * @param {TGraphPerson} contact - Raw contact object from Graph API /me/people
+ * @returns {TPrincipalSearchResult} Mapped contact result
+ */
+const mapContactToTPrincipalSearchResult = (contact) => {
+  const isGroup = contact.personType?.class === 'Group';
+  const primaryEmail = contact.scoredEmailAddresses?.[0]?.address;
+
+  return {
+    id: null,
+    type: isGroup ? 'group' : 'user',
+    name: contact.displayName,
+    email: primaryEmail,
+    username: !isGroup ? contact.userPrincipalName : undefined,
+    source: 'entra',
+    idOnTheSource: contact.id,
+  };
+};
+
+module.exports = {
+  getGroupMembers,
+  getGroupOwners,
+  createGraphClient,
+  getUserEntraGroups,
+  getUserOwnedEntraGroups,
+  testGraphApiAccess,
+  searchEntraIdPrincipals,
+  exchangeTokenForGraphAccess,
+  entraIdPrincipalFeatureEnabled,
+};

api/server/services/GraphApiService.spec.js

@@ -0,0 +1,720 @@
+jest.mock('@microsoft/microsoft-graph-client');
+jest.mock('~/strategies/openidStrategy');
+jest.mock('~/cache/getLogStores');
+jest.mock('@librechat/data-schemas', () => ({
+  ...jest.requireActual('@librechat/data-schemas'),
+  logger: {
+    error: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+jest.mock('~/config', () => ({
+  logger: {
+    error: jest.fn(),
+    debug: jest.fn(),
+  },
+  createAxiosInstance: jest.fn(() => ({
+    create: jest.fn(),
+    defaults: {},
+  })),
+}));
+jest.mock('~/utils', () => ({
+  logAxiosError: jest.fn(),
+}));
+
+jest.mock('~/server/services/Config', () => ({}));
+jest.mock('~/server/services/Files/strategies', () => ({
+  getStrategyFunctions: jest.fn(),
+}));
+
+const mongoose = require('mongoose');
+const client = require('openid-client');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { Client } = require('@microsoft/microsoft-graph-client');
+const { getOpenIdConfig } = require('~/strategies/openidStrategy');
+const getLogStores = require('~/cache/getLogStores');
+const GraphApiService = require('./GraphApiService');
+
+describe('GraphApiService', () => {
+  let mongoServer;
+  let mockGraphClient;
+  let mockTokensCache;
+  let mockOpenIdConfig;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  afterEach(() => {
+    // Clean up environment variables
+    delete process.env.OPENID_GRAPH_SCOPES;
+  });
+
+  beforeEach(async () => {
+    jest.clearAllMocks();
+    await mongoose.connection.dropDatabase();
+
+    // Set up environment variable for People.Read scope
+    process.env.OPENID_GRAPH_SCOPES = 'User.Read,People.Read,Group.Read.All';
+
+    // Mock Graph client
+    mockGraphClient = {
+      api: jest.fn().mockReturnThis(),
+      search: jest.fn().mockReturnThis(),
+      filter: jest.fn().mockReturnThis(),
+      select: jest.fn().mockReturnThis(),
+      header: jest.fn().mockReturnThis(),
+      top: jest.fn().mockReturnThis(),
+      get: jest.fn(),
+    };
+
+    Client.init.mockReturnValue(mockGraphClient);
+
+    // Mock tokens cache
+    mockTokensCache = {
+      get: jest.fn(),
+      set: jest.fn(),
+    };
+    getLogStores.mockReturnValue(mockTokensCache);
+
+    // Mock OpenID config
+    mockOpenIdConfig = {
+      client_id: 'test-client-id',
+      issuer: 'https://test-issuer.com',
+    };
+    getOpenIdConfig.mockReturnValue(mockOpenIdConfig);
+
+    // Mock openid-client (using the existing jest mock configuration)
+    if (client.genericGrantRequest) {
+      client.genericGrantRequest.mockResolvedValue({
+        access_token: 'mocked-graph-token',
+        expires_in: 3600,
+      });
+    }
+  });
+
+  describe('Dependency Contract Tests', () => {
+    it('should fail if getOpenIdConfig interface changes', () => {
+      // Reason: Ensure getOpenIdConfig returns expected structure
+      const config = getOpenIdConfig();
+
+      expect(config).toBeDefined();
+      expect(typeof config).toBe('object');
+      // Add specific property checks that GraphApiService depends on
+      expect(config).toHaveProperty('client_id');
+      expect(config).toHaveProperty('issuer');
+
+      // Ensure the function is callable
+      expect(typeof getOpenIdConfig).toBe('function');
+    });
+
+    it('should fail if openid-client.genericGrantRequest interface changes', () => {
+      // Reason: Ensure client.genericGrantRequest maintains expected signature
+      if (client.genericGrantRequest) {
+        expect(typeof client.genericGrantRequest).toBe('function');
+
+        // Test that it accepts the expected parameters
+        const mockCall = client.genericGrantRequest(
+          mockOpenIdConfig,
+          'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          {
+            scope: 'test-scope',
+            assertion: 'test-token',
+            requested_token_use: 'on_behalf_of',
+          },
+        );
+
+        expect(mockCall).toBeDefined();
+      }
+    });
+
+    it('should fail if Microsoft Graph Client interface changes', () => {
+      // Reason: Ensure Graph Client maintains expected fluent API
+      expect(typeof Client.init).toBe('function');
+
+      const client = Client.init({ authProvider: jest.fn() });
+      expect(client).toHaveProperty('api');
+      expect(typeof client.api).toBe('function');
+    });
+  });
+
+  describe('createGraphClient', () => {
+    it('should create graph client with exchanged token', async () => {
+      const accessToken = 'test-access-token';
+      const sub = 'test-user-id';
+
+      const result = await GraphApiService.createGraphClient(accessToken, sub);
+
+      expect(getOpenIdConfig).toHaveBeenCalled();
+      expect(Client.init).toHaveBeenCalledWith({
+        authProvider: expect.any(Function),
+      });
+      expect(result).toBe(mockGraphClient);
+    });
+
+    it('should handle token exchange errors gracefully', async () => {
+      if (client.genericGrantRequest) {
+        client.genericGrantRequest.mockRejectedValue(new Error('Token exchange failed'));
+      }
+
+      await expect(GraphApiService.createGraphClient('invalid-token', 'test-user')).rejects.toThrow(
+        'Token exchange failed',
+      );
+    });
+  });
+
+  describe('exchangeTokenForGraphAccess', () => {
+    it('should return cached token if available', async () => {
+      const cachedToken = { access_token: 'cached-token' };
+      mockTokensCache.get.mockResolvedValue(cachedToken);
+
+      const result = await GraphApiService.exchangeTokenForGraphAccess(
+        mockOpenIdConfig,
+        'test-token',
+        'test-user',
+      );
+
+      expect(result).toBe('cached-token');
+      expect(mockTokensCache.get).toHaveBeenCalledWith('test-user:graph');
+      if (client.genericGrantRequest) {
+        expect(client.genericGrantRequest).not.toHaveBeenCalled();
+      }
+    });
+
+    it('should exchange token and cache result', async () => {
+      mockTokensCache.get.mockResolvedValue(null);
+
+      const result = await GraphApiService.exchangeTokenForGraphAccess(
+        mockOpenIdConfig,
+        'test-token',
+        'test-user',
+      );
+
+      if (client.genericGrantRequest) {
+        expect(client.genericGrantRequest).toHaveBeenCalledWith(
+          mockOpenIdConfig,
+          'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          {
+            scope:
+              'https://graph.microsoft.com/User.Read https://graph.microsoft.com/People.Read https://graph.microsoft.com/Group.Read.All',
+            assertion: 'test-token',
+            requested_token_use: 'on_behalf_of',
+          },
+        );
+      }
+
+      expect(mockTokensCache.set).toHaveBeenCalledWith(
+        'test-user:graph',
+        { access_token: 'mocked-graph-token' },
+        3600000,
+      );
+
+      expect(result).toBe('mocked-graph-token');
+    });
+
+    it('should use custom scopes from environment', async () => {
+      const originalEnv = process.env.OPENID_GRAPH_SCOPES;
+      process.env.OPENID_GRAPH_SCOPES = 'Custom.Read,Custom.Write';
+
+      mockTokensCache.get.mockResolvedValue(null);
+
+      await GraphApiService.exchangeTokenForGraphAccess(
+        mockOpenIdConfig,
+        'test-token',
+        'test-user',
+      );
+
+      if (client.genericGrantRequest) {
+        expect(client.genericGrantRequest).toHaveBeenCalledWith(
+          mockOpenIdConfig,
+          'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          {
+            scope:
+              'https://graph.microsoft.com/Custom.Read https://graph.microsoft.com/Custom.Write',
+            assertion: 'test-token',
+            requested_token_use: 'on_behalf_of',
+          },
+        );
+      }
+
+      process.env.OPENID_GRAPH_SCOPES = originalEnv;
+    });
+  });
+
+  describe('searchEntraIdPrincipals', () => {
+    // Mock data used by multiple tests
+    const mockContactsResponse = {
+      value: [
+        {
+          id: 'contact-user-1',
+          displayName: 'John Doe',
+          userPrincipalName: 'john@company.com',
+          mail: 'john@company.com',
+          personType: { class: 'Person', subclass: 'OrganizationUser' },
+          scoredEmailAddresses: [{ address: 'john@company.com', relevanceScore: 0.9 }],
+        },
+        {
+          id: 'contact-group-1',
+          displayName: 'Marketing Team',
+          mail: 'marketing@company.com',
+          personType: { class: 'Group', subclass: 'UnifiedGroup' },
+          scoredEmailAddresses: [{ address: 'marketing@company.com', relevanceScore: 0.8 }],
+        },
+      ],
+    };
+
+    const mockUsersResponse = {
+      value: [
+        {
+          id: 'dir-user-1',
+          displayName: 'Jane Smith',
+          userPrincipalName: 'jane@company.com',
+          mail: 'jane@company.com',
+        },
+      ],
+    };
+
+    const mockGroupsResponse = {
+      value: [
+        {
+          id: 'dir-group-1',
+          displayName: 'Development Team',
+          mail: 'dev@company.com',
+        },
+      ],
+    };
+
+    beforeEach(() => {
+      // Reset mock call history for each test
+      jest.clearAllMocks();
+
+      // Re-apply the Client.init mock after clearAllMocks
+      Client.init.mockReturnValue(mockGraphClient);
+
+      // Re-apply openid-client mock
+      if (client.genericGrantRequest) {
+        client.genericGrantRequest.mockResolvedValue({
+          access_token: 'mocked-graph-token',
+          expires_in: 3600,
+        });
+      }
+
+      // Re-apply cache mock
+      mockTokensCache.get.mockResolvedValue(null); // Force token exchange
+      mockTokensCache.set.mockResolvedValue();
+      getLogStores.mockReturnValue(mockTokensCache);
+      getOpenIdConfig.mockReturnValue(mockOpenIdConfig);
+    });
+
+    it('should return empty results for short queries', async () => {
+      const result = await GraphApiService.searchEntraIdPrincipals('token', 'user', 'a', 'all', 10);
+
+      expect(result).toEqual([]);
+      expect(mockGraphClient.api).not.toHaveBeenCalled();
+    });
+
+    it('should search contacts first and additional users for users type', async () => {
+      // Mock responses for this specific test
+      const contactsFilteredResponse = {
+        value: [
+          {
+            id: 'contact-user-1',
+            displayName: 'John Doe',
+            userPrincipalName: 'john@company.com',
+            mail: 'john@company.com',
+            personType: { class: 'Person', subclass: 'OrganizationUser' },
+            scoredEmailAddresses: [{ address: 'john@company.com', relevanceScore: 0.9 }],
+          },
+        ],
+      };
+
+      mockGraphClient.get
+        .mockResolvedValueOnce(contactsFilteredResponse) // contacts call
+        .mockResolvedValueOnce(mockUsersResponse); // users call
+
+      const result = await GraphApiService.searchEntraIdPrincipals(
+        'token',
+        'user',
+        'john',
+        'users',
+        10,
+      );
+
+      // Should call contacts first with user filter
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+      expect(mockGraphClient.search).toHaveBeenCalledWith('"john"');
+      expect(mockGraphClient.filter).toHaveBeenCalledWith(
+        "personType/subclass eq 'OrganizationUser'",
+      );
+
+      // Should call users endpoint for additional results
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/users');
+      expect(mockGraphClient.search).toHaveBeenCalledWith(
+        '"displayName:john" OR "userPrincipalName:john" OR "mail:john" OR "givenName:john" OR "surname:john"',
+      );
+
+      // Should return TPrincipalSearchResult array
+      expect(Array.isArray(result)).toBe(true);
+      expect(result).toHaveLength(2); // 1 from contacts + 1 from users
+      expect(result[0]).toMatchObject({
+        id: null,
+        type: 'user',
+        name: 'John Doe',
