refactor: correct type definitions for ToolInputSchema and error handling in searchFiles function

* feat: add SAML authentication

* refactor: change SAML icon

* refactor: resolve SAML metadata paths using paths.js

* test: add samlStrategy tests

* fix: update setupSaml import

* test: add SAML settings tests in config.spec.js

* test: add client tests

* refactor: improve SAML button label and fallback localization

* feat: allow only one authentication method OpenID or SAML at a time

* doc: add SAML configuration sample to docker-compose.override

* fix: require SAML_SESSION_SECRET to enable SAML

* feat: update samlStrategy

* test: update samle tests

* feat: add SAML login button label to translations and remove default value

* fix: update SAML cert file binding

* chore: update override example with SAML cert volume

* fix: update SAML session handling with Redis backend

---------

Co-authored-by: Ruben Talstra <RubenTalstra1211@outlook.com>

.env.example

@@ -443,7 +443,6 @@ OPENID_IMAGE_URL=
 # Set to true to automatically redirect to the OpenID provider when a user visits the login page
 # This will bypass the login form completely for users, only use this if OpenID is your only authentication method
 OPENID_AUTO_REDIRECT=false
-
 # Set to true to use PKCE (Proof Key for Code Exchange) for OpenID authentication
 OPENID_USE_PKCE=false
 #Set to true to reuse openid tokens for authentication management instead of using the mongodb session and the custom refresh token.
@@ -459,6 +458,33 @@ OPENID_ON_BEHALF_FLOW_USERINFRO_SCOPE = "user.read" # example for Scope Needed f
 # Set to true to use the OpenID Connect end session endpoint for logout
 OPENID_USE_END_SESSION_ENDPOINT=
 
+
+# SAML
+# Note: If OpenID is enabled, SAML authentication will be automatically disabled.
+SAML_ENTRY_POINT=
+SAML_ISSUER=
+SAML_CERT=
+SAML_CALLBACK_URL=/oauth/saml/callback
+SAML_SESSION_SECRET=
+
+# Attribute mappings (optional)
+SAML_EMAIL_CLAIM=
+SAML_USERNAME_CLAIM=
+SAML_GIVEN_NAME_CLAIM=
+SAML_FAMILY_NAME_CLAIM=
+SAML_PICTURE_CLAIM=
+SAML_NAME_CLAIM=
+
+# Logint buttion settings (optional)
+SAML_BUTTON_LABEL=
+SAML_IMAGE_URL=
+
+# Whether the SAML Response should be signed.
+# - If "true", the entire `SAML Response` will be signed.
+# - If "false" or unset, only the `SAML Assertion` will be signed (default behavior).
+# SAML_USE_AUTHN_RESPONSE_SIGNED=
+
+
 # LDAP
 LDAP_URL=
 LDAP_BIND_DN=

.gitignore

@@ -122,3 +122,5 @@ helm/**/.values.yaml
 
 !/client/src/@types/i18next.d.ts
 
+# SAML Idp cert
+*.cert

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 
 
+
 ## [Unreleased]
 
 ### ✨ New Features
@@ -15,11 +16,14 @@ All notable changes to this project will be documented in this file.
 - 🔒 feat: Add Content Security Policy using Helmet middleware by **@rubentalstra** in [#7377](https://github.com/danny-avila/LibreChat/pull/7377)
 - ✨ feat: Add Normalization for MCP Server Names by **@danny-avila** in [#7421](https://github.com/danny-avila/LibreChat/pull/7421)
 - 📊 feat: Improve Helm Chart by **@hofq** in [#3638](https://github.com/danny-avila/LibreChat/pull/3638)
+- 🦾 feat: Claude-4 Support by **@danny-avila** in [#7509](https://github.com/danny-avila/LibreChat/pull/7509)
+- 🪨 feat: Bedrock Support for Claude-4 Reasoning by **@danny-avila** in [#7517](https://github.com/danny-avila/LibreChat/pull/7517)
 
 ### 🌍 Internationalization
 
 - 🌍 i18n: Add `Danish` and `Czech` and `Catalan` localization support by **@rubentalstra** in [#7373](https://github.com/danny-avila/LibreChat/pull/7373)
 - 🌍 i18n: Update translation.json with latest translations by **@github-actions[bot]** in [#7375](https://github.com/danny-avila/LibreChat/pull/7375)
+- 🌍 i18n: Update translation.json with latest translations by **@github-actions[bot]** in [#7468](https://github.com/danny-avila/LibreChat/pull/7468)
 
 ### 🔧 Fixes
 
@@ -37,6 +41,11 @@ All notable changes to this project will be documented in this file.
 - 📜 docs: CHANGELOG for release v0.7.8 by **@github-actions[bot]** in [#7290](https://github.com/danny-avila/LibreChat/pull/7290)
 - 📦 chore: Update API Package Dependencies by **@danny-avila** in [#7359](https://github.com/danny-avila/LibreChat/pull/7359)
 - 📜 docs: Unreleased Changelog by **@github-actions[bot]** in [#7321](https://github.com/danny-avila/LibreChat/pull/7321)
+- 📜 docs: Unreleased Changelog by **@github-actions[bot]** in [#7434](https://github.com/danny-avila/LibreChat/pull/7434)
+- 🛡️ chore: `multer` v2.0.0 for CVE-2025-47935 and CVE-2025-47944 by **@danny-avila** in [#7454](https://github.com/danny-avila/LibreChat/pull/7454)
+- 📂 refactor: Improve `FileAttachment` & File Form Deletion by **@danny-avila** in [#7471](https://github.com/danny-avila/LibreChat/pull/7471)
+- 📊 chore: Remove Old Helm Chart by **@hofq** in [#7512](https://github.com/danny-avila/LibreChat/pull/7512)
+- 🪖 chore: bump helm app version to v0.7.8 by **@austin-barrington** in [#7524](https://github.com/danny-avila/LibreChat/pull/7524)
 
 
 

api/app/clients/AnthropicClient.js

@@ -74,9 +74,6 @@ class AnthropicClient extends BaseClient {
     /** Whether to use Messages API or Completions API
      * @type {boolean} */
     this.useMessages;
-    /** Whether or not the model is limited to the legacy amount of output tokens
-     * @type {boolean} */
-    this.isLegacyOutput;
     /** Whether or not the model supports Prompt Caching
      * @type {boolean} */
     this.supportsCacheControl;
@@ -118,13 +115,16 @@ class AnthropicClient extends BaseClient {
     const modelMatch = matchModelName(this.modelOptions.model, EModelEndpoint.anthropic);
     this.isClaudeLatest =
       /claude-[3-9]/.test(modelMatch) || /claude-(?:sonnet|opus|haiku)-[4-9]/.test(modelMatch);
-    this.isLegacyOutput = !(
-      /claude-3[-.]5-sonnet/.test(modelMatch) || /claude-3[-.]7/.test(modelMatch)
+    const isLegacyOutput = !(
+      /claude-3[-.]5-sonnet/.test(modelMatch) ||
+      /claude-3[-.]7/.test(modelMatch) ||
+      /claude-(?:sonnet|opus|haiku)-[4-9]/.test(modelMatch) ||
+      /claude-[4-9]/.test(modelMatch)
     );
     this.supportsCacheControl = this.options.promptCache && checkPromptCacheSupport(modelMatch);
 
     if (
-      this.isLegacyOutput &&
+      isLegacyOutput &&
       this.modelOptions.maxOutputTokens &&
       this.modelOptions.maxOutputTokens > legacy.maxOutputTokens.default
     ) {

api/app/clients/ChatGPTClient.js

@@ -244,9 +244,9 @@ class ChatGPTClient extends BaseClient {
 
       baseURL = this.langchainProxy
         ? constructAzureURL({
-          baseURL: this.langchainProxy,
-          azureOptions: this.azure,
-        })
+            baseURL: this.langchainProxy,
+            azureOptions: this.azure,
+          })
         : this.azureEndpoint.split(/(?<!\/)\/(chat|completion)\//)[0];
 
       if (this.options.forcePrompt) {
@@ -339,7 +339,6 @@ class ChatGPTClient extends BaseClient {
     opts.body = JSON.stringify(modelOptions);
 
     if (modelOptions.stream) {
-
       return new Promise(async (resolve, reject) => {
         try {
           let done = false;

api/app/clients/GoogleClient.js

@@ -236,11 +236,11 @@ class GoogleClient extends BaseClient {
       msg.content = (
         !Array.isArray(msg.content)
           ? [
-            {
-              type: ContentTypes.TEXT,
-              [ContentTypes.TEXT]: msg.content,
-            },
-          ]
+              {
+                type: ContentTypes.TEXT,
+                [ContentTypes.TEXT]: msg.content,
+              },
+            ]
           : msg.content
       ).concat(message.image_urls);
 

api/app/clients/OllamaClient.js

@@ -67,7 +67,7 @@ class OllamaClient {
       return models;
     } catch (error) {
       const logMessage =
-        'Failed to fetch models from Ollama API. If you are not using Ollama directly, and instead, through some aggregator or reverse proxy that handles fetching via OpenAI spec, ensure the name of the endpoint doesn\'t start with `ollama` (case-insensitive).';
+        "Failed to fetch models from Ollama API. If you are not using Ollama directly, and instead, through some aggregator or reverse proxy that handles fetching via OpenAI spec, ensure the name of the endpoint doesn't start with `ollama` (case-insensitive).";
       logAxiosError({ message: logMessage, error });
       return [];
     }

api/app/clients/memory/example.js

@@ -22,17 +22,17 @@
       '\n' +
       'Celestia had the power to grant one wish to anyone who dared to find her abode. Ethan, captivated by the tales he had read and yearning for something greater, approached the cottage with trepidation. When he shared his desire to embark on a grand adventure, Celestia smiled warmly and agreed to grant his wish.\n' +
       '\n' +
-      'With a wave of her wand and a sprinkle of stardust, Celestia bestowed upon Ethan a magical necklace. This necklace, adorned with a rare gemstone called the Eye of Imagination, had the power to turn dreams and imagination into reality. From that moment forward, Ethan\'s every thought and idea became manifest.\n' +
+      "With a wave of her wand and a sprinkle of stardust, Celestia bestowed upon Ethan a magical necklace. This necklace, adorned with a rare gemstone called the Eye of Imagination, had the power to turn dreams and imagination into reality. From that moment forward, Ethan's every thought and idea became manifest.\n" +
       '\n' +
       'Energized by this newfound power, Ethan continued his journey, encountering mythical creatures, solving riddles, and overcoming treacherous obstacles along the way. With the Eye of Imagination, he brought life to ancient statues, unlocked hidden doors, and even tamed fiery dragons.\n' +
       '\n' +
       'As days turned into weeks and weeks into months, Ethan became wiser and more in tune with the world around him. He learned that true adventure was not merely about seeking thrills and conquering the unknown, but also about fostering compassion, friendship, and a deep appreciation for the beauty of the ordinary.\n' +
       '\n' +
-      'Eventually, Ethan\'s journey led him back to his village. With the Eye of Imagination, he transformed the village into a place of wonders and endless possibilities. Fields blossomed into vibrant gardens, simple tools turned into intricate works of art, and the villagers felt a renewed sense of hope and inspiration.\n' +
+      "Eventually, Ethan's journey led him back to his village. With the Eye of Imagination, he transformed the village into a place of wonders and endless possibilities. Fields blossomed into vibrant gardens, simple tools turned into intricate works of art, and the villagers felt a renewed sense of hope and inspiration.\n" +
       '\n' +
-      'Ethan, now known as the Village Magician, realized that the true magic lied within everyone\'s hearts. He taught the villagers to embrace their creativity, to dream big, and to never underestimate the power of imagination. And so, the village flourished, becoming a beacon of wonder and creativity for all to see.\n' +
+      "Ethan, now known as the Village Magician, realized that the true magic lied within everyone's hearts. He taught the villagers to embrace their creativity, to dream big, and to never underestimate the power of imagination. And so, the village flourished, becoming a beacon of wonder and creativity for all to see.\n" +
       '\n' +
-      'In the years that followed, Ethan\'s adventures continued, though mostly within the confines of his beloved village. But he never forgot the thrill of that first grand adventure. And every now and then, when looking up at the starry night sky, he would allow his mind to wander, knowing that the greatest adventures were still waiting to be discovered.',
+      "In the years that followed, Ethan's adventures continued, though mostly within the confines of his beloved village. But he never forgot the thrill of that first grand adventure. And every now and then, when looking up at the starry night sky, he would allow his mind to wander, knowing that the greatest adventures were still waiting to be discovered.",
   },
   {
     role: 'user',
@@ -41,30 +41,30 @@
       '\n' +
       'Once there was a young lad by the name of Ethan, raised in a little hamlet nestled betwixt the verdant knolls, who possessed an irrepressible yearning for knowledge, a thirst unquenchable and a spirit teeming with curiosity. As the golden sun bathed the bucolic land in its effulgent light, he would tread through the village, his ears attuned to the tales spun by the townsfolk, his eyes absorbing the tapestry woven by the world surrounding him.\n' +
       '\n' +
-      'One radiant day, whilst exploring the periphery of the settlement, Ethan chanced upon a timeworn tome, ensconced amidst the roots of an ancient oak, cloaked in the shroud of neglect. The dust gathered upon it spoke of time\'s relentless march. A book of fairy tales – garnished with vivid descriptions of mystical woods, fantastical beasts, and ventures daring beyond the ordinary humdrum existence. Intrigued and beguiled, Ethan pried open the weathered pages and succumbed to their beckoning whispers.\n' +
+      "One radiant day, whilst exploring the periphery of the settlement, Ethan chanced upon a timeworn tome, ensconced amidst the roots of an ancient oak, cloaked in the shroud of neglect. The dust gathered upon it spoke of time's relentless march. A book of fairy tales – garnished with vivid descriptions of mystical woods, fantastical beasts, and ventures daring beyond the ordinary humdrum existence. Intrigued and beguiled, Ethan pried open the weathered pages and succumbed to their beckoning whispers.\n" +
       '\n' +
-      'In each tale, he was transported to a realm of enchantment and wonderment, inexorably tugging at the strings of his yearning for peripatetic exploration. Inspired by the narratives he had devoured, Ethan resolved to bid adieu to kinfolk and embark upon a sojourn, with dreams of procuring a firsthand glimpse into the domain of mystique that lay beyond the village\'s circumscribed boundary.\n' +
+      "In each tale, he was transported to a realm of enchantment and wonderment, inexorably tugging at the strings of his yearning for peripatetic exploration. Inspired by the narratives he had devoured, Ethan resolved to bid adieu to kinfolk and embark upon a sojourn, with dreams of procuring a firsthand glimpse into the domain of mystique that lay beyond the village's circumscribed boundary.\n" +
       '\n' +
       'Thus, he bade tearful farewells, girding himself for a path that guided him to a dense and captivating woodland, whispered of as a sanctuary to mythical beings and clandestine troves of treasures. As Ethan plunged deeper into the heart of the arboreal labyrinth, he felt a palpable surge of electricity, as though the sylvan sentinels whispered enigmatic secrets that only the perceptive ear could discern.\n' +
       '\n' +
-      'It wasn\'t long before his path intertwined with that of a capricious sprite christened Sparkle, bearing an impish grin and eyes sparkling with mischief. Sparkle played the role of Virgil to Ethan\'s Dante, guiding him through the intricate tapestry of arboreal scions, issuing warnings of perils concealed and spinning tales of ancient entities that called this very bosky enclave home.\n' +
+      "It wasn't long before his path intertwined with that of a capricious sprite christened Sparkle, bearing an impish grin and eyes sparkling with mischief. Sparkle played the role of Virgil to Ethan's Dante, guiding him through the intricate tapestry of arboreal scions, issuing warnings of perils concealed and spinning tales of ancient entities that called this very bosky enclave home.\n" +
       '\n' +
       'Together, they stumbled upon a luminous lake, its shimmering waters imbued with a celestial light. At the center lay a diminutive island, upon which reposed a cottage fashioned from tender petals and verdant leaves. It belonged to an ancient sorceress of considerable wisdom, Celestia by name.\n' +
       '\n' +
-      'Celestia, with her power to bestow a single wish on any intrepid soul who happened upon her abode, met Ethan\'s desire with a congenial nod, his fervor for a grand expedition not lost on her penetrating gaze. In response, she bequeathed unto him a necklace of magical manufacture – adorned with the rare gemstone known as the Eye of Imagination – whose very essence transformed dreams into vivid reality. From that moment forward, not a single cogitation nor nebulous fanciful notion of Ethan\'s ever lacked physicality.\n' +
+      "Celestia, with her power to bestow a single wish on any intrepid soul who happened upon her abode, met Ethan's desire with a congenial nod, his fervor for a grand expedition not lost on her penetrating gaze. In response, she bequeathed unto him a necklace of magical manufacture – adorned with the rare gemstone known as the Eye of Imagination – whose very essence transformed dreams into vivid reality. From that moment forward, not a single cogitation nor nebulous fanciful notion of Ethan's ever lacked physicality.\n" +
       '\n' +
       'Energized by this newfound potency, Ethan continued his sojourn, encountering mythical creatures, unraveling cerebral enigmas, and braving perils aplenty along the winding roads of destiny. Armed with the Eye of Imagination, he brought forth life from immobile statuary, unlocked forbidding portals, and even tamed the ferocious beasts of yore – their fiery breath reduced to a whisper.\n' +
       '\n' +
-      'As the weeks metamorphosed into months, Ethan grew wiser and more attuned to the ebb and flow of the world enveloping him. He gleaned that true adventure isn\'t solely confined to sating a thirst for adrenaline and conquering the unknown; indeed, it resides in fostering compassion, fostering amicable bonds, and cherishing the beauty entwined within the quotidian veld.\n' +
+      "As the weeks metamorphosed into months, Ethan grew wiser and more attuned to the ebb and flow of the world enveloping him. He gleaned that true adventure isn't solely confined to sating a thirst for adrenaline and conquering the unknown; indeed, it resides in fostering compassion, fostering amicable bonds, and cherishing the beauty entwined within the quotidian veld.\n" +
       '\n' +
-      'Eventually, Ethan\'s quest drew him homeward, back to his village. Buoying the Eye of Imagination\'s ethereal power, he imbued the hitherto unremarkable settlement with the patina of infinite possibilities. The bounteous fields bloomed into kaleidoscopic gardens, simple instruments transmuting into intricate masterpieces, and the villagers themselves clasped within their hearts a renewed ardor, a conflagration of hope and inspiration.\n' +
+      "Eventually, Ethan's quest drew him homeward, back to his village. Buoying the Eye of Imagination's ethereal power, he imbued the hitherto unremarkable settlement with the patina of infinite possibilities. The bounteous fields bloomed into kaleidoscopic gardens, simple instruments transmuting into intricate masterpieces, and the villagers themselves clasped within their hearts a renewed ardor, a conflagration of hope and inspiration.\n" +
       '\n' +
-      'Behold Ethan, at present hailed as the Village Magician – a cognomen befitting his sorcery wielded within the confines of the community he adored. His exploits may have become tethered to a geographical locale, but the flame kindled by that premier sojourn never flickered. Occasionally, beneath the veiled twilight canopy, when peering skyward toward the astral canvas bedecked with countless luminescent diamonds, he\'d allow his mind to wander, cognizant of boundless adventures yet to take flight, forever awaiting his indomitable spirit.',
+      "Behold Ethan, at present hailed as the Village Magician – a cognomen befitting his sorcery wielded within the confines of the community he adored. His exploits may have become tethered to a geographical locale, but the flame kindled by that premier sojourn never flickered. Occasionally, beneath the veiled twilight canopy, when peering skyward toward the astral canvas bedecked with countless luminescent diamonds, he'd allow his mind to wander, cognizant of boundless adventures yet to take flight, forever awaiting his indomitable spirit.",
   },
   {
     role: 'assistant',
     content:
-      'Beautifully rewritten! It captures the essence of Cormac McCarthy\'s style, with its descriptive language and evocative imagery. The story retains the spirit of adventure and the power of imagination seen in the original. Well done! If you have any more requests or if there\'s anything else I can assist you with, feel free to let me know.',
+      "Beautifully rewritten! It captures the essence of Cormac McCarthy's style, with its descriptive language and evocative imagery. The story retains the spirit of adventure and the power of imagination seen in the original. Well done! If you have any more requests or if there's anything else I can assist you with, feel free to let me know.",
   },
   {
     role: 'user',
@@ -73,19 +73,19 @@
   {
     role: 'assistant',
     content:
-      'Certainly! Here\'s a short story reflecting Cormac McCarthy\'s style:\n' +
+      "Certainly! Here's a short story reflecting Cormac McCarthy's style:\n" +
       '\n' +
       'In a desolate wasteland scarred by the sins of mankind, a lone traveler ventured forth, his name forgotten by time, etched upon the shadows of memory. He navigated the barren plains, where the sun beat down, merciless and unrelenting, scorching the parched earth beneath his weary boots.\n' +
       '\n' +
       'Desolation was his only companion, the forsaken landscape a testament to the darkness that had befallen this forsaken realm. The wind whispered secrets long lost, carrying with it the echoes of a civilization long since undone, swallowed by the abyss.\n' +
       '\n' +
-      'Amongst the shattered remnants of fallen cities, he sought solace, a glimmer of hope amidst the desolation. Rusted remnants of steel and concrete stood as sentinels of mankind\'s hubris, their jagged edges a chilling reminder of the fragility of all that was once deemed invincible.\n' +
+      "Amongst the shattered remnants of fallen cities, he sought solace, a glimmer of hope amidst the desolation. Rusted remnants of steel and concrete stood as sentinels of mankind's hubris, their jagged edges a chilling reminder of the fragility of all that was once deemed invincible.\n" +
       '\n' +
       'As twilight descended, casting a pallid hue upon the lifeless land, he happened upon a dilapidated house, its walls crumbling under the weight of time. Drawn to the desolation, he pushed open the creaking door, its rusty hinges screaming in protest.\n' +
       '\n' +
       'Inside, a world frozen in time awaited him. Dust particles danced through the air, illuminated by slivers of light that pierced the broken windows. Here, the past lay trapped, a melancholic tableau of lives lost and dreams shattered.\n' +
       '\n' +
-      'He wandered through the empty rooms, bare walls whispering stories untold. In the corner, a dilapidated piano stood, its ivory keys long since abandoned by a musician\'s touch. He approached it cautiously, a faint glimmer of anticipation igniting in his weather-worn eyes.\n' +
+      "He wandered through the empty rooms, bare walls whispering stories untold. In the corner, a dilapidated piano stood, its ivory keys long since abandoned by a musician's touch. He approached it cautiously, a faint glimmer of anticipation igniting in his weather-worn eyes.\n" +
       '\n' +
       'Determined, he carefully brushed away the dust and debris that cloaked the instrument. With trembling hands, he pressed a key, and a discordant note filled the air, mingling with the sighs of forgotten melodies. The sound echoed through the silence, bringing with it the remnants of forgotten symphonies.\n' +
       '\n' +
@@ -103,13 +103,13 @@
   {
     role: 'assistant',
     content:
-      'Thank you! I\'m glad you enjoyed it. If you have any more writing requests or if there\'s anything else I can assist you with, feel free to let me know.',
+      "Thank you! I'm glad you enjoyed it. If you have any more writing requests or if there's anything else I can assist you with, feel free to let me know.",
   },
   { role: 'user', content: 'you are very helpful' },
   {
     role: 'assistant',
     content:
-      'Thank you for your kind words! I\'m here to assist you in any way I can. If you have any more questions, need further assistance, or just want to chat, feel free to reach out.',
+      "Thank you for your kind words! I'm here to assist you in any way I can. If you have any more questions, need further assistance, or just want to chat, feel free to reach out.",
   },
   { role: 'user', content: 'no you man' },
 ];

