ci: update permissions structure in loadDefaultInterface tests

- Refactored permissions for MEMORY and added new permissions for MARKETPLACE and PEOPLE_PICKER. - Ensured consistent structure for permissions across different types.
chore: fix ESLint issues and Test Mocks
2025-07-24 12:26:52 -04:00 · 2025-07-24 11:20:16 -04:00 · 2025-07-24 10:47:44 -04:00 · 2025-07-24 10:47:43 -04:00 · 2025-07-24 10:47:43 -04:00 · 2025-07-24 10:47:43 -04:00
474 changed files with 42154 additions and 5911 deletions
--- a/.env.example
+++ b/.env.example
@@ -349,6 +349,11 @@ REGISTRATION_VIOLATION_SCORE=1
 CONCURRENT_VIOLATION_SCORE=1
 MESSAGE_VIOLATION_SCORE=1
 NON_BROWSER_VIOLATION_SCORE=20
+TTS_VIOLATION_SCORE=0
+STT_VIOLATION_SCORE=0
+FORK_VIOLATION_SCORE=0
+IMPORT_VIOLATION_SCORE=0
+FILE_UPLOAD_VIOLATION_SCORE=0

 LOGIN_MAX=7
 LOGIN_WINDOW=5
@@ -453,8 +458,8 @@ OPENID_REUSE_TOKENS=
 OPENID_JWKS_URL_CACHE_ENABLED=
 OPENID_JWKS_URL_CACHE_TIME= # 600000 ms eq to 10 minutes leave empty to disable caching
 #Set to true to trigger token exchange flow to acquire access token for the userinfo endpoint.
-OPENID_ON_BEHALF_FLOW_FOR_USERINFRO_REQUIRED=
-OPENID_ON_BEHALF_FLOW_USERINFRO_SCOPE = "user.read" # example for Scope Needed for Microsoft Graph API
+OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=
+OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE="user.read" # example for Scope Needed for Microsoft Graph API
 # Set to true to use the OpenID Connect end session endpoint for logout
 OPENID_USE_END_SESSION_ENDPOINT=

@@ -485,6 +490,21 @@ SAML_IMAGE_URL=
 # SAML_USE_AUTHN_RESPONSE_SIGNED=


+#===============================================#
+# Microsoft Graph API / Entra ID Integration  #
+#===============================================#
+
+# Enable Entra ID people search integration in permissions/sharing system
+# When enabled, the people picker will search both local database and Entra ID
+USE_ENTRA_ID_FOR_PEOPLE_SEARCH=false
+
+# When enabled, entra id groups owners will be considered as members of the group
+ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=false
+
+# Microsoft Graph API scopes needed for people/group search
+# Default scopes provide access to user profiles and group memberships
+OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All
+
 # LDAP
 LDAP_URL=
 LDAP_BIND_DN=
@@ -575,6 +595,10 @@ ALLOW_SHARED_LINKS_PUBLIC=true
 # If you have another service in front of your LibreChat doing compression, disable express based compression here
 # DISABLE_COMPRESSION=true

+# If you have gzipped version of uploaded image images in the same folder, this will enable gzip scan and serving of these images
+# Note: The images folder will be scanned on startup and a ma kept in memory. Be careful for large number of images.
+# ENABLE_IMAGE_OUTPUT_GZIP_SCAN=true
+
 #===================================================#
 #                        UI                         #
 #===================================================#
@@ -592,11 +616,31 @@ HELP_AND_FAQ_URL=https://librechat.ai
 # REDIS Options #
 #===============#

-# REDIS_URI=10.10.10.10:6379
+# Enable Redis for caching and session storage
 # USE_REDIS=true

-# USE_REDIS_CLUSTER=true
-# REDIS_CA=/path/to/ca.crt
+# Single Redis instance
+# REDIS_URI=redis://127.0.0.1:6379
+
+# Redis cluster (multiple nodes)
+# REDIS_URI=redis://127.0.0.1:7001,redis://127.0.0.1:7002,redis://127.0.0.1:7003
+
+# Redis with TLS/SSL encryption and CA certificate
+# REDIS_URI=rediss://127.0.0.1:6380
+# REDIS_CA=/path/to/ca-cert.pem
+
+# Redis authentication (if required)
+# REDIS_USERNAME=your_redis_username
+# REDIS_PASSWORD=your_redis_password
+
+# Redis key prefix configuration
+# Use environment variable name for dynamic prefix (recommended for cloud deployments)
+# REDIS_KEY_PREFIX_VAR=K_REVISION
+# Or use static prefix directly
+# REDIS_KEY_PREFIX=librechat
+
+# Redis connection limits
+# REDIS_MAX_LISTENERS=40

 #==================================================#
 #                      Others                      #
--- a/.github/workflows/backend-review.yml
+++ b/.github/workflows/backend-review.yml
@@ -7,7 +7,7 @@ on:
      - release/*
    paths:
      - 'api/**'
-      - 'packages/api/**'
+      - 'packages/**'
 jobs:
  tests_Backend:
    name: Run Backend unit tests
--- a/.github/workflows/client.yml
+++ b/.github/workflows/client.yml
@@ -0,0 +1,32 @@
+name: Publish `@librechat/client` to NPM
+
+on:
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Reason for manual trigger'
+        required: false
+        default: 'Manual publish requested'
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18.x'
+          
+      - name: Check if client package exists
+        run: |
+          if [ -d "packages/client" ]; then
+            echo "Client package directory found"
+          else
+            echo "Client package directory not found - workflow ready for future use"
+            exit 0
+          fi
+          
+      - name: Placeholder for future publishing
+        run: echo "Client package publishing workflow is ready" 
--- a/.github/workflows/frontend-review.yml
+++ b/.github/workflows/frontend-review.yml
@@ -8,7 +8,7 @@ on:
      - release/*
    paths:
      - 'client/**'
-      - 'packages/**'
+      - 'packages/data-provider/**'

 jobs:
  tests_frontend_ubuntu:
--- a/.gitignore
+++ b/.gitignore
@@ -125,3 +125,12 @@ helm/**/.values.yaml

 # SAML Idp cert
 *.cert
+
+# AI Assistants
+/.claude/
+/.cursor/
+/.copilot/
+/.aider/
+/.openai/
+/.tabnine/
+/.codeium
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -8,7 +8,8 @@
      "skipFiles": ["<node_internals>/**"],
      "program": "${workspaceFolder}/api/server/index.js",
      "env": {
-        "NODE_ENV": "production"
+        "NODE_ENV": "production",
+        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
      },
      "console": "integratedTerminal",
      "envFile": "${workspaceFolder}/.env"
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-# v0.7.8
+# v0.7.9

 # Base node image
 FROM node:20-alpine AS node
--- a/Dockerfile.multi
+++ b/Dockerfile.multi
@@ -1,5 +1,5 @@
 # Dockerfile.multi
-# v0.7.8
+# v0.7.9

 # Base for all builds
 FROM node:20-alpine AS base-min
--- a/README.md
+++ b/README.md
@@ -52,7 +52,7 @@
 - 🖥️ **UI & Experience** inspired by ChatGPT with enhanced design and features

 - 🤖 **AI Model Selection**:  
-  - Anthropic (Claude), AWS Bedrock, OpenAI, Azure OpenAI, Google, Vertex AI, OpenAI Assistants API (incl. Azure)
+  - Anthropic (Claude), AWS Bedrock, OpenAI, Azure OpenAI, Google, Vertex AI, OpenAI Responses API (incl. Azure)
  - [Custom Endpoints](https://www.librechat.ai/docs/quick_start/custom_endpoints): Use any OpenAI-compatible API with LibreChat, no proxy required
  - Compatible with [Local & Remote AI Providers](https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints):
    - Ollama, groq, Cohere, Mistral AI, Apple MLX, koboldcpp, together.ai,
@@ -66,10 +66,9 @@
 - 🔦 **Agents & Tools Integration**:  
  - **[LibreChat Agents](https://www.librechat.ai/docs/features/agents)**:
    - No-Code Custom Assistants: Build specialized, AI-driven helpers without coding  
-    - Flexible & Extensible: Attach tools like DALL-E-3, file search, code execution, and more  
-    - Compatible with Custom Endpoints, OpenAI, Azure, Anthropic, AWS Bedrock, and more
+    - Flexible & Extensible: Use MCP Servers, tools, file search, code execution, and more  
+    - Compatible with Custom Endpoints, OpenAI, Azure, Anthropic, AWS Bedrock, Google, Vertex AI, Responses API, and more
    - [Model Context Protocol (MCP) Support](https://modelcontextprotocol.io/clients#librechat) for Tools
-  - Use LibreChat Agents and OpenAI Assistants with Files, Code Interpreter, Tools, and API Actions

 - 🔍 **Web Search**:  
  - Search the internet and retrieve relevant information to enhance your AI context
--- a/api/app/clients/BaseClient.js
+++ b/api/app/clients/BaseClient.js
@@ -13,7 +13,6 @@ const {
 const { getMessages, saveMessage, updateMessage, saveConvo, getConvo } = require('~/models');
 const { checkBalance } = require('~/models/balanceMethods');
 const { truncateToolCallOutputs } = require('./prompts');
-const { addSpaceIfNeeded } = require('~/server/utils');
 const { getFiles } = require('~/models/File');
 const TextStream = require('./TextStream');
 const { logger } = require('~/config');
@@ -109,12 +108,15 @@ class BaseClient {
  /**
   * Abstract method to record token usage. Subclasses must implement this method.
   * If a correction to the token usage is needed, the method should return an object with the corrected token counts.
+   * Should only be used if `recordCollectedUsage` was not used instead.
+   * @param {string} [model]
   * @param {number} promptTokens
   * @param {number} completionTokens
   * @returns {Promise<void>}
   */
-  async recordTokenUsage({ promptTokens, completionTokens }) {
+  async recordTokenUsage({ model, promptTokens, completionTokens }) {
    logger.debug('[BaseClient] `recordTokenUsage` not implemented.', {
+      model,
      promptTokens,
      completionTokens,
    });
@@ -198,6 +200,10 @@ class BaseClient {
      this.currentMessages[this.currentMessages.length - 1].messageId = head;
    }

+    if (opts.isRegenerate && responseMessageId.endsWith('_')) {
+      responseMessageId = crypto.randomUUID();
+    }
+
    this.responseMessageId = responseMessageId;

    return {
@@ -572,7 +578,7 @@ class BaseClient {
      });
    }

-    const { generation = '' } = opts;
+    const { editedContent } = opts;

    // It's not necessary to push to currentMessages
    // depending on subclass implementation of handling messages
@@ -587,11 +593,21 @@ class BaseClient {
          isCreatedByUser: false,
          model: this.modelOptions?.model ?? this.model,
          sender: this.sender,
-          text: generation,
        };
        this.currentMessages.push(userMessage, latestMessage);
-      } else {
-        latestMessage.text = generation;
+      } else if (editedContent != null) {
+        // Handle editedContent for content parts
+        if (editedContent && latestMessage.content && Array.isArray(latestMessage.content)) {
+          const { index, text, type } = editedContent;
+          if (index >= 0 && index < latestMessage.content.length) {
+            const contentPart = latestMessage.content[index];
+            if (type === ContentTypes.THINK && contentPart.type === ContentTypes.THINK) {
+              contentPart[ContentTypes.THINK] = text;
+            } else if (type === ContentTypes.TEXT && contentPart.type === ContentTypes.TEXT) {
+              contentPart[ContentTypes.TEXT] = text;
+            }
+          }
+        }
      }
      this.continued = true;
    } else {
@@ -672,16 +688,32 @@ class BaseClient {
    };

    if (typeof completion === 'string') {
-      responseMessage.text = addSpaceIfNeeded(generation) + completion;
+      responseMessage.text = completion;
    } else if (
      Array.isArray(completion) &&
      (this.clientName === EModelEndpoint.agents ||
        isParamEndpoint(this.options.endpoint, this.options.endpointType))
    ) {
      responseMessage.text = '';
-      responseMessage.content = completion;
+
+      if (!opts.editedContent || this.currentMessages.length === 0) {
+        responseMessage.content = completion;
+      } else {
+        const latestMessage = this.currentMessages[this.currentMessages.length - 1];
+        if (!latestMessage?.content) {
+          responseMessage.content = completion;
+        } else {
+          const existingContent = [...latestMessage.content];
+          const { type: editedType } = opts.editedContent;
+          responseMessage.content = this.mergeEditedContent(
+            existingContent,
+            completion,
+            editedType,
+          );
+        }
+      }
    } else if (Array.isArray(completion)) {
-      responseMessage.text = addSpaceIfNeeded(generation) + completion.join('');
+      responseMessage.text = completion.join('');
    }

    if (
@@ -712,9 +744,13 @@ class BaseClient {
      } else {
        responseMessage.tokenCount = this.getTokenCountForResponse(responseMessage);
        completionTokens = responseMessage.tokenCount;
+        await this.recordTokenUsage({
+          usage,
+          promptTokens,
+          completionTokens,
+          model: responseMessage.model,
+        });
      }
-
-      await this.recordTokenUsage({ promptTokens, completionTokens, usage });
    }

    if (userMessagePromise) {
@@ -1095,6 +1131,50 @@ class BaseClient {
    return numTokens;
  }

+  /**
+   * Merges completion content with existing content when editing TEXT or THINK types
+   * @param {Array} existingContent - The existing content array
+   * @param {Array} newCompletion - The new completion content
+   * @param {string} editedType - The type of content being edited
+   * @returns {Array} The merged content array
+   */
+  mergeEditedContent(existingContent, newCompletion, editedType) {
+    if (!newCompletion.length) {
+      return existingContent.concat(newCompletion);
+    }
+
+    if (editedType !== ContentTypes.TEXT && editedType !== ContentTypes.THINK) {
+      return existingContent.concat(newCompletion);
+    }
+
+    const lastIndex = existingContent.length - 1;
+    const lastExisting = existingContent[lastIndex];
+    const firstNew = newCompletion[0];
+
+    if (lastExisting?.type !== firstNew?.type || firstNew?.type !== editedType) {
+      return existingContent.concat(newCompletion);
+    }
+
+    const mergedContent = [...existingContent];
+    if (editedType === ContentTypes.TEXT) {
+      mergedContent[lastIndex] = {
+        ...mergedContent[lastIndex],
+        [ContentTypes.TEXT]:
+          (mergedContent[lastIndex][ContentTypes.TEXT] || '') + (firstNew[ContentTypes.TEXT] || ''),
+      };
+    } else {
+      mergedContent[lastIndex] = {
+        ...mergedContent[lastIndex],
+        [ContentTypes.THINK]:
+          (mergedContent[lastIndex][ContentTypes.THINK] || '') +
+          (firstNew[ContentTypes.THINK] || ''),
+      };
+    }
+
+    // Add remaining completion items
+    return mergedContent.concat(newCompletion.slice(1));
+  }
+
  async sendPayload(payload, opts = {}) {
    if (opts && typeof opts === 'object') {
      this.setOptions(opts);
--- a/api/app/clients/prompts/createContextHandlers.js
+++ b/api/app/clients/prompts/createContextHandlers.js
@@ -1,6 +1,7 @@
 const axios = require('axios');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');
+const { isEnabled } = require('@librechat/api');
+const { logger } = require('@librechat/data-schemas');
+const { generateShortLivedToken } = require('~/server/services/AuthService');

 const footer = `Use the context as your learned knowledge to better answer the user.

@@ -18,7 +19,7 @@ function createContextHandlers(req, userMessageContent) {
  const queryPromises = [];
  const processedFiles = [];
  const processedIds = new Set();
-  const jwtToken = req.headers.authorization.split(' ')[1];
+  const jwtToken = generateShortLivedToken(req.user.id);
  const useFullContext = isEnabled(process.env.RAG_USE_FULL_CONTEXT);

  const query = async (file) => {
--- a/api/app/clients/prompts/formatMessages.js
+++ b/api/app/clients/prompts/formatMessages.js
@@ -237,41 +237,9 @@ const formatAgentMessages = (payload) => {
  return messages;
 };

-/**
- * Formats an array of messages for LangChain, making sure all content fields are strings
- * @param {Array<(HumanMessage|AIMessage|SystemMessage|ToolMessage)>} payload - The array of messages to format.
- * @returns {Array<(HumanMessage|AIMessage|SystemMessage|ToolMessage)>} - The array of formatted LangChain messages, including ToolMessages for tool calls.
- */
-const formatContentStrings = (payload) => {
-  const messages = [];
-
-  for (const message of payload) {
-    if (typeof message.content === 'string') {
-      continue;
-    }
-
-    if (!Array.isArray(message.content)) {
-      continue;
-    }
-
-    // Reduce text types to a single string, ignore all other types
-    const content = message.content.reduce((acc, curr) => {
-      if (curr.type === ContentTypes.TEXT) {
-        return `${acc}${curr[ContentTypes.TEXT]}\n`;
-      }
-      return acc;
-    }, '');
-
-    message.content = content.trim();
-  }
-
-  return messages;
-};
-
 module.exports = {
  formatMessage,
  formatFromLangChain,
  formatAgentMessages,
-  formatContentStrings,
  formatLangChainMessages,
 };
--- a/api/app/clients/specs/BaseClient.test.js
+++ b/api/app/clients/specs/BaseClient.test.js
@@ -422,6 +422,46 @@ describe('BaseClient', () => {
      expect(response).toEqual(expectedResult);
    });

+    test('should replace responseMessageId with new UUID when isRegenerate is true and messageId ends with underscore', async () => {
+      const mockCrypto = require('crypto');
+      const newUUID = 'new-uuid-1234';
+      jest.spyOn(mockCrypto, 'randomUUID').mockReturnValue(newUUID);
+
+      const opts = {
+        isRegenerate: true,
+        responseMessageId: 'existing-message-id_',
+      };
+
+      await TestClient.setMessageOptions(opts);
+
+      expect(TestClient.responseMessageId).toBe(newUUID);
+      expect(TestClient.responseMessageId).not.toBe('existing-message-id_');
+
+      mockCrypto.randomUUID.mockRestore();
+    });
+
+    test('should not replace responseMessageId when isRegenerate is false', async () => {
+      const opts = {
+        isRegenerate: false,
+        responseMessageId: 'existing-message-id_',
+      };
+
+      await TestClient.setMessageOptions(opts);
+
+      expect(TestClient.responseMessageId).toBe('existing-message-id_');
+    });
+
+    test('should not replace responseMessageId when it does not end with underscore', async () => {
+      const opts = {
+        isRegenerate: true,
+        responseMessageId: 'existing-message-id',
+      };
+
+      await TestClient.setMessageOptions(opts);
+
+      expect(TestClient.responseMessageId).toBe('existing-message-id');
+    });
+
    test('sendMessage should work with provided conversationId and parentMessageId', async () => {
      const userMessage = 'Second message in the conversation';
      const opts = {
--- a/api/app/clients/tools/util/fileSearch.js
+++ b/api/app/clients/tools/util/fileSearch.js
@@ -1,26 +1,41 @@
 const { z } = require('zod');
 const axios = require('axios');
 const { tool } = require('@langchain/core/tools');
+const { logger } = require('@librechat/data-schemas');
 const { Tools, EToolResources } = require('librechat-data-provider');
+const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
+const { generateShortLivedToken } = require('~/server/services/AuthService');
 const { getFiles } = require('~/models/File');
-const { logger } = require('~/config');

 /**
 *
 * @param {Object} options
 * @param {ServerRequest} options.req
 * @param {Agent['tool_resources']} options.tool_resources
+ * @param {string} [options.agentId] - The agent ID for file access control
 * @returns {Promise<{
 *   files: Array<{ file_id: string; filename: string }>,
 *   toolContext: string
 * }>}
 */
 const primeFiles = async (options) => {
-  const { tool_resources } = options;
+  const { tool_resources, req, agentId } = options;
  const file_ids = tool_resources?.[EToolResources.file_search]?.file_ids ?? [];
  const agentResourceIds = new Set(file_ids);
  const resourceFiles = tool_resources?.[EToolResources.file_search]?.files ?? [];
-  const dbFiles = ((await getFiles({ file_id: { $in: file_ids } })) ?? []).concat(resourceFiles);
+
+  // Get all files first
+  const allFiles = (await getFiles({ file_id: { $in: file_ids } }, null, { text: 0 })) ?? [];
+
+  // Filter by access if user and agent are provided
+  let dbFiles;
+  if (req?.user?.id && agentId) {
+    dbFiles = await filterFilesByAgentAccess(allFiles, req.user.id, agentId);
+  } else {
+    dbFiles = allFiles;
+  }
+
+  dbFiles = dbFiles.concat(resourceFiles);

  let toolContext = `- Note: Semantic search is available through the ${Tools.file_search} tool but no files are currently loaded. Request the user to upload documents to search through.`;

@@ -59,7 +74,7 @@ const createFileSearchTool = async ({ req, files, entity_id }) => {
      if (files.length === 0) {
        return 'No files to search. Instruct the user to add files for the search.';
      }
-      const jwtToken = req.headers.authorization.split(' ')[1];
+      const jwtToken = generateShortLivedToken(req.user.id);
      if (!jwtToken) {
        return 'There was an error authenticating the file search request.';
      }
--- a/api/app/clients/tools/util/handleTools.js
+++ b/api/app/clients/tools/util/handleTools.js
@@ -1,14 +1,9 @@
-const { mcpToolPattern } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const { SerpAPI } = require('@langchain/community/tools/serpapi');
 const { Calculator } = require('@langchain/community/tools/calculator');
+const { mcpToolPattern, loadWebSearchAuth } = require('@librechat/api');
 const { EnvVar, createCodeExecutionTool, createSearchTool } = require('@librechat/agents');
-const {
-  Tools,
-  EToolResources,
-  loadWebSearchAuth,
-  replaceSpecialVars,
-} = require('librechat-data-provider');
+const { Tools, EToolResources, replaceSpecialVars } = require('librechat-data-provider');
 const {
  availableTools,
  manifestToolMap,
@@ -235,7 +230,7 @@ const loadTools = async ({

  /** @type {Record<string, string>} */
  const toolContextMap = {};
-  const appTools = (await getCachedTools({ includeGlobal: true })) ?? {};
+  const cachedTools = (await getCachedTools({ userId: user, includeGlobal: true })) ?? {};

  for (const tool of tools) {
    if (tool === Tools.execute_code) {
@@ -245,7 +240,13 @@ const loadTools = async ({
          authFields: [EnvVar.CODE_API_KEY],
        });
        const codeApiKey = authValues[EnvVar.CODE_API_KEY];
-        const { files, toolContext } = await primeCodeFiles(options, codeApiKey);
+        const { files, toolContext } = await primeCodeFiles(
+          {
+            ...options,
+            agentId: agent?.id,
+          },
+          codeApiKey,
+        );
        if (toolContext) {
          toolContextMap[tool] = toolContext;
        }
@@ -260,7 +261,10 @@ const loadTools = async ({
      continue;
    } else if (tool === Tools.file_search) {
      requestedTools[tool] = async () => {
-        const { files, toolContext } = await primeSearchFiles(options);
+        const { files, toolContext } = await primeSearchFiles({
+          ...options,
+          agentId: agent?.id,
+        });
        if (toolContext) {
          toolContextMap[tool] = toolContext;
        }
@@ -294,7 +298,7 @@ Current Date & Time: ${replaceSpecialVars({ text: '{{iso_datetime}}' })}
        });
      };
      continue;
-    } else if (tool && appTools[tool] && mcpToolPattern.test(tool)) {
+    } else if (tool && cachedTools && mcpToolPattern.test(tool)) {
      requestedTools[tool] = async () =>
        createMCPTool({
          req: options.req,
--- a/api/cache/cacheConfig.js
+++ b/api/cache/cacheConfig.js
@@ -0,0 +1,33 @@
+const fs = require('fs');
+const { math, isEnabled } = require('@librechat/api');
+
+// To ensure that different deployments do not interfere with each other's cache, we use a prefix for the Redis keys.
+// This prefix is usually the deployment ID, which is often passed to the container or pod as an env var.
+// Set REDIS_KEY_PREFIX_VAR to the env var that contains the deployment ID.
+const REDIS_KEY_PREFIX_VAR = process.env.REDIS_KEY_PREFIX_VAR;
+const REDIS_KEY_PREFIX = process.env.REDIS_KEY_PREFIX;
+if (REDIS_KEY_PREFIX_VAR && REDIS_KEY_PREFIX) {
+  throw new Error('Only either REDIS_KEY_PREFIX_VAR or REDIS_KEY_PREFIX can be set.');
+}
+
+const USE_REDIS = isEnabled(process.env.USE_REDIS);
+if (USE_REDIS && !process.env.REDIS_URI) {
+  throw new Error('USE_REDIS is enabled but REDIS_URI is not set.');
+}
+
+const cacheConfig = {
+  USE_REDIS,
+  REDIS_URI: process.env.REDIS_URI,
+  REDIS_USERNAME: process.env.REDIS_USERNAME,
+  REDIS_PASSWORD: process.env.REDIS_PASSWORD,
+  REDIS_CA: process.env.REDIS_CA ? fs.readFileSync(process.env.REDIS_CA, 'utf8') : null,
+  REDIS_KEY_PREFIX: process.env[REDIS_KEY_PREFIX_VAR] || REDIS_KEY_PREFIX || '',
+  REDIS_MAX_LISTENERS: math(process.env.REDIS_MAX_LISTENERS, 40),
+
+  CI: isEnabled(process.env.CI),
+  DEBUG_MEMORY_CACHE: isEnabled(process.env.DEBUG_MEMORY_CACHE),
+
+  BAN_DURATION: math(process.env.BAN_DURATION, 7200000), // 2 hours
+};
+
+module.exports = { cacheConfig };
--- a/api/cache/cacheConfig.spec.js
+++ b/api/cache/cacheConfig.spec.js
@@ -0,0 +1,108 @@
+const fs = require('fs');
+
+describe('cacheConfig', () => {
+  let originalEnv;
+  let originalReadFileSync;
+
+  beforeEach(() => {
+    originalEnv = { ...process.env };
+    originalReadFileSync = fs.readFileSync;
+
+    // Clear all related env vars first
+    delete process.env.REDIS_URI;
+    delete process.env.REDIS_CA;
+    delete process.env.REDIS_KEY_PREFIX_VAR;
+    delete process.env.REDIS_KEY_PREFIX;
+    delete process.env.USE_REDIS;
+
+    // Clear require cache
+    jest.resetModules();
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+    fs.readFileSync = originalReadFileSync;
+    jest.resetModules();
+  });
+
+  describe('REDIS_KEY_PREFIX validation and resolution', () => {
+    test('should throw error when both REDIS_KEY_PREFIX_VAR and REDIS_KEY_PREFIX are set', () => {
+      process.env.REDIS_KEY_PREFIX_VAR = 'DEPLOYMENT_ID';
+      process.env.REDIS_KEY_PREFIX = 'manual-prefix';
+
+      expect(() => {
+        require('./cacheConfig');
+      }).toThrow('Only either REDIS_KEY_PREFIX_VAR or REDIS_KEY_PREFIX can be set.');
+    });
+
+    test('should resolve REDIS_KEY_PREFIX from variable reference', () => {
+      process.env.REDIS_KEY_PREFIX_VAR = 'DEPLOYMENT_ID';
+      process.env.DEPLOYMENT_ID = 'test-deployment-123';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('test-deployment-123');
+    });
+
+    test('should use direct REDIS_KEY_PREFIX value', () => {
+      process.env.REDIS_KEY_PREFIX = 'direct-prefix';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('direct-prefix');
+    });
+
+    test('should default to empty string when no prefix is configured', () => {
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('');
+    });
+
+    test('should handle empty variable reference', () => {
+      process.env.REDIS_KEY_PREFIX_VAR = 'EMPTY_VAR';
+      process.env.EMPTY_VAR = '';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('');
+    });
+
+    test('should handle undefined variable reference', () => {
+      process.env.REDIS_KEY_PREFIX_VAR = 'UNDEFINED_VAR';
+
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_KEY_PREFIX).toBe('');
+    });
+  });
+
+  describe('USE_REDIS and REDIS_URI validation', () => {
+    test('should throw error when USE_REDIS is enabled but REDIS_URI is not set', () => {
+      process.env.USE_REDIS = 'true';
+
+      expect(() => {
+        require('./cacheConfig');
+      }).toThrow('USE_REDIS is enabled but REDIS_URI is not set.');
+    });
+
+    test('should not throw error when USE_REDIS is enabled and REDIS_URI is set', () => {
+      process.env.USE_REDIS = 'true';
+      process.env.REDIS_URI = 'redis://localhost:6379';
+
+      expect(() => {
+        require('./cacheConfig');
+      }).not.toThrow();
+    });
+
+    test('should handle empty REDIS_URI when USE_REDIS is enabled', () => {
+      process.env.USE_REDIS = 'true';
+      process.env.REDIS_URI = '';
+
+      expect(() => {
+        require('./cacheConfig');
+      }).toThrow('USE_REDIS is enabled but REDIS_URI is not set.');
+    });
+  });
+
+  describe('REDIS_CA file reading', () => {
+    test('should be null when REDIS_CA is not set', () => {
+      const { cacheConfig } = require('./cacheConfig');
+      expect(cacheConfig.REDIS_CA).toBeNull();
+    });
+  });
+});
--- a/api/cache/cacheFactory.js
+++ b/api/cache/cacheFactory.js
@@ -0,0 +1,66 @@
+const KeyvRedis = require('@keyv/redis').default;
+const { Keyv } = require('keyv');
+const { cacheConfig } = require('./cacheConfig');
+const { keyvRedisClient, ioredisClient, GLOBAL_PREFIX_SEPARATOR } = require('./redisClients');
+const { Time } = require('librechat-data-provider');
+const { RedisStore: ConnectRedis } = require('connect-redis');
+const MemoryStore = require('memorystore')(require('express-session'));
+const { violationFile } = require('./keyvFiles');
+const { RedisStore } = require('rate-limit-redis');
+
+/**
+ * Creates a cache instance using Redis or a fallback store. Suitable for general caching needs.
+ * @param {string} namespace - The cache namespace.
+ * @param {number} [ttl] - Time to live for cache entries.
+ * @param {object} [fallbackStore] - Optional fallback store if Redis is not used.
+ * @returns {Keyv} Cache instance.
+ */
+const standardCache = (namespace, ttl = undefined, fallbackStore = undefined) => {
+  if (cacheConfig.USE_REDIS) {
+    const keyvRedis = new KeyvRedis(keyvRedisClient);
+    const cache = new Keyv(keyvRedis, { namespace, ttl });
+    keyvRedis.namespace = cacheConfig.REDIS_KEY_PREFIX;
+    keyvRedis.keyPrefixSeparator = GLOBAL_PREFIX_SEPARATOR;
+    return cache;
+  }
+  if (fallbackStore) return new Keyv({ store: fallbackStore, namespace, ttl });
+  return new Keyv({ namespace, ttl });
+};
+
+/**
+ * Creates a cache instance for storing violation data.
+ * Uses a file-based fallback store if Redis is not enabled.
+ * @param {string} namespace - The cache namespace for violations.
+ * @param {number} [ttl] - Time to live for cache entries.
+ * @returns {Keyv} Cache instance for violations.
+ */
+const violationCache = (namespace, ttl = undefined) => {
+  return standardCache(`violations:${namespace}`, ttl, violationFile);
+};
+
+/**
+ * Creates a session cache instance using Redis or in-memory store.
+ * @param {string} namespace - The session namespace.
+ * @param {number} [ttl] - Time to live for session entries.
+ * @returns {MemoryStore | ConnectRedis} Session store instance.
+ */
+const sessionCache = (namespace, ttl = undefined) => {
+  namespace = namespace.endsWith(':') ? namespace : `${namespace}:`;
+  if (!cacheConfig.USE_REDIS) return new MemoryStore({ ttl, checkPeriod: Time.ONE_DAY });
+  return new ConnectRedis({ client: ioredisClient, ttl, prefix: namespace });
+};
+
+/**
+ * Creates a rate limiter cache using Redis.
+ * @param {string} prefix - The key prefix for rate limiting.
+ * @returns {RedisStore|undefined} RedisStore instance or undefined if Redis is not used.
+ */
+const limiterCache = (prefix) => {
+  if (!prefix) throw new Error('prefix is required');
+  if (!cacheConfig.USE_REDIS) return undefined;
+  prefix = prefix.endsWith(':') ? prefix : `${prefix}:`;
+  return new RedisStore({ sendCommand, prefix });
+};
+const sendCommand = (...args) => ioredisClient?.call(...args);
+
+module.exports = { standardCache, sessionCache, violationCache, limiterCache };
--- a/api/cache/cacheFactory.spec.js
+++ b/api/cache/cacheFactory.spec.js
@@ -0,0 +1,270 @@
+const { Time } = require('librechat-data-provider');
+
+// Mock dependencies first
+const mockKeyvRedis = {
+  namespace: '',
+  keyPrefixSeparator: '',
+};
+
+const mockKeyv = jest.fn().mockReturnValue({ mock: 'keyv' });
+const mockConnectRedis = jest.fn().mockReturnValue({ mock: 'connectRedis' });
+const mockMemoryStore = jest.fn().mockReturnValue({ mock: 'memoryStore' });
+const mockRedisStore = jest.fn().mockReturnValue({ mock: 'redisStore' });
+
+const mockIoredisClient = {
+  call: jest.fn(),
+};
+
+const mockKeyvRedisClient = {};
+const mockViolationFile = {};
+
+// Mock modules before requiring the main module
+jest.mock('@keyv/redis', () => ({
+  default: jest.fn().mockImplementation(() => mockKeyvRedis),
+}));
+
+jest.mock('keyv', () => ({
+  Keyv: mockKeyv,
+}));
+
+jest.mock('./cacheConfig', () => ({
+  cacheConfig: {
+    USE_REDIS: false,
+    REDIS_KEY_PREFIX: 'test',
+  },
+}));
+
+jest.mock('./redisClients', () => ({
+  keyvRedisClient: mockKeyvRedisClient,
+  ioredisClient: mockIoredisClient,
+  GLOBAL_PREFIX_SEPARATOR: '::',
+}));
+
+jest.mock('./keyvFiles', () => ({
+  violationFile: mockViolationFile,
+}));
+
+jest.mock('connect-redis', () => ({ RedisStore: mockConnectRedis }));
+
+jest.mock('memorystore', () => jest.fn(() => mockMemoryStore));
+
+jest.mock('rate-limit-redis', () => ({
+  RedisStore: mockRedisStore,
+}));
+
+// Import after mocking
+const { standardCache, sessionCache, violationCache, limiterCache } = require('./cacheFactory');
+const { cacheConfig } = require('./cacheConfig');
+
+describe('cacheFactory', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+
+    // Reset cache config mock
+    cacheConfig.USE_REDIS = false;
+    cacheConfig.REDIS_KEY_PREFIX = 'test';
+  });
+
+  describe('redisCache', () => {
+    it('should create Redis cache when USE_REDIS is true', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'test-namespace';
+      const ttl = 3600;
+
+      standardCache(namespace, ttl);
+
+      expect(require('@keyv/redis').default).toHaveBeenCalledWith(mockKeyvRedisClient);
+      expect(mockKeyv).toHaveBeenCalledWith(mockKeyvRedis, { namespace, ttl });
+      expect(mockKeyvRedis.namespace).toBe(cacheConfig.REDIS_KEY_PREFIX);
+      expect(mockKeyvRedis.keyPrefixSeparator).toBe('::');
+    });
+
+    it('should create Redis cache with undefined ttl when not provided', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'test-namespace';
+
+      standardCache(namespace);
+
+      expect(mockKeyv).toHaveBeenCalledWith(mockKeyvRedis, { namespace, ttl: undefined });
+    });
+
+    it('should use fallback store when USE_REDIS is false and fallbackStore is provided', () => {
+      cacheConfig.USE_REDIS = false;
+      const namespace = 'test-namespace';
+      const ttl = 3600;
+      const fallbackStore = { some: 'store' };
+
+      standardCache(namespace, ttl, fallbackStore);
+
+      expect(mockKeyv).toHaveBeenCalledWith({ store: fallbackStore, namespace, ttl });
+    });
+
+    it('should create default Keyv instance when USE_REDIS is false and no fallbackStore', () => {
+      cacheConfig.USE_REDIS = false;
+      const namespace = 'test-namespace';
+      const ttl = 3600;
+
+      standardCache(namespace, ttl);
+
+      expect(mockKeyv).toHaveBeenCalledWith({ namespace, ttl });
+    });
+
+    it('should handle namespace and ttl as undefined', () => {
+      cacheConfig.USE_REDIS = false;
+
+      standardCache();
+
+      expect(mockKeyv).toHaveBeenCalledWith({ namespace: undefined, ttl: undefined });
+    });
+  });
+
+  describe('violationCache', () => {
+    it('should create violation cache with prefixed namespace', () => {
+      const namespace = 'test-violations';
+      const ttl = 7200;
+
+      // We can't easily mock the internal redisCache call since it's in the same module
+      // But we can test that the function executes without throwing
+      expect(() => violationCache(namespace, ttl)).not.toThrow();
+    });
+
+    it('should create violation cache with undefined ttl', () => {
+      const namespace = 'test-violations';
+
+      violationCache(namespace);
+
+      // The function should call redisCache with violations: prefixed namespace
+      // Since we can't easily mock the internal redisCache call, we test the behavior
+      expect(() => violationCache(namespace)).not.toThrow();
+    });
+
+    it('should handle undefined namespace', () => {
+      expect(() => violationCache(undefined)).not.toThrow();
+    });
+  });
+
+  describe('sessionCache', () => {
+    it('should return MemoryStore when USE_REDIS is false', () => {
+      cacheConfig.USE_REDIS = false;
+      const namespace = 'sessions';
+      const ttl = 86400;
+
+      const result = sessionCache(namespace, ttl);
+
+      expect(mockMemoryStore).toHaveBeenCalledWith({ ttl, checkPeriod: Time.ONE_DAY });
+      expect(result).toBe(mockMemoryStore());
+    });
+
+    it('should return ConnectRedis when USE_REDIS is true', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'sessions';
+      const ttl = 86400;
+
+      const result = sessionCache(namespace, ttl);
+
+      expect(mockConnectRedis).toHaveBeenCalledWith({
+        client: mockIoredisClient,
+        ttl,
+        prefix: `${namespace}:`,
+      });
+      expect(result).toBe(mockConnectRedis());
+    });
+
+    it('should add colon to namespace if not present', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'sessions';
+
+      sessionCache(namespace);
+
+      expect(mockConnectRedis).toHaveBeenCalledWith({
+        client: mockIoredisClient,
+        ttl: undefined,
+        prefix: 'sessions:',
+      });
+    });
+
+    it('should not add colon to namespace if already present', () => {
+      cacheConfig.USE_REDIS = true;
+      const namespace = 'sessions:';
+
+      sessionCache(namespace);
+
+      expect(mockConnectRedis).toHaveBeenCalledWith({
+        client: mockIoredisClient,
+        ttl: undefined,
+        prefix: 'sessions:',
+      });
+    });
+
+    it('should handle undefined ttl', () => {
+      cacheConfig.USE_REDIS = false;
+      const namespace = 'sessions';
+
+      sessionCache(namespace);
+
+      expect(mockMemoryStore).toHaveBeenCalledWith({
+        ttl: undefined,
+        checkPeriod: Time.ONE_DAY,
+      });
+    });
+  });
+
+  describe('limiterCache', () => {
+    it('should return undefined when USE_REDIS is false', () => {
+      cacheConfig.USE_REDIS = false;
+      const result = limiterCache('prefix');
+
+      expect(result).toBeUndefined();
+    });
+
+    it('should return RedisStore when USE_REDIS is true', () => {
+      cacheConfig.USE_REDIS = true;
+      const result = limiterCache('rate-limit');
+
+      expect(mockRedisStore).toHaveBeenCalledWith({
+        sendCommand: expect.any(Function),
+        prefix: `rate-limit:`,
+      });
+      expect(result).toBe(mockRedisStore());
+    });
+
+    it('should add colon to prefix if not present', () => {
+      cacheConfig.USE_REDIS = true;
+      limiterCache('rate-limit');
+
+      expect(mockRedisStore).toHaveBeenCalledWith({
+        sendCommand: expect.any(Function),
+        prefix: 'rate-limit:',
+      });
+    });
+
+    it('should not add colon to prefix if already present', () => {
+      cacheConfig.USE_REDIS = true;
+      limiterCache('rate-limit:');
+
+      expect(mockRedisStore).toHaveBeenCalledWith({
+        sendCommand: expect.any(Function),
+        prefix: 'rate-limit:',
+      });
+    });
+
+    it('should pass sendCommand function that calls ioredisClient.call', () => {
+      cacheConfig.USE_REDIS = true;
+      limiterCache('rate-limit');
+
+      const sendCommandCall = mockRedisStore.mock.calls[0][0];
+      const sendCommand = sendCommandCall.sendCommand;
+
+      // Test that sendCommand properly delegates to ioredisClient.call
+      const args = ['GET', 'test-key'];
+      sendCommand(...args);
+
+      expect(mockIoredisClient.call).toHaveBeenCalledWith(...args);
+    });
+
+    it('should handle undefined prefix', () => {
+      cacheConfig.USE_REDIS = true;
+      expect(() => limiterCache()).toThrow('prefix is required');
+    });
+  });
+});
--- a/api/cache/getLogStores.js
+++ b/api/cache/getLogStores.js
@@ -1,113 +1,52 @@
+const { cacheConfig } = require('./cacheConfig');
 const { Keyv } = require('keyv');
-const { isEnabled, math } = require('@librechat/api');
 const { CacheKeys, ViolationTypes, Time } = require('librechat-data-provider');
-const { logFile, violationFile } = require('./keyvFiles');
-const keyvRedis = require('./keyvRedis');
+const { logFile } = require('./keyvFiles');
 const keyvMongo = require('./keyvMongo');
-
-const { BAN_DURATION, USE_REDIS, DEBUG_MEMORY_CACHE, CI } = process.env ?? {};
-
-const duration = math(BAN_DURATION, 7200000);
-const isRedisEnabled = isEnabled(USE_REDIS);
-const debugMemoryCache = isEnabled(DEBUG_MEMORY_CACHE);
-
-const createViolationInstance = (namespace) => {
-  const config = isRedisEnabled ? { store: keyvRedis } : { store: violationFile, namespace };
-  return new Keyv(config);
-};
-
-// Serve cache from memory so no need to clear it on startup/exit
-const pending_req = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.PENDING_REQ });
-
-const config = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.CONFIG_STORE });
-
-const roles = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.ROLES });
-
-const mcpTools = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.MCP_TOOLS });
-
-const audioRuns = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.TEN_MINUTES })
-  : new Keyv({ namespace: CacheKeys.AUDIO_RUNS, ttl: Time.TEN_MINUTES });
-
-const messages = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.ONE_MINUTE })
-  : new Keyv({ namespace: CacheKeys.MESSAGES, ttl: Time.ONE_MINUTE });
-
-const flows = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.TWO_MINUTES })
-  : new Keyv({ namespace: CacheKeys.FLOWS, ttl: Time.ONE_MINUTE * 3 });
-
-const tokenConfig = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.THIRTY_MINUTES })
-  : new Keyv({ namespace: CacheKeys.TOKEN_CONFIG, ttl: Time.THIRTY_MINUTES });
-
-const genTitle = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.TWO_MINUTES })
-  : new Keyv({ namespace: CacheKeys.GEN_TITLE, ttl: Time.TWO_MINUTES });
-
-const s3ExpiryInterval = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.THIRTY_MINUTES })
-  : new Keyv({ namespace: CacheKeys.S3_EXPIRY_INTERVAL, ttl: Time.THIRTY_MINUTES });
-
-const modelQueries = isEnabled(process.env.USE_REDIS)
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.MODEL_QUERIES });
-
-const abortKeys = isRedisEnabled
-  ? new Keyv({ store: keyvRedis })
-  : new Keyv({ namespace: CacheKeys.ABORT_KEYS, ttl: Time.TEN_MINUTES });
-
-const openIdExchangedTokensCache = isRedisEnabled
-  ? new Keyv({ store: keyvRedis, ttl: Time.TEN_MINUTES })
-  : new Keyv({ namespace: CacheKeys.OPENID_EXCHANGED_TOKENS, ttl: Time.TEN_MINUTES });
+const { standardCache, sessionCache, violationCache } = require('./cacheFactory');