+        email: 'john@company.com',
+        source: 'entra',
+        idOnTheSource: 'contact-user-1',
+      });
+    });
+
+    it('should search groups endpoint only for groups type', async () => {
+      // Mock responses for this specific test - only groups endpoint called
+      mockGraphClient.get.mockResolvedValueOnce(mockGroupsResponse); // only groups call
+
+      const result = await GraphApiService.searchEntraIdPrincipals(
+        'token',
+        'user',
+        'team',
+        'groups',
+        10,
+      );
+
+      // Should NOT call contacts for groups type
+      expect(mockGraphClient.api).not.toHaveBeenCalledWith('/me/people');
+
+      // Should call groups endpoint only
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/groups');
+      expect(mockGraphClient.search).toHaveBeenCalledWith(
+        '"displayName:team" OR "mail:team" OR "mailNickname:team"',
+      );
+
+      expect(Array.isArray(result)).toBe(true);
+      expect(result).toHaveLength(1); // 1 from groups only
+    });
+
+    it('should search all endpoints for all type', async () => {
+      // Mock responses for this specific test
+      mockGraphClient.get
+        .mockResolvedValueOnce(mockContactsResponse) // contacts call (both user and group)
+        .mockResolvedValueOnce(mockUsersResponse) // users call
+        .mockResolvedValueOnce(mockGroupsResponse); // groups call
+
+      const result = await GraphApiService.searchEntraIdPrincipals(
+        'token',
+        'user',
+        'test',
+        'all',
+        10,
+      );
+
+      // Should call contacts first with user filter
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+      expect(mockGraphClient.search).toHaveBeenCalledWith('"test"');
+      expect(mockGraphClient.filter).toHaveBeenCalledWith(
+        "personType/subclass eq 'OrganizationUser'",
+      );
+
+      // Should call both users and groups endpoints
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/users');
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/groups');
+
+      expect(Array.isArray(result)).toBe(true);
+      expect(result).toHaveLength(4); // 2 from contacts + 1 from users + 1 from groups
+    });
+
+    it('should early exit if contacts reach limit', async () => {
+      // Mock contacts to return exactly the limit
+      const limitedContactsResponse = {
+        value: Array(10).fill({
+          id: 'contact-1',
+          displayName: 'Contact User',
+          mail: 'contact@company.com',
+          personType: { class: 'Person', subclass: 'OrganizationUser' },
+        }),
+      };
+
+      mockGraphClient.get.mockResolvedValueOnce(limitedContactsResponse);
+
+      const result = await GraphApiService.searchEntraIdPrincipals(
+        'token',
+        'user',
+        'test',
+        'all',
+        10,
+      );
+
+      // Should call contacts first
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+      expect(mockGraphClient.search).toHaveBeenCalledWith('"test"');
+      // Should not call users endpoint since limit was reached
+      expect(mockGraphClient.api).not.toHaveBeenCalledWith('/users');
+
+      expect(result).toHaveLength(10);
+    });
+
+    it('should deduplicate results based on idOnTheSource', async () => {
+      // Mock responses with duplicate IDs
+      const duplicateContactsResponse = {
+        value: [
+          {
+            id: 'duplicate-id',
+            displayName: 'John Doe',
+            mail: 'john@company.com',
+            personType: { class: 'Person', subclass: 'OrganizationUser' },
+          },
+        ],
+      };
+
+      const duplicateUsersResponse = {
+        value: [
+          {
+            id: 'duplicate-id', // Same ID as contact
+            displayName: 'John Doe',
+            mail: 'john@company.com',
+          },
+        ],
+      };
+
+      mockGraphClient.get
+        .mockResolvedValueOnce(duplicateContactsResponse)
+        .mockResolvedValueOnce(duplicateUsersResponse);
+
+      const result = await GraphApiService.searchEntraIdPrincipals(
+        'token',
+        'user',
+        'john',
+        'users',
+        10,
+      );
+
+      // Should only return one result despite duplicate IDs
+      expect(result).toHaveLength(1);
+      expect(result[0].idOnTheSource).toBe('duplicate-id');
+    });
+
+    it('should handle Graph API errors gracefully', async () => {
+      mockGraphClient.get.mockRejectedValue(new Error('Graph API error'));
+
+      const result = await GraphApiService.searchEntraIdPrincipals(
+        'token',
+        'user',
+        'test',
+        'all',
+        10,
+      );
+
+      expect(result).toEqual([]);
+    });
+  });
+
+  describe('getUserEntraGroups', () => {
+    it('should fetch user groups from memberOf endpoint', async () => {
+      const mockGroupsResponse = {
+        value: [
+          {
+            id: 'group-1',
+          },
+          {
+            id: 'group-2',
+          },
+        ],
+      };
+
+      mockGraphClient.get.mockResolvedValue(mockGroupsResponse);
+
+      const result = await GraphApiService.getUserEntraGroups('token', 'user');
+
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/me/memberOf');
+      expect(mockGraphClient.select).toHaveBeenCalledWith('id');
+
+      expect(result).toHaveLength(2);
+      expect(result).toEqual(['group-1', 'group-2']);
+    });
+
+    it('should return empty array on error', async () => {
+      mockGraphClient.get.mockRejectedValue(new Error('API error'));
+
+      const result = await GraphApiService.getUserEntraGroups('token', 'user');
+
+      expect(result).toEqual([]);
+    });
+
+    it('should handle empty response', async () => {
+      const mockGroupsResponse = {
+        value: [],
+      };
+
+      mockGraphClient.get.mockResolvedValue(mockGroupsResponse);
+
+      const result = await GraphApiService.getUserEntraGroups('token', 'user');
+
+      expect(result).toEqual([]);
+    });
+
+    it('should handle missing value property', async () => {
+      mockGraphClient.get.mockResolvedValue({});
+
+      const result = await GraphApiService.getUserEntraGroups('token', 'user');
+
+      expect(result).toEqual([]);
+    });
+  });
+
+  describe('testGraphApiAccess', () => {
+    beforeEach(() => {
+      jest.clearAllMocks();
+    });
+
+    it('should test all permissions and return success results', async () => {
+      // Mock successful responses for all tests
+      mockGraphClient.get
+        .mockResolvedValueOnce({ id: 'user-123', displayName: 'Test User' }) // /me test
+        .mockResolvedValueOnce({ value: [] }) // people OrganizationUser test
+        .mockResolvedValueOnce({ value: [] }) // people UnifiedGroup test
+        .mockResolvedValueOnce({ value: [] }) // /users endpoint test
+        .mockResolvedValueOnce({ value: [] }); // /groups endpoint test
+
+      const result = await GraphApiService.testGraphApiAccess('token', 'user');
+
+      expect(result).toEqual({
+        userAccess: true,
+        peopleAccess: true,
+        groupsAccess: true,
+        usersEndpointAccess: true,
+        groupsEndpointAccess: true,
+        errors: [],
+      });
+
+      // Verify all endpoints were tested
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/me');
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/me/people');
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/users');
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/groups');
+      expect(mockGraphClient.filter).toHaveBeenCalledWith(
+        "personType/subclass eq 'OrganizationUser'",
+      );
+      expect(mockGraphClient.filter).toHaveBeenCalledWith("personType/subclass eq 'UnifiedGroup'");
+      expect(mockGraphClient.search).toHaveBeenCalledWith('"displayName:test"');
+    });
+
+    it('should handle partial failures and record errors', async () => {
+      // Mock mixed success/failure responses
+      mockGraphClient.get
+        .mockResolvedValueOnce({ id: 'user-123', displayName: 'Test User' }) // /me success
+        .mockRejectedValueOnce(new Error('People access denied')) // people OrganizationUser fail
+        .mockResolvedValueOnce({ value: [] }) // people UnifiedGroup success
+        .mockRejectedValueOnce(new Error('Users endpoint access denied')) // /users fail
+        .mockResolvedValueOnce({ value: [] }); // /groups success
+
+      const result = await GraphApiService.testGraphApiAccess('token', 'user');
+
+      expect(result).toEqual({
+        userAccess: true,
+        peopleAccess: false,
+        groupsAccess: true,
+        usersEndpointAccess: false,
+        groupsEndpointAccess: true,
+        errors: [
+          'People.Read (OrganizationUser): People access denied',
+          'Users endpoint: Users endpoint access denied',
+        ],
+      });
+    });
+
+    it('should handle complete Graph client creation failure', async () => {
+      // Mock token exchange failure to test error handling
+      if (client.genericGrantRequest) {
+        client.genericGrantRequest.mockRejectedValue(new Error('Token exchange failed'));
+      }
+
+      const result = await GraphApiService.testGraphApiAccess('invalid-token', 'user');
+
+      expect(result).toEqual({
+        userAccess: false,
+        peopleAccess: false,
+        groupsAccess: false,
+        usersEndpointAccess: false,
+        groupsEndpointAccess: false,
+        errors: ['Token exchange failed'],
+      });
+    });
+
+    it('should record all permission errors', async () => {
+      // Mock all requests to fail
+      mockGraphClient.get
+        .mockRejectedValueOnce(new Error('User.Read denied'))
+        .mockRejectedValueOnce(new Error('People.Read OrganizationUser denied'))
+        .mockRejectedValueOnce(new Error('People.Read UnifiedGroup denied'))
+        .mockRejectedValueOnce(new Error('Users directory access denied'))
+        .mockRejectedValueOnce(new Error('Groups directory access denied'));
+
+      const result = await GraphApiService.testGraphApiAccess('token', 'user');
+
+      expect(result).toEqual({
+        userAccess: false,
+        peopleAccess: false,
+        groupsAccess: false,
+        usersEndpointAccess: false,
+        groupsEndpointAccess: false,
+        errors: [
+          'User.Read: User.Read denied',
+          'People.Read (OrganizationUser): People.Read OrganizationUser denied',
+          'People.Read (UnifiedGroup): People.Read UnifiedGroup denied',
+          'Users endpoint: Users directory access denied',
+          'Groups endpoint: Groups directory access denied',
+        ],
+      });
+    });
+
+    it('should test new endpoints with correct search patterns', async () => {
+      // Mock successful responses for endpoint testing
+      mockGraphClient.get
+        .mockResolvedValueOnce({ id: 'user-123', displayName: 'Test User' }) // /me
+        .mockResolvedValueOnce({ value: [] }) // people OrganizationUser
+        .mockResolvedValueOnce({ value: [] }) // people UnifiedGroup
+        .mockResolvedValueOnce({ value: [] }) // /users
+        .mockResolvedValueOnce({ value: [] }); // /groups
+
+      await GraphApiService.testGraphApiAccess('token', 'user');
+
+      // Verify /users endpoint test
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/users');
+      expect(mockGraphClient.search).toHaveBeenCalledWith('"displayName:test"');
+      expect(mockGraphClient.select).toHaveBeenCalledWith('id,displayName,userPrincipalName');
+
+      // Verify /groups endpoint test
+      expect(mockGraphClient.api).toHaveBeenCalledWith('/groups');
+      expect(mockGraphClient.select).toHaveBeenCalledWith('id,displayName,mail');
+    });
+
+    it('should handle endpoint-specific permission failures', async () => {
+      // Mock specific endpoint failures
+      mockGraphClient.get
+        .mockResolvedValueOnce({ id: 'user-123', displayName: 'Test User' }) // /me success
+        .mockResolvedValueOnce({ value: [] }) // people OrganizationUser success
+        .mockResolvedValueOnce({ value: [] }) // people UnifiedGroup success
+        .mockRejectedValueOnce(new Error('Insufficient privileges')) // /users fail (User.Read.All needed)
+        .mockRejectedValueOnce(new Error('Access denied to groups')); // /groups fail (Group.Read.All needed)
+
+      const result = await GraphApiService.testGraphApiAccess('token', 'user');
+
+      expect(result).toEqual({
+        userAccess: true,
+        peopleAccess: true,
+        groupsAccess: true,
+        usersEndpointAccess: false,
+        groupsEndpointAccess: false,
+        errors: [
+          'Users endpoint: Insufficient privileges',
+          'Groups endpoint: Access denied to groups',
+        ],
+      });
+    });
+  });
+});