api/app/clients/memory/summaryBuffer.demo.js

@@ -9,7 +9,7 @@ const chatPromptMemory = new ConversationSummaryBufferMemory({
 });
 
 (async () => {
-  await chatPromptMemory.saveContext({ input: 'hi my name\'s Danny' }, { output: 'whats up' });
+  await chatPromptMemory.saveContext({ input: "hi my name's Danny" }, { output: 'whats up' });
   await chatPromptMemory.saveContext({ input: 'not much you' }, { output: 'not much' });
   await chatPromptMemory.saveContext(
     { input: 'are you excited for the olympics?' },

api/app/clients/output_parsers/addImages.spec.js

@@ -74,7 +74,7 @@ describe('addImages', () => {
 
   it('should append correctly from a real scenario', () => {
     responseMessage.text =
-      'Here is the generated image based on your request. It depicts a surreal landscape filled with floating musical notes. The style is impressionistic, with vibrant sunset hues dominating the scene. At the center, there\'s a silhouette of a grand piano, adding a dreamy emotion to the overall image. This could serve as a unique and creative music album cover. Would you like to make any changes or generate another image?';
+      "Here is the generated image based on your request. It depicts a surreal landscape filled with floating musical notes. The style is impressionistic, with vibrant sunset hues dominating the scene. At the center, there's a silhouette of a grand piano, adding a dreamy emotion to the overall image. This could serve as a unique and creative music album cover. Would you like to make any changes or generate another image?";
     const originalText = responseMessage.text;
     const imageMarkdown = '![generated image](/images/img-RnVWaYo2Yg4x3e0isICiMuf5.png)';
     intermediateSteps.push({ observation: imageMarkdown });

api/app/clients/output_parsers/handleOutputs.js

@@ -65,14 +65,14 @@ function buildPromptPrefix({ result, message, functionsAgent }) {
   const preliminaryAnswer =
     result.output?.length > 0 ? `Preliminary Answer: "${result.output.trim()}"` : '';
   const prefix = preliminaryAnswer
-    ? 'review and improve the answer you generated using plugins in response to the User Message below. The user hasn\'t seen your answer or thoughts yet.'
+    ? "review and improve the answer you generated using plugins in response to the User Message below. The user hasn't seen your answer or thoughts yet."
     : 'respond to the User Message below based on your preliminary thoughts & actions.';
 
   return `As a helpful AI Assistant, ${prefix}${errorMessage}\n${internalActions}
 ${preliminaryAnswer}
 Reply conversationally to the User based on your ${
-  preliminaryAnswer ? 'preliminary answer, ' : ''
-}internal actions, thoughts, and observations, making improvements wherever possible, but do not modify URLs.
+    preliminaryAnswer ? 'preliminary answer, ' : ''
+  }internal actions, thoughts, and observations, making improvements wherever possible, but do not modify URLs.
 ${
   preliminaryAnswer
     ? ''

api/app/clients/prompts/addCacheControl.spec.js

@@ -6,7 +6,7 @@ describe('addCacheControl', () => {
       { role: 'user', content: [{ type: 'text', text: 'Hello' }] },
       { role: 'assistant', content: [{ type: 'text', text: 'Hi there' }] },
       { role: 'user', content: [{ type: 'text', text: 'How are you?' }] },
-      { role: 'assistant', content: [{ type: 'text', text: 'I\'m doing well, thanks!' }] },
+      { role: 'assistant', content: [{ type: 'text', text: "I'm doing well, thanks!" }] },
       { role: 'user', content: [{ type: 'text', text: 'Great!' }] },
     ];
 
@@ -22,7 +22,7 @@ describe('addCacheControl', () => {
       { role: 'user', content: 'Hello' },
       { role: 'assistant', content: 'Hi there' },
       { role: 'user', content: 'How are you?' },
-      { role: 'assistant', content: 'I\'m doing well, thanks!' },
+      { role: 'assistant', content: "I'm doing well, thanks!" },
       { role: 'user', content: 'Great!' },
     ];
 
@@ -140,7 +140,7 @@ describe('addCacheControl', () => {
       { role: 'user', content: 'Hello' },
       { role: 'assistant', content: 'Hi there' },
       { role: 'user', content: [{ type: 'text', text: 'How are you?' }] },
-      { role: 'assistant', content: 'I\'m doing well, thanks!' },
+      { role: 'assistant', content: "I'm doing well, thanks!" },
       { role: 'user', content: 'Great!' },
     ];
 
@@ -160,7 +160,7 @@ describe('addCacheControl', () => {
       },
     ]);
     expect(result[1].content).toBe('Hi there');
-    expect(result[3].content).toBe('I\'m doing well, thanks!');
+    expect(result[3].content).toBe("I'm doing well, thanks!");
   });
 
   test('should handle edge case with multiple content types', () => {

api/app/clients/prompts/artifacts.js

@@ -3,7 +3,6 @@ const { EModelEndpoint, ArtifactModes } = require('librechat-data-provider');
 const { generateShadcnPrompt } = require('~/app/clients/prompts/shadcn-docs/generate');
 const { components } = require('~/app/clients/prompts/shadcn-docs/components');
 
-// eslint-disable-next-line no-unused-vars
 const artifactsPromptV1 = dedent`The assistant can create and reference artifacts during conversations.
   
 Artifacts are for substantial, self-contained content that users might modify or reuse, displayed in a separate UI window for clarity.

api/app/clients/prompts/createContextHandlers.js

@@ -96,35 +96,35 @@ function createContextHandlers(req, userMessageContent) {
         resolvedQueries.length === 0
           ? '\n\tThe semantic search did not return any results.'
           : resolvedQueries
-            .map((queryResult, index) => {
-              const file = processedFiles[index];
-              let contextItems = queryResult.data;
+              .map((queryResult, index) => {
+                const file = processedFiles[index];
+                let contextItems = queryResult.data;
 
-              const generateContext = (currentContext) =>
-                `
+                const generateContext = (currentContext) =>
+                  `
           <file>
             <filename>${file.filename}</filename>
             <context>${currentContext}
             </context>
           </file>`;
 
-              if (useFullContext) {
-                return generateContext(`\n${contextItems}`);
-              }
+                if (useFullContext) {
+                  return generateContext(`\n${contextItems}`);
+                }
 
-              contextItems = queryResult.data
-                .map((item) => {
-                  const pageContent = item[0].page_content;
-                  return `
+                contextItems = queryResult.data
+                  .map((item) => {
+                    const pageContent = item[0].page_content;
+                    return `
             <contextItem>
               <![CDATA[${pageContent?.trim()}]]>
             </contextItem>`;
-                })
-                .join('');
+                  })
+                  .join('');
 
-              return generateContext(contextItems);
-            })
-            .join('');
+                return generateContext(contextItems);
+              })
+              .join('');
 
       if (useFullContext) {
         const prompt = `${header}

api/app/clients/prompts/formatAgentMessages.spec.js

@@ -130,7 +130,7 @@ describe('formatAgentMessages', () => {
         content: [
           {
             type: ContentTypes.TEXT,
-            [ContentTypes.TEXT]: 'I\'ll search for that information.',
+            [ContentTypes.TEXT]: "I'll search for that information.",
             tool_call_ids: ['search_1'],
           },
           {
@@ -144,7 +144,7 @@ describe('formatAgentMessages', () => {
           },
           {
             type: ContentTypes.TEXT,
-            [ContentTypes.TEXT]: 'Now, I\'ll convert the temperature.',
+            [ContentTypes.TEXT]: "Now, I'll convert the temperature.",
             tool_call_ids: ['convert_1'],
           },
           {
@@ -156,7 +156,7 @@ describe('formatAgentMessages', () => {
               output: '23.89°C',
             },
           },
-          { type: ContentTypes.TEXT, [ContentTypes.TEXT]: 'Here\'s your answer.' },
+          { type: ContentTypes.TEXT, [ContentTypes.TEXT]: "Here's your answer." },
         ],
       },
     ];
@@ -171,7 +171,7 @@ describe('formatAgentMessages', () => {
     expect(result[4]).toBeInstanceOf(AIMessage);
 
     // Check first AIMessage
-    expect(result[0].content).toBe('I\'ll search for that information.');
+    expect(result[0].content).toBe("I'll search for that information.");
     expect(result[0].tool_calls).toHaveLength(1);
     expect(result[0].tool_calls[0]).toEqual({
       id: 'search_1',
@@ -187,7 +187,7 @@ describe('formatAgentMessages', () => {
     );
 
     // Check second AIMessage
-    expect(result[2].content).toBe('Now, I\'ll convert the temperature.');
+    expect(result[2].content).toBe("Now, I'll convert the temperature.");
     expect(result[2].tool_calls).toHaveLength(1);
     expect(result[2].tool_calls[0]).toEqual({
       id: 'convert_1',
@@ -202,7 +202,7 @@ describe('formatAgentMessages', () => {
 
     // Check final AIMessage
     expect(result[4].content).toStrictEqual([
-      { [ContentTypes.TEXT]: 'Here\'s your answer.', type: ContentTypes.TEXT },
+      { [ContentTypes.TEXT]: "Here's your answer.", type: ContentTypes.TEXT },
     ]);
   });
 
@@ -217,7 +217,7 @@ describe('formatAgentMessages', () => {
         role: 'assistant',
         content: [{ type: ContentTypes.TEXT, [ContentTypes.TEXT]: 'How can I help you?' }],
       },
-      { role: 'user', content: 'What\'s the weather?' },
+      { role: 'user', content: "What's the weather?" },
       {
         role: 'assistant',
         content: [
@@ -240,7 +240,7 @@ describe('formatAgentMessages', () => {
       {
         role: 'assistant',
         content: [
-          { type: ContentTypes.TEXT, [ContentTypes.TEXT]: 'Here\'s the weather information.' },
+          { type: ContentTypes.TEXT, [ContentTypes.TEXT]: "Here's the weather information." },
         ],
       },
     ];
@@ -265,12 +265,12 @@ describe('formatAgentMessages', () => {
       { [ContentTypes.TEXT]: 'How can I help you?', type: ContentTypes.TEXT },
     ]);
     expect(result[2].content).toStrictEqual([
-      { [ContentTypes.TEXT]: 'What\'s the weather?', type: ContentTypes.TEXT },
+      { [ContentTypes.TEXT]: "What's the weather?", type: ContentTypes.TEXT },
     ]);
     expect(result[3].content).toBe('Let me check that for you.');
     expect(result[4].content).toBe('Sunny, 75°F');
     expect(result[5].content).toStrictEqual([
-      { [ContentTypes.TEXT]: 'Here\'s the weather information.', type: ContentTypes.TEXT },
+      { [ContentTypes.TEXT]: "Here's the weather information.", type: ContentTypes.TEXT },
     ]);
 
     // Check that there are no consecutive AIMessages

api/app/clients/prompts/instructions.js

@@ -1,8 +1,8 @@
 module.exports = {
   instructions:
-    'Remember, all your responses MUST be in the format described. Do not respond unless it\'s in the format described, using the structure of Action, Action Input, etc.',
+    "Remember, all your responses MUST be in the format described. Do not respond unless it's in the format described, using the structure of Action, Action Input, etc.",
   errorInstructions:
-    '\nYou encountered an error in attempting a response. The user is not aware of the error so you shouldn\'t mention it.\nReview the actions taken carefully in case there is a partial or complete answer within them.\nError Message:',
+    "\nYou encountered an error in attempting a response. The user is not aware of the error so you shouldn't mention it.\nReview the actions taken carefully in case there is a partial or complete answer within them.\nError Message:",
   imageInstructions:
     'You must include the exact image paths from above, formatted in Markdown syntax: ![alt-text](URL)',
   completionInstructions:

api/app/clients/prompts/shadcn-docs/generate.js

@@ -18,17 +18,17 @@ function generateShadcnPrompt(options) {
     Here are the components that are available, along with how to import them, and how to use them:
 
     ${Object.values(components)
-    .map((component) => {
-      if (useXML) {
-        return dedent`
+      .map((component) => {
+        if (useXML) {
+          return dedent`
             <component>
               <name>${component.componentName}</name>
               <import-instructions>${component.importDocs}</import-instructions>
               <usage-instructions>${component.usageDocs}</usage-instructions>
             </component>
           `;
-      } else {
-        return dedent`
+        } else {
+          return dedent`
             # ${component.componentName}
 
             ## Import Instructions
@@ -37,9 +37,9 @@ function generateShadcnPrompt(options) {
             ## Usage Instructions
             ${component.usageDocs}
           `;
-      }
-    })
-    .join('\n\n')}
+        }
+      })
+      .join('\n\n')}
   `;
 
   return systemPrompt;

api/app/clients/specs/AnthropicClient.test.js

@@ -514,6 +514,34 @@ describe('AnthropicClient', () => {
       expect(client.modelOptions.maxOutputTokens).toBe(highTokenValue);
     });
 
+    it('should not cap maxOutputTokens for Claude 4 Sonnet models', () => {
+      const client = new AnthropicClient('test-api-key');
+      const highTokenValue = anthropicSettings.legacy.maxOutputTokens.default * 10; // 40,960 tokens
+
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-sonnet-4-20250514',
+          maxOutputTokens: highTokenValue,
+        },
+      });
+
+      expect(client.modelOptions.maxOutputTokens).toBe(highTokenValue);
+    });
+
+    it('should not cap maxOutputTokens for Claude 4 Opus models', () => {
+      const client = new AnthropicClient('test-api-key');
+      const highTokenValue = anthropicSettings.legacy.maxOutputTokens.default * 6; // 24,576 tokens (under 32K limit)
+
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-opus-4-20250514',
+          maxOutputTokens: highTokenValue,
+        },
+      });
+
+      expect(client.modelOptions.maxOutputTokens).toBe(highTokenValue);
+    });
+
     it('should cap maxOutputTokens for Claude 3.5 Haiku models', () => {
       const client = new AnthropicClient('test-api-key');
       const highTokenValue = anthropicSettings.legacy.maxOutputTokens.default * 2;

api/app/clients/specs/BaseClient.test.js

@@ -52,7 +52,7 @@ const messageHistory = [
   {
     role: 'user',
     isCreatedByUser: true,
-    text: 'What\'s up',
+    text: "What's up",
     messageId: '3',
     parentMessageId: '2',
   },
@@ -456,7 +456,7 @@ describe('BaseClient', () => {
 
       const chatMessages2 = await TestClient.loadHistory(conversationId, '3');
       expect(TestClient.currentMessages).toHaveLength(3);
-      expect(chatMessages2[chatMessages2.length - 1].text).toEqual('What\'s up');
+      expect(chatMessages2[chatMessages2.length - 1].text).toEqual("What's up");
     });
 
     /* Most of the new sendMessage logic revolving around edited/continued AI messages

api/app/clients/specs/OpenAIClient.test.js

@@ -462,17 +462,17 @@ describe('OpenAIClient', () => {
         role: 'system',
         name: 'example_user',
         content:
-          'Let\'s circle back when we have more bandwidth to touch base on opportunities for increased leverage.',
+          "Let's circle back when we have more bandwidth to touch base on opportunities for increased leverage.",
       },
       {
         role: 'system',
         name: 'example_assistant',
-        content: 'Let\'s talk later when we\'re less busy about how to do better.',
+        content: "Let's talk later when we're less busy about how to do better.",
       },
       {
         role: 'user',
         content:
-          'This late pivot means we don\'t have time to boil the ocean for the client deliverable.',
+          "This late pivot means we don't have time to boil the ocean for the client deliverable.",
       },
     ];
 

api/app/clients/tools/structured/AzureAISearch.js

@@ -18,7 +18,7 @@ class AzureAISearch extends Tool {
     super();
     this.name = 'azure-ai-search';
     this.description =
-      'Use the \'azure-ai-search\' tool to retrieve search results relevant to your input';
+      "Use the 'azure-ai-search' tool to retrieve search results relevant to your input";
     /* Used to initialize the Tool without necessary variables. */
     this.override = fields.override ?? false;
 

api/app/clients/tools/structured/DALLE3.js

@@ -11,7 +11,7 @@ const extractBaseURL = require('~/utils/extractBaseURL');
 const { logger } = require('~/config');
 
 const displayMessage =
-  'DALL-E displayed an image. All generated images are already plainly visible, so don\'t repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.';
+  "DALL-E displayed an image. All generated images are already plainly visible, so don't repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.";
 class DALLE3 extends Tool {
   constructor(fields = {}) {
     super();

api/app/clients/tools/structured/FluxAPI.js

@@ -8,7 +8,7 @@ const { FileContext, ContentTypes } = require('librechat-data-provider');
 const { logger } = require('~/config');
 
 const displayMessage =
-  'Flux displayed an image. All generated images are already plainly visible, so don\'t repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.';
+  "Flux displayed an image. All generated images are already plainly visible, so don't repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.";
 
