feat: Implement state parameter handling for OpenID authentication

* ⚡ refactor: Add Additional Chunking to Vite Config

* chore: Integrate rollup-plugin-visualizer for bundle analysis in Vite config & add @codemirror chunks

.env.example

@@ -20,8 +20,8 @@ DOMAIN_CLIENT=http://localhost:3080
 DOMAIN_SERVER=http://localhost:3080
 
 NO_INDEX=true
-# Use the address that is at most n number of hops away from the Express application. 
-# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left. 
+# Use the address that is at most n number of hops away from the Express application.
+# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
 # A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
 # Defaulted to 1.
 TRUST_PROXY=1
@@ -88,7 +88,7 @@ PROXY=
 #============#
 
 ANTHROPIC_API_KEY=user_provided
-# ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
+# ANTHROPIC_MODELS=claude-opus-4-20250514,claude-sonnet-4-20250514,claude-3-7-sonnet-20250219,claude-3-5-sonnet-20241022,claude-3-5-haiku-20241022,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307
 # ANTHROPIC_REVERSE_PROXY=
 
 #============#
@@ -444,6 +444,21 @@ OPENID_IMAGE_URL=
 # This will bypass the login form completely for users, only use this if OpenID is your only authentication method
 OPENID_AUTO_REDIRECT=false
 
+# Set to true to use PKCE (Proof Key for Code Exchange) for OpenID authentication
+OPENID_USE_PKCE=false
+#Set to true to reuse openid tokens for authentication management instead of using the mongodb session and the custom refresh token.
+OPENID_REUSE_TOKENS=
+#By default, signing key verification results are cached in order to prevent excessive HTTP requests to the JWKS endpoint.
+#If a signing key matching the kid is found, this will be cached and the next time this kid is requested the signing key will be served from the cache.
+#Default is true.
+OPENID_JWKS_URL_CACHE_ENABLED=
+OPENID_JWKS_URL_CACHE_TIME= # 600000 ms eq to 10 minutes leave empty to disable caching
+#Set to true to trigger token exchange flow to acquire access token for the userinfo endpoint.
+OPENID_ON_BEHALF_FLOW_FOR_USERINFRO_REQUIRED=
+OPENID_ON_BEHALF_FLOW_USERINFRO_SCOPE = "user.read" # example for Scope Needed for Microsoft Graph API
+# Set to true to use the OpenID Connect end session endpoint for logout
+OPENID_USE_END_SESSION_ENDPOINT=
+
 # LDAP
 LDAP_URL=
 LDAP_BIND_DN=
@@ -575,3 +590,33 @@ HELP_AND_FAQ_URL=https://librechat.ai
 #                  OpenWeather                        #
 #=====================================================#
 OPENWEATHER_API_KEY=
+
+#====================================#
+# LibreChat Code Interpreter API     #
+#====================================#
+
+# https://code.librechat.ai
+# LIBRECHAT_CODE_API_KEY=your-key
+
+#======================#
+# Web Search           #
+#======================#
+
+# Note: All of the following variable names can be customized.
+# Omit values to allow user to provide them.
+
+# For more information on configuration values, see:
+# https://librechat.ai/docs/features/web_search
+
+# Search Provider (Required)
+# SERPER_API_KEY=your_serper_api_key
+
+# Scraper (Required)
+# FIRECRAWL_API_KEY=your_firecrawl_api_key
+# Optional: Custom Firecrawl API URL
+# FIRECRAWL_API_URL=your_firecrawl_api_url
+
+# Reranker (Required)
+# JINA_API_KEY=your_jina_api_key
+# or
+# COHERE_API_KEY=your_cohere_api_key

.github/workflows/helmcharts.yml

@@ -26,6 +26,10 @@ jobs:
         uses: azure/setup-helm@v4
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Build Subchart Deps
+        run: |
+          cd helm/librechat-rag-api
+          helm dependency build 
 
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@v1.6.0

.gitignore

@@ -52,8 +52,9 @@ bower_components/
 *.d.ts
 !vite-env.d.ts
 
-# Cline
+# AI
 .clineignore
+.cursor
 
 # Floobits
 .floo

README.md

@@ -71,6 +71,11 @@
     - [Model Context Protocol (MCP) Support](https://modelcontextprotocol.io/clients#librechat) for Tools
   - Use LibreChat Agents and OpenAI Assistants with Files, Code Interpreter, Tools, and API Actions
 
+- 🔍 **Web Search**:  
+  - Search the internet and retrieve relevant information to enhance your AI context
+  - Combines search providers, content scrapers, and result rerankers for optimal results
+  - **[Learn More →](https://www.librechat.ai/docs/features/web_search)**
+
 - 🪄 **Generative UI with Code Artifacts**:  
   - [Code Artifacts](https://youtu.be/GfTj7O4gmd0?si=WJbdnemZpJzBrJo3) allow creation of React, HTML, and Mermaid diagrams directly in chat
 

api/app/clients/AnthropicClient.js

@@ -70,7 +70,7 @@ class AnthropicClient extends BaseClient {
     this.message_delta;
     /** Whether the model is part of the Claude 3 Family
      * @type {boolean} */
-    this.isClaude3;
+    this.isClaudeLatest;
     /** Whether to use Messages API or Completions API
      * @type {boolean} */
     this.useMessages;
@@ -116,7 +116,8 @@ class AnthropicClient extends BaseClient {
     );
 
     const modelMatch = matchModelName(this.modelOptions.model, EModelEndpoint.anthropic);
-    this.isClaude3 = modelMatch.includes('claude-3');
+    this.isClaudeLatest =
+      /claude-[3-9]/.test(modelMatch) || /claude-(?:sonnet|opus|haiku)-[4-9]/.test(modelMatch);
     this.isLegacyOutput = !(
       /claude-3[-.]5-sonnet/.test(modelMatch) || /claude-3[-.]7/.test(modelMatch)
     );
@@ -130,7 +131,7 @@ class AnthropicClient extends BaseClient {
       this.modelOptions.maxOutputTokens = legacy.maxOutputTokens.default;
     }
 
-    this.useMessages = this.isClaude3 || !!this.options.attachments;
+    this.useMessages = this.isClaudeLatest || !!this.options.attachments;
 
     this.defaultVisionModel = this.options.visionModel ?? 'claude-3-sonnet-20240229';
     this.options.attachments?.then((attachments) => this.checkVisionRequest(attachments));
@@ -654,7 +655,10 @@ class AnthropicClient extends BaseClient {
       );
     };
 
-    if (this.modelOptions.model.includes('claude-3')) {
+    if (
+      /claude-[3-9]/.test(this.modelOptions.model) ||
+      /claude-(?:sonnet|opus|haiku)-[4-9]/.test(this.modelOptions.model)
+    ) {
       await buildMessagesPayload();
       processTokens();
       return {

api/app/clients/specs/AnthropicClient.test.js

@@ -15,7 +15,7 @@ describe('AnthropicClient', () => {
     {
       role: 'user',
       isCreatedByUser: true,
-      text: 'What\'s up',
+      text: "What's up",
       messageId: '3',
       parentMessageId: '2',
     },
@@ -170,7 +170,7 @@ describe('AnthropicClient', () => {
       client.options.modelLabel = 'Claude-2';
       const result = await client.buildMessages(messages, parentMessageId);
       const { prompt } = result;
-      expect(prompt).toContain('Human\'s name: John');
+      expect(prompt).toContain("Human's name: John");
       expect(prompt).toContain('You are Claude-2');
     });
   });
@@ -244,6 +244,64 @@ describe('AnthropicClient', () => {
       );
     });
 
+    describe('Claude 4 model headers', () => {
+      it('should add "prompt-caching" beta header for claude-sonnet-4 model', () => {
+        const client = new AnthropicClient('test-api-key');
+        const modelOptions = {
+          model: 'claude-sonnet-4-20250514',
+        };
+        client.setOptions({ modelOptions, promptCache: true });
+        const anthropicClient = client.getClient(modelOptions);
+        expect(anthropicClient._options.defaultHeaders).toBeDefined();
+        expect(anthropicClient._options.defaultHeaders).toHaveProperty('anthropic-beta');
+        expect(anthropicClient._options.defaultHeaders['anthropic-beta']).toBe(
+          'prompt-caching-2024-07-31',
+        );
+      });
+
+      it('should add "prompt-caching" beta header for claude-opus-4 model', () => {
+        const client = new AnthropicClient('test-api-key');
+        const modelOptions = {
+          model: 'claude-opus-4-20250514',
+        };
+        client.setOptions({ modelOptions, promptCache: true });
+        const anthropicClient = client.getClient(modelOptions);
+        expect(anthropicClient._options.defaultHeaders).toBeDefined();
+        expect(anthropicClient._options.defaultHeaders).toHaveProperty('anthropic-beta');
+        expect(anthropicClient._options.defaultHeaders['anthropic-beta']).toBe(
+          'prompt-caching-2024-07-31',
+        );
+      });
+
+      it('should add "prompt-caching" beta header for claude-4-sonnet model', () => {
+        const client = new AnthropicClient('test-api-key');
+        const modelOptions = {
+          model: 'claude-4-sonnet-20250514',
+        };
+        client.setOptions({ modelOptions, promptCache: true });
+        const anthropicClient = client.getClient(modelOptions);
+        expect(anthropicClient._options.defaultHeaders).toBeDefined();
+        expect(anthropicClient._options.defaultHeaders).toHaveProperty('anthropic-beta');
+        expect(anthropicClient._options.defaultHeaders['anthropic-beta']).toBe(
+          'prompt-caching-2024-07-31',
+        );
+      });
+
+      it('should add "prompt-caching" beta header for claude-4-opus model', () => {
+        const client = new AnthropicClient('test-api-key');
+        const modelOptions = {
+          model: 'claude-4-opus-20250514',
+        };
+        client.setOptions({ modelOptions, promptCache: true });
+        const anthropicClient = client.getClient(modelOptions);
+        expect(anthropicClient._options.defaultHeaders).toBeDefined();
+        expect(anthropicClient._options.defaultHeaders).toHaveProperty('anthropic-beta');
+        expect(anthropicClient._options.defaultHeaders['anthropic-beta']).toBe(
+          'prompt-caching-2024-07-31',
+        );
+      });
+    });
+
     it('should not add beta header for claude-3-5-sonnet-latest model', () => {
       const client = new AnthropicClient('test-api-key');
       const modelOptions = {
@@ -729,4 +787,223 @@ describe('AnthropicClient', () => {
     expect(capturedOptions).toHaveProperty('topK', 10);
     expect(capturedOptions).toHaveProperty('topP', 0.9);
   });
+
+  describe('isClaudeLatest', () => {
+    it('should set isClaudeLatest to true for claude-3 models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-3-sonnet-20240229',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(true);
+    });
+
+    it('should set isClaudeLatest to true for claude-3.5 models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-3.5-sonnet-20240229',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(true);
+    });
+
+    it('should set isClaudeLatest to true for claude-sonnet-4 models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-sonnet-4-20240229',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(true);
+    });
+
+    it('should set isClaudeLatest to true for claude-opus-4 models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-opus-4-20240229',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(true);
+    });
+
+    it('should set isClaudeLatest to true for claude-3.5-haiku models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-3.5-haiku-20240229',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(true);
+    });
+
+    it('should set isClaudeLatest to false for claude-2 models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-2',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(false);
+    });
+
+    it('should set isClaudeLatest to false for claude-instant models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-instant',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(false);
+    });
+
+    it('should set isClaudeLatest to false for claude-sonnet-3 models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-sonnet-3-20240229',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(false);
+    });
+
+    it('should set isClaudeLatest to false for claude-opus-3 models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-opus-3-20240229',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(false);
+    });
+
+    it('should set isClaudeLatest to false for claude-haiku-3 models', () => {
+      const client = new AnthropicClient('test-api-key');
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-haiku-3-20240229',
+        },
+      });
+      expect(client.isClaudeLatest).toBe(false);
+    });
+  });
+
+  describe('configureReasoning', () => {
+    it('should enable thinking for claude-opus-4 and claude-sonnet-4 models', async () => {
+      const client = new AnthropicClient('test-api-key');
+      // Create a mock async generator function
+      async function* mockAsyncGenerator() {
+        yield { type: 'message_start', message: { usage: {} } };
+        yield { delta: { text: 'Test response' } };
+        yield { type: 'message_delta', usage: {} };
+      }
+
+      // Mock createResponse to return the async generator
+      jest.spyOn(client, 'createResponse').mockImplementation(() => {
+        return mockAsyncGenerator();
+      });
+
+      // Test claude-opus-4
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-opus-4-20250514',
+        },
+        thinking: true,
+        thinkingBudget: 2000,
+      });
+
+      let capturedOptions = null;
+      jest.spyOn(client, 'getClient').mockImplementation((options) => {
+        capturedOptions = options;
+        return {};
+      });
+
+      const payload = [{ role: 'user', content: 'Test message' }];
+      await client.sendCompletion(payload, {});
+
+      expect(capturedOptions).toHaveProperty('thinking');
+      expect(capturedOptions.thinking).toEqual({
+        type: 'enabled',
+        budget_tokens: 2000,
+      });
+
+      // Test claude-sonnet-4
+      client.setOptions({
+        modelOptions: {
+          model: 'claude-sonnet-4-20250514',
+        },
+        thinking: true,
+        thinkingBudget: 2000,
+      });
+
+      await client.sendCompletion(payload, {});
+
+      expect(capturedOptions).toHaveProperty('thinking');
+      expect(capturedOptions.thinking).toEqual({
+        type: 'enabled',
+        budget_tokens: 2000,
+      });
+    });
+  });
+});
+
+describe('Claude Model Tests', () => {
+  it('should handle Claude 3 and 4 series models correctly', () => {
+    const client = new AnthropicClient('test-key');
+    // Claude 3 series models
+    const claude3Models = [
+      'claude-3-opus-20240229',
+      'claude-3-sonnet-20240229',
+      'claude-3-haiku-20240307',
+      'claude-3-5-sonnet-20240620',
+      'claude-3-5-haiku-20240620',
+      'claude-3.5-sonnet-20240620',
+      'claude-3.5-haiku-20240620',
+      'claude-3.7-sonnet-20240620',
+      'claude-3.7-haiku-20240620',
+      'anthropic/claude-3-opus-20240229',
+      'claude-3-opus-20240229/anthropic',
+    ];
+
+    // Claude 4 series models
+    const claude4Models = [
+      'claude-sonnet-4-20250514',
+      'claude-opus-4-20250514',
+      'claude-4-sonnet-20250514',
+      'claude-4-opus-20250514',
+      'anthropic/claude-sonnet-4-20250514',
+      'claude-sonnet-4-20250514/anthropic',
+    ];
+
+    // Test Claude 3 series
+    claude3Models.forEach((model) => {
+      client.setOptions({ modelOptions: { model } });
+      expect(
+        /claude-[3-9]/.test(client.modelOptions.model) ||
+          /claude-(?:sonnet|opus|haiku)-[4-9]/.test(client.modelOptions.model),
+      ).toBe(true);
+    });
+
+    // Test Claude 4 series
+    claude4Models.forEach((model) => {
+      client.setOptions({ modelOptions: { model } });
+      expect(
+        /claude-[3-9]/.test(client.modelOptions.model) ||
+          /claude-(?:sonnet|opus|haiku)-[4-9]/.test(client.modelOptions.model),
+      ).toBe(true);
+    });
+
+    // Test non-Claude 3/4 models
+    const nonClaudeModels = ['claude-2', 'claude-instant', 'gpt-4', 'gpt-3.5-turbo'];
+
+    nonClaudeModels.forEach((model) => {
+      client.setOptions({ modelOptions: { model } });
+      expect(
+        /claude-[3-9]/.test(client.modelOptions.model) ||
+          /claude-(?:sonnet|opus|haiku)-[4-9]/.test(client.modelOptions.model),
+      ).toBe(false);
+    });
+  });
 });

api/app/clients/tools/structured/AzureAISearch.js

@@ -32,15 +32,11 @@ class AzureAISearch extends Tool {
       fields.AZURE_AI_SEARCH_SERVICE_ENDPOINT,
       'AZURE_AI_SEARCH_SERVICE_ENDPOINT',
     );
-    // Get the indexes as a comma-separated string
-    this.indexNames = this._initializeField(
+    this.indexName = this._initializeField(
       fields.AZURE_AI_SEARCH_INDEX_NAME,
       'AZURE_AI_SEARCH_INDEX_NAME',
     );
-    this.apiKey = this._initializeField(
-      fields.AZURE_AI_SEARCH_API_KEY,
-      'AZURE_AI_SEARCH_API_KEY',
-    );
+    this.apiKey = this._initializeField(fields.AZURE_AI_SEARCH_API_KEY, 'AZURE_AI_SEARCH_API_KEY');
     this.apiVersion = this._initializeField(
       fields.AZURE_AI_SEARCH_API_VERSION,
       'AZURE_AI_SEARCH_API_VERSION',
@@ -62,7 +58,7 @@ class AzureAISearch extends Tool {
     );
 