 const namespaces = {
-  [CacheKeys.ROLES]: roles,
-  [CacheKeys.MCP_TOOLS]: mcpTools,
-  [CacheKeys.CONFIG_STORE]: config,
-  [CacheKeys.PENDING_REQ]: pending_req,
-  [ViolationTypes.BAN]: new Keyv({ store: keyvMongo, namespace: CacheKeys.BANS, ttl: duration }),
-  [CacheKeys.ENCODED_DOMAINS]: new Keyv({
+  [ViolationTypes.GENERAL]: new Keyv({ store: logFile, namespace: 'violations' }),
+  [ViolationTypes.LOGINS]: violationCache(ViolationTypes.LOGINS),
+  [ViolationTypes.CONCURRENT]: violationCache(ViolationTypes.CONCURRENT),
+  [ViolationTypes.NON_BROWSER]: violationCache(ViolationTypes.NON_BROWSER),
+  [ViolationTypes.MESSAGE_LIMIT]: violationCache(ViolationTypes.MESSAGE_LIMIT),
+  [ViolationTypes.REGISTRATIONS]: violationCache(ViolationTypes.REGISTRATIONS),
+  [ViolationTypes.TOKEN_BALANCE]: violationCache(ViolationTypes.TOKEN_BALANCE),
+  [ViolationTypes.TTS_LIMIT]: violationCache(ViolationTypes.TTS_LIMIT),
+  [ViolationTypes.STT_LIMIT]: violationCache(ViolationTypes.STT_LIMIT),
+  [ViolationTypes.CONVO_ACCESS]: violationCache(ViolationTypes.CONVO_ACCESS),
+  [ViolationTypes.TOOL_CALL_LIMIT]: violationCache(ViolationTypes.TOOL_CALL_LIMIT),
+  [ViolationTypes.FILE_UPLOAD_LIMIT]: violationCache(ViolationTypes.FILE_UPLOAD_LIMIT),
+  [ViolationTypes.VERIFY_EMAIL_LIMIT]: violationCache(ViolationTypes.VERIFY_EMAIL_LIMIT),
+  [ViolationTypes.RESET_PASSWORD_LIMIT]: violationCache(ViolationTypes.RESET_PASSWORD_LIMIT),
+  [ViolationTypes.ILLEGAL_MODEL_REQUEST]: violationCache(ViolationTypes.ILLEGAL_MODEL_REQUEST),
+  [ViolationTypes.BAN]: new Keyv({
    store: keyvMongo,
-    namespace: CacheKeys.ENCODED_DOMAINS,
-    ttl: 0,
+    namespace: CacheKeys.BANS,
+    ttl: cacheConfig.BAN_DURATION,
  }),
-  general: new Keyv({ store: logFile, namespace: 'violations' }),
-  concurrent: createViolationInstance('concurrent'),
-  non_browser: createViolationInstance('non_browser'),
-  message_limit: createViolationInstance('message_limit'),
-  token_balance: createViolationInstance(ViolationTypes.TOKEN_BALANCE),
-  registrations: createViolationInstance('registrations'),
-  [ViolationTypes.TTS_LIMIT]: createViolationInstance(ViolationTypes.TTS_LIMIT),
-  [ViolationTypes.STT_LIMIT]: createViolationInstance(ViolationTypes.STT_LIMIT),
-  [ViolationTypes.CONVO_ACCESS]: createViolationInstance(ViolationTypes.CONVO_ACCESS),
-  [ViolationTypes.TOOL_CALL_LIMIT]: createViolationInstance(ViolationTypes.TOOL_CALL_LIMIT),
-  [ViolationTypes.FILE_UPLOAD_LIMIT]: createViolationInstance(ViolationTypes.FILE_UPLOAD_LIMIT),
-  [ViolationTypes.VERIFY_EMAIL_LIMIT]: createViolationInstance(ViolationTypes.VERIFY_EMAIL_LIMIT),
-  [ViolationTypes.RESET_PASSWORD_LIMIT]: createViolationInstance(
-    ViolationTypes.RESET_PASSWORD_LIMIT,
+
+  [CacheKeys.OPENID_SESSION]: sessionCache(CacheKeys.OPENID_SESSION),
+  [CacheKeys.SAML_SESSION]: sessionCache(CacheKeys.SAML_SESSION),
+
+  [CacheKeys.ROLES]: standardCache(CacheKeys.ROLES),
+  [CacheKeys.MCP_TOOLS]: standardCache(CacheKeys.MCP_TOOLS),
+  [CacheKeys.CONFIG_STORE]: standardCache(CacheKeys.CONFIG_STORE),
+  [CacheKeys.PENDING_REQ]: standardCache(CacheKeys.PENDING_REQ),
+  [CacheKeys.ENCODED_DOMAINS]: new Keyv({ store: keyvMongo, namespace: CacheKeys.ENCODED_DOMAINS }),
+  [CacheKeys.ABORT_KEYS]: standardCache(CacheKeys.ABORT_KEYS, Time.TEN_MINUTES),
+  [CacheKeys.TOKEN_CONFIG]: standardCache(CacheKeys.TOKEN_CONFIG, Time.THIRTY_MINUTES),
+  [CacheKeys.GEN_TITLE]: standardCache(CacheKeys.GEN_TITLE, Time.TWO_MINUTES),
+  [CacheKeys.S3_EXPIRY_INTERVAL]: standardCache(CacheKeys.S3_EXPIRY_INTERVAL, Time.THIRTY_MINUTES),
+  [CacheKeys.MODEL_QUERIES]: standardCache(CacheKeys.MODEL_QUERIES),
+  [CacheKeys.AUDIO_RUNS]: standardCache(CacheKeys.AUDIO_RUNS, Time.TEN_MINUTES),
+  [CacheKeys.MESSAGES]: standardCache(CacheKeys.MESSAGES, Time.ONE_MINUTE),
+  [CacheKeys.FLOWS]: standardCache(CacheKeys.FLOWS, Time.ONE_MINUTE * 3),
+  [CacheKeys.OPENID_EXCHANGED_TOKENS]: standardCache(
+    CacheKeys.OPENID_EXCHANGED_TOKENS,
+    Time.TEN_MINUTES,
  ),
-  [ViolationTypes.ILLEGAL_MODEL_REQUEST]: createViolationInstance(
-    ViolationTypes.ILLEGAL_MODEL_REQUEST,
-  ),
-  logins: createViolationInstance('logins'),
-  [CacheKeys.ABORT_KEYS]: abortKeys,
-  [CacheKeys.TOKEN_CONFIG]: tokenConfig,
-  [CacheKeys.GEN_TITLE]: genTitle,
-  [CacheKeys.S3_EXPIRY_INTERVAL]: s3ExpiryInterval,
-  [CacheKeys.MODEL_QUERIES]: modelQueries,
-  [CacheKeys.AUDIO_RUNS]: audioRuns,
-  [CacheKeys.MESSAGES]: messages,
-  [CacheKeys.FLOWS]: flows,
-  [CacheKeys.OPENID_EXCHANGED_TOKENS]: openIdExchangedTokensCache,
 };

 /**
@@ -116,7 +55,10 @@ const namespaces = {
 */
 function getTTLStores() {
  return Object.values(namespaces).filter(
-    (store) => store instanceof Keyv && typeof store.opts?.ttl === 'number' && store.opts.ttl > 0,
+    (store) =>
+      store instanceof Keyv &&
+      parseInt(store.opts?.ttl ?? '0') > 0 &&
+      !store.opts?.store?.constructor?.name?.includes('Redis'), // Only include non-Redis stores
  );
 }

@@ -152,18 +94,18 @@ async function clearExpiredFromCache(cache) {
      if (data?.expires && data.expires <= expiryTime) {
        const deleted = await cache.opts.store.delete(key);
        if (!deleted) {
-          debugMemoryCache &&
+          cacheConfig.DEBUG_MEMORY_CACHE &&
            console.warn(`[Cache] Error deleting entry: ${key} from ${cache.opts.namespace}`);
          continue;
        }
        cleared++;
      }
    } catch (error) {
-      debugMemoryCache &&
+      cacheConfig.DEBUG_MEMORY_CACHE &&
        console.log(`[Cache] Error processing entry from ${cache.opts.namespace}:`, error);
      const deleted = await cache.opts.store.delete(key);
      if (!deleted) {
-        debugMemoryCache &&
+        cacheConfig.DEBUG_MEMORY_CACHE &&
          console.warn(`[Cache] Error deleting entry: ${key} from ${cache.opts.namespace}`);
        continue;
      }
@@ -172,7 +114,7 @@ async function clearExpiredFromCache(cache) {
  }

  if (cleared > 0) {
-    debugMemoryCache &&
+    cacheConfig.DEBUG_MEMORY_CACHE &&
      console.log(
        `[Cache] Cleared ${cleared} entries older than ${ttl}ms from ${cache.opts.namespace}`,
      );
@@ -213,7 +155,7 @@ async function clearAllExpiredFromCache() {
  }
 }

-if (!isRedisEnabled && !isEnabled(CI)) {
+if (!cacheConfig.USE_REDIS && !cacheConfig.CI) {
  /** @type {Set<NodeJS.Timeout>} */
  const cleanupIntervals = new Set();

@@ -224,7 +166,7 @@ if (!isRedisEnabled && !isEnabled(CI)) {

  cleanupIntervals.add(cleanup);

-  if (debugMemoryCache) {
+  if (cacheConfig.DEBUG_MEMORY_CACHE) {
    const monitor = setInterval(() => {
      const ttlStores = getTTLStores();
      const memory = process.memoryUsage();
@@ -245,13 +187,13 @@ if (!isRedisEnabled && !isEnabled(CI)) {
  }

  const dispose = () => {
-    debugMemoryCache && console.log('[Cache] Cleaning up and shutting down...');
+    cacheConfig.DEBUG_MEMORY_CACHE && console.log('[Cache] Cleaning up and shutting down...');
    cleanupIntervals.forEach((interval) => clearInterval(interval));
    cleanupIntervals.clear();

    // One final cleanup before exit
    clearAllExpiredFromCache().then(() => {
-      debugMemoryCache && console.log('[Cache] Final cleanup completed');
+      cacheConfig.DEBUG_MEMORY_CACHE && console.log('[Cache] Final cleanup completed');
      process.exit(0);
    });
  };
--- a/api/cache/ioredisClient.js
+++ b/api/cache/ioredisClient.js
@@ -1,92 +0,0 @@
-const fs = require('fs');
-const Redis = require('ioredis');
-const { isEnabled } = require('~/server/utils');
-const logger = require('~/config/winston');
-
-const { REDIS_URI, USE_REDIS, USE_REDIS_CLUSTER, REDIS_CA, REDIS_MAX_LISTENERS } = process.env;
-
-/** @type {import('ioredis').Redis | import('ioredis').Cluster} */
-let ioredisClient;
-const redis_max_listeners = Number(REDIS_MAX_LISTENERS) || 40;
-
-function mapURI(uri) {
-  const regex =
-    /^(?:(?<scheme>\w+):\/\/)?(?:(?<user>[^:@]+)(?::(?<password>[^@]+))?@)?(?<host>[\w.-]+)(?::(?<port>\d{1,5}))?$/;
-  const match = uri.match(regex);
-
-  if (match) {
-    const { scheme, user, password, host, port } = match.groups;
-
-    return {
-      scheme: scheme || 'none',
-      user: user || null,
-      password: password || null,
-      host: host || null,
-      port: port || null,
-    };
-  } else {
-    const parts = uri.split(':');
-    if (parts.length === 2) {
-      return {
-        scheme: 'none',
-        user: null,
-        password: null,
-        host: parts[0],
-        port: parts[1],
-      };
-    }
-
-    return {
-      scheme: 'none',
-      user: null,
-      password: null,
-      host: uri,
-      port: null,
-    };
-  }
-}
-
-if (REDIS_URI && isEnabled(USE_REDIS)) {
-  let redisOptions = null;
-
-  if (REDIS_CA) {
-    const ca = fs.readFileSync(REDIS_CA);
-    redisOptions = { tls: { ca } };
-  }
-
-  if (isEnabled(USE_REDIS_CLUSTER)) {
-    const hosts = REDIS_URI.split(',').map((item) => {
-      var value = mapURI(item);
-
-      return {
-        host: value.host,
-        port: value.port,
-      };
-    });
-    ioredisClient = new Redis.Cluster(hosts, { redisOptions });
-  } else {
-    ioredisClient = new Redis(REDIS_URI, redisOptions);
-  }
-
-  ioredisClient.on('ready', () => {
-    logger.info('IoRedis connection ready');
-  });
-  ioredisClient.on('reconnecting', () => {
-    logger.info('IoRedis connection reconnecting');
-  });
-  ioredisClient.on('end', () => {
-    logger.info('IoRedis connection ended');
-  });
-  ioredisClient.on('close', () => {
-    logger.info('IoRedis connection closed');
-  });
-  ioredisClient.on('error', (err) => logger.error('IoRedis connection error:', err));
-  ioredisClient.setMaxListeners(redis_max_listeners);
-  logger.info(
-    '[Optional] IoRedis initialized for rate limiters. If you have issues, disable Redis or restart the server.',
-  );
-} else {
-  logger.info('[Optional] IoRedis not initialized for rate limiters.');
-}
-
-module.exports = ioredisClient;
--- a/api/cache/keyvRedis.js
+++ b/api/cache/keyvRedis.js
@@ -1,109 +0,0 @@
-const fs = require('fs');
-const ioredis = require('ioredis');
-const KeyvRedis = require('@keyv/redis').default;
-const { isEnabled } = require('~/server/utils');
-const logger = require('~/config/winston');
-
-const { REDIS_URI, USE_REDIS, USE_REDIS_CLUSTER, REDIS_CA, REDIS_KEY_PREFIX, REDIS_MAX_LISTENERS } =
-  process.env;
-
-let keyvRedis;
-const redis_prefix = REDIS_KEY_PREFIX || '';
-const redis_max_listeners = Number(REDIS_MAX_LISTENERS) || 40;
-
-function mapURI(uri) {
-  const regex =
-    /^(?:(?<scheme>\w+):\/\/)?(?:(?<user>[^:@]+)(?::(?<password>[^@]+))?@)?(?<host>[\w.-]+)(?::(?<port>\d{1,5}))?$/;
-  const match = uri.match(regex);
-
-  if (match) {
-    const { scheme, user, password, host, port } = match.groups;
-
-    return {
-      scheme: scheme || 'none',
-      user: user || null,
-      password: password || null,
-      host: host || null,
-      port: port || null,
-    };
-  } else {
-    const parts = uri.split(':');
-    if (parts.length === 2) {
-      return {
-        scheme: 'none',
-        user: null,
-        password: null,
-        host: parts[0],
-        port: parts[1],
-      };
-    }
-
-    return {
-      scheme: 'none',
-      user: null,
-      password: null,
-      host: uri,
-      port: null,
-    };
-  }
-}
-
-if (REDIS_URI && isEnabled(USE_REDIS)) {
-  let redisOptions = null;
-  /** @type {import('@keyv/redis').KeyvRedisOptions} */
-  let keyvOpts = {
-    useRedisSets: false,
-    keyPrefix: redis_prefix,
-  };
-
-  if (REDIS_CA) {
-    const ca = fs.readFileSync(REDIS_CA);
-    redisOptions = { tls: { ca } };
-  }
-
-  if (isEnabled(USE_REDIS_CLUSTER)) {
-    const hosts = REDIS_URI.split(',').map((item) => {
-      var value = mapURI(item);
-
-      return {
-        host: value.host,
-        port: value.port,
-      };
-    });
-    const cluster = new ioredis.Cluster(hosts, { redisOptions });
-    keyvRedis = new KeyvRedis(cluster, keyvOpts);
-  } else {
-    keyvRedis = new KeyvRedis(REDIS_URI, keyvOpts);
-  }
-
-  const pingInterval = setInterval(
-    () => {
-      logger.debug('KeyvRedis ping');
-      keyvRedis.client.ping().catch((err) => logger.error('Redis keep-alive ping failed:', err));
-    },
-    5 * 60 * 1000,
-  );
-
-  keyvRedis.on('ready', () => {
-    logger.info('KeyvRedis connection ready');
-  });
-  keyvRedis.on('reconnecting', () => {
-    logger.info('KeyvRedis connection reconnecting');
-  });
-  keyvRedis.on('end', () => {
-    logger.info('KeyvRedis connection ended');
-  });
-  keyvRedis.on('close', () => {
-    clearInterval(pingInterval);
-    logger.info('KeyvRedis connection closed');
-  });
-  keyvRedis.on('error', (err) => logger.error('KeyvRedis connection error:', err));
-  keyvRedis.setMaxListeners(redis_max_listeners);
-  logger.info(
-    '[Optional] Redis initialized. If you have issues, or seeing older values, disable it or flush cache to refresh values.',
-  );
-} else {
-  logger.info('[Optional] Redis not initialized.');
-}
-
-module.exports = keyvRedis;
--- a/api/cache/logViolation.js
+++ b/api/cache/logViolation.js
@@ -1,4 +1,5 @@
 const { isEnabled } = require('~/server/utils');
+const { ViolationTypes } = require('librechat-data-provider');
 const getLogStores = require('./getLogStores');
 const banViolation = require('./banViolation');

@@ -9,14 +10,14 @@ const banViolation = require('./banViolation');
 * @param {Object} res - Express response object.
 * @param {string} type - The type of violation.
 * @param {Object} errorMessage - The error message to log.
- * @param {number} [score=1] - The severity of the violation. Defaults to 1
+ * @param {number | string} [score=1] - The severity of the violation. Defaults to 1
 */
 const logViolation = async (req, res, type, errorMessage, score = 1) => {
  const userId = req.user?.id ?? req.user?._id;
  if (!userId) {
    return;
  }
-  const logs = getLogStores('general');
+  const logs = getLogStores(ViolationTypes.GENERAL);
  const violationLogs = getLogStores(type);
  const key = isEnabled(process.env.USE_REDIS) ? `${type}:${userId}` : userId;

--- a/api/cache/redisClients.js
+++ b/api/cache/redisClients.js
@@ -0,0 +1,57 @@
+const IoRedis = require('ioredis');
+const { cacheConfig } = require('./cacheConfig');
+const { createClient, createCluster } = require('@keyv/redis');
+
+const GLOBAL_PREFIX_SEPARATOR = '::';
+
+const urls = cacheConfig.REDIS_URI?.split(',').map((uri) => new URL(uri));
+const username = urls?.[0].username || cacheConfig.REDIS_USERNAME;
+const password = urls?.[0].password || cacheConfig.REDIS_PASSWORD;
+const ca = cacheConfig.REDIS_CA;
+
+/** @type {import('ioredis').Redis | import('ioredis').Cluster | null} */
+let ioredisClient = null;
+if (cacheConfig.USE_REDIS) {
+  const redisOptions = {
+    username: username,
+    password: password,
+    tls: ca ? { ca } : undefined,
+    keyPrefix: `${cacheConfig.REDIS_KEY_PREFIX}${GLOBAL_PREFIX_SEPARATOR}`,
+    maxListeners: cacheConfig.REDIS_MAX_LISTENERS,
+  };
+
+  ioredisClient =
+    urls.length === 1
+      ? new IoRedis(cacheConfig.REDIS_URI, redisOptions)
+      : new IoRedis.Cluster(cacheConfig.REDIS_URI, { redisOptions });
+
+  // Pinging the Redis server every 5 minutes to keep the connection alive
+  const pingInterval = setInterval(() => ioredisClient.ping(), 5 * 60 * 1000);
+  ioredisClient.on('close', () => clearInterval(pingInterval));
+  ioredisClient.on('end', () => clearInterval(pingInterval));
+}
+
+/** @type {import('@keyv/redis').RedisClient | import('@keyv/redis').RedisCluster | null} */
+let keyvRedisClient = null;
+if (cacheConfig.USE_REDIS) {
+  // ** WARNING ** Keyv Redis client does not support Prefix like ioredis above.
+  // The prefix feature will be handled by the Keyv-Redis store in cacheFactory.js
+  const redisOptions = { username, password, socket: { tls: ca != null, ca } };
+
+  keyvRedisClient =
+    urls.length === 1
+      ? createClient({ url: cacheConfig.REDIS_URI, ...redisOptions })
+      : createCluster({
+          rootNodes: cacheConfig.REDIS_URI.split(',').map((url) => ({ url })),
+          defaults: redisOptions,
+        });
+
+  keyvRedisClient.setMaxListeners(cacheConfig.REDIS_MAX_LISTENERS);
+
+  // Pinging the Redis server every 5 minutes to keep the connection alive
+  const keyvPingInterval = setInterval(() => keyvRedisClient.ping(), 5 * 60 * 1000);
+  keyvRedisClient.on('disconnect', () => clearInterval(keyvPingInterval));
+  keyvRedisClient.on('end', () => clearInterval(keyvPingInterval));
+}
+
+module.exports = { ioredisClient, keyvRedisClient, GLOBAL_PREFIX_SEPARATOR };
--- a/api/jest.config.js
+++ b/api/jest.config.js
@@ -3,6 +3,7 @@ module.exports = {
  clearMocks: true,
  roots: ['<rootDir>'],
  coverageDirectory: 'coverage',
+  testTimeout: 30000, // 30 seconds timeout for all tests
  setupFiles: [
    './test/jestSetup.js',
    './test/__mocks__/logger.js',
--- a/api/models/Agent.js
+++ b/api/models/Agent.js
@@ -4,7 +4,7 @@ const { logger } = require('@librechat/data-schemas');
 const { SystemRoles, Tools, actionDelimiter } = require('librechat-data-provider');
 const { GLOBAL_PROJECT_NAME, EPHEMERAL_AGENT_ID, mcp_delimiter } =
  require('librechat-data-provider').Constants;
-const { CONFIG_STORE, STARTUP_CONFIG } = require('librechat-data-provider').CacheKeys;
+// Default category value for new agents
 const {
  getProjectByName,
  addAgentIdsToProject,
@@ -12,7 +12,9 @@ const {
  removeAgentFromAllProjects,
 } = require('./Project');
 const { getCachedTools } = require('~/server/services/Config');
-const getLogStores = require('~/cache/getLogStores');
+
+// Category values are now imported from shared constants
+// Schema fields (category, support_contact, is_promoted) are defined in @librechat/data-schemas
 const { getActions } = require('./Action');
 const { Agent } = require('~/db/models');

@@ -23,7 +25,7 @@ const { Agent } = require('~/db/models');
 * @throws {Error} If the agent creation fails.
 */
 const createAgent = async (agentData) => {
-  const { author, ...versionData } = agentData;
+  const { author: _author, ...versionData } = agentData;
  const timestamp = new Date();
  const initialAgentData = {
    ...agentData,
@@ -34,7 +36,9 @@ const createAgent = async (agentData) => {
        updatedAt: timestamp,
      },
    ],
+    category: agentData.category || 'general',
  };
+
  return (await Agent.create(initialAgentData)).toObject();
 };

@@ -61,7 +65,7 @@ const getAgent = async (searchParameter) => await Agent.findOne(searchParameter)
 const loadEphemeralAgent = async ({ req, agent_id, endpoint, model_parameters: _m }) => {
  const { model, ...model_parameters } = _m;
  /** @type {Record<string, FunctionTool>} */
-  const availableTools = await getCachedTools({ includeGlobal: true });
+  const availableTools = await getCachedTools({ userId: req.user.id, includeGlobal: true });
  /** @type {TEphemeralAgent | null} */
  const ephemeralAgent = req.body.ephemeralAgent;
  const mcpServers = new Set(ephemeralAgent?.mcp);
@@ -90,7 +94,7 @@ const loadEphemeralAgent = async ({ req, agent_id, endpoint, model_parameters: _
  }

  const instructions = req.body.promptPrefix;
-  return {
+  const result = {
    id: agent_id,
    instructions,
    provider: endpoint,
@@ -98,6 +102,11 @@ const loadEphemeralAgent = async ({ req, agent_id, endpoint, model_parameters: _
    model,
    tools,
  };
+
+  if (ephemeralAgent?.artifacts != null && ephemeralAgent.artifacts) {
+    result.artifacts = ephemeralAgent.artifacts;
+  }
+  return result;
 };

 /**
@@ -126,29 +135,7 @@ const loadAgent = async ({ req, agent_id, endpoint, model_parameters }) => {
  }

  agent.version = agent.versions ? agent.versions.length : 0;
-
-  if (agent.author.toString() === req.user.id) {
-    return agent;
-  }
-
-  if (!agent.projectIds) {
-    return null;
-  }
-
-  const cache = getLogStores(CONFIG_STORE);
-  /** @type {TStartupConfig} */
-  const cachedStartupConfig = await cache.get(STARTUP_CONFIG);
-  let { instanceProjectId } = cachedStartupConfig ?? {};
-  if (!instanceProjectId) {
-    instanceProjectId = (await getProjectByName(GLOBAL_PROJECT_NAME, '_id'))._id.toString();
-  }
-
-  for (const projectObjectId of agent.projectIds) {
-    const projectId = projectObjectId.toString();
-    if (projectId === instanceProjectId) {
-      return agent;
-    }
-  }
+  return agent;
 };

 /**
@@ -178,7 +165,7 @@ const isDuplicateVersion = (updateData, currentData, versions, actionsHash = nul
    'actionsHash', // Exclude actionsHash from direct comparison
  ];

-  const { $push, $pull, $addToSet, ...directUpdates } = updateData;
+  const { $push: _$push, $pull: _$pull, $addToSet: _$addToSet, ...directUpdates } = updateData;

  if (Object.keys(directUpdates).length === 0 && !actionsHash) {
    return null;
@@ -197,54 +184,116 @@ const isDuplicateVersion = (updateData, currentData, versions, actionsHash = nul

  let isMatch = true;
  for (const field of importantFields) {
-    if (!wouldBeVersion[field] && !lastVersion[field]) {
+    const wouldBeValue = wouldBeVersion[field];
+    const lastVersionValue = lastVersion[field];
+
+    // Skip if both are undefined/null
+    if (!wouldBeValue && !lastVersionValue) {
      continue;
    }

-    if (Array.isArray(wouldBeVersion[field]) && Array.isArray(lastVersion[field])) {
-      if (wouldBeVersion[field].length !== lastVersion[field].length) {
+    // Handle arrays
+    if (Array.isArray(wouldBeValue) || Array.isArray(lastVersionValue)) {
+      // Normalize: treat undefined/null as empty array for comparison
+      let wouldBeArr;
+      if (Array.isArray(wouldBeValue)) {
+        wouldBeArr = wouldBeValue;
+      } else if (wouldBeValue == null) {
+        wouldBeArr = [];
+      } else {
+        wouldBeArr = [wouldBeValue];
+      }
+
+      let lastVersionArr;
+      if (Array.isArray(lastVersionValue)) {
+        lastVersionArr = lastVersionValue;
+      } else if (lastVersionValue == null) {
+        lastVersionArr = [];
+      } else {
+        lastVersionArr = [lastVersionValue];
+      }
+
+      if (wouldBeArr.length !== lastVersionArr.length) {
        isMatch = false;
        break;
      }

      // Special handling for projectIds (MongoDB ObjectIds)
      if (field === 'projectIds') {
-        const wouldBeIds = wouldBeVersion[field].map((id) => id.toString()).sort();
-        const versionIds = lastVersion[field].map((id) => id.toString()).sort();
+        const wouldBeIds = wouldBeArr.map((id) => id.toString()).sort();
+        const versionIds = lastVersionArr.map((id) => id.toString()).sort();

        if (!wouldBeIds.every((id, i) => id === versionIds[i])) {
          isMatch = false;
          break;
        }
      }
-      // Handle arrays of objects like tool_kwargs
-      else if (typeof wouldBeVersion[field][0] === 'object' && wouldBeVersion[field][0] !== null) {
-        const sortedWouldBe = [...wouldBeVersion[field]].map((item) => JSON.stringify(item)).sort();
-        const sortedVersion = [...lastVersion[field]].map((item) => JSON.stringify(item)).sort();
+      // Handle arrays of objects
+      else if (
+        wouldBeArr.length > 0 &&
+        typeof wouldBeArr[0] === 'object' &&
+        wouldBeArr[0] !== null
+      ) {
+        const sortedWouldBe = [...wouldBeArr].map((item) => JSON.stringify(item)).sort();
+        const sortedVersion = [...lastVersionArr].map((item) => JSON.stringify(item)).sort();

        if (!sortedWouldBe.every((item, i) => item === sortedVersion[i])) {
          isMatch = false;
          break;
        }
      } else {
-        const sortedWouldBe = [...wouldBeVersion[field]].sort();
-        const sortedVersion = [...lastVersion[field]].sort();
+        const sortedWouldBe = [...wouldBeArr].sort();
+        const sortedVersion = [...lastVersionArr].sort();

        if (!sortedWouldBe.every((item, i) => item === sortedVersion[i])) {
          isMatch = false;
          break;
        }
      }
-    } else if (field === 'model_parameters') {
-      const wouldBeParams = wouldBeVersion[field] || {};
-      const lastVersionParams = lastVersion[field] || {};
-      if (JSON.stringify(wouldBeParams) !== JSON.stringify(lastVersionParams)) {
+    }
+    // Handle objects
+    else if (typeof wouldBeValue === 'object' && wouldBeValue !== null) {
+      const lastVersionObj =
+        typeof lastVersionValue === 'object' && lastVersionValue !== null ? lastVersionValue : {};
+
+      // For empty objects, normalize the comparison
+      const wouldBeKeys = Object.keys(wouldBeValue);
+      const lastVersionKeys = Object.keys(lastVersionObj);
+
+      // If both are empty objects, they're equal
+      if (wouldBeKeys.length === 0 && lastVersionKeys.length === 0) {
+        continue;
+      }
+
+      // Otherwise do a deep comparison
+      if (JSON.stringify(wouldBeValue) !== JSON.stringify(lastVersionObj)) {
+        isMatch = false;
+        break;
+      }
+    }
+    // Handle primitive values
+    else {
+      // For primitives, handle the case where one is undefined and the other is a default value
+      if (wouldBeValue !== lastVersionValue) {
+        // Special handling for boolean false vs undefined
+        if (
+          typeof wouldBeValue === 'boolean' &&
+          wouldBeValue === false &&
+          lastVersionValue === undefined
+        ) {
+          continue;
+        }
+        // Special handling for empty string vs undefined
+        if (
+          typeof wouldBeValue === 'string' &&
+          wouldBeValue === '' &&
+          lastVersionValue === undefined
+        ) {
+          continue;
+        }
        isMatch = false;
        break;
      }
-    } else if (wouldBeVersion[field] !== lastVersion[field]) {
-      isMatch = false;
-      break;
    }
  }

@@ -273,7 +322,14 @@ const updateAgent = async (searchParameter, updateData, options = {}) => {

  const currentAgent = await Agent.findOne(searchParameter);
  if (currentAgent) {
-    const { __v, _id, id, versions, author, ...versionData } = currentAgent.toObject();
+    const {
+      __v,
+      _id,
+      id: __id,
+      versions,
+      author: _author,
+      ...versionData
+    } = currentAgent.toObject();
    const { $push, $pull, $addToSet, ...directUpdates } = updateData;

    let actionsHash = null;
@@ -464,8 +520,113 @@ const deleteAgent = async (searchParameter) => {
  return agent;
 };

+/**
+ * Get agents by accessible IDs with optional cursor-based pagination.
+ * @param {Object} params - The parameters for getting accessible agents.
+ * @param {Array} [params.accessibleIds] - Array of agent ObjectIds the user has ACL access to.
+ * @param {Object} [params.otherParams] - Additional query parameters (including author filter).
+ * @param {number} [params.limit] - Number of agents to return (max 100). If not provided, returns all agents.
+ * @param {string} [params.after] - Cursor for pagination - get agents after this cursor. // base64 encoded JSON string with updatedAt and _id.
+ * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
+ */
+const getListAgentsByAccess = async ({
+  accessibleIds = [],
+  otherParams = {},
+  limit = null,
+  after = null,
+}) => {
+  const isPaginated = limit !== null && limit !== undefined;
+  const normalizedLimit = isPaginated ? Math.min(Math.max(1, parseInt(limit) || 20), 100) : null;
+
+  // Build base query combining ACL accessible agents with other filters
+  const baseQuery = { ...otherParams };
+
+  if (accessibleIds.length > 0) {
+    baseQuery._id = { $in: accessibleIds };
+  }
+
+  // Add cursor condition
+  if (after) {
+    try {
+      const cursor = JSON.parse(Buffer.from(after, 'base64').toString('utf8'));
+      const { updatedAt, _id } = cursor;
+
+      const cursorCondition = {
+        $or: [
+          { updatedAt: { $lt: new Date(updatedAt) } },
+          { updatedAt: new Date(updatedAt), _id: { $gt: new mongoose.Types.ObjectId(_id) } },
+        ],
+      };
+
+      // Merge cursor condition with base query
+      if (Object.keys(baseQuery).length > 0) {
+        baseQuery.$and = [{ ...baseQuery }, cursorCondition];
+        // Remove the original conditions from baseQuery to avoid duplication
+        Object.keys(baseQuery).forEach((key) => {
+          if (key !== '$and') delete baseQuery[key];
+        });
+      } else {
+        Object.assign(baseQuery, cursorCondition);
+      }
+    } catch (error) {
+      logger.warn('Invalid cursor:', error.message);
+    }
+  }
+
+  let query = Agent.find(baseQuery, {
+    id: 1,
+    _id: 1,
+    name: 1,
+    avatar: 1,
+    author: 1,
+    projectIds: 1,
+    description: 1,
+    updatedAt: 1,
+    category: 1,
+    support_contact: 1,
+    is_promoted: 1,
+  }).sort({ updatedAt: -1, _id: 1 });
+
+  // Only apply limit if pagination is requested
+  if (isPaginated) {
+    query = query.limit(normalizedLimit + 1);
+  }
+
+  const agents = await query.lean();
+
+  const hasMore = isPaginated ? agents.length > normalizedLimit : false;
+  const data = (isPaginated ? agents.slice(0, normalizedLimit) : agents).map((agent) => {
+    if (agent.author) {
+      agent.author = agent.author.toString();
+    }
+    return agent;
+  });
+
+  // Generate next cursor only if paginated
+  let nextCursor = null;
+  if (isPaginated && hasMore && data.length > 0) {
+    const lastAgent = agents[normalizedLimit - 1];
+    nextCursor = Buffer.from(
+      JSON.stringify({
+        updatedAt: lastAgent.updatedAt.toISOString(),
+        _id: lastAgent._id.toString(),
+      }),
+    ).toString('base64');
+  }
+
+  return {
+    object: 'list',
+    data,
+    first_id: data.length > 0 ? data[0].id : null,
+    last_id: data.length > 0 ? data[data.length - 1].id : null,
+    has_more: hasMore,
+    after: nextCursor,
+  };
+};
+
 /**
 * Get all agents.
+ * @deprecated Use getListAgentsByAccess for ACL-aware agent listing
 * @param {Object} searchParameter - The search parameters to find matching agents.
 * @param {string} searchParameter.author - The user ID of the agent's author.
 * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
@@ -484,13 +645,15 @@ const getListAgents = async (searchParameter) => {
  const agents = (
    await Agent.find(query, {
      id: 1,
-      _id: 0,
+      _id: 1,
      name: 1,
      avatar: 1,
      author: 1,
      projectIds: 1,
      description: 1,
+      // @deprecated - isCollaborative replaced by ACL permissions
      isCollaborative: 1,
+      category: 1,
    }).lean()
  ).map((agent) => {
    if (agent.author?.toString() !== author) {
@@ -656,6 +819,14 @@ const generateActionMetadataHash = async (actionIds, actions) => {

  return hashHex;
 };
+/**
+ * Counts the number of promoted agents.
+ * @returns  {Promise<number>} - The count of promoted agents
+ */
+const countPromotedAgents = async () => {
+  const count = await Agent.countDocuments({ is_promoted: true });
+  return count;
+};

 /**
 * Load a default agent based on the endpoint
@@ -673,6 +844,8 @@ module.exports = {
  revertAgentVersion,
  updateAgentProjects,
  addAgentResourceFile,
+  getListAgentsByAccess,
  removeAgentResourceFiles,
  generateActionMetadataHash,
+  countPromotedAgents,
 };
--- a/api/models/Agent.spec.js
+++ b/api/models/Agent.spec.js
@@ -1258,6 +1258,328 @@ describe('models/Agent', () => {
      expect(secondUpdate.versions).toHaveLength(3);
    });

+    test('should detect changes in support_contact fields', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with initial support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Agent with Support Contact',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Initial Support',
+          email: 'initial@support.com',
+        },
+      });
+
+      // Update support_contact name only
+      const firstUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Updated Support',
+            email: 'initial@support.com',
+          },
+        },
+      );
+
+      expect(firstUpdate.versions).toHaveLength(2);
+      expect(firstUpdate.support_contact.name).toBe('Updated Support');
+      expect(firstUpdate.support_contact.email).toBe('initial@support.com');
+
+      // Update support_contact email only
+      const secondUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Updated Support',
+            email: 'updated@support.com',
+          },
+        },
+      );
+
+      expect(secondUpdate.versions).toHaveLength(3);
+      expect(secondUpdate.support_contact.email).toBe('updated@support.com');
+
+      // Try to update with same support_contact - should be detected as duplicate
+      await expect(
+        updateAgent(
+          { id: agentId },
+          {
+            support_contact: {
+              name: 'Updated Support',
+              email: 'updated@support.com',
+            },
+          },
+        ),
+      ).rejects.toThrow('Duplicate version');
+    });
+
+    test('should handle support_contact from empty to populated', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent without support_contact
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Agent without Support',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+      });
+
+      // Verify support_contact is undefined since it wasn't provided
+      expect(agent.support_contact).toBeUndefined();
+
+      // Update to add support_contact
+      const updated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'New Support Team',
+            email: 'support@example.com',
+          },
+        },
+      );
+
+      expect(updated.versions).toHaveLength(2);
+      expect(updated.support_contact.name).toBe('New Support Team');
+      expect(updated.support_contact.email).toBe('support@example.com');
+    });
+
+    test('should handle support_contact edge cases in isDuplicateVersion', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Edge Case Agent',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Support',
+          email: 'support@test.com',
+        },
+      });
+
+      // Update to empty support_contact
+      const emptyUpdate = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {},
+        },
+      );
+
+      expect(emptyUpdate.versions).toHaveLength(2);
+      expect(emptyUpdate.support_contact).toEqual({});
+
+      // Update back to populated support_contact
+      const repopulated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Support',
+            email: 'support@test.com',
+          },
+        },
+      );
+
+      expect(repopulated.versions).toHaveLength(3);
+
+      // Verify all versions have correct support_contact
+      const finalAgent = await getAgent({ id: agentId });
+      expect(finalAgent.versions[0].support_contact).toEqual({
+        name: 'Support',
+        email: 'support@test.com',
+      });
+      expect(finalAgent.versions[1].support_contact).toEqual({});
+      expect(finalAgent.versions[2].support_contact).toEqual({
+        name: 'Support',
+        email: 'support@test.com',
+      });
+    });
+
+    test('should preserve support_contact in version history', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent
+      await createAgent({
+        id: agentId,
+        name: 'Version History Test',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Initial Contact',
+          email: 'initial@test.com',
+        },
+      });
+
+      // Multiple updates with different support_contact values
+      await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Second Contact',
+            email: 'second@test.com',
+          },
+        },
+      );
+
+      await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'Third Contact',
+            email: 'third@test.com',
+          },
+        },
+      );
+
+      const finalAgent = await getAgent({ id: agentId });
+
+      // Verify version history
+      expect(finalAgent.versions).toHaveLength(3);
+      expect(finalAgent.versions[0].support_contact).toEqual({
+        name: 'Initial Contact',
+        email: 'initial@test.com',
+      });
+      expect(finalAgent.versions[1].support_contact).toEqual({
+        name: 'Second Contact',
+        email: 'second@test.com',
+      });
+      expect(finalAgent.versions[2].support_contact).toEqual({
+        name: 'Third Contact',
+        email: 'third@test.com',
+      });
+
+      // Current state should match last version
+      expect(finalAgent.support_contact).toEqual({
+        name: 'Third Contact',
+        email: 'third@test.com',
+      });
+    });
+
+    test('should handle partial support_contact updates', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent with full support_contact
+      await createAgent({
+        id: agentId,
+        name: 'Partial Update Test',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        support_contact: {
+          name: 'Original Name',
+          email: 'original@email.com',
+        },
+      });
+
+      // MongoDB's findOneAndUpdate will replace the entire support_contact object
+      // So we need to verify that partial updates still work correctly
+      const updated = await updateAgent(
+        { id: agentId },
+        {
+          support_contact: {
+            name: 'New Name',
+            email: '', // Empty email
+          },
+        },
+      );
+
+      expect(updated.versions).toHaveLength(2);
+      expect(updated.support_contact.name).toBe('New Name');
+      expect(updated.support_contact.email).toBe('');
+
+      // Verify isDuplicateVersion works with partial changes
+      await expect(
+        updateAgent(
+          { id: agentId },
+          {
+            support_contact: {
+              name: 'New Name',
+              email: '',
+            },
+          },
+        ),
+      ).rejects.toThrow('Duplicate version');
+    });
+
+    // Edge Cases
+    describe.each([
+      {
+        operation: 'add',
+        name: 'empty file_id',
+        needsAgent: true,
+        params: { tool_resource: 'file_search', file_id: '' },
+        shouldResolve: true,
+      },
+      {
+        operation: 'add',
+        name: 'non-existent agent',
+        needsAgent: false,
+        params: { tool_resource: 'file_search', file_id: 'file123' },
+        shouldResolve: false,
+        error: 'Agent not found for adding resource file',
+      },
+    ])('addAgentResourceFile with $name', ({ needsAgent, params, shouldResolve, error }) => {
+      test(`should ${shouldResolve ? 'resolve' : 'reject'}`, async () => {
+        const agent = needsAgent ? await createBasicAgent() : null;
+        const agent_id = needsAgent ? agent.id : `agent_${uuidv4()}`;
+
+        if (shouldResolve) {
+          await expect(addAgentResourceFile({ agent_id, ...params })).resolves.toBeDefined();
+        } else {
+          await expect(addAgentResourceFile({ agent_id, ...params })).rejects.toThrow(error);
+        }
+      });
+    });
+
+    describe.each([
+      {
+        name: 'empty files array',
+        files: [],
+        needsAgent: true,
+        shouldResolve: true,
+      },
+      {
+        name: 'non-existent tool_resource',
+        files: [{ tool_resource: 'non_existent_tool', file_id: 'file123' }],
+        needsAgent: true,
+        shouldResolve: true,
+      },
+      {
+        name: 'non-existent agent',
+        files: [{ tool_resource: 'file_search', file_id: 'file123' }],
+        needsAgent: false,
+        shouldResolve: false,
+        error: 'Agent not found for removing resource files',
+      },
+    ])('removeAgentResourceFiles with $name', ({ files, needsAgent, shouldResolve, error }) => {
+      test(`should ${shouldResolve ? 'resolve' : 'reject'}`, async () => {
+        const agent = needsAgent ? await createBasicAgent() : null;
+        const agent_id = needsAgent ? agent.id : `agent_${uuidv4()}`;
+
+        if (shouldResolve) {
+          const result = await removeAgentResourceFiles({ agent_id, files });
+          expect(result).toBeDefined();
+          if (agent) {
+            expect(result.id).toBe(agent.id);
+          }
+        } else {
+          await expect(removeAgentResourceFiles({ agent_id, files })).rejects.toThrow(error);
+        }
+      });
+    });
+
    describe('Edge Cases', () => {
      test('should handle extremely large version history', async () => {
        const agentId = `agent_${uuidv4()}`;
@@ -1633,7 +1955,7 @@ describe('models/Agent', () => {
      expect(result.version).toBe(1);
    });