 /**
  * FluxAPI - A tool for generating high-quality images from text prompts using the Flux API.

api/app/clients/tools/structured/OpenAIImageTools.js

@@ -64,7 +64,7 @@ const DEFAULT_IMAGE_EDIT_PROMPT_DESCRIPTION = `Describe the changes, enhancement
       Always base this prompt on the most recently uploaded reference images.`;
 
 const displayMessage =
-  'The tool displayed an image. All generated images are already plainly visible, so don\'t repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.';
+  "The tool displayed an image. All generated images are already plainly visible, so don't repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.";
 
 /**
  * Replaces unwanted characters from the input string

api/app/clients/tools/structured/OpenWeather.js

@@ -232,7 +232,7 @@ class OpenWeather extends Tool {
 
       if (['current_forecast', 'timestamp', 'daily_aggregation', 'overview'].includes(action)) {
         if (typeof finalLat !== 'number' || typeof finalLon !== 'number') {
-          return 'Error: lat and lon are required and must be numbers for this action (or specify \'city\').';
+          return "Error: lat and lon are required and must be numbers for this action (or specify 'city').";
         }
       }
 
@@ -243,7 +243,7 @@ class OpenWeather extends Tool {
       let dt;
       if (action === 'timestamp') {
         if (!date) {
-          return 'Error: For timestamp action, a \'date\' in YYYY-MM-DD format is required.';
+          return "Error: For timestamp action, a 'date' in YYYY-MM-DD format is required.";
         }
         dt = this.convertDateToUnix(date);
       }

api/app/clients/tools/structured/StableDiffusion.js

@@ -11,7 +11,7 @@ const paths = require('~/config/paths');
 const { logger } = require('~/config');
 
 const displayMessage =
-  'Stable Diffusion displayed an image. All generated images are already plainly visible, so don\'t repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.';
+  "Stable Diffusion displayed an image. All generated images are already plainly visible, so don't repeat the descriptions in detail. Do not list download links as they are available in the UI already. The user may download the images by clicking on them, but do not mention anything about downloading to the user.";
 
 class StableDiffusionAPI extends Tool {
   constructor(fields) {
@@ -44,7 +44,7 @@ class StableDiffusionAPI extends Tool {
 // "negative_prompt":"semi-realistic, cgi, 3d, render, sketch, cartoon, drawing, anime, out of frame, low quality, ugly, mutation, deformed"
 // - Generate images only once per human query unless explicitly requested by the user`;
     this.description =
-      'You can generate images using text with \'stable-diffusion\'. This tool is exclusively for visual content.';
+      "You can generate images using text with 'stable-diffusion'. This tool is exclusively for visual content.";
     this.schema = z.object({
       prompt: z
         .string()

api/app/clients/tools/structured/TraversaalSearch.js

@@ -21,7 +21,7 @@ class TraversaalSearch extends Tool {
       query: z
         .string()
         .describe(
-          'A properly written sentence to be interpreted by an AI to search the web according to the user\'s request.',
+          "A properly written sentence to be interpreted by an AI to search the web according to the user's request.",
         ),
     });
 
@@ -38,7 +38,6 @@ class TraversaalSearch extends Tool {
     return apiKey;
   }
 
-  // eslint-disable-next-line no-unused-vars
   async _call({ query }, _runManager) {
     const body = {
       query: [query],

api/app/clients/tools/structured/YouTube.js

@@ -29,7 +29,7 @@ function parseTranscript(transcriptResponse) {
     .map((entry) => entry.text.trim())
     .filter((text) => text)
     .join(' ')
-    .replaceAll(''', '\'');
+    .replaceAll(''', "'");
 }
 
 function createYouTubeTools(fields = {}) {

api/app/clients/tools/util/fileSearch.js

@@ -135,7 +135,7 @@ const createFileSearchTool = async ({ req, files, entity_id }) => {
         query: z
           .string()
           .describe(
-            'A natural language query to search for relevant information in the files. Be specific and use keywords related to the information you\'re looking for. The query will be used for semantic similarity matching against the file contents.',
+            "A natural language query to search for relevant information in the files. Be specific and use keywords related to the information you're looking for. The query will be used for semantic similarity matching against the file contents.",
           ),
       }),
     },

api/app/clients/tools/util/handleTools.test.js

@@ -218,7 +218,6 @@ describe('Tool Handlers', () => {
       try {
         await loadTool2();
       } catch (error) {
-        // eslint-disable-next-line jest/no-conditional-expect
         expect(error).toBeDefined();
       }
     });

api/models/Agent.js

@@ -1,6 +1,7 @@
 const mongoose = require('mongoose');
+const crypto = require('node:crypto');
 const { agentSchema } = require('@librechat/data-schemas');
-const { SystemRoles, Tools } = require('librechat-data-provider');
+const { SystemRoles, Tools, actionDelimiter } = require('librechat-data-provider');
 const { GLOBAL_PROJECT_NAME, EPHEMERAL_AGENT_ID, mcp_delimiter } =
   require('librechat-data-provider').Constants;
 const { CONFIG_STORE, STARTUP_CONFIG } = require('librechat-data-provider').CacheKeys;
@@ -11,6 +12,8 @@ const {
   removeAgentFromAllProjects,
 } = require('./Project');
 const getLogStores = require('~/cache/getLogStores');
+const { getActions } = require('./Action');
+const { logger } = require('~/config');
 
 const Agent = mongoose.model('agent', agentSchema);
 
@@ -149,10 +152,12 @@ const loadAgent = async ({ req, agent_id, endpoint, model_parameters }) => {
 /**
  * Check if a version already exists in the versions array, excluding timestamp and author fields
  * @param {Object} updateData - The update data to compare
+ * @param {Object} currentData - The current agent data
  * @param {Array} versions - The existing versions array
+ * @param {string} [actionsHash] - Hash of current action metadata
  * @returns {Object|null} - The matching version if found, null otherwise
  */
-const isDuplicateVersion = (updateData, currentData, versions) => {
+const isDuplicateVersion = (updateData, currentData, versions, actionsHash = null) => {
   if (!versions || versions.length === 0) {
     return null;
   }
@@ -169,17 +174,22 @@ const isDuplicateVersion = (updateData, currentData, versions) => {
     '__v',
     'agent_ids',
     'versions',
+    'actionsHash', // Exclude actionsHash from direct comparison
   ];
 
   const { $push, $pull, $addToSet, ...directUpdates } = updateData;
 
-  if (Object.keys(directUpdates).length === 0) {
+  if (Object.keys(directUpdates).length === 0 && !actionsHash) {
     return null;
   }
 
   const wouldBeVersion = { ...currentData, ...directUpdates };
   const lastVersion = versions[versions.length - 1];
 
+  if (actionsHash && lastVersion.actionsHash !== actionsHash) {
+    return null;
+  }
+
   const allFields = new Set([...Object.keys(wouldBeVersion), ...Object.keys(lastVersion)]);
 
   const importantFields = Array.from(allFields).filter((field) => !excludeFields.includes(field));
@@ -249,21 +259,58 @@ const isDuplicateVersion = (updateData, currentData, versions) => {
  * @param {string} searchParameter.id - The ID of the agent to update.
  * @param {string} [searchParameter.author] - The user ID of the agent's author.
  * @param {Object} updateData - An object containing the properties to update.
- * @param {string} [updatingUserId] - The ID of the user performing the update (used for tracking non-author updates).
+ * @param {Object} [options] - Optional configuration object.
+ * @param {string} [options.updatingUserId] - The ID of the user performing the update (used for tracking non-author updates).
+ * @param {boolean} [options.forceVersion] - Force creation of a new version even if no fields changed.
  * @returns {Promise<Agent>} The updated or newly created agent document as a plain object.
  * @throws {Error} If the update would create a duplicate version
  */
-const updateAgent = async (searchParameter, updateData, updatingUserId = null) => {
-  const options = { new: true, upsert: false };
+const updateAgent = async (searchParameter, updateData, options = {}) => {
+  const { updatingUserId = null, forceVersion = false } = options;
+  const mongoOptions = { new: true, upsert: false };
 
   const currentAgent = await Agent.findOne(searchParameter);
   if (currentAgent) {
     const { __v, _id, id, versions, author, ...versionData } = currentAgent.toObject();
     const { $push, $pull, $addToSet, ...directUpdates } = updateData;
 
-    if (Object.keys(directUpdates).length > 0 && versions && versions.length > 0) {
-      const duplicateVersion = isDuplicateVersion(updateData, versionData, versions);
-      if (duplicateVersion) {
+    let actionsHash = null;
+
+    // Generate actions hash if agent has actions
+    if (currentAgent.actions && currentAgent.actions.length > 0) {
+      // Extract action IDs from the format "domain_action_id"
+      const actionIds = currentAgent.actions
+        .map((action) => {
+          const parts = action.split(actionDelimiter);
+          return parts[1]; // Get just the action ID part
+        })
+        .filter(Boolean);
+
+      if (actionIds.length > 0) {
+        try {
+          const actions = await getActions(
+            {
+              action_id: { $in: actionIds },
+            },
+            true,
+          ); // Include sensitive data for hash
+
+          actionsHash = await generateActionMetadataHash(currentAgent.actions, actions);
+        } catch (error) {
+          logger.error('Error fetching actions for hash generation:', error);
+        }
+      }
+    }
+
+    const shouldCreateVersion =
+      forceVersion ||
+      (versions &&
+        versions.length > 0 &&
+        (Object.keys(directUpdates).length > 0 || $push || $pull || $addToSet));
+
+    if (shouldCreateVersion) {
+      const duplicateVersion = isDuplicateVersion(updateData, versionData, versions, actionsHash);
+      if (duplicateVersion && !forceVersion) {
         const error = new Error(
           'Duplicate version: This would create a version identical to an existing one',
         );
@@ -284,18 +331,25 @@ const updateAgent = async (searchParameter, updateData, updatingUserId = null) =
       updatedAt: new Date(),
     };
 
+    // Include actions hash in version if available
+    if (actionsHash) {
+      versionEntry.actionsHash = actionsHash;
+    }
+
     // Always store updatedBy field to track who made the change
     if (updatingUserId) {
       versionEntry.updatedBy = new mongoose.Types.ObjectId(updatingUserId);
     }
 
-    updateData.$push = {
-      ...($push || {}),
-      versions: versionEntry,
-    };
+    if (shouldCreateVersion || forceVersion) {
+      updateData.$push = {
+        ...($push || {}),
+        versions: versionEntry,
+      };
+    }
   }
 
-  return Agent.findOneAndUpdate(searchParameter, updateData, options).lean();
+  return Agent.findOneAndUpdate(searchParameter, updateData, mongoOptions).lean();
 };
 
 /**
@@ -333,7 +387,9 @@ const addAgentResourceFile = async ({ req, agent_id, tool_resource, file_id }) =
     },
   };
 
-  const updatedAgent = await updateAgent(searchParameter, updateData, req?.user?.id);
+  const updatedAgent = await updateAgent(searchParameter, updateData, {
+    updatingUserId: req?.user?.id,
+  });
   if (updatedAgent) {
     return updatedAgent;
   } else {
@@ -497,7 +553,7 @@ const updateAgentProjects = async ({ user, agentId, projectIds, removeProjectIds
     delete updateQuery.author;
   }
 
-  const updatedAgent = await updateAgent(updateQuery, updateOps, user.id);
+  const updatedAgent = await updateAgent(updateQuery, updateOps, { updatingUserId: user.id });
   if (updatedAgent) {
     return updatedAgent;
   }
@@ -548,6 +604,63 @@ const revertAgentVersion = async (searchParameter, versionIndex) => {
   return Agent.findOneAndUpdate(searchParameter, updateData, { new: true }).lean();
 };
 
+/**
+ * Generates a hash of action metadata for version comparison
+ * @param {string[]} actionIds - Array of action IDs in format "domain_action_id"
+ * @param {Action[]} actions - Array of action documents
+ * @returns {Promise<string>} - SHA256 hash of the action metadata
+ */
+const generateActionMetadataHash = async (actionIds, actions) => {
+  if (!actionIds || actionIds.length === 0) {
+    return '';
+  }
+
+  // Create a map of action_id to metadata for quick lookup
+  const actionMap = new Map();
+  actions.forEach((action) => {
+    actionMap.set(action.action_id, action.metadata);
+  });
+
+  // Sort action IDs for consistent hashing
+  const sortedActionIds = [...actionIds].sort();
+
+  // Build a deterministic string representation of all action metadata
+  const metadataString = sortedActionIds
+    .map((actionFullId) => {
+      // Extract just the action_id part (after the delimiter)
+      const parts = actionFullId.split(actionDelimiter);
+      const actionId = parts[1];
+
+      const metadata = actionMap.get(actionId);
+      if (!metadata) {
+        return `${actionId}:null`;
+      }
+
+      // Sort metadata keys for deterministic output
+      const sortedKeys = Object.keys(metadata).sort();
+      const metadataStr = sortedKeys
+        .map((key) => `${key}:${JSON.stringify(metadata[key])}`)
+        .join(',');
+      return `${actionId}:{${metadataStr}}`;
+    })
+    .join(';');
+
+  // Use Web Crypto API to generate hash
+  const encoder = new TextEncoder();
+  const data = encoder.encode(metadataString);
+  const hashBuffer = await crypto.webcrypto.subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashHex = hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+
+  return hashHex;
+};
+
+/**
+ * Load a default agent based on the endpoint
+ * @param {string} endpoint
+ * @returns {Agent | null}
+ */
+
 module.exports = {
   Agent,
   getAgent,
@@ -556,8 +669,9 @@ module.exports = {
   updateAgent,
   deleteAgent,
   getListAgents,
+  revertAgentVersion,
   updateAgentProjects,
   addAgentResourceFile,
   removeAgentResourceFiles,
-  revertAgentVersion,
+  generateActionMetadataHash,
 };

api/models/Agent.spec.js

@@ -903,7 +903,7 @@ describe('Agent Version History', () => {
     const updatedAgent = await updateAgent(
       { id: agentId },
       { name: 'Updated Agent', description: 'Updated description' },
-      updatingUser.toString(),
+      { updatingUserId: updatingUser.toString() },
     );
 
     expect(updatedAgent.versions).toHaveLength(2);
@@ -927,7 +927,7 @@ describe('Agent Version History', () => {
     const updatedAgent = await updateAgent(
       { id: agentId },
       { name: 'Updated Agent', description: 'Updated description' },
-      originalAuthor.toString(),
+      { updatingUserId: originalAuthor.toString() },
     );
 
     expect(updatedAgent.versions).toHaveLength(2);
@@ -955,28 +955,28 @@ describe('Agent Version History', () => {
     await updateAgent(
       { id: agentId },
       { name: 'Updated by User 1', description: 'First update' },
-      user1.toString(),
+      { updatingUserId: user1.toString() },
     );
 
     // Original author makes an update
     await updateAgent(
       { id: agentId },
       { description: 'Updated by original author' },
-      originalAuthor.toString(),
+      { updatingUserId: originalAuthor.toString() },
     );
 
     // User 2 makes an update
     await updateAgent(
       { id: agentId },
       { name: 'Updated by User 2', model: 'new-model' },
-      user2.toString(),
+      { updatingUserId: user2.toString() },
     );
 
     // User 3 makes an update
     const finalAgent = await updateAgent(
       { id: agentId },
       { description: 'Final update by User 3' },
-      user3.toString(),
+      { updatingUserId: user3.toString() },
     );
 
     expect(finalAgent.versions).toHaveLength(5);
@@ -1012,7 +1012,7 @@ describe('Agent Version History', () => {
     await updateAgent(
       { id: agentId },
       { name: 'Updated Agent', description: 'Updated description' },
-      updatingUser.toString(),
+      { updatingUserId: updatingUser.toString() },
     );
 
     const { revertAgentVersion } = require('./Agent');
@@ -1022,4 +1022,55 @@ describe('Agent Version History', () => {
     expect(revertedAgent.name).toBe('Original Agent');
     expect(revertedAgent.description).toBe('Original description');
   });
+
+  test('should detect action metadata changes and force version update', async () => {
+    const agentId = `agent_${uuidv4()}`;
+    const authorId = new mongoose.Types.ObjectId();
+    const actionId = 'testActionId123';
+
+    // Create agent with actions
+    await createAgent({
+      id: agentId,
+      name: 'Agent with Actions',
+      provider: 'test',
+      model: 'test-model',
+      author: authorId,
+      actions: [`test.com_action_${actionId}`],
+      tools: ['listEvents_action_test.com', 'createEvent_action_test.com'],
+    });
+
+    // First update with forceVersion should create a version
+    const firstUpdate = await updateAgent(
+      { id: agentId },
+      { tools: ['listEvents_action_test.com', 'createEvent_action_test.com'] },
+      { updatingUserId: authorId.toString(), forceVersion: true },
+    );
+
+    expect(firstUpdate.versions).toHaveLength(2);
+
+    // Second update with same data but forceVersion should still create a version
+    const secondUpdate = await updateAgent(
+      { id: agentId },
+      { tools: ['listEvents_action_test.com', 'createEvent_action_test.com'] },
+      { updatingUserId: authorId.toString(), forceVersion: true },
+    );
+
+    expect(secondUpdate.versions).toHaveLength(3);
+
+    // Update without forceVersion and no changes should not create a version
+    let error;
+    try {
+      await updateAgent(
+        { id: agentId },
+        { tools: ['listEvents_action_test.com', 'createEvent_action_test.com'] },
+        { updatingUserId: authorId.toString(), forceVersion: false },
+      );
+    } catch (e) {
+      error = e;
+    }
+
+    expect(error).toBeDefined();
+    expect(error.message).toContain('Duplicate version');
+    expect(error.statusCode).toBe(409);
+  });
 });

api/models/ConversationTag.js

@@ -140,13 +140,13 @@ const adjustPositions = async (user, oldPosition, newPosition) => {
   const position =
     oldPosition < newPosition
       ? {
-        $gt: Math.min(oldPosition, newPosition),
-        $lte: Math.max(oldPosition, newPosition),
-      }
+          $gt: Math.min(oldPosition, newPosition),
+          $lte: Math.max(oldPosition, newPosition),
+        }
       : {
-        $gte: Math.min(oldPosition, newPosition),
-        $lt: Math.max(oldPosition, newPosition),
-      };
+          $gte: Math.min(oldPosition, newPosition),
+          $lt: Math.max(oldPosition, newPosition),
+        };
 
   await ConversationTag.updateMany(
     {

api/models/Message.spec.js

@@ -153,7 +153,7 @@ describe('Message Operations', () => {
   });
 
   describe('Conversation Hijacking Prevention', () => {
-    it('should not allow editing a message in another user\'s conversation', async () => {
+    it("should not allow editing a message in another user's conversation", async () => {
       const attackerReq = { user: { id: 'attacker123' } };
       const victimConversationId = 'victim-convo-123';
       const victimMessageId = 'victim-msg-123';
@@ -175,7 +175,7 @@ describe('Message Operations', () => {
       );
     });
 