     // Check for required fields
-    if (!this.override && (!this.serviceEndpoint || !this.indexNames || !this.apiKey)) {
+    if (!this.override && (!this.serviceEndpoint || !this.indexName || !this.apiKey)) {
       throw new Error(
         'Missing AZURE_AI_SEARCH_SERVICE_ENDPOINT, AZURE_AI_SEARCH_INDEX_NAME, or AZURE_AI_SEARCH_API_KEY environment variable.',
       );
@@ -72,25 +68,12 @@ class AzureAISearch extends Tool {
       return;
     }
 
-    // Split the indexNames by comma to support multiple indexes, trim whitespace,
-    // convert to lowercase, and filter out any empty strings.
-    const indexes = this.indexNames
-      .split(',')
-      .map(index => index.trim().toLowerCase())
-      .filter(index => index.length > 0);
-
-    if (indexes.length === 0) {
-      throw new Error('No valid index names provided in AZURE_AI_SEARCH_INDEX_NAME.');
-    }
-
-    // Create a client for each index.
-    this.clients = indexes.map(index =>
-      new SearchClient(
-        this.serviceEndpoint,
-        index,
-        new AzureKeyCredential(this.apiKey),
-        { apiVersion: this.apiVersion },
-      ),
+    // Create SearchClient
+    this.client = new SearchClient(
+      this.serviceEndpoint,
+      this.indexName,
+      new AzureKeyCredential(this.apiKey),
+      { apiVersion: this.apiVersion },
     );
   }
 
@@ -105,21 +88,12 @@ class AzureAISearch extends Tool {
       if (this.select) {
         searchOption.select = this.select.split(',');
       }
-
-      // Query all indexes concurrently
-      const searchPromises = this.clients.map(async (client) => {
-        const resultDocuments = [];
-        const searchResults = await client.search(query, searchOption);
-        for await (const result of searchResults.results) {
-          resultDocuments.push(result.document);
-        }
-        return resultDocuments;
-      });
-
-      // Wait for all search promises to complete and flatten the results
-      const resultsByIndex = await Promise.all(searchPromises);
-      const combinedResults = resultsByIndex.flat();
-      return JSON.stringify(combinedResults);
+      const searchResults = await this.client.search(query, searchOption);
+      const resultDocuments = [];
+      for await (const result of searchResults.results) {
+        resultDocuments.push(result.document);
+      }
+      return JSON.stringify(resultDocuments);
     } catch (error) {
       logger.error('Azure AI Search request failed', error);
       return 'There was an error with Azure AI Search.';
@@ -127,4 +101,4 @@ class AzureAISearch extends Tool {
   }
 }
 
-module.exports = AzureAISearch;
+module.exports = AzureAISearch;

api/app/clients/tools/util/handleTools.js

@@ -1,7 +1,13 @@
 const { SerpAPI } = require('@langchain/community/tools/serpapi');
 const { Calculator } = require('@langchain/community/tools/calculator');
-const { createCodeExecutionTool, EnvVar } = require('@librechat/agents');
-const { Tools, Constants, EToolResources } = require('librechat-data-provider');
+const { EnvVar, createCodeExecutionTool, createSearchTool } = require('@librechat/agents');
+const {
+  Tools,
+  Constants,
+  EToolResources,
+  loadWebSearchAuth,
+  replaceSpecialVars,
+} = require('librechat-data-provider');
 const { getUserPluginAuthValue } = require('~/server/services/PluginService');
 const {
   availableTools,
@@ -138,7 +144,6 @@ const loadTools = async ({
   agent,
   model,
   endpoint,
-  useSpecs,
   tools = [],
   options = {},
   functions = true,
@@ -263,6 +268,33 @@ const loadTools = async ({
         return createFileSearchTool({ req: options.req, files, entity_id: agent?.id });
       };
       continue;
+    } else if (tool === Tools.web_search) {
+      const webSearchConfig = options?.req?.app?.locals?.webSearch;
+      const result = await loadWebSearchAuth({
+        userId: user,
+        loadAuthValues,
+        webSearchConfig,
+      });
+      const { onSearchResults, onGetHighlights } = options?.[Tools.web_search] ?? {};
+      requestedTools[tool] = async () => {
+        toolContextMap[tool] = `# \`${tool}\`:
+Current Date & Time: ${replaceSpecialVars({ text: '{{iso_datetime}}' })}
+1. **Execute immediately without preface** when using \`${tool}\`.
+2. **After the search, begin with a brief summary** that directly addresses the query without headers or explaining your process.
+3. **Structure your response clearly** using Markdown formatting (Level 2 headers for sections, lists for multiple points, tables for comparisons).
+4. **Cite sources properly** according to the citation anchor format, utilizing group anchors when appropriate.
+5. **Tailor your approach to the query type** (academic, news, coding, etc.) while maintaining an expert, journalistic, unbiased tone.
+6. **Provide comprehensive information** with specific details, examples, and as much relevant context as possible from search results.
+7. **Avoid moralizing language.**
+`.trim();
+        return createSearchTool({
+          ...result.authResult,
+          onSearchResults,
+          onGetHighlights,
+          logger,
+        });
+      };
+      continue;
     } else if (tool && appTools[tool] && mcpToolPattern.test(tool)) {
       requestedTools[tool] = async () =>
         createMCPTool({

api/cache/getLogStores.js

@@ -61,6 +61,10 @@ const abortKeys = isRedisEnabled
   ? new Keyv({ store: keyvRedis })
   : new Keyv({ namespace: CacheKeys.ABORT_KEYS, ttl: Time.TEN_MINUTES });
 
+const openIdExchangedTokensCache = isRedisEnabled
+  ? new Keyv({ store: keyvRedis, ttl: Time.TEN_MINUTES })
+  : new Keyv({ namespace: CacheKeys.OPENID_EXCHANGED_TOKENS, ttl: Time.TEN_MINUTES });
+
 const namespaces = {
   [CacheKeys.ROLES]: roles,
   [CacheKeys.CONFIG_STORE]: config,
@@ -98,6 +102,7 @@ const namespaces = {
   [CacheKeys.AUDIO_RUNS]: audioRuns,
   [CacheKeys.MESSAGES]: messages,
   [CacheKeys.FLOWS]: flows,
+  [CacheKeys.OPENID_EXCHANGED_TOKENS]: openIdExchangedTokensCache,
 };
 
 /**

api/cache/keyvRedis.js

@@ -76,10 +76,13 @@ if (REDIS_URI && isEnabled(USE_REDIS)) {
     keyvRedis = new KeyvRedis(REDIS_URI, keyvOpts);
   }
 
-  const pingInterval = setInterval(() => {
-    logger.debug('KeyvRedis ping');
-    keyvRedis.client.ping().catch(err => logger.error('Redis keep-alive ping failed:', err));
-  }, 5 * 60 * 1000);
+  const pingInterval = setInterval(
+    () => {
+      logger.debug('KeyvRedis ping');
+      keyvRedis.client.ping().catch((err) => logger.error('Redis keep-alive ping failed:', err));
+    },
+    5 * 60 * 1000,
+  );
 
   keyvRedis.on('ready', () => {
     logger.info('KeyvRedis connection ready');

api/jest.config.js

@@ -11,5 +11,8 @@ module.exports = {
   moduleNameMapper: {
     '~/(.*)': '<rootDir>/$1',
     '~/data/auth.json': '<rootDir>/__mocks__/auth.mock.json',
+    '^openid-client/passport$': '<rootDir>/test/__mocks__/openid-client-passport.js', // Mock for the passport strategy part
+    '^openid-client$': '<rootDir>/test/__mocks__/openid-client.js',
   },
+  transformIgnorePatterns: ['/node_modules/(?!(openid-client|oauth4webapi|jose)/).*/'],
 };

api/models/Agent.js

@@ -21,7 +21,7 @@ const Agent = mongoose.model('agent', agentSchema);
  * @throws {Error} If the agent creation fails.
  */
 const createAgent = async (agentData) => {
-  const { versions, ...versionData } = agentData;
+  const { author, ...versionData } = agentData;
   const timestamp = new Date();
   const initialAgentData = {
     ...agentData,
@@ -60,12 +60,17 @@ const loadEphemeralAgent = ({ req, agent_id, endpoint, model_parameters: _m }) =
   const { model, ...model_parameters } = _m;
   /** @type {Record<string, FunctionTool>} */
   const availableTools = req.app.locals.availableTools;
-  const mcpServers = new Set(req.body.ephemeralAgent?.mcp);
+  /** @type {TEphemeralAgent | null} */
+  const ephemeralAgent = req.body.ephemeralAgent;
+  const mcpServers = new Set(ephemeralAgent?.mcp);
   /** @type {string[]} */
   const tools = [];
-  if (req.body.ephemeralAgent?.execute_code === true) {
+  if (ephemeralAgent?.execute_code === true) {
     tools.push(Tools.execute_code);
   }
+  if (ephemeralAgent?.web_search === true) {
+    tools.push(Tools.web_search);
+  }
 
   if (mcpServers.size > 0) {
     for (const toolName of Object.keys(availableTools)) {
@@ -158,6 +163,7 @@ const isDuplicateVersion = (updateData, currentData, versions) => {
     'createdAt',
     'updatedAt',
     'author',
+    'updatedBy',
     'created_at',
     'updated_at',
     '__v',
@@ -243,15 +249,16 @@ const isDuplicateVersion = (updateData, currentData, versions) => {
  * @param {string} searchParameter.id - The ID of the agent to update.
  * @param {string} [searchParameter.author] - The user ID of the agent's author.
  * @param {Object} updateData - An object containing the properties to update.
+ * @param {string} [updatingUserId] - The ID of the user performing the update (used for tracking non-author updates).
  * @returns {Promise<Agent>} The updated or newly created agent document as a plain object.
  * @throws {Error} If the update would create a duplicate version
  */
-const updateAgent = async (searchParameter, updateData) => {
+const updateAgent = async (searchParameter, updateData, updatingUserId = null) => {
   const options = { new: true, upsert: false };
 
   const currentAgent = await Agent.findOne(searchParameter);
   if (currentAgent) {
-    const { __v, _id, id, versions, ...versionData } = currentAgent.toObject();
+    const { __v, _id, id, versions, author, ...versionData } = currentAgent.toObject();
     const { $push, $pull, $addToSet, ...directUpdates } = updateData;
 
     if (Object.keys(directUpdates).length > 0 && versions && versions.length > 0) {
@@ -271,13 +278,20 @@ const updateAgent = async (searchParameter, updateData) => {
       }
     }
 
+    const versionEntry = {
+      ...versionData,
+      ...directUpdates,
+      updatedAt: new Date(),
+    };
+
+    // Always store updatedBy field to track who made the change
+    if (updatingUserId) {
+      versionEntry.updatedBy = new mongoose.Types.ObjectId(updatingUserId);
+    }
+
     updateData.$push = {
       ...($push || {}),
-      versions: {
-        ...versionData,
-        ...directUpdates,
-        updatedAt: new Date(),
-      },
+      versions: versionEntry,
     };
   }
 
@@ -293,7 +307,7 @@ const updateAgent = async (searchParameter, updateData) => {
  * @param {string} params.file_id
  * @returns {Promise<Agent>} The updated agent.
  */
-const addAgentResourceFile = async ({ agent_id, tool_resource, file_id }) => {
+const addAgentResourceFile = async ({ req, agent_id, tool_resource, file_id }) => {
   const searchParameter = { id: agent_id };
   let agent = await getAgent(searchParameter);
   if (!agent) {
@@ -319,7 +333,7 @@ const addAgentResourceFile = async ({ agent_id, tool_resource, file_id }) => {
     },
   };
 
-  const updatedAgent = await updateAgent(searchParameter, updateData);
+  const updatedAgent = await updateAgent(searchParameter, updateData, req?.user?.id);
   if (updatedAgent) {
     return updatedAgent;
   } else {
@@ -483,7 +497,7 @@ const updateAgentProjects = async ({ user, agentId, projectIds, removeProjectIds
     delete updateQuery.author;
   }
 
-  const updatedAgent = await updateAgent(updateQuery, updateOps);
+  const updatedAgent = await updateAgent(updateQuery, updateOps, user.id);
   if (updatedAgent) {
     return updatedAgent;
   }
@@ -528,6 +542,8 @@ const revertAgentVersion = async (searchParameter, versionIndex) => {
   delete updateData._id;
   delete updateData.id;
   delete updateData.versions;
+  delete updateData.author;
+  delete updateData.updatedBy;
 
   return Agent.findOneAndUpdate(searchParameter, updateData, { new: true }).lean();
 };

api/models/Agent.spec.js

@@ -679,7 +679,7 @@ describe('Agent Version History', () => {
     expect(updatedAgent.versions[0]._id).toBeUndefined();
     expect(updatedAgent.versions[0].__v).toBeUndefined();
     expect(updatedAgent.versions[0].name).toBe('Test Agent');
-    expect(updatedAgent.versions[0].author).toBeDefined();
+    expect(updatedAgent.versions[0].author).toBeUndefined();
 