api/server/services/MCP.js

@@ -2,16 +2,16 @@ const { z } = require('zod');
 const { tool } = require('@langchain/core/tools');
 const { logger } = require('@librechat/data-schemas');
 const { Time, CacheKeys, StepTypes } = require('librechat-data-provider');
-const { sendEvent, normalizeServerName, MCPOAuthHandler } = require('@librechat/api');
 const { Constants: AgentConstants, Providers, GraphEvents } = require('@librechat/agents');
+const { Constants, ContentTypes, isAssistantsEndpoint } = require('librechat-data-provider');
 const {
-  Constants,
-  ContentTypes,
-  isAssistantsEndpoint,
-  convertJsonSchemaToZod,
-} = require('librechat-data-provider');
-const { getMCPManager, getFlowStateManager } = require('~/config');
+  sendEvent,
+  MCPOAuthHandler,
+  normalizeServerName,
+  convertWithResolvedRefs,
+} = require('@librechat/api');
 const { findToken, createToken, updateToken } = require('~/models');
+const { getMCPManager, getFlowStateManager } = require('~/config');
 const { getCachedTools } = require('./Config');
 const { getLogStores } = require('~/cache');
 
@@ -113,7 +113,7 @@ async function createMCPTool({ req, res, toolKey, provider: _provider }) {
   /** @type {LCTool} */
   const { description, parameters } = toolDefinition;
   const isGoogle = _provider === Providers.VERTEXAI || _provider === Providers.GOOGLE;
-  let schema = convertJsonSchemaToZod(parameters, {
+  let schema = convertWithResolvedRefs(parameters, {
     allowEmptyObject: !isGoogle,
     transformOneOfAnyOf: true,
   });