-    it('should not allow deleting messages from another user\'s conversation', async () => {
+    it("should not allow deleting messages from another user's conversation", async () => {
       const attackerReq = { user: { id: 'attacker123' } };
       const victimConversationId = 'victim-convo-123';
       const victimMessageId = 'victim-msg-123';
@@ -193,7 +193,7 @@ describe('Message Operations', () => {
       });
     });
 
-    it('should not allow inserting a new message into another user\'s conversation', async () => {
+    it("should not allow inserting a new message into another user's conversation", async () => {
       const attackerReq = { user: { id: 'attacker123' } };
       const victimConversationId = uuidv4(); // Use a valid UUID
 

api/package.json

@@ -50,6 +50,7 @@
     "@langchain/textsplitters": "^0.1.0",
     "@librechat/agents": "^2.4.37",
     "@librechat/data-schemas": "*",
+    "@node-saml/passport-saml": "^5.0.0",
     "@waylaidwanderer/fetch-event-source": "^3.0.1",
     "axios": "^1.8.2",
     "bcryptjs": "^2.4.3",

api/server/cleanup.js

@@ -140,9 +140,6 @@ function disposeClient(client) {
     if (client.useMessages !== undefined) {
       client.useMessages = null;
     }
-    if (client.isLegacyOutput !== undefined) {
-      client.isLegacyOutput = null;
-    }
     if (client.supportsCacheControl !== undefined) {
       client.supportsCacheControl = null;
     }

api/server/controllers/Balance.js

@@ -1,9 +1,24 @@
 const Balance = require('~/models/Balance');
 
 async function balanceController(req, res) {
-  const { tokenCredits: balance = '' } =
-    (await Balance.findOne({ user: req.user.id }, 'tokenCredits').lean()) ?? {};
-  res.status(200).send('' + balance);
+  const balanceData = await Balance.findOne(
+    { user: req.user.id },
+    '-_id tokenCredits autoRefillEnabled refillIntervalValue refillIntervalUnit lastRefill refillAmount',
+  ).lean();
+
+  if (!balanceData) {
+    return res.status(404).json({ error: 'Balance not found' });
+  }
+
+  // If auto-refill is not enabled, remove auto-refill related fields from the response
+  if (!balanceData.autoRefillEnabled) {
+    delete balanceData.refillIntervalValue;
+    delete balanceData.refillIntervalUnit;
+    delete balanceData.lastRefill;
+    delete balanceData.refillAmount;
+  }
+
+  res.status(200).json(balanceData);
 }
 
 module.exports = balanceController;

api/server/controllers/ErrorController.js

@@ -24,7 +24,6 @@ const handleValidationError = (err, res) => {
   }
 };
 
-// eslint-disable-next-line no-unused-vars
 module.exports = (err, req, res, next) => {
   try {
     if (err.name === 'ValidationError') {

api/server/controllers/agents/errors.js

@@ -75,7 +75,7 @@ const createErrorHandler = ({ req, res, getContext, originPath = '/assistants/ch
     } else if (/Files.*are invalid/.test(error.message)) {
       const errorMessage = `Files are invalid, or may not have uploaded yet.${
         endpoint === 'azureAssistants'
-          ? ' If using Azure OpenAI, files are only available in the region of the assistant\'s model at the time of upload.'
+          ? " If using Azure OpenAI, files are only available in the region of the assistant's model at the time of upload."
           : ''
       }`;
       return sendResponse(req, res, messageData, errorMessage);

api/server/controllers/agents/request.js

@@ -228,7 +228,7 @@ const AgentController = async (req, res, next, initializeClient, addTitle) => {
     // Save user message if needed
     if (!client.skipSaveUserMessage) {
       await saveMessage(req, userMessage, {
-        context: 'api/server/controllers/agents/request.js - don\'t skip saving user message',
+        context: "api/server/controllers/agents/request.js - don't skip saving user message",
       });
     }
 

api/server/controllers/agents/v1.js

@@ -111,7 +111,7 @@ const getAgentHandler = async (req, res) => {
       const originalUrl = agent.avatar.filepath;
       agent.avatar.filepath = await refreshS3Url(agent.avatar);
       if (originalUrl !== agent.avatar.filepath) {
-        await updateAgent({ id }, { avatar: agent.avatar }, req.user.id);
+        await updateAgent({ id }, { avatar: agent.avatar }, { updatingUserId: req.user.id });
       }
     }
 
@@ -170,7 +170,7 @@ const updateAgentHandler = async (req, res) => {
 
     let updatedAgent =
       Object.keys(updateData).length > 0
-        ? await updateAgent({ id }, updateData, req.user.id)
+        ? await updateAgent({ id }, updateData, { updatingUserId: req.user.id })
         : existingAgent;
 
     if (projectIds || removeProjectIds) {
@@ -407,7 +407,11 @@ const uploadAgentAvatarHandler = async (req, res) => {
       },
     };
 
-    promises.push(await updateAgent({ id: agent_id, author: req.user.id }, data, req.user.id));
+    promises.push(
+      await updateAgent({ id: agent_id, author: req.user.id }, data, {
+        updatingUserId: req.user.id,
+      }),
+    );
 
     const resolved = await Promise.all(promises);
     res.status(201).json(resolved[0]);

api/server/controllers/assistants/errors.js

@@ -78,7 +78,7 @@ const createErrorHandler = ({ req, res, getContext, originPath = '/assistants/ch
     } else if (/Files.*are invalid/.test(error.message)) {
       const errorMessage = `Files are invalid, or may not have uploaded yet.${
         endpoint === 'azureAssistants'
-          ? ' If using Azure OpenAI, files are only available in the region of the assistant\'s model at the time of upload.'
+          ? " If using Azure OpenAI, files are only available in the region of the assistant's model at the time of upload."
           : ''
       }`;
       return sendResponse(req, res, messageData, errorMessage);

api/server/controllers/assistants/v1.js

@@ -39,12 +39,10 @@ const createAssistant = async (req, res) => {
         const toolDefinitions = req.app.locals.availableTools;
         const toolDef = toolDefinitions[tool];
         if (!toolDef && manifestToolMap[tool] && manifestToolMap[tool].toolkit === true) {
-          return (
-            Object.entries(toolDefinitions)
-              .filter(([key]) => key.startsWith(`${tool}_`))
-              // eslint-disable-next-line no-unused-vars
-              .map(([_, val]) => val)
-          );
+          return Object.entries(toolDefinitions)
+            .filter(([key]) => key.startsWith(`${tool}_`))
+
+            .map(([_, val]) => val);
         }
 
         return toolDef;
@@ -144,12 +142,10 @@ const patchAssistant = async (req, res) => {
         const toolDefinitions = req.app.locals.availableTools;
         const toolDef = toolDefinitions[tool];
         if (!toolDef && manifestToolMap[tool] && manifestToolMap[tool].toolkit === true) {
-          return (
-            Object.entries(toolDefinitions)
-              .filter(([key]) => key.startsWith(`${tool}_`))
-              // eslint-disable-next-line no-unused-vars
-              .map(([_, val]) => val)
-          );
+          return Object.entries(toolDefinitions)
+            .filter(([key]) => key.startsWith(`${tool}_`))
+
+            .map(([_, val]) => val);
         }
 
         return toolDef;

api/server/controllers/assistants/v2.js

@@ -36,12 +36,10 @@ const createAssistant = async (req, res) => {
         const toolDefinitions = req.app.locals.availableTools;
         const toolDef = toolDefinitions[tool];
         if (!toolDef && manifestToolMap[tool] && manifestToolMap[tool].toolkit === true) {
-          return (
-            Object.entries(toolDefinitions)
-              .filter(([key]) => key.startsWith(`${tool}_`))
-              // eslint-disable-next-line no-unused-vars
-              .map(([_, val]) => val)
-          );
+          return Object.entries(toolDefinitions)
+            .filter(([key]) => key.startsWith(`${tool}_`))
+
+            .map(([_, val]) => val);
         }
 
         return toolDef;
@@ -131,7 +129,7 @@ const updateAssistant = async ({ req, openai, assistant_id, updateData }) => {
     if (!actualTool && manifestToolMap[tool] && manifestToolMap[tool].toolkit === true) {
       actualTool = Object.entries(toolDefinitions)
         .filter(([key]) => key.startsWith(`${tool}_`))
-        // eslint-disable-next-line no-unused-vars
+
         .map(([_, val]) => val);
     } else if (!actualTool) {
       continue;

api/server/index.spec.js

@@ -4,6 +4,10 @@ const request = require('supertest');
 const { MongoMemoryServer } = require('mongodb-memory-server');
 const mongoose = require('mongoose');
 
+jest.mock('~/server/services/Config/loadCustomConfig', () => {
+  return jest.fn(() => Promise.resolve({}));
+});
+
 describe('Server Configuration', () => {
   // Increase the default timeout to allow for Mongo cleanup
   jest.setTimeout(30_000);

api/server/middleware/abortMiddleware.js

@@ -327,7 +327,7 @@ const handleAbortError = async (res, req, error, data) => {
     errorText = `{"type":"${ErrorTypes.INVALID_REQUEST}"}`;
   }
 
-  if (error?.message?.includes('does not support \'system\'')) {
+  if (error?.message?.includes("does not support 'system'")) {
     errorText = `{"type":"${ErrorTypes.NO_SYSTEM_MESSAGES}"}`;
   }
 

api/server/middleware/abortRun.js

@@ -34,7 +34,7 @@ async function abortRun(req, res) {
   const [thread_id, run_id] = runValues.split(':');
 
   if (!run_id) {
-    logger.warn('[abortRun] Couldn\'t find run for cancel request', { thread_id });
+    logger.warn("[abortRun] Couldn't find run for cancel request", { thread_id });
     return res.status(204).send({ message: 'Run not found' });
   } else if (run_id === 'cancelled') {
     logger.warn('[abortRun] Run already cancelled', { thread_id });

api/server/routes/__tests__/config.spec.js

@@ -24,6 +24,12 @@ afterEach(() => {
   delete process.env.GITHUB_CLIENT_SECRET;
   delete process.env.DISCORD_CLIENT_ID;
   delete process.env.DISCORD_CLIENT_SECRET;
+  delete process.env.SAML_ENTRY_POINT;
+  delete process.env.SAML_ISSUER;
+  delete process.env.SAML_CERT;
+  delete process.env.SAML_SESSION_SECRET;
+  delete process.env.SAML_BUTTON_LABEL;
+  delete process.env.SAML_IMAGE_URL;
   delete process.env.DOMAIN_SERVER;
   delete process.env.ALLOW_REGISTRATION;
   delete process.env.ALLOW_SOCIAL_LOGIN;
@@ -37,7 +43,6 @@ afterEach(() => {
 
 //TODO: This works/passes locally but http request tests fail with 404 in CI. Need to figure out why.
 
-// eslint-disable-next-line jest/no-disabled-tests
 describe.skip('GET /', () => {
   it('should return 200 and the correct body', async () => {
     process.env.APP_TITLE = 'Test Title';
@@ -55,6 +60,12 @@ describe.skip('GET /', () => {
     process.env.GITHUB_CLIENT_SECRET = 'Test Github client Secret';
     process.env.DISCORD_CLIENT_ID = 'Test Discord client Id';
     process.env.DISCORD_CLIENT_SECRET = 'Test Discord client Secret';
+    process.env.SAML_ENTRY_POINT = 'http://test-server.com';
+    process.env.SAML_ISSUER = 'Test SAML Issuer';
+    process.env.SAML_CERT = 'saml.pem';
+    process.env.SAML_SESSION_SECRET = 'Test Secret';
+    process.env.SAML_BUTTON_LABEL = 'Test SAML';
+    process.env.SAML_IMAGE_URL = 'http://test-server.com';
     process.env.DOMAIN_SERVER = 'http://test-server.com';
     process.env.ALLOW_REGISTRATION = 'true';
     process.env.ALLOW_SOCIAL_LOGIN = 'true';
@@ -70,7 +81,7 @@ describe.skip('GET /', () => {
     expect(response.statusCode).toBe(200);
     expect(response.body).toEqual({
       appTitle: 'Test Title',
-      socialLogins: ['google', 'facebook', 'openid', 'github', 'discord'],
+      socialLogins: ['google', 'facebook', 'openid', 'github', 'discord', 'saml'],
       discordLoginEnabled: true,
       facebookLoginEnabled: true,
       githubLoginEnabled: true,
@@ -78,6 +89,9 @@ describe.skip('GET /', () => {
       openidLoginEnabled: true,
       openidLabel: 'Test OpenID',
       openidImageUrl: 'http://test-server.com',
+      samlLoginEnabled: true,
+      samlLabel: 'Test SAML',
+      samlImageUrl: 'http://test-server.com',
       ldap: {
         enabled: true,
       },

api/server/routes/agents/actions.js

@@ -107,7 +107,15 @@ router.post('/:agent_id', async (req, res) => {
       .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
       .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
 
-    const updatedAgent = await updateAgent(agentQuery, { tools, actions }, req.user.id);
+    // Force version update since actions are changing
+    const updatedAgent = await updateAgent(
+      agentQuery,
+      { tools, actions },
+      {
+        updatingUserId: req.user.id,
+        forceVersion: true,
+      },
+    );
 
     // Only update user field for new actions
     const actionUpdateData = { metadata, agent_id };
@@ -172,7 +180,12 @@ router.delete('/:agent_id/:action_id', async (req, res) => {
 
     const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
 
-    await updateAgent(agentQuery, { tools: updatedTools, actions: updatedActions }, req.user.id);
+    // Force version update since actions are being removed
+    await updateAgent(
+      agentQuery,
+      { tools: updatedTools, actions: updatedActions },
+      { updatingUserId: req.user.id, forceVersion: true },
+    );
     // If admin, can delete any action, otherwise only user's actions
     const actionQuery = admin ? { action_id } : { action_id, user: req.user.id };
     await deleteAction(actionQuery);

api/server/routes/config.js

@@ -37,6 +37,18 @@ router.get('/', async function (req, res) {
   const ldap = getLdapConfig();
 
   try {
+    const isOpenIdEnabled =
+      !!process.env.OPENID_CLIENT_ID &&
+      !!process.env.OPENID_CLIENT_SECRET &&
+      !!process.env.OPENID_ISSUER &&
+      !!process.env.OPENID_SESSION_SECRET;
+
+    const isSamlEnabled =
+      !!process.env.SAML_ENTRY_POINT &&
+      !!process.env.SAML_ISSUER &&
+      !!process.env.SAML_CERT &&
+      !!process.env.SAML_SESSION_SECRET;
+
     /** @type {TStartupConfig} */
     const payload = {
       appTitle: process.env.APP_TITLE || 'LibreChat',
@@ -51,14 +63,13 @@ router.get('/', async function (req, res) {
         !!process.env.APPLE_TEAM_ID &&
         !!process.env.APPLE_KEY_ID &&
         !!process.env.APPLE_PRIVATE_KEY_PATH,
-      openidLoginEnabled:
-        !!process.env.OPENID_CLIENT_ID &&
-        !!process.env.OPENID_CLIENT_SECRET &&
-        !!process.env.OPENID_ISSUER &&
-        !!process.env.OPENID_SESSION_SECRET,
+      openidLoginEnabled: isOpenIdEnabled,
       openidLabel: process.env.OPENID_BUTTON_LABEL || 'Continue with OpenID',
       openidImageUrl: process.env.OPENID_IMAGE_URL,
       openidAutoRedirect: isEnabled(process.env.OPENID_AUTO_REDIRECT),
+      samlLoginEnabled: !isOpenIdEnabled && isSamlEnabled,
+      samlLabel: process.env.SAML_BUTTON_LABEL,
+      samlImageUrl: process.env.SAML_IMAGE_URL,
       serverDomain: process.env.DOMAIN_SERVER || 'http://localhost:3080',
       emailLoginEnabled,
       registrationEnabled: !ldap?.enabled && isEnabled(process.env.ALLOW_REGISTRATION),

api/server/routes/files/files.js

@@ -283,6 +283,10 @@ router.post('/', async (req, res) => {
       message += ': ' + error.message;
     }
 
+    if (error.message?.includes('Invalid file format')) {
+      message = error.message;
+    }
+
     // TODO: delete remote file if it exists
     try {
       await fs.unlink(req.file.path);

api/server/routes/oauth.js

@@ -1,6 +1,7 @@
 // file deepcode ignore NoRateLimitingForLogin: Rate limiting is handled by the `loginLimiter` middleware
 const express = require('express');
 const passport = require('passport');
+const { randomState } = require('openid-client');
 const {
   checkBan,
   logHeaders,
@@ -9,8 +10,8 @@ const {
   checkDomainAllowed,
 } = require('~/server/middleware');
 const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
-const { logger } = require('~/config');
 const { isEnabled } = require('~/server/utils');
+const { logger } = require('~/config');
 
 const router = express.Router();
 
@@ -103,12 +104,12 @@ router.get(
 /**
  * OpenID Routes
  */
-router.get(
-  '/openid',
-  passport.authenticate('openid', {
+router.get('/openid', (req, res, next) => {
+  return passport.authenticate('openid', {
     session: false,
-  }),
-);
+    state: randomState(),
+  })(req, res, next);
+});
 
 router.get(
   '/openid/callback',
@@ -188,4 +189,24 @@ router.post(
   oauthHandler,
 );
 