     expect(updatedAgent.versions[1]._id).toBeUndefined();
     expect(updatedAgent.versions[1].__v).toBeUndefined();
@@ -885,4 +885,141 @@ describe('Agent Version History', () => {
       console.error = originalConsoleError;
     }
   });
+
+  test('should track updatedBy when a different user updates an agent', async () => {
+    const agentId = `agent_${uuidv4()}`;
+    const originalAuthor = new mongoose.Types.ObjectId();
+    const updatingUser = new mongoose.Types.ObjectId();
+
+    await createAgent({
+      id: agentId,
+      name: 'Original Agent',
+      provider: 'test',
+      model: 'test-model',
+      author: originalAuthor,
+      description: 'Original description',
+    });
+
+    const updatedAgent = await updateAgent(
+      { id: agentId },
+      { name: 'Updated Agent', description: 'Updated description' },
+      updatingUser.toString(),
+    );
+
+    expect(updatedAgent.versions).toHaveLength(2);
+    expect(updatedAgent.versions[1].updatedBy.toString()).toBe(updatingUser.toString());
+    expect(updatedAgent.author.toString()).toBe(originalAuthor.toString());
+  });
+
+  test('should include updatedBy even when the original author updates the agent', async () => {
+    const agentId = `agent_${uuidv4()}`;
+    const originalAuthor = new mongoose.Types.ObjectId();
+
+    await createAgent({
+      id: agentId,
+      name: 'Original Agent',
+      provider: 'test',
+      model: 'test-model',
+      author: originalAuthor,
+      description: 'Original description',
+    });
+
+    const updatedAgent = await updateAgent(
+      { id: agentId },
+      { name: 'Updated Agent', description: 'Updated description' },
+      originalAuthor.toString(),
+    );
+
+    expect(updatedAgent.versions).toHaveLength(2);
+    expect(updatedAgent.versions[1].updatedBy.toString()).toBe(originalAuthor.toString());
+    expect(updatedAgent.author.toString()).toBe(originalAuthor.toString());
+  });
+
+  test('should track multiple different users updating the same agent', async () => {
+    const agentId = `agent_${uuidv4()}`;
+    const originalAuthor = new mongoose.Types.ObjectId();
+    const user1 = new mongoose.Types.ObjectId();
+    const user2 = new mongoose.Types.ObjectId();
+    const user3 = new mongoose.Types.ObjectId();
+
+    await createAgent({
+      id: agentId,
+      name: 'Original Agent',
+      provider: 'test',
+      model: 'test-model',
+      author: originalAuthor,
+      description: 'Original description',
+    });
+
+    // User 1 makes an update
+    await updateAgent(
+      { id: agentId },
+      { name: 'Updated by User 1', description: 'First update' },
+      user1.toString(),
+    );
+
+    // Original author makes an update
+    await updateAgent(
+      { id: agentId },
+      { description: 'Updated by original author' },
+      originalAuthor.toString(),
+    );
+
+    // User 2 makes an update
+    await updateAgent(
+      { id: agentId },
+      { name: 'Updated by User 2', model: 'new-model' },
+      user2.toString(),
+    );
+
+    // User 3 makes an update
+    const finalAgent = await updateAgent(
+      { id: agentId },
+      { description: 'Final update by User 3' },
+      user3.toString(),
+    );
+
+    expect(finalAgent.versions).toHaveLength(5);
+    expect(finalAgent.author.toString()).toBe(originalAuthor.toString());
+
+    // Check that each version has the correct updatedBy
+    expect(finalAgent.versions[0].updatedBy).toBeUndefined(); // Initial creation has no updatedBy
+    expect(finalAgent.versions[1].updatedBy.toString()).toBe(user1.toString());
+    expect(finalAgent.versions[2].updatedBy.toString()).toBe(originalAuthor.toString());
+    expect(finalAgent.versions[3].updatedBy.toString()).toBe(user2.toString());
+    expect(finalAgent.versions[4].updatedBy.toString()).toBe(user3.toString());
+
+    // Verify the final state
+    expect(finalAgent.name).toBe('Updated by User 2');
+    expect(finalAgent.description).toBe('Final update by User 3');
+    expect(finalAgent.model).toBe('new-model');
+  });
+
+  test('should preserve original author during agent restoration', async () => {
+    const agentId = `agent_${uuidv4()}`;
+    const originalAuthor = new mongoose.Types.ObjectId();
+    const updatingUser = new mongoose.Types.ObjectId();
+
+    await createAgent({
+      id: agentId,
+      name: 'Original Agent',
+      provider: 'test',
+      model: 'test-model',
+      author: originalAuthor,
+      description: 'Original description',
+    });
+
+    await updateAgent(
+      { id: agentId },
+      { name: 'Updated Agent', description: 'Updated description' },
+      updatingUser.toString(),
+    );
+
+    const { revertAgentVersion } = require('./Agent');
+    const revertedAgent = await revertAgentVersion({ id: agentId }, 0);
+
+    expect(revertedAgent.author.toString()).toBe(originalAuthor.toString());
+    expect(revertedAgent.name).toBe('Original Agent');
+    expect(revertedAgent.description).toBe('Original description');
+  });
 });

api/models/tx.js

@@ -100,6 +100,8 @@ const tokenValues = Object.assign(
     'claude-3-5-haiku': { prompt: 0.8, completion: 4 },
     'claude-3.5-haiku': { prompt: 0.8, completion: 4 },
     'claude-3-haiku': { prompt: 0.25, completion: 1.25 },
+    'claude-sonnet-4': { prompt: 3, completion: 15 },
+    'claude-opus-4': { prompt: 15, completion: 75 },
     'claude-2.1': { prompt: 8, completion: 24 },
     'claude-2': { prompt: 8, completion: 24 },
     'claude-instant': { prompt: 0.8, completion: 2.4 },
@@ -162,6 +164,8 @@ const cacheTokenValues = {
   'claude-3.5-haiku': { write: 1, read: 0.08 },
   'claude-3-5-haiku': { write: 1, read: 0.08 },
   'claude-3-haiku': { write: 0.3, read: 0.03 },
+  'claude-sonnet-4': { write: 3.75, read: 0.3 },
+  'claude-opus-4': { write: 18.75, read: 1.5 },
 };
 
 /**

api/models/tx.spec.js

@@ -664,3 +664,97 @@ describe('Grok Model Tests - Pricing', () => {
     });
   });
 });
+
+describe('Claude Model Tests', () => {
+  it('should return correct prompt and completion rates for Claude 4 models', () => {
+    expect(getMultiplier({ model: 'claude-sonnet-4', tokenType: 'prompt' })).toBe(
+      tokenValues['claude-sonnet-4'].prompt,
+    );
+    expect(getMultiplier({ model: 'claude-sonnet-4', tokenType: 'completion' })).toBe(
+      tokenValues['claude-sonnet-4'].completion,
+    );
+    expect(getMultiplier({ model: 'claude-opus-4', tokenType: 'prompt' })).toBe(
+      tokenValues['claude-opus-4'].prompt,
+    );
+    expect(getMultiplier({ model: 'claude-opus-4', tokenType: 'completion' })).toBe(
+      tokenValues['claude-opus-4'].completion,
+    );
+  });
+
+  it('should handle Claude 4 model name variations with different prefixes and suffixes', () => {
+    const modelVariations = [
+      'claude-sonnet-4',
+      'claude-sonnet-4-20240229',
+      'claude-sonnet-4-latest',
+      'anthropic/claude-sonnet-4',
+      'claude-sonnet-4/anthropic',
+      'claude-sonnet-4-preview',
+      'claude-sonnet-4-20240229-preview',
+      'claude-opus-4',
+      'claude-opus-4-20240229',
+      'claude-opus-4-latest',
+      'anthropic/claude-opus-4',
+      'claude-opus-4/anthropic',
+      'claude-opus-4-preview',
+      'claude-opus-4-20240229-preview',
+    ];
+
+    modelVariations.forEach((model) => {
+      const valueKey = getValueKey(model);
+      const isSonnet = model.includes('sonnet');
+      const expectedKey = isSonnet ? 'claude-sonnet-4' : 'claude-opus-4';
+
+      expect(valueKey).toBe(expectedKey);
+      expect(getMultiplier({ model, tokenType: 'prompt' })).toBe(tokenValues[expectedKey].prompt);
+      expect(getMultiplier({ model, tokenType: 'completion' })).toBe(
+        tokenValues[expectedKey].completion,
+      );
+    });
+  });
+
+  it('should return correct cache rates for Claude 4 models', () => {
+    expect(getCacheMultiplier({ model: 'claude-sonnet-4', cacheType: 'write' })).toBe(
+      cacheTokenValues['claude-sonnet-4'].write,
+    );
+    expect(getCacheMultiplier({ model: 'claude-sonnet-4', cacheType: 'read' })).toBe(
+      cacheTokenValues['claude-sonnet-4'].read,
+    );
+    expect(getCacheMultiplier({ model: 'claude-opus-4', cacheType: 'write' })).toBe(
+      cacheTokenValues['claude-opus-4'].write,
+    );
+    expect(getCacheMultiplier({ model: 'claude-opus-4', cacheType: 'read' })).toBe(
+      cacheTokenValues['claude-opus-4'].read,
+    );
+  });
+
+  it('should handle Claude 4 model cache rates with different prefixes and suffixes', () => {
+    const modelVariations = [
+      'claude-sonnet-4',
+      'claude-sonnet-4-20240229',
+      'claude-sonnet-4-latest',
+      'anthropic/claude-sonnet-4',
+      'claude-sonnet-4/anthropic',
+      'claude-sonnet-4-preview',
+      'claude-sonnet-4-20240229-preview',
+      'claude-opus-4',
+      'claude-opus-4-20240229',
+      'claude-opus-4-latest',
+      'anthropic/claude-opus-4',
+      'claude-opus-4/anthropic',
+      'claude-opus-4-preview',
+      'claude-opus-4-20240229-preview',
+    ];
+
+    modelVariations.forEach((model) => {
+      const isSonnet = model.includes('sonnet');
+      const expectedKey = isSonnet ? 'claude-sonnet-4' : 'claude-opus-4';
+
+      expect(getCacheMultiplier({ model, cacheType: 'write' })).toBe(
+        cacheTokenValues[expectedKey].write,
+      );
+      expect(getCacheMultiplier({ model, cacheType: 'read' })).toBe(
+        cacheTokenValues[expectedKey].read,
+      );
+    });
+  });
+});

api/package.json

@@ -43,12 +43,12 @@
     "@google/generative-ai": "^0.23.0",
     "@googleapis/youtube": "^20.0.0",
     "@keyv/redis": "^4.3.3",
-    "@langchain/community": "^0.3.42",
-    "@langchain/core": "^0.3.55",
-    "@langchain/google-genai": "^0.2.8",
-    "@langchain/google-vertexai": "^0.2.8",
+    "@langchain/community": "^0.3.44",
+    "@langchain/core": "^0.3.57",
+    "@langchain/google-genai": "^0.2.9",
+    "@langchain/google-vertexai": "^0.2.9",
     "@langchain/textsplitters": "^0.1.0",
-    "@librechat/agents": "^2.4.317",
+    "@librechat/agents": "^2.4.37",
     "@librechat/data-schemas": "*",
     "@waylaidwanderer/fetch-event-source": "^3.0.1",
     "axios": "^1.8.2",
@@ -75,6 +75,7 @@
     "ioredis": "^5.3.2",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
+    "jwks-rsa": "^3.2.0",
     "keyv": "^5.3.2",
     "keyv-file": "^5.1.2",
     "klona": "^2.0.6",
@@ -92,7 +93,7 @@
     "ollama": "^0.5.0",
     "openai": "^4.96.2",
     "openai-chat-tokens": "^0.2.8",
-    "openid-client": "^5.4.2",
+    "openid-client": "^6.5.0",
     "passport": "^0.6.0",
     "passport-apple": "^2.0.2",
     "passport-discord": "^0.1.4",

api/server/cleanup.js

@@ -16,17 +16,17 @@ const FinalizationRegistry = global.FinalizationRegistry || null;
  */
 const clientRegistry = FinalizationRegistry
   ? new FinalizationRegistry((heldValue) => {
-    try {
-      // This will run when the client is garbage collected
-      if (heldValue && heldValue.userId) {
-        logger.debug(`[FinalizationRegistry] Cleaning up client for user ${heldValue.userId}`);
-      } else {
-        logger.debug('[FinalizationRegistry] Cleaning up client');
+      try {
+        // This will run when the client is garbage collected
+        if (heldValue && heldValue.userId) {
+          logger.debug(`[FinalizationRegistry] Cleaning up client for user ${heldValue.userId}`);
+        } else {
+          logger.debug('[FinalizationRegistry] Cleaning up client');
+        }
+      } catch (e) {
+        // Ignore errors
       }
-    } catch (e) {
-      // Ignore errors
-    }
-  })
+    })
   : null;
 
 /**
@@ -134,8 +134,8 @@ function disposeClient(client) {
     if (client.message_delta) {
       client.message_delta = null;
     }
-    if (client.isClaude3 !== undefined) {
-      client.isClaude3 = null;
+    if (client.isClaudeLatest !== undefined) {
+      client.isClaudeLatest = null;
     }
     if (client.useMessages !== undefined) {
       client.useMessages = null;

api/server/controllers/AuthController.js

@@ -1,3 +1,4 @@
+const openIdClient = require('openid-client');
 const cookies = require('cookie');
 const jwt = require('jsonwebtoken');
 const {
@@ -5,9 +6,12 @@ const {
   resetPassword,
   setAuthTokens,
   requestPasswordReset,
+  setOpenIDAuthTokens,
 } = require('~/server/services/AuthService');
-const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
+const { findSession, getUserById, deleteAllUserSessions, findUser } = require('~/models');
+const { getOpenIdConfig } = require('~/strategies');
 const { logger } = require('~/config');
+const { isEnabled } = require('~/server/utils');
 
 const registrationController = async (req, res) => {
   try {
@@ -55,10 +59,28 @@ const resetPasswordController = async (req, res) => {
 
 const refreshController = async (req, res) => {
   const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
+  const token_provider = req.headers.cookie
+    ? cookies.parse(req.headers.cookie).token_provider
+    : null;
   if (!refreshToken) {
     return res.status(200).send('Refresh token not provided');
   }
-
+  if (token_provider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS) === true) {
+    try {
+      const openIdConfig = getOpenIdConfig();
+      const tokenset = await openIdClient.refreshTokenGrant(openIdConfig, refreshToken);
+      const claims = tokenset.claims();
+      const user = await findUser({ email: claims.email });
+      if (!user) {
+        return res.status(401).redirect('/login');
+      }
+      const token = setOpenIDAuthTokens(tokenset, res);
+      return res.status(200).send({ token, user });
+    } catch (error) {
+      logger.error('[refreshController] OpenID token refresh error', error);
+      return res.status(403).send('Invalid OpenID refresh token');
+    }
+  }
   try {
     const payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
     const user = await getUserById(payload.id, '-password -__v -totpSecret');

api/server/controllers/UserController.js

@@ -1,4 +1,10 @@
-const { FileSources } = require('librechat-data-provider');
+const {
+  Tools,
+  Constants,
+  FileSources,
+  webSearchKeys,
+  extractWebSearchEnvVars,
+} = require('librechat-data-provider');
 const {
   Balance,
   getFiles,
@@ -83,7 +89,6 @@ const deleteUserFiles = async (req) => {
 const updateUserPluginsController = async (req, res) => {
   const { user } = req;
   const { pluginKey, action, auth, isEntityTool } = req.body;
-  let authService;
   try {
     if (!isEntityTool) {
       const userPluginsService = await updateUserPluginsService(user, pluginKey, action);
@@ -95,32 +100,55 @@ const updateUserPluginsController = async (req, res) => {
       }
     }
 
-    if (auth) {
-      const keys = Object.keys(auth);
-      const values = Object.values(auth);
-      if (action === 'install' && keys.length > 0) {
-        for (let i = 0; i < keys.length; i++) {
-          authService = await updateUserPluginAuth(user.id, keys[i], pluginKey, values[i]);
-          if (authService instanceof Error) {
-            logger.error('[authService]', authService);
-            const { status, message } = authService;
-            res.status(status).send({ message });
-          }
+    if (auth == null) {
+      return res.status(200).send();
+    }
+
+    let keys = Object.keys(auth);
+    if (keys.length === 0 && pluginKey !== Tools.web_search) {
+      return res.status(200).send();
+    }
+    const values = Object.values(auth);
+
+    /** @type {number} */
+    let status = 200;
+    /** @type {string} */
+    let message;
+    /** @type {IPluginAuth | Error} */
+    let authService;
+
+    if (pluginKey === Tools.web_search) {
+      /** @type  {TCustomConfig['webSearch']} */
+      const webSearchConfig = req.app.locals?.webSearch;
+      keys = extractWebSearchEnvVars({
+        keys: action === 'install' ? keys : webSearchKeys,
+        config: webSearchConfig,
+      });
+    }
+
+    if (action === 'install') {
+      for (let i = 0; i < keys.length; i++) {
+        authService = await updateUserPluginAuth(user.id, keys[i], pluginKey, values[i]);
+        if (authService instanceof Error) {
+          logger.error('[authService]', authService);
+          ({ status, message } = authService);
         }
       }
-      if (action === 'uninstall' && keys.length > 0) {
-        for (let i = 0; i < keys.length; i++) {
-          authService = await deleteUserPluginAuth(user.id, keys[i]);
-          if (authService instanceof Error) {
-            logger.error('[authService]', authService);
-            const { status, message } = authService;
-            res.status(status).send({ message });
-          }
+    } else if (action === 'uninstall') {
+      for (let i = 0; i < keys.length; i++) {
+        authService = await deleteUserPluginAuth(user.id, keys[i]);
+        if (authService instanceof Error) {
+          logger.error('[authService]', authService);
+          ({ status, message } = authService);
         }
       }
     }
 