api/server/services/PermissionService.js

@@ -0,0 +1,721 @@
+const mongoose = require('mongoose');
+const { getTransactionSupport, logger } = require('@librechat/data-schemas');
+const { isEnabled } = require('~/server/utils');
+const {
+  entraIdPrincipalFeatureEnabled,
+  getUserEntraGroups,
+  getUserOwnedEntraGroups,
+  getGroupMembers,
+  getGroupOwners,
+} = require('~/server/services/GraphApiService');
+const {
+  findGroupByExternalId,
+  findRoleByIdentifier,
+  getUserPrincipals,
+  createGroup,
+  createUser,
+  updateUser,
+  findUser,
+  grantPermission: grantPermissionACL,
+  findAccessibleResources: findAccessibleResourcesACL,
+  hasPermission,
+  getEffectivePermissions: getEffectivePermissionsACL,
+  findEntriesByPrincipalsAndResource,
+} = require('~/models');
+const { AclEntry, AccessRole, Group } = require('~/db/models');
+
+/** @type {boolean|null} */
+let transactionSupportCache = null;
+
+/**
+ * @import { TPrincipal } from 'librechat-data-provider'
+ */
+/**
+ * Grant a permission to a principal for a resource using a role
+ * @param {Object} params - Parameters for granting role-based permission
+ * @param {string} params.principalType - 'user', 'group', or 'public'
+ * @param {string|mongoose.Types.ObjectId|null} params.principalId - The ID of the principal (null for 'public')
+ * @param {string} params.resourceType - Type of resource (e.g., 'agent')
+ * @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
+ * @param {string} params.accessRoleId - The ID of the role (e.g., 'agent_viewer', 'agent_editor')
+ * @param {string|mongoose.Types.ObjectId} params.grantedBy - User ID granting the permission
+ * @param {mongoose.ClientSession} [params.session] - Optional MongoDB session for transactions
+ * @returns {Promise<Object>} The created or updated ACL entry
+ */
+const grantPermission = async ({
+  principalType,
+  principalId,
+  resourceType,
+  resourceId,
+  accessRoleId,
+  grantedBy,
+  session,
+}) => {
+  try {
+    if (!['user', 'group', 'public'].includes(principalType)) {
+      throw new Error(`Invalid principal type: ${principalType}`);
+    }
+
+    if (principalType !== 'public' && !principalId) {
+      throw new Error('Principal ID is required for user and group principals');
+    }
+
+    if (principalId && !mongoose.Types.ObjectId.isValid(principalId)) {
+      throw new Error(`Invalid principal ID: ${principalId}`);
+    }
+
+    if (!resourceId || !mongoose.Types.ObjectId.isValid(resourceId)) {
+      throw new Error(`Invalid resource ID: ${resourceId}`);
+    }
+
+    // Get the role to determine permission bits
+    const role = await findRoleByIdentifier(accessRoleId);
+    if (!role) {
+      throw new Error(`Role ${accessRoleId} not found`);
+    }
+
+    // Ensure the role is for the correct resource type
+    if (role.resourceType !== resourceType) {
+      throw new Error(
+        `Role ${accessRoleId} is for ${role.resourceType} resources, not ${resourceType}`,
+      );
+    }
+    return await grantPermissionACL(
+      principalType,
+      principalId,
+      resourceType,
+      resourceId,
+      role.permBits,
+      grantedBy,
+      session,
+      role._id,
+    );
+  } catch (error) {
+    logger.error(`[PermissionService.grantPermission] Error: ${error.message}`);
+    throw error;
+  }
+};
+
+/**
+ * Check if a user has specific permission bits on a resource
+ * @param {Object} params - Parameters for checking permissions
+ * @param {string|mongoose.Types.ObjectId} params.userId - The ID of the user
+ * @param {string} params.resourceType - Type of resource (e.g., 'agent')
+ * @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
+ * @param {number} params.requiredPermissions - The permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
+ * @returns {Promise<boolean>} Whether the user has the required permission bits
+ */
+const checkPermission = async ({ userId, resourceType, resourceId, requiredPermission }) => {
+  try {
+    if (typeof requiredPermission !== 'number' || requiredPermission < 1) {
+      throw new Error('requiredPermission must be a positive number');
+    }
+
+    // Get all principals for the user (user + groups + public)
+    const principals = await getUserPrincipals(userId);
+
+    if (principals.length === 0) {
+      return false;
+    }
+
+    return await hasPermission(principals, resourceType, resourceId, requiredPermission);
+  } catch (error) {
+    logger.error(`[PermissionService.checkPermission] Error: ${error.message}`);
+    // Re-throw validation errors
+    if (error.message.includes('requiredPermission must be')) {
+      throw error;
+    }
+    return false;
+  }
+};
+
+/**
+ * Get effective permission bitmask for a user on a resource
+ * @param {Object} params - Parameters for getting effective permissions
+ * @param {string|mongoose.Types.ObjectId} params.userId - The ID of the user
+ * @param {string} params.resourceType - Type of resource (e.g., 'agent')
+ * @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
+ * @returns {Promise<number>} Effective permission bitmask
+ */
+const getEffectivePermissions = async ({ userId, resourceType, resourceId }) => {
+  try {
+    // Get all principals for the user (user + groups + public)
+    const principals = await getUserPrincipals(userId);
+
+    if (principals.length === 0) {
+      return 0;
+    }
+    return await getEffectivePermissionsACL(principals, resourceType, resourceId);
+  } catch (error) {
+    logger.error(`[PermissionService.getEffectivePermissions] Error: ${error.message}`);
+    return 0;
+  }
+};
+
+/**
+ * Find all resources of a specific type that a user has access to with specific permission bits
+ * @param {Object} params - Parameters for finding accessible resources
+ * @param {string|mongoose.Types.ObjectId} params.userId - The ID of the user
+ * @param {string} params.resourceType - Type of resource (e.g., 'agent')
+ * @param {number} params.requiredPermissions - The minimum permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
+ * @returns {Promise<Array>} Array of resource IDs
+ */
+const findAccessibleResources = async ({ userId, resourceType, requiredPermissions }) => {
+  try {
+    if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) {
+      throw new Error('requiredPermissions must be a positive number');
+    }
+
+    // Get all principals for the user (user + groups + public)
+    const principalsList = await getUserPrincipals(userId);
+
+    if (principalsList.length === 0) {
+      return [];
+    }
+    return await findAccessibleResourcesACL(principalsList, resourceType, requiredPermissions);
+  } catch (error) {
+    logger.error(`[PermissionService.findAccessibleResources] Error: ${error.message}`);
+    // Re-throw validation errors
+    if (error.message.includes('requiredPermissions must be')) {
+      throw error;
+    }
+    return [];
+  }
+};
+
+/**
+ * Find all publicly accessible resources of a specific type
+ * @param {Object} params - Parameters for finding publicly accessible resources
+ * @param {string} params.resourceType - Type of resource (e.g., 'agent')
+ * @param {number} params.requiredPermissions - The minimum permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
+ * @returns {Promise<Array>} Array of resource IDs
+ */
+const findPubliclyAccessibleResources = async ({ resourceType, requiredPermissions }) => {
+  try {
+    if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) {
+      throw new Error('requiredPermissions must be a positive number');
+    }
+
+    // Find all public ACL entries where the public principal has at least the required permission bits
+    const entries = await AclEntry.find({
+      principalType: 'public',
+      resourceType,
+      permBits: { $bitsAllSet: requiredPermissions },
+    }).distinct('resourceId');
+
+    return entries;
+  } catch (error) {
+    logger.error(`[PermissionService.findPubliclyAccessibleResources] Error: ${error.message}`);
+    // Re-throw validation errors
+    if (error.message.includes('requiredPermissions must be')) {
+      throw error;
+    }
+    return [];
+  }
+};
+
+/**
+ * Get available roles for a resource type
+ * @param {Object} params - Parameters for getting available roles
+ * @param {string} params.resourceType - Type of resource (e.g., 'agent')
+ * @returns {Promise<Array>} Array of role definitions
+ */
+const getAvailableRoles = async ({ resourceType }) => {
+  try {
+    return await AccessRole.find({ resourceType }).lean();
+  } catch (error) {
+    logger.error(`[PermissionService.getAvailableRoles] Error: ${error.message}`);
+    return [];
+  }
+};
+
+/**
+ * Ensures a principal exists in the database based on TPrincipal data
+ * Creates user if it doesn't exist locally (for Entra ID users)
+ * @param {Object} principal - TPrincipal object from frontend
+ * @param {string} principal.type - 'user', 'group', or 'public'
+ * @param {string} [principal.id] - Local database ID (null for Entra ID principals not yet synced)
+ * @param {string} principal.name - Display name
+ * @param {string} [principal.email] - Email address
+ * @param {string} [principal.source] - 'local' or 'entra'
+ * @param {string} [principal.idOnTheSource] - Entra ID object ID for external principals
+ * @returns {Promise<string|null>} Returns the principalId for database operations, null for public
+ */
+const ensurePrincipalExists = async function (principal) {
+  if (principal.type === 'public') {
+    return null;
+  }
+
+  if (principal.id) {
+    return principal.id;
+  }
+
+  if (principal.type === 'user' && principal.source === 'entra') {
+    if (!principal.email || !principal.idOnTheSource) {
+      throw new Error('Entra ID user principals must have email and idOnTheSource');
+    }
+
+    let existingUser = await findUser({ idOnTheSource: principal.idOnTheSource });
+
+    if (!existingUser) {
+      existingUser = await findUser({ email: principal.email.toLowerCase() });
+    }
+
+    if (existingUser) {
+      if (!existingUser.idOnTheSource && principal.idOnTheSource) {
+        await updateUser(existingUser._id, {
+          idOnTheSource: principal.idOnTheSource,
+          provider: 'openid',
+        });
+      }
+      return existingUser._id.toString();
+    }
+
+    const userData = {
+      name: principal.name,
+      email: principal.email.toLowerCase(),
+      emailVerified: false,
+      provider: 'openid',
+      idOnTheSource: principal.idOnTheSource,
+    };
+
+    const userId = await createUser(userData, true, false);
+    return userId.toString();
+  }
+
+  if (principal.type === 'group') {
+    throw new Error('Group principals should be handled by group-specific methods');
+  }
+
+  throw new Error(`Unsupported principal type: ${principal.type}`);
+};
+
+/**
+ * Ensures a group principal exists in the database based on TPrincipal data
+ * Creates group if it doesn't exist locally (for Entra ID groups)
+ * For Entra ID groups, always synchronizes member IDs when authentication context is provided
+ * @param {Object} principal - TPrincipal object from frontend
+ * @param {string} principal.type - Must be 'group'
+ * @param {string} [principal.id] - Local database ID (null for Entra ID principals not yet synced)
+ * @param {string} principal.name - Display name
+ * @param {string} [principal.email] - Email address
+ * @param {string} [principal.description] - Group description
+ * @param {string} [principal.source] - 'local' or 'entra'
+ * @param {string} [principal.idOnTheSource] - Entra ID object ID for external principals
+ * @param {Object} [authContext] - Optional authentication context for fetching member data
+ * @param {string} [authContext.accessToken] - Access token for Graph API calls
+ * @param {string} [authContext.sub] - Subject identifier
+ * @returns {Promise<string>} Returns the groupId for database operations
+ */
+const ensureGroupPrincipalExists = async function (principal, authContext = null) {
+  if (principal.type !== 'group') {
+    throw new Error(`Invalid principal type: ${principal.type}. Expected 'group'`);
+  }
+
+  if (principal.source === 'entra') {
+    if (!principal.name || !principal.idOnTheSource) {
+      throw new Error('Entra ID group principals must have name and idOnTheSource');
+    }
+
+    let memberIds = [];
+    if (authContext && authContext.accessToken && authContext.sub) {
+      try {
+        memberIds = await getGroupMembers(
+          authContext.accessToken,
+          authContext.sub,
+          principal.idOnTheSource,
+        );
+