-    test('should return null when user is not author and agent has no projectIds', async () => {
+    test('should return agent even when user is not author (permissions checked at route level)', async () => {
      const authorId = new mongoose.Types.ObjectId();
      const userId = new mongoose.Types.ObjectId();
      const agentId = `agent_${uuidv4()}`;
@@ -1654,7 +1976,11 @@ describe('models/Agent', () => {
        model_parameters: { model: 'gpt-4' },
      });

-      expect(result).toBeFalsy();
+      // With the new permission system, loadAgent returns the agent regardless of permissions
+      // Permission checks are handled at the route level via middleware
+      expect(result).toBeTruthy();
+      expect(result.id).toBe(agentId);
+      expect(result.name).toBe('Test Agent');
    });

    test('should handle ephemeral agent with no MCP servers', async () => {
@@ -1762,7 +2088,7 @@ describe('models/Agent', () => {
        }
      });

-      test('should handle loadAgent with agent from different project', async () => {
+      test('should return agent from different project (permissions checked at route level)', async () => {
        const authorId = new mongoose.Types.ObjectId();
        const userId = new mongoose.Types.ObjectId();
        const agentId = `agent_${uuidv4()}`;
@@ -1785,7 +2111,11 @@ describe('models/Agent', () => {
          model_parameters: { model: 'gpt-4' },
        });

-        expect(result).toBeFalsy();
+        // With the new permission system, loadAgent returns the agent regardless of permissions
+        // Permission checks are handled at the route level via middleware
+        expect(result).toBeTruthy();
+        expect(result.id).toBe(agentId);
+        expect(result.name).toBe('Project Agent');
      });
    });
  });
@@ -2570,6 +2900,93 @@ describe('models/Agent', () => {
  });
 });

+describe('Support Contact Field', () => {
+  let mongoServer;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
+    await mongoose.connect(mongoUri);
+  }, 20000);
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await Agent.deleteMany({});
+  });
+
+  it('should not create subdocument with ObjectId for support_contact', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+      support_contact: {
+        name: 'Support Team',
+        email: 'support@example.com',
+      },
+    };
+
+    // Create agent
+    const agent = await createAgent(agentData);
+
+    // Verify support_contact is stored correctly
+    expect(agent.support_contact).toBeDefined();
+    expect(agent.support_contact.name).toBe('Support Team');
+    expect(agent.support_contact.email).toBe('support@example.com');
+
+    // Verify no _id field is created in support_contact
+    expect(agent.support_contact._id).toBeUndefined();
+
+    // Fetch from database to double-check
+    const dbAgent = await Agent.findOne({ id: agentData.id });
+    expect(dbAgent.support_contact).toBeDefined();
+    expect(dbAgent.support_contact.name).toBe('Support Team');
+    expect(dbAgent.support_contact.email).toBe('support@example.com');
+    expect(dbAgent.support_contact._id).toBeUndefined();
+  });
+
+  it('should handle empty support_contact correctly', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_empty_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+      support_contact: {},
+    };
+
+    const agent = await createAgent(agentData);
+
+    // Verify empty support_contact is stored as empty object
+    expect(agent.support_contact).toEqual({});
+    expect(agent.support_contact._id).toBeUndefined();
+  });
+
+  it('should handle missing support_contact correctly', async () => {
+    const userId = new mongoose.Types.ObjectId();
+    const agentData = {
+      id: 'agent_test_no_support',
+      name: 'Test Agent',
+      provider: 'openai',
+      model: 'gpt-4',
+      author: userId,
+    };
+
+    const agent = await createAgent(agentData);
+
+    // Verify support_contact is undefined when not provided
+    expect(agent.support_contact).toBeUndefined();
+  });
+});
+
 function createBasicAgent(overrides = {}) {
  const defaults = {
    id: `agent_${uuidv4()}`,
--- a/api/models/Conversation.js
+++ b/api/models/Conversation.js
@@ -1,6 +1,6 @@
 const { logger } = require('@librechat/data-schemas');
 const { createTempChatExpirationDate } = require('@librechat/api');
-const getCustomConfig = require('~/server/services/Config/loadCustomConfig');
+const getCustomConfig = require('~/server/services/Config/getCustomConfig');
 const { getMessages, deleteMessages } = require('./Message');
 const { Conversation } = require('~/db/models');

--- a/api/models/File.spec.js
+++ b/api/models/File.spec.js
@@ -0,0 +1,373 @@
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { createModels } = require('@librechat/data-schemas');
+const { getFiles, createFile } = require('./File');
+const { createAgent } = require('./Agent');
+const { grantPermission } = require('~/server/services/PermissionService');
+const { seedDefaultRoles } = require('~/models');
+
+let File;
+let Agent;
+let AclEntry;
+let User;
+let modelsToCleanup = [];
+
+describe('File Access Control', () => {
+  let mongoServer;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+
+    // Initialize all models
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    const dbModels = require('~/db/models');
+    Object.assign(mongoose.models, dbModels);
+
+    File = dbModels.File;
+    Agent = dbModels.Agent;
+    AclEntry = dbModels.AclEntry;
+    User = dbModels.User;
+
+    // Seed default roles
+    await seedDefaultRoles();
+  });
+
+  afterAll(async () => {
+    // Clean up all collections before disconnecting
+    const collections = mongoose.connection.collections;
+    for (const key in collections) {
+      await collections[key].deleteMany({});
+    }
+
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await File.deleteMany({});
+    await Agent.deleteMany({});
+    await AclEntry.deleteMany({});
+    await User.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
+  });
+
+  describe('hasAccessToFilesViaAgent', () => {
+    it('should efficiently check access for multiple files at once', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileIds = [uuidv4(), uuidv4(), uuidv4(), uuidv4()];
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create files
+      for (const fileId of fileIds) {
+        await createFile({
+          user: authorId,
+          file_id: fileId,
+          filename: `file-${fileId}.txt`,
+          filepath: `/uploads/${fileId}`,
+        });
+      }
+
+      // Create agent with only first two files attached
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: [fileIds[0], fileIds[1]],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      // Check access for all files
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent(userId.toString(), fileIds, agentId);
+
+      // Should have access only to the first two files
+      expect(accessMap.get(fileIds[0])).toBe(true);
+      expect(accessMap.get(fileIds[1])).toBe(true);
+      expect(accessMap.get(fileIds[2])).toBe(false);
+      expect(accessMap.get(fileIds[3])).toBe(false);
+    });
+
+    it('should grant access to all files when user is the agent author', async () => {
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileIds = [uuidv4(), uuidv4(), uuidv4()];
+
+      // Create author user
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create agent
+      await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: [fileIds[0]], // Only one file attached
+          },
+        },
+      });
+
+      // Check access as the author
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent(authorId.toString(), fileIds, agentId);
+
+      // Author should have access to all files
+      expect(accessMap.get(fileIds[0])).toBe(true);
+      expect(accessMap.get(fileIds[1])).toBe(true);
+      expect(accessMap.get(fileIds[2])).toBe(true);
+    });
+
+    it('should handle non-existent agent gracefully', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const fileIds = [uuidv4(), uuidv4()];
+
+      // Create user
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent(
+        userId.toString(),
+        fileIds,
+        'non-existent-agent',
+      );
+
+      // Should have no access to any files
+      expect(accessMap.get(fileIds[0])).toBe(false);
+      expect(accessMap.get(fileIds[1])).toBe(false);
+    });
+
+    it('should deny access when user only has VIEW permission', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileIds = [uuidv4(), uuidv4()];
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create agent with files
+      const agent = await createAgent({
+        id: agentId,
+        name: 'View-Only Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: fileIds,
+          },
+        },
+      });
+
+      // Grant only VIEW permission to user on the agent
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_viewer',
+        grantedBy: authorId,
+      });
+
+      // Check access for files
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent(userId.toString(), fileIds, agentId);
+
+      // Should have no access to any files when only VIEW permission
+      expect(accessMap.get(fileIds[0])).toBe(false);
+      expect(accessMap.get(fileIds[1])).toBe(false);
+    });
+  });
+
+  describe('getFiles with agent access control', () => {
+    test('should return files owned by user and files accessible through agent', async () => {
+      const authorId = new mongoose.Types.ObjectId();
+      const userId = new mongoose.Types.ObjectId();
+      const agentId = `agent_${uuidv4()}`;
+      const ownedFileId = `file_${uuidv4()}`;
+      const sharedFileId = `file_${uuidv4()}`;
+      const inaccessibleFileId = `file_${uuidv4()}`;
+
+      // Create users
+      await User.create({
+        _id: userId,
+        email: 'user@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await User.create({
+        _id: authorId,
+        email: 'author@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      // Create agent with shared file
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Shared Agent',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [sharedFileId],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      // Create files
+      await createFile({
+        file_id: ownedFileId,
+        user: userId,
+        filename: 'owned.txt',
+        filepath: '/uploads/owned.txt',
+        type: 'text/plain',
+        bytes: 100,
+      });
+
+      await createFile({
+        file_id: sharedFileId,
+        user: authorId,
+        filename: 'shared.txt',
+        filepath: '/uploads/shared.txt',
+        type: 'text/plain',
+        bytes: 200,
+        embedded: true,
+      });
+
+      await createFile({
+        file_id: inaccessibleFileId,
+        user: authorId,
+        filename: 'inaccessible.txt',
+        filepath: '/uploads/inaccessible.txt',
+        type: 'text/plain',
+        bytes: 300,
+      });
+
+      // Get all files first
+      const allFiles = await getFiles(
+        { file_id: { $in: [ownedFileId, sharedFileId, inaccessibleFileId] } },
+        null,
+        { text: 0 },
+      );
+
+      // Then filter by access control
+      const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
+      const files = await filterFilesByAgentAccess(allFiles, userId.toString(), agentId);
+
+      expect(files).toHaveLength(2);
+      expect(files.map((f) => f.file_id)).toContain(ownedFileId);
+      expect(files.map((f) => f.file_id)).toContain(sharedFileId);
+      expect(files.map((f) => f.file_id)).not.toContain(inaccessibleFileId);
+    });
+
+    test('should return all files when no userId/agentId provided', async () => {
+      const userId = new mongoose.Types.ObjectId();
+      const fileId1 = `file_${uuidv4()}`;
+      const fileId2 = `file_${uuidv4()}`;
+
+      await createFile({
+        file_id: fileId1,
+        user: userId,
+        filename: 'file1.txt',
+        filepath: '/uploads/file1.txt',
+        type: 'text/plain',
+        bytes: 100,
+      });
+
+      await createFile({
+        file_id: fileId2,
+        user: new mongoose.Types.ObjectId(),
+        filename: 'file2.txt',
+        filepath: '/uploads/file2.txt',
+        type: 'text/plain',
+        bytes: 200,
+      });
+
+      const files = await getFiles({ file_id: { $in: [fileId1, fileId2] } });
+      expect(files).toHaveLength(2);
+    });
+  });
+});
--- a/api/models/Message.js
+++ b/api/models/Message.js
@@ -1,7 +1,7 @@
 const { z } = require('zod');
 const { logger } = require('@librechat/data-schemas');
 const { createTempChatExpirationDate } = require('@librechat/api');
-const getCustomConfig = require('~/server/services/Config/loadCustomConfig');
+const getCustomConfig = require('~/server/services/Config/getCustomConfig');
 const { Message } = require('~/db/models');

 const idSchema = z.string().uuid();
--- a/api/models/Role.js
+++ b/api/models/Role.js
@@ -2,7 +2,6 @@ const {
  CacheKeys,
  SystemRoles,
  roleDefaults,
-  PermissionTypes,
  permissionsSchema,
  removeNullishValues,
 } = require('librechat-data-provider');
--- a/api/models/tx.js
+++ b/api/models/tx.js
@@ -135,10 +135,11 @@ const tokenValues = Object.assign(
    'grok-2-1212': { prompt: 2.0, completion: 10.0 },
    'grok-2-latest': { prompt: 2.0, completion: 10.0 },
    'grok-2': { prompt: 2.0, completion: 10.0 },
-    'grok-3-mini-fast': { prompt: 0.4, completion: 4 },
+    'grok-3-mini-fast': { prompt: 0.6, completion: 4 },
    'grok-3-mini': { prompt: 0.3, completion: 0.5 },
    'grok-3-fast': { prompt: 5.0, completion: 25.0 },
    'grok-3': { prompt: 3.0, completion: 15.0 },
+    'grok-4': { prompt: 3.0, completion: 15.0 },
    'grok-beta': { prompt: 5.0, completion: 15.0 },
    'mistral-large': { prompt: 2.0, completion: 6.0 },
    'pixtral-large': { prompt: 2.0, completion: 6.0 },
--- a/api/models/tx.spec.js
+++ b/api/models/tx.spec.js
@@ -636,6 +636,15 @@ describe('Grok Model Tests - Pricing', () => {
      );
    });

+    test('should return correct prompt and completion rates for Grok 4 model', () => {
+      expect(getMultiplier({ model: 'grok-4-0709', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4'].prompt,
+      );
+      expect(getMultiplier({ model: 'grok-4-0709', tokenType: 'completion' })).toBe(
+        tokenValues['grok-4'].completion,
+      );
+    });
+
    test('should return correct prompt and completion rates for Grok 3 models with prefixes', () => {
      expect(getMultiplier({ model: 'xai/grok-3', tokenType: 'prompt' })).toBe(
        tokenValues['grok-3'].prompt,
@@ -662,6 +671,15 @@ describe('Grok Model Tests - Pricing', () => {
        tokenValues['grok-3-mini-fast'].completion,
      );
    });
+
+    test('should return correct prompt and completion rates for Grok 4 model with prefixes', () => {
+      expect(getMultiplier({ model: 'xai/grok-4-0709', tokenType: 'prompt' })).toBe(
+        tokenValues['grok-4'].prompt,
+      );
+      expect(getMultiplier({ model: 'xai/grok-4-0709', tokenType: 'completion' })).toBe(
+        tokenValues['grok-4'].completion,
+      );
+    });
  });
 });

--- a/api/package.json
+++ b/api/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@librechat/backend",
-  "version": "v0.7.8",
+  "version": "v0.7.9",
  "description": "",
  "scripts": {
    "start": "echo 'please run this from the root directory'",
@@ -44,19 +44,21 @@
    "@googleapis/youtube": "^20.0.0",
    "@keyv/redis": "^4.3.3",
    "@langchain/community": "^0.3.47",
-    "@langchain/core": "^0.3.60",
+    "@langchain/core": "^0.3.62",
    "@langchain/google-genai": "^0.2.13",
    "@langchain/google-vertexai": "^0.2.13",
+    "@langchain/openai": "^0.5.18",
    "@langchain/textsplitters": "^0.1.0",
-    "@librechat/agents": "^2.4.46",
+    "@librechat/agents": "^2.4.68",
    "@librechat/api": "*",
    "@librechat/data-schemas": "*",
    "@node-saml/passport-saml": "^5.0.0",
+    "@microsoft/microsoft-graph-client": "^3.0.7",
    "@waylaidwanderer/fetch-event-source": "^3.0.1",
    "axios": "^1.8.2",
    "bcryptjs": "^2.4.3",
-    "compression": "^1.7.4",
-    "connect-redis": "^7.1.0",
+    "compression": "^1.8.1",
+    "connect-redis": "^8.1.0",
    "cookie": "^0.7.2",
    "cookie-parser": "^1.4.7",
    "cors": "^2.8.5",
@@ -66,10 +68,11 @@
    "express": "^4.21.2",
    "express-mongo-sanitize": "^2.2.0",
    "express-rate-limit": "^7.4.1",
-    "express-session": "^1.18.1",
+    "express-session": "^1.18.2",
    "express-static-gzip": "^2.2.0",
    "file-type": "^18.7.0",
    "firebase": "^11.0.2",
+    "form-data": "^4.0.4",
    "googleapis": "^126.0.1",
    "handlebars": "^4.7.7",
    "https-proxy-agent": "^7.0.6",
@@ -87,12 +90,12 @@
    "mime": "^3.0.0",
    "module-alias": "^2.2.3",
    "mongoose": "^8.12.1",
-    "multer": "^2.0.1",
+    "multer": "^2.0.2",
    "nanoid": "^3.3.7",
    "node-fetch": "^2.7.0",
    "nodemailer": "^6.9.15",
    "ollama": "^0.5.0",
-    "openai": "^4.96.2",
+    "openai": "^5.10.1",
    "openai-chat-tokens": "^0.2.8",
    "openid-client": "^6.5.0",
    "passport": "^0.6.0",
--- a/api/server/controllers/ErrorController.js
+++ b/api/server/controllers/ErrorController.js
@@ -24,17 +24,23 @@ const handleValidationError = (err, res) => {
  }
 };

-// eslint-disable-next-line no-unused-vars
-module.exports = (err, req, res, next) => {
+module.exports = (err, _req, res, _next) => {
  try {
    if (err.name === 'ValidationError') {
-      return (err = handleValidationError(err, res));
+      return handleValidationError(err, res);
    }
    if (err.code && err.code == 11000) {
-      return (err = handleDuplicateKeyError(err, res));
+      return handleDuplicateKeyError(err, res);
    }
-  } catch (err) {
+    // Special handling for errors like SyntaxError
+    if (err.statusCode && err.body) {
+      return res.status(err.statusCode).send(err.body);
+    }
+
    logger.error('ErrorController => error', err);
-    res.status(500).send('An unknown error occurred.');
+    return res.status(500).send('An unknown error occurred.');
+  } catch (err) {
+    logger.error('ErrorController => processing error', err);
+    return res.status(500).send('Processing error in ErrorController.');
  }
 };
--- a/api/server/controllers/ErrorController.spec.js
+++ b/api/server/controllers/ErrorController.spec.js
@@ -0,0 +1,241 @@
+const errorController = require('./ErrorController');
+const { logger } = require('~/config');
+
+// Mock the logger
+jest.mock('~/config', () => ({
+  logger: {
+    error: jest.fn(),
+  },
+}));
+
+describe('ErrorController', () => {
+  let mockReq, mockRes, mockNext;
+
+  beforeEach(() => {
+    mockReq = {};
+    mockRes = {
+      status: jest.fn().mockReturnThis(),
+      send: jest.fn(),
+    };
+    mockNext = jest.fn();
+    logger.error.mockClear();
+  });
+
+  describe('ValidationError handling', () => {
+    it('should handle ValidationError with single error', () => {
+      const validationError = {
+        name: 'ValidationError',
+        errors: {
+          email: { message: 'Email is required', path: 'email' },
+        },
+      };
+
+      errorController(validationError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(400);
+      expect(mockRes.send).toHaveBeenCalledWith({
+        messages: '["Email is required"]',
+        fields: '["email"]',
+      });
+      expect(logger.error).toHaveBeenCalledWith('Validation error:', validationError.errors);
+    });
+
+    it('should handle ValidationError with multiple errors', () => {
+      const validationError = {
+        name: 'ValidationError',
+        errors: {
+          email: { message: 'Email is required', path: 'email' },
+          password: { message: 'Password is required', path: 'password' },
+        },
+      };
+
+      errorController(validationError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(400);
+      expect(mockRes.send).toHaveBeenCalledWith({
+        messages: '"Email is required Password is required"',
+        fields: '["email","password"]',
+      });
+      expect(logger.error).toHaveBeenCalledWith('Validation error:', validationError.errors);
+    });
+
+    it('should handle ValidationError with empty errors object', () => {
+      const validationError = {
+        name: 'ValidationError',
+        errors: {},
+      };
+
+      errorController(validationError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(400);
+      expect(mockRes.send).toHaveBeenCalledWith({
+        messages: '[]',
+        fields: '[]',
+      });
+    });
+  });
+
+  describe('Duplicate key error handling', () => {
+    it('should handle duplicate key error (code 11000)', () => {
+      const duplicateKeyError = {
+        code: 11000,
+        keyValue: { email: 'test@example.com' },
+      };
+
+      errorController(duplicateKeyError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(409);
+      expect(mockRes.send).toHaveBeenCalledWith({
+        messages: 'An document with that ["email"] already exists.',
+        fields: '["email"]',
+      });
+      expect(logger.error).toHaveBeenCalledWith('Duplicate key error:', duplicateKeyError.keyValue);
+    });
+
+    it('should handle duplicate key error with multiple fields', () => {
+      const duplicateKeyError = {
+        code: 11000,
+        keyValue: { email: 'test@example.com', username: 'testuser' },
+      };
+
+      errorController(duplicateKeyError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(409);
+      expect(mockRes.send).toHaveBeenCalledWith({
+        messages: 'An document with that ["email","username"] already exists.',
+        fields: '["email","username"]',
+      });
+      expect(logger.error).toHaveBeenCalledWith('Duplicate key error:', duplicateKeyError.keyValue);
+    });
+
+    it('should handle error with code 11000 as string', () => {
+      const duplicateKeyError = {
+        code: '11000',
+        keyValue: { email: 'test@example.com' },
+      };
+
+      errorController(duplicateKeyError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(409);
+      expect(mockRes.send).toHaveBeenCalledWith({
+        messages: 'An document with that ["email"] already exists.',
+        fields: '["email"]',
+      });
+    });
+  });
+
+  describe('SyntaxError handling', () => {
+    it('should handle errors with statusCode and body', () => {
+      const syntaxError = {
+        statusCode: 400,
+        body: 'Invalid JSON syntax',
+      };
+
+      errorController(syntaxError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(400);
+      expect(mockRes.send).toHaveBeenCalledWith('Invalid JSON syntax');
+    });
+
+    it('should handle errors with different statusCode and body', () => {
+      const customError = {
+        statusCode: 422,
+        body: { error: 'Unprocessable entity' },
+      };
+
+      errorController(customError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(422);
+      expect(mockRes.send).toHaveBeenCalledWith({ error: 'Unprocessable entity' });
+    });
+
+    it('should handle error with statusCode but no body', () => {
+      const partialError = {
+        statusCode: 400,
+      };
+
+      errorController(partialError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(500);
+      expect(mockRes.send).toHaveBeenCalledWith('An unknown error occurred.');
+    });
+
+    it('should handle error with body but no statusCode', () => {
+      const partialError = {
+        body: 'Some error message',
+      };
+
+      errorController(partialError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(500);
+      expect(mockRes.send).toHaveBeenCalledWith('An unknown error occurred.');
+    });
+  });
+
+  describe('Unknown error handling', () => {
+    it('should handle unknown errors', () => {
+      const unknownError = new Error('Some unknown error');
+
+      errorController(unknownError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(500);
+      expect(mockRes.send).toHaveBeenCalledWith('An unknown error occurred.');
+      expect(logger.error).toHaveBeenCalledWith('ErrorController => error', unknownError);
+    });
+
+    it('should handle errors with code other than 11000', () => {
+      const mongoError = {
+        code: 11100,
+        message: 'Some MongoDB error',
+      };
+
+      errorController(mongoError, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(500);
+      expect(mockRes.send).toHaveBeenCalledWith('An unknown error occurred.');
+      expect(logger.error).toHaveBeenCalledWith('ErrorController => error', mongoError);
+    });
+
+    it('should handle null/undefined errors', () => {
+      errorController(null, mockReq, mockRes, mockNext);
+
+      expect(mockRes.status).toHaveBeenCalledWith(500);
+      expect(mockRes.send).toHaveBeenCalledWith('Processing error in ErrorController.');
+      expect(logger.error).toHaveBeenCalledWith(
+        'ErrorController => processing error',
+        expect.any(Error),
+      );
+    });
+  });
+
+  describe('Catch block handling', () => {
+    beforeEach(() => {
+      // Restore logger mock to normal behavior for these tests
+      logger.error.mockRestore();
+      logger.error = jest.fn();
+    });
+
+    it('should handle errors when logger.error throws', () => {
+      // Create fresh mocks for this test
+      const freshMockRes = {
+        status: jest.fn().mockReturnThis(),
+        send: jest.fn(),
+      };
+
+      // Mock logger to throw on the first call, succeed on the second
+      logger.error
+        .mockImplementationOnce(() => {
+          throw new Error('Logger error');
+        })
+        .mockImplementation(() => {});
+
+      const testError = new Error('Test error');
+
+      errorController(testError, mockReq, freshMockRes, mockNext);
+
+      expect(freshMockRes.status).toHaveBeenCalledWith(500);
+      expect(freshMockRes.send).toHaveBeenCalledWith('Processing error in ErrorController.');
+      expect(logger.error).toHaveBeenCalledTimes(2);
+    });
+  });
+});
--- a/api/server/controllers/PermissionsController.js
+++ b/api/server/controllers/PermissionsController.js
@@ -0,0 +1,437 @@
+/**
+ * @import { TUpdateResourcePermissionsRequest, TUpdateResourcePermissionsResponse } from 'librechat-data-provider'
+ */
+
+const mongoose = require('mongoose');
+const { logger } = require('@librechat/data-schemas');
+const {
+  getAvailableRoles,
+  ensurePrincipalExists,
+  getEffectivePermissions,
+  ensureGroupPrincipalExists,
+  bulkUpdateResourcePermissions,
+} = require('~/server/services/PermissionService');
+const { AclEntry } = require('~/db/models');
+const {
+  searchPrincipals: searchLocalPrincipals,
+  sortPrincipalsByRelevance,
+  calculateRelevanceScore,
+} = require('~/models');
+const {
+  searchEntraIdPrincipals,
+  entraIdPrincipalFeatureEnabled,
+} = require('~/server/services/GraphApiService');
+
+/**
+ * Generic controller for resource permission endpoints
+ * Delegates validation and logic to PermissionService
+ */
+
+/**
+ * Bulk update permissions for a resource (grant, update, remove)
+ * @route PUT /api/{resourceType}/{resourceId}/permissions
+ * @param {Object} req - Express request object
+ * @param {Object} req.params - Route parameters
+ * @param {string} req.params.resourceType - Resource type (e.g., 'agent')
+ * @param {string} req.params.resourceId - Resource ID
+ * @param {TUpdateResourcePermissionsRequest} req.body - Request body
+ * @param {Object} res - Express response object
+ * @returns {Promise<TUpdateResourcePermissionsResponse>} Updated permissions response
+ */
+const updateResourcePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    /** @type {TUpdateResourcePermissionsRequest} */
+    const { updated, removed, public: isPublic, publicAccessRoleId } = req.body;
+    const { id: userId } = req.user;
+
+    // Prepare principals for the service call
+    const updatedPrincipals = [];
+    const revokedPrincipals = [];
+
+    // Add updated principals
+    if (updated && Array.isArray(updated)) {
+      updatedPrincipals.push(...updated);
+    }
+
+    // Add public permission if enabled
+    if (isPublic && publicAccessRoleId) {
+      updatedPrincipals.push({
+        type: 'public',
+        id: null,
+        accessRoleId: publicAccessRoleId,
+      });
+    }
+
+    // Prepare authentication context for enhanced group member fetching
+    const useEntraId = entraIdPrincipalFeatureEnabled(req.user);
+    const authHeader = req.headers.authorization;
+    const accessToken =
+      authHeader && authHeader.startsWith('Bearer ') ? authHeader.substring(7) : null;
+    const authContext =
+      useEntraId && accessToken
+        ? {
+            accessToken,
+            sub: req.user.openidId,
+          }
+        : null;
+
+    // Ensure updated principals exist in the database before processing permissions
+    const validatedPrincipals = [];
+    for (const principal of updatedPrincipals) {
+      try {
+        let principalId;
+
+        if (principal.type === 'public') {
+          principalId = null; // Public principals don't need database records
+        } else if (principal.type === 'user') {
+          principalId = await ensurePrincipalExists(principal);
+        } else if (principal.type === 'group') {
+          // Pass authContext to enable member fetching for Entra ID groups when available
+          principalId = await ensureGroupPrincipalExists(principal, authContext);
+        } else {
+          logger.error(`Unsupported principal type: ${principal.type}`);
+          continue; // Skip invalid principal types
+        }
+
+        // Update the principal with the validated ID for ACL operations
+        validatedPrincipals.push({
+          ...principal,
+          id: principalId,
+        });
+      } catch (error) {
+        logger.error('Error ensuring principal exists:', {
+          principal: {
+            type: principal.type,
+            id: principal.id,
+            name: principal.name,
+            source: principal.source,
+          },
+          error: error.message,
+        });
+        // Continue with other principals instead of failing the entire operation
+        continue;
+      }
+    }
+
+    // Add removed principals
+    if (removed && Array.isArray(removed)) {
+      revokedPrincipals.push(...removed);
+    }
+
+    // If public is disabled, add public to revoked list
+    if (!isPublic) {
+      revokedPrincipals.push({
+        type: 'public',
+        id: null,
+      });
+    }
+
+    const results = await bulkUpdateResourcePermissions({
+      resourceType,
+      resourceId,
+      updatedPrincipals: validatedPrincipals,
+      revokedPrincipals,
+      grantedBy: userId,
+    });
+
+    /** @type {TUpdateResourcePermissionsResponse} */
+    const response = {
+      message: 'Permissions updated successfully',
+      results: {
+        principals: results.granted,
+        public: isPublic || false,
+        publicAccessRoleId: isPublic ? publicAccessRoleId : undefined,
+      },
+    };
+
+    res.status(200).json(response);
+  } catch (error) {
+    logger.error('Error updating resource permissions:', error);
+    res.status(400).json({
+      error: 'Failed to update permissions',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get principals with their permission roles for a resource (UI-friendly format)
+ * Uses efficient aggregation pipeline to join User/Group data in single query
+ * @route GET /api/permissions/{resourceType}/{resourceId}
+ */
+const getResourcePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+
+    // Use aggregation pipeline for efficient single-query data retrieval
+    const results = await AclEntry.aggregate([
+      // Match ACL entries for this resource
+      {
+        $match: {
+          resourceType,
+          resourceId: mongoose.Types.ObjectId.isValid(resourceId)
+            ? mongoose.Types.ObjectId.createFromHexString(resourceId)
+            : resourceId,
+        },
+      },
+      // Lookup AccessRole information
+      {
+        $lookup: {
+          from: 'accessroles',
+          localField: 'roleId',
+          foreignField: '_id',
+          as: 'role',
+        },
+      },
+      // Lookup User information (for user principals)
+      {
+        $lookup: {
+          from: 'users',
+          localField: 'principalId',
+          foreignField: '_id',
+          as: 'userInfo',
+        },
+      },
+      // Lookup Group information (for group principals)
+      {
+        $lookup: {
+          from: 'groups',
+          localField: 'principalId',
+          foreignField: '_id',
+          as: 'groupInfo',
+        },
+      },
+      // Project final structure
+      {
+        $project: {
+          principalType: 1,
+          principalId: 1,
+          accessRoleId: { $arrayElemAt: ['$role.accessRoleId', 0] },
+          userInfo: { $arrayElemAt: ['$userInfo', 0] },
+          groupInfo: { $arrayElemAt: ['$groupInfo', 0] },
+        },
+      },
+    ]);
+
+    const principals = [];
+    let publicPermission = null;
+
+    // Process aggregation results
+    for (const result of results) {
+      if (result.principalType === 'public') {
+        publicPermission = {
+          public: true,
+          publicAccessRoleId: result.accessRoleId,
+        };
+      } else if (result.principalType === 'user' && result.userInfo) {
+        principals.push({
+          type: 'user',
+          id: result.userInfo._id.toString(),
+          name: result.userInfo.name || result.userInfo.username,
+          email: result.userInfo.email,
+          avatar: result.userInfo.avatar,
+          source: !result.userInfo._id ? 'entra' : 'local',
+          idOnTheSource: result.userInfo.idOnTheSource || result.userInfo._id.toString(),
+          accessRoleId: result.accessRoleId,
+        });
+      } else if (result.principalType === 'group' && result.groupInfo) {
+        principals.push({
+          type: 'group',
+          id: result.groupInfo._id.toString(),
+          name: result.groupInfo.name,
+          email: result.groupInfo.email,
+          description: result.groupInfo.description,
+          avatar: result.groupInfo.avatar,
+          source: result.groupInfo.source || 'local',
+          idOnTheSource: result.groupInfo.idOnTheSource || result.groupInfo._id.toString(),
+          accessRoleId: result.accessRoleId,
+        });
+      }
+    }
+
+    // Return response in format expected by frontend
+    const response = {
+      resourceType,
+      resourceId,
+      principals,
+      public: publicPermission?.public || false,
+      ...(publicPermission?.publicAccessRoleId && {
+        publicAccessRoleId: publicPermission.publicAccessRoleId,
+      }),
+    };
+
+    res.status(200).json(response);
+  } catch (error) {
+    logger.error('Error getting resource permissions principals:', error);
+    res.status(500).json({
+      error: 'Failed to get permissions principals',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get available roles for a resource type
+ * @route GET /api/{resourceType}/roles
+ */
+const getResourceRoles = async (req, res) => {
+  try {
+    const { resourceType } = req.params;
+
+    const roles = await getAvailableRoles({ resourceType });
+
+    res.status(200).json(
+      roles.map((role) => ({
+        accessRoleId: role.accessRoleId,
+        name: role.name,
+        description: role.description,
+        permBits: role.permBits,
+      })),
+    );
+  } catch (error) {
+    logger.error('Error getting resource roles:', error);
+    res.status(500).json({
+      error: 'Failed to get roles',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Get user's effective permission bitmask for a resource
+ * @route GET /api/{resourceType}/{resourceId}/effective
+ */
+const getUserEffectivePermissions = async (req, res) => {
+  try {
+    const { resourceType, resourceId } = req.params;
+    const { id: userId } = req.user;
+
+    const permissionBits = await getEffectivePermissions({
+      userId,
+      resourceType,
+      resourceId,
+    });
+
+    res.status(200).json({
+      permissionBits,
+    });
+  } catch (error) {
+    logger.error('Error getting user effective permissions:', error);
+    res.status(500).json({
+      error: 'Failed to get effective permissions',
+      details: error.message,
+    });
+  }
+};
+
+/**
+ * Search for users and groups to grant permissions
+ * Supports hybrid local database + Entra ID search when configured
+ * @route GET /api/permissions/search-principals
+ */
+const searchPrincipals = async (req, res) => {
+  try {
+    const { q: query, limit = 20, type } = req.query;
+
+    if (!query || query.trim().length === 0) {
+      return res.status(400).json({
+        error: 'Query parameter "q" is required and must not be empty',
+      });
+    }
+
+    if (query.trim().length < 2) {
+      return res.status(400).json({
+        error: 'Query must be at least 2 characters long',
+      });
+    }
+
+    const searchLimit = Math.min(Math.max(1, parseInt(limit) || 10), 50);
+    const typeFilter = ['user', 'group'].includes(type) ? type : null;
+
+    const localResults = await searchLocalPrincipals(query.trim(), searchLimit, typeFilter);
+    let allPrincipals = [...localResults];
+
+    const useEntraId = entraIdPrincipalFeatureEnabled(req.user);
+
+    if (useEntraId && localResults.length < searchLimit) {
+      try {
+        const graphTypeMap = {
+          user: 'users',
+          group: 'groups',
+          null: 'all',
+        };
+
+        const authHeader = req.headers.authorization;
+        const accessToken =
+          authHeader && authHeader.startsWith('Bearer ') ? authHeader.substring(7) : null;
+
+        if (accessToken) {
+          const graphResults = await searchEntraIdPrincipals(
+            accessToken,
+            req.user.openidId,
+            query.trim(),
+            graphTypeMap[typeFilter],
+            searchLimit - localResults.length,
+          );
+
+          const localEmails = new Set(
+            localResults.map((p) => p.email?.toLowerCase()).filter(Boolean),
+          );
+          const localGroupSourceIds = new Set(
+            localResults.map((p) => p.idOnTheSource).filter(Boolean),
+          );
+
+          for (const principal of graphResults) {
+            const isDuplicateByEmail =
+              principal.email && localEmails.has(principal.email.toLowerCase());
+            const isDuplicateBySourceId =
+              principal.idOnTheSource && localGroupSourceIds.has(principal.idOnTheSource);
+
+            if (!isDuplicateByEmail && !isDuplicateBySourceId) {
+              allPrincipals.push(principal);
+            }
+          }
+        }
+      } catch (graphError) {
+        logger.warn('Graph API search failed, falling back to local results:', graphError.message);
+      }
+    }
+    const scoredResults = allPrincipals.map((item) => ({
+      ...item,
+      _searchScore: calculateRelevanceScore(item, query.trim()),
+    }));
+
+    allPrincipals = sortPrincipalsByRelevance(scoredResults)
+      .slice(0, searchLimit)
+      .map((result) => {
+        const { _searchScore, ...resultWithoutScore } = result;
+        return resultWithoutScore;
+      });
+    res.status(200).json({
+      query: query.trim(),
+      limit: searchLimit,
+      type: typeFilter,
+      results: allPrincipals,
+      count: allPrincipals.length,
+      sources: {
+        local: allPrincipals.filter((r) => r.source === 'local').length,
+        entra: allPrincipals.filter((r) => r.source === 'entra').length,
+      },
+    });
+  } catch (error) {
+    logger.error('Error searching principals:', error);
+    res.status(500).json({
+      error: 'Failed to search principals',
+      details: error.message,
+    });
+  }
+};
+
+module.exports = {
+  updateResourcePermissions,
+  getResourcePermissions,
+  getResourceRoles,
+  getUserEffectivePermissions,
+  searchPrincipals,
+};
--- a/api/server/controllers/PluginController.js
+++ b/api/server/controllers/PluginController.js
@@ -1,11 +1,10 @@
 const { logger } = require('@librechat/data-schemas');
-const { CacheKeys, AuthType } = require('librechat-data-provider');
+const { CacheKeys, AuthType, Constants } = require('librechat-data-provider');
 const { getCustomConfig, getCachedTools } = require('~/server/services/Config');
 const { getToolkitKey } = require('~/server/services/ToolService');
 const { getMCPManager, getFlowStateManager } = require('~/config');
 const { availableTools } = require('~/app/clients/tools');
 const { getLogStores } = require('~/cache');
-const { Constants } = require('librechat-data-provider');

 /**
 * Filters out duplicate plugins from the list of plugins.
@@ -139,15 +138,21 @@ function createGetServerTools() {
 */
 const getAvailableTools = async (req, res) => {
  try {
+    const userId = req.user?.id;
+    const customConfig = await getCustomConfig();
    const cache = getLogStores(CacheKeys.CONFIG_STORE);
-    const cachedTools = await cache.get(CacheKeys.TOOLS);
-    if (cachedTools) {
-      res.status(200).json(cachedTools);
+    const cachedToolsArray = await cache.get(CacheKeys.TOOLS);
+    const cachedUserTools = await getCachedTools({ userId });
+    const userPlugins = convertMCPToolsToPlugins(cachedUserTools, customConfig);
+
+    if (cachedToolsArray && userPlugins) {
+      const dedupedTools = filterUniquePlugins([...userPlugins, ...cachedToolsArray]);
+      res.status(200).json(dedupedTools);
      return;
    }

+    // If not in cache, build from manifest
    let pluginManifest = availableTools;
-    const customConfig = await getCustomConfig();
    if (customConfig?.mcpServers != null) {
      const mcpManager = getMCPManager();
      const flowsCache = getLogStores(CacheKeys.FLOWS);
@@ -173,7 +178,7 @@ const getAvailableTools = async (req, res) => {
      }
    });

-    const toolDefinitions = await getCachedTools({ includeGlobal: true });
+    const toolDefinitions = (await getCachedTools({ includeGlobal: true })) || {};

    const toolsOutput = [];
    for (const plugin of authenticatedPlugins) {
@@ -218,16 +223,70 @@ const getAvailableTools = async (req, res) => {

      toolsOutput.push(toolToAdd);
    }
-
    const finalTools = filterUniquePlugins(toolsOutput);
    await cache.set(CacheKeys.TOOLS, finalTools);
-    res.status(200).json(finalTools);
+
+    const dedupedTools = filterUniquePlugins([...userPlugins, ...finalTools]);
+
+    res.status(200).json(dedupedTools);
  } catch (error) {
    logger.error('[getAvailableTools]', error);
    res.status(500).json({ message: error.message });
  }
 };