-    res.status(200).send();
+    if (status === 200) {
+      return res.status(status).send();
+    }
+
+    res.status(status).send({ message });
   } catch (err) {
     logger.error('[updateUserPluginsController]', err);
     return res.status(500).json({ message: 'Something went wrong.' });

api/server/controllers/agents/callbacks.js

@@ -237,6 +237,30 @@ function createToolEndCallback({ req, res, artifactPromises }) {
       return;
     }
 
+    if (output.artifact[Tools.web_search]) {
+      artifactPromises.push(
+        (async () => {
+          const name = `${output.name}_${output.tool_call_id}_${nanoid()}`;
+          const attachment = {
+            name,
+            type: Tools.web_search,
+            messageId: metadata.run_id,
+            toolCallId: output.tool_call_id,
+            conversationId: metadata.thread_id,
+            [Tools.web_search]: { ...output.artifact[Tools.web_search] },
+          };
+          if (!res.headersSent) {
+            return attachment;
+          }
+          res.write(`event: attachment\ndata: ${JSON.stringify(attachment)}\n\n`);
+          return attachment;
+        })().catch((error) => {
+          logger.error('Error processing artifact content:', error);
+          return null;
+        }),
+      );
+    }
+
     if (output.artifact.content) {
       /** @type {FormattedContent[]} */
       const content = output.artifact.content;

api/server/controllers/agents/client.js

@@ -39,9 +39,6 @@ const BaseClient = require('~/app/clients/BaseClient');
 const { logger, sendEvent } = require('~/config');
 const { createRun } = require('./run');
 
-/** @typedef {import('@librechat/agents').MessageContentComplex} MessageContentComplex */
-/** @typedef {import('@langchain/core/runnables').RunnableConfig} RunnableConfig */
-
 /**
  * @param {ServerRequest} req
  * @param {Agent} agent
@@ -543,7 +540,7 @@ class AgentClient extends BaseClient {
   }
 
   async chatCompletion({ payload, abortController = null }) {
-    /** @type {Partial<RunnableConfig> & { version: 'v1' | 'v2'; run_id?: string; streamMode: string }} */
+    /** @type {Partial<GraphRunnableConfig>} */
     let config;
     /** @type {ReturnType<createRun>} */
     let run;

api/server/controllers/agents/v1.js

@@ -111,7 +111,7 @@ const getAgentHandler = async (req, res) => {
       const originalUrl = agent.avatar.filepath;
       agent.avatar.filepath = await refreshS3Url(agent.avatar);
       if (originalUrl !== agent.avatar.filepath) {
-        await updateAgent({ id }, { avatar: agent.avatar });
+        await updateAgent({ id }, { avatar: agent.avatar }, req.user.id);
       }
     }
 
@@ -169,7 +169,9 @@ const updateAgentHandler = async (req, res) => {
     }
 
     let updatedAgent =
-      Object.keys(updateData).length > 0 ? await updateAgent({ id }, updateData) : existingAgent;
+      Object.keys(updateData).length > 0
+        ? await updateAgent({ id }, updateData, req.user.id)
+        : existingAgent;
 
     if (projectIds || removeProjectIds) {
       updatedAgent = await updateAgentProjects({
@@ -405,7 +407,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
       },
     };
 
-    promises.push(await updateAgent({ id: agent_id, author: req.user.id }, data));
+    promises.push(await updateAgent({ id: agent_id, author: req.user.id }, data, req.user.id));
 
     const resolved = await Promise.all(promises);
     res.status(201).json(resolved[0]);

api/server/controllers/auth/LogoutController.js

@@ -1,5 +1,5 @@
 const cookies = require('cookie');
-const { Issuer } = require('openid-client');
+const { getOpenIdConfig } = require('~/strategies');
 const { logoutUser } = require('~/server/services/AuthService');
 const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');
@@ -10,20 +10,29 @@ const logoutController = async (req, res) => {
     const logout = await logoutUser(req, refreshToken);
     const { status, message } = logout;
     res.clearCookie('refreshToken');
+    res.clearCookie('token_provider');
     const response = { message };
     if (
       req.user.openidId != null &&
       isEnabled(process.env.OPENID_USE_END_SESSION_ENDPOINT) &&
       process.env.OPENID_ISSUER
     ) {
-      const issuer = await Issuer.discover(process.env.OPENID_ISSUER);
-      const redirect = issuer.metadata.end_session_endpoint;
-      if (!redirect) {
+      const openIdConfig = getOpenIdConfig();
+      if (!openIdConfig) {
         logger.warn(
-          '[logoutController] end_session_endpoint not found in OpenID issuer metadata. Please verify that the issuer is correct.',
+          '[logoutController] OpenID config not found. Please verify that the open id configuration and initialization are correct.',
         );
       } else {
-        response.redirect = redirect;
+        const endSessionEndpoint = openIdConfig
+          ? openIdConfig.serverMetadata().end_session_endpoint
+          : null;
+        if (endSessionEndpoint) {
+          response.redirect = endSessionEndpoint;
+        } else {
+          logger.warn(
+            '[logoutController] end_session_endpoint not found in OpenID issuer metadata. Please verify that the issuer is correct.',
+          );
+        }
       }
     }
     return res.status(status).send(response);

api/server/controllers/tools.js

@@ -6,6 +6,7 @@ const {
   Permissions,
   ToolCallTypes,
   PermissionTypes,
+  loadWebSearchAuth,
 } = require('librechat-data-provider');
 const { processFileURL, uploadImageBuffer } = require('~/server/services/Files/process');
 const { processCodeOutput } = require('~/server/services/Files/Code/process');
@@ -24,6 +25,36 @@ const toolAccessPermType = {
   [Tools.execute_code]: PermissionTypes.RUN_CODE,
 };
 
+/**
+ * Verifies web search authentication, ensuring each category has at least
+ * one fully authenticated service.
+ *
+ * @param {ServerRequest} req - The request object
+ * @param {ServerResponse} res - The response object
+ * @returns {Promise<void>} A promise that resolves when the function has completed
+ */
+const verifyWebSearchAuth = async (req, res) => {
+  try {
+    const userId = req.user.id;
+    /** @type {TCustomConfig['webSearch']} */
+    const webSearchConfig = req.app.locals?.webSearch || {};
+    const result = await loadWebSearchAuth({
+      userId,
+      loadAuthValues,
+      webSearchConfig,
+      throwError: false,
+    });
+
+    return res.status(200).json({
+      authenticated: result.authenticated,
+      authTypes: result.authTypes,
+    });
+  } catch (error) {
+    console.error('Error in verifyWebSearchAuth:', error);
+    return res.status(500).json({ message: error.message });
+  }
+};
+
 /**
  * @param {ServerRequest} req - The request object, containing information about the HTTP request.
  * @param {ServerResponse} res - The response object, used to send back the desired HTTP response.
@@ -32,6 +63,9 @@ const toolAccessPermType = {
 const verifyToolAuth = async (req, res) => {
   try {
     const { toolId } = req.params;
+    if (toolId === Tools.web_search) {
+      return await verifyWebSearchAuth(req, res);
+    }
     const authFields = fieldsMap[toolId];
     if (!authFields) {
       res.status(404).json({ message: 'Tool not found' });

api/server/index.js

@@ -75,7 +75,7 @@ const startServer = async () => {
 
   /* OAUTH */
   app.use(passport.initialize());
-  passport.use(await jwtLogin());
+  passport.use(jwtLogin());
   passport.use(passportLogin());
 
   /* LDAP Auth */
@@ -84,7 +84,7 @@ const startServer = async () => {
   }
 
   if (isEnabled(ALLOW_SOCIAL_LOGIN)) {
-    configureSocialLogins(app);
+    await configureSocialLogins(app);
   }
 
   app.use('/oauth', routes.oauth);

api/server/middleware/optionalJwtAuth.js

@@ -1,9 +1,13 @@
+const cookies = require('cookie');
+const { isEnabled } = require('~/server/utils');
 const passport = require('passport');
 
 // This middleware does not require authentication,
 // but if the user is authenticated, it will set the user object.
 const optionalJwtAuth = (req, res, next) => {
-  passport.authenticate('jwt', { session: false }, (err, user) => {
+  const cookieHeader = req.headers.cookie;
+  const tokenProvider = cookieHeader ? cookies.parse(cookieHeader).token_provider : null;
+  const callback = (err, user) => {
     if (err) {
       return next(err);
     }
@@ -11,7 +15,11 @@ const optionalJwtAuth = (req, res, next) => {
       req.user = user;
     }
     next();
-  })(req, res, next);
+  };
+  if (tokenProvider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS)) {
+    return passport.authenticate('openidJwt', { session: false }, callback)(req, res, next);
+  }
+  passport.authenticate('jwt', { session: false }, callback)(req, res, next);
 };
 
 module.exports = optionalJwtAuth;

api/server/middleware/requireJwtAuth.js

@@ -1,5 +1,23 @@
 const passport = require('passport');
+const cookies = require('cookie');
+const { isEnabled } = require('~/server/utils');
 
-const requireJwtAuth = passport.authenticate('jwt', { session: false });
+/**
+ * Custom Middleware to handle JWT authentication, with support for OpenID token reuse
+ * Switches between JWT and OpenID authentication based on cookies and environment settings
+ */
+const requireJwtAuth = (req, res, next) => {
+  // Check if token provider is specified in cookies
+  const cookieHeader = req.headers.cookie;
+  const tokenProvider = cookieHeader ? cookies.parse(cookieHeader).token_provider : null;
+
+  // Use OpenID authentication if token provider is OpenID and OPENID_REUSE_TOKENS is enabled
+  if (tokenProvider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS)) {
+    return passport.authenticate('openidJwt', { session: false })(req, res, next);
+  }
+
+  // Default to standard JWT authentication
+  return passport.authenticate('jwt', { session: false })(req, res, next);
+};
 
 module.exports = requireJwtAuth;

api/server/routes/__tests__/config.spec.js

@@ -1,11 +1,11 @@
 jest.mock('~/cache/getLogStores');
 const request = require('supertest');
 const express = require('express');
-const routes = require('../');
+const configRoute = require('../config');
 // file deepcode ignore UseCsurfForExpress/test: test
 const app = express();
 app.disable('x-powered-by');
-app.use('/api/config', routes.config);
+app.use('/api/config', configRoute);
 
 afterEach(() => {
   delete process.env.APP_TITLE;

api/server/routes/agents/actions.js

@@ -107,7 +107,7 @@ router.post('/:agent_id', async (req, res) => {
       .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
       .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
 
-    const updatedAgent = await updateAgent(agentQuery, { tools, actions });
+    const updatedAgent = await updateAgent(agentQuery, { tools, actions }, req.user.id);
 
     // Only update user field for new actions
     const actionUpdateData = { metadata, agent_id };
@@ -172,7 +172,7 @@ router.delete('/:agent_id/:action_id', async (req, res) => {
 
     const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
 
-    await updateAgent(agentQuery, { tools: updatedTools, actions: updatedActions });
+    await updateAgent(agentQuery, { tools: updatedTools, actions: updatedActions }, req.user.id);
     // If admin, can delete any action, otherwise only user's actions
     const actionQuery = admin ? { action_id } : { action_id, user: req.user.id };
     await deleteAction(actionQuery);

api/server/routes/config.js

@@ -85,6 +85,26 @@ router.get('/', async function (req, res) {
       bundlerURL: process.env.SANDPACK_BUNDLER_URL,
       staticBundlerURL: process.env.SANDPACK_STATIC_BUNDLER_URL,
     };
+    /** @type {TCustomConfig['webSearch']} */
+    const webSearchConfig = req.app.locals.webSearch;
+    if (
+      webSearchConfig != null &&
+      (webSearchConfig.searchProvider ||
+        webSearchConfig.scraperType ||
+        webSearchConfig.rerankerType)
+    ) {
+      payload.webSearch = {};
+    }
+
+    if (webSearchConfig?.searchProvider) {
+      payload.webSearch.searchProvider = webSearchConfig.searchProvider;
+    }
+    if (webSearchConfig?.scraperType) {
+      payload.webSearch.scraperType = webSearchConfig.scraperType;
+    }
+    if (webSearchConfig?.rerankerType) {
+      payload.webSearch.rerankerType = webSearchConfig.rerankerType;
+    }
 
     if (ldap) {
       payload.ldap = ldap;

api/server/routes/convos.js

@@ -74,7 +74,7 @@ router.post('/gen_title', async (req, res) => {
     res.status(200).json({ title });
   } else {
     res.status(404).json({
-      message: 'Title not found or method not implemented for the conversation\'s endpoint',
+      message: "Title not found or method not implemented for the conversation's endpoint",
     });
   }
 });

api/server/routes/oauth.js

@@ -1,6 +1,8 @@
 // file deepcode ignore NoRateLimitingForLogin: Rate limiting is handled by the `loginLimiter` middleware
 const express = require('express');
+const jwt = require('jsonwebtoken');
 const passport = require('passport');
+const client = require('openid-client');
 const {
   checkBan,
   logHeaders,
@@ -8,8 +10,9 @@ const {
   setBalanceConfig,
   checkDomainAllowed,
 } = require('~/server/middleware');
-const { setAuthTokens } = require('~/server/services/AuthService');
+const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
 const { logger } = require('~/config');
+const { isEnabled } = require('~/server/utils');
 
 const router = express.Router();
 
@@ -18,6 +21,8 @@ const domains = {
   server: process.env.DOMAIN_SERVER,
 };
 
+const JWT_SECRET = process.env.JWT_SECRET || process.env.OPENID_SESSION_SECRET;
+
 router.use(logHeaders);
 router.use(loginLimiter);
 