+        // Include group owners as members if feature is enabled
+        if (isEnabled(process.env.ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS)) {
+          const ownerIds = await getGroupOwners(
+            authContext.accessToken,
+            authContext.sub,
+            principal.idOnTheSource,
+          );
+          if (ownerIds && ownerIds.length > 0) {
+            memberIds.push(...ownerIds);
+            // Remove duplicates
+            memberIds = [...new Set(memberIds)];
+          }
+        }
+      } catch (error) {
+        logger.error('Failed to fetch group members from Graph API:', error);
+      }
+    }
+
+    let existingGroup = await findGroupByExternalId(principal.idOnTheSource, 'entra');
+
+    if (!existingGroup && principal.email) {
+      existingGroup = await Group.findOne({ email: principal.email.toLowerCase() }).lean();
+    }
+
+    if (existingGroup) {
+      const updateData = {};
+      let needsUpdate = false;
+
+      if (!existingGroup.idOnTheSource && principal.idOnTheSource) {
+        updateData.idOnTheSource = principal.idOnTheSource;
+        updateData.source = 'entra';
+        needsUpdate = true;
+      }
+
+      if (principal.description && existingGroup.description !== principal.description) {
+        updateData.description = principal.description;
+        needsUpdate = true;
+      }
+
+      if (principal.email && existingGroup.email !== principal.email.toLowerCase()) {
+        updateData.email = principal.email.toLowerCase();
+        needsUpdate = true;
+      }
+
+      if (authContext && authContext.accessToken && authContext.sub) {
+        updateData.memberIds = memberIds;
+        needsUpdate = true;
+      }
+
+      if (needsUpdate) {
+        await Group.findByIdAndUpdate(existingGroup._id, { $set: updateData }, { new: true });
+      }
+
+      return existingGroup._id.toString();
+    }
+
+    const groupData = {
+      name: principal.name,
+      source: 'entra',
+      idOnTheSource: principal.idOnTheSource,
+      memberIds: memberIds, // Store idOnTheSource values of group members (empty if no auth context)
+    };
+
+    if (principal.email) {
+      groupData.email = principal.email.toLowerCase();
+    }
+
+    if (principal.description) {
+      groupData.description = principal.description;
+    }
+
+    const newGroup = await createGroup(groupData);
+    return newGroup._id.toString();
+  }
+  if (principal.id && authContext == null) {
+    return principal.id;
+  }
+
+  throw new Error(`Unsupported group principal source: ${principal.source}`);
+};
+
+/**
+ * Synchronize user's Entra ID group memberships on sign-in
+ * Gets user's group IDs from GraphAPI and updates memberships only for existing groups in database
+ * Optionally includes groups the user owns if ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS is enabled
+ * @param {Object} user - User object with authentication context
+ * @param {string} user.openidId - User's OpenID subject identifier
+ * @param {string} user.idOnTheSource - User's Entra ID (oid from token claims)
+ * @param {string} user.provider - Authentication provider ('openid')
+ * @param {string} accessToken - Access token for Graph API calls
+ * @param {mongoose.ClientSession} [session] - Optional MongoDB session for transactions
+ * @returns {Promise<void>}
+ */
+const syncUserEntraGroupMemberships = async (user, accessToken, session = null) => {
+  try {
+    if (!entraIdPrincipalFeatureEnabled(user) || !accessToken || !user.idOnTheSource) {
+      return;
+    }
+
+    const memberGroupIds = await getUserEntraGroups(accessToken, user.openidId);
+    let allGroupIds = [...(memberGroupIds || [])];
+
+    // Include owned groups if feature is enabled
+    if (isEnabled(process.env.ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS)) {
+      const ownedGroupIds = await getUserOwnedEntraGroups(accessToken, user.openidId);
+      if (ownedGroupIds && ownedGroupIds.length > 0) {
+        allGroupIds.push(...ownedGroupIds);
+        // Remove duplicates
+        allGroupIds = [...new Set(allGroupIds)];
+      }
+    }
+
+    if (!allGroupIds || allGroupIds.length === 0) {
+      return;
+    }
+
+    const sessionOptions = session ? { session } : {};
+
+    await Group.updateMany(
+      {
+        idOnTheSource: { $in: allGroupIds },
+        source: 'entra',
+        memberIds: { $ne: user.idOnTheSource },
+      },
+      { $addToSet: { memberIds: user.idOnTheSource } },
+      sessionOptions,
+    );
+
+    await Group.updateMany(
+      {
+        source: 'entra',
+        memberIds: user.idOnTheSource,
+        idOnTheSource: { $nin: allGroupIds },
+      },
+      { $pull: { memberIds: user.idOnTheSource } },
+      sessionOptions,
+    );
+  } catch (error) {
+    logger.error(`[PermissionService.syncUserEntraGroupMemberships] Error syncing groups:`, error);
+  }
+};
+
+/**
+ * Check if public has a specific permission on a resource
+ * @param {Object} params - Parameters for checking public permission
+ * @param {string} params.resourceType - Type of resource (e.g., 'agent')
+ * @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
+ * @param {number} params.requiredPermissions - The permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
+ * @returns {Promise<boolean>} Whether public has the required permission bits
+ */
+const hasPublicPermission = async ({ resourceType, resourceId, requiredPermissions }) => {
+  try {
+    if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) {
+      throw new Error('requiredPermissions must be a positive number');
+    }
+
+    // Use public principal to check permissions
+    const publicPrincipal = [{ principalType: 'public' }];
+
+    const entries = await findEntriesByPrincipalsAndResource(
+      publicPrincipal,
+      resourceType,
+      resourceId,
+    );
+
+    // Check if any entry has the required permission bits
+    return entries.some((entry) => (entry.permBits & requiredPermissions) === requiredPermissions);
+  } catch (error) {
+    logger.error(`[PermissionService.hasPublicPermission] Error: ${error.message}`);
+    // Re-throw validation errors
+    if (error.message.includes('requiredPermissions must be')) {
+      throw error;
+    }
+    return false;
+  }
+};
+
+/**
+ * Bulk update permissions for a resource (grant, update, revoke)
+ * Efficiently handles multiple permission changes in a single transaction
+ *
+ * @param {Object} params - Parameters for bulk permission update
+ * @param {string} params.resourceType - Type of resource (e.g., 'agent')
+ * @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
+ * @param {Array<TPrincipal>} params.updatedPrincipals - Array of principals to grant/update permissions for
+ * @param {Array<TPrincipal>} params.revokedPrincipals - Array of principals to revoke permissions from
+ * @param {string|mongoose.Types.ObjectId} params.grantedBy - User ID making the changes
+ * @param {mongoose.ClientSession} [params.session] - Optional MongoDB session for transactions
+ * @returns {Promise<Object>} Results object with granted, updated, revoked arrays and error details
+ */
+const bulkUpdateResourcePermissions = async ({
+  resourceType,
+  resourceId,
+  updatedPrincipals = [],
+  revokedPrincipals = [],
+  grantedBy,
+  session,
+}) => {
+  const supportsTransactions = await getTransactionSupport(mongoose, transactionSupportCache);
+  transactionSupportCache = supportsTransactions;
+  let localSession = session;
+  let shouldEndSession = false;
+
+  try {
+    if (!Array.isArray(updatedPrincipals)) {
+      throw new Error('updatedPrincipals must be an array');
+    }
+
+    if (!Array.isArray(revokedPrincipals)) {
+      throw new Error('revokedPrincipals must be an array');
+    }
+
+    if (!resourceId || !mongoose.Types.ObjectId.isValid(resourceId)) {
+      throw new Error(`Invalid resource ID: ${resourceId}`);
+    }
+
+    if (!localSession && supportsTransactions) {
+      localSession = await mongoose.startSession();
+      localSession.startTransaction();
+      shouldEndSession = true;
+    }
+
+    const sessionOptions = localSession ? { session: localSession } : {};
+
+    const roles = await AccessRole.find({ resourceType }).lean();
+    const rolesMap = new Map();
+    roles.forEach((role) => {
+      rolesMap.set(role.accessRoleId, role);
+    });
+
+    const results = {
+      granted: [],
+      updated: [],
+      revoked: [],
+      errors: [],
+    };
+
+    const bulkWrites = [];
+
+    for (const principal of updatedPrincipals) {
+      try {
+        if (!principal.accessRoleId) {
+          results.errors.push({
+            principal,
+            error: 'accessRoleId is required for updated principals',
+          });
+          continue;
+        }
+
+        const role = rolesMap.get(principal.accessRoleId);
+        if (!role) {
+          results.errors.push({
+            principal,
+            error: `Role ${principal.accessRoleId} not found`,
+          });
+          continue;
+        }
+
+        const query = {
+          principalType: principal.type,
+          resourceType,
+          resourceId,
+        };
+
+        if (principal.type !== 'public') {
+          query.principalId = principal.id;
+        }
+
+        const update = {
+          $set: {
+            permBits: role.permBits,
+            roleId: role._id,
+            grantedBy,
+            grantedAt: new Date(),
+          },
+          $setOnInsert: {
+            principalType: principal.type,
+            resourceType,
+            resourceId,
+            ...(principal.type !== 'public' && {
+              principalId: principal.id,
+              principalModel: principal.type === 'user' ? 'User' : 'Group',
+            }),
+          },
+        };
+
+        bulkWrites.push({
+          updateOne: {
+            filter: query,
+            update: update,
+            upsert: true,
+          },
+        });
+
+        results.granted.push({
+          type: principal.type,
+          id: principal.id,
+          name: principal.name,
+          email: principal.email,
+          source: principal.source,
+          avatar: principal.avatar,
+          description: principal.description,
+          idOnTheSource: principal.idOnTheSource,
+          accessRoleId: principal.accessRoleId,
+          memberCount: principal.memberCount,
+          memberIds: principal.memberIds,
+        });
+      } catch (error) {
+        results.errors.push({
+          principal,
+          error: error.message,
+        });
+      }
+    }
+
+    if (bulkWrites.length > 0) {
+      await AclEntry.bulkWrite(bulkWrites, sessionOptions);
+    }
+
+    const deleteQueries = [];
+    for (const principal of revokedPrincipals) {
+      try {
+        const query = {
+          principalType: principal.type,
+          resourceType,
+          resourceId,
+        };
+
+        if (principal.type !== 'public') {
+          query.principalId = principal.id;
+        }
+
+        deleteQueries.push(query);
+
+        results.revoked.push({
+          type: principal.type,
+          id: principal.id,
+          name: principal.name,
+          email: principal.email,
+          source: principal.source,
+          avatar: principal.avatar,
+          description: principal.description,
+          idOnTheSource: principal.idOnTheSource,
+          memberCount: principal.memberCount,
+        });
+      } catch (error) {
+        results.errors.push({
+          principal,
+          error: error.message,
+        });
+      }
+    }
+
+    if (deleteQueries.length > 0) {
+      await AclEntry.deleteMany(
+        {
+          $or: deleteQueries,
+        },
+        sessionOptions,
+      );
+    }
+
+    if (shouldEndSession && supportsTransactions) {
+      await localSession.commitTransaction();
+    }
+
+    return results;
+  } catch (error) {
+    if (shouldEndSession && supportsTransactions) {
+      await localSession.abortTransaction();
+    }
+    logger.error(`[PermissionService.bulkUpdateResourcePermissions] Error: ${error.message}`);
+    throw error;
+  } finally {
+    if (shouldEndSession && localSession) {
+      localSession.endSession();
+    }
+  }
+};
+
+module.exports = {
+  grantPermission,
+  checkPermission,
+  getEffectivePermissions,
+  findAccessibleResources,
+  findPubliclyAccessibleResources,
+  hasPublicPermission,
+  getAvailableRoles,
+  bulkUpdateResourcePermissions,
+  ensurePrincipalExists,
+  ensureGroupPrincipalExists,
+  syncUserEntraGroupMemberships,
+};