+/**
+ * SAML Routes
+ */
+router.get(
+  '/saml',
+  passport.authenticate('saml', {
+    session: false,
+  }),
+);
+
+router.post(
+  '/saml/callback',
+  passport.authenticate('saml', {
+    failureRedirect: `${domains.client}/oauth/error`,
+    failureMessage: true,
+    session: false,
+  }),
+  oauthHandler,
+);
+
 module.exports = router;

api/server/routes/share.js

@@ -54,9 +54,7 @@ router.get('/', requireJwtAuth, async (req, res) => {
       sortDirection: ['asc', 'desc'].includes(req.query.sortDirection)
         ? req.query.sortDirection
         : 'desc',
-      search: req.query.search
-        ? decodeURIComponent(req.query.search.trim())
-        : undefined,
+      search: req.query.search ? decodeURIComponent(req.query.search.trim()) : undefined,
     };
 
     const result = await getSharedLinks(

api/server/routes/types/assistants.js

@@ -3,7 +3,7 @@
  * @readonly
  * @enum {string}
  */
-// eslint-disable-next-line no-unused-vars
+
 const Tools = {
   code_interpreter: 'code_interpreter',
   retrieval: 'retrieval',

api/server/services/ActionService.js

@@ -207,7 +207,7 @@ async function createActionTool({
                     state: stateToken,
                     userId: userId,
                     client_url: metadata.auth.client_url,
-                    redirect_uri: `${process.env.DOMAIN_CLIENT}/api/actions/${action_id}/oauth/callback`,
+                    redirect_uri: `${process.env.DOMAIN_SERVER}/api/actions/${action_id}/oauth/callback`,
                     /** Encrypted values */
                     encrypted_oauth_client_id: encrypted.oauth_client_id,
                     encrypted_oauth_client_secret: encrypted.oauth_client_secret,

api/server/services/Artifacts/update.spec.js

@@ -89,9 +89,9 @@ describe('replaceArtifactContent', () => {
   };
 
   test('should replace content within artifact boundaries', () => {
-    const original = 'console.log(\'hello\')';
+    const original = "console.log('hello')";
     const artifact = createTestArtifact(original);
-    const updated = 'console.log(\'updated\')';
+    const updated = "console.log('updated')";
 
     const result = replaceArtifactContent(artifact.text, artifact, original, updated);
     expect(result).toContain(updated);

api/server/services/Config/loadAsyncEndpoints.js

@@ -32,14 +32,14 @@ async function loadAsyncEndpoints(req) {
   const gptPlugins =
     useAzure || openAIApiKey || azureOpenAIApiKey
       ? {
-        availableAgents: ['classic', 'functions'],
-        userProvide: useAzure ? false : userProvidedOpenAI,
-        userProvideURL: useAzure
-          ? false
-          : config[EModelEndpoint.openAI]?.userProvideURL ||
+          availableAgents: ['classic', 'functions'],
+          userProvide: useAzure ? false : userProvidedOpenAI,
+          userProvideURL: useAzure
+            ? false
+            : config[EModelEndpoint.openAI]?.userProvideURL ||
               config[EModelEndpoint.azureOpenAI]?.userProvideURL,
-        azure: useAzurePlugins || useAzure,
-      }
+          azure: useAzurePlugins || useAzure,
+        }
       : false;
 
   return { google, gptPlugins };

api/server/services/Endpoints/azureAssistants/build.js

@@ -3,7 +3,6 @@ const generateArtifactsPrompt = require('~/app/clients/prompts/artifacts');
 const { getAssistant } = require('~/models/Assistant');
 
 const buildOptions = async (endpoint, parsedBody) => {
-
   const { promptPrefix, assistant_id, iconURL, greeting, spec, artifacts, ...modelOptions } =
     parsedBody;
   const endpointOption = removeNullishValues({

api/server/services/Endpoints/google/initialize.js

@@ -25,9 +25,9 @@ const initializeClient = async ({ req, res, endpointOption, overrideModel, optio
   const credentials = isUserProvided
     ? userKey
     : {
-      [AuthKeys.GOOGLE_SERVICE_KEY]: serviceKey,
-      [AuthKeys.GOOGLE_API_KEY]: GOOGLE_KEY,
-    };
+        [AuthKeys.GOOGLE_SERVICE_KEY]: serviceKey,
+        [AuthKeys.GOOGLE_API_KEY]: GOOGLE_KEY,
+      };
 
   let clientOptions = {};
 

api/server/services/Endpoints/google/llm.js

@@ -94,7 +94,7 @@ function getLLMConfig(credentials, options = {}) {
   // Extract from credentials
   const serviceKeyRaw = creds[AuthKeys.GOOGLE_SERVICE_KEY] ?? {};
   const serviceKey =
-    typeof serviceKeyRaw === 'string' ? JSON.parse(serviceKeyRaw) : serviceKeyRaw ?? {};
+    typeof serviceKeyRaw === 'string' ? JSON.parse(serviceKeyRaw) : (serviceKeyRaw ?? {});
 
   const project_id = serviceKey?.project_id ?? null;
   const apiKey = creds[AuthKeys.GOOGLE_API_KEY] ?? null;

api/server/services/Endpoints/gptPlugins/initialize.spec.js

@@ -114,11 +114,11 @@ describe('gptPlugins/initializeClient', () => {
   test('should initialize PluginsClient with Azure credentials when PLUGINS_USE_AZURE is true', async () => {
     process.env.AZURE_API_KEY = 'test-azure-api-key';
     (process.env.AZURE_OPENAI_API_INSTANCE_NAME = 'some-value'),
-    (process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME = 'some-value'),
-    (process.env.AZURE_OPENAI_API_VERSION = 'some-value'),
-    (process.env.AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME = 'some-value'),
-    (process.env.AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME = 'some-value'),
-    (process.env.PLUGINS_USE_AZURE = 'true');
+      (process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME = 'some-value'),
+      (process.env.AZURE_OPENAI_API_VERSION = 'some-value'),
+      (process.env.AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME = 'some-value'),
+      (process.env.AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME = 'some-value'),
+      (process.env.PLUGINS_USE_AZURE = 'true');
     process.env.DEBUG_PLUGINS = 'false';
     process.env.OPENAI_SUMMARIZE = 'false';
 

api/server/services/Endpoints/openAI/initialize.spec.js

@@ -112,11 +112,11 @@ describe('initializeClient', () => {
   test('should initialize client with Azure credentials when endpoint is azureOpenAI', async () => {
     process.env.AZURE_API_KEY = 'test-azure-api-key';
     (process.env.AZURE_OPENAI_API_INSTANCE_NAME = 'some-value'),
-    (process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME = 'some-value'),
-    (process.env.AZURE_OPENAI_API_VERSION = 'some-value'),
-    (process.env.AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME = 'some-value'),
-    (process.env.AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME = 'some-value'),
-    (process.env.OPENAI_API_KEY = 'test-openai-api-key');
+      (process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME = 'some-value'),
+      (process.env.AZURE_OPENAI_API_VERSION = 'some-value'),
+      (process.env.AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME = 'some-value'),
+      (process.env.AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME = 'some-value'),
+      (process.env.OPENAI_API_KEY = 'test-openai-api-key');
     process.env.DEBUG_OPENAI = 'false';
     process.env.OPENAI_SUMMARIZE = 'false';
 

api/server/services/Files/MistralOCR/crud.js

@@ -47,7 +47,6 @@ async function uploadDocumentToMistral({
     })
     .then((res) => res.data)
     .catch((error) => {
-      logger.error('Error uploading document to Mistral:', error.message);
       throw error;
     });
 }
@@ -217,8 +216,16 @@ const uploadMistralOCR = async ({ req, file, file_id, entity_id }) => {
       images,
     };
   } catch (error) {
-    const message = 'Error uploading document to Mistral OCR API';
-    throw new Error(logAxiosError({ error, message }));
+    let message = 'Error uploading document to Mistral OCR API';
+    const detail = error?.response?.data?.detail;
+    if (detail && detail !== '') {
+      message = detail;
+    }
+
+    const responseMessage = error?.response?.data?.message;
+    throw new Error(
+      `${logAxiosError({ error, message })}${responseMessage && responseMessage !== '' ? ` - ${responseMessage}` : ''}`,
+    );
   }
 };
 

api/server/services/Files/MistralOCR/crud.spec.js

@@ -124,13 +124,7 @@ describe('MistralOCR Service', () => {
           fileName: 'test.pdf',
           apiKey: 'test-api-key',
         }),
-      ).rejects.toThrow();
-
-      const { logger } = require('~/config');
-      expect(logger.error).toHaveBeenCalledWith(
-        expect.stringContaining('Error uploading document to Mistral:'),
-        expect.any(String),
-      );
+      ).rejects.toThrow(errorMessage);
     });
   });
 

api/server/services/Runs/StreamRunManager.js

@@ -302,7 +302,7 @@ class StreamRunManager {
 
           for (const d of delta[key]) {
             if (typeof d === 'object' && !Object.prototype.hasOwnProperty.call(d, 'index')) {
-              logger.warn('Expected an object with an \'index\' for array updates but got:', d);
+              logger.warn("Expected an object with an 'index' for array updates but got:", d);
               continue;
             }
 

api/server/services/Threads/processMessages.spec.js

@@ -255,7 +255,7 @@ describe('processMessages', () => {
             type: 'text',
             text: {
               value:
-                'The text you have uploaded is from the book "Harry Potter and the Philosopher\'s Stone" by J.K. Rowling. It follows the story of a young boy named Harry Potter who discovers that he is a wizard on his eleventh birthday. Here are some key points of the narrative:\n\n1. **Discovery and Invitation to Hogwarts**: Harry learns that he is a wizard and receives an invitation to attend Hogwarts School of Witchcraft and Wizardry【11:2†source】【11:4†source】.\n\n2. **Shopping for Supplies**: Hagrid takes Harry to Diagon Alley to buy his school supplies, including his wand from Ollivander\'s【11:9†source】【11:14†source】.\n\n3. **Introduction to Hogwarts**: Harry is introduced to Hogwarts, the magical school where he will learn about magic and discover more about his own background【11:12†source】【11:18†source】.\n\n4. **Meeting Friends and Enemies**: At Hogwarts, Harry makes friends like Ron Weasley and Hermione Granger, and enemies like Draco Malfoy【11:16†source】.\n\n5. **Uncovering the Mystery**: Harry, along with Ron and Hermione, uncovers the mystery of the Philosopher\'s Stone and its connection to the dark wizard Voldemort【11:1†source】【11:10†source】【11:7†source】.\n\nThese points highlight Harry\'s initial experiences in the magical world and set the stage for his adventures at Hogwarts.',
+                "The text you have uploaded is from the book \"Harry Potter and the Philosopher's Stone\" by J.K. Rowling. It follows the story of a young boy named Harry Potter who discovers that he is a wizard on his eleventh birthday. Here are some key points of the narrative:\n\n1. **Discovery and Invitation to Hogwarts**: Harry learns that he is a wizard and receives an invitation to attend Hogwarts School of Witchcraft and Wizardry【11:2†source】【11:4†source】.\n\n2. **Shopping for Supplies**: Hagrid takes Harry to Diagon Alley to buy his school supplies, including his wand from Ollivander's【11:9†source】【11:14†source】.\n\n3. **Introduction to Hogwarts**: Harry is introduced to Hogwarts, the magical school where he will learn about magic and discover more about his own background【11:12†source】【11:18†source】.\n\n4. **Meeting Friends and Enemies**: At Hogwarts, Harry makes friends like Ron Weasley and Hermione Granger, and enemies like Draco Malfoy【11:16†source】.\n\n5. **Uncovering the Mystery**: Harry, along with Ron and Hermione, uncovers the mystery of the Philosopher's Stone and its connection to the dark wizard Voldemort【11:1†source】【11:10†source】【11:7†source】.\n\nThese points highlight Harry's initial experiences in the magical world and set the stage for his adventures at Hogwarts.",
               annotations: [
                 {
                   type: 'file_citation',
@@ -424,7 +424,7 @@ These points highlight Harry's initial experiences in the magical world and set
             type: 'text',
             text: {
               value:
-                'The text you have uploaded is from the book "Harry Potter and the Philosopher\'s Stone" by J.K. Rowling. It follows the story of a young boy named Harry Potter who discovers that he is a wizard on his eleventh birthday. Here are some key points of the narrative:\n\n1. **Discovery and Invitation to Hogwarts**: Harry learns that he is a wizard and receives an invitation to attend Hogwarts School of Witchcraft and Wizardry【11:2†source】【11:4†source】.\n\n2. **Shopping for Supplies**: Hagrid takes Harry to Diagon Alley to buy his school supplies, including his wand from Ollivander\'s【11:9†source】【11:14†source】.\n\n3. **Introduction to Hogwarts**: Harry is introduced to Hogwarts, the magical school where he will learn about magic and discover more about his own background【11:12†source】【11:18†source】.\n\n4. **Meeting Friends and Enemies**: At Hogwarts, Harry makes friends like Ron Weasley and Hermione Granger, and enemies like Draco Malfoy【11:16†source】.\n\n5. **Uncovering the Mystery**: Harry, along with Ron and Hermione, uncovers the mystery of the Philosopher\'s Stone and its connection to the dark wizard Voldemort【11:1†source】【11:10†source】【11:7†source】.\n\nThese points highlight Harry\'s initial experiences in the magical world and set the stage for his adventures at Hogwarts.',
+                "The text you have uploaded is from the book \"Harry Potter and the Philosopher's Stone\" by J.K. Rowling. It follows the story of a young boy named Harry Potter who discovers that he is a wizard on his eleventh birthday. Here are some key points of the narrative:\n\n1. **Discovery and Invitation to Hogwarts**: Harry learns that he is a wizard and receives an invitation to attend Hogwarts School of Witchcraft and Wizardry【11:2†source】【11:4†source】.\n\n2. **Shopping for Supplies**: Hagrid takes Harry to Diagon Alley to buy his school supplies, including his wand from Ollivander's【11:9†source】【11:14†source】.\n\n3. **Introduction to Hogwarts**: Harry is introduced to Hogwarts, the magical school where he will learn about magic and discover more about his own background【11:12†source】【11:18†source】.\n\n4. **Meeting Friends and Enemies**: At Hogwarts, Harry makes friends like Ron Weasley and Hermione Granger, and enemies like Draco Malfoy【11:16†source】.\n\n5. **Uncovering the Mystery**: Harry, along with Ron and Hermione, uncovers the mystery of the Philosopher's Stone and its connection to the dark wizard Voldemort【11:1†source】【11:10†source】【11:7†source】.\n\nThese points highlight Harry's initial experiences in the magical world and set the stage for his adventures at Hogwarts.",
               annotations: [
                 {
                   type: 'file_citation',
@@ -582,7 +582,7 @@ These points highlight Harry's initial experiences in the magical world and set
             type: 'text',
             text: {
               value:
-                'This is a test ^1^ with pre-existing citation-like text. Here\'s a real citation【11:2†source】.',
+                "This is a test ^1^ with pre-existing citation-like text. Here's a real citation【11:2†source】.",
               annotations: [
                 {
                   type: 'file_citation',
@@ -610,7 +610,7 @@ These points highlight Harry's initial experiences in the magical world and set
     });
 
     const expectedText =
-      'This is a test ^1^ with pre-existing citation-like text. Here\'s a real citation^1^.\n\n^1.^ test.txt';
+      "This is a test ^1^ with pre-existing citation-like text. Here's a real citation^1^.\n\n^1.^ test.txt";
 
     expect(result.text).toBe(expectedText);
     expect(result.edited).toBe(true);

api/server/services/ToolService.js

@@ -5,6 +5,7 @@ const { Calculator } = require('@langchain/community/tools/calculator');
 const { tool: toolFn, Tool, DynamicStructuredTool } = require('@langchain/core/tools');
 const {
   Tools,
+  Constants,
   ErrorTypes,
   ContentTypes,
   imageGenTools,
@@ -14,6 +15,7 @@ const {
   ImageVisionTool,
   openapiToFunction,
   AgentCapabilities,
+  defaultAgentCapabilities,
   validateAndParseOpenAPISpec,
 } = require('librechat-data-provider');
 const {
@@ -501,8 +503,22 @@ async function loadAgentTools({ req, res, agent, tool_resources, openAIApiKey })
   }
 
   const endpointsConfig = await getEndpointsConfig(req);
-  const enabledCapabilities = new Set(endpointsConfig?.[EModelEndpoint.agents]?.capabilities ?? []);
-  const checkCapability = (capability) => enabledCapabilities.has(capability);
+  let enabledCapabilities = new Set(endpointsConfig?.[EModelEndpoint.agents]?.capabilities ?? []);
+  /** Edge case: use defined/fallback capabilities when the "agents" endpoint is not enabled */
+  if (enabledCapabilities.size === 0 && agent.id === Constants.EPHEMERAL_AGENT_ID) {
+    enabledCapabilities = new Set(
+      req.app?.locals?.[EModelEndpoint.agents]?.capabilities ?? defaultAgentCapabilities,
+    );
+  }
+  const checkCapability = (capability) => {
+    const enabled = enabledCapabilities.has(capability);
+    if (!enabled) {
+      logger.warn(
+        `Capability "${capability}" disabled${capability === AgentCapabilities.tools ? '.' : ' despite configured tool.'} User: ${req.user.id} | Agent: ${agent.id}`,
+      );
+    }
+    return enabled;
+  };
   const areToolsEnabled = checkCapability(AgentCapabilities.tools);
 
   let includesWebSearch = false;

api/server/socialLogins.js

@@ -10,6 +10,7 @@ const {
   discordLogin,
   facebookLogin,
   appleLogin,
+  setupSaml,
   openIdJwtLogin,
 } = require('~/strategies');
 const { isEnabled } = require('~/server/utils');
@@ -70,6 +71,34 @@ const configureSocialLogins = async (app) => {
     }
     logger.info('OpenID Connect configured.');
   }
+  if (
+    process.env.SAML_ENTRY_POINT &&
+    process.env.SAML_ISSUER &&
+    process.env.SAML_CERT &&
+    process.env.SAML_SESSION_SECRET
+  ) {
+    logger.info('Configuring SAML Connect...');
+    const sessionOptions = {
+      secret: process.env.SAML_SESSION_SECRET,
+      resave: false,
+      saveUninitialized: false,
+    };
+    if (isEnabled(process.env.USE_REDIS)) {
+      logger.debug('Using Redis for session storage in SAML...');
+      const keyv = new Keyv({ store: keyvRedis });
+      const client = keyv.opts.store.client;
+      sessionOptions.store = new RedisStore({ client, prefix: 'saml_session' });
+    } else {
+      sessionOptions.store = new MemoryStore({
+        checkPeriod: 86400000, // prune expired entries every 24h
+      });
+    }
+    app.use(session(sessionOptions));
+    app.use(passport.session());
+    setupSaml();
+
+    logger.info('SAML Connect configured.');
+  }
 };
 
 module.exports = configureSocialLogins;

api/server/utils/handleText.js

@@ -4,10 +4,10 @@ const {
   Capabilities,
   EModelEndpoint,
   isAgentsEndpoint,
-  AgentCapabilities,
   isAssistantsEndpoint,
   defaultRetrievalModels,
   defaultAssistantsVersion,
+  defaultAgentCapabilities,
 } = require('librechat-data-provider');
 const { Providers } = require('@librechat/agents');
 const partialRight = require('lodash/partialRight');
@@ -197,16 +197,7 @@ function generateConfig(key, baseURL, endpoint) {
   }
 
   if (agents) {
-    config.capabilities = [
-      AgentCapabilities.execute_code,
-      AgentCapabilities.file_search,
-      AgentCapabilities.web_search,
-      AgentCapabilities.artifacts,
-      AgentCapabilities.actions,
-      AgentCapabilities.tools,
-      AgentCapabilities.chain,
-      AgentCapabilities.ocr,
-    ];
+    config.capabilities = defaultAgentCapabilities;
   }
 
   if (assistants && endpoint === EModelEndpoint.azureAssistants) {

api/server/utils/staticCache.js

@@ -1,3 +1,4 @@
+const path = require('path');
 const expressStaticGzip = require('express-static-gzip');
 
 const oneDayInSeconds = 24 * 60 * 60;
@@ -5,16 +6,45 @@ const oneDayInSeconds = 24 * 60 * 60;
 const sMaxAge = process.env.STATIC_CACHE_S_MAX_AGE || oneDayInSeconds;
 const maxAge = process.env.STATIC_CACHE_MAX_AGE || oneDayInSeconds * 2;
 
-const staticCache = (staticPath) =>
-  expressStaticGzip(staticPath, {
-    enableBrotli: false, // disable Brotli, only using gzip
+/**
+ * Creates an Express static middleware with gzip compression and configurable caching
+ *
+ * @param {string} staticPath - The file system path to serve static files from
+ * @param {Object} [options={}] - Configuration options
+ * @param {boolean} [options.noCache=false] - If true, disables caching entirely for all files
+ * @returns {ReturnType<expressStaticGzip>} Express middleware function for serving static files
+ */
+function staticCache(staticPath, options = {}) {
+  const { noCache = false } = options;
+  return expressStaticGzip(staticPath, {
+    enableBrotli: false,
     orderPreference: ['gz'],
-    setHeaders: (res, _path) => {
-      if (process.env.NODE_ENV?.toLowerCase() === 'production') {
+    setHeaders: (res, filePath) => {
+      if (process.env.NODE_ENV?.toLowerCase() !== 'production') {
+        return;
+      }
+      if (noCache) {
+        res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
+        return;
+      }
+      if (filePath.includes('/dist/images/')) {
+        return;
+      }
+      const fileName = path.basename(filePath);
+
+      if (
+        fileName === 'index.html' ||
+        fileName.endsWith('.webmanifest') ||
+        fileName === 'manifest.json' ||
+        fileName === 'sw.js'
+      ) {
+        res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
+      } else {
         res.setHeader('Cache-Control', `public, max-age=${maxAge}, s-maxage=${sMaxAge}`);
       }
     },
     index: false,
   });
+}
 
 module.exports = staticCache;

api/strategies/appleStrategy.js

@@ -18,17 +18,13 @@ const getProfileDetails = ({ idToken, profile }) => {
 
   const decoded = jwt.decode(idToken);
 