@@ -28,7 +33,15 @@ const oauthHandler = async (req, res) => {
     if (req.banned) {
       return;
     }
-    await setAuthTokens(req.user._id, res);
+    if (
+      req.user &&
+      req.user.provider == 'openid' &&
+      isEnabled(process.env.OPENID_REUSE_TOKENS) === true
+    ) {
+      setOpenIDAuthTokens(req.user.tokenset, res);
+    } else {
+      await setAuthTokens(req.user._id, res);
+    }
     res.redirect(domains.client);
   } catch (err) {
     logger.error('Error in setting authentication tokens:', err);
@@ -94,20 +107,71 @@ router.get(
 /**
  * OpenID Routes
  */
-router.get(
-  '/openid',
-  passport.authenticate('openid', {
-    session: false,
-  }),
-);
+router.get('/openid', (req, res, next) => {
+  const state = client.randomState();
+
+  try {
+    const stateToken = jwt.sign(
+      {
+        state: state,
+        timestamp: Date.now(),
+      },
+      JWT_SECRET,
+      { expiresIn: '10m' },
+    );
+
+    res.cookie('oauth_state', stateToken, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      signed: false,
+      maxAge: 10 * 60 * 1000,
+      sameSite: 'lax',
+    });
+    passport.authenticate('openid', {
+      session: false,
+      state: state,
+    })(req, res, next);
+  } catch (error) {
+    logger.error('Error creating state token for OpenID authentication', error);
+    return res.redirect(`${domains.client}/oauth/error`);
+  }
+});
 
 router.get(
   '/openid/callback',
-  passport.authenticate('openid', {
-    failureRedirect: `${domains.client}/oauth/error`,
-    failureMessage: true,
-    session: false,
-  }),
+  (req, res, next) => {
+    if (!req.query.state) {
+      logger.error('Missing state parameter in OpenID callback');
+      return res.redirect(`${domains.client}/oauth/error`);
+    }
+
+    const stateToken = req.cookies.oauth_state;
+    if (!stateToken) {
+      logger.error('No state cookie found for OpenID callback');
+      return res.redirect(`${domains.client}/oauth/error`);
+    }
+
+    try {
+      const decodedState = jwt.verify(stateToken, JWT_SECRET);
+      if (req.query.state !== decodedState.state) {
+        logger.error('Invalid state parameter in OpenID callback', {
+          received: req.query.state,
+          expected: decodedState.state,
+        });
+        return res.redirect(`${domains.client}/oauth/error`);
+      }
+      res.clearCookie('oauth_state');
+      passport.authenticate('openid', {
+        failureRedirect: `${domains.client}/oauth/error`,
+        failureMessage: true,
+        session: false,
+      })(req, res, next);
+    } catch (error) {
+      logger.error('Invalid or expired state token in OpenID callback', error);
+      res.clearCookie('oauth_state');
+      return res.redirect(`${domains.client}/oauth/error`);
+    }
+  },
   setBalanceConfig,
   oauthHandler,
 );

api/server/services/AppService.interface.spec.js

@@ -25,6 +25,7 @@ jest.mock('./start/checks', () => ({
   checkHealth: jest.fn(),
   checkConfig: jest.fn(),
   checkAzureVariables: jest.fn(),
+  checkWebSearchConfig: jest.fn(),
 }));
 
 const AppService = require('./AppService');

api/server/services/AppService.js

@@ -1,11 +1,18 @@
 const {
   FileSources,
-  EModelEndpoint,
   loadOCRConfig,
   processMCPEnv,
+  EModelEndpoint,
   getConfigDefaults,
+  loadWebSearchConfig,
 } = require('librechat-data-provider');
-const { checkVariables, checkHealth, checkConfig, checkAzureVariables } = require('./start/checks');
+const {
+  checkHealth,
+  checkConfig,
+  checkVariables,
+  checkAzureVariables,
+  checkWebSearchConfig,
+} = require('./start/checks');
 const { azureAssistantsDefaults, assistantsConfigSetup } = require('./start/assistants');
 const { initializeAzureBlobService } = require('./Files/Azure/initialize');
 const { initializeFirebase } = require('./Files/Firebase/initialize');
@@ -35,6 +42,8 @@ const AppService = async (app) => {
   const configDefaults = getConfigDefaults();
 
   const ocr = loadOCRConfig(config.ocr);
+  const webSearch = loadWebSearchConfig(config.webSearch);
+  checkWebSearchConfig(webSearch);
   const filteredTools = config.filteredTools;
   const includedTools = config.includedTools;
   const fileStrategy = config.fileStrategy ?? configDefaults.fileStrategy;
@@ -79,6 +88,7 @@ const AppService = async (app) => {
   const defaultLocals = {
     ocr,
     paths,
+    webSearch,
     fileStrategy,
     socialLogins,
     filteredTools,

api/server/services/AppService.spec.js

@@ -141,6 +141,14 @@ describe('AppService', () => {
       balance: { enabled: true },
       filteredTools: undefined,
       includedTools: undefined,
+      webSearch: {
+        cohereApiKey: '${COHERE_API_KEY}',
+        firecrawlApiKey: '${FIRECRAWL_API_KEY}',
+        firecrawlApiUrl: '${FIRECRAWL_API_URL}',
+        jinaApiKey: '${JINA_API_KEY}',
+        safeSearch: 1,
+        serperApiKey: '${SERPER_API_KEY}',
+      },
     });
   });
 
@@ -537,7 +545,7 @@ describe('AppService updating app.locals and issuing warnings', () => {
     const { logger } = require('~/config');
     expect(logger.warn).toHaveBeenCalledWith(
       expect.stringContaining(
-        'The \'assistants\' endpoint has both \'supportedIds\' and \'excludedIds\' defined.',
+        "The 'assistants' endpoint has both 'supportedIds' and 'excludedIds' defined.",
       ),
     );
   });
@@ -559,7 +567,7 @@ describe('AppService updating app.locals and issuing warnings', () => {
     const { logger } = require('~/config');
     expect(logger.warn).toHaveBeenCalledWith(
       expect.stringContaining(
-        'The \'assistants\' endpoint has both \'privateAssistants\' and \'supportedIds\' or \'excludedIds\' defined.',
+        "The 'assistants' endpoint has both 'privateAssistants' and 'supportedIds' or 'excludedIds' defined.",
       ),
     );
   });

api/server/services/AuthService.js

@@ -377,13 +377,62 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
       secure: isProduction,
       sameSite: 'strict',
     });
-
+    res.cookie('token_provider', 'librechat', {
+      expires: new Date(refreshTokenExpires),
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: 'strict',
+    });
     return token;
   } catch (error) {
     logger.error('[setAuthTokens] Error in setting authentication tokens:', error);
     throw error;
   }
 };
+/**
+ * @function setOpenIDAuthTokens
+ * Set OpenID Authentication Tokens
+ * //type tokenset from openid-client
+ * @param {import('openid-client').TokenEndpointResponse & import('openid-client').TokenEndpointResponseHelpers} tokenset
+ * - The tokenset object containing access and refresh tokens
+ * @param {Object} res - response object
+ * @returns {String} - access token
+ */
+const setOpenIDAuthTokens = (tokenset, res) => {
+  try {
+    if (!tokenset) {
+      logger.error('[setOpenIDAuthTokens] No tokenset found in request');
+      return;
+    }
+    const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
+    const expiryInMilliseconds = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7; // 7 days default
+    const expirationDate = new Date(Date.now() + expiryInMilliseconds);
+    if (tokenset == null) {
+      logger.error('[setOpenIDAuthTokens] No tokenset found in request');
+      return;
+    }
+    if (!tokenset.access_token || !tokenset.refresh_token) {
+      logger.error('[setOpenIDAuthTokens] No access or refresh token found in tokenset');
+      return;
+    }
+    res.cookie('refreshToken', tokenset.refresh_token, {
+      expires: expirationDate,
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: 'strict',
+    });
+    res.cookie('token_provider', 'openid', {
+      expires: expirationDate,
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: 'strict',
+    });
+    return tokenset.access_token;
+  } catch (error) {
+    logger.error('[setOpenIDAuthTokens] Error in setting authentication tokens:', error);
+    throw error;
+  }
+};
 
 /**
  * Resend Verification Email
@@ -452,4 +501,5 @@ module.exports = {
   resetPassword,
   requestPasswordReset,
   resendVerificationEmail,
+  setOpenIDAuthTokens,
 };

api/server/services/Endpoints/anthropic/helpers.js

@@ -15,20 +15,14 @@ function checkPromptCacheSupport(modelName) {
     return false;
   }
 
-  if (
-    modelMatch === 'claude-3-7-sonnet' ||
-    modelMatch === 'claude-3-5-sonnet' ||
-    modelMatch === 'claude-3-5-haiku' ||
-    modelMatch === 'claude-3-haiku' ||
-    modelMatch === 'claude-3-opus' ||
-    modelMatch === 'claude-3.7-sonnet' ||
-    modelMatch === 'claude-3.5-sonnet' ||
-    modelMatch === 'claude-3.5-haiku'
-  ) {
-    return true;
-  }
-
-  return false;
+  return (
+    /claude-3[-.]7/.test(modelMatch) ||
+    /claude-3[-.]5-(?:sonnet|haiku)/.test(modelMatch) ||
+    /claude-3-(?:sonnet|haiku|opus)?/.test(modelMatch) ||
+    /claude-(?:sonnet|opus|haiku)-[4-9]/.test(modelMatch) ||
+    /claude-[4-9]-(?:sonnet|opus|haiku)?/.test(modelMatch) ||
+    /claude-4(?:-(?:sonnet|opus|haiku))?/.test(modelMatch)
+  );
 }
 
 /**
@@ -51,6 +45,14 @@ function getClaudeHeaders(model, supportsCacheControl) {
       'anthropic-beta':
         'token-efficient-tools-2025-02-19,output-128k-2025-02-19,prompt-caching-2024-07-31',
     };
+  } else if (
+    /claude-(?:sonnet|opus|haiku)-[4-9]/.test(model) ||
+    /claude-[4-9]-(?:sonnet|opus|haiku)?/.test(model) ||
+    /claude-4(?:-(?:sonnet|opus|haiku))?/.test(model)
+  ) {
+    return {
+      'anthropic-beta': 'prompt-caching-2024-07-31',
+    };
   } else {
     return {
       'anthropic-beta': 'prompt-caching-2024-07-31',
@@ -72,7 +74,8 @@ function configureReasoning(anthropicInput, extendedOptions = {}) {
   if (
     extendedOptions.thinking &&
     updatedOptions?.model &&
-    /claude-3[-.]7/.test(updatedOptions.model)
+    (/claude-3[-.]7/.test(updatedOptions.model) ||
+      /claude-(?:sonnet|opus|haiku)-[4-9]/.test(updatedOptions.model))
   ) {
     updatedOptions.thinking = {
       type: 'enabled',

api/server/services/Endpoints/bedrock/options.js

@@ -25,10 +25,10 @@ const getOptions = async ({ req, overrideModel, endpointOption }) => {
   let credentials = isUserProvided
     ? await getUserKey({ userId: req.user.id, name: EModelEndpoint.bedrock })
     : {
-      accessKeyId: BEDROCK_AWS_ACCESS_KEY_ID,
-      secretAccessKey: BEDROCK_AWS_SECRET_ACCESS_KEY,
-      ...(BEDROCK_AWS_SESSION_TOKEN && { sessionToken: BEDROCK_AWS_SESSION_TOKEN }),
-    };
+        accessKeyId: BEDROCK_AWS_ACCESS_KEY_ID,
+        secretAccessKey: BEDROCK_AWS_SECRET_ACCESS_KEY,
+        ...(BEDROCK_AWS_SESSION_TOKEN && { sessionToken: BEDROCK_AWS_SESSION_TOKEN }),
+      };
 
   if (!credentials) {
     throw new Error('Bedrock credentials not provided. Please provide them again.');

api/server/services/Files/MistralOCR/crud.js

@@ -2,7 +2,12 @@
 const fs = require('fs');
 const path = require('path');
 const FormData = require('form-data');
-const { FileSources, envVarRegex, extractEnvVariable } = require('librechat-data-provider');
+const {
+  FileSources,
+  envVarRegex,
+  extractEnvVariable,
+  extractVariableName,
+} = require('librechat-data-provider');
 const { loadAuthValues } = require('~/server/services/Tools/credentials');
 const { logger, createAxiosInstance } = require('~/config');
 const { logAxiosError } = require('~/utils/axios');
@@ -108,11 +113,6 @@ async function performOCR({
     });
 }
 
-function extractVariableName(str) {
-  const match = str.match(envVarRegex);
-  return match ? match[1] : null;
-}
-
 /**
  * Uploads a file to the Mistral OCR API and processes the OCR result.
  *

api/server/services/PluginService.js

@@ -66,16 +66,26 @@ const getUserPluginAuthValue = async (userId, authField, throwError = true) => {
 //   }
 // };
 
+/**
+ *
+ * @async
+ * @param {string} userId
+ * @param {string} authField
+ * @param {string} pluginKey
+ * @param {string} value
+ * @returns {Promise<IPluginAuth>}
+ * @throws {Error}
+ */
 const updateUserPluginAuth = async (userId, authField, pluginKey, value) => {
   try {
     const encryptedValue = await encrypt(value);
     const pluginAuth = await PluginAuth.findOne({ userId, authField }).lean();
     if (pluginAuth) {
-      const pluginAuth = await PluginAuth.updateOne(
+      return await PluginAuth.findOneAndUpdate(
         { userId, authField },
         { $set: { value: encryptedValue } },
-      );
-      return pluginAuth;
+        { new: true, upsert: true },
+      ).lean();
     } else {
       const newPluginAuth = await new PluginAuth({
         userId,
@@ -84,7 +94,7 @@ const updateUserPluginAuth = async (userId, authField, pluginKey, value) => {
         pluginKey,
       });
       await newPluginAuth.save();
-      return newPluginAuth;
+      return newPluginAuth.toObject();
     }
   } catch (err) {
     logger.error('[updateUserPluginAuth]', err);
@@ -92,6 +102,14 @@ const updateUserPluginAuth = async (userId, authField, pluginKey, value) => {
   }
 };
 
+/**
+ * @async
+ * @param {string} userId
+ * @param {string} authField
+ * @param {boolean} [all]
+ * @returns {Promise<import('mongoose').DeleteResult>}
+ * @throws {Error}
+ */
 const deleteUserPluginAuth = async (userId, authField, all = false) => {
   if (all) {
     try {

api/server/services/ToolService.js

@@ -1,8 +1,8 @@
 const fs = require('fs');
 const path = require('path');
 const { zodToJsonSchema } = require('zod-to-json-schema');
-const { tool: toolFn, Tool, DynamicStructuredTool } = require('@langchain/core/tools');
 const { Calculator } = require('@langchain/community/tools/calculator');
+const { tool: toolFn, Tool, DynamicStructuredTool } = require('@langchain/core/tools');
 const {
   Tools,
   ErrorTypes,
@@ -29,6 +29,7 @@ const {
   toolkits,
 } = require('~/app/clients/tools');
 const { processFileURL, uploadImageBuffer } = require('~/server/services/Files/process');
+const { createOnSearchResults } = require('~/server/services/Tools/search');
 const { isActionDomainAllowed } = require('~/server/services/domains');
 const { getEndpointsConfig } = require('~/server/services/Config');
 const { recordUsage } = require('~/server/services/Threads');
@@ -504,11 +505,15 @@ async function loadAgentTools({ req, res, agent, tool_resources, openAIApiKey })
   const checkCapability = (capability) => enabledCapabilities.has(capability);
   const areToolsEnabled = checkCapability(AgentCapabilities.tools);
 