api/server/services/initializeMCP.js

@@ -44,6 +44,9 @@ async function initializeMCP(app) {
     await mcpManager.mapAvailableTools(toolsCopy, flowManager);
     await setCachedTools(toolsCopy, { isGlobal: true });
 
+    const cache = getLogStores(CacheKeys.CONFIG_STORE);
+    await cache.delete(CacheKeys.TOOLS);
+    logger.debug('Cleared tools array cache after MCP initialization');
     logger.info('MCP servers initialized successfully');
   } catch (error) {
     logger.error('Failed to initialize MCP servers:', error);

api/server/services/start/checks.js

@@ -1,6 +1,6 @@
+const { webSearchKeys } = require('@librechat/api');
 const {
   Constants,
-  webSearchKeys,
   deprecatedAzureVariables,
   conflictingAzureVariables,
   extractVariableName,

api/server/services/start/interface.js

@@ -51,6 +51,24 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     runCode: interfaceConfig?.runCode ?? defaults.runCode,
     webSearch: interfaceConfig?.webSearch ?? defaults.webSearch,
     customWelcome: interfaceConfig?.customWelcome ?? defaults.customWelcome,
+    peoplePicker: {
+      admin: {
+        users: interfaceConfig?.peoplePicker?.admin?.users ?? defaults.peoplePicker?.admin.users,
+        groups: interfaceConfig?.peoplePicker?.admin?.groups ?? defaults.peoplePicker?.admin.groups,
+      },
+      user: {
+        users: interfaceConfig?.peoplePicker?.user?.users ?? defaults.peoplePicker?.user.users,
+        groups: interfaceConfig?.peoplePicker?.user?.groups ?? defaults.peoplePicker?.user.groups,
+      },
+    },
+    marketplace: {
+      admin: {
+        use: interfaceConfig?.marketplace?.admin?.use ?? defaults.marketplace?.admin.use,
+      },
+      user: {
+        use: interfaceConfig?.marketplace?.user?.use ?? defaults.marketplace?.user.use,
+      },
+    },
   });
 
   await updateAccessPermissions(roleName, {
@@ -65,6 +83,13 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
     [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
     [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: loadedInterface.webSearch },
+    [PermissionTypes.PEOPLE_PICKER]: {
+      [Permissions.VIEW_USERS]: loadedInterface.peoplePicker.user?.users,
+      [Permissions.VIEW_GROUPS]: loadedInterface.peoplePicker.user?.groups,
+    },
+    [PermissionTypes.MARKETPLACE]: {
+      [Permissions.USE]: loadedInterface.marketplace.user?.use,
+    },
   });
   await updateAccessPermissions(SystemRoles.ADMIN, {
     [PermissionTypes.PROMPTS]: { [Permissions.USE]: loadedInterface.prompts },
@@ -78,6 +103,13 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
     [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
     [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: loadedInterface.webSearch },
+    [PermissionTypes.PEOPLE_PICKER]: {
+      [Permissions.VIEW_USERS]: loadedInterface.peoplePicker.admin?.users,
+      [Permissions.VIEW_GROUPS]: loadedInterface.peoplePicker.admin?.groups,
+    },
+    [PermissionTypes.MARKETPLACE]: {
+      [Permissions.USE]: loadedInterface.marketplace.admin?.use,
+    },
   });
 
   let i = 0;

api/server/services/start/interface.spec.js

@@ -27,12 +27,17 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: true },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true },
+      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true, [Permissions.OPT_OUT]: undefined },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: true },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -56,12 +61,17 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: false },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: false },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: false },
+      [PermissionTypes.MEMORIES]: { [Permissions.USE]: false, [Permissions.OPT_OUT]: undefined },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: false },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: false },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: false },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: false },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: false },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -74,12 +84,20 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: undefined },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MEMORIES]: {
+        [Permissions.USE]: undefined,
+        [Permissions.OPT_OUT]: undefined,
+      },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: undefined },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -103,12 +121,20 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: undefined },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MEMORIES]: {
+        [Permissions.USE]: undefined,
+        [Permissions.OPT_OUT]: undefined,
+      },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: undefined },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -132,12 +158,17 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: true },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: false },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true },
+      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true, [Permissions.OPT_OUT]: undefined },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: undefined },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: true },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: false },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -161,12 +192,17 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: true },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true },
+      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true, [Permissions.OPT_OUT]: undefined },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: true },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -179,12 +215,20 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: undefined },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MEMORIES]: {
+        [Permissions.USE]: undefined,
+        [Permissions.OPT_OUT]: undefined,
+      },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -197,12 +241,20 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: undefined },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MEMORIES]: {
+        [Permissions.USE]: undefined,
+        [Permissions.OPT_OUT]: undefined,
+      },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: false },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -215,12 +267,20 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: undefined },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MEMORIES]: {
+        [Permissions.USE]: undefined,
+        [Permissions.OPT_OUT]: undefined,
+      },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: undefined },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -243,12 +303,17 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: true },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: false },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true },
+      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true, [Permissions.OPT_OUT]: undefined },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: false },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: false },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -272,12 +337,17 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: true },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: false },
+      [PermissionTypes.MEMORIES]: { [Permissions.USE]: false, [Permissions.OPT_OUT]: undefined },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: false },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 
@@ -300,12 +370,17 @@ describe('loadDefaultInterface', () => {
     expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
       [PermissionTypes.PROMPTS]: { [Permissions.USE]: true },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: false },
-      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true },
+      [PermissionTypes.MEMORIES]: { [Permissions.USE]: true, [Permissions.OPT_OUT]: undefined },
       [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
       [PermissionTypes.AGENTS]: { [Permissions.USE]: false },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: false },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
+      [PermissionTypes.MARKETPLACE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_GROUPS]: undefined,
+        [Permissions.VIEW_USERS]: undefined,
+      },
     });
   });
 });

api/server/socialLogins.js

@@ -1,8 +1,5 @@
-const { Keyv } = require('keyv');
 const passport = require('passport');
 const session = require('express-session');
-const MemoryStore = require('memorystore')(session);
-const RedisStore = require('connect-redis').default;
 const {
   setupOpenId,
   googleLogin,
@@ -14,8 +11,9 @@ const {
   openIdJwtLogin,
 } = require('~/strategies');
 const { isEnabled } = require('~/server/utils');
-const keyvRedis = require('~/cache/keyvRedis');
 const { logger } = require('~/config');
+const { getLogStores } = require('~/cache');
+const { CacheKeys } = require('librechat-data-provider');
 