-  logger.debug(
-    `Decoded Apple JWT: ${JSON.stringify(decoded, null, 2)}`,
-  );
+  logger.debug(`Decoded Apple JWT: ${JSON.stringify(decoded, null, 2)}`);
 
   return {
     email: decoded.email,
     id: decoded.sub,
     avatarUrl: null, // Apple does not provide an avatar URL
-    username: decoded.email
-      ? decoded.email.split('@')[0].toLowerCase()
-      : `user_${decoded.sub}`,
+    username: decoded.email ? decoded.email.split('@')[0].toLowerCase() : `user_${decoded.sub}`,
     name: decoded.name
       ? `${decoded.name.firstName} ${decoded.name.lastName}`
       : profile.displayName || null,

api/strategies/appleStrategy.test.js

@@ -84,9 +84,7 @@ describe('Apple Login Strategy', () => {
         email: decoded.email,
         id: decoded.sub,
         avatarUrl: null, // Apple does not provide an avatar URL
-        username: decoded.email
-          ? decoded.email.split('@')[0].toLowerCase()
-          : `user_${decoded.sub}`,
+        username: decoded.email ? decoded.email.split('@')[0].toLowerCase() : `user_${decoded.sub}`,
         name: decoded.name
           ? `${decoded.name.firstName} ${decoded.name.lastName}`
           : profile.displayName || null,
@@ -96,8 +94,12 @@ describe('Apple Login Strategy', () => {
 
     // Mock isEnabled based on environment variable
     isEnabled.mockImplementation((flag) => {
-      if (flag === 'true') { return true; }
-      if (flag === 'false') { return false; }
+      if (flag === 'true') {
+        return true;
+      }
+      if (flag === 'false') {
+        return false;
+      }
       return false;
     });
 
@@ -154,9 +156,7 @@ describe('Apple Login Strategy', () => {
       });
 
       expect(jwt.decode).toHaveBeenCalledWith('fake_id_token');
-      expect(logger.debug).toHaveBeenCalledWith(
-        expect.stringContaining('Decoded Apple JWT'),
-      );
+      expect(logger.debug).toHaveBeenCalledWith(expect.stringContaining('Decoded Apple JWT'));
       expect(profileDetails).toEqual({
         email: 'john.doe@example.com',
         id: 'apple-sub-1234',
@@ -297,7 +297,7 @@ describe('Apple Login Strategy', () => {
         appleStrategyInstance._verify(
           fakeAccessToken,
           fakeRefreshToken,
-          null,               // idToken is missing
+          null, // idToken is missing
           mockProfile,
           (err, user) => {
             mockVerifyCallback(err, user);

api/strategies/index.js

@@ -7,6 +7,7 @@ const facebookLogin = require('./facebookStrategy');
 const { setupOpenId, getOpenIdConfig } = require('./openidStrategy');
 const jwtLogin = require('./jwtStrategy');
 const ldapLogin = require('./ldapStrategy');
+const { setupSaml } = require('./samlStrategy');
 const openIdJwtLogin = require('./openIdJwtStrategy');
 
 module.exports = {
@@ -20,5 +21,6 @@ module.exports = {
   setupOpenId,
   getOpenIdConfig,
   ldapLogin,
+  setupSaml,
   openIdJwtLogin,
 };

api/strategies/openidStrategy.js

@@ -28,6 +28,13 @@ class CustomOpenIDStrategy extends OpenIDStrategy {
     const hostAndProtocol = process.env.DOMAIN_SERVER;
     return new URL(`${hostAndProtocol}${req.originalUrl ?? req.url}`);
   }
+  authorizationRequestParams(req, options) {
+    const params = super.authorizationRequestParams(req, options);
+    if (options?.state && !params.has('state')) {
+      params.set('state', options.state);
+    }
+    return params;
+  }
 }
 
 /**

api/strategies/samlStrategy.js

@@ -0,0 +1,276 @@
+const fs = require('fs');
+const path = require('path');
+const fetch = require('node-fetch');
+const passport = require('passport');
+const { Strategy: SamlStrategy } = require('@node-saml/passport-saml');
+const { findUser, createUser, updateUser } = require('~/models/userMethods');
+const { getStrategyFunctions } = require('~/server/services/Files/strategies');
+const { hashToken } = require('~/server/utils/crypto');
+const { logger } = require('~/config');
+const paths = require('~/config/paths');
+
+let crypto;
+try {
+  crypto = require('node:crypto');
+} catch (err) {
+  logger.error('[samlStrategy] crypto support is disabled!', err);
+}
+
+/**
+ * Retrieves the certificate content from the given value.
+ *
+ * This function determines whether the provided value is a certificate string (RFC7468 format or
+ * base64-encoded without a header) or a valid file path. If the value matches one of these formats,
+ * the certificate content is returned. Otherwise, an error is thrown.
+ *
+ * @see https://github.com/node-saml/node-saml/tree/master?tab=readme-ov-file#configuration-option-idpcert
+ * @param {string} value - The certificate string or file path.
+ * @returns {string} The certificate content if valid.
+ * @throws {Error} If the value is not a valid certificate string or file path.
+ */
+function getCertificateContent(value) {
+  if (typeof value !== 'string') {
+    throw new Error('Invalid input: SAML_CERT must be a string.');
+  }
+
+  // Check if it's an RFC7468 formatted PEM certificate
+  const pemRegex = new RegExp(
+    '-----BEGIN (CERTIFICATE|PUBLIC KEY)-----\n' + // header
+      '([A-Za-z0-9+/=]{64}\n)+' + // base64 content (64 characters per line)
+      '[A-Za-z0-9+/=]{1,64}\n' + //  base64 content (last line)
+      '-----END (CERTIFICATE|PUBLIC KEY)-----', // footer
+  );
+  if (pemRegex.test(value)) {
+    logger.info('[samlStrategy] Detected RFC7468-formatted certificate string.');
+    return value;
+  }
+
+  // Check if it's a Base64-encoded certificate (no header)
+  if (/^[A-Za-z0-9+/=]+$/.test(value) && value.length % 4 === 0) {
+    logger.info('[samlStrategy] Detected base64-encoded certificate string (no header).');
+    return value;
+  }
+
+  // Check if file exists and is readable
+  const certPath = path.normalize(path.isAbsolute(value) ? value : path.join(paths.root, value));
+  if (fs.existsSync(certPath) && fs.statSync(certPath).isFile()) {
+    try {
+      logger.info(`[samlStrategy] Loading certificate from file: ${certPath}`);
+      return fs.readFileSync(certPath, 'utf8').trim();
+    } catch (error) {
+      throw new Error(`Error reading certificate file: ${error.message}`);
+    }
+  }
+
+  throw new Error('Invalid cert: SAML_CERT must be a valid file path or certificate string.');
+}
+
+/**
+ * Retrieves a SAML claim from a profile object based on environment configuration.
+ * @param {object} profile - Saml profile
+ * @param {string} envVar - Environment variable name (SAML_*)
+ * @param {string} defaultKey -  Default key to use if the environment variable is not set
+ * @returns {string}
+ */
+function getSamlClaim(profile, envVar, defaultKey) {
+  const claimKey = process.env[envVar];
+
+  // Avoids accessing `profile[""]` when the environment variable is empty string.
+  if (claimKey) {
+    return profile[claimKey] ?? profile[defaultKey];
+  }
+  return profile[defaultKey];
+}
+
+function getEmail(profile) {
+  return getSamlClaim(profile, 'SAML_EMAIL_CLAIM', 'email');
+}
+
+function getUserName(profile) {
+  return getSamlClaim(profile, 'SAML_USERNAME_CLAIM', 'username');
+}
+
+function getGivenName(profile) {
+  return getSamlClaim(profile, 'SAML_GIVEN_NAME_CLAIM', 'given_name');
+}
+
+function getFamilyName(profile) {
+  return getSamlClaim(profile, 'SAML_FAMILY_NAME_CLAIM', 'family_name');
+}
+
+function getPicture(profile) {
+  return getSamlClaim(profile, 'SAML_PICTURE_CLAIM', 'picture');
+}
+
+/**
+ * Downloads an image from a URL using an access token.
+ * @param {string} url
+ * @returns {Promise<Buffer>}
+ */
+const downloadImage = async (url) => {
+  try {
+    const response = await fetch(url);
+    if (response.ok) {
+      return await response.buffer();
+    } else {
+      throw new Error(`${response.statusText} (HTTP ${response.status})`);
+    }
+  } catch (error) {
+    logger.error(`[samlStrategy] Error downloading image at URL "${url}": ${error}`);
+    return null;
+  }
+};
+
+/**
+ * Determines the full name of a user based on SAML profile and environment configuration.
+ *
+ * @param {Object} profile - The user profile object from SAML Connect
+ * @returns {string} The determined full name of the user
+ */
+function getFullName(profile) {
+  if (process.env.SAML_NAME_CLAIM) {
+    logger.info(
+      `[samlStrategy] Using SAML_NAME_CLAIM: ${process.env.SAML_NAME_CLAIM}, profile: ${profile[process.env.SAML_NAME_CLAIM]}`,
+    );
+    return profile[process.env.SAML_NAME_CLAIM];
+  }
+
+  const givenName = getGivenName(profile);
+  const familyName = getFamilyName(profile);
+
+  if (givenName && familyName) {
+    return `${givenName} ${familyName}`;
+  }
+
+  if (givenName) {
+    return givenName;
+  }
+  if (familyName) {
+    return familyName;
+  }
+
+  return getUserName(profile) || getEmail(profile);
+}
+
+/**
+ * Converts an input into a string suitable for a username.
+ * If the input is a string, it will be returned as is.
+ * If the input is an array, elements will be joined with underscores.
+ * In case of undefined or other falsy values, a default value will be returned.
+ *
+ * @param {string | string[] | undefined} input - The input value to be converted into a username.
+ * @param {string} [defaultValue=''] - The default value to return if the input is falsy.
+ * @returns {string} The processed input as a string suitable for a username.
+ */
+function convertToUsername(input, defaultValue = '') {
+  if (typeof input === 'string') {
+    return input;
+  } else if (Array.isArray(input)) {
+    return input.join('_');
+  }
+
+  return defaultValue;
+}
+
+async function setupSaml() {
+  try {
+    const samlConfig = {
+      entryPoint: process.env.SAML_ENTRY_POINT,
+      issuer: process.env.SAML_ISSUER,
+      callbackUrl: process.env.SAML_CALLBACK_URL,
+      idpCert: getCertificateContent(process.env.SAML_CERT),
+      wantAssertionsSigned: process.env.SAML_USE_AUTHN_RESPONSE_SIGNED === 'true' ? false : true,
+      wantAuthnResponseSigned: process.env.SAML_USE_AUTHN_RESPONSE_SIGNED === 'true' ? true : false,
+    };
+
+    passport.use(
+      'saml',
+      new SamlStrategy(samlConfig, async (profile, done) => {
+        try {
+          logger.info(`[samlStrategy] SAML authentication received for NameID: ${profile.nameID}`);
+          logger.debug('[samlStrategy] SAML profile:', profile);
+
+          let user = await findUser({ samlId: profile.nameID });
+          logger.info(
+            `[samlStrategy] User ${user ? 'found' : 'not found'} with SAML ID: ${profile.nameID}`,
+          );
+
+          if (!user) {
+            const email = getEmail(profile) || '';
+            user = await findUser({ email });
+            logger.info(
+              `[samlStrategy] User ${user ? 'found' : 'not found'} with email: ${profile.email}`,
+            );
+          }
+
+          const fullName = getFullName(profile);
+
+          const username = convertToUsername(
+            getUserName(profile) || getGivenName(profile) || getEmail(profile),
+          );
+
+          if (!user) {
+            user = {
+              provider: 'saml',
+              samlId: profile.nameID,
+              username,
+              email: getEmail(profile) || '',
+              emailVerified: true,
+              name: fullName,
+            };
+            user = await createUser(user, true, true);
+          } else {
+            user.provider = 'saml';
+            user.samlId = profile.nameID;
+            user.username = username;
+            user.name = fullName;
+          }
+
+          const picture = getPicture(profile);
+          if (picture && !user.avatar?.includes('manual=true')) {
+            const imageBuffer = await downloadImage(profile.picture);
+            if (imageBuffer) {
+              let fileName;
+              if (crypto) {
+                fileName = (await hashToken(profile.nameID)) + '.png';
+              } else {
+                fileName = profile.nameID + '.png';
+              }
+
+              const { saveBuffer } = getStrategyFunctions(process.env.CDN_PROVIDER);
+              const imagePath = await saveBuffer({
+                fileName,
+                userId: user._id.toString(),
+                buffer: imageBuffer,
+              });
+              user.avatar = imagePath ?? '';
+            }
+          }
+
+          user = await updateUser(user._id, user);
+
+          logger.info(
+            `[samlStrategy] Login success SAML ID: ${user.samlId} | email: ${user.email} | username: ${user.username}`,
+            {
+              user: {
+                samlId: user.samlId,
+                username: user.username,
+                email: user.email,
+                name: user.name,
+              },
+            },
+          );
+
+          done(null, user);
+        } catch (err) {
+          logger.error('[samlStrategy] Login failed', err);
+          done(err);
+        }
+      }),
+    );
+  } catch (err) {
+    logger.error('[samlStrategy]', err);
+  }
+}
+
+module.exports = { setupSaml, getCertificateContent };