+  let includesWebSearch = false;
   const _agentTools = agent.tools?.filter((tool) => {
     if (tool === Tools.file_search) {
       return checkCapability(AgentCapabilities.file_search);
     } else if (tool === Tools.execute_code) {
       return checkCapability(AgentCapabilities.execute_code);
+    } else if (tool === Tools.web_search) {
+      includesWebSearch = checkCapability(AgentCapabilities.web_search);
+      return includesWebSearch;
     } else if (!areToolsEnabled && !tool.includes(actionDelimiter)) {
       return false;
     }
@@ -518,7 +523,11 @@ async function loadAgentTools({ req, res, agent, tool_resources, openAIApiKey })
   if (!_agentTools || _agentTools.length === 0) {
     return {};
   }
-
+  /** @type {ReturnType<createOnSearchResults>} */
+  let webSearchCallbacks;
+  if (includesWebSearch) {
+    webSearchCallbacks = createOnSearchResults(res);
+  }
   const { loadedTools, toolContextMap } = await loadTools({
     agent,
     functions: true,
@@ -532,6 +541,7 @@ async function loadAgentTools({ req, res, agent, tool_resources, openAIApiKey })
       uploadImageBuffer,
       returnMetadata: true,
       fileStrategy: req.app.locals.fileStrategy,
+      [Tools.web_search]: webSearchCallbacks,
     },
   });
 

api/server/services/Tools/search.js

@@ -0,0 +1,122 @@
+const { nanoid } = require('nanoid');
+const { Tools } = require('librechat-data-provider');
+const { logger } = require('~/config');
+
+/**
+ * Creates a function to handle search results and stream them as attachments
+ * @param {import('http').ServerResponse} res - The HTTP server response object
+ * @returns {{ onSearchResults: function(SearchResult, GraphRunnableConfig): void; onGetHighlights: function(string): void}} - Function that takes search results and returns or streams an attachment
+ */
+function createOnSearchResults(res) {
+  const context = {
+    sourceMap: new Map(),
+    searchResultData: undefined,
+    toolCallId: undefined,
+    attachmentName: undefined,
+    messageId: undefined,
+    conversationId: undefined,
+  };
+
+  /**
+   * @param {SearchResult} results
+   * @param {GraphRunnableConfig} runnableConfig
+   */
+  function onSearchResults(results, runnableConfig) {
+    logger.info(
+      `[onSearchResults] user: ${runnableConfig.metadata.user_id} | thread_id: ${runnableConfig.metadata.thread_id} | run_id: ${runnableConfig.metadata.run_id}`,
+      results,
+    );
+
+    if (!results.success) {
+      logger.error(
+        `[onSearchResults] user: ${runnableConfig.metadata.user_id} | thread_id: ${runnableConfig.metadata.thread_id} | run_id: ${runnableConfig.metadata.run_id} | error: ${results.error}`,
+      );
+      return;
+    }
+
+    const turn = runnableConfig.toolCall?.turn ?? 0;
+    const data = { turn, ...structuredClone(results.data ?? {}) };
+    context.searchResultData = data;
+
+    // Map sources to links
+    for (let i = 0; i < data.organic.length; i++) {
+      const source = data.organic[i];
+      if (source.link) {
+        context.sourceMap.set(source.link, {
+          type: 'organic',
+          index: i,
+          turn,
+        });
+      }
+    }
+    for (let i = 0; i < data.topStories.length; i++) {
+      const source = data.topStories[i];
+      if (source.link) {
+        context.sourceMap.set(source.link, {
+          type: 'topStories',
+          index: i,
+          turn,
+        });
+      }
+    }
+
+    context.toolCallId = runnableConfig.toolCall.id;
+    context.messageId = runnableConfig.metadata.run_id;
+    context.conversationId = runnableConfig.metadata.thread_id;
+    context.attachmentName = `${runnableConfig.toolCall.name}_${context.toolCallId}_${nanoid()}`;
+
+    const attachment = buildAttachment(context);
+
+    if (!res.headersSent) {
+      return attachment;
+    }
+    res.write(`event: attachment\ndata: ${JSON.stringify(attachment)}\n\n`);
+  }
+
+  /**
+   * @param {string} link
+   * @returns {void}
+   */
+  function onGetHighlights(link) {
+    const source = context.sourceMap.get(link);
+    if (!source) {
+      return;
+    }
+    const { type, index } = source;
+    const data = context.searchResultData;
+    if (!data) {
+      return;
+    }
+    if (data[type][index] != null) {
+      data[type][index].processed = true;
+    }
+
+    const attachment = buildAttachment(context);
+    res.write(`event: attachment\ndata: ${JSON.stringify(attachment)}\n\n`);
+  }
+
+  return {
+    onSearchResults,
+    onGetHighlights,
+  };
+}
+
+/**
+ * Helper function to build an attachment object
+ * @param {object} context - The context containing attachment data
+ * @returns {object} - The attachment object
+ */
+function buildAttachment(context) {
+  return {
+    messageId: context.messageId,
+    toolCallId: context.toolCallId,
+    conversationId: context.conversationId,
+    name: context.attachmentName,
+    type: Tools.web_search,
+    [Tools.web_search]: context.searchResultData,
+  };
+}
+
+module.exports = {
+  createOnSearchResults,
+};

api/server/services/start/checks.js

@@ -1,7 +1,9 @@
 const {
   Constants,
+  webSearchKeys,
   deprecatedAzureVariables,
   conflictingAzureVariables,
+  extractVariableName,
 } = require('librechat-data-provider');
 const { isEnabled, checkEmailConfig } = require('~/server/utils');
 const { logger } = require('~/config');
@@ -141,4 +143,56 @@ function checkPasswordReset() {
   }
 }
 
-module.exports = { checkVariables, checkHealth, checkConfig, checkAzureVariables };
+/**
+ * Checks web search configuration values to ensure they are environment variable references.
+ * Warns if actual API keys or URLs are used instead of environment variable references.
+ * Logs debug information for properly configured environment variable references.
+ * @param {Object} webSearchConfig - The loaded web search configuration object.
+ */
+function checkWebSearchConfig(webSearchConfig) {
+  if (!webSearchConfig) {
+    return;
+  }
+
+  webSearchKeys.forEach((key) => {
+    const value = webSearchConfig[key];
+
+    if (typeof value === 'string') {
+      const varName = extractVariableName(value);
+
+      if (varName) {
+        // This is a proper environment variable reference
+        const actualValue = process.env[varName];
+        if (actualValue) {
+          logger.debug(`Web search ${key}: Using environment variable ${varName} with value set`);
+        } else {
+          logger.debug(
+            `Web search ${key}: Using environment variable ${varName} (not set in environment, user provided value)`,
+          );
+        }
+      } else {
+        // This is not an environment variable reference - warn user
+        logger.warn(
+          `❗ Web search configuration error: ${key} contains an actual value instead of an environment variable reference.
+          
+          Current value: "${value.substring(0, 10)}..."
+          
+          This is incorrect! You should use environment variable references in your librechat.yaml file, such as:
+          ${key}: "\${YOUR_ENV_VAR_NAME}"
+          
+          Then set the actual API key in your .env file or environment variables.
+          
+          More info: https://www.librechat.ai/docs/configuration/librechat_yaml/web_search`,
+        );
+      }
+    }
+  });
+}
+
+module.exports = {
+  checkHealth,
+  checkConfig,
+  checkVariables,
+  checkAzureVariables,
+  checkWebSearchConfig,
+};

api/server/services/start/checks.spec.js

@@ -0,0 +1,203 @@
+// Mock librechat-data-provider
+jest.mock('librechat-data-provider', () => ({
+  ...jest.requireActual('librechat-data-provider'),
+  extractVariableName: jest.fn(),
+}));
+
+// Mock the config logger
+jest.mock('~/config', () => ({
+  logger: {
+    debug: jest.fn(),
+    warn: jest.fn(),
+  },
+}));
+
+const { checkWebSearchConfig } = require('./checks');
+const { logger } = require('~/config');
+const { extractVariableName } = require('librechat-data-provider');
+
+describe('checkWebSearchConfig', () => {
+  let originalEnv;
+
+  beforeEach(() => {
+    // Clear all mocks
+    jest.clearAllMocks();
+
+    // Store original environment
+    originalEnv = process.env;
+
+    // Reset process.env
+    process.env = { ...originalEnv };
+  });
+
+  afterEach(() => {
+    // Restore original environment
+    process.env = originalEnv;
+  });
+
+  describe('when webSearchConfig is undefined or null', () => {
+    it('should return early without logging when config is undefined', () => {
+      checkWebSearchConfig(undefined);
+
+      expect(logger.debug).not.toHaveBeenCalled();
+      expect(logger.warn).not.toHaveBeenCalled();
+    });
+
+    it('should return early without logging when config is null', () => {
+      checkWebSearchConfig(null);
+
+      expect(logger.debug).not.toHaveBeenCalled();
+      expect(logger.warn).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('when config values are proper environment variable references', () => {
+    it('should log debug message for each valid environment variable with value set', () => {
+      const config = {
+        serperApiKey: '${SERPER_API_KEY}',
+        jinaApiKey: '${JINA_API_KEY}',
+      };
+
+      extractVariableName.mockReturnValueOnce('SERPER_API_KEY').mockReturnValueOnce('JINA_API_KEY');
+
+      process.env.SERPER_API_KEY = 'test-serper-key';
+      process.env.JINA_API_KEY = 'test-jina-key';
+
+      checkWebSearchConfig(config);
+
+      expect(extractVariableName).toHaveBeenCalledWith('${SERPER_API_KEY}');
+      expect(extractVariableName).toHaveBeenCalledWith('${JINA_API_KEY}');
+      expect(logger.debug).toHaveBeenCalledWith(
+        'Web search serperApiKey: Using environment variable SERPER_API_KEY with value set',
+      );
+      expect(logger.debug).toHaveBeenCalledWith(
+        'Web search jinaApiKey: Using environment variable JINA_API_KEY with value set',
+      );
+      expect(logger.warn).not.toHaveBeenCalled();
+    });
+
+    it('should log debug message for environment variables not set in environment', () => {
+      const config = {
+        cohereApiKey: '${COHERE_API_KEY}',
+      };
+
+      extractVariableName.mockReturnValue('COHERE_API_KEY');
+
+      delete process.env.COHERE_API_KEY;
+
+      checkWebSearchConfig(config);
+
+      expect(logger.debug).toHaveBeenCalledWith(
+        'Web search cohereApiKey: Using environment variable COHERE_API_KEY (not set in environment, user provided value)',
+      );
+      expect(logger.warn).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('when config values are actual values instead of environment variable references', () => {
+    it('should warn when serperApiKey contains actual API key', () => {
+      const config = {
+        serperApiKey: 'sk-1234567890abcdef',
+      };
+
+      extractVariableName.mockReturnValue(null);
+
+      checkWebSearchConfig(config);
+
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining(
+          '❗ Web search configuration error: serperApiKey contains an actual value',
+        ),
+      );
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Current value: "sk-1234567..."'),
+      );
+      expect(logger.debug).not.toHaveBeenCalled();
+    });
+
+    it('should warn when firecrawlApiUrl contains actual URL', () => {
+      const config = {
+        firecrawlApiUrl: 'https://api.firecrawl.dev',
+      };
+
+      extractVariableName.mockReturnValue(null);
+
+      checkWebSearchConfig(config);
+
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining(
+          '❗ Web search configuration error: firecrawlApiUrl contains an actual value',
+        ),
+      );
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Current value: "https://ap..."'),
+      );
+    });
+
+    it('should include documentation link in warning message', () => {
+      const config = {
+        firecrawlApiKey: 'fc-actual-key',
+      };
+
+      extractVariableName.mockReturnValue(null);
+
+      checkWebSearchConfig(config);
+
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining(
+          'More info: https://www.librechat.ai/docs/configuration/librechat_yaml/web_search',
+        ),
+      );
+    });
+  });
+
+  describe('when config contains mixed value types', () => {
+    it('should only process string values and ignore non-string values', () => {
+      const config = {
+        serperApiKey: '${SERPER_API_KEY}',
+        safeSearch: 1,
+        scraperTimeout: 7500,
+        jinaApiKey: 'actual-key',
+      };
+
+      extractVariableName.mockReturnValueOnce('SERPER_API_KEY').mockReturnValueOnce(null);
+
+      process.env.SERPER_API_KEY = 'test-key';
+
+      checkWebSearchConfig(config);
+
+      expect(extractVariableName).toHaveBeenCalledTimes(2);
+      expect(logger.debug).toHaveBeenCalledTimes(1);
+      expect(logger.warn).toHaveBeenCalledTimes(1);
+    });
+  });
+
+  describe('edge cases', () => {
+    it('should handle config with no web search keys', () => {
+      const config = {
+        someOtherKey: 'value',
+        anotherKey: '${SOME_VAR}',
+      };
+
+      checkWebSearchConfig(config);
+
+      expect(extractVariableName).not.toHaveBeenCalled();
+      expect(logger.debug).not.toHaveBeenCalled();
+      expect(logger.warn).not.toHaveBeenCalled();
+    });
+
+    it('should truncate long values in warning messages', () => {
+      const config = {
+        serperApiKey: 'this-is-a-very-long-api-key-that-should-be-truncated-in-the-warning-message',
+      };
+
+      extractVariableName.mockReturnValue(null);
+
+      checkWebSearchConfig(config);
+
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Current value: "this-is-a-..."'),
+      );
+    });
+  });
+});

api/server/services/start/interface.js

@@ -38,6 +38,7 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     agents: interfaceConfig?.agents ?? defaults.agents,
     temporaryChat: interfaceConfig?.temporaryChat ?? defaults.temporaryChat,
     runCode: interfaceConfig?.runCode ?? defaults.runCode,
+    webSearch: interfaceConfig?.webSearch ?? defaults.webSearch,
     customWelcome: interfaceConfig?.customWelcome ?? defaults.customWelcome,
   });
 
@@ -48,6 +49,7 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     [PermissionTypes.AGENTS]: { [Permissions.USE]: loadedInterface.agents },
     [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
     [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
+    [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: loadedInterface.webSearch },
   });
   await updateAccessPermissions(SystemRoles.ADMIN, {
     [PermissionTypes.PROMPTS]: { [Permissions.USE]: loadedInterface.prompts },
@@ -56,6 +58,7 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     [PermissionTypes.AGENTS]: { [Permissions.USE]: loadedInterface.agents },
     [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
     [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
+    [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: loadedInterface.webSearch },
   });
 
   let i = 0;
@@ -74,7 +77,7 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
   // warn about config.modelSpecs.prioritize if true and presets are enabled, that default presets will conflict with prioritizing model specs.
   if (config?.modelSpecs?.prioritize && loadedInterface.presets) {
     logger.warn(
-      'Note: Prioritizing model specs can conflict with default presets if a default preset is set. It\'s recommended to disable presets from the interface or disable use of a default preset.',
+      "Note: Prioritizing model specs can conflict with default presets if a default preset is set. It's recommended to disable presets from the interface or disable use of a default preset.",
     );
     i === 0 && i++;
   }
@@ -88,14 +91,14 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
       loadedInterface.parameters)
   ) {
     logger.warn(
-      'Note: Enforcing model specs can conflict with the interface options: endpointsMenu, modelSelect, presets, and parameters. It\'s recommended to disable these options from the interface or disable enforcing model specs.',
+      "Note: Enforcing model specs can conflict with the interface options: endpointsMenu, modelSelect, presets, and parameters. It's recommended to disable these options from the interface or disable enforcing model specs.",
     );
     i === 0 && i++;
   }
   // warn if enforce is true and prioritize is not, that enforcing model specs without prioritizing them can lead to unexpected behavior.
   if (config?.modelSpecs?.enforce && !config?.modelSpecs?.prioritize) {
     logger.warn(
-      'Note: Enforcing model specs without prioritizing them can lead to unexpected behavior. It\'s recommended to enable prioritizing model specs if enforcing them.',
+      "Note: Enforcing model specs without prioritizing them can lead to unexpected behavior. It's recommended to enable prioritizing model specs if enforcing them.",
     );
     i === 0 && i++;
   }

api/server/services/start/interface.spec.js

@@ -16,6 +16,7 @@ describe('loadDefaultInterface', () => {
         agents: true,
         temporaryChat: true,
         runCode: true,
+        webSearch: true,
       },
     };
     const configDefaults = { interface: {} };
@@ -29,6 +30,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: true },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
     });
   });
 
@@ -41,6 +43,7 @@ describe('loadDefaultInterface', () => {
         agents: false,
         temporaryChat: false,
         runCode: false,
+        webSearch: false,
       },
     };
     const configDefaults = { interface: {} };
@@ -54,6 +57,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: false },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: false },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: false },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: false },
     });
   });
 
@@ -70,6 +74,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
     });
   });
 
@@ -82,6 +87,7 @@ describe('loadDefaultInterface', () => {
         agents: undefined,
         temporaryChat: undefined,
         runCode: undefined,
+        webSearch: undefined,
       },
     };
     const configDefaults = { interface: {} };
@@ -95,6 +101,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
     });
   });
 