 /**
  *
@@ -51,17 +49,8 @@ const configureSocialLogins = async (app) => {
       secret: process.env.OPENID_SESSION_SECRET,
       resave: false,
       saveUninitialized: false,
+      store: getLogStores(CacheKeys.OPENID_SESSION),
     };
-    if (isEnabled(process.env.USE_REDIS)) {
-      logger.debug('Using Redis for session storage in OpenID...');
-      const keyv = new Keyv({ store: keyvRedis });
-      const client = keyv.opts.store.client;
-      sessionOptions.store = new RedisStore({ client, prefix: 'openid_session' });
-    } else {
-      sessionOptions.store = new MemoryStore({
-        checkPeriod: 86400000, // prune expired entries every 24h
-      });
-    }
     app.use(session(sessionOptions));
     app.use(passport.session());
     const config = await setupOpenId();
@@ -82,17 +71,8 @@ const configureSocialLogins = async (app) => {
       secret: process.env.SAML_SESSION_SECRET,
       resave: false,
       saveUninitialized: false,
+      store: getLogStores(CacheKeys.SAML_SESSION),
     };
-    if (isEnabled(process.env.USE_REDIS)) {
-      logger.debug('Using Redis for session storage in SAML...');
-      const keyv = new Keyv({ store: keyvRedis });
-      const client = keyv.opts.store.client;
-      sessionOptions.store = new RedisStore({ client, prefix: 'saml_session' });
-    } else {
-      sessionOptions.store = new MemoryStore({
-        checkPeriod: 86400000, // prune expired entries every 24h
-      });
-    }
     app.use(session(sessionOptions));
     app.use(passport.session());
     setupSaml();

api/server/utils/__tests__/staticCache.spec.js

@@ -0,0 +1,407 @@
+const fs = require('fs');
+const path = require('path');
+const express = require('express');
+const request = require('supertest');
+const zlib = require('zlib');
+const staticCache = require('../staticCache');
+
+describe('staticCache', () => {
+  let app;
+  let testDir;
+  let testFile;
+  let indexFile;
+  let manifestFile;
+  let swFile;
+
+  beforeAll(() => {
+    // Create a test directory and files
+    testDir = path.join(__dirname, 'test-static');
+    if (!fs.existsSync(testDir)) {
+      fs.mkdirSync(testDir, { recursive: true });
+    }
+
+    // Create test files
+    testFile = path.join(testDir, 'test.js');
+    indexFile = path.join(testDir, 'index.html');
+    manifestFile = path.join(testDir, 'manifest.json');
+    swFile = path.join(testDir, 'sw.js');
+
+    const jsContent = 'console.log("test");';
+    const htmlContent = '<html><body>Test</body></html>';
+    const jsonContent = '{"name": "test"}';
+    const swContent = 'self.addEventListener("install", () => {});';
+
+    fs.writeFileSync(testFile, jsContent);
+    fs.writeFileSync(indexFile, htmlContent);
+    fs.writeFileSync(manifestFile, jsonContent);
+    fs.writeFileSync(swFile, swContent);
+
+    // Create gzipped versions of some files
+    fs.writeFileSync(testFile + '.gz', zlib.gzipSync(jsContent));
+    fs.writeFileSync(path.join(testDir, 'test.css'), 'body { color: red; }');
+    fs.writeFileSync(path.join(testDir, 'test.css.gz'), zlib.gzipSync('body { color: red; }'));
+
+    // Create a file that only exists in gzipped form
+    fs.writeFileSync(
+      path.join(testDir, 'only-gzipped.js.gz'),
+      zlib.gzipSync('console.log("only gzipped");'),
+    );
+
+    // Create a subdirectory for dist/images testing
+    const distImagesDir = path.join(testDir, 'dist', 'images');
+    fs.mkdirSync(distImagesDir, { recursive: true });
+    fs.writeFileSync(path.join(distImagesDir, 'logo.png'), 'fake-png-data');
+  });
+
+  afterAll(() => {
+    // Clean up test files
+    if (fs.existsSync(testDir)) {
+      fs.rmSync(testDir, { recursive: true, force: true });
+    }
+  });
+
+  beforeEach(() => {
+    app = express();
+
+    // Clear environment variables
+    delete process.env.NODE_ENV;
+    delete process.env.STATIC_CACHE_S_MAX_AGE;
+    delete process.env.STATIC_CACHE_MAX_AGE;
+  });
+  describe('cache headers in production', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+    });
+
+    it('should set standard cache headers for regular files', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/test.js').expect(200);
+
+      expect(response.headers['cache-control']).toBe('public, max-age=172800, s-maxage=86400');
+    });
+
+    it('should set no-cache headers for index.html', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/index.html').expect(200);
+
+      expect(response.headers['cache-control']).toBe('no-store, no-cache, must-revalidate');
+    });
+
+    it('should set no-cache headers for manifest.json', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/manifest.json').expect(200);
+
+      expect(response.headers['cache-control']).toBe('no-store, no-cache, must-revalidate');
+    });
+
+    it('should set no-cache headers for sw.js', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/sw.js').expect(200);
+
+      expect(response.headers['cache-control']).toBe('no-store, no-cache, must-revalidate');
+    });
+
+    it('should not set cache headers for /dist/images/ files', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/dist/images/logo.png').expect(200);
+
+      expect(response.headers['cache-control']).toBe('public, max-age=0');
+    });
+
+    it('should set no-cache headers when noCache option is true', async () => {
+      app.use(staticCache(testDir, { noCache: true }));
+
+      const response = await request(app).get('/test.js').expect(200);
+
+      expect(response.headers['cache-control']).toBe('no-store, no-cache, must-revalidate');
+    });
+  });
+
+  describe('cache headers in non-production', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'development';
+    });
+
+    it('should not set cache headers in development', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/test.js').expect(200);
+
+      // Our middleware should not set cache-control in non-production
+      // Express static might set its own default headers
+      const cacheControl = response.headers['cache-control'];
+      expect(cacheControl).toBe('public, max-age=0');
+    });
+  });
+
+  describe('environment variable configuration', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+    });
+
+    it('should use custom s-maxage from environment', async () => {
+      process.env.STATIC_CACHE_S_MAX_AGE = '3600';
+
+      // Need to re-require to pick up new env vars
+      jest.resetModules();
+      const freshStaticCache = require('../staticCache');
+
+      app.use(freshStaticCache(testDir));
+
+      const response = await request(app).get('/test.js').expect(200);
+
+      expect(response.headers['cache-control']).toBe('public, max-age=172800, s-maxage=3600');
+    });
+
+    it('should use custom max-age from environment', async () => {
+      process.env.STATIC_CACHE_MAX_AGE = '7200';
+
+      // Need to re-require to pick up new env vars
+      jest.resetModules();
+      const freshStaticCache = require('../staticCache');
+
+      app.use(freshStaticCache(testDir));
+
+      const response = await request(app).get('/test.js').expect(200);
+
+      expect(response.headers['cache-control']).toBe('public, max-age=7200, s-maxage=86400');
+    });
+
+    it('should use both custom values from environment', async () => {
+      process.env.STATIC_CACHE_S_MAX_AGE = '1800';
+      process.env.STATIC_CACHE_MAX_AGE = '3600';
+
+      // Need to re-require to pick up new env vars
+      jest.resetModules();
+      const freshStaticCache = require('../staticCache');
+
+      app.use(freshStaticCache(testDir));
+
+      const response = await request(app).get('/test.js').expect(200);
+
+      expect(response.headers['cache-control']).toBe('public, max-age=3600, s-maxage=1800');
+    });
+  });
+
+  describe('express-static-gzip behavior', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+    });
+
+    it('should serve gzipped files when client accepts gzip encoding', async () => {
+      app.use(staticCache(testDir, { skipGzipScan: false }));
+
+      const response = await request(app)
+        .get('/test.js')
+        .set('Accept-Encoding', 'gzip, deflate')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBe('gzip');
+      expect(response.headers['content-type']).toMatch(/javascript/);
+      expect(response.headers['cache-control']).toBe('public, max-age=172800, s-maxage=86400');
+      // Content should be decompressed by supertest
+      expect(response.text).toBe('console.log("test");');
+    });
+
+    it('should fall back to uncompressed files when client does not accept gzip', async () => {
+      app.use(staticCache(testDir, { skipGzipScan: false }));
+
+      const response = await request(app)
+        .get('/test.js')
+        .set('Accept-Encoding', 'identity')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBeUndefined();
+      expect(response.headers['content-type']).toMatch(/javascript/);
+      expect(response.text).toBe('console.log("test");');
+    });
+
+    it('should serve gzipped CSS files with correct content-type', async () => {
+      app.use(staticCache(testDir, { skipGzipScan: false }));
+
+      const response = await request(app)
+        .get('/test.css')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBe('gzip');
+      expect(response.headers['content-type']).toMatch(/css/);
+      expect(response.text).toBe('body { color: red; }');
+    });
+
+    it('should serve uncompressed files when no gzipped version exists', async () => {
+      app.use(staticCache(testDir, { skipGzipScan: false }));
+
+      const response = await request(app)
+        .get('/manifest.json')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBeUndefined();
+      expect(response.headers['content-type']).toMatch(/json/);
+      expect(response.text).toBe('{"name": "test"}');
+    });
+
+    it('should handle files that only exist in gzipped form', async () => {
+      app.use(staticCache(testDir, { skipGzipScan: false }));
+
+      const response = await request(app)
+        .get('/only-gzipped.js')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBe('gzip');
+      expect(response.headers['content-type']).toMatch(/javascript/);
+      expect(response.text).toBe('console.log("only gzipped");');
+    });
+
+    it('should return 404 for gzip-only files when client does not accept gzip', async () => {
+      app.use(staticCache(testDir, { skipGzipScan: false }));
+
+      const response = await request(app)
+        .get('/only-gzipped.js')
+        .set('Accept-Encoding', 'identity');
+      expect(response.status).toBe(404);
+    });
+
+    it('should handle cache headers correctly for gzipped content', async () => {
+      app.use(staticCache(testDir, { skipGzipScan: false }));
+
+      const response = await request(app)
+        .get('/test.js')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBe('gzip');
+      expect(response.headers['cache-control']).toBe('public, max-age=172800, s-maxage=86400');
+      expect(response.headers['content-type']).toMatch(/javascript/);
+    });
+
+    it('should preserve original MIME types for gzipped files', async () => {
+      app.use(staticCache(testDir, { skipGzipScan: false }));
+
+      const jsResponse = await request(app)
+        .get('/test.js')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      const cssResponse = await request(app)
+        .get('/test.css')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      expect(jsResponse.headers['content-type']).toMatch(/javascript/);
+      expect(cssResponse.headers['content-type']).toMatch(/css/);
+      expect(jsResponse.headers['content-encoding']).toBe('gzip');
+      expect(cssResponse.headers['content-encoding']).toBe('gzip');
+    });
+  });
+
+  describe('skipGzipScan option comparison', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+    });
+
+    it('should use express.static (no gzip) when skipGzipScan is true', async () => {
+      app.use(staticCache(testDir, { skipGzipScan: true }));
+
+      const response = await request(app)
+        .get('/test.js')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      // Should NOT serve gzipped version even though client accepts it
+      expect(response.headers['content-encoding']).toBeUndefined();
+      expect(response.headers['cache-control']).toBe('public, max-age=172800, s-maxage=86400');
+      expect(response.text).toBe('console.log("test");');
+    });
+
+    it('should use expressStaticGzip when skipGzipScan is false', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app)
+        .get('/test.js')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      // Should serve gzipped version when client accepts it
+      expect(response.headers['content-encoding']).toBe('gzip');
+      expect(response.headers['cache-control']).toBe('public, max-age=172800, s-maxage=86400');
+      expect(response.text).toBe('console.log("test");');
+    });
+  });
+
+  describe('file serving', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+    });
+
+    it('should serve files correctly', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/test.js').expect(200);
+
+      expect(response.text).toBe('console.log("test");');
+      expect(response.headers['content-type']).toMatch(/javascript|text/);
+    });
+
+    it('should return 404 for non-existent files', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/nonexistent.js');
+      expect(response.status).toBe(404);
+    });
+
+    it('should serve HTML files', async () => {
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/index.html').expect(200);
+
+      expect(response.text).toBe('<html><body>Test</body></html>');
+      expect(response.headers['content-type']).toMatch(/html/);
+    });
+  });
+
+  describe('edge cases', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+    });
+
+    it('should handle webmanifest files', async () => {
+      // Create a webmanifest file
+      const webmanifestFile = path.join(testDir, 'site.webmanifest');
+      fs.writeFileSync(webmanifestFile, '{"name": "test app"}');
+
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/site.webmanifest').expect(200);
+
+      expect(response.headers['cache-control']).toBe('no-store, no-cache, must-revalidate');
+
+      // Clean up
+      fs.unlinkSync(webmanifestFile);
+    });
+
+    it('should handle files in subdirectories', async () => {
+      const subDir = path.join(testDir, 'subdir');
+      fs.mkdirSync(subDir, { recursive: true });
+      const subFile = path.join(subDir, 'nested.js');
+      fs.writeFileSync(subFile, 'console.log("nested");');
+
+      app.use(staticCache(testDir));
+
+      const response = await request(app).get('/subdir/nested.js').expect(200);
+
+      expect(response.headers['cache-control']).toBe('public, max-age=172800, s-maxage=86400');
+      expect(response.text).toBe('console.log("nested");');
+
+      // Clean up
+      fs.rmSync(subDir, { recursive: true, force: true });
+    });
+  });
+});