+/**
+ * Converts MCP function format tools to plugin format
+ * @param {Object} functionTools - Object with function format tools
+ * @param {Object} customConfig - Custom configuration for MCP servers
+ * @returns {Array} Array of plugin objects
+ */
+function convertMCPToolsToPlugins(functionTools, customConfig) {
+  const plugins = [];
+
+  for (const [toolKey, toolData] of Object.entries(functionTools)) {
+    if (!toolData.function || !toolKey.includes(Constants.mcp_delimiter)) {
+      continue;
+    }
+
+    const functionData = toolData.function;
+    const parts = toolKey.split(Constants.mcp_delimiter);
+    const serverName = parts[parts.length - 1];
+
+    const serverConfig = customConfig?.mcpServers?.[serverName];
+
+    const plugin = {
+      name: parts[0], // Use the tool name without server suffix
+      pluginKey: toolKey,
+      description: functionData.description || '',
+      authenticated: true,
+      icon: serverConfig?.iconPath,
+    };
+
+    // Build authConfig for MCP tools
+    if (!serverConfig?.customUserVars) {
+      plugin.authConfig = [];
+      plugins.push(plugin);
+      continue;
+    }
+
+    const customVarKeys = Object.keys(serverConfig.customUserVars);
+    if (customVarKeys.length === 0) {
+      plugin.authConfig = [];
+    } else {
+      plugin.authConfig = Object.entries(serverConfig.customUserVars).map(([key, value]) => ({
+        authField: key,
+        label: value.title || key,
+        description: value.description || '',
+      }));
+    }
+
+    plugins.push(plugin);
+  }
+
+  return plugins;
+}
+
 module.exports = {
  getAvailableTools,
  getAvailablePluginsController,
--- a/api/server/controllers/PluginController.spec.js
+++ b/api/server/controllers/PluginController.spec.js
@@ -0,0 +1,89 @@
+const { Constants } = require('librechat-data-provider');
+const { getCustomConfig, getCachedTools } = require('~/server/services/Config');
+const { getLogStores } = require('~/cache');
+
+// Mock the dependencies
+jest.mock('@librechat/data-schemas', () => ({
+  logger: {
+    debug: jest.fn(),
+    error: jest.fn(),
+  },
+}));
+
+jest.mock('~/server/services/Config', () => ({
+  getCustomConfig: jest.fn(),
+  getCachedTools: jest.fn(),
+}));
+
+jest.mock('~/server/services/ToolService', () => ({
+  getToolkitKey: jest.fn(),
+}));
+
+jest.mock('~/config', () => ({
+  getMCPManager: jest.fn(() => ({
+    loadManifestTools: jest.fn().mockResolvedValue([]),
+  })),
+  getFlowStateManager: jest.fn(),
+}));
+
+jest.mock('~/app/clients/tools', () => ({
+  availableTools: [],
+}));
+
+jest.mock('~/cache', () => ({
+  getLogStores: jest.fn(),
+}));
+
+// Import the actual module with the function we want to test
+const { getAvailableTools } = require('./PluginController');
+
+describe('PluginController', () => {
+  describe('plugin.icon behavior', () => {
+    let mockReq, mockRes, mockCache;
+
+    const callGetAvailableToolsWithMCPServer = async (mcpServers) => {
+      mockCache.get.mockResolvedValue(null);
+      getCustomConfig.mockResolvedValue({ mcpServers });
+
+      const functionTools = {
+        [`test-tool${Constants.mcp_delimiter}test-server`]: {
+          function: { name: 'test-tool', description: 'A test tool' },
+        },
+      };
+      getCachedTools.mockResolvedValueOnce(functionTools);
+      getCachedTools.mockResolvedValueOnce({
+        [`test-tool${Constants.mcp_delimiter}test-server`]: true,
+      });
+
+      await getAvailableTools(mockReq, mockRes);
+      const responseData = mockRes.json.mock.calls[0][0];
+      return responseData.find((tool) => tool.name === 'test-tool');
+    };
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      mockReq = { user: { id: 'test-user-id' } };
+      mockRes = { status: jest.fn().mockReturnThis(), json: jest.fn() };
+      mockCache = { get: jest.fn(), set: jest.fn() };
+      getLogStores.mockReturnValue(mockCache);
+    });
+
+    it('should set plugin.icon when iconPath is defined', async () => {
+      const mcpServers = {
+        'test-server': {
+          iconPath: '/path/to/icon.png',
+        },
+      };
+      const testTool = await callGetAvailableToolsWithMCPServer(mcpServers);
+      expect(testTool.icon).toBe('/path/to/icon.png');
+    });
+
+    it('should set plugin.icon to undefined when iconPath is not defined', async () => {
+      const mcpServers = {
+        'test-server': {},
+      };
+      const testTool = await callGetAvailableToolsWithMCPServer(mcpServers);
+      expect(testTool.icon).toBeUndefined();
+    });
+  });
+});
--- a/api/server/controllers/UserController.js
+++ b/api/server/controllers/UserController.js
@@ -1,11 +1,5 @@
-const {
-  Tools,
-  Constants,
-  FileSources,
-  webSearchKeys,
-  extractWebSearchEnvVars,
-} = require('librechat-data-provider');
 const { logger } = require('@librechat/data-schemas');
+const { webSearchKeys, extractWebSearchEnvVars } = require('@librechat/api');
 const {
  getFiles,
  updateUser,
@@ -20,6 +14,7 @@ const { updateUserPluginAuth, deleteUserPluginAuth } = require('~/server/service
 const { updateUserPluginsService, deleteUserKey } = require('~/server/services/UserService');
 const { verifyEmail, resendVerificationEmail } = require('~/server/services/AuthService');
 const { needsRefresh, getNewS3URL } = require('~/server/services/Files/S3/crud');
+const { Tools, Constants, FileSources } = require('librechat-data-provider');
 const { processDeleteRequest } = require('~/server/services/Files/process');
 const { Transaction, Balance, User } = require('~/db/models');
 const { deleteToolCalls } = require('~/models/ToolCall');
@@ -180,14 +175,16 @@ const updateUserPluginsController = async (req, res) => {
        try {
          const mcpManager = getMCPManager(user.id);
          if (mcpManager) {
+            // Extract server name from pluginKey (format: "mcp_<serverName>")
+            const serverName = pluginKey.replace(Constants.mcp_prefix, '');
            logger.info(
-              `[updateUserPluginsController] Disconnecting MCP connections for user ${user.id} after plugin auth update for ${pluginKey}.`,
+              `[updateUserPluginsController] Disconnecting MCP server ${serverName} for user ${user.id} after plugin auth update for ${pluginKey}.`,
            );
-            await mcpManager.disconnectUserConnections(user.id);
+            await mcpManager.disconnectUserConnection(user.id, serverName);
          }
        } catch (disconnectError) {
          logger.error(
-            `[updateUserPluginsController] Error disconnecting MCP connections for user ${user.id} after plugin auth update:`,
+            `[updateUserPluginsController] Error disconnecting MCP connection for user ${user.id} after plugin auth update:`,
            disconnectError,
          );
          // Do not fail the request for this, but log it.
--- a/api/server/controllers/agents/tests/v1.spec.js
+++ b/api/server/controllers/agents/tests/v1.spec.js
@@ -0,0 +1,195 @@
+const { duplicateAgent } = require('../v1');
+const { getAgent, createAgent } = require('~/models/Agent');
+const { getActions } = require('~/models/Action');
+const { nanoid } = require('nanoid');
+
+jest.mock('~/models/Agent');
+jest.mock('~/models/Action');
+jest.mock('nanoid');
+
+describe('duplicateAgent', () => {
+  let req, res;
+
+  beforeEach(() => {
+    req = {
+      params: { id: 'agent_123' },
+      user: { id: 'user_456' },
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    jest.clearAllMocks();
+  });
+
+  it('should duplicate an agent successfully', async () => {
+    const mockAgent = {
+      id: 'agent_123',
+      name: 'Test Agent',
+      description: 'Test Description',
+      instructions: 'Test Instructions',
+      provider: 'openai',
+      model: 'gpt-4',
+      tools: ['file_search'],
+      actions: [],
+      author: 'user_789',
+      versions: [{ name: 'Test Agent', version: 1 }],
+      __v: 0,
+    };
+
+    const mockNewAgent = {
+      id: 'agent_new_123',
+      name: 'Test Agent (1/2/23, 12:34)',
+      description: 'Test Description',
+      instructions: 'Test Instructions',
+      provider: 'openai',
+      model: 'gpt-4',
+      tools: ['file_search'],
+      actions: [],
+      author: 'user_456',
+      versions: [
+        {
+          name: 'Test Agent (1/2/23, 12:34)',
+          description: 'Test Description',
+          instructions: 'Test Instructions',
+          provider: 'openai',
+          model: 'gpt-4',
+          tools: ['file_search'],
+          actions: [],
+          createdAt: new Date(),
+          updatedAt: new Date(),
+        },
+      ],
+    };
+
+    getAgent.mockResolvedValue(mockAgent);
+    getActions.mockResolvedValue([]);
+    nanoid.mockReturnValue('new_123');
+    createAgent.mockResolvedValue(mockNewAgent);
+
+    await duplicateAgent(req, res);
+
+    expect(getAgent).toHaveBeenCalledWith({ id: 'agent_123' });
+    expect(getActions).toHaveBeenCalledWith({ agent_id: 'agent_123' }, true);
+    expect(createAgent).toHaveBeenCalledWith(
+      expect.objectContaining({
+        id: 'agent_new_123',
+        author: 'user_456',
+        name: expect.stringContaining('Test Agent ('),
+        description: 'Test Description',
+        instructions: 'Test Instructions',
+        provider: 'openai',
+        model: 'gpt-4',
+        tools: ['file_search'],
+        actions: [],
+      }),
+    );
+
+    expect(createAgent).toHaveBeenCalledWith(
+      expect.not.objectContaining({
+        versions: expect.anything(),
+        __v: expect.anything(),
+      }),
+    );
+
+    expect(res.status).toHaveBeenCalledWith(201);
+    expect(res.json).toHaveBeenCalledWith({
+      agent: mockNewAgent,
+      actions: [],
+    });
+  });
+
+  it('should ensure duplicated agent has clean versions array without nested fields', async () => {
+    const mockAgent = {
+      id: 'agent_123',
+      name: 'Test Agent',
+      description: 'Test Description',
+      versions: [
+        {
+          name: 'Test Agent',
+          versions: [{ name: 'Nested' }],
+          __v: 1,
+        },
+      ],
+      __v: 2,
+    };
+
+    const mockNewAgent = {
+      id: 'agent_new_123',
+      name: 'Test Agent (1/2/23, 12:34)',
+      description: 'Test Description',
+      versions: [
+        {
+          name: 'Test Agent (1/2/23, 12:34)',
+          description: 'Test Description',
+          createdAt: new Date(),
+          updatedAt: new Date(),
+        },
+      ],
+    };
+
+    getAgent.mockResolvedValue(mockAgent);
+    getActions.mockResolvedValue([]);
+    nanoid.mockReturnValue('new_123');
+    createAgent.mockResolvedValue(mockNewAgent);
+
+    await duplicateAgent(req, res);
+
+    expect(mockNewAgent.versions).toHaveLength(1);
+
+    const firstVersion = mockNewAgent.versions[0];
+    expect(firstVersion).not.toHaveProperty('versions');
+    expect(firstVersion).not.toHaveProperty('__v');
+
+    expect(mockNewAgent).not.toHaveProperty('__v');
+
+    expect(res.status).toHaveBeenCalledWith(201);
+  });
+
+  it('should return 404 if agent not found', async () => {
+    getAgent.mockResolvedValue(null);
+
+    await duplicateAgent(req, res);
+
+    expect(res.status).toHaveBeenCalledWith(404);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Agent not found',
+      status: 'error',
+    });
+  });
+
+  it('should handle tool_resources.ocr correctly', async () => {
+    const mockAgent = {
+      id: 'agent_123',
+      name: 'Test Agent',
+      tool_resources: {
+        ocr: { enabled: true, config: 'test' },
+        other: { should: 'not be copied' },
+      },
+    };
+
+    getAgent.mockResolvedValue(mockAgent);
+    getActions.mockResolvedValue([]);
+    nanoid.mockReturnValue('new_123');
+    createAgent.mockResolvedValue({ id: 'agent_new_123' });
+
+    await duplicateAgent(req, res);
+
+    expect(createAgent).toHaveBeenCalledWith(
+      expect.objectContaining({
+        tool_resources: {
+          ocr: { enabled: true, config: 'test' },
+        },
+      }),
+    );
+  });
+
+  it('should handle errors gracefully', async () => {
+    getAgent.mockRejectedValue(new Error('Database error'));
+
+    await duplicateAgent(req, res);
+
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Database error' });
+  });
+});
--- a/api/server/controllers/agents/client.js
+++ b/api/server/controllers/agents/client.js
@@ -1,19 +1,23 @@
 require('events').EventEmitter.defaultMaxListeners = 100;
 const { logger } = require('@librechat/data-schemas');
+const { DynamicStructuredTool } = require('@langchain/core/tools');
+const { getBufferString, HumanMessage } = require('@langchain/core/messages');
 const {
  sendEvent,
  createRun,
  Tokenizer,
+  checkAccess,
  memoryInstructions,
+  formatContentStrings,
  createMemoryProcessor,
 } = require('@librechat/api');
 const {
  Callback,
  Providers,
  GraphEvents,
+  TitleMethod,
  formatMessage,
  formatAgentMessages,
-  formatContentStrings,
  getTokenCountForMessage,
  createMetadataAggregator,
 } = require('@librechat/agents');
@@ -23,24 +27,26 @@ const {
  VisionModes,
  ContentTypes,
  EModelEndpoint,
-  KnownEndpoints,
  PermissionTypes,
  isAgentsEndpoint,
  AgentCapabilities,
  bedrockInputSchema,
  removeNullishValues,
 } = require('librechat-data-provider');
-const { DynamicStructuredTool } = require('@langchain/core/tools');
-const { getBufferString, HumanMessage } = require('@langchain/core/messages');
-const { createGetMCPAuthMap, checkCapability } = require('~/server/services/Config');
+const {
+  findPluginAuthsByKeys,
+  getFormattedMemories,
+  deleteMemory,
+  setMemory,
+} = require('~/models');
+const { getMCPAuthMap, checkCapability, hasCustomUserVars } = require('~/server/services/Config');
 const { addCacheControl, createContextHandlers } = require('~/app/clients/prompts');
 const { initializeAgent } = require('~/server/services/Endpoints/agents/agent');
 const { spendTokens, spendStructuredTokens } = require('~/models/spendTokens');
-const { getFormattedMemories, deleteMemory, setMemory } = require('~/models');
 const { encodeAndFormat } = require('~/server/services/Files/images/encode');
 const { getProviderConfig } = require('~/server/services/Endpoints');
-const { checkAccess } = require('~/server/middleware/roles/access');
 const BaseClient = require('~/app/clients/BaseClient');
+const { getRoleByName } = require('~/models/Role');
 const { loadAgent } = require('~/models/Agent');
 const { getMCPManager } = require('~/config');

@@ -53,6 +59,7 @@ const omitTitleOptions = new Set([
  'thinkingBudget',
  'includeThoughts',
  'maxOutputTokens',
+  'additionalModelRequestFields',
 ]);

 /**
@@ -64,13 +71,15 @@ const payloadParser = ({ req, agent, endpoint }) => {
  if (isAgentsEndpoint(endpoint)) {
    return { model: undefined };
  } else if (endpoint === EModelEndpoint.bedrock) {
-    return bedrockInputSchema.parse(agent.model_parameters);
+    const parsedValues = bedrockInputSchema.parse(agent.model_parameters);
+    if (parsedValues.thinking == null) {
+      parsedValues.thinking = false;
+    }
+    return parsedValues;
  }
  return req.body.endpointOption.model_parameters;
 };

-const legacyContentEndpoints = new Set([KnownEndpoints.groq, KnownEndpoints.deepseek]);
-
 const noSystemModelRegex = [/\b(o1-preview|o1-mini|amazon\.titan-text)\b/gi];

 function createTokenCounter(encoding) {
@@ -401,7 +410,12 @@ class AgentClient extends BaseClient {
    if (user.personalization?.memories === false) {
      return;
    }
-    const hasAccess = await checkAccess(user, PermissionTypes.MEMORIES, [Permissions.USE]);
+    const hasAccess = await checkAccess({
+      user,
+      permissionType: PermissionTypes.MEMORIES,
+      permissions: [Permissions.USE],
+      getRoleByName,
+    });

    if (!hasAccess) {
      logger.debug(
@@ -446,6 +460,12 @@ class AgentClient extends BaseClient {
      res: this.options.res,
      agent: prelimAgent,
      allowedProviders,
+      endpointOption: {
+        endpoint:
+          prelimAgent.id !== Constants.EPHEMERAL_AGENT_ID
+            ? EModelEndpoint.agents
+            : memoryConfig.agent?.provider,
+      },
    });

    if (!agent) {
@@ -519,7 +539,10 @@ class AgentClient extends BaseClient {
          messagesToProcess = [...messages.slice(-messageWindowSize)];
        }
      }
-      return await this.processMemory(messagesToProcess);
+
+      const bufferString = getBufferString(messagesToProcess);
+      const bufferMessage = new HumanMessage(`# Current Chat:\n\n${bufferString}`);
+      return await this.processMemory([bufferMessage]);
    } catch (error) {
      logger.error('Memory Agent failed to process memory', error);
    }
@@ -691,17 +714,12 @@ class AgentClient extends BaseClient {
        version: 'v2',
      };

-      const getUserMCPAuthMap = await createGetMCPAuthMap();
-
      const toolSet = new Set((this.options.agent.tools ?? []).map((tool) => tool && tool.name));
      let { messages: initialMessages, indexTokenCountMap } = formatAgentMessages(
        payload,
        this.indexTokenCountMap,
        toolSet,
      );
-      if (legacyContentEndpoints.has(this.options.agent.endpoint?.toLowerCase())) {
-        initialMessages = formatContentStrings(initialMessages);
-      }

      /**
       *
@@ -717,6 +735,9 @@ class AgentClient extends BaseClient {
        if (i > 0) {
          this.model = agent.model_parameters.model;
        }
+        if (i > 0 && config.signal == null) {
+          config.signal = abortController.signal;
+        }
        if (agent.recursion_limit && typeof agent.recursion_limit === 'number') {
          config.recursionLimit = agent.recursion_limit;
        }
@@ -765,6 +786,9 @@ class AgentClient extends BaseClient {
        }

        let messages = _messages;
+        if (agent.useLegacyContent === true) {
+          messages = formatContentStrings(messages);
+        }
        if (
          agent.model_parameters?.clientOptions?.defaultHeaders?.['anthropic-beta']?.includes(
            'prompt-caching',
@@ -813,10 +837,11 @@ class AgentClient extends BaseClient {
        }

        try {
-          if (getUserMCPAuthMap) {
-            config.configurable.userMCPAuthMap = await getUserMCPAuthMap({
+          if (await hasCustomUserVars()) {
+            config.configurable.userMCPAuthMap = await getMCPAuthMap({
              tools: agent.tools,
              userId: this.options.req.user.id,
+              findPluginAuthsByKeys,
            });
          }
        } catch (err) {
@@ -992,25 +1017,40 @@ class AgentClient extends BaseClient {
    }
    const { handleLLMEnd, collected: collectedMetadata } = createMetadataAggregator();
    const { req, res, agent } = this.options;
-    const endpoint = agent.endpoint;
+    let endpoint = agent.endpoint;

    /** @type {import('@librechat/agents').ClientOptions} */
    let clientOptions = {
      maxTokens: 75,
-      model: agent.model_parameters.model,
+      model: agent.model || agent.model_parameters.model,
    };

-    const { getOptions, overrideProvider, customEndpointConfig } =
-      await getProviderConfig(endpoint);
+    let titleProviderConfig = await getProviderConfig(endpoint);

    /** @type {TEndpoint | undefined} */
-    const endpointConfig = req.app.locals[endpoint] ?? customEndpointConfig;
+    const endpointConfig =
+      req.app.locals.all ?? req.app.locals[endpoint] ?? titleProviderConfig.customEndpointConfig;
    if (!endpointConfig) {
      logger.warn(
        '[api/server/controllers/agents/client.js #titleConvo] Error getting endpoint config',
      );
    }

+    if (endpointConfig?.titleEndpoint && endpointConfig.titleEndpoint !== endpoint) {
+      try {
+        titleProviderConfig = await getProviderConfig(endpointConfig.titleEndpoint);
+        endpoint = endpointConfig.titleEndpoint;
+      } catch (error) {
+        logger.warn(
+          `[api/server/controllers/agents/client.js #titleConvo] Error getting title endpoint config for ${endpointConfig.titleEndpoint}, falling back to default`,
+          error,
+        );
+        // Fall back to original provider config
+        endpoint = agent.endpoint;
+        titleProviderConfig = await getProviderConfig(endpoint);
+      }
+    }
+
    if (
      endpointConfig &&
      endpointConfig.titleModel &&
@@ -1019,7 +1059,7 @@ class AgentClient extends BaseClient {
      clientOptions.model = endpointConfig.titleModel;
    }

-    const options = await getOptions({
+    const options = await titleProviderConfig.getOptions({
      req,
      res,
      optionsOnly: true,
@@ -1028,12 +1068,18 @@ class AgentClient extends BaseClient {
      endpointOption: { model_parameters: clientOptions },
    });

-    let provider = options.provider ?? overrideProvider ?? agent.provider;
+    let provider = options.provider ?? titleProviderConfig.overrideProvider ?? agent.provider;
    if (
      endpoint === EModelEndpoint.azureOpenAI &&
      options.llmConfig?.azureOpenAIApiInstanceName == null
    ) {
      provider = Providers.OPENAI;
+    } else if (
+      endpoint === EModelEndpoint.azureOpenAI &&
+      options.llmConfig?.azureOpenAIApiInstanceName != null &&
+      provider !== Providers.AZURE
+    ) {
+      provider = Providers.AZURE;
    }

    /** @type {import('@librechat/agents').ClientOptions} */
@@ -1055,16 +1101,23 @@ class AgentClient extends BaseClient {
      ),
    );

-    if (provider === Providers.GOOGLE) {
+    if (
+      provider === Providers.GOOGLE &&
+      (endpointConfig?.titleMethod === TitleMethod.FUNCTIONS ||
+        endpointConfig?.titleMethod === TitleMethod.STRUCTURED)
+    ) {
      clientOptions.json = true;
    }

    try {
      const titleResult = await this.run.generateTitle({
        provider,
+        clientOptions,
        inputText: text,
        contentParts: this.contentParts,
-        clientOptions,
+        titleMethod: endpointConfig?.titleMethod,
+        titlePrompt: endpointConfig?.titlePrompt,
+        titlePromptTemplate: endpointConfig?.titlePromptTemplate,
        chainOptions: {
          signal: abortController.signal,
          callbacks: [
@@ -1112,8 +1165,52 @@ class AgentClient extends BaseClient {
    }
  }

-  /** Silent method, as `recordCollectedUsage` is used instead */
-  async recordTokenUsage() {}
+  /**
+   * @param {object} params
+   * @param {number} params.promptTokens
+   * @param {number} params.completionTokens
+   * @param {OpenAIUsageMetadata} [params.usage]
+   * @param {string} [params.model]
+   * @param {string} [params.context='message']
+   * @returns {Promise<void>}
+   */
+  async recordTokenUsage({ model, promptTokens, completionTokens, usage, context = 'message' }) {
+    try {
+      await spendTokens(
+        {
+          model,
+          context,
+          conversationId: this.conversationId,
+          user: this.user ?? this.options.req.user?.id,
+          endpointTokenConfig: this.options.endpointTokenConfig,
+        },
+        { promptTokens, completionTokens },
+      );
+
+      if (
+        usage &&
+        typeof usage === 'object' &&
+        'reasoning_tokens' in usage &&
+        typeof usage.reasoning_tokens === 'number'
+      ) {
+        await spendTokens(
+          {
+            model,
+            context: 'reasoning',
+            conversationId: this.conversationId,
+            user: this.user ?? this.options.req.user?.id,
+            endpointTokenConfig: this.options.endpointTokenConfig,
+          },
+          { completionTokens: usage.reasoning_tokens },
+        );
+      }
+    } catch (error) {
+      logger.error(
+        '[api/server/controllers/agents/client.js #recordTokenUsage] Error recording token usage',
+        error,
+      );
+    }
+  }

  getEncoding() {
    return 'o200k_base';
--- a/api/server/controllers/agents/client.test.js
+++ b/api/server/controllers/agents/client.test.js
@@ -0,0 +1,730 @@
+const { Providers } = require('@librechat/agents');
+const { Constants, EModelEndpoint } = require('librechat-data-provider');
+const AgentClient = require('./client');
+
+jest.mock('@librechat/agents', () => ({
+  ...jest.requireActual('@librechat/agents'),
+  createMetadataAggregator: () => ({
+    handleLLMEnd: jest.fn(),
+    collected: [],
+  }),
+}));
+
+describe('AgentClient - titleConvo', () => {
+  let client;
+  let mockRun;
+  let mockReq;
+  let mockRes;
+  let mockAgent;
+  let mockOptions;
+
+  beforeEach(() => {
+    // Reset all mocks
+    jest.clearAllMocks();
+
+    // Mock run object
+    mockRun = {
+      generateTitle: jest.fn().mockResolvedValue({
+        title: 'Generated Title',
+      }),
+    };
+
+    // Mock agent - with both endpoint and provider
+    mockAgent = {
+      id: 'agent-123',
+      endpoint: EModelEndpoint.openAI, // Use a valid provider as endpoint for getProviderConfig
+      provider: EModelEndpoint.openAI, // Add provider property
+      model_parameters: {
+        model: 'gpt-4',
+      },
+    };
+
+    // Mock request and response
+    mockReq = {
+      app: {
+        locals: {
+          [EModelEndpoint.openAI]: {
+            // Match the agent endpoint
+            titleModel: 'gpt-3.5-turbo',
+            titlePrompt: 'Custom title prompt',
+            titleMethod: 'structured',
+            titlePromptTemplate: 'Template: {{content}}',
+          },
+        },
+      },
+      user: {
+        id: 'user-123',
+      },
+      body: {
+        model: 'gpt-4',
+        endpoint: EModelEndpoint.openAI,
+        key: null,
+      },
+    };
+
+    mockRes = {};
+
+    // Mock options
+    mockOptions = {
+      req: mockReq,
+      res: mockRes,
+      agent: mockAgent,
+      endpointTokenConfig: {},
+    };
+
+    // Create client instance
+    client = new AgentClient(mockOptions);
+    client.run = mockRun;
+    client.responseMessageId = 'response-123';
+    client.conversationId = 'convo-123';
+    client.contentParts = [{ type: 'text', text: 'Test content' }];
+    client.recordCollectedUsage = jest.fn().mockResolvedValue(); // Mock as async function that resolves
+  });
+
+  describe('titleConvo method', () => {
+    it('should throw error if run is not initialized', async () => {
+      client.run = null;
+
+      await expect(
+        client.titleConvo({ text: 'Test', abortController: new AbortController() }),
+      ).rejects.toThrow('Run not initialized');
+    });
+
+    it('should use titlePrompt from endpoint config', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titlePrompt: 'Custom title prompt',
+        }),
+      );
+    });
+
+    it('should use titlePromptTemplate from endpoint config', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titlePromptTemplate: 'Template: {{content}}',
+        }),
+      );
+    });
+
+    it('should use titleMethod from endpoint config', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          provider: Providers.OPENAI,
+          titleMethod: 'structured',
+        }),
+      );
+    });
+
+    it('should use titleModel from endpoint config when provided', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Check that generateTitle was called with correct clientOptions
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-3.5-turbo');
+    });
+
+    it('should handle missing endpoint config gracefully', async () => {
+      // Remove endpoint config
+      mockReq.app.locals[EModelEndpoint.openAI] = undefined;
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titlePrompt: undefined,
+          titlePromptTemplate: undefined,
+          titleMethod: undefined,
+        }),
+      );
+    });
+
+    it('should use agent model when titleModel is not provided', async () => {
+      // Remove titleModel from config
+      delete mockReq.app.locals[EModelEndpoint.openAI].titleModel;
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-4'); // Should use agent's model
+    });
+
+    it('should not use titleModel when it equals CURRENT_MODEL constant', async () => {
+      mockReq.app.locals[EModelEndpoint.openAI].titleModel = Constants.CURRENT_MODEL;
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-4'); // Should use agent's model
+    });
+
+    it('should pass all required parameters to generateTitle', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(mockRun.generateTitle).toHaveBeenCalledWith({
+        provider: expect.any(String),
+        inputText: text,
+        contentParts: client.contentParts,
+        clientOptions: expect.objectContaining({
+          model: 'gpt-3.5-turbo',
+        }),
+        titlePrompt: 'Custom title prompt',
+        titlePromptTemplate: 'Template: {{content}}',
+        titleMethod: 'structured',
+        chainOptions: expect.objectContaining({
+          signal: abortController.signal,
+        }),
+      });
+    });
+
+    it('should record collected usage after title generation', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      expect(client.recordCollectedUsage).toHaveBeenCalledWith({
+        model: 'gpt-3.5-turbo',
+        context: 'title',
+        collectedUsage: expect.any(Array),
+      });
+    });
+
+    it('should return the generated title', async () => {
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      const result = await client.titleConvo({ text, abortController });
+
+      expect(result).toBe('Generated Title');
+    });
+
+    it('should handle errors gracefully and return undefined', async () => {
+      mockRun.generateTitle.mockRejectedValue(new Error('Title generation failed'));
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      const result = await client.titleConvo({ text, abortController });
+
+      expect(result).toBeUndefined();
+    });
+
+    it('should pass titleEndpoint configuration to generateTitle', async () => {
+      // Mock the API key just for this test
+      const originalApiKey = process.env.ANTHROPIC_API_KEY;
+      process.env.ANTHROPIC_API_KEY = 'test-api-key';
+
+      // Add titleEndpoint to the config
+      mockReq.app.locals[EModelEndpoint.openAI].titleEndpoint = EModelEndpoint.anthropic;
+      mockReq.app.locals[EModelEndpoint.openAI].titleMethod = 'structured';
+      mockReq.app.locals[EModelEndpoint.openAI].titlePrompt = 'Custom title prompt';
+      mockReq.app.locals[EModelEndpoint.openAI].titlePromptTemplate = 'Custom template';
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Verify generateTitle was called with the custom configuration
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titleMethod: 'structured',
+          provider: Providers.ANTHROPIC,
+          titlePrompt: 'Custom title prompt',
+          titlePromptTemplate: 'Custom template',
+        }),
+      );
+
+      // Restore the original API key
+      if (originalApiKey) {
+        process.env.ANTHROPIC_API_KEY = originalApiKey;
+      } else {
+        delete process.env.ANTHROPIC_API_KEY;
+      }
+    });
+
+    it('should use all config when endpoint config is missing', async () => {
+      // Remove endpoint-specific config
+      delete mockReq.app.locals[EModelEndpoint.openAI].titleModel;
+      delete mockReq.app.locals[EModelEndpoint.openAI].titlePrompt;
+      delete mockReq.app.locals[EModelEndpoint.openAI].titleMethod;
+      delete mockReq.app.locals[EModelEndpoint.openAI].titlePromptTemplate;
+
+      // Set 'all' config
+      mockReq.app.locals.all = {
+        titleModel: 'gpt-4o-mini',
+        titlePrompt: 'All config title prompt',
+        titleMethod: 'completion',
+        titlePromptTemplate: 'All config template: {{content}}',
+      };
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Verify generateTitle was called with 'all' config values
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titleMethod: 'completion',
+          titlePrompt: 'All config title prompt',
+          titlePromptTemplate: 'All config template: {{content}}',
+        }),
+      );
+
+      // Check that the model was set from 'all' config
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-4o-mini');
+    });
+
+    it('should prioritize all config over endpoint config for title settings', async () => {
+      // Set both endpoint and 'all' config
+      mockReq.app.locals[EModelEndpoint.openAI].titleModel = 'gpt-3.5-turbo';
+      mockReq.app.locals[EModelEndpoint.openAI].titlePrompt = 'Endpoint title prompt';
+      mockReq.app.locals[EModelEndpoint.openAI].titleMethod = 'structured';
+      // Remove titlePromptTemplate from endpoint config to test fallback
+      delete mockReq.app.locals[EModelEndpoint.openAI].titlePromptTemplate;
+
+      mockReq.app.locals.all = {
+        titleModel: 'gpt-4o-mini',
+        titlePrompt: 'All config title prompt',
+        titleMethod: 'completion',
+        titlePromptTemplate: 'All config template',
+      };
+
+      const text = 'Test conversation text';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Verify 'all' config takes precedence over endpoint config
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          titleMethod: 'completion',
+          titlePrompt: 'All config title prompt',
+          titlePromptTemplate: 'All config template',
+        }),
+      );
+
+      // Check that the model was set from 'all' config
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('gpt-4o-mini');
+    });
+
+    it('should use all config with titleEndpoint and verify provider switch', async () => {
+      // Mock the API key for the titleEndpoint provider
+      const originalApiKey = process.env.ANTHROPIC_API_KEY;
+      process.env.ANTHROPIC_API_KEY = 'test-anthropic-key';
+
+      // Remove endpoint-specific config to test 'all' config
+      delete mockReq.app.locals[EModelEndpoint.openAI];
+
+      // Set comprehensive 'all' config with all new title options
+      mockReq.app.locals.all = {
+        titleConvo: true,
+        titleModel: 'claude-3-haiku-20240307',
+        titleMethod: 'completion', // Testing the new default method
+        titlePrompt: 'Generate a concise, descriptive title for this conversation',
+        titlePromptTemplate: 'Conversation summary: {{content}}',
+        titleEndpoint: EModelEndpoint.anthropic, // Should switch provider to Anthropic
+      };
+
+      const text = 'Test conversation about AI and machine learning';
+      const abortController = new AbortController();
+
+      await client.titleConvo({ text, abortController });
+
+      // Verify all config values were used
+      expect(mockRun.generateTitle).toHaveBeenCalledWith(
+        expect.objectContaining({
+          provider: Providers.ANTHROPIC, // Critical: Verify provider switched to Anthropic
+          titleMethod: 'completion',
+          titlePrompt: 'Generate a concise, descriptive title for this conversation',
+          titlePromptTemplate: 'Conversation summary: {{content}}',
+          inputText: text,
+          contentParts: client.contentParts,
+        }),
+      );
+
+      // Verify the model was set from 'all' config
+      const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+      expect(generateTitleCall.clientOptions.model).toBe('claude-3-haiku-20240307');
+
+      // Verify other client options are set correctly
+      expect(generateTitleCall.clientOptions).toMatchObject({
+        model: 'claude-3-haiku-20240307',
+        // Note: Anthropic's getOptions may set its own maxTokens value
+      });
+
+      // Restore the original API key
+      if (originalApiKey) {
+        process.env.ANTHROPIC_API_KEY = originalApiKey;
+      } else {
+        delete process.env.ANTHROPIC_API_KEY;
+      }
+    });
+
+    it('should test all titleMethod options from all config', async () => {
+      // Test each titleMethod: 'completion', 'functions', 'structured'
+      const titleMethods = ['completion', 'functions', 'structured'];
+
+      for (const method of titleMethods) {
+        // Clear previous calls
+        mockRun.generateTitle.mockClear();
+
+        // Remove endpoint config
+        delete mockReq.app.locals[EModelEndpoint.openAI];
+
+        // Set 'all' config with specific titleMethod
+        mockReq.app.locals.all = {
+          titleModel: 'gpt-4o-mini',
+          titleMethod: method,
+          titlePrompt: `Testing ${method} method`,
+          titlePromptTemplate: `Template for ${method}: {{content}}`,
+        };
+
+        const text = `Test conversation for ${method} method`;
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify the correct titleMethod was used
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            titleMethod: method,
+            titlePrompt: `Testing ${method} method`,
+            titlePromptTemplate: `Template for ${method}: {{content}}`,
+          }),
+        );
+      }
+    });
+
+    describe('Azure-specific title generation', () => {
+      let originalEnv;
+
+      beforeEach(() => {
+        // Reset mocks
+        jest.clearAllMocks();
+
+        // Save original environment variables
+        originalEnv = { ...process.env };
+
+        // Mock Azure API keys
+        process.env.AZURE_OPENAI_API_KEY = 'test-azure-key';
+        process.env.AZURE_API_KEY = 'test-azure-key';
+        process.env.EASTUS_API_KEY = 'test-eastus-key';
+        process.env.EASTUS2_API_KEY = 'test-eastus2-key';
+      });
+
+      afterEach(() => {
+        // Restore environment variables
+        process.env = originalEnv;
+      });
+
+      it('should use OPENAI provider for Azure serverless endpoints', async () => {
+        // Set up Azure endpoint with serverless config
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
+          titleConvo: true,
+          titleModel: 'grok-3',
+          titleMethod: 'completion',
+          titlePrompt: 'Azure serverless title prompt',
+          streamRate: 35,
+          modelGroupMap: {
+            'grok-3': {
+              group: 'Azure AI Foundry',
+              deploymentName: 'grok-3',
+            },
+          },
+          groupMap: {
+            'Azure AI Foundry': {
+              apiKey: '${AZURE_API_KEY}',
+              baseURL: 'https://test.services.ai.azure.com/models',
+              version: '2024-05-01-preview',
+              serverless: true,
+              models: {
+                'grok-3': {
+                  deploymentName: 'grok-3',
+                },
+              },
+            },
+          },
+        };
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'grok-3';
+
+        const text = 'Test Azure serverless conversation';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify provider was switched to OPENAI for serverless
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            provider: Providers.OPENAI, // Should be OPENAI for serverless
+            titleMethod: 'completion',
+            titlePrompt: 'Azure serverless title prompt',
+          }),
+        );
+      });
+
+      it('should use AZURE provider for Azure endpoints with instanceName', async () => {
+        // Set up Azure endpoint
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
+          titleConvo: true,
+          titleModel: 'gpt-4o',
+          titleMethod: 'structured',
+          titlePrompt: 'Azure instance title prompt',
+          streamRate: 35,
+          modelGroupMap: {
+            'gpt-4o': {
+              group: 'eastus',
+              deploymentName: 'gpt-4o',
+            },
+          },
+          groupMap: {
+            eastus: {
+              apiKey: '${EASTUS_API_KEY}',
+              instanceName: 'region-instance',
+              version: '2024-02-15-preview',
+              models: {
+                'gpt-4o': {
+                  deploymentName: 'gpt-4o',
+                },
+              },
+            },
+          },
+        };
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'gpt-4o';
+
+        const text = 'Test Azure instance conversation';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify provider remains AZURE with instanceName
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            provider: Providers.AZURE,
+            titleMethod: 'structured',
+            titlePrompt: 'Azure instance title prompt',
+          }),
+        );
+      });
+
+      it('should handle Azure titleModel with CURRENT_MODEL constant', async () => {
+        // Set up Azure endpoint
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockAgent.model_parameters.model = 'gpt-4o-latest';
+        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
+          titleConvo: true,
+          titleModel: Constants.CURRENT_MODEL,
+          titleMethod: 'functions',
+          streamRate: 35,
+          modelGroupMap: {
+            'gpt-4o-latest': {
+              group: 'region-eastus',
+              deploymentName: 'gpt-4o-mini',
+              version: '2024-02-15-preview',
+            },
+          },
+          groupMap: {
+            'region-eastus': {
+              apiKey: '${EASTUS2_API_KEY}',
+              instanceName: 'test-instance',
+              version: '2024-12-01-preview',
+              models: {
+                'gpt-4o-latest': {
+                  deploymentName: 'gpt-4o-mini',
+                  version: '2024-02-15-preview',
+                },
+              },
+            },
+          },
+        };
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'gpt-4o-latest';
+
+        const text = 'Test Azure current model';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify it uses the correct model when titleModel is CURRENT_MODEL
+        const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+        // When CURRENT_MODEL is used with Azure, the model gets mapped to the deployment name
+        // In this case, 'gpt-4o-latest' is mapped to 'gpt-4o-mini' deployment
+        expect(generateTitleCall.clientOptions.model).toBe('gpt-4o-mini');
+        // Also verify that CURRENT_MODEL constant was not passed as the model
+        expect(generateTitleCall.clientOptions.model).not.toBe(Constants.CURRENT_MODEL);
+      });
+
+      it('should handle Azure with multiple model groups', async () => {
+        // Set up Azure endpoint
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockReq.app.locals[EModelEndpoint.azureOpenAI] = {
+          titleConvo: true,
+          titleModel: 'o1-mini',
+          titleMethod: 'completion',
+          streamRate: 35,
+          modelGroupMap: {
+            'gpt-4o': {
+              group: 'eastus',
+              deploymentName: 'gpt-4o',
+            },
+            'o1-mini': {
+              group: 'region-eastus',
+              deploymentName: 'o1-mini',
+            },
+            'codex-mini': {
+              group: 'codex-mini',
+              deploymentName: 'codex-mini',
+            },
+          },
+          groupMap: {
+            eastus: {
+              apiKey: '${EASTUS_API_KEY}',
+              instanceName: 'region-eastus',
+              version: '2024-02-15-preview',
+              models: {
+                'gpt-4o': {
+                  deploymentName: 'gpt-4o',
+                },
+              },
+            },
+            'region-eastus': {
+              apiKey: '${EASTUS2_API_KEY}',
+              instanceName: 'region-eastus2',
+              version: '2024-12-01-preview',
+              models: {
+                'o1-mini': {
+                  deploymentName: 'o1-mini',
+                },
+              },
+            },
+            'codex-mini': {
+              apiKey: '${AZURE_API_KEY}',
+              baseURL: 'https://example.cognitiveservices.azure.com/openai/',
+              version: '2025-04-01-preview',
+              serverless: true,
+              models: {
+                'codex-mini': {
+                  deploymentName: 'codex-mini',
+                },
+              },
+            },
+          },
+        };
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'o1-mini';
+
+        const text = 'Test Azure multi-group conversation';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify correct model and provider are used
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            provider: Providers.AZURE,
+            titleMethod: 'completion',
+          }),
+        );
+
+        const generateTitleCall = mockRun.generateTitle.mock.calls[0][0];
+        expect(generateTitleCall.clientOptions.model).toBe('o1-mini');
+        expect(generateTitleCall.clientOptions.maxTokens).toBeUndefined(); // o1 models shouldn't have maxTokens
+      });
+
+      it('should use all config as fallback for Azure endpoints', async () => {
+        // Set up Azure endpoint with minimal config
+        mockAgent.endpoint = EModelEndpoint.azureOpenAI;
+        mockAgent.provider = EModelEndpoint.azureOpenAI;
+        mockReq.body.endpoint = EModelEndpoint.azureOpenAI;
+        mockReq.body.model = 'gpt-4';
+
+        // Remove Azure-specific config
+        delete mockReq.app.locals[EModelEndpoint.azureOpenAI];
+
+        // Set 'all' config as fallback with a serverless Azure config
+        mockReq.app.locals.all = {
+          titleConvo: true,
+          titleModel: 'gpt-4',
+          titleMethod: 'structured',
+          titlePrompt: 'Fallback title prompt from all config',
+          titlePromptTemplate: 'Template: {{content}}',
+          modelGroupMap: {
+            'gpt-4': {
+              group: 'default-group',
+              deploymentName: 'gpt-4',
+            },
+          },
+          groupMap: {
+            'default-group': {
+              apiKey: '${AZURE_API_KEY}',
+              baseURL: 'https://default.openai.azure.com/',
+              version: '2024-02-15-preview',
+              serverless: true,
+              models: {
+                'gpt-4': {
+                  deploymentName: 'gpt-4',
+                },
+              },
+            },
+          },
+        };
+
+        const text = 'Test Azure with all config fallback';
+        const abortController = new AbortController();
+
+        await client.titleConvo({ text, abortController });
+
+        // Verify all config is used
+        expect(mockRun.generateTitle).toHaveBeenCalledWith(
+          expect.objectContaining({
+            provider: Providers.OPENAI, // Should be OPENAI when no instanceName
+            titleMethod: 'structured',
+            titlePrompt: 'Fallback title prompt from all config',
+            titlePromptTemplate: 'Template: {{content}}',
+          }),
+        );
+      });
+    });
+  });
+});
--- a/api/server/controllers/agents/request.js
+++ b/api/server/controllers/agents/request.js
@@ -12,10 +12,14 @@ const { saveMessage } = require('~/models');
 const AgentController = async (req, res, next, initializeClient, addTitle) => {
  let {
    text,
+    isRegenerate,
    endpointOption,
    conversationId,
+    isContinued = false,
+    editedContent = null,
    parentMessageId = null,
    overrideParentMessageId = null,
+    responseMessageId: editedResponseMessageId = null,
  } = req.body;

  let sender;
@@ -67,7 +71,7 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
            handler();
          }
        } catch (e) {
-          // Ignore cleanup errors
+          logger.error('[AgentController] Error in cleanup handler', e);
        }
      }
    }
@@ -155,7 +159,7 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
      try {
        res.removeListener('close', closeHandler);
      } catch (e) {
-        // Ignore
+        logger.error('[AgentController] Error removing close listener', e);
      }
    });

@@ -163,10 +167,15 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
      user: userId,
      onStart,
      getReqData,
+      isContinued,
+      isRegenerate,
+      editedContent,
      conversationId,
      parentMessageId,
      abortController,
      overrideParentMessageId,
+      isEdited: !!editedContent,
+      responseMessageId: editedResponseMessageId,
      progressOptions: {
        res,
      },
--- a/api/server/controllers/agents/v1.js
+++ b/api/server/controllers/agents/v1.js
@@ -1,35 +1,44 @@
+const { z } = require('zod');
 const fs = require('fs').promises;
 const { nanoid } = require('nanoid');
-const { logger } = require('@librechat/data-schemas');
+const { logger, PermissionBits } = require('@librechat/data-schemas');
+const { agentCreateSchema, agentUpdateSchema } = require('@librechat/api');
 const {
  Tools,
-  Constants,
-  FileSources,
  SystemRoles,
+  FileSources,
  EToolResources,
  actionDelimiter,
+  removeNullishValues,
 } = require('librechat-data-provider');
 const {
  getAgent,
  createAgent,
  updateAgent,
  deleteAgent,
-  getListAgents,
+  getListAgentsByAccess,
+  countPromotedAgents,
+  revertAgentVersion,
 } = require('~/models/Agent');
+const {
+  grantPermission,
+  findAccessibleResources,
+  findPubliclyAccessibleResources,
+  hasPublicPermission,
+} = require('~/server/services/PermissionService');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { resizeAvatar } = require('~/server/services/Files/images/avatar');
 const { refreshS3Url } = require('~/server/services/Files/S3/crud');
 const { filterFile } = require('~/server/services/Files/process');
 const { updateAction, getActions } = require('~/models/Action');
 const { getCachedTools } = require('~/server/services/Config');
-const { updateAgentProjects } = require('~/models/Agent');
-const { getProjectByName } = require('~/models/Project');
-const { revertAgentVersion } = require('~/models/Agent');
 const { deleteFileByFilter } = require('~/models/File');
+const { getCategoriesWithCounts } = require('~/models');

 const systemTools = {
  [Tools.execute_code]: true,
  [Tools.file_search]: true,
+  [Tools.web_search]: true,
 };

 /**
@@ -42,9 +51,13 @@ const systemTools = {
 */
 const createAgentHandler = async (req, res) => {
  try {
-    const { tools = [], provider, name, description, instructions, model, ...agentData } = req.body;
+    const validatedData = agentCreateSchema.parse(req.body);
+    const { tools = [], ...agentData } = removeNullishValues(validatedData);
+
    const { id: userId } = req.user;

+    agentData.id = `agent_${nanoid()}`;
+    agentData.author = userId;
    agentData.tools = [];

    const availableTools = await getCachedTools({ includeGlobal: true });
@@ -58,19 +71,34 @@ const createAgentHandler = async (req, res) => {
      }
    }