@@ -107,6 +114,7 @@ describe('loadDefaultInterface', () => {
         agents: true,
         temporaryChat: undefined,
         runCode: false,
+        webSearch: true,
       },
     };
     const configDefaults = { interface: {} };
@@ -120,6 +128,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: true },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: false },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
     });
   });
 
@@ -133,6 +142,7 @@ describe('loadDefaultInterface', () => {
         agents: true,
         temporaryChat: true,
         runCode: true,
+        webSearch: true,
       },
     };
 
@@ -145,6 +155,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: true },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
     });
   });
 
@@ -161,6 +172,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
     });
   });
 
@@ -177,6 +189,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
     });
   });
 
@@ -193,6 +206,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
     });
   });
 
@@ -218,6 +232,7 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: false },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: false },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
     });
   });
 
@@ -231,6 +246,7 @@ describe('loadDefaultInterface', () => {
         agents: undefined,
         temporaryChat: undefined,
         runCode: undefined,
+        webSearch: undefined,
       },
     };
 
@@ -243,6 +259,33 @@ describe('loadDefaultInterface', () => {
       [PermissionTypes.AGENTS]: { [Permissions.USE]: undefined },
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: undefined },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: undefined },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
+    });
+  });
+
+  it('should call updateAccessPermissions with the correct parameters when WEB_SEARCH is undefined', async () => {
+    const config = {
+      interface: {
+        prompts: true,
+        bookmarks: false,
+        multiConvo: true,
+        agents: false,
+        temporaryChat: true,
+        runCode: false,
+      },
+    };
+    const configDefaults = { interface: {} };
+
+    await loadDefaultInterface(config, configDefaults);
+
+    expect(updateAccessPermissions).toHaveBeenCalledWith(SystemRoles.USER, {
+      [PermissionTypes.PROMPTS]: { [Permissions.USE]: true },
+      [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: false },
+      [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
+      [PermissionTypes.AGENTS]: { [Permissions.USE]: false },
+      [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
+      [PermissionTypes.RUN_CODE]: { [Permissions.USE]: false },
+      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: undefined },
     });
   });
 });

api/server/services/start/turnstile.js

@@ -26,7 +26,6 @@ function loadTurnstileConfig(config, configDefaults) {
     options: customTurnstile.options ?? defaults.options,
   });
 
-
   const enabled = Boolean(loadedTurnstile.siteKey);
 
   if (enabled) {
@@ -37,7 +36,6 @@ function loadTurnstileConfig(config, configDefaults) {
     logger.info('Turnstile is DISABLED (no siteKey provided).');
   }
 
-
   return loadedTurnstile;
 }
 

api/server/socialLogins.js

@@ -10,6 +10,7 @@ const {
   discordLogin,
   facebookLogin,
   appleLogin,
+  openIdJwtLogin,
 } = require('~/strategies');
 const { isEnabled } = require('~/server/utils');
 const keyvRedis = require('~/cache/keyvRedis');
@@ -19,7 +20,7 @@ const { logger } = require('~/config');
  *
  * @param {Express.Application} app
  */
-const configureSocialLogins = (app) => {
+const configureSocialLogins = async (app) => {
   logger.info('Configuring social logins...');
 
   if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
@@ -62,8 +63,11 @@ const configureSocialLogins = (app) => {
     }
     app.use(session(sessionOptions));
     app.use(passport.session());
-    setupOpenId();
-
+    const config = await setupOpenId();
+    if (isEnabled(process.env.OPENID_REUSE_TOKENS)) {
+      logger.info('OpenID token reuse is enabled.');
+      passport.use('openidJwt', openIdJwtLogin(config));
+    }
     logger.info('OpenID Connect configured.');
   }
 };

api/server/utils/handleText.js

@@ -200,11 +200,12 @@ function generateConfig(key, baseURL, endpoint) {
     config.capabilities = [
       AgentCapabilities.execute_code,
       AgentCapabilities.file_search,
+      AgentCapabilities.web_search,
       AgentCapabilities.artifacts,
       AgentCapabilities.actions,
       AgentCapabilities.tools,
-      AgentCapabilities.ocr,
       AgentCapabilities.chain,
+      AgentCapabilities.ocr,
     ];
   }
 

api/server/utils/import/importConversations.js

@@ -1,6 +1,5 @@
 const fs = require('fs').promises;
 const { getImporter } = require('./importers');
-const { indexSync } = require('~/lib/db');
 const { logger } = require('~/config');
 
 /**
@@ -15,8 +14,6 @@ const importConversations = async (job) => {
     const jsonData = JSON.parse(fileData);
     const importer = getImporter(jsonData);
     await importer(jsonData, requestUserId);
-    // Sync Meilisearch index
-    await indexSync();
     logger.debug(`user: ${requestUserId} | Finished importing conversations`);
   } catch (error) {
     logger.error(`user: ${requestUserId} | Failed to import conversation: `, error);

api/server/utils/import/importers.spec.js

@@ -84,14 +84,14 @@ describe('importChatGptConvo', () => {
       const { parent } = jsonData[0].mapping[id];
 
       const expectedParentId = parent
-        ? idToUUIDMap.get(parent) ?? Constants.NO_PARENT
+        ? (idToUUIDMap.get(parent) ?? Constants.NO_PARENT)
         : Constants.NO_PARENT;
 
       const actualMessageId = idToUUIDMap.get(id);
       const actualParentId = actualMessageId
         ? importBatchBuilder.saveMessage.mock.calls.find(
-          (call) => call[0].messageId === actualMessageId,
-        )[0].parentMessageId
+            (call) => call[0].messageId === actualMessageId,
+          )[0].parentMessageId
         : Constants.NO_PARENT;
 
       expect(actualParentId).toBe(expectedParentId);
@@ -544,7 +544,7 @@ describe('processAssistantMessage', () => {
 
     // Expected output should have all citations replaced with markdown links
     const expectedOutput =
-      'Signal Sciences is a web application security company that was founded on March 10, 2014, by Andrew Peterson, Nick Galbreath, and Zane Lackey. It operates as a for-profit company with its legal name being Signal Sciences Corp. The company has achieved significant growth and is recognized as the fastest-growing web application security company in the world. Signal Sciences developed a next-gen web application firewall (NGWAF) and runtime application self-protection (RASP) technologies designed to increase security and maintain reliability without compromising the performance of modern web applications distributed across cloud, on-premise, edge, or hybrid environments ([Signal Sciences - Crunchbase Company Profile & Funding](https://www.crunchbase.com/organization/signal-sciences)) ([Demand More from Your WAF - Signal Sciences now part of Fastly](https://www.signalsciences.com/)).\n\nIn a major development, Fastly, Inc., a provider of an edge cloud platform, announced the completion of its acquisition of Signal Sciences on October 1, 2020. This acquisition was valued at approximately $775 million in cash and stock. By integrating Signal Sciences\' powerful web application and API security solutions with Fastly\'s edge cloud platform and existing security offerings, they aimed to form a unified suite of security solutions. The merger was aimed at expanding Fastly\'s security portfolio, particularly at a time when digital security has become paramount for businesses operating online ([Fastly Completes Acquisition of Signal Sciences | Fastly](https://www.fastly.com/press/press-releases/fastly-completes-acquisition-signal-sciences)) ([Fastly Agrees to Acquire Signal Sciences for $775 Million - Cooley](https://www.cooley.com/news/coverage/2020/2020-08-27-fastly-agrees-to-acquire-signal-sciences-for-775-million)).';
+      "Signal Sciences is a web application security company that was founded on March 10, 2014, by Andrew Peterson, Nick Galbreath, and Zane Lackey. It operates as a for-profit company with its legal name being Signal Sciences Corp. The company has achieved significant growth and is recognized as the fastest-growing web application security company in the world. Signal Sciences developed a next-gen web application firewall (NGWAF) and runtime application self-protection (RASP) technologies designed to increase security and maintain reliability without compromising the performance of modern web applications distributed across cloud, on-premise, edge, or hybrid environments ([Signal Sciences - Crunchbase Company Profile & Funding](https://www.crunchbase.com/organization/signal-sciences)) ([Demand More from Your WAF - Signal Sciences now part of Fastly](https://www.signalsciences.com/)).\n\nIn a major development, Fastly, Inc., a provider of an edge cloud platform, announced the completion of its acquisition of Signal Sciences on October 1, 2020. This acquisition was valued at approximately $775 million in cash and stock. By integrating Signal Sciences' powerful web application and API security solutions with Fastly's edge cloud platform and existing security offerings, they aimed to form a unified suite of security solutions. The merger was aimed at expanding Fastly's security portfolio, particularly at a time when digital security has become paramount for businesses operating online ([Fastly Completes Acquisition of Signal Sciences | Fastly](https://www.fastly.com/press/press-releases/fastly-completes-acquisition-signal-sciences)) ([Fastly Agrees to Acquire Signal Sciences for $775 Million - Cooley](https://www.cooley.com/news/coverage/2020/2020-08-27-fastly-agrees-to-acquire-signal-sciences-for-775-million)).";
 
     const result = processAssistantMessage(assistantMessage, messageText);
     expect(result).toBe(expectedOutput);
@@ -603,7 +603,7 @@ describe('processAssistantMessage', () => {
     // In a ReDoS vulnerability, time would roughly double with each size increase
     for (let i = 1; i < results.length; i++) {
       const ratio = results[i] / results[i - 1];
-      expect(ratio).toBeLessThan(2); // Processing time should not double
+      expect(ratio).toBeLessThan(3); // Allow for CI environment variability while still catching ReDoS
       console.log(`Size ${sizes[i]} processing time ratio: ${ratio}`);
     }
 

api/strategies/index.js

@@ -4,9 +4,10 @@ const googleLogin = require('./googleStrategy');
 const githubLogin = require('./githubStrategy');
 const discordLogin = require('./discordStrategy');
 const facebookLogin = require('./facebookStrategy');
-const setupOpenId = require('./openidStrategy');
+const { setupOpenId, getOpenIdConfig } = require('./openidStrategy');
 const jwtLogin = require('./jwtStrategy');
 const ldapLogin = require('./ldapStrategy');
+const openIdJwtLogin = require('./openIdJwtStrategy');
 
 module.exports = {
   appleLogin,
@@ -17,5 +18,7 @@ module.exports = {
   jwtLogin,
   facebookLogin,
   setupOpenId,
+  getOpenIdConfig,
   ldapLogin,
-};
+  openIdJwtLogin,
+};

api/strategies/jwtStrategy.js

@@ -4,7 +4,7 @@ const { getUserById, updateUser } = require('~/models');
 const { logger } = require('~/config');
 
 // JWT strategy
-const jwtLogin = async () =>
+const jwtLogin = () =>
   new JwtStrategy(
     {
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),

api/strategies/openIdJwtStrategy.js

@@ -0,0 +1,52 @@
+const { SystemRoles } = require('librechat-data-provider');
+const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
+const { updateUser, findUser } = require('~/models');
+const { logger } = require('~/config');
+const jwksRsa = require('jwks-rsa');
+const { isEnabled } = require('~/server/utils');
+/**
+ * @function openIdJwtLogin
+ * @param {import('openid-client').Configuration} openIdConfig - Configuration object for the JWT strategy.
+ * @returns {JwtStrategy}
+ * @description This function creates a JWT strategy for OpenID authentication.
+ * It uses the jwks-rsa library to retrieve the signing key from a JWKS endpoint.
+ * The strategy extracts the JWT from the Authorization header as a Bearer token.
+ * The JWT is then verified using the signing key, and the user is retrieved from the database.
+ */
+const openIdJwtLogin = (openIdConfig) =>
+  new JwtStrategy(
+    {
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      secretOrKeyProvider: jwksRsa.passportJwtSecret({
+        cache: isEnabled(process.env.OPENID_JWKS_URL_CACHE_ENABLED) || true,
+        cacheMaxAge: process.env.OPENID_JWKS_URL_CACHE_TIME
+          ? eval(process.env.OPENID_JWKS_URL_CACHE_TIME)
+          : 60000,
+        jwksUri: openIdConfig.serverMetadata().jwks_uri,
+      }),
+    },
+    async (payload, done) => {
+      try {
+        const user = await findUser({ openidId: payload?.sub });
+
+        if (user) {
+          user.id = user._id.toString();
+          if (!user.role) {
+            user.role = SystemRoles.USER;
+            await updateUser(user.id, { role: user.role });
+          }
+          done(null, user);
+        } else {
+          logger.warn(
+            '[openIdJwtLogin] openId JwtStrategy => no user found with the sub claims: ' +
+              payload?.sub,
+          );
+          done(null, false);
+        }
+      } catch (err) {
+        done(err, false);
+      }
+    },
+  );
+
+module.exports = openIdJwtLogin;

api/strategies/openidStrategy.js

@@ -1,28 +1,112 @@
+const { CacheKeys } = require('librechat-data-provider');
 const fetch = require('node-fetch');
 const passport = require('passport');
 const jwtDecode = require('jsonwebtoken/decode');
 const { HttpsProxyAgent } = require('https-proxy-agent');
-const { Issuer, Strategy: OpenIDStrategy, custom } = require('openid-client');
+const client = require('openid-client');
+const { Strategy: OpenIDStrategy } = require('openid-client/passport');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { findUser, createUser, updateUser } = require('~/models/userMethods');
 const { hashToken } = require('~/server/utils/crypto');
 const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');
+const getLogStores = require('~/cache/getLogStores');
 
-let crypto;
-try {
-  crypto = require('node:crypto');
-} catch (err) {
-  logger.error('[openidStrategy] crypto support is disabled!', err);
+/**
+ * @typedef {import('openid-client').ClientMetadata} ClientMetadata
+ * @typedef {import('openid-client').Configuration} Configuration
+ **/
+
+/** @typedef {Configuration | null}  */
+let openidConfig = null;
+
+//overload currenturl function because of express version 4 buggy req.host doesn't include port
+//More info https://github.com/panva/openid-client/pull/713
+
+class CustomOpenIDStrategy extends OpenIDStrategy {
+  currentUrl(req) {
+    const hostAndProtocol = process.env.DOMAIN_SERVER;
+    return new URL(`${hostAndProtocol}${req.originalUrl ?? req.url}`);
+  }
+
+  /**
+   * Override to ensure proper authorization request parameters
+   */
+  authorizationRequestParams(req, options) {
+    const params = super.authorizationRequestParams?.(req, options) || {};
+    if (options?.state != null && options.state && !params.has('state')) {
+      params.set('state', options.state);
+    }
+    return params;
+  }
 }
 