api/server/utils/staticCache.js

@@ -1,4 +1,5 @@
 const path = require('path');
+const express = require('express');
 const expressStaticGzip = require('express-static-gzip');
 
 const oneDayInSeconds = 24 * 60 * 60;
@@ -7,44 +8,55 @@ const sMaxAge = process.env.STATIC_CACHE_S_MAX_AGE || oneDayInSeconds;
 const maxAge = process.env.STATIC_CACHE_MAX_AGE || oneDayInSeconds * 2;
 
 /**
- * Creates an Express static middleware with gzip compression and configurable caching
+ * Creates an Express static middleware with optional gzip compression and configurable caching
  *
  * @param {string} staticPath - The file system path to serve static files from
  * @param {Object} [options={}] - Configuration options
  * @param {boolean} [options.noCache=false] - If true, disables caching entirely for all files
- * @returns {ReturnType<expressStaticGzip>} Express middleware function for serving static files
+ * @param {boolean} [options.skipGzipScan=false] - If true, skips expressStaticGzip middleware
+ * @returns {ReturnType<expressStaticGzip>|ReturnType<express.static>} Express middleware function for serving static files
  */
 function staticCache(staticPath, options = {}) {
-  const { noCache = false } = options;
-  return expressStaticGzip(staticPath, {
-    enableBrotli: false,
-    orderPreference: ['gz'],
-    setHeaders: (res, filePath) => {
-      if (process.env.NODE_ENV?.toLowerCase() !== 'production') {
-        return;
-      }
-      if (noCache) {
-        res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
-        return;
-      }
-      if (filePath.includes('/dist/images/')) {
-        return;
-      }
-      const fileName = path.basename(filePath);
+  const { noCache = false, skipGzipScan = false } = options;
 
-      if (
-        fileName === 'index.html' ||
-        fileName.endsWith('.webmanifest') ||
-        fileName === 'manifest.json' ||
-        fileName === 'sw.js'
-      ) {
-        res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
-      } else {
-        res.setHeader('Cache-Control', `public, max-age=${maxAge}, s-maxage=${sMaxAge}`);
-      }
-    },
-    index: false,
-  });
+  const setHeaders = (res, filePath) => {
+    if (process.env.NODE_ENV?.toLowerCase() !== 'production') {
+      return;
+    }
+    if (noCache) {
+      res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
+      return;
+    }
+    if (filePath && filePath.includes('/dist/images/')) {
+      return;
+    }
+    const fileName = filePath ? path.basename(filePath) : '';
+
+    if (
+      fileName === 'index.html' ||
+      fileName.endsWith('.webmanifest') ||
+      fileName === 'manifest.json' ||
+      fileName === 'sw.js'
+    ) {
+      res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
+    } else {
+      res.setHeader('Cache-Control', `public, max-age=${maxAge}, s-maxage=${sMaxAge}`);
+    }
+  };
+
+  if (skipGzipScan) {
+    return express.static(staticPath, {
+      setHeaders,
+      index: false,
+    });
+  } else {
+    return expressStaticGzip(staticPath, {
+      enableBrotli: false,
+      orderPreference: ['gz'],
+      setHeaders,
+      index: false,
+    });
+  }
 }
 
 module.exports = staticCache;

api/strategies/openidStrategy.js

@@ -365,6 +365,7 @@ async function setupOpenId() {
               email: userinfo.email || '',
               emailVerified: userinfo.email_verified || false,
               name: fullName,
+              idOnTheSource: userinfo.oid,
             };
 
             const balanceConfig = await getBalanceConfig();
@@ -375,6 +376,7 @@ async function setupOpenId() {
             user.openidId = userinfo.sub;
             user.username = username;
             user.name = fullName;
+            user.idOnTheSource = userinfo.oid;
           }
 
           if (!!userinfo && userinfo.picture && !user.avatar?.includes('manual=true')) {

api/test/jestSetup.js

@@ -10,3 +10,8 @@ process.env.JWT_SECRET = 'test';
 process.env.JWT_REFRESH_SECRET = 'test';
 process.env.CREDS_KEY = 'test';
 process.env.CREDS_IV = 'test';
+process.env.ALLOW_EMAIL_LOGIN = 'true';
+
+// Set global test timeout to 30 seconds
+// This can be overridden in individual tests if needed
+jest.setTimeout(30000);