-    Object.assign(agentData, {
-      author: userId,
-      name,
-      description,
-      instructions,
-      provider,
-      model,
-    });
-
-    agentData.id = `agent_${nanoid()}`;
    const agent = await createAgent(agentData);
+
+    // Automatically grant owner permissions to the creator
+    try {
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_owner',
+        grantedBy: userId,
+      });
+      logger.debug(
+        `[createAgent] Granted owner permissions to user ${userId} for agent ${agent.id}`,
+      );
+    } catch (permissionError) {
+      logger.error(
+        `[createAgent] Failed to grant owner permissions for agent ${agent.id}:`,
+        permissionError,
+      );
+    }
+
    res.status(201).json(agent);
  } catch (error) {
+    if (error instanceof z.ZodError) {
+      logger.error('[/Agents] Validation error', error.errors);
+      return res.status(400).json({ error: 'Invalid request data', details: error.errors });
+    }
    logger.error('[/Agents] Error creating agent', error);
    res.status(500).json({ error: error.message });
  }
@@ -87,21 +115,14 @@ const createAgentHandler = async (req, res) => {
 * @returns {Promise<Agent>} 200 - success response - application/json
 * @returns {Error} 404 - Agent not found
 */
-const getAgentHandler = async (req, res) => {
+const getAgentHandler = async (req, res, expandProperties = false) => {
  try {
    const id = req.params.id;
    const author = req.user.id;

-    let query = { id, author };
-
-    const globalProject = await getProjectByName(Constants.GLOBAL_PROJECT_NAME, ['agentIds']);
-    if (globalProject && (globalProject.agentIds?.length ?? 0) > 0) {
-      query = {
-        $or: [{ id, $in: globalProject.agentIds }, query],
-      };
-    }
-
-    const agent = await getAgent(query);
+    // Permissions are validated by middleware before calling this function
+    // Simply load the agent by ID
+    const agent = await getAgent({ id });

    if (!agent) {
      return res.status(404).json({ error: 'Agent not found' });
@@ -118,23 +139,45 @@ const getAgentHandler = async (req, res) => {
    }

    agent.author = agent.author.toString();
+
+    // @deprecated - isCollaborative replaced by ACL permissions
    agent.isCollaborative = !!agent.isCollaborative;

+    // Check if agent is public
+    const isPublic = await hasPublicPermission({
+      resourceType: 'agent',
+      resourceId: agent._id,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+    agent.isPublic = isPublic;
+
    if (agent.author !== author) {
      delete agent.author;
    }

-    if (!agent.isCollaborative && agent.author !== author && req.user.role !== SystemRoles.ADMIN) {
+    if (!expandProperties) {
+      // VIEW permission: Basic agent info only
      return res.status(200).json({
+        _id: agent._id,
        id: agent.id,
        name: agent.name,
+        description: agent.description,
        avatar: agent.avatar,
        author: agent.author,
+        provider: agent.provider,
+        model: agent.model,
        projectIds: agent.projectIds,
+        // @deprecated - isCollaborative replaced by ACL permissions
        isCollaborative: agent.isCollaborative,
+        isPublic: agent.isPublic,
        version: agent.version,
+        // Safe metadata
+        createdAt: agent.createdAt,
+        updatedAt: agent.updatedAt,
      });
    }
+
+    // EDIT permission: Full agent details including sensitive configuration
    return res.status(200).json(agent);
  } catch (error) {
    logger.error('[/Agents/:id] Error retrieving agent', error);
@@ -154,42 +197,21 @@ const getAgentHandler = async (req, res) => {
 const updateAgentHandler = async (req, res) => {
  try {
    const id = req.params.id;
-    const { projectIds, removeProjectIds, ...updateData } = req.body;
-    const isAdmin = req.user.role === SystemRoles.ADMIN;
+    const validatedData = agentUpdateSchema.parse(req.body);
+    const { _id, ...updateData } = removeNullishValues(validatedData);
    const existingAgent = await getAgent({ id });
-    const isAuthor = existingAgent.author.toString() === req.user.id;

    if (!existingAgent) {
      return res.status(404).json({ error: 'Agent not found' });
    }
-    const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
-
-    if (!hasEditPermission) {
-      return res.status(403).json({
-        error: 'You do not have permission to modify this non-collaborative agent',
-      });
-    }
-
-    /** @type {boolean} */
-    const isProjectUpdate = (projectIds?.length ?? 0) > 0 || (removeProjectIds?.length ?? 0) > 0;

    let updatedAgent =
      Object.keys(updateData).length > 0
        ? await updateAgent({ id }, updateData, {
            updatingUserId: req.user.id,
-            skipVersioning: isProjectUpdate,
          })
        : existingAgent;

-    if (isProjectUpdate) {
-      updatedAgent = await updateAgentProjects({
-        user: req.user,
-        agentId: id,
-        projectIds,
-        removeProjectIds,
-      });
-    }
-
    if (updatedAgent.author) {
      updatedAgent.author = updatedAgent.author.toString();
    }
@@ -200,6 +222,11 @@ const updateAgentHandler = async (req, res) => {

    return res.json(updatedAgent);
  } catch (error) {
+    if (error instanceof z.ZodError) {
+      logger.error('[/Agents/:id] Validation error', error.errors);
+      return res.status(400).json({ error: 'Invalid request data', details: error.errors });
+    }
+
    logger.error('[/Agents/:id] Error updating Agent', error);

    if (error.statusCode === 409) {
@@ -242,6 +269,8 @@ const duplicateAgentHandler = async (req, res) => {
      createdAt: _createdAt,
      updatedAt: _updatedAt,
      tool_resources: _tool_resources = {},
+      versions: _versions,
+      __v: _v,
      ...cloneData
    } = agent;
    cloneData.name = `${agent.name} (${new Date().toLocaleString('en-US', {
@@ -307,6 +336,26 @@ const duplicateAgentHandler = async (req, res) => {
    newAgentData.actions = agentActions;
    const newAgent = await createAgent(newAgentData);

+    // Automatically grant owner permissions to the duplicator
+    try {
+      await grantPermission({
+        principalType: 'user',
+        principalId: userId,
+        resourceType: 'agent',
+        resourceId: newAgent._id,
+        accessRoleId: 'agent_owner',
+        grantedBy: userId,
+      });
+      logger.debug(
+        `[duplicateAgent] Granted owner permissions to user ${userId} for duplicated agent ${newAgent.id}`,
+      );
+    } catch (permissionError) {
+      logger.error(
+        `[duplicateAgent] Failed to grant owner permissions for duplicated agent ${newAgent.id}:`,
+        permissionError,
+      );
+    }
+
    return res.status(201).json({
      agent: newAgent,
      actions: newActionsList,
@@ -333,7 +382,7 @@ const deleteAgentHandler = async (req, res) => {
    if (!agent) {
      return res.status(404).json({ error: 'Agent not found' });
    }
-    await deleteAgent({ id, author: req.user.id });
+    await deleteAgent({ id });
    return res.json({ message: 'Agent deleted' });
  } catch (error) {
    logger.error('[/Agents/:id] Error deleting Agent', error);
@@ -342,7 +391,7 @@ const deleteAgentHandler = async (req, res) => {
 };

 /**
- *
+ * Lists agents using ACL-aware permissions (ownership + explicit shares).
 * @route GET /Agents
 * @param {object} req - Express Request
 * @param {object} req.query - Request query
@@ -351,9 +400,64 @@ const deleteAgentHandler = async (req, res) => {
 */
 const getListAgentsHandler = async (req, res) => {
  try {
-    const data = await getListAgents({
-      author: req.user.id,
+    const userId = req.user.id;
+    const { category, search, limit, cursor, promoted } = req.query;
+    let requiredPermission = req.query.requiredPermission;
+    if (typeof requiredPermission === 'string') {
+      requiredPermission = parseInt(requiredPermission, 10);
+      if (isNaN(requiredPermission)) {
+        requiredPermission = PermissionBits.VIEW;
+      }
+    } else if (typeof requiredPermission !== 'number') {
+      requiredPermission = PermissionBits.VIEW;
+    }
+    // Base filter
+    const filter = {};
+
+    // Handle category filter - only apply if category is defined
+    if (category !== undefined && category.trim() !== '') {
+      filter.category = category;
+    }
+
+    // Handle promoted filter - only from query param
+    if (promoted === '1') {
+      filter.is_promoted = true;
+    } else if (promoted === '0') {
+      filter.is_promoted = { $ne: true };
+    }
+
+    // Handle search filter
+    if (search && search.trim() !== '') {
+      filter.$or = [
+        { name: { $regex: search.trim(), $options: 'i' } },
+        { description: { $regex: search.trim(), $options: 'i' } },
+      ];
+    }
+    // Get agent IDs the user has VIEW access to via ACL
+    const accessibleIds = await findAccessibleResources({
+      userId,
+      resourceType: 'agent',
+      requiredPermissions: requiredPermission,
    });
+    const publiclyAccessibleIds = await findPubliclyAccessibleResources({
+      resourceType: 'agent',
+      requiredPermissions: PermissionBits.VIEW,
+    });
+    // Use the new ACL-aware function
+    const data = await getListAgentsByAccess({
+      accessibleIds,
+      otherParams: filter,
+      limit,
+      after: cursor,
+    });
+    if (data?.data?.length) {
+      data.data = data.data.map((agent) => {
+        if (publiclyAccessibleIds.some((id) => id.equals(agent._id))) {
+          agent.isPublic = true;
+        }
+        return agent;
+      });
+    }
    return res.json(data);
  } catch (error) {
    logger.error('[/Agents] Error listing Agents', error);
@@ -380,6 +484,22 @@ const uploadAgentAvatarHandler = async (req, res) => {
      return res.status(400).json({ message: 'Agent ID is required' });
    }

+    const isAdmin = req.user.role === SystemRoles.ADMIN;
+    const existingAgent = await getAgent({ id: agent_id });
+
+    if (!existingAgent) {
+      return res.status(404).json({ error: 'Agent not found' });
+    }
+
+    const isAuthor = existingAgent.author.toString() === req.user.id;
+    const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
+
+    if (!hasEditPermission) {
+      return res.status(403).json({
+        error: 'You do not have permission to modify this non-collaborative agent',
+      });
+    }
+
    const buffer = await fs.readFile(req.file.path);

    const fileStrategy = req.app.locals.fileStrategy;
@@ -402,14 +522,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
      source: fileStrategy,
    };

-    let _avatar;
-    try {
-      const agent = await getAgent({ id: agent_id });
-      _avatar = agent.avatar;
-    } catch (error) {
-      logger.error('[/:agent_id/avatar] Error fetching agent', error);
-      _avatar = {};
-    }
+    let _avatar = existingAgent.avatar;

    if (_avatar && _avatar.source) {
      const { deleteFile } = getStrategyFunctions(_avatar.source);
@@ -431,7 +544,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
    };

    promises.push(
-      await updateAgent({ id: agent_id, author: req.user.id }, data, {
+      await updateAgent({ id: agent_id }, data, {
        updatingUserId: req.user.id,
      }),
    );
@@ -511,7 +624,48 @@ const revertAgentVersionHandler = async (req, res) => {
    res.status(500).json({ error: error.message });
  }
 };
+/**
+ * Get all agent categories with counts
+ *
+ * @param {Object} _req - Express request object (unused)
+ * @param {Object} res - Express response object
+ */
+const getAgentCategories = async (_req, res) => {
+  try {
+    const categories = await getCategoriesWithCounts();
+    const promotedCount = await countPromotedAgents();
+    const formattedCategories = categories.map((category) => ({
+      value: category.value,
+      label: category.label,
+      count: category.agentCount,
+      description: category.description,
+    }));

+    if (promotedCount > 0) {
+      formattedCategories.unshift({
+        value: 'promoted',
+        label: 'Promoted',
+        count: promotedCount,
+        description: 'Our recommended agents',
+      });
+    }
+
+    formattedCategories.push({
+      value: 'all',
+      label: 'All',
+      description: 'All available agents',
+    });
+
+    res.status(200).json(formattedCategories);
+  } catch (error) {
+    logger.error('[/Agents/Marketplace] Error fetching agent categories:', error);
+    res.status(500).json({
+      error: 'Failed to fetch agent categories',
+      userMessage: 'Unable to load categories. Please refresh the page.',
+      suggestion: 'Try refreshing the page or check your network connection',
+    });
+  }
+};
 module.exports = {
  createAgent: createAgentHandler,
  getAgent: getAgentHandler,
@@ -521,4 +675,5 @@ module.exports = {
  getListAgents: getListAgentsHandler,
  uploadAgentAvatar: uploadAgentAvatarHandler,
  revertAgentVersion: revertAgentVersionHandler,
+  getAgentCategories,
 };
--- a/api/server/controllers/agents/v1.spec.js
+++ b/api/server/controllers/agents/v1.spec.js
@@ -0,0 +1,574 @@
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { agentSchema } = require('@librechat/data-schemas');
+
+// Only mock the dependencies that are not database-related
+jest.mock('~/server/services/Config', () => ({
+  getCachedTools: jest.fn().mockResolvedValue({
+    web_search: true,
+    execute_code: true,
+    file_search: true,
+  }),
+}));
+
+jest.mock('~/models/Project', () => ({
+  getProjectByName: jest.fn().mockResolvedValue(null),
+}));
+
+jest.mock('~/server/services/Files/strategies', () => ({
+  getStrategyFunctions: jest.fn(),
+}));
+
+jest.mock('~/server/services/Files/images/avatar', () => ({
+  resizeAvatar: jest.fn(),
+}));
+
+jest.mock('~/server/services/Files/S3/crud', () => ({
+  refreshS3Url: jest.fn(),
+}));
+
+jest.mock('~/server/services/Files/process', () => ({
+  filterFile: jest.fn(),
+}));
+
+jest.mock('~/models/Action', () => ({
+  updateAction: jest.fn(),
+  getActions: jest.fn().mockResolvedValue([]),
+}));
+
+jest.mock('~/models/File', () => ({
+  deleteFileByFilter: jest.fn(),
+}));
+
+const { createAgent: createAgentHandler, updateAgent: updateAgentHandler } = require('./v1');
+
+/**
+ * @type {import('mongoose').Model<import('@librechat/data-schemas').IAgent>}
+ */
+let Agent;
+
+describe('Agent Controllers - Mass Assignment Protection', () => {
+  let mongoServer;
+  let mockReq;
+  let mockRes;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+    Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
+  }, 20000);
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await Agent.deleteMany({});
+
+    // Reset all mocks
+    jest.clearAllMocks();
+
+    // Setup mock request and response objects
+    mockReq = {
+      user: {
+        id: new mongoose.Types.ObjectId().toString(),
+        role: 'USER',
+      },
+      body: {},
+      params: {},
+      app: {
+        locals: {
+          fileStrategy: 'local',
+        },
+      },
+    };
+
+    mockRes = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn().mockReturnThis(),
+    };
+  });
+
+  describe('createAgentHandler', () => {
+    test('should create agent with allowed fields only', async () => {
+      const validData = {
+        name: 'Test Agent',
+        description: 'A test agent',
+        instructions: 'Be helpful',
+        provider: 'openai',
+        model: 'gpt-4',
+        tools: ['web_search'],
+        model_parameters: { temperature: 0.7 },
+        tool_resources: {
+          file_search: { file_ids: ['file1', 'file2'] },
+        },
+      };
+
+      mockReq.body = validData;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+      expect(mockRes.json).toHaveBeenCalled();
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+      expect(createdAgent.name).toBe('Test Agent');
+      expect(createdAgent.description).toBe('A test agent');
+      expect(createdAgent.provider).toBe('openai');
+      expect(createdAgent.model).toBe('gpt-4');
+      expect(createdAgent.author.toString()).toBe(mockReq.user.id);
+      expect(createdAgent.tools).toContain('web_search');
+
+      // Verify in database
+      const agentInDb = await Agent.findOne({ id: createdAgent.id });
+      expect(agentInDb).toBeDefined();
+      expect(agentInDb.name).toBe('Test Agent');
+      expect(agentInDb.author.toString()).toBe(mockReq.user.id);
+    });
+
+    test('should reject creation with unauthorized fields (mass assignment protection)', async () => {
+      const maliciousData = {
+        // Required fields
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Malicious Agent',
+
+        // Unauthorized fields that should be stripped
+        author: new mongoose.Types.ObjectId().toString(), // Should not be able to set author
+        authorName: 'Hacker', // Should be stripped
+        isCollaborative: true, // Should be stripped on creation
+        versions: [], // Should be stripped
+        _id: new mongoose.Types.ObjectId(), // Should be stripped
+        id: 'custom_agent_id', // Should be overridden
+        createdAt: new Date('2020-01-01'), // Should be stripped
+        updatedAt: new Date('2020-01-01'), // Should be stripped
+      };
+
+      mockReq.body = maliciousData;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+
+      // Verify unauthorized fields were not set
+      expect(createdAgent.author.toString()).toBe(mockReq.user.id); // Should be the request user, not the malicious value
+      expect(createdAgent.authorName).toBeUndefined();
+      expect(createdAgent.isCollaborative).toBeFalsy();
+      expect(createdAgent.versions).toHaveLength(1); // Should have exactly 1 version from creation
+      expect(createdAgent.id).not.toBe('custom_agent_id'); // Should have generated ID
+      expect(createdAgent.id).toMatch(/^agent_/); // Should have proper prefix
+
+      // Verify timestamps are recent (not the malicious dates)
+      const createdTime = new Date(createdAgent.createdAt).getTime();
+      const now = Date.now();
+      expect(now - createdTime).toBeLessThan(5000); // Created within last 5 seconds
+
+      // Verify in database
+      const agentInDb = await Agent.findOne({ id: createdAgent.id });
+      expect(agentInDb.author.toString()).toBe(mockReq.user.id);
+      expect(agentInDb.authorName).toBeUndefined();
+    });
+
+    test('should validate required fields', async () => {
+      const invalidData = {
+        name: 'Missing Required Fields',
+        // Missing provider and model
+      };
+
+      mockReq.body = invalidData;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(400);
+      expect(mockRes.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          error: 'Invalid request data',
+          details: expect.any(Array),
+        }),
+      );
+
+      // Verify nothing was created in database
+      const count = await Agent.countDocuments();
+      expect(count).toBe(0);
+    });
+
+    test('should handle tool_resources validation', async () => {
+      const dataWithInvalidToolResources = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Agent with Tool Resources',
+        tool_resources: {
+          // Valid resources
+          file_search: {
+            file_ids: ['file1', 'file2'],
+            vector_store_ids: ['vs1'],
+          },
+          execute_code: {
+            file_ids: ['file3'],
+          },
+          // Invalid resource (should be stripped by schema)
+          invalid_resource: {
+            file_ids: ['file4'],
+          },
+        },
+      };
+
+      mockReq.body = dataWithInvalidToolResources;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+      expect(createdAgent.tool_resources).toBeDefined();
+      expect(createdAgent.tool_resources.file_search).toBeDefined();
+      expect(createdAgent.tool_resources.execute_code).toBeDefined();
+      expect(createdAgent.tool_resources.invalid_resource).toBeUndefined(); // Should be stripped
+
+      // Verify in database
+      const agentInDb = await Agent.findOne({ id: createdAgent.id });
+      expect(agentInDb.tool_resources.invalid_resource).toBeUndefined();
+    });
+
+    test('should handle avatar validation', async () => {
+      const dataWithAvatar = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Agent with Avatar',
+        avatar: {
+          filepath: 'https://example.com/avatar.png',
+          source: 's3',
+        },
+      };
+
+      mockReq.body = dataWithAvatar;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+      expect(createdAgent.avatar).toEqual({
+        filepath: 'https://example.com/avatar.png',
+        source: 's3',
+      });
+    });
+
+    test('should handle invalid avatar format', async () => {
+      const dataWithInvalidAvatar = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Agent with Invalid Avatar',
+        avatar: 'just-a-string', // Invalid format
+      };
+
+      mockReq.body = dataWithInvalidAvatar;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(400);
+      expect(mockRes.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          error: 'Invalid request data',
+        }),
+      );
+    });
+  });
+
+  describe('updateAgentHandler', () => {
+    let existingAgentId;
+    let existingAgentAuthorId;
+
+    beforeEach(async () => {
+      // Create an existing agent for update tests
+      existingAgentAuthorId = new mongoose.Types.ObjectId();
+      const agent = await Agent.create({
+        id: `agent_${uuidv4()}`,
+        name: 'Original Agent',
+        provider: 'openai',
+        model: 'gpt-3.5-turbo',
+        author: existingAgentAuthorId,
+        description: 'Original description',
+        isCollaborative: false,
+        versions: [
+          {
+            name: 'Original Agent',
+            provider: 'openai',
+            model: 'gpt-3.5-turbo',
+            description: 'Original description',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        ],
+      });
+      existingAgentId = agent.id;
+    });
+
+    test('should update agent with allowed fields only', async () => {
+      mockReq.user.id = existingAgentAuthorId.toString(); // Set as author
+      mockReq.params.id = existingAgentId;
+      mockReq.body = {
+        name: 'Updated Agent',
+        description: 'Updated description',
+        model: 'gpt-4',
+        isCollaborative: true, // This IS allowed in updates
+      };
+
+      await updateAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).not.toHaveBeenCalledWith(400);
+      expect(mockRes.status).not.toHaveBeenCalledWith(403);
+      expect(mockRes.json).toHaveBeenCalled();
+
+      const updatedAgent = mockRes.json.mock.calls[0][0];
+      expect(updatedAgent.name).toBe('Updated Agent');
+      expect(updatedAgent.description).toBe('Updated description');
+      expect(updatedAgent.model).toBe('gpt-4');
+      expect(updatedAgent.isCollaborative).toBe(true);
+      expect(updatedAgent.author).toBe(existingAgentAuthorId.toString());
+
+      // Verify in database
+      const agentInDb = await Agent.findOne({ id: existingAgentId });
+      expect(agentInDb.name).toBe('Updated Agent');
+      expect(agentInDb.isCollaborative).toBe(true);
+    });
+
+    test('should reject update with unauthorized fields (mass assignment protection)', async () => {
+      mockReq.user.id = existingAgentAuthorId.toString();
+      mockReq.params.id = existingAgentId;
+      mockReq.body = {
+        name: 'Updated Name',
+
+        // Unauthorized fields that should be stripped
+        author: new mongoose.Types.ObjectId().toString(), // Should not be able to change author
+        authorName: 'Hacker', // Should be stripped
+        id: 'different_agent_id', // Should be stripped
+        _id: new mongoose.Types.ObjectId(), // Should be stripped
+        versions: [], // Should be stripped
+        createdAt: new Date('2020-01-01'), // Should be stripped
+        updatedAt: new Date('2020-01-01'), // Should be stripped
+      };
+
+      await updateAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.json).toHaveBeenCalled();
+
+      const updatedAgent = mockRes.json.mock.calls[0][0];
+
+      // Verify unauthorized fields were not changed
+      expect(updatedAgent.author).toBe(existingAgentAuthorId.toString()); // Should not have changed
+      expect(updatedAgent.authorName).toBeUndefined();
+      expect(updatedAgent.id).toBe(existingAgentId); // Should not have changed
+      expect(updatedAgent.name).toBe('Updated Name'); // Only this should have changed
+
+      // Verify in database
+      const agentInDb = await Agent.findOne({ id: existingAgentId });
+      expect(agentInDb.author.toString()).toBe(existingAgentAuthorId.toString());
+      expect(agentInDb.id).toBe(existingAgentId);
+    });
+
+    test('should allow admin to update any agent', async () => {
+      const adminUserId = new mongoose.Types.ObjectId().toString();
+      mockReq.user.id = adminUserId;
+      mockReq.user.role = 'ADMIN'; // Set as admin
+      mockReq.params.id = existingAgentId;
+      mockReq.body = {
+        name: 'Admin Update',
+      };
+
+      await updateAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).not.toHaveBeenCalledWith(403);
+      expect(mockRes.json).toHaveBeenCalled();
+
+      const updatedAgent = mockRes.json.mock.calls[0][0];
+      expect(updatedAgent.name).toBe('Admin Update');
+    });
+
+    test('should handle projectIds updates', async () => {
+      mockReq.user.id = existingAgentAuthorId.toString();
+      mockReq.params.id = existingAgentId;
+
+      const projectId1 = new mongoose.Types.ObjectId().toString();
+      const projectId2 = new mongoose.Types.ObjectId().toString();
+
+      mockReq.body = {
+        projectIds: [projectId1, projectId2],
+      };
+
+      await updateAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.json).toHaveBeenCalled();
+
+      const updatedAgent = mockRes.json.mock.calls[0][0];
+      expect(updatedAgent).toBeDefined();
+      // Note: updateAgentProjects requires more setup, so we just verify the handler doesn't crash
+    });
+
+    test('should validate tool_resources in updates', async () => {
+      mockReq.user.id = existingAgentAuthorId.toString();
+      mockReq.params.id = existingAgentId;
+      mockReq.body = {
+        tool_resources: {
+          ocr: {
+            file_ids: ['ocr1', 'ocr2'],
+          },
+          execute_code: {
+            file_ids: ['img1'],
+          },
+          // Invalid tool resource
+          invalid_tool: {
+            file_ids: ['invalid'],
+          },
+        },
+      };
+
+      await updateAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.json).toHaveBeenCalled();
+
+      const updatedAgent = mockRes.json.mock.calls[0][0];
+      expect(updatedAgent.tool_resources).toBeDefined();
+      expect(updatedAgent.tool_resources.ocr).toBeDefined();
+      expect(updatedAgent.tool_resources.execute_code).toBeDefined();
+      expect(updatedAgent.tool_resources.invalid_tool).toBeUndefined();
+    });
+
+    test('should return 404 for non-existent agent', async () => {
+      mockReq.user.id = existingAgentAuthorId.toString();
+      mockReq.params.id = `agent_${uuidv4()}`; // Non-existent ID
+      mockReq.body = {
+        name: 'Update Non-existent',
+      };
+
+      await updateAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(404);
+      expect(mockRes.json).toHaveBeenCalledWith({ error: 'Agent not found' });
+    });
+
+    test('should handle validation errors properly', async () => {
+      mockReq.user.id = existingAgentAuthorId.toString();
+      mockReq.params.id = existingAgentId;
+      mockReq.body = {
+        model_parameters: 'invalid-not-an-object', // Should be an object
+      };
+
+      await updateAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(400);
+      expect(mockRes.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          error: 'Invalid request data',
+          details: expect.any(Array),
+        }),
+      );
+    });
+  });
+
+  describe('Mass Assignment Attack Scenarios', () => {
+    test('should prevent setting system fields during creation', async () => {
+      const systemFields = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'System Fields Test',
+
+        // System fields that should never be settable by users
+        __v: 99,
+        _id: new mongoose.Types.ObjectId(),
+        versions: [
+          {
+            name: 'Fake Version',
+            provider: 'fake',
+            model: 'fake-model',
+          },
+        ],
+      };
+
+      mockReq.body = systemFields;
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+
+      // Verify system fields were not affected
+      expect(createdAgent.__v).not.toBe(99);
+      expect(createdAgent.versions).toHaveLength(1); // Should only have the auto-created version
+      expect(createdAgent.versions[0].name).toBe('System Fields Test'); // From actual creation
+      expect(createdAgent.versions[0].provider).toBe('openai'); // From actual creation
+
+      // Verify in database
+      const agentInDb = await Agent.findOne({ id: createdAgent.id });
+      expect(agentInDb.__v).not.toBe(99);
+    });
+
+    test('should prevent author hijacking', async () => {
+      const originalAuthorId = new mongoose.Types.ObjectId();
+      const attackerId = new mongoose.Types.ObjectId();
+
+      // Admin creates an agent
+      mockReq.user.id = originalAuthorId.toString();
+      mockReq.user.role = 'ADMIN';
+      mockReq.body = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Admin Agent',
+        author: attackerId.toString(), // Trying to set different author
+      };
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+
+      // Author should be the actual user, not the attempted value
+      expect(createdAgent.author.toString()).toBe(originalAuthorId.toString());
+      expect(createdAgent.author.toString()).not.toBe(attackerId.toString());
+
+      // Verify in database
+      const agentInDb = await Agent.findOne({ id: createdAgent.id });
+      expect(agentInDb.author.toString()).toBe(originalAuthorId.toString());
+    });
+
+    test('should strip unknown fields to prevent future vulnerabilities', async () => {
+      mockReq.body = {
+        provider: 'openai',
+        model: 'gpt-4',
+        name: 'Future Proof Test',
+
+        // Unknown fields that might be added in future
+        superAdminAccess: true,
+        bypassAllChecks: true,
+        internalFlag: 'secret',
+        futureFeature: 'exploit',
+      };
+
+      await createAgentHandler(mockReq, mockRes);
+
+      expect(mockRes.status).toHaveBeenCalledWith(201);
+
+      const createdAgent = mockRes.json.mock.calls[0][0];
+
+      // Verify unknown fields were stripped
+      expect(createdAgent.superAdminAccess).toBeUndefined();
+      expect(createdAgent.bypassAllChecks).toBeUndefined();
+      expect(createdAgent.internalFlag).toBeUndefined();
+      expect(createdAgent.futureFeature).toBeUndefined();
+
+      // Also check in database
+      const agentInDb = await Agent.findOne({ id: createdAgent.id }).lean();
+      expect(agentInDb.superAdminAccess).toBeUndefined();
+      expect(agentInDb.bypassAllChecks).toBeUndefined();
+      expect(agentInDb.internalFlag).toBeUndefined();
+      expect(agentInDb.futureFeature).toBeUndefined();
+    });
+  });
+});
--- a/api/server/controllers/tools.js
+++ b/api/server/controllers/tools.js
@@ -1,21 +1,21 @@
 const { nanoid } = require('nanoid');
 const { EnvVar } = require('@librechat/agents');
+const { logger } = require('@librechat/data-schemas');
+const { checkAccess, loadWebSearchAuth } = require('@librechat/api');
 const {
  Tools,
  AuthType,
  Permissions,
  ToolCallTypes,
  PermissionTypes,
-  loadWebSearchAuth,
 } = require('librechat-data-provider');
 const { processFileURL, uploadImageBuffer } = require('~/server/services/Files/process');
 const { processCodeOutput } = require('~/server/services/Files/Code/process');
 const { createToolCall, getToolCallsByConvo } = require('~/models/ToolCall');
 const { loadAuthValues } = require('~/server/services/Tools/credentials');
 const { loadTools } = require('~/app/clients/tools/util');
-const { checkAccess } = require('~/server/middleware');
+const { getRoleByName } = require('~/models/Role');
 const { getMessage } = require('~/models/Message');
-const { logger } = require('~/config');

 const fieldsMap = {
  [Tools.execute_code]: [EnvVar.CODE_API_KEY],
@@ -79,6 +79,7 @@ const verifyToolAuth = async (req, res) => {
        throwError: false,
      });
    } catch (error) {
+      logger.error('Error loading auth values', error);
      res.status(200).json({ authenticated: false, message: AuthType.USER_PROVIDED });
      return;
    }
@@ -132,7 +133,12 @@ const callTool = async (req, res) => {
    logger.debug(`[${toolId}/call] User: ${req.user.id}`);
    let hasAccess = true;
    if (toolAccessPermType[toolId]) {
-      hasAccess = await checkAccess(req.user, toolAccessPermType[toolId], [Permissions.USE]);
+      hasAccess = await checkAccess({
+        user: req.user,
+        permissionType: toolAccessPermType[toolId],
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
    }
    if (!hasAccess) {
      logger.warn(
--- a/api/server/index.js
+++ b/api/server/index.js
@@ -16,7 +16,7 @@ const { connectDb, indexSync } = require('~/db');
 const validateImageRequest = require('./middleware/validateImageRequest');
 const { jwtLogin, ldapLogin, passportLogin } = require('~/strategies');
 const errorController = require('./controllers/ErrorController');
-const initializeMCP = require('./services/initializeMCP');
+const initializeMCPs = require('./services/initializeMCPs');
 const configureSocialLogins = require('./socialLogins');
 const AppService = require('./services/AppService');
 const staticCache = require('./utils/staticCache');
@@ -55,7 +55,6 @@ const startServer = async () => {

  /* Middleware */
  app.use(noIndex);
-  app.use(errorController);
  app.use(express.json({ limit: '3mb' }));
  app.use(express.urlencoded({ extended: true, limit: '3mb' }));
  app.use(mongoSanitize());
@@ -118,9 +117,14 @@ const startServer = async () => {
  app.use('/api/agents', routes.agents);
  app.use('/api/banner', routes.banner);
  app.use('/api/memories', routes.memories);
+  app.use('/api/permissions', routes.accessPermissions);
+
  app.use('/api/tags', routes.tags);
  app.use('/api/mcp', routes.mcp);

+  // Add the error controller one more time after all routes
+  app.use(errorController);
+
  app.use((req, res) => {
    res.set({
      'Cache-Control': process.env.INDEX_CACHE_CONTROL || 'no-cache, no-store, must-revalidate',
@@ -144,7 +148,7 @@ const startServer = async () => {
      logger.info(`Server listening at http://${host == '0.0.0.0' ? 'localhost' : host}:${port}`);
    }

-    initializeMCP(app);
+    initializeMCPs(app);
  });
 };

--- a/api/server/index.spec.js
+++ b/api/server/index.spec.js
@@ -1,5 +1,4 @@
 const fs = require('fs');
-const path = require('path');
 const request = require('supertest');
 const { MongoMemoryServer } = require('mongodb-memory-server');
 const mongoose = require('mongoose');
@@ -59,6 +58,30 @@ describe('Server Configuration', () => {
    expect(response.headers['pragma']).toBe('no-cache');
    expect(response.headers['expires']).toBe('0');
  });
+
+  it('should return 500 for unknown errors via ErrorController', async () => {
+    // Testing the error handling here on top of unit tests to ensure the middleware is correctly integrated
+
+    // Mock MongoDB operations to fail
+    const originalFindOne = mongoose.models.User.findOne;
+    const mockError = new Error('MongoDB operation failed');
+    mongoose.models.User.findOne = jest.fn().mockImplementation(() => {
+      throw mockError;
+    });
+
+    try {
+      const response = await request(app).post('/api/auth/login').send({
+        email: 'test@example.com',
+        password: 'password123',
+      });
+
+      expect(response.status).toBe(500);
+      expect(response.text).toBe('An unknown error occurred.');
+    } finally {
+      // Restore original function
+      mongoose.models.User.findOne = originalFindOne;
+    }
+  });
 });

 // Polls the /health endpoint every 30ms for up to 10 seconds to wait for the server to start completely
--- a/api/server/middleware/accessResources/canAccessAgentFromBody.js
+++ b/api/server/middleware/accessResources/canAccessAgentFromBody.js
@@ -0,0 +1,97 @@
+const { logger } = require('@librechat/data-schemas');
+const { Constants, isAgentsEndpoint } = require('librechat-data-provider');
+const { canAccessResource } = require('./canAccessResource');
+const { getAgent } = require('~/models/Agent');
+
+/**
+ * Agent ID resolver function for agent_id from request body
+ * Resolves custom agent ID (e.g., "agent_abc123") to MongoDB ObjectId
+ * This is used specifically for chat routes where agent_id comes from request body
+ *
+ * @param {string} agentCustomId - Custom agent ID from request body
+ * @returns {Promise<Object|null>} Agent document with _id field, or null if not found
+ */
+const resolveAgentIdFromBody = async (agentCustomId) => {
+  // Handle ephemeral agents - they don't need permission checks
+  if (agentCustomId === Constants.EPHEMERAL_AGENT_ID) {
+    return null; // No permission check needed for ephemeral agents
+  }
+
+  return await getAgent({ id: agentCustomId });
+};
+
+/**
+ * Middleware factory that creates middleware to check agent access permissions from request body.
+ * This middleware is specifically designed for chat routes where the agent_id comes from req.body
+ * instead of route parameters.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for agent chat (requires VIEW permission)
+ * router.post('/chat',
+ *   canAccessAgentFromBody({ requiredPermission: PermissionBits.VIEW }),
+ *   buildEndpointOption,
+ *   chatController
+ * );
+ */
+const canAccessAgentFromBody = (options) => {
+  const { requiredPermission } = options;
+
+  // Validate required options
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessAgentFromBody: requiredPermission is required and must be a number');
+  }
+
+  return async (req, res, next) => {
+    try {
+      const { endpoint, agent_id } = req.body;
+      let agentId = agent_id;
+
+      if (!isAgentsEndpoint(endpoint)) {
+        agentId = Constants.EPHEMERAL_AGENT_ID;
+      }
+
+      if (!agentId) {
+        return res.status(400).json({
+          error: 'Bad Request',
+          message: 'agent_id is required in request body',
+        });
+      }
+
+      // Skip permission checks for ephemeral agents
+      if (agentId === Constants.EPHEMERAL_AGENT_ID) {
+        return next();
+      }
+
+      const agentAccessMiddleware = canAccessResource({
+        resourceType: 'agent',
+        requiredPermission,
+        resourceIdParam: 'agent_id', // This will be ignored since we use custom resolver
+        idResolver: () => resolveAgentIdFromBody(agentId),
+      });
+
+      const tempReq = {
+        ...req,
+        params: {
+          ...req.params,
+          agent_id: agentId,
+        },
+      };
+
+      return agentAccessMiddleware(tempReq, res, next);
+    } catch (error) {
+      logger.error('Failed to validate agent access permissions', error);
+      return res.status(500).json({
+        error: 'Internal Server Error',
+        message: 'Failed to validate agent access permissions',
+      });
+    }
+  };
+};
+
+module.exports = {
+  canAccessAgentFromBody,
+};
--- a/api/server/middleware/accessResources/canAccessAgentResource.js
+++ b/api/server/middleware/accessResources/canAccessAgentResource.js
@@ -0,0 +1,58 @@
+const { getAgent } = require('~/models/Agent');
+const { canAccessResource } = require('./canAccessResource');
+
+/**
+ * Agent ID resolver function
+ * Resolves custom agent ID (e.g., "agent_abc123") to MongoDB ObjectId
+ *
+ * @param {string} agentCustomId - Custom agent ID from route parameter
+ * @returns {Promise<Object|null>} Agent document with _id field, or null if not found
+ */
+const resolveAgentId = async (agentCustomId) => {
+  return await getAgent({ id: agentCustomId });
+};
+
+/**
+ * Agent-specific middleware factory that creates middleware to check agent access permissions.
+ * This middleware extends the generic canAccessResource to handle agent custom ID resolution.
+ *
+ * @param {Object} options - Configuration options
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='id'] - The name of the route parameter containing the agent custom ID
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Basic usage for viewing agents
+ * router.get('/agents/:id',
+ *   canAccessAgentResource({ requiredPermission: 1 }),
+ *   getAgent
+ * );
+ *
+ * @example
+ * // Custom resource ID parameter and edit permission
+ * router.patch('/agents/:agent_id',
+ *   canAccessAgentResource({
+ *     requiredPermission: 2,
+ *     resourceIdParam: 'agent_id'
+ *   }),
+ *   updateAgent
+ * );
+ */
+const canAccessAgentResource = (options) => {
+  const { requiredPermission, resourceIdParam = 'id' } = options;
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessAgentResource: requiredPermission is required and must be a number');
+  }
+
+  return canAccessResource({
+    resourceType: 'agent',
+    requiredPermission,
+    resourceIdParam,
+    idResolver: resolveAgentId,
+  });
+};
+
+module.exports = {
+  canAccessAgentResource,
+};
--- a/api/server/middleware/accessResources/canAccessAgentResource.spec.js
+++ b/api/server/middleware/accessResources/canAccessAgentResource.spec.js
@@ -0,0 +1,384 @@
+const mongoose = require('mongoose');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { canAccessAgentResource } = require('./canAccessAgentResource');
+const { User, Role, AclEntry } = require('~/db/models');
+const { createAgent } = require('~/models/Agent');
+
+describe('canAccessAgentResource middleware', () => {
+  let mongoServer;
+  let req, res, next;
+  let testUser;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await mongoose.connection.dropDatabase();
+    await Role.create({
+      name: 'test-role',
+      permissions: {
+        AGENTS: {
+          USE: true,
+          CREATE: true,
+          SHARED_GLOBAL: false,
+        },
+      },
+    });
+
+    // Create a test user
+    testUser = await User.create({
+      email: 'test@example.com',
+      name: 'Test User',
+      username: 'testuser',
+      role: 'test-role',
+    });
+
+    req = {
+      user: { id: testUser._id.toString(), role: 'test-role' },
+      params: {},
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+
+    jest.clearAllMocks();
+  });
+
+  describe('middleware factory', () => {
+    test('should throw error if requiredPermission is not provided', () => {
+      expect(() => canAccessAgentResource({})).toThrow(
+        'canAccessAgentResource: requiredPermission is required and must be a number',
+      );
+    });
+
+    test('should throw error if requiredPermission is not a number', () => {
+      expect(() => canAccessAgentResource({ requiredPermission: '1' })).toThrow(
+        'canAccessAgentResource: requiredPermission is required and must be a number',
+      );
+    });
+
+    test('should create middleware with default resourceIdParam', () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      expect(typeof middleware).toBe('function');
+      expect(middleware.length).toBe(3); // Express middleware signature
+    });
+
+    test('should create middleware with custom resourceIdParam', () => {
+      const middleware = canAccessAgentResource({
+        requiredPermission: 2,
+        resourceIdParam: 'agent_id',
+      });
+      expect(typeof middleware).toBe('function');
+      expect(middleware.length).toBe(3);
+    });
+  });
+
+  describe('permission checking with real agents', () => {
+    test('should allow access when user is the agent author', async () => {
+      // Create an agent owned by the test user
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry for the author (owner permissions)
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions (1+2+4+8)
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should deny access when user is not the author and has no ACL entry', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other@example.com',
+        name: 'Other User',
+        username: 'otheruser',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Other User Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry for the other user (owner)
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: otherUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to access this agent',
+      });
+    });
+
+    test('should allow access when user has ACL entry with sufficient permissions', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other2@example.com',
+        name: 'Other User 2',
+        username: 'otheruser2',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Shared Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry granting view permission to test user
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 1, // VIEW permission
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 }); // VIEW permission
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should deny access when ACL permissions are insufficient', async () => {
+      // Create an agent owned by a different user
+      const otherUser = await User.create({
+        email: 'other3@example.com',
+        name: 'Other User 3',
+        username: 'otheruser3',
+        role: 'test-role',
+      });
+
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Limited Access Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: otherUser._id,
+      });
+
+      // Create ACL entry granting only view permission
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 1, // VIEW permission only
+        grantedBy: otherUser._id,
+      });
+
+      req.params.id = agent.id;
+
+      const middleware = canAccessAgentResource({ requiredPermission: 2 }); // EDIT permission required
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to access this agent',
+      });
+    });
+
+    test('should handle non-existent agent', async () => {
+      req.params.id = 'agent_nonexistent';
+
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Not Found',
+        message: 'agent not found',
+      });
+    });
+
+    test('should use custom resourceIdParam', async () => {
+      const agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Custom Param Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry for the author
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: testUser._id,
+      });
+
+      req.params.agent_id = agent.id; // Using custom param name
+
+      const middleware = canAccessAgentResource({
+        requiredPermission: 1,
+        resourceIdParam: 'agent_id',
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('permission levels', () => {
+    let agent;
+
+    beforeEach(async () => {
+      agent = await createAgent({
+        id: `agent_${Date.now()}`,
+        name: 'Permission Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+      });
+
+      // Create ACL entry with all permissions for the owner
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions (1+2+4+8)
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agent.id;
+    });
+
+    test('should support view permission (1)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 1 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support edit permission (2)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 2 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support delete permission (4)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 4 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support share permission (8)', async () => {
+      const middleware = canAccessAgentResource({ requiredPermission: 8 });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should support combined permissions', async () => {
+      const viewAndEdit = 1 | 2; // 3
+      const middleware = canAccessAgentResource({ requiredPermission: viewAndEdit });
+      await middleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+  });
+
+  describe('integration with agent operations', () => {
+    test('should work with agent CRUD operations', async () => {
+      const agentId = `agent_${Date.now()}`;
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Integration Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: testUser._id,
+        description: 'Testing integration',
+      });
+
+      // Create ACL entry for the author
+      await AclEntry.create({
+        principalType: 'user',
+        principalId: testUser._id,
+        principalModel: 'User',
+        resourceType: 'agent',
+        resourceId: agent._id,
+        permBits: 15, // All permissions
+        grantedBy: testUser._id,
+      });
+
+      req.params.id = agentId;
+
+      // Test view access
+      const viewMiddleware = canAccessAgentResource({ requiredPermission: 1 });
+      await viewMiddleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+      jest.clearAllMocks();
+
+      // Update the agent
+      const { updateAgent } = require('~/models/Agent');
+      await updateAgent({ id: agentId }, { description: 'Updated description' });
+
+      // Test edit access
+      const editMiddleware = canAccessAgentResource({ requiredPermission: 2 });
+      await editMiddleware(req, res, next);
+      expect(next).toHaveBeenCalled();
+    });
+  });
+});
--- a/api/server/middleware/accessResources/canAccessResource.js
+++ b/api/server/middleware/accessResources/canAccessResource.js
@@ -0,0 +1,157 @@
+const { logger } = require('@librechat/data-schemas');
+const { SystemRoles } = require('librechat-data-provider');
+const { checkPermission } = require('~/server/services/PermissionService');
+
+/**
+ * Generic base middleware factory that creates middleware to check resource access permissions.
+ * This middleware expects MongoDB ObjectIds as resource identifiers for ACL permission checks.
+ *
+ * @param {Object} options - Configuration options
+ * @param {string} options.resourceType - The type of resource (e.g., 'agent', 'file', 'project')
+ * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
+ * @param {string} [options.resourceIdParam='resourceId'] - The name of the route parameter containing the resource ID
+ * @param {Function} [options.idResolver] - Optional function to resolve custom IDs to ObjectIds
+ * @returns {Function} Express middleware function
+ *
+ * @example
+ * // Direct usage with ObjectId (for resources that use MongoDB ObjectId in routes)
+ * router.get('/prompts/:promptId',
+ *   canAccessResource({ resourceType: 'prompt', requiredPermission: 1 }),
+ *   getPrompt
+ * );
+ *
+ * @example
+ * // Usage with custom ID resolver (for resources that use custom string IDs)
+ * router.get('/agents/:id',
+ *   canAccessResource({
+ *     resourceType: 'agent',
+ *     requiredPermission: 1,
+ *     resourceIdParam: 'id',
+ *     idResolver: (customId) => resolveAgentId(customId)
+ *   }),
+ *   getAgent
+ * );
+ */
+const canAccessResource = (options) => {
+  const {
+    resourceType,
+    requiredPermission,
+    resourceIdParam = 'resourceId',
+    idResolver = null,
+  } = options;
+
+  if (!resourceType || typeof resourceType !== 'string') {
+    throw new Error('canAccessResource: resourceType is required and must be a string');
+  }
+
+  if (!requiredPermission || typeof requiredPermission !== 'number') {
+    throw new Error('canAccessResource: requiredPermission is required and must be a number');
+  }
+
+  return async (req, res, next) => {
+    try {
+      // Extract resource ID from route parameters
+      const rawResourceId = req.params[resourceIdParam];
+
+      if (!rawResourceId) {
+        logger.warn(`[canAccessResource] Missing ${resourceIdParam} in route parameters`);
+        return res.status(400).json({
+          error: 'Bad Request',
+          message: `${resourceIdParam} is required`,
+        });
+      }
+
+      // Check if user is authenticated
+      if (!req.user || !req.user.id) {
+        logger.warn(
+          `[canAccessResource] Unauthenticated request for ${resourceType} ${rawResourceId}`,
+        );
+        return res.status(401).json({
+          error: 'Unauthorized',
+          message: 'Authentication required',
+        });
+      }
+      // if system admin let through
+      if (req.user.role === SystemRoles.ADMIN) {
+        return next();
+      }
+      const userId = req.user.id;
+      let resourceId = rawResourceId;
+      let resourceInfo = null;
+
+      // Resolve custom ID to ObjectId if resolver is provided
+      if (idResolver) {
+        logger.debug(
+          `[canAccessResource] Resolving ${resourceType} custom ID ${rawResourceId} to ObjectId`,
+        );
+
+        const resolutionResult = await idResolver(rawResourceId);
+
+        if (!resolutionResult) {
+          logger.warn(`[canAccessResource] ${resourceType} not found: ${rawResourceId}`);
+          return res.status(404).json({
+            error: 'Not Found',
+            message: `${resourceType} not found`,
+          });
+        }
+
+        // Handle different resolver return formats
+        if (typeof resolutionResult === 'string' || resolutionResult._id) {
+          resourceId = resolutionResult._id || resolutionResult;
+          resourceInfo = typeof resolutionResult === 'object' ? resolutionResult : null;
+        } else {
+          resourceId = resolutionResult;
+        }
+
+        logger.debug(
+          `[canAccessResource] Resolved ${resourceType} ${rawResourceId} to ObjectId ${resourceId}`,
+        );
+      }
+
+      // Check permissions using PermissionService with ObjectId
+      const hasPermission = await checkPermission({
+        userId,
+        resourceType,
+        resourceId,
+        requiredPermission,
+      });
+
+      if (hasPermission) {
+        logger.debug(
+          `[canAccessResource] User ${userId} has permission ${requiredPermission} on ${resourceType} ${rawResourceId} (${resourceId})`,
+        );
+
+        req.resourceAccess = {
+          resourceType,
+          resourceId, // MongoDB ObjectId for ACL operations
+          customResourceId: rawResourceId, // Original ID from route params
+          permission: requiredPermission,
+          userId,
+          ...(resourceInfo && { resourceInfo }),
+        };
+
+        return next();
+      }
+
+      logger.warn(
+        `[canAccessResource] User ${userId} denied access to ${resourceType} ${rawResourceId} ` +
+          `(required permission: ${requiredPermission})`,
+      );
+
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: `Insufficient permissions to access this ${resourceType}`,
+      });
+    } catch (error) {
+      logger.error(`[canAccessResource] Error checking access for ${resourceType}:`, error);
+      return res.status(500).json({
+        error: 'Internal Server Error',
+        message: 'Failed to check resource access permissions',
+      });
+    }
+  };
+};
+
+module.exports = {
+  canAccessResource,
+};
--- a/api/server/middleware/accessResources/index.js
+++ b/api/server/middleware/accessResources/index.js
@@ -0,0 +1,9 @@
+const { canAccessResource } = require('./canAccessResource');
+const { canAccessAgentResource } = require('./canAccessAgentResource');
+const { canAccessAgentFromBody } = require('./canAccessAgentFromBody');
+
+module.exports = {
+  canAccessResource,
+  canAccessAgentResource,
+  canAccessAgentFromBody,
+};
--- a/api/server/middleware/buildEndpointOption.js
+++ b/api/server/middleware/buildEndpointOption.js
@@ -1,3 +1,4 @@
+const { handleError } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
 const {
  EndpointURLs,
@@ -14,7 +15,6 @@ const openAI = require('~/server/services/Endpoints/openAI');
 const agents = require('~/server/services/Endpoints/agents');
 const custom = require('~/server/services/Endpoints/custom');
 const google = require('~/server/services/Endpoints/google');
-const { handleError } = require('~/server/utils');