api/strategies/samlStrategy.spec.js

@@ -0,0 +1,428 @@
+const fs = require('fs');
+const path = require('path');
+const fetch = require('node-fetch');
+const { Strategy: SamlStrategy } = require('@node-saml/passport-saml');
+const { findUser, createUser, updateUser } = require('~/models/userMethods');
+const { setupSaml, getCertificateContent } = require('./samlStrategy');
+
+// --- Mocks ---
+jest.mock('fs');
+jest.mock('path');
+jest.mock('node-fetch');
+jest.mock('@node-saml/passport-saml');
+jest.mock('~/models/userMethods', () => ({
+  findUser: jest.fn(),
+  createUser: jest.fn(),
+  updateUser: jest.fn(),
+}));
+jest.mock('~/server/services/Files/strategies', () => ({
+  getStrategyFunctions: jest.fn(() => ({
+    saveBuffer: jest.fn().mockResolvedValue('/fake/path/to/avatar.png'),
+  })),
+}));
+jest.mock('~/server/utils/crypto', () => ({
+  hashToken: jest.fn().mockResolvedValue('hashed-token'),
+}));
+jest.mock('~/server/utils', () => ({
+  isEnabled: jest.fn(() => false),
+}));
+jest.mock('~/config', () => ({
+  logger: {
+    info: jest.fn(),
+    debug: jest.fn(),
+    error: jest.fn(),
+  },
+}));
+
+// To capture the verify callback from the strategy, we grab it from the mock constructor
+let verifyCallback;
+SamlStrategy.mockImplementation((options, verify) => {
+  verifyCallback = verify;
+  return { name: 'saml', options, verify };
+});
+
+describe('getCertificateContent', () => {
+  const certWithHeader = `-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUKhXaFJGJJPx466rlwYORIsqCq7MwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNTAzMDQwODUxNTJaFw0yNjAz
+MDQwODUxNTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCWP09NZg0xaRiLpNygCVgV3M+4RFW2S0c5X/fg/uFT
+O5MfaVYzG5GxzhXzWRB8RtNPsxX/nlbPsoUroeHbz+SABkOsNEv6JuKRH4VXRH34
+VzjazVkPAwj+N4WqsC/Wo4EGGpKIGeGi8Zed4yvMqoTyE3mrS19fY0nMHT62wUwS
+GMm2pAQdAQePZ9WY7A5XOA1IoxW2Zh2Oxaf1p59epBkZDhoxSMu8GoSkvK27Km4A
+4UXftzdg/wHNPrNirmcYouioHdmrOtYxPjrhUBQ74AmE1/QK45B6wEgirKH1A1AW
+6C+ApLwpBMvy9+8Gbyvc8G18W3CjdEVKmAeWb9JUedSXAgMBAAGjUzBRMB0GA1Ud
+DgQWBBRxpaqBx8VDLLc8IkHATujj8IOs6jAfBgNVHSMEGDAWgBRxpaqBx8VDLLc8
+IkHATujj8IOs6jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc
+Puk6i+yowwGccB3LhfxZ+Fz6s6/Lfx6bP/Hy4NYOxmx2/awGBgyfp1tmotjaS9Cf
+FWd67LuEru4TYtz12RNMDBF5ypcEfibvb3I8O6igOSQX/Jl5D2pMChesZxhmCift
+Qp09T41MA8PmHf1G9oMG0A3ZnjKDG5ebaJNRFImJhMHsgh/TP7V3uZy7YHTgopKX
+Hv63V3Uo3Oihav29Q7urwmf7Ly7X7J2WE86/w3vRHi5dhaWWqEqxmnAXl+H+sG4V
+meeVRI332bg1Nuy8KnnX8v3ZeJzMBkAhzvSr6Ri96R0/Un/oEFwVC5jDTq8sXVn6
+u7wlOSk+oFzDIO/UILIA
+-----END CERTIFICATE-----`;
+
+  const certWithoutHeader = certWithHeader
+    .replace(/-----BEGIN CERTIFICATE-----/g, '')
+    .replace(/-----END CERTIFICATE-----/g, '')
+    .replace(/\s+/g, '');
+
+  it('should throw an error if SAML_CERT is not set', () => {
+    process.env.SAML_CERT;
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Invalid input: SAML_CERT must be a string.',
+    );
+  });
+
+  it('should throw an error if SAML_CERT is empty', () => {
+    process.env.SAML_CERT = '';
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Invalid cert: SAML_CERT must be a valid file path or certificate string.',
+    );
+  });
+
+  it('should load cert from an environment variable if it is a single-line string(with header)', () => {
+    process.env.SAML_CERT = certWithHeader;
+
+    const actual = getCertificateContent(process.env.SAML_CERT);
+    expect(actual).toBe(certWithHeader);
+  });
+
+  it('should load cert from an environment variable if it is a single-line string(with no header)', () => {
+    process.env.SAML_CERT = certWithoutHeader;
+
+    const actual = getCertificateContent(process.env.SAML_CERT);
+    expect(actual).toBe(certWithoutHeader);
+  });
+
+  it('should throw an error if SAML_CERT is a single-line string (with header, no newline characters)', () => {
+    process.env.SAML_CERT = certWithHeader.replace(/\n/g, '');
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Invalid cert: SAML_CERT must be a valid file path or certificate string.',
+    );
+  });
+
+  it('should load cert from a relative file path if SAML_CERT is valid', () => {
+    process.env.SAML_CERT = 'test.pem';
+    const resolvedPath = '/absolute/path/to/test.pem';
+
+    path.isAbsolute.mockReturnValue(false);
+    path.join.mockReturnValue(resolvedPath);
+    path.normalize.mockReturnValue(resolvedPath);
+
+    fs.existsSync.mockReturnValue(true);
+    fs.statSync.mockReturnValue({ isFile: () => true });
+    fs.readFileSync.mockReturnValue(certWithHeader);
+
+    const actual = getCertificateContent(process.env.SAML_CERT);
+    expect(actual).toBe(certWithHeader);
+  });
+
+  it('should load cert from an absolute file path if SAML_CERT is valid', () => {
+    process.env.SAML_CERT = '/absolute/path/to/test.pem';
+
+    path.isAbsolute.mockReturnValue(true);
+    path.normalize.mockReturnValue(process.env.SAML_CERT);
+
+    fs.existsSync.mockReturnValue(true);
+    fs.statSync.mockReturnValue({ isFile: () => true });
+    fs.readFileSync.mockReturnValue(certWithHeader);
+
+    const actual = getCertificateContent(process.env.SAML_CERT);
+    expect(actual).toBe(certWithHeader);
+  });
+
+  it('should throw an error if the file does not exist', () => {
+    process.env.SAML_CERT = 'missing.pem';
+    const resolvedPath = '/absolute/path/to/missing.pem';
+
+    path.isAbsolute.mockReturnValue(false);
+    path.join.mockReturnValue(resolvedPath);
+    path.normalize.mockReturnValue(resolvedPath);
+
+    fs.existsSync.mockReturnValue(false);
+
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Invalid cert: SAML_CERT must be a valid file path or certificate string.',
+    );
+  });
+
+  it('should throw an error if the file is not readable', () => {
+    process.env.SAML_CERT = 'unreadable.pem';
+    const resolvedPath = '/absolute/path/to/unreadable.pem';
+
+    path.isAbsolute.mockReturnValue(false);
+    path.join.mockReturnValue(resolvedPath);
+    path.normalize.mockReturnValue(resolvedPath);
+
+    fs.existsSync.mockReturnValue(true);
+    fs.statSync.mockReturnValue({ isFile: () => true });
+    fs.readFileSync.mockImplementation(() => {
+      throw new Error('Permission denied');
+    });
+
+    expect(() => getCertificateContent(process.env.SAML_CERT)).toThrow(
+      'Error reading certificate file: Permission denied',
+    );
+  });
+});
+
+describe('setupSaml', () => {
+  // Helper to wrap the verify callback in a promise
+  const validate = (profile) =>
+    new Promise((resolve, reject) => {
+      verifyCallback(profile, (err, user, details) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve({ user, details });
+        }
+      });
+    });
+
+  const baseProfile = {
+    nameID: 'saml-1234',
+    email: 'test@example.com',
+    given_name: 'First',
+    family_name: 'Last',
+    name: 'My Full Name',
+    username: 'flast',
+    picture: 'https://example.com/avatar.png',
+    custom_name: 'custom',
+  };
+
+  beforeEach(async () => {
+    jest.clearAllMocks();
+
+    const cert = `
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUKhXaFJGJJPx466rlwYORIsqCq7MwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNTAzMDQwODUxNTJaFw0yNjAz
+MDQwODUxNTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCWP09NZg0xaRiLpNygCVgV3M+4RFW2S0c5X/fg/uFT
+O5MfaVYzG5GxzhXzWRB8RtNPsxX/nlbPsoUroeHbz+SABkOsNEv6JuKRH4VXRH34
+VzjazVkPAwj+N4WqsC/Wo4EGGpKIGeGi8Zed4yvMqoTyE3mrS19fY0nMHT62wUwS
+GMm2pAQdAQePZ9WY7A5XOA1IoxW2Zh2Oxaf1p59epBkZDhoxSMu8GoSkvK27Km4A
+4UXftzdg/wHNPrNirmcYouioHdmrOtYxPjrhUBQ74AmE1/QK45B6wEgirKH1A1AW
+6C+ApLwpBMvy9+8Gbyvc8G18W3CjdEVKmAeWb9JUedSXAgMBAAGjUzBRMB0GA1Ud
+DgQWBBRxpaqBx8VDLLc8IkHATujj8IOs6jAfBgNVHSMEGDAWgBRxpaqBx8VDLLc8
+IkHATujj8IOs6jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc
+Puk6i+yowwGccB3LhfxZ+Fz6s6/Lfx6bP/Hy4NYOxmx2/awGBgyfp1tmotjaS9Cf
+FWd67LuEru4TYtz12RNMDBF5ypcEfibvb3I8O6igOSQX/Jl5D2pMChesZxhmCift
+Qp09T41MA8PmHf1G9oMG0A3ZnjKDG5ebaJNRFImJhMHsgh/TP7V3uZy7YHTgopKX
+Hv63V3Uo3Oihav29Q7urwmf7Ly7X7J2WE86/w3vRHi5dhaWWqEqxmnAXl+H+sG4V
+meeVRI332bg1Nuy8KnnX8v3ZeJzMBkAhzvSr6Ri96R0/Un/oEFwVC5jDTq8sXVn6
+u7wlOSk+oFzDIO/UILIA
+-----END CERTIFICATE-----
+    `;
+
+    // Reset environment variables
+    process.env.SAML_ENTRY_POINT = 'https://example.com/saml';
+    process.env.SAML_ISSUER = 'saml-issuer';
+    process.env.SAML_CERT = cert;
+    process.env.SAML_CALLBACK_URL = '/oauth/saml/callback';
+    delete process.env.SAML_EMAIL_CLAIM;
+    delete process.env.SAML_USERNAME_CLAIM;
+    delete process.env.SAML_GIVEN_NAME_CLAIM;
+    delete process.env.SAML_FAMILY_NAME_CLAIM;
+    delete process.env.SAML_PICTURE_CLAIM;
+    delete process.env.SAML_NAME_CLAIM;
+
+    findUser.mockResolvedValue(null);
+    createUser.mockImplementation(async (userData) => ({
+      _id: 'newUserId',
+      ...userData,
+    }));
+    updateUser.mockImplementation(async (id, userData) => ({
+      _id: id,
+      ...userData,
+    }));
+
+    // Simulate image download
+    const fakeBuffer = Buffer.from('fake image');
+    fetch.mockResolvedValue({
+      ok: true,
+      buffer: jest.fn().mockResolvedValue(fakeBuffer),
+    });
+
+    await setupSaml();
+  });
+
+  it('should create a new user with correct username when username claim exists', async () => {
+    const profile = { ...baseProfile };
+    const { user } = await validate(profile);
+
+    expect(user.username).toBe(profile.username);
+    expect(createUser).toHaveBeenCalledWith(
+      expect.objectContaining({
+        provider: 'saml',
+        samlId: profile.nameID,
+        username: profile.username,
+        email: profile.email,
+        name: `${profile.given_name} ${profile.family_name}`,
+      }),
+      true,
+      true,
+    );
+  });
+
+  it('should use given_name as username when username claim is missing', async () => {
+    const profile = { ...baseProfile };
+    delete profile.username;
+    const expectUsername = profile.given_name;
+
+    const { user } = await validate(profile);
+
+    expect(user.username).toBe(expectUsername);
+    expect(createUser).toHaveBeenCalledWith(
+      expect.objectContaining({ username: expectUsername }),
+      true,
+      true,
+    );
+  });
+
+  it('should use email as username when username and given_name are missing', async () => {
+    const profile = { ...baseProfile };
+    delete profile.username;
+    delete profile.given_name;
+    const expectUsername = profile.email;
+
+    const { user } = await validate(profile);
+
+    expect(user.username).toBe(expectUsername);
+    expect(createUser).toHaveBeenCalledWith(
+      expect.objectContaining({ username: expectUsername }),
+      true,
+      true,
+    );
+  });
+
+  it('should override username with SAML_USERNAME_CLAIM when set', async () => {
+    process.env.SAML_USERNAME_CLAIM = 'nameID';
+    const profile = { ...baseProfile };
+
+    const { user } = await validate(profile);
+
+    expect(user.username).toBe(profile.nameID);
+    expect(createUser).toHaveBeenCalledWith(
+      expect.objectContaining({ username: profile.nameID }),
+      true,
+      true,
+    );
+  });
+
+  it('should set the full name correctly when given_name and family_name exist', async () => {
+    const profile = { ...baseProfile };
+    const expectedFullName = `${profile.given_name} ${profile.family_name}`;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly when given_name exist', async () => {
+    const profile = { ...baseProfile };
+    delete profile.family_name;
+    const expectedFullName = profile.given_name;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly when family_name exist', async () => {
+    const profile = { ...baseProfile };
+    delete profile.given_name;
+    const expectedFullName = profile.family_name;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly when username exist', async () => {
+    const profile = { ...baseProfile };
+    delete profile.family_name;
+    delete profile.given_name;
+    const expectedFullName = profile.username;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly when email only exist', async () => {
+    const profile = { ...baseProfile };
+    delete profile.family_name;
+    delete profile.given_name;
+    delete profile.username;
+    const expectedFullName = profile.email;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should set the full name correctly with SAML_NAME_CLAIM when set', async () => {
+    process.env.SAML_NAME_CLAIM = 'custom_name';
+    const profile = { ...baseProfile };
+    const expectedFullName = profile.custom_name;
+
+    const { user } = await validate(profile);
+
+    expect(user.name).toBe(expectedFullName);
+  });
+
+  it('should update an existing user on login', async () => {
+    const existingUser = {
+      _id: 'existingUserId',
+      provider: 'local',
+      email: baseProfile.email,
+      samlId: '',
+      username: '',
+      name: '',
+    };
+
+    findUser.mockImplementation(async (query) => {
+      if (query.samlId === baseProfile.nameID || query.email === baseProfile.email) {
+        return existingUser;
+      }
+      return null;
+    });
+
+    const profile = { ...baseProfile };
+    await validate(profile);
+
+    expect(updateUser).toHaveBeenCalledWith(
+      existingUser._id,
+      expect.objectContaining({
+        provider: 'saml',
+        samlId: baseProfile.nameID,
+        username: baseProfile.username,
+        name: `${baseProfile.given_name} ${baseProfile.family_name}`,
+      }),
+    );
+  });
+
+  it('should attempt to download and save the avatar if picture is provided', async () => {
+    const profile = { ...baseProfile };
+
+    const { user } = await validate(profile);
+
+    expect(fetch).toHaveBeenCalled();
+    expect(user.avatar).toBe('/fake/path/to/avatar.png');
+  });
+
+  it('should not attempt to download avatar if picture is not provided', async () => {
+    const profile = { ...baseProfile };
+    delete profile.picture;
+
+    await validate(profile);
+
+    expect(fetch).not.toHaveBeenCalled();
+  });
+});

api/strategies/validators.spec.js

@@ -258,7 +258,7 @@ describe('Zod Schemas', () => {
         email: 'john@example.com',
         password: 'password123',
         confirm_password: 'password123',
-        extraField: 'I shouldn\'t be here',
+        extraField: "I shouldn't be here",
       });
       expect(result.success).toBe(true);
     });
@@ -407,7 +407,7 @@ describe('Zod Schemas', () => {
         'john{doe}', // Contains `{` and `}`
         'j', // Only one character
         'a'.repeat(81), // More than 80 characters
-        '\' OR \'1\'=\'1\'; --', // SQL Injection
+        "' OR '1'='1'; --", // SQL Injection
         '{$ne: null}', // MongoDB Injection
         '<script>alert("XSS")</script>', // Basic XSS
         '"><script>alert("XSS")</script>', // XSS breaking out of an attribute

api/utils/axios.js

@@ -29,7 +29,7 @@ const logAxiosError = ({ message, error }) => {
         requestInfo: { method, url },
         stack,
       });
-    } else if (error?.message?.includes('Cannot read properties of undefined (reading \'status\')')) {
+    } else if (error?.message?.includes("Cannot read properties of undefined (reading 'status')")) {
       logMessage = `${message} It appears the request timed out or was unsuccessful: ${error.message}`;
       logger.error(logMessage, { stack });
     } else {

client/package.json

@@ -6,7 +6,7 @@
   "scripts": {
     "data-provider": "cd .. && npm run build:data-provider",
     "build:file": "cross-env NODE_ENV=production vite build --debug > vite-output.log 2>&1",
-    "build": "cross-env NODE_ENV=production vite build",
+    "build": "cross-env NODE_ENV=production vite build && node ./scripts/post-build.cjs",
     "build:ci": "cross-env NODE_ENV=development vite build --mode ci",
     "dev": "cross-env NODE_ENV=development vite",
     "preview-prod": "cross-env NODE_ENV=development vite preview",
@@ -139,7 +139,6 @@
     "postcss": "^8.4.31",
     "postcss-loader": "^7.1.0",
     "postcss-preset-env": "^8.2.0",
-    "rollup-plugin-visualizer": "^6.0.0",
     "tailwindcss": "^3.4.1",
     "ts-jest": "^29.2.5",
     "typescript": "^5.3.3",

client/public/assets/google.svg

@@ -0,0 +1 @@
+<svg height="56" style="flex: 0 0 auto; line-height: 1;" viewBox="0 0 24 24" width="56" xmlns="http://www.w3.org/2000/svg"><title>Gemini</title><defs><linearGradient id="lobe-icons-gemini-fill" x1="0%" x2="68.73%" y1="100%" y2="30.395%"><stop offset="0%" stop-color="#1C7DFF"></stop><stop offset="52.021%" stop-color="#1C69FF"></stop><stop offset="100%" stop-color="#F0DCD6"></stop></linearGradient></defs><path d="M12 24A14.304 14.304 0 000 12 14.304 14.304 0 0012 0a14.305 14.305 0 0012 12 14.305 14.305 0 00-12 12" fill="url(#lobe-icons-gemini-fill)" fill-rule="nonzero"></path></svg>

client/public/assets/openai.svg

@@ -0,0 +1 @@
+<svg fill="currentColor" fill-rule="evenodd" height="56" style="flex: 0 0 auto; line-height: 1;" viewBox="0 0 24 24" width="56" xmlns="http://www.w3.org/2000/svg"><title>OpenAI</title><path d="M21.55 10.004a5.416 5.416 0 00-.478-4.501c-1.217-2.09-3.662-3.166-6.05-2.66A5.59 5.59 0 0010.831 1C8.39.995 6.224 2.546 5.473 4.838A5.553 5.553 0 001.76 7.496a5.487 5.487 0 00.691 6.5 5.416 5.416 0 00.477 4.502c1.217 2.09 3.662 3.165 6.05 2.66A5.586 5.586 0 0013.168 23c2.443.006 4.61-1.546 5.361-3.84a5.553 5.553 0 003.715-2.66 5.488 5.488 0 00-.693-6.497v.001zm-8.381 11.558a4.199 4.199 0 01-2.675-.954c.034-.018.093-.05.132-.074l4.44-2.53a.71.71 0 00.364-.623v-6.176l1.877 1.069c.02.01.033.029.036.05v5.115c-.003 2.274-1.87 4.118-4.174 4.123zM4.192 17.78a4.059 4.059 0 01-.498-2.763c.032.02.09.055.131.078l4.44 2.53c.225.13.504.13.73 0l5.42-3.088v2.138a.068.068 0 01-.027.057L9.9 19.288c-1.999 1.136-4.552.46-5.707-1.51h-.001zM3.023 8.216A4.15 4.15 0 015.198 6.41l-.002.151v5.06a.711.711 0 00.364.624l5.42 3.087-1.876 1.07a.067.067 0 01-.063.005l-4.489-2.559c-1.995-1.14-2.679-3.658-1.53-5.63h.001zm15.417 3.54l-5.42-3.088L14.896 7.6a.067.067 0 01.063-.006l4.489 2.557c1.998 1.14 2.683 3.662 1.529 5.633a4.163 4.163 0 01-2.174 1.807V12.38a.71.71 0 00-.363-.623zm1.867-2.773a6.04 6.04 0 00-.132-.078l-4.44-2.53a.731.731 0 00-.729 0l-5.42 3.088V7.325a.068.068 0 01.027-.057L14.1 4.713c2-1.137 4.555-.46 5.707 1.513.487.833.664 1.809.499 2.757h.001zm-11.741 3.81l-1.877-1.068a.065.065 0 01-.036-.051V6.559c.001-2.277 1.873-4.122 4.181-4.12.976 0 1.92.338 2.671.954-.034.018-.092.05-.131.073l-4.44 2.53a.71.71 0 00-.365.623l-.003 6.173v.002zm1.02-2.168L12 9.25l2.414 1.375v2.75L12 14.75l-2.415-1.375v-2.75z"></path></svg>

client/public/assets/qwen.svg

@@ -0,0 +1 @@
+<svg height="56" style="flex: 0 0 auto; line-height: 1;" viewBox="0 0 24 24" width="56" xmlns="http://www.w3.org/2000/svg"><title>Qwen</title><defs><linearGradient id="lobe-icons-qwen-fill" x1="0%" x2="100%" y1="0%" y2="0%"><stop offset="0%" stop-color="#00055F" stop-opacity=".84"></stop><stop offset="100%" stop-color="#6F69F7" stop-opacity=".84"></stop></linearGradient></defs><path d="M12.604 1.34c.393.69.784 1.382 1.174 2.075a.18.18 0 00.157.091h5.552c.174 0 .322.11.446.327l1.454 2.57c.19.337.24.478.024.837-.26.43-.513.864-.76 1.3l-.367.658c-.106.196-.223.28-.04.512l2.652 4.637c.172.301.111.494-.043.77-.437.785-.882 1.564-1.335 2.34-.159.272-.352.375-.68.37-.777-.016-1.552-.01-2.327.016a.099.099 0 00-.081.05 575.097 575.097 0 01-2.705 4.74c-.169.293-.38.363-.725.364-.997.003-2.002.004-3.017.002a.537.537 0 01-.465-.271l-1.335-2.323a.09.09 0 00-.083-.049H4.982c-.285.03-.553-.001-.805-.092l-1.603-2.77a.543.543 0 01-.002-.54l1.207-2.12a.198.198 0 000-.197 550.951 550.951 0 01-1.875-3.272l-.79-1.395c-.16-.31-.173-.496.095-.965.465-.813.927-1.625 1.387-2.436.132-.234.304-.334.584-.335a338.3 338.3 0 012.589-.001.124.124 0 00.107-.063l2.806-4.895a.488.488 0 01.422-.246c.524-.001 1.053 0 1.583-.006L11.704 1c.341-.003.724.032.9.34zm-3.432.403a.06.06 0 00-.052.03L6.254 6.788a.157.157 0 01-.135.078H3.253c-.056 0-.07.025-.041.074l5.81 10.156c.025.042.013.062-.034.063l-2.795.015a.218.218 0 00-.2.116l-1.32 2.31c-.044.078-.021.118.068.118l5.716.008c.046 0 .08.02.104.061l1.403 2.454c.046.081.092.082.139 0l5.006-8.76.783-1.382a.055.055 0 01.096 0l1.424 2.53a.122.122 0 00.107.062l2.763-.02a.04.04 0 00.035-.02.041.041 0 000-.04l-2.9-5.086a.108.108 0 010-.113l.293-.507 1.12-1.977c.024-.041.012-.062-.035-.062H9.2c-.059 0-.073-.026-.043-.077l1.434-2.505a.107.107 0 000-.114L9.225 1.774a.06.06 0 00-.053-.031zm6.29 8.02c.046 0 .058.02.034.06l-.832 1.465-2.613 4.585a.056.056 0 01-.05.029.058.058 0 01-.05-.029L8.498 9.841c-.02-.034-.01-.052.028-.054l.216-.012 6.722-.012z" fill="url(#lobe-icons-qwen-fill)" fill-rule="nonzero"></path></svg>

client/scripts/post-build.cjs

@@ -0,0 +1,14 @@
+const fs = require('fs-extra');
+
+async function postBuild() {
+  try {
+    await fs.copy('public/assets', 'dist/assets');
+    await fs.copy('public/robots.txt', 'dist/robots.txt');
+    console.log('✅ PWA icons and robots.txt copied successfully. Glob pattern warnings resolved.');
+  } catch (err) {
+    console.error('❌ Error copying files:', err);
+    process.exit(1);
+  }
+}
+
+postBuild();

client/src/@types/i18next.d.ts

@@ -1,9 +1,9 @@
 import { defaultNS, resources } from '~/locales/i18n';
 
 declare module 'i18next' {
-    interface CustomTypeOptions {
-        defaultNS: typeof defaultNS;
-        resources: typeof resources.en;
-        strictKeyChecks: true
-    }
-}
+  interface CustomTypeOptions {
+    defaultNS: typeof defaultNS;
+    resources: typeof resources.en;
+    strictKeyChecks: true;
+  }
+}

client/src/common/menus.ts

@@ -1,4 +1,3 @@
-/* eslint-disable @typescript-eslint/no-explicit-any */
 export type RenderProp<
   P = React.HTMLAttributes<any> & {
     ref?: React.Ref<any>;

client/src/components/Artifacts/useDebounceCodeBlock.ts

@@ -9,16 +9,17 @@ export function useDebounceCodeBlock() {
   const setCodeBlocks = useSetRecoilState(codeBlocksState);
   const setCodeBlockIds = useSetRecoilState(codeBlockIdsState);
 