 const buildFunction = {
  [EModelEndpoint.openAI]: openAI.buildOptions,
--- a/api/server/middleware/checkBan.js
+++ b/api/server/middleware/checkBan.js
@@ -18,7 +18,6 @@ const message = 'Your account has been temporarily banned due to violations of o
 * @function
 * @param {Object} req - Express Request object.
 * @param {Object} res - Express Response object.
- * @param {String} errorMessage - Error message to be displayed in case of /api/ask or /api/edit request.
 *
 * @returns {Promise<Object>} - Returns a Promise which when resolved sends a response status of 403 with a specific message if request is not of api/ask or api/edit types. If it is, calls `denyRequest()` function.
 */
@@ -135,6 +134,7 @@ const checkBan = async (req, res, next = () => {}) => {
    return await banResponse(req, res);
  } catch (error) {
    logger.error('Error in checkBan middleware:', error);
+    return next(error);
  }
 };

--- a/api/server/middleware/checkPeoplePickerAccess.js
+++ b/api/server/middleware/checkPeoplePickerAccess.js
@@ -0,0 +1,72 @@
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+/**
+ * Middleware to check if user has permission to access people picker functionality
+ * Checks specific permission based on the 'type' query parameter:
+ * - type=user: requires VIEW_USERS permission
+ * - type=group: requires VIEW_GROUPS permission
+ * - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS
+ */
+const checkPeoplePickerAccess = async (req, res, next) => {
+  try {
+    const user = req.user;
+    if (!user || !user.role) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    const role = await getRoleByName(user.role);
+    if (!role || !role.permissions) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'No permissions configured for user role',
+      });
+    }
+
+    const { type } = req.query;
+    const peoplePickerPerms = role.permissions[PermissionTypes.PEOPLE_PICKER] || {};
+    const canViewUsers = peoplePickerPerms[Permissions.VIEW_USERS] === true;
+    const canViewGroups = peoplePickerPerms[Permissions.VIEW_GROUPS] === true;
+
+    if (type === 'user') {
+      if (!canViewUsers) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for users',
+        });
+      }
+    } else if (type === 'group') {
+      if (!canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for groups',
+        });
+      }
+    } else {
+      if (!canViewUsers || !canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for both users and groups',
+        });
+      }
+    }
+    next();
+  } catch (error) {
+    logger.error(
+      `[checkPeoplePickerAccess][${req.user?.id}] checkPeoplePickerAccess error for req.query.type = ${req.query.type}`,
+      error,
+    );
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check permissions',
+    });
+  }
+};
+
+module.exports = {
+  checkPeoplePickerAccess,
+};
--- a/api/server/middleware/concurrentLimiter.js
+++ b/api/server/middleware/concurrentLimiter.js
@@ -1,4 +1,4 @@
-const { Time, CacheKeys } = require('librechat-data-provider');
+const { Time, CacheKeys, ViolationTypes } = require('librechat-data-provider');
 const clearPendingReq = require('~/cache/clearPendingReq');
 const { logViolation, getLogStores } = require('~/cache');
 const { isEnabled } = require('~/server/utils');
@@ -37,7 +37,7 @@ const concurrentLimiter = async (req, res, next) => {

  const userId = req.user?.id ?? req.user?._id ?? '';
  const limit = Math.max(CONCURRENT_MESSAGE_MAX, 1);
-  const type = 'concurrent';
+  const type = ViolationTypes.CONCURRENT;

  const key = `${isEnabled(USE_REDIS) ? namespace : ''}:${userId}`;
  const pendingRequests = +((await cache.get(key)) ?? 0);
--- a/api/server/middleware/index.js
+++ b/api/server/middleware/index.js
@@ -8,6 +8,7 @@ const concurrentLimiter = require('./concurrentLimiter');
 const validateEndpoint = require('./validateEndpoint');
 const requireLocalAuth = require('./requireLocalAuth');
 const canDeleteAccount = require('./canDeleteAccount');
+const accessResources = require('./accessResources');
 const setBalanceConfig = require('./setBalanceConfig');
 const requireLdapAuth = require('./requireLdapAuth');
 const abortMiddleware = require('./abortMiddleware');
@@ -29,6 +30,7 @@ module.exports = {
  ...validate,
  ...limiters,
  ...roles,
+  ...accessResources,
  noIndex,
  checkBan,
  uaParser,
--- a/api/server/middleware/limiters/forkLimiters.js
+++ b/api/server/middleware/limiters/forkLimiters.js
@@ -0,0 +1,79 @@
+const rateLimit = require('express-rate-limit');
+const { ViolationTypes } = require('librechat-data-provider');
+const { limiterCache } = require('~/cache/cacheFactory');
+const logViolation = require('~/cache/logViolation');
+
+const getEnvironmentVariables = () => {
+  const FORK_IP_MAX = parseInt(process.env.FORK_IP_MAX) || 30;
+  const FORK_IP_WINDOW = parseInt(process.env.FORK_IP_WINDOW) || 1;
+  const FORK_USER_MAX = parseInt(process.env.FORK_USER_MAX) || 7;
+  const FORK_USER_WINDOW = parseInt(process.env.FORK_USER_WINDOW) || 1;
+  const FORK_VIOLATION_SCORE = process.env.FORK_VIOLATION_SCORE;
+
+  const forkIpWindowMs = FORK_IP_WINDOW * 60 * 1000;
+  const forkIpMax = FORK_IP_MAX;
+  const forkIpWindowInMinutes = forkIpWindowMs / 60000;
+
+  const forkUserWindowMs = FORK_USER_WINDOW * 60 * 1000;
+  const forkUserMax = FORK_USER_MAX;
+  const forkUserWindowInMinutes = forkUserWindowMs / 60000;
+
+  return {
+    forkIpWindowMs,
+    forkIpMax,
+    forkIpWindowInMinutes,
+    forkUserWindowMs,
+    forkUserMax,
+    forkUserWindowInMinutes,
+    forkViolationScore: FORK_VIOLATION_SCORE,
+  };
+};
+
+const createForkHandler = (ip = true) => {
+  const {
+    forkIpMax,
+    forkUserMax,
+    forkViolationScore,
+    forkIpWindowInMinutes,
+    forkUserWindowInMinutes,
+  } = getEnvironmentVariables();
+
+  return async (req, res) => {
+    const type = ViolationTypes.FILE_UPLOAD_LIMIT;
+    const errorMessage = {
+      type,
+      max: ip ? forkIpMax : forkUserMax,
+      limiter: ip ? 'ip' : 'user',
+      windowInMinutes: ip ? forkIpWindowInMinutes : forkUserWindowInMinutes,
+    };
+
+    await logViolation(req, res, type, errorMessage, forkViolationScore);
+    res.status(429).json({ message: 'Too many conversation fork requests. Try again later' });
+  };
+};
+
+const createForkLimiters = () => {
+  const { forkIpWindowMs, forkIpMax, forkUserWindowMs, forkUserMax } = getEnvironmentVariables();
+
+  const ipLimiterOptions = {
+    windowMs: forkIpWindowMs,
+    max: forkIpMax,
+    handler: createForkHandler(),
+    store: limiterCache('fork_ip_limiter'),
+  };
+  const userLimiterOptions = {
+    windowMs: forkUserWindowMs,
+    max: forkUserMax,
+    handler: createForkHandler(false),
+    keyGenerator: function (req) {
+      return req.user?.id;
+    },
+    store: limiterCache('fork_user_limiter'),
+  };
+
+  const forkIpLimiter = rateLimit(ipLimiterOptions);
+  const forkUserLimiter = rateLimit(userLimiterOptions);
+  return { forkIpLimiter, forkUserLimiter };
+};
+
+module.exports = { createForkLimiters };
--- a/api/server/middleware/limiters/importLimiters.js
+++ b/api/server/middleware/limiters/importLimiters.js
@@ -1,16 +1,14 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
+const { limiterCache } = require('~/cache/cacheFactory');
 const logViolation = require('~/cache/logViolation');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');

 const getEnvironmentVariables = () => {
  const IMPORT_IP_MAX = parseInt(process.env.IMPORT_IP_MAX) || 100;
  const IMPORT_IP_WINDOW = parseInt(process.env.IMPORT_IP_WINDOW) || 15;
  const IMPORT_USER_MAX = parseInt(process.env.IMPORT_USER_MAX) || 50;
  const IMPORT_USER_WINDOW = parseInt(process.env.IMPORT_USER_WINDOW) || 15;
+  const IMPORT_VIOLATION_SCORE = process.env.IMPORT_VIOLATION_SCORE;

  const importIpWindowMs = IMPORT_IP_WINDOW * 60 * 1000;
  const importIpMax = IMPORT_IP_MAX;
@@ -27,12 +25,18 @@ const getEnvironmentVariables = () => {
    importUserWindowMs,
    importUserMax,
    importUserWindowInMinutes,
+    importViolationScore: IMPORT_VIOLATION_SCORE,
  };
 };

 const createImportHandler = (ip = true) => {
-  const { importIpMax, importIpWindowInMinutes, importUserMax, importUserWindowInMinutes } =
-    getEnvironmentVariables();
+  const {
+    importIpMax,
+    importUserMax,
+    importViolationScore,
+    importIpWindowInMinutes,
+    importUserWindowInMinutes,
+  } = getEnvironmentVariables();

  return async (req, res) => {
    const type = ViolationTypes.FILE_UPLOAD_LIMIT;
@@ -43,7 +47,7 @@ const createImportHandler = (ip = true) => {
      windowInMinutes: ip ? importIpWindowInMinutes : importUserWindowInMinutes,
    };

-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, importViolationScore);
    res.status(429).json({ message: 'Too many conversation import requests. Try again later' });
  };
 };
@@ -56,6 +60,7 @@ const createImportLimiters = () => {
    windowMs: importIpWindowMs,
    max: importIpMax,
    handler: createImportHandler(),
+    store: limiterCache('import_ip_limiter'),
  };
  const userLimiterOptions = {
    windowMs: importUserWindowMs,
@@ -64,23 +69,9 @@ const createImportLimiters = () => {
    keyGenerator: function (req) {
      return req.user?.id; // Use the user ID or NULL if not available
    },
+    store: limiterCache('import_user_limiter'),
  };

-  if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-    logger.debug('Using Redis for import rate limiters.');
-    const sendCommand = (...args) => ioredisClient.call(...args);
-    const ipStore = new RedisStore({
-      sendCommand,
-      prefix: 'import_ip_limiter:',
-    });
-    const userStore = new RedisStore({
-      sendCommand,
-      prefix: 'import_user_limiter:',
-    });
-    ipLimiterOptions.store = ipStore;
-    userLimiterOptions.store = userStore;
-  }
-
  const importIpLimiter = rateLimit(ipLimiterOptions);
  const importUserLimiter = rateLimit(userLimiterOptions);
  return { importIpLimiter, importUserLimiter };
--- a/api/server/middleware/limiters/index.js
+++ b/api/server/middleware/limiters/index.js
@@ -4,6 +4,7 @@ const createSTTLimiters = require('./sttLimiters');
 const loginLimiter = require('./loginLimiter');
 const importLimiters = require('./importLimiters');
 const uploadLimiters = require('./uploadLimiters');
+const forkLimiters = require('./forkLimiters');
 const registerLimiter = require('./registerLimiter');
 const toolCallLimiter = require('./toolCallLimiter');
 const messageLimiters = require('./messageLimiters');
@@ -14,6 +15,7 @@ module.exports = {
  ...uploadLimiters,
  ...importLimiters,
  ...messageLimiters,
+  ...forkLimiters,
  loginLimiter,
  registerLimiter,
  toolCallLimiter,
--- a/api/server/middleware/limiters/loginLimiter.js
+++ b/api/server/middleware/limiters/loginLimiter.js
@@ -1,9 +1,8 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
-const { removePorts, isEnabled } = require('~/server/utils');
-const ioredisClient = require('~/cache/ioredisClient');
+const { ViolationTypes } = require('librechat-data-provider');
+const { removePorts } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');

 const { LOGIN_WINDOW = 5, LOGIN_MAX = 7, LOGIN_VIOLATION_SCORE: score } = process.env;
 const windowMs = LOGIN_WINDOW * 60 * 1000;
@@ -12,7 +11,7 @@ const windowInMinutes = windowMs / 60000;
 const message = `Too many login attempts, please try again after ${windowInMinutes} minutes.`;

 const handler = async (req, res) => {
-  const type = 'logins';
+  const type = ViolationTypes.LOGINS;
  const errorMessage = {
    type,
    max,
@@ -28,17 +27,9 @@ const limiterOptions = {
  max,
  handler,
  keyGenerator: removePorts,
+  store: limiterCache('login_limiter'),
 };

-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for login rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'login_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const loginLimiter = rateLimit(limiterOptions);

 module.exports = loginLimiter;
--- a/api/server/middleware/limiters/messageLimiters.js
+++ b/api/server/middleware/limiters/messageLimiters.js
@@ -1,16 +1,15 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
+const { ViolationTypes } = require('librechat-data-provider');
 const denyRequest = require('~/server/middleware/denyRequest');
-const ioredisClient = require('~/cache/ioredisClient');
-const { isEnabled } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');

 const {
  MESSAGE_IP_MAX = 40,
  MESSAGE_IP_WINDOW = 1,
  MESSAGE_USER_MAX = 40,
  MESSAGE_USER_WINDOW = 1,
+  MESSAGE_VIOLATION_SCORE: score,
 } = process.env;

 const ipWindowMs = MESSAGE_IP_WINDOW * 60 * 1000;
@@ -31,7 +30,7 @@ const userWindowInMinutes = userWindowMs / 60000;
 */
 const createHandler = (ip = true) => {
  return async (req, res) => {
-    const type = 'message_limit';
+    const type = ViolationTypes.MESSAGE_LIMIT;
    const errorMessage = {
      type,
      max: ip ? ipMax : userMax,
@@ -39,7 +38,7 @@ const createHandler = (ip = true) => {
      windowInMinutes: ip ? ipWindowInMinutes : userWindowInMinutes,
    };

-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, score);
    return await denyRequest(req, res, errorMessage);
  };
 };
@@ -51,6 +50,7 @@ const ipLimiterOptions = {
  windowMs: ipWindowMs,
  max: ipMax,
  handler: createHandler(),
+  store: limiterCache('message_ip_limiter'),
 };

 const userLimiterOptions = {
@@ -60,23 +60,9 @@ const userLimiterOptions = {
  keyGenerator: function (req) {
    return req.user?.id; // Use the user ID or NULL if not available
  },
+  store: limiterCache('message_user_limiter'),
 };

-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for message rate limiters.');
-  const sendCommand = (...args) => ioredisClient.call(...args);
-  const ipStore = new RedisStore({
-    sendCommand,
-    prefix: 'message_ip_limiter:',
-  });
-  const userStore = new RedisStore({
-    sendCommand,
-    prefix: 'message_user_limiter:',
-  });
-  ipLimiterOptions.store = ipStore;
-  userLimiterOptions.store = userStore;
-}
-
 /**
 * Message request rate limiter by IP
 */
--- a/api/server/middleware/limiters/registerLimiter.js
+++ b/api/server/middleware/limiters/registerLimiter.js
@@ -1,9 +1,8 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
-const { removePorts, isEnabled } = require('~/server/utils');
-const ioredisClient = require('~/cache/ioredisClient');
+const { ViolationTypes } = require('librechat-data-provider');
+const { removePorts } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');

 const { REGISTER_WINDOW = 60, REGISTER_MAX = 5, REGISTRATION_VIOLATION_SCORE: score } = process.env;
 const windowMs = REGISTER_WINDOW * 60 * 1000;
@@ -12,7 +11,7 @@ const windowInMinutes = windowMs / 60000;
 const message = `Too many accounts created, please try again after ${windowInMinutes} minutes`;

 const handler = async (req, res) => {
-  const type = 'registrations';
+  const type = ViolationTypes.REGISTRATIONS;
  const errorMessage = {
    type,
    max,
@@ -28,17 +27,9 @@ const limiterOptions = {
  max,
  handler,
  keyGenerator: removePorts,
+  store: limiterCache('register_limiter'),
 };

-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for register rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'register_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const registerLimiter = rateLimit(limiterOptions);

 module.exports = registerLimiter;
--- a/api/server/middleware/limiters/resetPasswordLimiter.js
+++ b/api/server/middleware/limiters/resetPasswordLimiter.js
@@ -1,10 +1,8 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const { removePorts, isEnabled } = require('~/server/utils');
-const ioredisClient = require('~/cache/ioredisClient');
+const { removePorts } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');

 const {
  RESET_PASSWORD_WINDOW = 2,
@@ -33,17 +31,9 @@ const limiterOptions = {
  max,
  handler,
  keyGenerator: removePorts,
+  store: limiterCache('reset_password_limiter'),
 };

-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for reset password rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'reset_password_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const resetPasswordLimiter = rateLimit(limiterOptions);

 module.exports = resetPasswordLimiter;
--- a/api/server/middleware/limiters/sttLimiters.js
+++ b/api/server/middleware/limiters/sttLimiters.js
@@ -1,16 +1,14 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
+const { limiterCache } = require('~/cache/cacheFactory');
 const logViolation = require('~/cache/logViolation');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');

 const getEnvironmentVariables = () => {
  const STT_IP_MAX = parseInt(process.env.STT_IP_MAX) || 100;
  const STT_IP_WINDOW = parseInt(process.env.STT_IP_WINDOW) || 1;
  const STT_USER_MAX = parseInt(process.env.STT_USER_MAX) || 50;
  const STT_USER_WINDOW = parseInt(process.env.STT_USER_WINDOW) || 1;
+  const STT_VIOLATION_SCORE = process.env.STT_VIOLATION_SCORE;

  const sttIpWindowMs = STT_IP_WINDOW * 60 * 1000;
  const sttIpMax = STT_IP_MAX;
@@ -27,11 +25,12 @@ const getEnvironmentVariables = () => {
    sttUserWindowMs,
    sttUserMax,
    sttUserWindowInMinutes,
+    sttViolationScore: STT_VIOLATION_SCORE,
  };
 };

 const createSTTHandler = (ip = true) => {
-  const { sttIpMax, sttIpWindowInMinutes, sttUserMax, sttUserWindowInMinutes } =
+  const { sttIpMax, sttIpWindowInMinutes, sttUserMax, sttUserWindowInMinutes, sttViolationScore } =
    getEnvironmentVariables();

  return async (req, res) => {
@@ -43,7 +42,7 @@ const createSTTHandler = (ip = true) => {
      windowInMinutes: ip ? sttIpWindowInMinutes : sttUserWindowInMinutes,
    };

-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, sttViolationScore);
    res.status(429).json({ message: 'Too many STT requests. Try again later' });
  };
 };
@@ -55,6 +54,7 @@ const createSTTLimiters = () => {
    windowMs: sttIpWindowMs,
    max: sttIpMax,
    handler: createSTTHandler(),
+    store: limiterCache('stt_ip_limiter'),
  };

  const userLimiterOptions = {
@@ -64,23 +64,9 @@ const createSTTLimiters = () => {
    keyGenerator: function (req) {
      return req.user?.id; // Use the user ID or NULL if not available
    },
+    store: limiterCache('stt_user_limiter'),
  };

-  if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-    logger.debug('Using Redis for STT rate limiters.');
-    const sendCommand = (...args) => ioredisClient.call(...args);
-    const ipStore = new RedisStore({
-      sendCommand,
-      prefix: 'stt_ip_limiter:',
-    });
-    const userStore = new RedisStore({
-      sendCommand,
-      prefix: 'stt_user_limiter:',
-    });
-    ipLimiterOptions.store = ipStore;
-    userLimiterOptions.store = userStore;
-  }
-
  const sttIpLimiter = rateLimit(ipLimiterOptions);
  const sttUserLimiter = rateLimit(userLimiterOptions);

--- a/api/server/middleware/limiters/toolCallLimiter.js
+++ b/api/server/middleware/limiters/toolCallLimiter.js
@@ -1,10 +1,9 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
+const { limiterCache } = require('~/cache/cacheFactory');
 const logViolation = require('~/cache/logViolation');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');
+
+const { TOOL_CALL_VIOLATION_SCORE: score } = process.env;

 const handler = async (req, res) => {
  const type = ViolationTypes.TOOL_CALL_LIMIT;
@@ -15,7 +14,7 @@ const handler = async (req, res) => {
    windowInMinutes: 1,
  };

-  await logViolation(req, res, type, errorMessage, 0);
+  await logViolation(req, res, type, errorMessage, score);
  res.status(429).json({ message: 'Too many tool call requests. Try again later' });
 };

@@ -26,17 +25,9 @@ const limiterOptions = {
  keyGenerator: function (req) {
    return req.user?.id;
  },
+  store: limiterCache('tool_call_limiter'),
 };

-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for tool call rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'tool_call_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const toolCallLimiter = rateLimit(limiterOptions);

 module.exports = toolCallLimiter;
--- a/api/server/middleware/limiters/ttsLimiters.js
+++ b/api/server/middleware/limiters/ttsLimiters.js
@@ -1,16 +1,14 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
 const logViolation = require('~/cache/logViolation');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');
+const { limiterCache } = require('~/cache/cacheFactory');

 const getEnvironmentVariables = () => {
  const TTS_IP_MAX = parseInt(process.env.TTS_IP_MAX) || 100;
  const TTS_IP_WINDOW = parseInt(process.env.TTS_IP_WINDOW) || 1;
  const TTS_USER_MAX = parseInt(process.env.TTS_USER_MAX) || 50;
  const TTS_USER_WINDOW = parseInt(process.env.TTS_USER_WINDOW) || 1;
+  const TTS_VIOLATION_SCORE = process.env.TTS_VIOLATION_SCORE;

  const ttsIpWindowMs = TTS_IP_WINDOW * 60 * 1000;
  const ttsIpMax = TTS_IP_MAX;
@@ -27,11 +25,12 @@ const getEnvironmentVariables = () => {
    ttsUserWindowMs,
    ttsUserMax,
    ttsUserWindowInMinutes,
+    ttsViolationScore: TTS_VIOLATION_SCORE,
  };
 };

 const createTTSHandler = (ip = true) => {
-  const { ttsIpMax, ttsIpWindowInMinutes, ttsUserMax, ttsUserWindowInMinutes } =
+  const { ttsIpMax, ttsIpWindowInMinutes, ttsUserMax, ttsUserWindowInMinutes, ttsViolationScore } =
    getEnvironmentVariables();

  return async (req, res) => {
@@ -43,7 +42,7 @@ const createTTSHandler = (ip = true) => {
      windowInMinutes: ip ? ttsIpWindowInMinutes : ttsUserWindowInMinutes,
    };

-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, ttsViolationScore);
    res.status(429).json({ message: 'Too many TTS requests. Try again later' });
  };
 };
@@ -55,32 +54,19 @@ const createTTSLimiters = () => {
    windowMs: ttsIpWindowMs,
    max: ttsIpMax,
    handler: createTTSHandler(),
+    store: limiterCache('tts_ip_limiter'),
  };

  const userLimiterOptions = {
    windowMs: ttsUserWindowMs,
    max: ttsUserMax,
    handler: createTTSHandler(false),
+    store: limiterCache('tts_user_limiter'),
    keyGenerator: function (req) {
      return req.user?.id; // Use the user ID or NULL if not available
    },
  };

-  if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-    logger.debug('Using Redis for TTS rate limiters.');
-    const sendCommand = (...args) => ioredisClient.call(...args);
-    const ipStore = new RedisStore({
-      sendCommand,
-      prefix: 'tts_ip_limiter:',
-    });
-    const userStore = new RedisStore({
-      sendCommand,
-      prefix: 'tts_user_limiter:',
-    });
-    ipLimiterOptions.store = ipStore;
-    userLimiterOptions.store = userStore;
-  }
-
  const ttsIpLimiter = rateLimit(ipLimiterOptions);
  const ttsUserLimiter = rateLimit(userLimiterOptions);

--- a/api/server/middleware/limiters/uploadLimiters.js
+++ b/api/server/middleware/limiters/uploadLimiters.js
@@ -1,16 +1,14 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const ioredisClient = require('~/cache/ioredisClient');
+const { limiterCache } = require('~/cache/cacheFactory');
 const logViolation = require('~/cache/logViolation');
-const { isEnabled } = require('~/server/utils');
-const { logger } = require('~/config');

 const getEnvironmentVariables = () => {
  const FILE_UPLOAD_IP_MAX = parseInt(process.env.FILE_UPLOAD_IP_MAX) || 100;
  const FILE_UPLOAD_IP_WINDOW = parseInt(process.env.FILE_UPLOAD_IP_WINDOW) || 15;
  const FILE_UPLOAD_USER_MAX = parseInt(process.env.FILE_UPLOAD_USER_MAX) || 50;
  const FILE_UPLOAD_USER_WINDOW = parseInt(process.env.FILE_UPLOAD_USER_WINDOW) || 15;
+  const FILE_UPLOAD_VIOLATION_SCORE = process.env.FILE_UPLOAD_VIOLATION_SCORE;

  const fileUploadIpWindowMs = FILE_UPLOAD_IP_WINDOW * 60 * 1000;
  const fileUploadIpMax = FILE_UPLOAD_IP_MAX;
@@ -27,6 +25,7 @@ const getEnvironmentVariables = () => {
    fileUploadUserWindowMs,
    fileUploadUserMax,
    fileUploadUserWindowInMinutes,
+    fileUploadViolationScore: FILE_UPLOAD_VIOLATION_SCORE,
  };
 };

@@ -36,6 +35,7 @@ const createFileUploadHandler = (ip = true) => {
    fileUploadIpWindowInMinutes,
    fileUploadUserMax,
    fileUploadUserWindowInMinutes,
+    fileUploadViolationScore,
  } = getEnvironmentVariables();

  return async (req, res) => {
@@ -47,7 +47,7 @@ const createFileUploadHandler = (ip = true) => {
      windowInMinutes: ip ? fileUploadIpWindowInMinutes : fileUploadUserWindowInMinutes,
    };

-    await logViolation(req, res, type, errorMessage);
+    await logViolation(req, res, type, errorMessage, fileUploadViolationScore);
    res.status(429).json({ message: 'Too many file upload requests. Try again later' });
  };
 };
@@ -60,6 +60,7 @@ const createFileLimiters = () => {
    windowMs: fileUploadIpWindowMs,
    max: fileUploadIpMax,
    handler: createFileUploadHandler(),
+    store: limiterCache('file_upload_ip_limiter'),
  };

  const userLimiterOptions = {
@@ -69,23 +70,9 @@ const createFileLimiters = () => {
    keyGenerator: function (req) {
      return req.user?.id; // Use the user ID or NULL if not available
    },
+    store: limiterCache('file_upload_user_limiter'),
  };

-  if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-    logger.debug('Using Redis for file upload rate limiters.');
-    const sendCommand = (...args) => ioredisClient.call(...args);
-    const ipStore = new RedisStore({
-      sendCommand,
-      prefix: 'file_upload_ip_limiter:',
-    });
-    const userStore = new RedisStore({
-      sendCommand,
-      prefix: 'file_upload_user_limiter:',
-    });
-    ipLimiterOptions.store = ipStore;
-    userLimiterOptions.store = userStore;
-  }
-
  const fileUploadIpLimiter = rateLimit(ipLimiterOptions);
  const fileUploadUserLimiter = rateLimit(userLimiterOptions);

--- a/api/server/middleware/limiters/verifyEmailLimiter.js
+++ b/api/server/middleware/limiters/verifyEmailLimiter.js
@@ -1,10 +1,8 @@
 const rateLimit = require('express-rate-limit');
-const { RedisStore } = require('rate-limit-redis');
 const { ViolationTypes } = require('librechat-data-provider');
-const { removePorts, isEnabled } = require('~/server/utils');
-const ioredisClient = require('~/cache/ioredisClient');
+const { removePorts } = require('~/server/utils');
+const { limiterCache } = require('~/cache/cacheFactory');
 const { logViolation } = require('~/cache');
-const { logger } = require('~/config');

 const {
  VERIFY_EMAIL_WINDOW = 2,
@@ -33,17 +31,9 @@ const limiterOptions = {
  max,
  handler,
  keyGenerator: removePorts,
+  store: limiterCache('verify_email_limiter'),
 };

-if (isEnabled(process.env.USE_REDIS) && ioredisClient) {
-  logger.debug('Using Redis for verify email rate limiter.');
-  const store = new RedisStore({
-    sendCommand: (...args) => ioredisClient.call(...args),
-    prefix: 'verify_email_limiter:',
-  });
-  limiterOptions.store = store;
-}
-
 const verifyEmailLimiter = rateLimit(limiterOptions);

 module.exports = verifyEmailLimiter;
--- a/api/server/middleware/roles/access.js
+++ b/api/server/middleware/roles/access.js
@@ -1,78 +0,0 @@
-const { getRoleByName } = require('~/models/Role');
-const { logger } = require('~/config');
-
-/**
- * Core function to check if a user has one or more required permissions
- *
- * @param {object} user - The user object
- * @param {PermissionTypes} permissionType - The type of permission to check
- * @param {Permissions[]} permissions - The list of specific permissions to check
- * @param {Record<Permissions, string[]>} [bodyProps] - An optional object where keys are permissions and values are arrays of properties to check
- * @param {object} [checkObject] - The object to check properties against
- * @returns {Promise<boolean>} Whether the user has the required permissions
- */
-const checkAccess = async (user, permissionType, permissions, bodyProps = {}, checkObject = {}) => {
-  if (!user) {
-    return false;
-  }
-
-  const role = await getRoleByName(user.role);
-  if (role && role.permissions && role.permissions[permissionType]) {
-    const hasAnyPermission = permissions.some((permission) => {
-      if (role.permissions[permissionType][permission]) {
-        return true;
-      }
-
-      if (bodyProps[permission] && checkObject) {
-        return bodyProps[permission].some((prop) =>
-          Object.prototype.hasOwnProperty.call(checkObject, prop),
-        );
-      }
-
-      return false;
-    });
-
-    return hasAnyPermission;
-  }
-
-  return false;
-};
-
-/**
- * Middleware to check if a user has one or more required permissions, optionally based on `req.body` properties.
- *
- * @param {PermissionTypes} permissionType - The type of permission to check.
- * @param {Permissions[]} permissions - The list of specific permissions to check.
- * @param {Record<Permissions, string[]>} [bodyProps] - An optional object where keys are permissions and values are arrays of `req.body` properties to check.
- * @returns {(req: ServerRequest, res: ServerResponse, next: NextFunction) => Promise<void>} Express middleware function.
- */
-const generateCheckAccess = (permissionType, permissions, bodyProps = {}) => {
-  return async (req, res, next) => {
-    try {
-      const hasAccess = await checkAccess(
-        req.user,
-        permissionType,
-        permissions,
-        bodyProps,
-        req.body,
-      );
-
-      if (hasAccess) {
-        return next();
-      }
-
-      logger.warn(
-        `[${permissionType}] Forbidden: Insufficient permissions for User ${req.user.id}: ${permissions.join(', ')}`,
-      );
-      return res.status(403).json({ message: 'Forbidden: Insufficient permissions' });
-    } catch (error) {
-      logger.error(error);
-      return res.status(500).json({ message: `Server error: ${error.message}` });
-    }
-  };
-};
-
-module.exports = {
-  checkAccess,
-  generateCheckAccess,
-};
--- a/api/server/middleware/roles/access.spec.js
+++ b/api/server/middleware/roles/access.spec.js
@@ -0,0 +1,370 @@
+const mongoose = require('mongoose');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { checkAccess, generateCheckAccess } = require('@librechat/api');
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { Role } = require('~/db/models');
+
+// Mock the logger from @librechat/data-schemas
+jest.mock('@librechat/data-schemas', () => ({
+  ...jest.requireActual('@librechat/data-schemas'),
+  logger: {
+    warn: jest.fn(),
+    error: jest.fn(),
+    info: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+// Mock the cache to use a simple in-memory implementation
+const mockCache = new Map();
+jest.mock('~/cache/getLogStores', () => {
+  return jest.fn(() => ({
+    get: jest.fn(async (key) => mockCache.get(key)),
+    set: jest.fn(async (key, value) => mockCache.set(key, value)),
+    clear: jest.fn(async () => mockCache.clear()),
+  }));
+});
+
+describe('Access Middleware', () => {
+  let mongoServer;
+  let req, res, next;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+  });
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    await mongoose.connection.dropDatabase();
+    mockCache.clear(); // Clear the cache between tests
+
+    // Create test roles
+    await Role.create({
+      name: 'user',
+      permissions: {
+        [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.SHARED_GLOBAL]: false,
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+        },
+        [PermissionTypes.MEMORIES]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.UPDATE]: true,
+          [Permissions.READ]: true,
+          [Permissions.OPT_OUT]: true,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: false,
+          [Permissions.SHARED_GLOBAL]: false,
+        },
+        [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
+        [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
+        [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+        [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      },
+    });
+
+    await Role.create({
+      name: 'admin',
+      permissions: {
+        [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.SHARED_GLOBAL]: true,
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+        },
+        [PermissionTypes.MEMORIES]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.UPDATE]: true,
+          [Permissions.READ]: true,
+          [Permissions.OPT_OUT]: true,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.SHARED_GLOBAL]: true,
+        },
+        [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
+        [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
+        [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+        [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      },
+    });
+
+    // Create limited role with no AGENTS permissions
+    await Role.create({
+      name: 'limited',
+      permissions: {
+        // Explicitly set AGENTS permissions to false
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: false,
+          [Permissions.CREATE]: false,
+          [Permissions.SHARED_GLOBAL]: false,
+        },
+        // Has permissions for other types
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.USE]: true,
+        },
+      },
+    });
+
+    req = {
+      user: { id: 'user123', role: 'user' },
+      body: {},
+      originalUrl: '/test',
+    };
+    res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    next = jest.fn();
+    jest.clearAllMocks();
+  });
+
+  describe('checkAccess', () => {
+    test('should return false if user is not provided', async () => {
+      const result = await checkAccess({
+        user: null,
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return true if user has required permission', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should return false if user lacks required permission', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return false if user has only some of multiple permissions', async () => {
+      // User has USE but not CREATE, so should fail when checking for both
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE, Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return true if user has all of multiple permissions', async () => {
+      // Admin has both USE and CREATE
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE, Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should check body properties when permission is not directly granted', async () => {
+      const req = { body: { id: 'agent123' } };
+      const result = await checkAccess({
+        req,
+        user: { id: 'user123', role: 'user' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.UPDATE],
+        bodyProps: {
+          [Permissions.UPDATE]: ['id'],
+        },
+        checkObject: req.body,
+        getRoleByName,
+      });
+      expect(result).toBe(true);
+    });
+
+    test('should return false if role is not found', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'nonexistent' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should return false if role has no permissions for the requested type', async () => {
+      const result = await checkAccess({
+        req: {},
+        user: { id: 'user123', role: 'limited' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      expect(result).toBe(false);
+    });
+
+    test('should handle admin role with all permissions', async () => {
+      const createResult = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      expect(createResult).toBe(true);
+
+      const shareResult = await checkAccess({
+        req: {},
+        user: { id: 'admin123', role: 'admin' },
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.SHARED_GLOBAL],
+        getRoleByName,
+      });
+      expect(shareResult).toBe(true);
+    });
+  });
+
+  describe('generateCheckAccess', () => {
+    test('should call next() when user has required permission', async () => {
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should return 403 when user lacks permission', async () => {
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+
+    test('should check body properties when configured', async () => {
+      req.body = { agentId: 'agent123', description: 'test' };
+
+      const bodyProps = {
+        [Permissions.CREATE]: ['agentId'],
+      };
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.CREATE],
+        bodyProps,
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should handle database errors gracefully', async () => {
+      // Mock getRoleByName to throw an error
+      const mockGetRoleByName = jest
+        .fn()
+        .mockRejectedValue(new Error('Database connection failed'));
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName: mockGetRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        message: expect.stringContaining('Server error:'),
+      });
+    });
+
+    test('should work with multiple permission types', async () => {
+      req.user.role = 'admin';
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE, Permissions.CREATE, Permissions.SHARED_GLOBAL],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+    });
+
+    test('should handle missing user gracefully', async () => {
+      req.user = null;
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+
+    test('should handle role with no AGENTS permissions', async () => {
+      await Role.create({
+        name: 'noaccess',
+        permissions: {
+          // Explicitly set AGENTS with all permissions false
+          [PermissionTypes.AGENTS]: {
+            [Permissions.USE]: false,
+            [Permissions.CREATE]: false,
+            [Permissions.SHARED_GLOBAL]: false,
+          },
+        },
+      });
+      req.user.role = 'noaccess';
+
+      const middleware = generateCheckAccess({
+        permissionType: PermissionTypes.AGENTS,
+        permissions: [Permissions.USE],
+        getRoleByName,
+      });
+      await middleware(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
+    });
+  });
+});
--- a/api/server/middleware/roles/index.js
+++ b/api/server/middleware/roles/index.js
@@ -1,8 +1,5 @@
 const checkAdmin = require('./admin');
-const { checkAccess, generateCheckAccess } = require('./access');

 module.exports = {
  checkAdmin,
-  checkAccess,
-  generateCheckAccess,
 };
--- a/api/server/middleware/uaParser.js
+++ b/api/server/middleware/uaParser.js
@@ -1,5 +1,6 @@
 const uap = require('ua-parser-js');
-const { handleError } = require('../utils');
+const { ViolationTypes } = require('librechat-data-provider');
+const { handleError } = require('@librechat/api');
 const { logViolation } = require('../../cache');

 /**
@@ -21,7 +22,7 @@ async function uaParser(req, res, next) {
  const ua = uap(req.headers['user-agent']);

  if (!ua.browser.name) {
-    const type = 'non_browser';
+    const type = ViolationTypes.NON_BROWSER;
    await logViolation(req, res, type, { type }, score);
    return handleError(res, { message: 'Illegal request' });
  }
--- a/api/server/middleware/validateEndpoint.js
+++ b/api/server/middleware/validateEndpoint.js
@@ -1,4 +1,4 @@
-const { handleError } = require('../utils');
+const { handleError } = require('@librechat/api');

 function validateEndpoint(req, res, next) {
  const { endpoint: _endpoint, endpointType } = req.body;
--- a/api/server/middleware/validateModel.js
+++ b/api/server/middleware/validateModel.js
@@ -1,6 +1,6 @@
+const { handleError } = require('@librechat/api');
 const { ViolationTypes } = require('librechat-data-provider');
 const { getModelsConfig } = require('~/server/controllers/ModelController');
-const { handleError } = require('~/server/utils');
 const { logViolation } = require('~/cache');
 /**
 * Validates the model of the request.
--- a/api/server/routes/tests/static.spec.js
+++ b/api/server/routes/tests/static.spec.js
@@ -0,0 +1,162 @@
+const fs = require('fs');
+const path = require('path');
+const express = require('express');
+const request = require('supertest');
+const zlib = require('zlib');
+
+// Create test setup
+const mockTestDir = path.join(__dirname, 'test-static-route');
+
+// Mock the paths module to point to our test directory
+jest.mock('~/config/paths', () => ({
+  imageOutput: mockTestDir,
+}));
+
+describe('Static Route Integration', () => {
+  let app;
+  let staticRoute;
+  let testDir;
+  let testImagePath;
+
+  beforeAll(() => {
+    // Create a test directory and files
+    testDir = mockTestDir;
+    testImagePath = path.join(testDir, 'test-image.jpg');
+
+    if (!fs.existsSync(testDir)) {
+      fs.mkdirSync(testDir, { recursive: true });
+    }
+
+    // Create a test image file
+    fs.writeFileSync(testImagePath, 'fake-image-data');
+
+    // Create a gzipped version of the test image (for gzip scanning tests)
+    fs.writeFileSync(testImagePath + '.gz', zlib.gzipSync('fake-image-data'));
+  });
+
+  afterAll(() => {
+    // Clean up test files
+    if (fs.existsSync(testDir)) {
+      fs.rmSync(testDir, { recursive: true, force: true });
+    }
+  });
+
+  // Helper function to set up static route with specific config
+  const setupStaticRoute = (skipGzipScan = false) => {
+    if (skipGzipScan) {
+      delete process.env.ENABLE_IMAGE_OUTPUT_GZIP_SCAN;
+    } else {
+      process.env.ENABLE_IMAGE_OUTPUT_GZIP_SCAN = 'true';
+    }
+
+    staticRoute = require('../static');
+    app.use('/images', staticRoute);
+  };
+
+  beforeEach(() => {
+    // Clear the module cache to get fresh imports
+    jest.resetModules();
+
+    app = express();
+
+    // Clear environment variables
+    delete process.env.ENABLE_IMAGE_OUTPUT_GZIP_SCAN;
+    delete process.env.NODE_ENV;
+  });
+
+  describe('route functionality', () => {
+    it('should serve static image files', async () => {
+      process.env.NODE_ENV = 'production';
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/test-image.jpg').expect(200);
+
+      expect(response.body.toString()).toBe('fake-image-data');
+    });
+
+    it('should return 404 for non-existent files', async () => {
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/nonexistent.jpg');
+      expect(response.status).toBe(404);
+    });
+  });
+
+  describe('cache behavior', () => {
+    it('should set cache headers for images in production', async () => {
+      process.env.NODE_ENV = 'production';
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/test-image.jpg').expect(200);
+
+      expect(response.headers['cache-control']).toBe('public, max-age=172800, s-maxage=86400');
+    });
+
+    it('should not set cache headers in development', async () => {
+      process.env.NODE_ENV = 'development';
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/test-image.jpg').expect(200);
+
+      // Our middleware should not set the production cache-control header in development
+      expect(response.headers['cache-control']).not.toBe('public, max-age=172800, s-maxage=86400');
+    });
+  });
+
+  describe('gzip compression behavior', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+    });
+
+    it('should serve gzipped files when gzip scanning is enabled', async () => {
+      setupStaticRoute(false); // Enable gzip scanning
+
+      const response = await request(app)
+        .get('/images/test-image.jpg')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBe('gzip');
+      expect(response.body.toString()).toBe('fake-image-data');
+    });
+
+    it('should not serve gzipped files when gzip scanning is disabled', async () => {
+      setupStaticRoute(true); // Disable gzip scanning
+
+      const response = await request(app)
+        .get('/images/test-image.jpg')
+        .set('Accept-Encoding', 'gzip')
+        .expect(200);
+
+      expect(response.headers['content-encoding']).toBeUndefined();
+      expect(response.body.toString()).toBe('fake-image-data');
+    });
+  });
+
+  describe('path configuration', () => {
+    it('should use the configured imageOutput path', async () => {
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/test-image.jpg').expect(200);
+
+      expect(response.body.toString()).toBe('fake-image-data');
+    });
+
+    it('should serve from subdirectories', async () => {
+      // Create a subdirectory with a file
+      const subDir = path.join(testDir, 'thumbs');
+      fs.mkdirSync(subDir, { recursive: true });
+      const thumbPath = path.join(subDir, 'thumb.jpg');
+      fs.writeFileSync(thumbPath, 'thumbnail-data');
+
+      setupStaticRoute();
+
+      const response = await request(app).get('/images/thumbs/thumb.jpg').expect(200);
+
+      expect(response.body.toString()).toBe('thumbnail-data');
+
+      // Clean up
+      fs.rmSync(subDir, { recursive: true, force: true });
+    });
+  });
+});
--- a/api/server/routes/accessPermissions.js
+++ b/api/server/routes/accessPermissions.js
@@ -0,0 +1,63 @@
+const express = require('express');
+const { PermissionBits } = require('@librechat/data-schemas');
+const {
+  getUserEffectivePermissions,
+  updateResourcePermissions,
+  getResourcePermissions,
+  getResourceRoles,
+  searchPrincipals,
+} = require('~/server/controllers/PermissionsController');
+const { requireJwtAuth, checkBan, uaParser, canAccessResource } = require('~/server/middleware');
+const { checkPeoplePickerAccess } = require('~/server/middleware/checkPeoplePickerAccess');
+
+const router = express.Router();
+
+// Apply common middleware
+router.use(requireJwtAuth);
+router.use(checkBan);
+router.use(uaParser);
+
+/**
+ * Generic routes for resource permissions
+ * Pattern: /api/permissions/{resourceType}/{resourceId}
+ */
+
+/**
+ * GET /api/permissions/search-principals
+ * Search for users and groups to grant permissions
+ */
+router.get('/search-principals', checkPeoplePickerAccess, searchPrincipals);
+
+/**
+ * GET /api/permissions/{resourceType}/roles
+ * Get available roles for a resource type
+ */
+router.get('/:resourceType/roles', getResourceRoles);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}
+ * Get all permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId', getResourcePermissions);
+
+/**
+ * PUT /api/permissions/{resourceType}/{resourceId}
+ * Bulk update permissions for a specific resource
+ */
+router.put(
+  '/:resourceType/:resourceId',
+  canAccessResource({
+    resourceType: 'agent',
+    requiredPermission: PermissionBits.SHARE,
+    resourceIdParam: 'resourceId',
+  }),
+  updateResourcePermissions,
+);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}/effective
+ * Get user's effective permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId/effective', getUserEffectivePermissions);
+
+module.exports = router;
--- a/api/server/routes/agents/actions.js
+++ b/api/server/routes/agents/actions.js
@@ -1,19 +1,29 @@
 const express = require('express');
 const { nanoid } = require('nanoid');
-const { actionDelimiter, SystemRoles, removeNullishValues } = require('librechat-data-provider');
+const { generateCheckAccess } = require('@librechat/api');
+const { logger, PermissionBits } = require('@librechat/data-schemas');
+const {
+  Permissions,
+  PermissionTypes,
+  actionDelimiter,
+  removeNullishValues,
+} = require('librechat-data-provider');
 const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
+const { findAccessibleResources } = require('~/server/services/PermissionService');
 const { updateAction, getActions, deleteAction } = require('~/models/Action');
 const { isActionDomainAllowed } = require('~/server/services/domains');
+const { canAccessAgentResource } = require('~/server/middleware');
 const { getAgent, updateAgent } = require('~/models/Agent');
-const { logger } = require('~/config');
+const { getRoleByName } = require('~/models/Role');
+const { getListAgentsByAccess } = require('~/models/Agent');

 const router = express.Router();

-// If the user has ADMIN role
-// then action edition is possible even if not owner of the assistant
-const isAdmin = (req) => {
-  return req.user.role === SystemRoles.ADMIN;
-};
+const checkAgentCreate = generateCheckAccess({
+  permissionType: PermissionTypes.AGENTS,
+  permissions: [Permissions.USE, Permissions.CREATE],
+  getRoleByName,
+});

 /**
 * Retrieves all user's actions
@@ -23,10 +33,22 @@ const isAdmin = (req) => {
 */
 router.get('/', async (req, res) => {
  try {
-    const admin = isAdmin(req);
-    // If admin, get all actions, otherwise only user's actions
-    const searchParams = admin ? {} : { user: req.user.id };
-    res.json(await getActions(searchParams));
+    const userId = req.user.id;
+    const editableAgentObjectIds = await findAccessibleResources({
+      userId,
+      resourceType: 'agent',
+      requiredPermissions: PermissionBits.EDIT,
+    });
+
+    const agentsResponse = await getListAgentsByAccess({
+      accessibleIds: editableAgentObjectIds,
+    });
+
+    const editableAgentIds = agentsResponse.data.map((agent) => agent.id);
+    const actions =
+      editableAgentIds.length > 0 ? await getActions({ agent_id: { $in: editableAgentIds } }) : [];
+
+    res.json(actions);
  } catch (error) {
    res.status(500).json({ error: error.message });
  }
@@ -41,106 +63,111 @@ router.get('/', async (req, res) => {
 * @param {ActionMetadata} req.body.metadata - Metadata for the action.
 * @returns {Object} 200 - success response - application/json
 */
-router.post('/:agent_id', async (req, res) => {
-  try {
-    const { agent_id } = req.params;
+router.post(
+  '/:agent_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  checkAgentCreate,
+  async (req, res) => {
+    try {
+      const { agent_id } = req.params;

-    /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
-    const { functions, action_id: _action_id, metadata: _metadata } = req.body;
-    if (!functions.length) {
-      return res.status(400).json({ message: 'No functions provided' });
-    }
-
-    let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
-    const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
-    if (!isDomainAllowed) {
-      return res.status(400).json({ message: 'Domain not allowed' });
-    }
-
-    let { domain } = metadata;
-    domain = await domainParser(domain, true);
-
-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
-    }
-
-    const action_id = _action_id ?? nanoid();
-    const initialPromises = [];
-    const admin = isAdmin(req);
-
-    // If admin, can edit any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    // TODO: share agents
-    initialPromises.push(getAgent(agentQuery));
-    if (_action_id) {
-      initialPromises.push(getActions({ action_id }, true));
-    }
-
-    /** @type {[Agent, [Action|undefined]]} */
-    const [agent, actions_result] = await Promise.all(initialPromises);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for adding action' });
-    }
-
-    if (actions_result && actions_result.length) {
-      const action = actions_result[0];
-      metadata = { ...action.metadata, ...metadata };
-    }
-
-    const { actions: _actions = [], author: agent_author } = agent ?? {};
-    const actions = [];
-    for (const action of _actions) {
-      const [_action_domain, current_action_id] = action.split(actionDelimiter);
-      if (current_action_id === action_id) {
-        continue;
+      /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
+      const { functions, action_id: _action_id, metadata: _metadata } = req.body;
+      if (!functions.length) {
+        return res.status(400).json({ message: 'No functions provided' });
      }

-      actions.push(action);
-    }
-
-    actions.push(`${domain}${actionDelimiter}${action_id}`);
-
-    /** @type {string[]}} */
-    const { tools: _tools = [] } = agent;
-
-    const tools = _tools
-      .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
-      .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
-
-    // Force version update since actions are changing
-    const updatedAgent = await updateAgent(
-      agentQuery,
-      { tools, actions },
-      {
-        updatingUserId: req.user.id,
-        forceVersion: true,
-      },
-    );
-
-    // Only update user field for new actions
-    const actionUpdateData = { metadata, agent_id };
-    if (!actions_result || !actions_result.length) {
-      // For new actions, use the agent owner's user ID
-      actionUpdateData.user = agent_author || req.user.id;
-    }
-
-    /** @type {[Action]} */
-    const updatedAction = await updateAction({ action_id }, actionUpdateData);
-
-    const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
-    for (let field of sensitiveFields) {
-      if (updatedAction.metadata[field]) {
-        delete updatedAction.metadata[field];
+      let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
+      const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
+      if (!isDomainAllowed) {
+        return res.status(400).json({ message: 'Domain not allowed' });
      }
-    }

-    res.json([updatedAgent, updatedAction]);
-  } catch (error) {
-    const message = 'Trouble updating the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+      let { domain } = metadata;
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const action_id = _action_id ?? nanoid();
+      const initialPromises = [];
+
+      // Permissions already validated by middleware - load agent directly
+      initialPromises.push(getAgent({ id: agent_id }));
+      if (_action_id) {
+        initialPromises.push(getActions({ action_id }, true));
+      }
+
+      /** @type {[Agent, [Action|undefined]]} */
+      const [agent, actions_result] = await Promise.all(initialPromises);
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for adding action' });
+      }
+
+      if (actions_result && actions_result.length) {
+        const action = actions_result[0];
+        metadata = { ...action.metadata, ...metadata };
+      }
+
+      const { actions: _actions = [], author: agent_author } = agent ?? {};
+      const actions = [];
+      for (const action of _actions) {
+        const [_action_domain, current_action_id] = action.split(actionDelimiter);
+        if (current_action_id === action_id) {
+          continue;
+        }
+
+        actions.push(action);
+      }
+
+      actions.push(`${domain}${actionDelimiter}${action_id}`);
+
+      /** @type {string[]}} */
+      const { tools: _tools = [] } = agent;
+
+      const tools = _tools
+        .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
+        .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
+
+      // Force version update since actions are changing
+      const updatedAgent = await updateAgent(
+        { id: agent_id },
+        { tools, actions },
+        {
+          updatingUserId: req.user.id,
+          forceVersion: true,
+        },
+      );
+
+      // Only update user field for new actions
+      const actionUpdateData = { metadata, agent_id };
+      if (!actions_result || !actions_result.length) {
+        // For new actions, use the agent owner's user ID
+        actionUpdateData.user = agent_author || req.user.id;
+      }
+
+      /** @type {[Action]} */
+      const updatedAction = await updateAction({ action_id }, actionUpdateData);
+
+      const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
+      for (let field of sensitiveFields) {
+        if (updatedAction.metadata[field]) {
+          delete updatedAction.metadata[field];
+        }
+      }
+
+      res.json([updatedAgent, updatedAction]);
+    } catch (error) {
+      const message = 'Trouble updating the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
+    }
+  },
+);

 /**
 * Deletes an action for a specific agent.
@@ -149,52 +176,56 @@ router.post('/:agent_id', async (req, res) => {
 * @param {string} req.params.action_id - The ID of the action to delete.
 * @returns {Object} 200 - success response - application/json
 */
-router.delete('/:agent_id/:action_id', async (req, res) => {
-  try {
-    const { agent_id, action_id } = req.params;
-    const admin = isAdmin(req);
+router.delete(
+  '/:agent_id/:action_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  checkAgentCreate,
+  async (req, res) => {
+    try {
+      const { agent_id, action_id } = req.params;

-    // If admin, can delete any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    const agent = await getAgent(agentQuery);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for deleting action' });
-    }
-
-    const { tools = [], actions = [] } = agent;
-
-    let domain = '';
-    const updatedActions = actions.filter((action) => {
-      if (action.includes(action_id)) {
-        [domain] = action.split(actionDelimiter);
-        return false;
+      // Permissions already validated by middleware - load agent directly
+      const agent = await getAgent({ id: agent_id });
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for deleting action' });
      }
-      return true;
-    });

-    domain = await domainParser(domain, true);
+      const { tools = [], actions = [] } = agent;

-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
+      let domain = '';
+      const updatedActions = actions.filter((action) => {
+        if (action.includes(action_id)) {
+          [domain] = action.split(actionDelimiter);
+          return false;
+        }
+        return true;
+      });
+
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
+
+      // Force version update since actions are being removed
+      await updateAgent(
+        { id: agent_id },
+        { tools: updatedTools, actions: updatedActions },
+        { updatingUserId: req.user.id, forceVersion: true },
+      );
+      await deleteAction({ action_id });
+      res.status(200).json({ message: 'Action deleted successfully' });
+    } catch (error) {
+      const message = 'Trouble deleting the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
    }
-
-    const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
-
-    // Force version update since actions are being removed
-    await updateAgent(
-      agentQuery,
-      { tools: updatedTools, actions: updatedActions },
-      { updatingUserId: req.user.id, forceVersion: true },
-    );
-    // If admin, can delete any action, otherwise only user's actions
-    const actionQuery = admin ? { action_id } : { action_id, user: req.user.id };
-    await deleteAction(actionQuery);
-    res.status(200).json({ message: 'Action deleted successfully' });
-  } catch (error) {
-    const message = 'Trouble deleting the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+  },
+);

 module.exports = router;
--- a/api/server/routes/agents/chat.js
+++ b/api/server/routes/agents/chat.js
@@ -1,24 +1,36 @@
 const express = require('express');
+const { PermissionBits } = require('@librechat/data-schemas');
+const { generateCheckAccess, skipAgentCheck } = require('@librechat/api');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
 const {
  setHeaders,
  moderateText,
  // validateModel,
-  generateCheckAccess,
  validateConvoAccess,
  buildEndpointOption,
+  canAccessAgentFromBody,
 } = require('~/server/middleware');
 const { initializeClient } = require('~/server/services/Endpoints/agents');
 const AgentController = require('~/server/controllers/agents/request');
 const addTitle = require('~/server/services/Endpoints/agents/title');
+const { getRoleByName } = require('~/models/Role');

 const router = express.Router();

 router.use(moderateText);

-const checkAgentAccess = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.USE]);
+const checkAgentAccess = generateCheckAccess({
+  permissionType: PermissionTypes.AGENTS,
+  permissions: [Permissions.USE],
+  skipCheck: skipAgentCheck,
+  getRoleByName,
+});
+const checkAgentResourceAccess = canAccessAgentFromBody({
+  requiredPermission: PermissionBits.VIEW,
+});

 router.use(checkAgentAccess);
+router.use(checkAgentResourceAccess);
 router.use(validateConvoAccess);
 router.use(buildEndpointOption);
 router.use(setHeaders);
--- a/api/server/routes/agents/index.js
+++ b/api/server/routes/agents/index.js
@@ -37,4 +37,6 @@ if (isEnabled(LIMIT_MESSAGE_USER)) {
 chatRouter.use('/', chat);
 router.use('/chat', chatRouter);

+// Add marketplace routes
+
 module.exports = router;
--- a/api/server/routes/agents/v1.js
+++ b/api/server/routes/agents/v1.js
@@ -1,29 +1,37 @@
 const express = require('express');
+const { generateCheckAccess } = require('@librechat/api');
+const { PermissionBits } = require('@librechat/data-schemas');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
-const { requireJwtAuth, generateCheckAccess } = require('~/server/middleware');
+const { requireJwtAuth, canAccessAgentResource } = require('~/server/middleware');
 const v1 = require('~/server/controllers/agents/v1');
+const { getRoleByName } = require('~/models/Role');
 const actions = require('./actions');
 const tools = require('./tools');

 const router = express.Router();
 const avatar = express.Router();

-const checkAgentAccess = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.USE]);
-const checkAgentCreate = generateCheckAccess(PermissionTypes.AGENTS, [
-  Permissions.USE,
-  Permissions.CREATE,
-]);
+const checkAgentAccess = generateCheckAccess({
+  permissionType: PermissionTypes.AGENTS,
+  permissions: [Permissions.USE],
+  getRoleByName,
+});
+const checkAgentCreate = generateCheckAccess({
+  permissionType: PermissionTypes.AGENTS,
+  permissions: [Permissions.USE, Permissions.CREATE],
+  getRoleByName,
+});

-const checkGlobalAgentShare = generateCheckAccess(
-  PermissionTypes.AGENTS,
-  [Permissions.USE, Permissions.CREATE],
-  {
+const checkGlobalAgentShare = generateCheckAccess({
+  permissionType: PermissionTypes.AGENTS,
+  permissions: [Permissions.USE, Permissions.CREATE],
+  bodyProps: {
    [Permissions.SHARED_GLOBAL]: ['projectIds', 'removeProjectIds'],
  },
-);
+  getRoleByName,
+});

 router.use(requireJwtAuth);
-router.use(checkAgentAccess);

 /**
 * Agent actions route.
@@ -37,6 +45,11 @@ router.use('/actions', actions);
 */
 router.use('/tools', tools);

+/**
+ * Get all agent categories with counts
+ * @route GET /agents/marketplace/categories
+ */
+router.get('/categories', v1.getAgentCategories);
 /**
 * Creates an agent.
 * @route POST /agents
@@ -46,13 +59,38 @@ router.use('/tools', tools);
 router.post('/', checkAgentCreate, v1.createAgent);

 /**
- * Retrieves an agent.
+ * Retrieves basic agent information (VIEW permission required).
+ * Returns safe, non-sensitive agent data for viewing purposes.
 * @route GET /agents/:id
 * @param {string} req.params.id - Agent identifier.
- * @returns {Agent} 200 - Success response - application/json
+ * @returns {Agent} 200 - Basic agent info - application/json
 */
-router.get('/:id', checkAgentAccess, v1.getAgent);
+router.get(
+  '/:id',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.VIEW,
+    resourceIdParam: 'id',
+  }),
+  v1.getAgent,
+);

+/**
+ * Retrieves full agent details including sensitive configuration (EDIT permission required).
+ * Returns complete agent data for editing/configuration purposes.
+ * @route GET /agents/:id/expanded
+ * @param {string} req.params.id - Agent identifier.
+ * @returns {Agent} 200 - Full agent details - application/json
+ */
+router.get(
+  '/:id/expanded',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'id',
+  }),
+  (req, res) => v1.getAgent(req, res, true), // Expanded version
+);
 /**
 * Updates an agent.
 * @route PATCH /agents/:id
@@ -60,7 +98,15 @@ router.get('/:id', checkAgentAccess, v1.getAgent);
 * @param {AgentUpdateParams} req.body - The agent update parameters.
 * @returns {Agent} 200 - Success response - application/json
 */
-router.patch('/:id', checkGlobalAgentShare, v1.updateAgent);
+router.patch(
+  '/:id',
+  checkGlobalAgentShare,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'id',
+  }),
+  v1.updateAgent,
+);

 /**
 * Duplicates an agent.
@@ -68,7 +114,15 @@ router.patch('/:id', checkGlobalAgentShare, v1.updateAgent);
 * @param {string} req.params.id - Agent identifier.
 * @returns {Agent} 201 - Success response - application/json
 */
-router.post('/:id/duplicate', checkAgentCreate, v1.duplicateAgent);
+router.post(
+  '/:id/duplicate',
+  checkAgentCreate,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.VIEW,
+    resourceIdParam: 'id',
+  }),
+  v1.duplicateAgent,
+);

 /**
 * Deletes an agent.
@@ -76,7 +130,15 @@ router.post('/:id/duplicate', checkAgentCreate, v1.duplicateAgent);
 * @param {string} req.params.id - Agent identifier.
 * @returns {Agent} 200 - success response - application/json
 */
-router.delete('/:id', checkAgentCreate, v1.deleteAgent);
+router.delete(
+  '/:id',
+  checkAgentCreate,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.DELETE,
+    resourceIdParam: 'id',
+  }),
+  v1.deleteAgent,
+);

 /**
 * Reverts an agent to a previous version.
@@ -103,6 +165,14 @@ router.get('/', checkAgentAccess, v1.getListAgents);
 * @param {string} [req.body.metadata] - Optional metadata for the agent's avatar.
 * @returns {Object} 200 - success response - application/json
 */
-avatar.post('/:agent_id/avatar/', checkAgentAccess, v1.uploadAgentAvatar);
+avatar.post(
+  '/:agent_id/avatar/',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  v1.uploadAgentAvatar,
+);

 module.exports = { v1: router, avatar };
--- a/api/server/routes/convos.js
+++ b/api/server/routes/convos.js
@@ -1,16 +1,17 @@
 const multer = require('multer');
 const express = require('express');
+const { sleep } = require('@librechat/agents');
+const { isEnabled } = require('@librechat/api');
+const { logger } = require('@librechat/data-schemas');
 const { CacheKeys, EModelEndpoint } = require('librechat-data-provider');
 const { getConvosByCursor, deleteConvos, getConvo, saveConvo } = require('~/models/Conversation');
 const { forkConversation, duplicateConversation } = require('~/server/utils/import/fork');
+const { createImportLimiters, createForkLimiters } = require('~/server/middleware');
 const { storage, importFileFilter } = require('~/server/routes/files/multer');
 const requireJwtAuth = require('~/server/middleware/requireJwtAuth');
 const { importConversations } = require('~/server/utils/import');
-const { createImportLimiters } = require('~/server/middleware');
 const { deleteToolCalls } = require('~/models/ToolCall');
-const { isEnabled, sleep } = require('~/server/utils');
 const getLogStores = require('~/cache/getLogStores');
-const { logger } = require('~/config');

 const assistantClients = {
  [EModelEndpoint.azureAssistants]: require('~/server/services/Endpoints/azureAssistants'),
@@ -43,6 +44,7 @@ router.get('/', async (req, res) => {
    });
    res.status(200).json(result);
  } catch (error) {
+    logger.error('Error fetching conversations', error);
    res.status(500).json({ error: 'Error fetching conversations' });
  }
 });
@@ -156,6 +158,7 @@ router.post('/update', async (req, res) => {
 });

 const { importIpLimiter, importUserLimiter } = createImportLimiters();
+const { forkIpLimiter, forkUserLimiter } = createForkLimiters();
 const upload = multer({ storage: storage, fileFilter: importFileFilter });

 /**
@@ -189,7 +192,7 @@ router.post(
 * @param {express.Response<TForkConvoResponse>} res - Express response object.
 * @returns {Promise<void>} - The response after forking the conversation.
 */
-router.post('/fork', async (req, res) => {
+router.post('/fork', forkIpLimiter, forkUserLimiter, async (req, res) => {
  try {
    /** @type {TForkConvoRequest} */
    const { conversationId, messageId, option, splitAtTarget, latestMessageId } = req.body;
--- a/api/server/routes/files/files.agents.test.js
+++ b/api/server/routes/files/files.agents.test.js
@@ -0,0 +1,341 @@
+const express = require('express');
+const request = require('supertest');
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { createMethods } = require('@librechat/data-schemas');
+const { createAgent } = require('~/models/Agent');
+const { createFile } = require('~/models/File');
+
+// Only mock the external dependencies that we don't want to test
+jest.mock('~/server/services/Files/process', () => ({
+  processDeleteRequest: jest.fn().mockResolvedValue({}),
+  filterFile: jest.fn(),
+  processFileUpload: jest.fn(),
+  processAgentFileUpload: jest.fn(),
+}));
+
+jest.mock('~/server/services/Files/strategies', () => ({
+  getStrategyFunctions: jest.fn(() => ({})),
+}));
+
+jest.mock('~/server/controllers/assistants/helpers', () => ({
+  getOpenAIClient: jest.fn(),
+}));
+
+jest.mock('~/server/services/Tools/credentials', () => ({
+  loadAuthValues: jest.fn(),
+}));
+
+// Import the router
+const router = require('~/server/routes/files/files');
+
+describe('File Routes - Agent Files Endpoint', () => {
+  let app;
+  let mongoServer;
+  let authorId;
+  let otherUserId;
+  let agentId;
+  let fileId1;
+  let fileId2;
+  let fileId3;
+  let File;
+  let User;
+  let Agent;
+  let methods;
+  let AclEntry;
+  // eslint-disable-next-line no-unused-vars
+  let AccessRole;
+  let modelsToCleanup = [];
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+
+    // Initialize all models using createModels
+    const { createModels } = require('@librechat/data-schemas');
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    Object.assign(mongoose.models, models);
+
+    // Create methods with our test mongoose instance
+    methods = createMethods(mongoose);
+
+    // Now we can access models from the db/models
+    File = models.File;
+    Agent = models.Agent;
+    AclEntry = models.AclEntry;
+    User = models.User;
+    AccessRole = models.AccessRole;
+
+    // Seed default roles using our methods
+    await methods.seedDefaultRoles();
+
+    app = express();
+    app.use(express.json());
+
+    // Mock authentication middleware
+    app.use((req, res, next) => {
+      req.user = { id: otherUserId || 'default-user' };
+      req.app = { locals: {} };
+      next();
+    });
+
+    app.use('/files', router);
+  });
+
+  afterAll(async () => {
+    // Clean up all collections before disconnecting
+    const collections = mongoose.connection.collections;
+    for (const key in collections) {
+      await collections[key].deleteMany({});
+    }
+
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    // Clean up all test data
+    await File.deleteMany({});
+    await Agent.deleteMany({});
+    await User.deleteMany({});
+    await AclEntry.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
+
+    // Create test users
+    authorId = new mongoose.Types.ObjectId();
+    otherUserId = new mongoose.Types.ObjectId();
+    agentId = uuidv4();
+    fileId1 = uuidv4();
+    fileId2 = uuidv4();
+    fileId3 = uuidv4();
+
+    // Create users in database
+    await User.create({
+      _id: authorId,
+      username: 'author',
+      email: 'author@test.com',
+    });
+
+    await User.create({
+      _id: otherUserId,
+      username: 'other',
+      email: 'other@test.com',
+    });
+
+    // Create files
+    await createFile({
+      user: authorId,
+      file_id: fileId1,
+      filename: 'file1.txt',
+      filepath: '/uploads/file1.txt',
+      bytes: 100,
+      type: 'text/plain',
+    });
+
+    await createFile({
+      user: authorId,
+      file_id: fileId2,
+      filename: 'file2.txt',
+      filepath: '/uploads/file2.txt',
+      bytes: 200,
+      type: 'text/plain',
+    });
+
+    await createFile({
+      user: otherUserId,
+      file_id: fileId3,
+      filename: 'file3.txt',
+      filepath: '/uploads/file3.txt',
+      bytes: 300,
+      type: 'text/plain',
+    });
+  });
+
+  describe('GET /files/agent/:agent_id', () => {
+    it('should return files accessible through the agent for non-author with EDIT permission', async () => {
+      // Create an agent with files attached
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, fileId2],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent using PermissionService
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      // Mock req.user for this request
+      app.use((req, res, next) => {
+        req.user = { id: otherUserId.toString() };
+        next();
+      });
+
+      const response = await request(app).get(`/files/agent/${agentId}`);
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toHaveLength(2);
+      expect(response.body.map((f) => f.file_id)).toContain(fileId1);
+      expect(response.body.map((f) => f.file_id)).toContain(fileId2);
+    });
+
+    it('should return 400 when agent_id is not provided', async () => {
+      const response = await request(app).get('/files/agent/');
+
+      expect(response.status).toBe(404); // Express returns 404 for missing route parameter
+    });
+
+    it('should return empty array for non-existent agent', async () => {
+      const response = await request(app).get('/files/agent/non-existent-agent');
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toEqual([]);
+    });
+
+    it('should return empty array when user only has VIEW permission', async () => {
+      // Create an agent with files attached
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, fileId2],
+          },
+        },
+      });
+
+      // Grant only VIEW permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_viewer',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app).get(`/files/agent/${agentId}`);
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toEqual([]);
+    });
+
+    it('should return agent files for agent author', async () => {
+      // Create an agent with files attached
+      await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, fileId2],
+          },
+        },
+      });
+
+      // Create a new app instance with author authentication
+      const authorApp = express();
+      authorApp.use(express.json());
+      authorApp.use((req, res, next) => {
+        req.user = { id: authorId.toString() };
+        req.app = { locals: {} };
+        next();
+      });
+      authorApp.use('/files', router);
+
+      const response = await request(authorApp).get(`/files/agent/${agentId}`);
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toHaveLength(2);
+    });
+
+    it('should return files uploaded by other users to shared agent for author', async () => {
+      const anotherUserId = new mongoose.Types.ObjectId();
+      const otherUserFileId = uuidv4();
+
+      await User.create({
+        _id: anotherUserId,
+        username: 'another',
+        email: 'another@test.com',
+      });
+
+      await createFile({
+        user: anotherUserId,
+        file_id: otherUserFileId,
+        filename: 'other-user-file.txt',
+        filepath: '/uploads/other-user-file.txt',
+        bytes: 400,
+        type: 'text/plain',
+      });
+
+      // Create agent to include the file uploaded by another user
+      await createAgent({
+        id: agentId,
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId1, otherUserFileId],
+          },
+        },
+      });
+
+      // Create a new app instance with author authentication
+      const authorApp = express();
+      authorApp.use(express.json());
+      authorApp.use((req, res, next) => {
+        req.user = { id: authorId.toString() };
+        req.app = { locals: {} };
+        next();
+      });
+      authorApp.use('/files', router);
+
+      const response = await request(authorApp).get(`/files/agent/${agentId}`);
+
+      expect(response.status).toBe(200);
+      expect(Array.isArray(response.body)).toBe(true);
+      expect(response.body).toHaveLength(2);
+      expect(response.body.map((f) => f.file_id)).toContain(fileId1);
+      expect(response.body.map((f) => f.file_id)).toContain(otherUserFileId);
+    });
+  });
+});
--- a/api/server/routes/files/files.js
+++ b/api/server/routes/files/files.js
@@ -6,6 +6,7 @@ const {
  isUUID,
  CacheKeys,
  FileSources,
+  PERMISSION_BITS,
  EModelEndpoint,
  isAgentsEndpoint,
  checkOpenAIStorage,
@@ -18,8 +19,10 @@ const {
 } = require('~/server/services/Files/process');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { getOpenAIClient } = require('~/server/controllers/assistants/helpers');
+const { checkPermission } = require('~/server/services/PermissionService');
 const { loadAuthValues } = require('~/server/services/Tools/credentials');
 const { refreshS3FileUrls } = require('~/server/services/Files/S3/crud');
+const { hasAccessToFilesViaAgent } = require('~/server/services/Files');
 const { getFiles, batchUpdateFiles } = require('~/models/File');
 const { getAssistant } = require('~/models/Assistant');
 const { getAgent } = require('~/models/Agent');
@@ -50,6 +53,69 @@ router.get('/', async (req, res) => {
  }
 });

+/**
+ * Get files specific to an agent
+ * @route GET /files/agent/:agent_id
+ * @param {string} agent_id - The agent ID to get files for
+ * @returns {Promise<TFile[]>} Array of files attached to the agent
+ */
+router.get('/agent/:agent_id', async (req, res) => {
+  try {
+    const { agent_id } = req.params;
+    const userId = req.user.id;
+
+    if (!agent_id) {
+      return res.status(400).json({ error: 'Agent ID is required' });
+    }
+
+    // Get the agent to check ownership and attached files
+    const agent = await getAgent({ id: agent_id });
+
+    if (!agent) {
+      // No agent found, return empty array
+      return res.status(200).json([]);
+    }
+
+    // Check if user has access to the agent
+    if (agent.author.toString() !== userId) {
+      // Non-authors need at least EDIT permission to view agent files
+      const hasEditPermission = await checkPermission({
+        userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        requiredPermission: PERMISSION_BITS.EDIT,
+      });
+
+      if (!hasEditPermission) {
+        return res.status(200).json([]);
+      }
+    }
+
+    // Collect all file IDs from agent's tool resources
+    const agentFileIds = [];
+    if (agent.tool_resources) {
+      for (const [, resource] of Object.entries(agent.tool_resources)) {
+        if (resource?.file_ids && Array.isArray(resource.file_ids)) {
+          agentFileIds.push(...resource.file_ids);
+        }
+      }
+    }
+
+    // If no files attached to agent, return empty array
+    if (agentFileIds.length === 0) {
+      return res.status(200).json([]);
+    }
+
+    // Get only the files attached to this agent
+    const files = await getFiles({ file_id: { $in: agentFileIds } }, null, { text: 0 });
+
+    res.status(200).json(files);
+  } catch (error) {
+    logger.error('[/files/agent/:agent_id] Error fetching agent files:', error);
+    res.status(500).json({ error: 'Failed to fetch agent files' });
+  }
+});
+
 router.get('/config', async (req, res) => {
  try {
    res.status(200).json(req.app.locals.fileConfig);
@@ -86,11 +152,62 @@ router.delete('/', async (req, res) => {

    const fileIds = files.map((file) => file.file_id);
    const dbFiles = await getFiles({ file_id: { $in: fileIds } });
-    const unauthorizedFiles = dbFiles.filter((file) => file.user.toString() !== req.user.id);
+
+    const ownedFiles = [];
+    const nonOwnedFiles = [];
+    const fileMap = new Map();
+
+    for (const file of dbFiles) {
+      fileMap.set(file.file_id, file);
+      if (file.user.toString() === req.user.id) {
+        ownedFiles.push(file);
+      } else {
+        nonOwnedFiles.push(file);
+      }
+    }
+
+    // If all files are owned by the user, no need for further checks
+    if (nonOwnedFiles.length === 0) {
+      await processDeleteRequest({ req, files: ownedFiles });
+      logger.debug(
+        `[/files] Files deleted successfully: ${ownedFiles
+          .filter((f) => f.file_id)
+          .map((f) => f.file_id)
+          .join(', ')}`,
+      );
+      res.status(200).json({ message: 'Files deleted successfully' });
+      return;
+    }
+
+    // Check access for non-owned files
+    let authorizedFiles = [...ownedFiles];
+    let unauthorizedFiles = [];
+
+    if (req.body.agent_id && nonOwnedFiles.length > 0) {
+      // Batch check access for all non-owned files
+      const nonOwnedFileIds = nonOwnedFiles.map((f) => f.file_id);
+      const accessMap = await hasAccessToFilesViaAgent(
+        req.user.id,
+        nonOwnedFileIds,
+        req.body.agent_id,
+      );
+
+      // Separate authorized and unauthorized files
+      for (const file of nonOwnedFiles) {
+        if (accessMap.get(file.file_id)) {
+          authorizedFiles.push(file);
+        } else {
+          unauthorizedFiles.push(file);
+        }
+      }
+    } else {
+      // No agent context, all non-owned files are unauthorized
+      unauthorizedFiles = nonOwnedFiles;
+    }

    if (unauthorizedFiles.length > 0) {
      return res.status(403).json({
-        message: 'You can only delete your own files',
+        message: 'You can only delete files you have access to',
        unauthorizedFiles: unauthorizedFiles.map((f) => f.file_id),
      });
    }
@@ -131,10 +248,10 @@ router.delete('/', async (req, res) => {
        .json({ message: 'File associations removed successfully from Azure Assistant' });
    }