-  const updateCodeBlock = useCallback((codeBlock: CodeBlock) => {
-    console.log('Updating code block:', codeBlock);
-    setCodeBlocks((prev) => ({
-      ...prev,
-      [codeBlock.id]: codeBlock,
-    }));
-    setCodeBlockIds((prev) =>
-      prev.includes(codeBlock.id) ? prev : [...prev, codeBlock.id],
-    );
-  }, [setCodeBlocks, setCodeBlockIds]);
+  const updateCodeBlock = useCallback(
+    (codeBlock: CodeBlock) => {
+      console.log('Updating code block:', codeBlock);
+      setCodeBlocks((prev) => ({
+        ...prev,
+        [codeBlock.id]: codeBlock,
+      }));
+      setCodeBlockIds((prev) => (prev.includes(codeBlock.id) ? prev : [...prev, codeBlock.id]));
+    },
+    [setCodeBlocks, setCodeBlockIds],
+  );
 
   const debouncedUpdateCodeBlock = useCallback(
     debounce((codeBlock: CodeBlock) => {

client/src/components/Auth/AuthLayout.tsx

@@ -87,8 +87,8 @@ function AuthLayout({
           {children}
           {!pathname.includes('2fa') &&
             (pathname.includes('login') || pathname.includes('register')) && (
-            <SocialLoginRender startupConfig={startupConfig} />
-          )}
+              <SocialLoginRender startupConfig={startupConfig} />
+            )}
         </div>
       </div>
       <Footer startupConfig={startupConfig} />

client/src/components/Auth/LoginForm.tsx

@@ -16,7 +16,6 @@ type TLoginFormProps = {
 const LoginForm: React.FC<TLoginFormProps> = ({ onSubmit, startupConfig, error, setError }) => {
   const localize = useLocalize();
   const { theme } = useContext(ThemeContext);
-
   const {
     register,
     getValues,

client/src/components/Auth/RequestPasswordReset.tsx

@@ -105,23 +105,12 @@ function RequestPasswordReset() {
               },
             })}
             aria-invalid={!!errors.email}
-            className="
-              peer w-full rounded-lg border border-gray-300 bg-transparent px-4 py-3
-              text-base text-gray-900 placeholder-transparent transition-all
-              focus:border-green-500 focus:outline-none focus:ring-2 focus:ring-green-500/20
-              dark:border-gray-700 dark:text-white dark:focus:border-green-500
-            "
+            className="peer w-full rounded-lg border border-gray-300 bg-transparent px-4 py-3 text-base text-gray-900 placeholder-transparent transition-all focus:border-green-500 focus:outline-none focus:ring-2 focus:ring-green-500/20 dark:border-gray-700 dark:text-white dark:focus:border-green-500"
             placeholder="email@example.com"
           />
           <label
             htmlFor="email"
-            className="
-              absolute -top-2 left-2 z-10 bg-white px-2 text-sm text-gray-600
-              transition-all peer-placeholder-shown:top-3 peer-placeholder-shown:text-base
-              peer-placeholder-shown:text-gray-500 peer-focus:-top-2 peer-focus:text-sm
-              peer-focus:text-green-600 dark:bg-gray-900 dark:text-gray-400
-              dark:peer-focus:text-green-500
-            "
+            className="absolute -top-2 left-2 z-10 bg-white px-2 text-sm text-gray-600 transition-all peer-placeholder-shown:top-3 peer-placeholder-shown:text-base peer-placeholder-shown:text-gray-500 peer-focus:-top-2 peer-focus:text-sm peer-focus:text-green-600 dark:bg-gray-900 dark:text-gray-400 dark:peer-focus:text-green-500"
           >
             {localize('com_auth_email_address')}
           </label>
@@ -136,12 +125,7 @@ function RequestPasswordReset() {
         <button
           type="submit"
           disabled={!!errors.email}
-          className="
-            w-full rounded-2xl bg-green-600 px-4 py-3 text-sm font-medium text-white
-            transition-colors hover:bg-green-700 focus:outline-none focus:ring-2
-            focus:ring-green-500 focus:ring-offset-2 disabled:opacity-50
-            disabled:hover:bg-green-600 dark:bg-green-600 dark:hover:bg-green-700
-          "
+          className="w-full rounded-2xl bg-green-600 px-4 py-3 text-sm font-medium text-white transition-colors hover:bg-green-700 focus:outline-none focus:ring-2 focus:ring-green-500 focus:ring-offset-2 disabled:opacity-50 disabled:hover:bg-green-600 dark:bg-green-600 dark:hover:bg-green-700"
         >
           {localize('com_auth_continue')}
         </button>

client/src/components/Auth/ResetPassword.tsx

@@ -89,20 +89,12 @@ function ResetPassword() {
               },
             })}
             aria-invalid={!!errors.password}
-            className="
-              webkit-dark-styles transition-color peer w-full rounded-2xl border border-border-light
-              bg-surface-primary px-3.5 pb-2.5 pt-3 text-text-primary duration-200 focus:border-green-500 focus:outline-none
-           "
+            className="webkit-dark-styles transition-color peer w-full rounded-2xl border border-border-light bg-surface-primary px-3.5 pb-2.5 pt-3 text-text-primary duration-200 focus:border-green-500 focus:outline-none"
             placeholder=" "
           />
           <label
             htmlFor="password"
-            className="
-              absolute start-3 top-1.5 z-10 origin-[0] -translate-y-4 scale-75 transform bg-surface-primary px-2 text-sm text-text-secondary-alt duration-200
-              peer-placeholder-shown:top-1/2 peer-placeholder-shown:-translate-y-1/2 peer-placeholder-shown:scale-100
-              peer-focus:top-1.5 peer-focus:-translate-y-4 peer-focus:scale-75 peer-focus:px-2 peer-focus:text-green-500
-              rtl:peer-focus:left-auto rtl:peer-focus:translate-x-1/4
-          "
+            className="absolute start-3 top-1.5 z-10 origin-[0] -translate-y-4 scale-75 transform bg-surface-primary px-2 text-sm text-text-secondary-alt duration-200 peer-placeholder-shown:top-1/2 peer-placeholder-shown:-translate-y-1/2 peer-placeholder-shown:scale-100 peer-focus:top-1.5 peer-focus:-translate-y-4 peer-focus:scale-75 peer-focus:px-2 peer-focus:text-green-500 rtl:peer-focus:left-auto rtl:peer-focus:translate-x-1/4"
           >
             {localize('com_auth_password')}
           </label>
@@ -124,20 +116,12 @@ function ResetPassword() {
               validate: (value) => value === password || localize('com_auth_password_not_match'),
             })}
             aria-invalid={!!errors.confirm_password}
-            className="
-            webkit-dark-styles transition-color peer w-full rounded-2xl border border-border-light
-            bg-surface-primary px-3.5 pb-2.5 pt-3 text-text-primary duration-200 focus:border-green-500 focus:outline-none
-            "
+            className="webkit-dark-styles transition-color peer w-full rounded-2xl border border-border-light bg-surface-primary px-3.5 pb-2.5 pt-3 text-text-primary duration-200 focus:border-green-500 focus:outline-none"
             placeholder=" "
           />
           <label
             htmlFor="confirm_password"
-            className="
-              absolute start-3 top-1.5 z-10 origin-[0] -translate-y-4 scale-75 transform bg-surface-primary px-2 text-sm text-text-secondary-alt duration-200
-              peer-placeholder-shown:top-1/2 peer-placeholder-shown:-translate-y-1/2 peer-placeholder-shown:scale-100
-              peer-focus:top-1.5 peer-focus:-translate-y-4 peer-focus:scale-75 peer-focus:px-2 peer-focus:text-green-500
-              rtl:peer-focus:left-auto rtl:peer-focus:translate-x-1/4
-            "
+            className="absolute start-3 top-1.5 z-10 origin-[0] -translate-y-4 scale-75 transform bg-surface-primary px-2 text-sm text-text-secondary-alt duration-200 peer-placeholder-shown:top-1/2 peer-placeholder-shown:-translate-y-1/2 peer-placeholder-shown:scale-100 peer-focus:top-1.5 peer-focus:-translate-y-4 peer-focus:scale-75 peer-focus:px-2 peer-focus:text-green-500 rtl:peer-focus:left-auto rtl:peer-focus:translate-x-1/4"
           >
             {localize('com_auth_password_confirm')}
           </label>
@@ -163,12 +147,7 @@ function ResetPassword() {
           disabled={!!errors.password || !!errors.confirm_password}
           type="submit"
           aria-label={localize('com_auth_submit_registration')}
-          className="
-            w-full rounded-2xl bg-green-600 px-4 py-3 text-sm font-medium text-white
-            transition-colors hover:bg-green-700 focus:outline-none focus:ring-2
-            focus:ring-green-500 focus:ring-offset-2 disabled:opacity-50
-            disabled:hover:bg-green-600 dark:bg-green-600 dark:hover:bg-green-700
-          "
+          className="w-full rounded-2xl bg-green-600 px-4 py-3 text-sm font-medium text-white transition-colors hover:bg-green-700 focus:outline-none focus:ring-2 focus:ring-green-500 focus:ring-offset-2 disabled:opacity-50 disabled:hover:bg-green-600 dark:bg-green-600 dark:hover:bg-green-700"
         >
           {localize('com_auth_continue')}
         </button>

client/src/components/Auth/SocialLoginRender.tsx

@@ -1,4 +1,12 @@
-import { GoogleIcon, FacebookIcon, OpenIDIcon, GithubIcon, DiscordIcon, AppleIcon } from '~/components';
+import {
+  GoogleIcon,
+  FacebookIcon,
+  OpenIDIcon,
+  GithubIcon,
+  DiscordIcon,
+  AppleIcon,
+  SamlIcon,
+} from '~/components';
 
 import SocialButton from './SocialButton';
 
@@ -90,6 +98,23 @@ function SocialLoginRender({
         id="openid"
       />
     ),
+    saml: startupConfig.samlLoginEnabled && (
+      <SocialButton
+        key="saml"
+        enabled={startupConfig.samlLoginEnabled}
+        serverDomain={startupConfig.serverDomain}
+        oauthPath="saml"
+        Icon={() =>
+          startupConfig.samlImageUrl ? (
+            <img src={startupConfig.samlImageUrl} alt="SAML Logo" className="h-5 w-5" />
+          ) : (
+            <SamlIcon />
+          )
+        }
+        label={startupConfig.samlLabel ? startupConfig.samlLabel : localize('com_auth_saml_login')}
+        id="saml"
+      />
+    ),
   };
 
   return (

client/src/components/Auth/__tests__/Login.spec.tsx

@@ -16,7 +16,7 @@ const mockStartupConfig = {
   isLoading: false,
   isError: false,
   data: {
-    socialLogins: ['google', 'facebook', 'openid', 'github', 'discord'],
+    socialLogins: ['google', 'facebook', 'openid', 'github', 'discord', 'saml'],
     discordLoginEnabled: true,
     facebookLoginEnabled: true,
     githubLoginEnabled: true,
@@ -24,6 +24,9 @@ const mockStartupConfig = {
     openidLoginEnabled: true,
     openidLabel: 'Test OpenID',
     openidImageUrl: 'http://test-server.com',
+    samlLoginEnabled: true,
+    samlLabel: 'Test SAML',
+    samlImageUrl: 'http://test-server.com',
     ldap: {
       enabled: false,
     },
@@ -143,6 +146,11 @@ test('renders login form', () => {
     'href',
     'mock-server/oauth/discord',
   );
+  expect(getByRole('link', { name: /Test SAML/i })).toBeInTheDocument();
+  expect(getByRole('link', { name: /Test SAML/i })).toHaveAttribute(
+    'href',
+    'mock-server/oauth/saml',
+  );
 });
 
 test('calls loginUser.mutate on login', async () => {

client/src/components/Auth/__tests__/LoginForm.spec.tsx

@@ -12,7 +12,7 @@ jest.mock('librechat-data-provider/react-query');
 const mockLogin = jest.fn();
 
 const mockStartupConfig: TStartupConfig = {
-  socialLogins: ['google', 'facebook', 'openid', 'github', 'discord'],
+  socialLogins: ['google', 'facebook', 'openid', 'github', 'discord', 'saml'],
   discordLoginEnabled: true,
   facebookLoginEnabled: true,
   githubLoginEnabled: true,
@@ -20,6 +20,9 @@ const mockStartupConfig: TStartupConfig = {
   openidLoginEnabled: true,
   openidLabel: 'Test OpenID',
   openidImageUrl: 'http://test-server.com',
+  samlLoginEnabled: true,
+  samlLabel: 'Test SAML',
+  samlImageUrl: 'http://test-server.com',
   registrationEnabled: true,
   emailLoginEnabled: true,
   socialLoginEnabled: true,

client/src/components/Auth/__tests__/Registration.spec.tsx

@@ -17,7 +17,7 @@ const mockStartupConfig = {
   isLoading: false,
   isError: false,
   data: {
-    socialLogins: ['google', 'facebook', 'openid', 'github', 'discord'],
+    socialLogins: ['google', 'facebook', 'openid', 'github', 'discord', 'saml'],
     discordLoginEnabled: true,
     facebookLoginEnabled: true,
     githubLoginEnabled: true,
@@ -25,6 +25,9 @@ const mockStartupConfig = {
     openidLoginEnabled: true,
     openidLabel: 'Test OpenID',
     openidImageUrl: 'http://test-server.com',
+    samlLoginEnabled: true,
+    samlLabel: 'Test SAML',
+    samlImageUrl: 'http://test-server.com',
     registrationEnabled: true,
     socialLoginEnabled: true,
     serverDomain: 'mock-server',
@@ -146,9 +149,13 @@ test('renders registration form', () => {
     'href',
     'mock-server/oauth/discord',
   );
+  expect(getByRole('link', { name: /Test SAML/i })).toBeInTheDocument();
+  expect(getByRole('link', { name: /Test SAML/i })).toHaveAttribute(
+    'href',
+    'mock-server/oauth/saml',
+  );
 });
 
-// eslint-disable-next-line jest/no-commented-out-tests
 // test('calls registerUser.mutate on registration', async () => {
 //   const mutate = jest.fn();
 //   const { getByTestId, getByRole, history } = setup({

client/src/components/Chat/Input/Files/AttachFileMenu.tsx

@@ -1,7 +1,7 @@
 import * as Ariakit from '@ariakit/react';
 import React, { useRef, useState, useMemo } from 'react';
-import { EToolResources, EModelEndpoint } from 'librechat-data-provider';
 import { FileSearch, ImageUpIcon, TerminalSquareIcon, FileType2Icon } from 'lucide-react';
+import { EToolResources, EModelEndpoint, defaultAgentCapabilities } from 'librechat-data-provider';
 import { FileUpload, TooltipAnchor, DropdownPopup, AttachmentIcon } from '~/components';
 import { useGetEndpointsQuery } from '~/data-provider';
 import { useLocalize, useFileHandling } from '~/hooks';
@@ -22,6 +22,10 @@ const AttachFile = ({ disabled }: AttachFileProps) => {
     overrideEndpoint: EModelEndpoint.agents,
   });
 
+  /** TODO: Ephemeral Agent Capabilities
+   * Allow defining agent capabilities on a per-endpoint basis
+   * Use definition for agents endpoint for ephemeral agents
+   * */
   const capabilities = useMemo(
     () => endpointsConfig?.[EModelEndpoint.agents]?.capabilities ?? [],
     [endpointsConfig],

client/src/components/Chat/Input/Files/DragDropOverlay.tsx

@@ -1,12 +1,6 @@
 export default function DragDropOverlay() {
   return (
-    <div
-      className="bg-surface-primary/85 fixed inset-0 z-[9999] flex flex-col items-center justify-center
-        gap-2 text-text-primary
-        backdrop-blur-[4px] transition-all duration-200
-        ease-in-out animate-in fade-in
-        zoom-in-95 hover:backdrop-blur-sm"
-    >
+    <div className="bg-surface-primary/85 fixed inset-0 z-[9999] flex flex-col items-center justify-center gap-2 text-text-primary backdrop-blur-[4px] transition-all duration-200 ease-in-out animate-in fade-in zoom-in-95 hover:backdrop-blur-sm">
       <svg
         xmlns="http://www.w3.org/2000/svg"
         viewBox="0 0 132 108"
@@ -55,8 +49,8 @@ export default function DragDropOverlay() {
           </clipPath>
         </defs>
       </svg>
-      <h3>Add anything</h3>
-      <h4>Drop any file here to add it to the conversation</h4>
+      <h3>{localize('com_ui_add_anything')}</h3>
+      <h4>{localize('com_ui_add_anything_description')}</h4>
     </div>
   );
 }

client/src/components/Chat/Input/Files/ImagePreview.tsx

@@ -93,9 +93,9 @@ const ImagePreview = ({
 
   const style: styleProps = imageUrl
     ? {
-      ...baseStyle,
-      backgroundImage: `url(${imageUrl})`,
-    }
+        ...baseStyle,
+        backgroundImage: `url(${imageUrl})`,
+      }
     : baseStyle;
 
   if (typeof style.backgroundImage !== 'string' || style.backgroundImage.length === 0) {

client/src/components/Chat/Input/StreamAudio.tsx

@@ -39,7 +39,7 @@ export default function StreamAudio({ index = 0 }) {
   const { pauseGlobalAudio } = usePauseGlobalAudio();
 
   const { conversationId: paramId } = useParams();
-  const queryParam = paramId === 'new' ? paramId : latestMessage?.conversationId ?? paramId ?? '';
+  const queryParam = paramId === 'new' ? paramId : (latestMessage?.conversationId ?? paramId ?? '');
 
   const queryClient = useQueryClient();
   const getMessages = useCallback(

client/src/components/Chat/Menus/Endpoints/CustomMenu.tsx

@@ -44,7 +44,7 @@ export const CustomMenu = React.forwardRef<HTMLDivElement, CustomMenuProps>(func
         {...props}
         className={cn(
           !parent &&
-            'flex h-10 w-full items-center justify-center gap-2 rounded-xl border border-border-light px-3 py-2 text-sm text-text-primary focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-white',
+            'flex h-10 w-full items-center justify-center gap-2 rounded-xl border border-border-light px-3 py-2 text-sm text-text-primary',
           menuStore.useState('open')
             ? 'bg-surface-tertiary hover:bg-surface-tertiary'
             : 'bg-surface-secondary hover:bg-surface-tertiary',

client/src/components/Chat/Menus/Endpoints/ModelSelector.tsx

@@ -52,7 +52,7 @@ function ModelSelectorContent() {
 
   const trigger = (
     <button
-      className="my-1 flex h-10 w-full max-w-[70vw] items-center justify-center gap-2 rounded-xl border border-border-light bg-surface-secondary px-3 py-2 text-sm text-text-primary hover:bg-surface-tertiary focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-white"
+      className="my-1 flex h-10 w-full max-w-[70vw] items-center justify-center gap-2 rounded-xl border border-border-light bg-surface-secondary px-3 py-2 text-sm text-text-primary hover:bg-surface-tertiary"
       aria-label={localize('com_ui_select_model')}
     >
       {selectedIcon && React.isValidElement(selectedIcon) && (