-    await processDeleteRequest({ req, files: dbFiles });
+    await processDeleteRequest({ req, files: authorizedFiles });

    logger.debug(
-      `[/files] Files deleted successfully: ${files
+      `[/files] Files deleted successfully: ${authorizedFiles
        .filter((f) => f.file_id)
        .map((f) => f.file_id)
        .join(', ')}`,
--- a/api/server/routes/files/files.test.js
+++ b/api/server/routes/files/files.test.js
@@ -0,0 +1,423 @@
+const express = require('express');
+const request = require('supertest');
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { createMethods } = require('@librechat/data-schemas');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { createAgent } = require('~/models/Agent');
+const { createFile } = require('~/models/File');
+
+// Only mock the external dependencies that we don't want to test
+jest.mock('~/server/services/Files/process', () => ({
+  processDeleteRequest: jest.fn().mockResolvedValue({}),
+  filterFile: jest.fn(),
+  processFileUpload: jest.fn(),
+  processAgentFileUpload: jest.fn(),
+}));
+
+jest.mock('~/server/services/Files/strategies', () => ({
+  getStrategyFunctions: jest.fn(() => ({})),
+}));
+
+jest.mock('~/server/controllers/assistants/helpers', () => ({
+  getOpenAIClient: jest.fn(),
+}));
+
+jest.mock('~/server/services/Tools/credentials', () => ({
+  loadAuthValues: jest.fn(),
+}));
+
+jest.mock('~/server/services/Files/S3/crud', () => ({
+  refreshS3FileUrls: jest.fn(),
+}));
+
+jest.mock('~/cache', () => ({
+  getLogStores: jest.fn(() => ({
+    get: jest.fn(),
+    set: jest.fn(),
+  })),
+}));
+
+jest.mock('~/config', () => ({
+  logger: {
+    error: jest.fn(),
+    warn: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+const { processDeleteRequest } = require('~/server/services/Files/process');
+
+// Import the router after mocks
+const router = require('./files');
+
+describe('File Routes - Delete with Agent Access', () => {
+  let app;
+  let mongoServer;
+  let authorId;
+  let otherUserId;
+  let fileId;
+  let File;
+  let Agent;
+  let AclEntry;
+  let User;
+  let AccessRole;
+  let methods;
+  let modelsToCleanup = [];
+  // eslint-disable-next-line no-unused-vars
+  let agentId;
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+    await mongoose.connect(mongoUri);
+
+    // Initialize all models using createModels
+    const { createModels } = require('@librechat/data-schemas');
+    const models = createModels(mongoose);
+
+    // Track which models we're adding
+    modelsToCleanup = Object.keys(models);
+
+    // Register models on mongoose.models so methods can access them
+    Object.assign(mongoose.models, models);
+
+    // Create methods with our test mongoose instance
+    methods = createMethods(mongoose);
+
+    // Now we can access models from the db/models
+    File = models.File;
+    Agent = models.Agent;
+    AclEntry = models.AclEntry;
+    User = models.User;
+    AccessRole = models.AccessRole;
+
+    // Seed default roles using our methods
+    await methods.seedDefaultRoles();
+
+    app = express();
+    app.use(express.json());
+
+    // Mock authentication middleware
+    app.use((req, res, next) => {
+      req.user = { id: otherUserId ? otherUserId.toString() : 'default-user' };
+      req.app = { locals: {} };
+      next();
+    });
+
+    app.use('/files', router);
+  });
+
+  afterAll(async () => {
+    // Clean up all collections before disconnecting
+    const collections = mongoose.connection.collections;
+    for (const key in collections) {
+      await collections[key].deleteMany({});
+    }
+
+    // Clear only the models we added
+    for (const modelName of modelsToCleanup) {
+      if (mongoose.models[modelName]) {
+        delete mongoose.models[modelName];
+      }
+    }
+
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    jest.clearAllMocks();
+
+    // Clear database - clean up all test data
+    await File.deleteMany({});
+    await Agent.deleteMany({});
+    await User.deleteMany({});
+    await AclEntry.deleteMany({});
+    // Don't delete AccessRole as they are seeded defaults needed for tests
+
+    // Create test data
+    authorId = new mongoose.Types.ObjectId();
+    otherUserId = new mongoose.Types.ObjectId();
+    agentId = uuidv4();
+    fileId = uuidv4();
+
+    // Create users in database
+    await User.create({
+      _id: authorId,
+      username: 'author',
+      email: 'author@test.com',
+    });
+
+    await User.create({
+      _id: otherUserId,
+      username: 'other',
+      email: 'other@test.com',
+    });
+
+    // Create a file owned by the author
+    await createFile({
+      user: authorId,
+      file_id: fileId,
+      filename: 'test.txt',
+      filepath: '/uploads/test.txt',
+      bytes: 100,
+      type: 'text/plain',
+    });
+  });
+
+  describe('DELETE /files', () => {
+    it('should allow deleting files owned by the user', async () => {
+      // Create a file owned by the current user
+      const userFileId = uuidv4();
+      await createFile({
+        user: otherUserId,
+        file_id: userFileId,
+        filename: 'user-file.txt',
+        filepath: '/uploads/user-file.txt',
+        bytes: 200,
+        type: 'text/plain',
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          files: [
+            {
+              file_id: userFileId,
+              filepath: '/uploads/user-file.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(200);
+      expect(response.body.message).toBe('Files deleted successfully');
+      expect(processDeleteRequest).toHaveBeenCalled();
+    });
+
+    it('should prevent deleting files not owned by user without agent context', async () => {
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          files: [
+            {
+              file_id: fileId,
+              filepath: '/uploads/test.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(403);
+      expect(response.body.message).toBe('You can only delete files you have access to');
+      expect(response.body.unauthorizedFiles).toContain(fileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
+    });
+
+    it('should allow deleting files accessible through shared agent', async () => {
+      // Create an agent with the file attached
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          agent_id: agent.id,
+          files: [
+            {
+              file_id: fileId,
+              filepath: '/uploads/test.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(200);
+      expect(response.body.message).toBe('Files deleted successfully');
+      expect(processDeleteRequest).toHaveBeenCalled();
+    });
+
+    it('should prevent deleting files not attached to the specified agent', async () => {
+      // Create another file not attached to the agent
+      const unattachedFileId = uuidv4();
+      await createFile({
+        user: authorId,
+        file_id: unattachedFileId,
+        filename: 'unattached.txt',
+        filepath: '/uploads/unattached.txt',
+        bytes: 300,
+        type: 'text/plain',
+      });
+
+      // Create an agent without the unattached file
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId], // Only fileId, not unattachedFileId
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          agent_id: agent.id,
+          files: [
+            {
+              file_id: unattachedFileId,
+              filepath: '/uploads/unattached.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(403);
+      expect(response.body.message).toBe('You can only delete files you have access to');
+      expect(response.body.unauthorizedFiles).toContain(unattachedFileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
+    });
+
+    it('should handle mixed authorized and unauthorized files', async () => {
+      // Create a file owned by the current user
+      const userFileId = uuidv4();
+      await createFile({
+        user: otherUserId,
+        file_id: userFileId,
+        filename: 'user-file.txt',
+        filepath: '/uploads/user-file.txt',
+        bytes: 200,
+        type: 'text/plain',
+      });
+
+      // Create an unauthorized file
+      const unauthorizedFileId = uuidv4();
+      await createFile({
+        user: authorId,
+        file_id: unauthorizedFileId,
+        filename: 'unauthorized.txt',
+        filepath: '/uploads/unauthorized.txt',
+        bytes: 400,
+        type: 'text/plain',
+      });
+
+      // Create an agent with only fileId attached
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant EDIT permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_editor',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          agent_id: agent.id,
+          files: [
+            { file_id: userFileId, filepath: '/uploads/user-file.txt' },
+            { file_id: fileId, filepath: '/uploads/test.txt' },
+            { file_id: unauthorizedFileId, filepath: '/uploads/unauthorized.txt' },
+          ],
+        });
+
+      expect(response.status).toBe(403);
+      expect(response.body.message).toBe('You can only delete files you have access to');
+      expect(response.body.unauthorizedFiles).toContain(unauthorizedFileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
+    });
+
+    it('should prevent deleting files when user lacks EDIT permission on agent', async () => {
+      // Create an agent with the file attached
+      const agent = await createAgent({
+        id: uuidv4(),
+        name: 'Test Agent',
+        provider: 'openai',
+        model: 'gpt-4',
+        author: authorId,
+        tool_resources: {
+          file_search: {
+            file_ids: [fileId],
+          },
+        },
+      });
+
+      // Grant only VIEW permission to user on the agent
+      const { grantPermission } = require('~/server/services/PermissionService');
+      await grantPermission({
+        principalType: 'user',
+        principalId: otherUserId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_viewer',
+        grantedBy: authorId,
+      });
+
+      const response = await request(app)
+        .delete('/files')
+        .send({
+          agent_id: agent.id,
+          files: [
+            {
+              file_id: fileId,
+              filepath: '/uploads/test.txt',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(403);
+      expect(response.body.message).toBe('You can only delete files you have access to');
+      expect(response.body.unauthorizedFiles).toContain(fileId);
+      expect(processDeleteRequest).not.toHaveBeenCalled();
+    });
+  });
+});
--- a/api/server/routes/files/multer.spec.js
+++ b/api/server/routes/files/multer.spec.js
@@ -477,7 +477,9 @@ describe('Multer Configuration', () => {
        done(new Error('Expected mkdirSync to throw an error but no error was thrown'));
      } catch (error) {
        // This is the expected behavior - mkdirSync throws synchronously for invalid paths
-        expect(error.code).toBe('EACCES');
+        // On Linux, this typically returns EACCES (permission denied)
+        // On macOS/Darwin, this returns ENOENT (no such file or directory)
+        expect(['EACCES', 'ENOENT']).toContain(error.code);
        done();
      }
    });
--- a/api/server/routes/index.js
+++ b/api/server/routes/index.js
@@ -1,3 +1,4 @@
+const accessPermissions = require('./accessPermissions');
 const assistants = require('./assistants');
 const categories = require('./categories');
 const tokenizer = require('./tokenizer');
@@ -28,6 +29,7 @@ const user = require('./user');
 const mcp = require('./mcp');

 module.exports = {
+  mcp,
  edit,
  auth,
  keys,
@@ -55,5 +57,5 @@ module.exports = {
  assistants,
  categories,
  staticRoute,
-  mcp,
+  accessPermissions,
 };
--- a/api/server/routes/mcp.js
+++ b/api/server/routes/mcp.js
@@ -1,9 +1,12 @@
 const { Router } = require('express');
-const { MCPOAuthHandler } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
-const { CacheKeys } = require('librechat-data-provider');
+const { MCPOAuthHandler } = require('@librechat/api');
+const { CacheKeys, Constants } = require('librechat-data-provider');
+const { findToken, updateToken, createToken, deleteTokens } = require('~/models');
+const { setCachedTools, getCachedTools, loadCustomConfig } = require('~/server/services/Config');
+const { getUserPluginAuthValue } = require('~/server/services/PluginService');
+const { getMCPManager, getFlowStateManager } = require('~/config');
 const { requireJwtAuth } = require('~/server/middleware');
-const { getFlowStateManager } = require('~/config');
 const { getLogStores } = require('~/cache');

 const router = Router();
@@ -117,9 +120,73 @@ router.get('/:serverName/oauth/callback', async (req, res) => {
    const tokens = await MCPOAuthHandler.completeOAuthFlow(flowId, code, flowManager);
    logger.info('[MCP OAuth] OAuth flow completed, tokens received in callback route');

-    // For system-level OAuth, we need to store the tokens and retry the connection
-    if (flowState.userId === 'system') {
-      logger.debug(`[MCP OAuth] System-level OAuth completed for ${serverName}`);
+    // Try to establish the MCP connection with the new tokens
+    try {
+      const mcpManager = getMCPManager(flowState.userId);
+      logger.debug(`[MCP OAuth] Attempting to reconnect ${serverName} with new OAuth tokens`);
+
+      // For user-level OAuth, try to establish the connection
+      if (flowState.userId !== 'system') {
+        // We need to get the user object - in this case we'll need to reconstruct it
+        const user = { id: flowState.userId };
+
+        // Try to establish connection with the new tokens
+        const userConnection = await mcpManager.getUserConnection({
+          user,
+          serverName,
+          flowManager,
+          tokenMethods: {
+            findToken,
+            updateToken,
+            createToken,
+            deleteTokens,
+          },
+        });
+
+        logger.info(
+          `[MCP OAuth] Successfully reconnected ${serverName} for user ${flowState.userId}`,
+        );
+
+        // Fetch and cache tools now that we have a successful connection
+        const userTools = (await getCachedTools({ userId: flowState.userId })) || {};
+
+        // Remove any old tools from this server in the user's cache
+        const mcpDelimiter = Constants.mcp_delimiter;
+        for (const key of Object.keys(userTools)) {
+          if (key.endsWith(`${mcpDelimiter}${serverName}`)) {
+            delete userTools[key];
+          }
+        }
+
+        // Add the new tools from this server
+        const tools = await userConnection.fetchTools();
+        for (const tool of tools) {
+          const name = `${tool.name}${Constants.mcp_delimiter}${serverName}`;
+          userTools[name] = {
+            type: 'function',
+            ['function']: {
+              name,
+              description: tool.description,
+              parameters: tool.inputSchema,
+            },
+          };
+        }
+
+        // Save the updated user tool cache
+        await setCachedTools(userTools, { userId: flowState.userId });
+
+        logger.debug(
+          `[MCP OAuth] Cached ${tools.length} tools for ${serverName} user ${flowState.userId}`,
+        );
+      } else {
+        logger.debug(`[MCP OAuth] System-level OAuth completed for ${serverName}`);
+      }
+    } catch (error) {
+      // Don't fail the OAuth callback if reconnection fails - the tokens are still saved
+      logger.warn(
+        `[MCP OAuth] Failed to reconnect ${serverName} after OAuth, but tokens are saved:`,
+        error,
+      );
    }

    /** ID of the flow that the tool/connection is waiting for */
@@ -202,4 +269,359 @@ router.get('/oauth/status/:flowId', async (req, res) => {
  }
 });

+/**
+ * Cancel OAuth flow
+ * This endpoint cancels a pending OAuth flow
+ */
+router.post('/oauth/cancel/:serverName', requireJwtAuth, async (req, res) => {
+  try {
+    const { serverName } = req.params;
+    const user = req.user;
+
+    if (!user?.id) {
+      return res.status(401).json({ error: 'User not authenticated' });
+    }
+
+    logger.info(`[MCP OAuth Cancel] Cancelling OAuth flow for ${serverName} by user ${user.id}`);
+
+    const flowsCache = getLogStores(CacheKeys.FLOWS);
+    const flowManager = getFlowStateManager(flowsCache);
+
+    // Generate the flow ID for this user/server combination
+    const flowId = MCPOAuthHandler.generateFlowId(user.id, serverName);
+
+    // Check if flow exists
+    const flowState = await flowManager.getFlowState(flowId, 'mcp_oauth');
+
+    if (!flowState) {
+      logger.debug(`[MCP OAuth Cancel] No active flow found for ${serverName}`);
+      return res.json({
+        success: true,
+        message: 'No active OAuth flow to cancel',
+      });
+    }
+
+    // Cancel the flow by marking it as failed
+    await flowManager.completeFlow(flowId, 'mcp_oauth', null, 'User cancelled OAuth flow');
+
+    logger.info(`[MCP OAuth Cancel] Successfully cancelled OAuth flow for ${serverName}`);
+
+    res.json({
+      success: true,
+      message: `OAuth flow for ${serverName} cancelled successfully`,
+    });
+  } catch (error) {
+    logger.error('[MCP OAuth Cancel] Failed to cancel OAuth flow', error);
+    res.status(500).json({ error: 'Failed to cancel OAuth flow' });
+  }
+});
+
+/**
+ * Reinitialize MCP server
+ * This endpoint allows reinitializing a specific MCP server
+ */
+router.post('/:serverName/reinitialize', requireJwtAuth, async (req, res) => {
+  try {
+    const { serverName } = req.params;
+    const user = req.user;
+
+    if (!user?.id) {
+      return res.status(401).json({ error: 'User not authenticated' });
+    }
+
+    logger.info(`[MCP Reinitialize] Reinitializing server: ${serverName}`);
+
+    const config = await loadCustomConfig();
+    if (!config || !config.mcpServers || !config.mcpServers[serverName]) {
+      return res.status(404).json({
+        error: `MCP server '${serverName}' not found in configuration`,
+      });
+    }
+
+    const flowsCache = getLogStores(CacheKeys.FLOWS);
+    const flowManager = getFlowStateManager(flowsCache);
+    const mcpManager = getMCPManager();
+
+    await mcpManager.disconnectServer(serverName);
+    logger.info(`[MCP Reinitialize] Disconnected existing server: ${serverName}`);
+
+    const serverConfig = config.mcpServers[serverName];
+    mcpManager.mcpConfigs[serverName] = serverConfig;
+    let customUserVars = {};
+    if (serverConfig.customUserVars && typeof serverConfig.customUserVars === 'object') {
+      for (const varName of Object.keys(serverConfig.customUserVars)) {
+        try {
+          const value = await getUserPluginAuthValue(user.id, varName, false);
+          if (value) {
+            customUserVars[varName] = value;
+          }
+        } catch (err) {
+          logger.error(`[MCP Reinitialize] Error fetching ${varName} for user ${user.id}:`, err);
+        }
+      }
+    }
+
+    let userConnection = null;
+    let oauthRequired = false;
+    let oauthUrl = null;
+
+    try {
+      userConnection = await mcpManager.getUserConnection({
+        user,
+        serverName,
+        flowManager,
+        customUserVars,
+        tokenMethods: {
+          findToken,
+          updateToken,
+          createToken,
+          deleteTokens,
+        },
+        returnOnOAuth: true, // Return immediately when OAuth is initiated
+        // Add OAuth handlers to capture the OAuth URL when needed
+        oauthStart: async (authURL) => {
+          logger.info(`[MCP Reinitialize] OAuth URL received: ${authURL}`);
+          oauthUrl = authURL;
+          oauthRequired = true;
+        },
+      });
+
+      logger.info(`[MCP Reinitialize] Successfully established connection for ${serverName}`);
+    } catch (err) {
+      logger.info(`[MCP Reinitialize] getUserConnection threw error: ${err.message}`);
+      logger.info(
+        `[MCP Reinitialize] OAuth state - oauthRequired: ${oauthRequired}, oauthUrl: ${oauthUrl ? 'present' : 'null'}`,
+      );
+
+      // Check if this is an OAuth error - if so, the flow state should be set up now
+      const isOAuthError =
+        err.message?.includes('OAuth') ||
+        err.message?.includes('authentication') ||
+        err.message?.includes('401');
+
+      const isOAuthFlowInitiated = err.message === 'OAuth flow initiated - return early';
+
+      if (isOAuthError || oauthRequired || isOAuthFlowInitiated) {
+        logger.info(
+          `[MCP Reinitialize] OAuth required for ${serverName} (isOAuthError: ${isOAuthError}, oauthRequired: ${oauthRequired}, isOAuthFlowInitiated: ${isOAuthFlowInitiated})`,
+        );
+        oauthRequired = true;
+        // Don't return error - continue so frontend can handle OAuth
+      } else {
+        logger.error(
+          `[MCP Reinitialize] Error initializing MCP server ${serverName} for user:`,
+          err,
+        );
+        return res.status(500).json({ error: 'Failed to reinitialize MCP server for user' });
+      }
+    }
+
+    // Only fetch and cache tools if we successfully connected (no OAuth required)
+    if (userConnection && !oauthRequired) {
+      const userTools = (await getCachedTools({ userId: user.id })) || {};
+
+      // Remove any old tools from this server in the user's cache
+      const mcpDelimiter = Constants.mcp_delimiter;
+      for (const key of Object.keys(userTools)) {
+        if (key.endsWith(`${mcpDelimiter}${serverName}`)) {
+          delete userTools[key];
+        }
+      }
+
+      // Add the new tools from this server
+      const tools = await userConnection.fetchTools();
+      for (const tool of tools) {
+        const name = `${tool.name}${Constants.mcp_delimiter}${serverName}`;
+        userTools[name] = {
+          type: 'function',
+          ['function']: {
+            name,
+            description: tool.description,
+            parameters: tool.inputSchema,
+          },
+        };
+      }
+
+      // Save the updated user tool cache
+      await setCachedTools(userTools, { userId: user.id });
+    }
+
+    logger.debug(
+      `[MCP Reinitialize] Sending response for ${serverName} - oauthRequired: ${oauthRequired}, oauthUrl: ${oauthUrl ? 'present' : 'null'}`,
+    );
+
+    res.json({
+      success: true,
+      message: oauthRequired
+        ? `MCP server '${serverName}' ready for OAuth authentication`
+        : `MCP server '${serverName}' reinitialized successfully`,
+      serverName,
+      oauthRequired,
+      oauthUrl,
+    });
+  } catch (error) {
+    logger.error('[MCP Reinitialize] Unexpected error', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * Get connection status for all MCP servers
+ * This endpoint returns the actual connection status from MCPManager without disconnecting idle connections
+ */
+router.get('/connection/status', requireJwtAuth, async (req, res) => {
+  try {
+    const user = req.user;
+
+    if (!user?.id) {
+      return res.status(401).json({ error: 'User not authenticated' });
+    }
+
+    const mcpManager = getMCPManager(user.id);
+    const connectionStatus = {};
+
+    const printConfig = false;
+    const config = await loadCustomConfig(printConfig);
+    const mcpConfig = config?.mcpServers;
+
+    const appConnections = mcpManager.getAllConnections() || new Map();
+    const userConnections = mcpManager.getUserConnections(user.id) || new Map();
+    const oauthServers = mcpManager.getOAuthServers() || new Set();
+
+    if (!mcpConfig) {
+      return res.status(404).json({ error: 'MCP config not found' });
+    }
+
+    // Get flow manager to check for active/timed-out OAuth flows
+    const flowsCache = getLogStores(CacheKeys.FLOWS);
+    const flowManager = getFlowStateManager(flowsCache);
+
+    for (const [serverName] of Object.entries(mcpConfig)) {
+      const getConnectionState = (serverName) =>
+        appConnections.get(serverName)?.connectionState ??
+        userConnections.get(serverName)?.connectionState ??
+        'disconnected';
+
+      const baseConnectionState = getConnectionState(serverName);
+
+      let hasActiveOAuthFlow = false;
+      let hasFailedOAuthFlow = false;
+
+      if (baseConnectionState === 'disconnected' && oauthServers.has(serverName)) {
+        try {
+          // Check for user-specific OAuth flows
+          const flowId = MCPOAuthHandler.generateFlowId(user.id, serverName);
+          const flowState = await flowManager.getFlowState(flowId, 'mcp_oauth');
+          if (flowState) {
+            // Check if flow failed or timed out
+            const flowAge = Date.now() - flowState.createdAt;
+            const flowTTL = flowState.ttl || 180000; // Default 3 minutes
+
+            if (flowState.status === 'FAILED' || flowAge > flowTTL) {
+              hasFailedOAuthFlow = true;
+              logger.debug(`[MCP Connection Status] Found failed OAuth flow for ${serverName}`, {
+                flowId,
+                status: flowState.status,
+                flowAge,
+                flowTTL,
+                timedOut: flowAge > flowTTL,
+              });
+            } else if (flowState.status === 'PENDING') {
+              hasActiveOAuthFlow = true;
+              logger.debug(`[MCP Connection Status] Found active OAuth flow for ${serverName}`, {
+                flowId,
+                flowAge,
+                flowTTL,
+              });
+            }
+          }
+        } catch (error) {
+          logger.error(
+            `[MCP Connection Status] Error checking OAuth flows for ${serverName}:`,
+            error,
+          );
+        }
+      }
+
+      // Determine the final connection state
+      let finalConnectionState = baseConnectionState;
+      if (hasFailedOAuthFlow) {
+        finalConnectionState = 'error'; // Report as error if OAuth failed
+      } else if (hasActiveOAuthFlow && baseConnectionState === 'disconnected') {
+        finalConnectionState = 'connecting'; // Still waiting for OAuth
+      }
+
+      connectionStatus[serverName] = {
+        requiresOAuth: oauthServers.has(serverName),
+        connectionState: finalConnectionState,
+      };
+    }
+
+    res.json({
+      success: true,
+      connectionStatus,
+    });
+  } catch (error) {
+    logger.error('[MCP Connection Status] Failed to get connection status', error);
+    res.status(500).json({ error: 'Failed to get connection status' });
+  }
+});
+
+/**
+ * Check which authentication values exist for a specific MCP server
+ * This endpoint returns only boolean flags indicating if values are set, not the actual values
+ */
+router.get('/:serverName/auth-values', requireJwtAuth, async (req, res) => {
+  try {
+    const { serverName } = req.params;
+    const user = req.user;
+
+    if (!user?.id) {
+      return res.status(401).json({ error: 'User not authenticated' });
+    }
+
+    const printConfig = false;
+    const config = await loadCustomConfig(printConfig);
+    if (!config || !config.mcpServers || !config.mcpServers[serverName]) {
+      return res.status(404).json({
+        error: `MCP server '${serverName}' not found in configuration`,
+      });
+    }
+
+    const serverConfig = config.mcpServers[serverName];
+    const pluginKey = `${Constants.mcp_prefix}${serverName}`;
+    const authValueFlags = {};
+
+    // Check existence of saved values for each custom user variable (don't fetch actual values)
+    if (serverConfig.customUserVars && typeof serverConfig.customUserVars === 'object') {
+      for (const varName of Object.keys(serverConfig.customUserVars)) {
+        try {
+          const value = await getUserPluginAuthValue(user.id, varName, false, pluginKey);
+          // Only store boolean flag indicating if value exists
+          authValueFlags[varName] = !!(value && value.length > 0);
+        } catch (err) {
+          logger.error(
+            `[MCP Auth Value Flags] Error checking ${varName} for user ${user.id}:`,
+            err,
+          );
+          // Default to false if we can't check
+          authValueFlags[varName] = false;
+        }
+      }
+    }
+
+    res.json({
+      success: true,
+      serverName,
+      authValueFlags,
+    });
+  } catch (error) {
+    logger.error(
+      `[MCP Auth Value Flags] Failed to check auth value flags for ${req.params.serverName}`,
+      error,
+    );
+    res.status(500).json({ error: 'Failed to check auth value flags' });
+  }
+});
+
 module.exports = router;
--- a/api/server/routes/memories.js
+++ b/api/server/routes/memories.js
@@ -1,37 +1,43 @@
 const express = require('express');
-const { Tokenizer } = require('@librechat/api');
+const { Tokenizer, generateCheckAccess } = require('@librechat/api');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
 const {
  getAllUserMemories,
  toggleUserMemories,
  createMemory,
-  setMemory,
  deleteMemory,
+  setMemory,
 } = require('~/models');
-const { requireJwtAuth, generateCheckAccess } = require('~/server/middleware');
+const { requireJwtAuth } = require('~/server/middleware');
+const { getRoleByName } = require('~/models/Role');

 const router = express.Router();

-const checkMemoryRead = generateCheckAccess(PermissionTypes.MEMORIES, [
-  Permissions.USE,
-  Permissions.READ,
-]);
-const checkMemoryCreate = generateCheckAccess(PermissionTypes.MEMORIES, [
-  Permissions.USE,
-  Permissions.CREATE,
-]);
-const checkMemoryUpdate = generateCheckAccess(PermissionTypes.MEMORIES, [
-  Permissions.USE,
-  Permissions.UPDATE,
-]);
-const checkMemoryDelete = generateCheckAccess(PermissionTypes.MEMORIES, [
-  Permissions.USE,
-  Permissions.UPDATE,
-]);
-const checkMemoryOptOut = generateCheckAccess(PermissionTypes.MEMORIES, [
-  Permissions.USE,
-  Permissions.OPT_OUT,
-]);
+const checkMemoryRead = generateCheckAccess({
+  permissionType: PermissionTypes.MEMORIES,
+  permissions: [Permissions.USE, Permissions.READ],
+  getRoleByName,
+});
+const checkMemoryCreate = generateCheckAccess({
+  permissionType: PermissionTypes.MEMORIES,
+  permissions: [Permissions.USE, Permissions.CREATE],
+  getRoleByName,
+});
+const checkMemoryUpdate = generateCheckAccess({
+  permissionType: PermissionTypes.MEMORIES,
+  permissions: [Permissions.USE, Permissions.UPDATE],
+  getRoleByName,
+});
+const checkMemoryDelete = generateCheckAccess({
+  permissionType: PermissionTypes.MEMORIES,
+  permissions: [Permissions.USE, Permissions.UPDATE],
+  getRoleByName,
+});
+const checkMemoryOptOut = generateCheckAccess({
+  permissionType: PermissionTypes.MEMORIES,
+  permissions: [Permissions.USE, Permissions.OPT_OUT],
+  getRoleByName,
+});

 router.use(requireJwtAuth);

@@ -166,40 +172,68 @@ router.patch('/preferences', checkMemoryOptOut, async (req, res) => {
 /**
 * PATCH /memories/:key
 * Updates the value of an existing memory entry for the authenticated user.
- * Body: { value: string }
+ * Body: { key?: string, value: string }
 * Returns 200 and { updated: true, memory: <updatedDoc> } when successful.
 */
 router.patch('/:key', checkMemoryUpdate, async (req, res) => {
-  const { key } = req.params;
-  const { value } = req.body || {};
+  const { key: urlKey } = req.params;
+  const { key: bodyKey, value } = req.body || {};

  if (typeof value !== 'string' || value.trim() === '') {
    return res.status(400).json({ error: 'Value is required and must be a non-empty string.' });
  }

+  // Use the key from the body if provided, otherwise use the key from the URL
+  const newKey = bodyKey || urlKey;
+
  try {
    const tokenCount = Tokenizer.getTokenCount(value, 'o200k_base');

    const memories = await getAllUserMemories(req.user.id);
-    const existingMemory = memories.find((m) => m.key === key);
+    const existingMemory = memories.find((m) => m.key === urlKey);

    if (!existingMemory) {
      return res.status(404).json({ error: 'Memory not found.' });
    }

-    const result = await setMemory({
-      userId: req.user.id,
-      key,
-      value,
-      tokenCount,
-    });
+    // If the key is changing, we need to handle it specially
+    if (newKey !== urlKey) {
+      const keyExists = memories.find((m) => m.key === newKey);
+      if (keyExists) {
+        return res.status(409).json({ error: 'Memory with this key already exists.' });
+      }

-    if (!result.ok) {
-      return res.status(500).json({ error: 'Failed to update memory.' });
+      const createResult = await createMemory({
+        userId: req.user.id,
+        key: newKey,
+        value,
+        tokenCount,
+      });
+
+      if (!createResult.ok) {
+        return res.status(500).json({ error: 'Failed to create new memory.' });
+      }
+
+      const deleteResult = await deleteMemory({ userId: req.user.id, key: urlKey });
+      if (!deleteResult.ok) {
+        return res.status(500).json({ error: 'Failed to delete old memory.' });
+      }
+    } else {
+      // Key is not changing, just update the value
+      const result = await setMemory({
+        userId: req.user.id,
+        key: newKey,
+        value,
+        tokenCount,
+      });
+
+      if (!result.ok) {
+        return res.status(500).json({ error: 'Failed to update memory.' });
+      }
    }

    const updatedMemories = await getAllUserMemories(req.user.id);
-    const updatedMemory = updatedMemories.find((m) => m.key === key);
+    const updatedMemory = updatedMemories.find((m) => m.key === newKey);

    res.json({ updated: true, memory: updatedMemory });
  } catch (error) {
--- a/api/server/routes/messages.js
+++ b/api/server/routes/messages.js
@@ -235,12 +235,13 @@ router.put('/:conversationId/:messageId', validateMessageReq, async (req, res) =
      return res.status(400).json({ error: 'Content part not found' });
    }

-    if (updatedContent[index].type !== ContentTypes.TEXT) {
+    const currentPartType = updatedContent[index].type;
+    if (currentPartType !== ContentTypes.TEXT && currentPartType !== ContentTypes.THINK) {
      return res.status(400).json({ error: 'Cannot update non-text content' });
    }

-    const oldText = updatedContent[index].text;
-    updatedContent[index] = { type: ContentTypes.TEXT, text };
+    const oldText = updatedContent[index][currentPartType];
+    updatedContent[index] = { type: currentPartType, [currentPartType]: text };

    let tokenCount = message.tokenCount;
    if (tokenCount !== undefined) {
--- a/api/server/routes/oauth.js
+++ b/api/server/routes/oauth.js
@@ -9,6 +9,7 @@ const {
  setBalanceConfig,
  checkDomainAllowed,
 } = require('~/server/middleware');
+const { syncUserEntraGroupMemberships } = require('~/server/services/PermissionService');
 const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
 const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');
@@ -35,6 +36,7 @@ const oauthHandler = async (req, res) => {
      req.user.provider == 'openid' &&
      isEnabled(process.env.OPENID_REUSE_TOKENS) === true
    ) {
+      await syncUserEntraGroupMemberships(req.user, req.user.tokenset.access_token);
      setOpenIDAuthTokens(req.user.tokenset, res);
    } else {
      await setAuthTokens(req.user._id, res);
--- a/api/server/routes/prompts.js
+++ b/api/server/routes/prompts.js
@@ -1,5 +1,7 @@
 const express = require('express');
-const { PermissionTypes, Permissions, SystemRoles } = require('librechat-data-provider');
+const { logger } = require('@librechat/data-schemas');
+const { generateCheckAccess } = require('@librechat/api');
+const { Permissions, SystemRoles, PermissionTypes } = require('librechat-data-provider');
 const {
  getPrompt,
  getPrompts,
@@ -14,24 +16,30 @@ const {
  // updatePromptLabels,
  makePromptProduction,
 } = require('~/models/Prompt');
-const { requireJwtAuth, generateCheckAccess } = require('~/server/middleware');
-const { logger } = require('~/config');
+const { requireJwtAuth } = require('~/server/middleware');
+const { getRoleByName } = require('~/models/Role');

 const router = express.Router();

-const checkPromptAccess = generateCheckAccess(PermissionTypes.PROMPTS, [Permissions.USE]);
-const checkPromptCreate = generateCheckAccess(PermissionTypes.PROMPTS, [
-  Permissions.USE,
-  Permissions.CREATE,
-]);
+const checkPromptAccess = generateCheckAccess({
+  permissionType: PermissionTypes.PROMPTS,
+  permissions: [Permissions.USE],
+  getRoleByName,
+});
+const checkPromptCreate = generateCheckAccess({
+  permissionType: PermissionTypes.PROMPTS,
+  permissions: [Permissions.USE, Permissions.CREATE],
+  getRoleByName,
+});

-const checkGlobalPromptShare = generateCheckAccess(
-  PermissionTypes.PROMPTS,
-  [Permissions.USE, Permissions.CREATE],
-  {
+const checkGlobalPromptShare = generateCheckAccess({
+  permissionType: PermissionTypes.PROMPTS,
+  permissions: [Permissions.USE, Permissions.CREATE],
+  bodyProps: {
    [Permissions.SHARED_GLOBAL]: ['projectIds', 'removeProjectIds'],
  },
-);
+  getRoleByName,
+});

 router.use(requireJwtAuth);
 router.use(checkPromptAccess);
--- a/api/server/routes/static.js
+++ b/api/server/routes/static.js
@@ -1,8 +1,11 @@
 const express = require('express');
 const staticCache = require('../utils/staticCache');
 const paths = require('~/config/paths');
+const { isEnabled } = require('~/server/utils');
+
+const skipGzipScan = !isEnabled(process.env.ENABLE_IMAGE_OUTPUT_GZIP_SCAN);

 const router = express.Router();
-router.use(staticCache(paths.imageOutput));
+router.use(staticCache(paths.imageOutput, { skipGzipScan }));

 module.exports = router;
--- a/api/server/routes/tags.js
+++ b/api/server/routes/tags.js
@@ -1,18 +1,24 @@
 const express = require('express');
+const { logger } = require('@librechat/data-schemas');
+const { generateCheckAccess } = require('@librechat/api');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
 const {
-  getConversationTags,
+  updateTagsForConversation,
  updateConversationTag,
  createConversationTag,
  deleteConversationTag,
-  updateTagsForConversation,
+  getConversationTags,
 } = require('~/models/ConversationTag');
-const { requireJwtAuth, generateCheckAccess } = require('~/server/middleware');
-const { logger } = require('~/config');
+const { requireJwtAuth } = require('~/server/middleware');
+const { getRoleByName } = require('~/models/Role');

 const router = express.Router();

-const checkBookmarkAccess = generateCheckAccess(PermissionTypes.BOOKMARKS, [Permissions.USE]);
+const checkBookmarkAccess = generateCheckAccess({
+  permissionType: PermissionTypes.BOOKMARKS,
+  permissions: [Permissions.USE],
+  getRoleByName,
+});

 router.use(requireJwtAuth);
 router.use(checkBookmarkAccess);
--- a/api/server/services/AppService.interface.spec.js
+++ b/api/server/services/AppService.interface.spec.js
@@ -1,5 +1,7 @@
 jest.mock('~/models', () => ({
  initializeRoles: jest.fn(),
+  seedDefaultRoles: jest.fn(),
+  ensureDefaultCategories: jest.fn(),
 }));
 jest.mock('~/models/Role', () => ({
  updateAccessPermissions: jest.fn(),
--- a/api/server/services/AppService.js
+++ b/api/server/services/AppService.js
@@ -1,12 +1,11 @@
+const { agentsConfigSetup, loadWebSearchConfig } = require('@librechat/api');
 const {
  FileSources,
  loadOCRConfig,
  EModelEndpoint,
  loadMemoryConfig,
  getConfigDefaults,
-  loadWebSearchConfig,
 } = require('librechat-data-provider');
-const { agentsConfigSetup } = require('@librechat/api');
 const {
  checkHealth,
  checkConfig,
@@ -17,6 +16,7 @@ const {
 const { azureAssistantsDefaults, assistantsConfigSetup } = require('./start/assistants');
 const { initializeAzureBlobService } = require('./Files/Azure/initialize');
 const { initializeFirebase } = require('./Files/Firebase/initialize');
+const { seedDefaultRoles, initializeRoles, ensureDefaultCategories } = require('~/models');
 const loadCustomConfig = require('./Config/loadCustomConfig');
 const handleRateLimits = require('./Config/handleRateLimits');
 const { loadDefaultInterface } = require('./start/interface');
@@ -26,7 +26,6 @@ const { processModelSpecs } = require('./start/modelSpecs');
 const { initializeS3 } = require('./Files/S3/initialize');
 const { loadAndFormatTools } = require('./ToolService');
 const { isEnabled } = require('~/server/utils');
-const { initializeRoles } = require('~/models');
 const { setCachedTools } = require('./Config');
 const paths = require('~/config/paths');

@@ -37,6 +36,8 @@ const paths = require('~/config/paths');
 */
 const AppService = async (app) => {
  await initializeRoles();
+  await seedDefaultRoles();
+  await ensureDefaultCategories();
  /** @type {TCustomConfig} */
  const config = (await loadCustomConfig()) ?? {};
  const configDefaults = getConfigDefaults();
@@ -158,6 +159,10 @@ const AppService = async (app) => {
    }
  });

+  if (endpoints?.all) {
+    endpointLocals.all = endpoints.all;
+  }
+
  app.locals = {
    ...defaultLocals,
    fileConfig: config?.fileConfig,
--- a/api/server/services/AppService.spec.js
+++ b/api/server/services/AppService.spec.js
@@ -28,6 +28,8 @@ jest.mock('./Files/Firebase/initialize', () => ({
 }));
 jest.mock('~/models', () => ({
  initializeRoles: jest.fn(),
+  seedDefaultRoles: jest.fn(),
+  ensureDefaultCategories: jest.fn(),
 }));
 jest.mock('~/models/Role', () => ({
  updateAccessPermissions: jest.fn(),
@@ -152,12 +154,14 @@ describe('AppService', () => {
      filteredTools: undefined,
      includedTools: undefined,
      webSearch: {
+        safeSearch: 1,
+        jinaApiKey: '${JINA_API_KEY}',
        cohereApiKey: '${COHERE_API_KEY}',
+        serperApiKey: '${SERPER_API_KEY}',
+        searxngApiKey: '${SEARXNG_API_KEY}',
        firecrawlApiKey: '${FIRECRAWL_API_KEY}',
        firecrawlApiUrl: '${FIRECRAWL_API_URL}',
-        jinaApiKey: '${JINA_API_KEY}',
-        safeSearch: 1,
-        serperApiKey: '${SERPER_API_KEY}',
+        searxngInstanceUrl: '${SEARXNG_INSTANCE_URL}',
      },
      memory: undefined,
      agents: {
@@ -541,6 +545,206 @@ describe('AppService', () => {
    expect(process.env.IMPORT_USER_MAX).toEqual('initialUserMax');
    expect(process.env.IMPORT_USER_WINDOW).toEqual('initialUserWindow');
  });
+
+  it('should correctly configure endpoint with titlePrompt, titleMethod, and titlePromptTemplate', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titleConvo: true,
+            titleModel: 'gpt-3.5-turbo',
+            titleMethod: 'structured',
+            titlePrompt: 'Custom title prompt for conversation',
+            titlePromptTemplate: 'Summarize this conversation: {{conversation}}',
+          },
+          [EModelEndpoint.assistants]: {
+            titleMethod: 'functions',
+            titlePrompt: 'Generate a title for this assistant conversation',
+            titlePromptTemplate: 'Assistant conversation template: {{messages}}',
+          },
+          [EModelEndpoint.azureOpenAI]: {
+            groups: azureGroups,
+            titleConvo: true,
+            titleMethod: 'completion',
+            titleModel: 'gpt-4',
+            titlePrompt: 'Azure title prompt',
+            titlePromptTemplate: 'Azure conversation: {{context}}',
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    // Check OpenAI endpoint configuration
+    expect(app.locals).toHaveProperty(EModelEndpoint.openAI);
+    expect(app.locals[EModelEndpoint.openAI]).toEqual(
+      expect.objectContaining({
+        titleConvo: true,
+        titleModel: 'gpt-3.5-turbo',
+        titleMethod: 'structured',
+        titlePrompt: 'Custom title prompt for conversation',
+        titlePromptTemplate: 'Summarize this conversation: {{conversation}}',
+      }),
+    );
+
+    // Check Assistants endpoint configuration
+    expect(app.locals).toHaveProperty(EModelEndpoint.assistants);
+    expect(app.locals[EModelEndpoint.assistants]).toMatchObject({
+      titleMethod: 'functions',
+      titlePrompt: 'Generate a title for this assistant conversation',
+      titlePromptTemplate: 'Assistant conversation template: {{messages}}',
+    });
+
+    // Check Azure OpenAI endpoint configuration
+    expect(app.locals).toHaveProperty(EModelEndpoint.azureOpenAI);
+    expect(app.locals[EModelEndpoint.azureOpenAI]).toEqual(
+      expect.objectContaining({
+        titleConvo: true,
+        titleMethod: 'completion',
+        titleModel: 'gpt-4',
+        titlePrompt: 'Azure title prompt',
+        titlePromptTemplate: 'Azure conversation: {{context}}',
+      }),
+    );
+  });
+
+  it('should configure Agent endpoint with title generation settings', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          [EModelEndpoint.agents]: {
+            disableBuilder: false,
+            titleConvo: true,
+            titleModel: 'gpt-4',
+            titleMethod: 'structured',
+            titlePrompt: 'Generate a descriptive title for this agent conversation',
+            titlePromptTemplate: 'Agent conversation summary: {{content}}',
+            recursionLimit: 15,
+            capabilities: [AgentCapabilities.tools, AgentCapabilities.actions],
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    expect(app.locals).toHaveProperty(EModelEndpoint.agents);
+    expect(app.locals[EModelEndpoint.agents]).toMatchObject({
+      disableBuilder: false,
+      titleConvo: true,
+      titleModel: 'gpt-4',
+      titleMethod: 'structured',
+      titlePrompt: 'Generate a descriptive title for this agent conversation',
+      titlePromptTemplate: 'Agent conversation summary: {{content}}',
+      recursionLimit: 15,
+      capabilities: expect.arrayContaining([AgentCapabilities.tools, AgentCapabilities.actions]),
+    });
+  });
+
+  it('should handle missing title configuration options with defaults', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titleConvo: true,
+            // titlePrompt and titlePromptTemplate are not provided
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    expect(app.locals).toHaveProperty(EModelEndpoint.openAI);
+    expect(app.locals[EModelEndpoint.openAI]).toMatchObject({
+      titleConvo: true,
+    });
+    // Check that the optional fields are undefined when not provided
+    expect(app.locals[EModelEndpoint.openAI].titlePrompt).toBeUndefined();
+    expect(app.locals[EModelEndpoint.openAI].titlePromptTemplate).toBeUndefined();
+    expect(app.locals[EModelEndpoint.openAI].titleMethod).toBeUndefined();
+  });
+
+  it('should correctly configure titleEndpoint when specified', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          [EModelEndpoint.openAI]: {
+            titleConvo: true,
+            titleModel: 'gpt-3.5-turbo',
+            titleEndpoint: EModelEndpoint.anthropic,
+            titlePrompt: 'Generate a concise title',
+          },
+          [EModelEndpoint.agents]: {
+            titleEndpoint: 'custom-provider',
+            titleMethod: 'structured',
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    // Check OpenAI endpoint has titleEndpoint
+    expect(app.locals).toHaveProperty(EModelEndpoint.openAI);
+    expect(app.locals[EModelEndpoint.openAI]).toMatchObject({
+      titleConvo: true,
+      titleModel: 'gpt-3.5-turbo',
+      titleEndpoint: EModelEndpoint.anthropic,
+      titlePrompt: 'Generate a concise title',
+    });
+
+    // Check Agents endpoint has titleEndpoint
+    expect(app.locals).toHaveProperty(EModelEndpoint.agents);
+    expect(app.locals[EModelEndpoint.agents]).toMatchObject({
+      titleEndpoint: 'custom-provider',
+      titleMethod: 'structured',
+    });
+  });
+
+  it('should correctly configure all endpoint when specified', async () => {
+    require('./Config/loadCustomConfig').mockImplementationOnce(() =>
+      Promise.resolve({
+        endpoints: {
+          all: {
+            titleConvo: true,
+            titleModel: 'gpt-4o-mini',
+            titleMethod: 'structured',
+            titlePrompt: 'Default title prompt for all endpoints',
+            titlePromptTemplate: 'Default template: {{conversation}}',
+            titleEndpoint: EModelEndpoint.anthropic,
+            streamRate: 50,
+          },
+          [EModelEndpoint.openAI]: {
+            titleConvo: true,
+            titleModel: 'gpt-3.5-turbo',
+          },
+        },
+      }),
+    );
+
+    await AppService(app);
+
+    // Check that 'all' endpoint config is loaded
+    expect(app.locals).toHaveProperty('all');
+    expect(app.locals.all).toMatchObject({
+      titleConvo: true,
+      titleModel: 'gpt-4o-mini',
+      titleMethod: 'structured',
+      titlePrompt: 'Default title prompt for all endpoints',
+      titlePromptTemplate: 'Default template: {{conversation}}',
+      titleEndpoint: EModelEndpoint.anthropic,
+      streamRate: 50,
+    });
+
+    // Check that OpenAI endpoint has its own config
+    expect(app.locals).toHaveProperty(EModelEndpoint.openAI);
+    expect(app.locals[EModelEndpoint.openAI]).toMatchObject({
+      titleConvo: true,
+      titleModel: 'gpt-3.5-turbo',
+    });
+  });
 });

 describe('AppService updating app.locals and issuing warnings', () => {
--- a/api/server/services/AuthService.js
+++ b/api/server/services/AuthService.js
@@ -1,4 +1,5 @@
 const bcrypt = require('bcryptjs');
+const jwt = require('jsonwebtoken');
 const { webcrypto } = require('node:crypto');
 const { isEnabled } = require('@librechat/api');
 const { logger } = require('@librechat/data-schemas');
@@ -499,6 +500,18 @@ const resendVerificationEmail = async (req) => {
    };
  }
 };
+/**
+ * Generate a short-lived JWT token
+ * @param {String} userId - The ID of the user
+ * @param {String} [expireIn='5m'] - The expiration time for the token (default is 5 minutes)
+ * @returns {String} - The generated JWT token
+ */
+const generateShortLivedToken = (userId, expireIn = '5m') => {
+  return jwt.sign({ id: userId }, process.env.JWT_SECRET, {
+    expiresIn: expireIn,
+    algorithm: 'HS256',
+  });
+};

 module.exports = {
  logoutUser,
@@ -506,7 +519,8 @@ module.exports = {
  registerUser,
  setAuthTokens,
  resetPassword,
+  setOpenIDAuthTokens,
  requestPasswordReset,
  resendVerificationEmail,
-  setOpenIDAuthTokens,
+  generateShortLivedToken,
 };
--- a/Show More
+++ b/Show More