+/**
+ * Exchange the access token for a new access token using the on-behalf-of flow if required.
+ * @param {Configuration} config
+ * @param {string} accessToken access token to be exchanged if necessary
+ * @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
+ * @param {boolean} fromCache - Indicates whether to use cached tokens.
+ * @returns {Promise<string>} The new access token if exchanged, otherwise the original access token.
+ */
+const exchangeAccessTokenIfNeeded = async (config, accessToken, sub, fromCache = false) => {
+  const tokensCache = getLogStores(CacheKeys.OPENID_EXCHANGED_TOKENS);
+  const onBehalfFlowRequired = isEnabled(process.env.OPENID_ON_BEHALF_FLOW_FOR_USERINFRO_REQUIRED);
+  if (onBehalfFlowRequired) {
+    if (fromCache) {
+      const cachedToken = await tokensCache.get(sub);
+      if (cachedToken) {
+        return cachedToken.access_token;
+      }
+    }
+    const grantResponse = await client.genericGrantRequest(
+      config,
+      'urn:ietf:params:oauth:grant-type:jwt-bearer',
+      {
+        scope: process.env.OPENID_ON_BEHALF_FLOW_USERINFRO_SCOPE || 'user.read',
+        assertion: accessToken,
+        requested_token_use: 'on_behalf_of',
+      },
+    );
+    await tokensCache.set(
+      sub,
+      {
+        access_token: grantResponse.access_token,
+      },
+      grantResponse.expires_in * 1000,
+    );
+    return grantResponse.access_token;
+  }
+  return accessToken;
+};
+
+/**
+ * get user info from openid provider
+ * @param {Configuration} config
+ * @param {string} accessToken access token
+ * @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
+ * @returns {Promise<Object|null>}
+ */
+const getUserInfo = async (config, accessToken, sub) => {
+  try {
+    const exchangedAccessToken = await exchangeAccessTokenIfNeeded(config, accessToken, sub);
+    return await client.fetchUserInfo(config, exchangedAccessToken, sub);
+  } catch (error) {
+    logger.warn(`[openidStrategy] getUserInfo: Error fetching user info: ${error}`);
+    return null;
+  }
+};
+
 /**
  * Downloads an image from a URL using an access token.
  * @param {string} url
- * @param {string} accessToken
- * @returns {Promise<Buffer>}
+ * @param {Configuration} config
+ * @param {string} accessToken access token
+ * @param {string} sub - The subject identifier of the user. usually found as "sub" in the claims of the token
+ * @returns {Promise<Buffer | string>} The image buffer or an empty string if the download fails.
  */
-const downloadImage = async (url, accessToken) => {
+const downloadImage = async (url, config, accessToken, sub) => {
+  const exchangedAccessToken = await exchangeAccessTokenIfNeeded(config, accessToken, sub, true);
   if (!url) {
     return '';
   }
@@ -31,7 +115,7 @@ const downloadImage = async (url, accessToken) => {
     const options = {
       method: 'GET',
       headers: {
-        Authorization: `Bearer ${accessToken}`,
+        Authorization: `Bearer ${exchangedAccessToken}`,
       },
     };
 
@@ -105,63 +189,68 @@ function convertToUsername(input, defaultValue = '') {
   return defaultValue;
 }
 
+/**
+ * Sets up the OpenID strategy for authentication.
+ * This function configures the OpenID client, handles proxy settings,
+ * and defines the OpenID strategy for Passport.js.
+ *
+ * @async
+ * @function setupOpenId
+ * @returns {Promise<Configuration | null>} A promise that resolves when the OpenID strategy is set up and returns the openid client config object.
+ * @throws {Error} If an error occurs during the setup process.
+ */
 async function setupOpenId() {
   try {
-    if (process.env.PROXY) {
-      const proxyAgent = new HttpsProxyAgent(process.env.PROXY);
-      custom.setHttpOptionsDefaults({
-        agent: proxyAgent,
-      });
-      logger.info(`[openidStrategy] proxy agent added: ${process.env.PROXY}`);
-    }
-    const issuer = await Issuer.discover(process.env.OPENID_ISSUER);
-    /* Supported Algorithms, openid-client v5 doesn't set it automatically as discovered from server.
-      - id_token_signed_response_alg      // defaults to 'RS256'
-      - request_object_signing_alg        // defaults to 'RS256'
-      - userinfo_signed_response_alg      // not in v5
-      - introspection_signed_response_alg // not in v5
-      - authorization_signed_response_alg // not in v5
-    */
-    /** @type {import('openid-client').ClientMetadata} */
+    /** @type {ClientMetadata} */
     const clientMetadata = {
       client_id: process.env.OPENID_CLIENT_ID,
       client_secret: process.env.OPENID_CLIENT_SECRET,
-      redirect_uris: [process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL],
     };
-    if (isEnabled(process.env.OPENID_SET_FIRST_SUPPORTED_ALGORITHM)) {
-      clientMetadata.id_token_signed_response_alg =
-        issuer.id_token_signing_alg_values_supported?.[0] || 'RS256';
+
+    /** @type {Configuration} */
+    openidConfig = await client.discovery(
+      new URL(process.env.OPENID_ISSUER),
+      process.env.OPENID_CLIENT_ID,
+      clientMetadata,
+    );
+    if (process.env.PROXY) {
+      const proxyAgent = new HttpsProxyAgent(process.env.PROXY);
+      openidConfig[client.customFetch] = (...args) => {
+        return fetch(args[0], { ...args[1], agent: proxyAgent });
+      };
+      logger.info(`[openidStrategy] proxy agent added: ${process.env.PROXY}`);
     }
-    const client = new issuer.Client(clientMetadata);
     const requiredRole = process.env.OPENID_REQUIRED_ROLE;
     const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
     const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;
-    const openidLogin = new OpenIDStrategy(
+    const usePKCE = isEnabled(process.env.OPENID_USE_PKCE);
+    const openidLogin = new CustomOpenIDStrategy(
       {
-        client,
-        params: {
-          scope: process.env.OPENID_SCOPE,
-        },
+        config: openidConfig,
+        scope: process.env.OPENID_SCOPE,
+        callbackURL: process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL,
+        usePKCE,
       },
-      async (tokenset, userinfo, done) => {
+      async (tokenset, done) => {
         try {
-          logger.info(`[openidStrategy] verify login openidId: ${userinfo.sub}`);
-          logger.debug('[openidStrategy] very login tokenset and userinfo', { tokenset, userinfo });
-
-          let user = await findUser({ openidId: userinfo.sub });
+          const claims = tokenset.claims();
+          let user = await findUser({ openidId: claims.sub });
           logger.info(
-            `[openidStrategy] user ${user ? 'found' : 'not found'} with openidId: ${userinfo.sub}`,
+            `[openidStrategy] user ${user ? 'found' : 'not found'} with openidId: ${claims.sub}`,
           );
 
           if (!user) {
-            user = await findUser({ email: userinfo.email });
+            user = await findUser({ email: claims.email });
             logger.info(
               `[openidStrategy] user ${user ? 'found' : 'not found'} with email: ${
-                userinfo.email
-              } for openidId: ${userinfo.sub}`,
+                claims.email
+              } for openidId: ${claims.sub}`,
             );
           }
-
+          const userinfo = {
+            ...claims,
+            ...(await getUserInfo(openidConfig, tokenset.access_token, claims.sub)),
+          };
           const fullName = getFullName(userinfo);
 
           if (requiredRole) {
@@ -220,7 +309,7 @@ async function setupOpenId() {
             user.name = fullName;
           }
 
-          if (userinfo.picture && !user.avatar?.includes('manual=true')) {
+          if (!!userinfo && userinfo.picture && !user.avatar?.includes('manual=true')) {
             /** @type {string | undefined} */
             const imageUrl = userinfo.picture;
 
@@ -231,7 +320,12 @@ async function setupOpenId() {
               fileName = userinfo.sub + '.png';
             }
 
-            const imageBuffer = await downloadImage(imageUrl, tokenset.access_token);
+            const imageBuffer = await downloadImage(
+              imageUrl,
+              openidConfig,
+              tokenset.access_token,
+              userinfo.sub,
+            );
             if (imageBuffer) {
               const { saveBuffer } = getStrategyFunctions(process.env.CDN_PROVIDER);
               const imagePath = await saveBuffer({
@@ -257,18 +351,34 @@ async function setupOpenId() {
             },
           );
 
-          done(null, user);
+          done(null, { ...user, tokenset });
         } catch (err) {
           logger.error('[openidStrategy] login failed', err);
           done(err);
         }
       },
     );
-
     passport.use('openid', openidLogin);
+    return openidConfig;
   } catch (err) {
     logger.error('[openidStrategy]', err);
+    return null;
   }
 }
+/**
+ * @function getOpenIdConfig
+ * @description Returns the OpenID client instance.
+ * @throws {Error} If the OpenID client is not initialized.
+ * @returns {Configuration}
+ */
+function getOpenIdConfig() {
+  if (!openidConfig) {
+    throw new Error('OpenID client is not initialized. Please call setupOpenId first.');
+  }
+  return openidConfig;
+}
 
-module.exports = setupOpenId;
+module.exports = {
+  setupOpenId,
+  getOpenIdConfig,
+};

api/strategies/openidStrategy.spec.js

@@ -1,16 +1,13 @@
 const fetch = require('node-fetch');
 const jwtDecode = require('jsonwebtoken/decode');
-const { Issuer, Strategy: OpenIDStrategy } = require('openid-client');
 const { findUser, createUser, updateUser } = require('~/models/userMethods');
-const setupOpenId = require('./openidStrategy');
+const { setupOpenId } = require('./openidStrategy');
 
 // --- Mocks ---
 jest.mock('node-fetch');
-jest.mock('openid-client');
 jest.mock('jsonwebtoken/decode');
 jest.mock('~/server/services/Files/strategies', () => ({
   getStrategyFunctions: jest.fn(() => ({
-    // You can modify this mock as needed (here returning a dummy function)
     saveBuffer: jest.fn().mockResolvedValue('/fake/path/to/avatar.png'),
   })),
 }));
@@ -23,38 +20,73 @@ jest.mock('~/server/utils/crypto', () => ({
   hashToken: jest.fn().mockResolvedValue('hashed-token'),
 }));
 jest.mock('~/server/utils', () => ({
-  isEnabled: jest.fn(() => false), // default to false, override per test if needed
+  isEnabled: jest.fn(() => false),
 }));
 jest.mock('~/config', () => ({
   logger: {
     info: jest.fn(),
     debug: jest.fn(),
     error: jest.fn(),
+    warn: jest.fn(),
+  },
+}));
+jest.mock('~/cache/getLogStores', () =>
+  jest.fn(() => ({
+    get: jest.fn(),
+    set: jest.fn(),
+  })),
+);
+jest.mock('librechat-data-provider', () => ({
+  CacheKeys: {
+    OPENID_EXCHANGED_TOKENS: 'openid-exchanged-tokens',
   },
 }));
 
-// Mock Issuer.discover so that setupOpenId gets a fake issuer and client
-Issuer.discover = jest.fn().mockResolvedValue({
-  id_token_signing_alg_values_supported: ['RS256'],
-  Client: jest.fn().mockImplementation((clientMetadata) => {
-    return {
-      metadata: clientMetadata,
-    };
-  }),
+// Mock the openid-client module and all its dependencies
+jest.mock('openid-client', () => {
+  return {
+    discovery: jest.fn().mockResolvedValue({
+      clientId: 'fake_client_id',
+      clientSecret: 'fake_client_secret',
+      issuer: 'https://fake-issuer.com',
+      // Add any other properties needed by the implementation
+    }),
+    fetchUserInfo: jest.fn().mockImplementation((config, accessToken, sub) => {
+      // Only return additional properties, but don't override any claims
+      return Promise.resolve({
+        preferred_username: 'preferred_username',
+      });
+    }),
+    customFetch: Symbol('customFetch'),
+  };
 });
 
-// To capture the verify callback from the strategy, we grab it from the mock constructor
-let verifyCallback;
-OpenIDStrategy.mockImplementation((options, verify) => {
-  verifyCallback = verify;
-  return { name: 'openid', options, verify };
+jest.mock('openid-client/passport', () => {
+  let verifyCallback;
+  const mockStrategy = jest.fn((options, verify) => {
+    verifyCallback = verify;
+    return { name: 'openid', options, verify };
+  });
+
+  return {
+    Strategy: mockStrategy,
+    __getVerifyCallback: () => verifyCallback,
+  };
 });
 
+// Mock passport
+jest.mock('passport', () => ({
+  use: jest.fn(),
+}));
+
 describe('setupOpenId', () => {
+  // Store a reference to the verify callback once it's set up
+  let verifyCallback;
+
   // Helper to wrap the verify callback in a promise
-  const validate = (tokenset, userinfo) =>
+  const validate = (tokenset) =>
     new Promise((resolve, reject) => {
-      verifyCallback(tokenset, userinfo, (err, user, details) => {
+      verifyCallback(tokenset, (err, user, details) => {
         if (err) {
           reject(err);
         } else {
@@ -66,17 +98,16 @@ describe('setupOpenId', () => {
   const tokenset = {
     id_token: 'fake_id_token',
     access_token: 'fake_access_token',
-  };
-
-  const baseUserinfo = {
-    sub: '1234',
-    email: 'test@example.com',
-    email_verified: true,
-    given_name: 'First',
-    family_name: 'Last',
-    name: 'My Full',
-    username: 'flast',
-    picture: 'https://example.com/avatar.png',
+    claims: () => ({
+      sub: '1234',
+      email: 'test@example.com',
+      email_verified: true,
+      given_name: 'First',
+      family_name: 'Last',
+      name: 'My Full',
+      username: 'flast',
+      picture: 'https://example.com/avatar.png',
+    }),
   };
 
   beforeEach(async () => {
@@ -96,6 +127,7 @@ describe('setupOpenId', () => {
     delete process.env.OPENID_USERNAME_CLAIM;
     delete process.env.OPENID_NAME_CLAIM;
     delete process.env.PROXY;
+    delete process.env.OPENID_USE_PKCE;
 
     // Default jwtDecode mock returns a token that includes the required role.
     jwtDecode.mockReturnValue({
@@ -120,16 +152,17 @@ describe('setupOpenId', () => {
     };
     fetch.mockResolvedValue(fakeResponse);
 
-    // Finally, call the setup function so that passport.use gets called
+    // Call the setup function and capture the verify callback
     await setupOpenId();
+    verifyCallback = require('openid-client/passport').__getVerifyCallback();
   });
 
   it('should create a new user with correct username when username claim exists', async () => {
     // Arrange – our userinfo already has username 'flast'
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();
 
     // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate(tokenset);
 
     // Assert
     expect(user.username).toBe(userinfo.username);
@@ -148,13 +181,13 @@ describe('setupOpenId', () => {
 
   it('should use given_name as username when username claim is missing', async () => {
     // Arrange – remove username from userinfo
-    const userinfo = { ...baseUserinfo };
+    const userinfo = { ...tokenset.claims() };
     delete userinfo.username;
     // Expect the username to be the given name (unchanged case)
     const expectUsername = userinfo.given_name;
 
     // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate({ ...tokenset, claims: () => userinfo });
 
     // Assert
     expect(user.username).toBe(expectUsername);
@@ -167,13 +200,13 @@ describe('setupOpenId', () => {
 
   it('should use email as username when username and given_name are missing', async () => {
     // Arrange – remove username and given_name
-    const userinfo = { ...baseUserinfo };
+    const userinfo = { ...tokenset.claims() };
     delete userinfo.username;
     delete userinfo.given_name;
     const expectUsername = userinfo.email;
 
     // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate({ ...tokenset, claims: () => userinfo });
 
     // Assert
     expect(user.username).toBe(expectUsername);
@@ -187,10 +220,10 @@ describe('setupOpenId', () => {
   it('should override username with OPENID_USERNAME_CLAIM when set', async () => {
     // Arrange – set OPENID_USERNAME_CLAIM so that the sub claim is used
     process.env.OPENID_USERNAME_CLAIM = 'sub';
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();
 
     // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate(tokenset);
 
     // Assert – username should equal the sub (converted as-is)
     expect(user.username).toBe(userinfo.sub);
@@ -203,11 +236,11 @@ describe('setupOpenId', () => {
 
   it('should set the full name correctly when given_name and family_name exist', async () => {
     // Arrange
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();
     const expectedFullName = `${userinfo.given_name} ${userinfo.family_name}`;
 
     // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate(tokenset);
 
     // Assert
     expect(user.name).toBe(expectedFullName);
@@ -216,10 +249,10 @@ describe('setupOpenId', () => {
   it('should override full name with OPENID_NAME_CLAIM when set', async () => {
     // Arrange – use the name claim as the full name
     process.env.OPENID_NAME_CLAIM = 'name';
-    const userinfo = { ...baseUserinfo, name: 'Custom Name' };
+    const userinfo = { ...tokenset.claims(), name: 'Custom Name' };
 
     // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate({ ...tokenset, claims: () => userinfo });
 
     // Assert
     expect(user.name).toBe('Custom Name');
@@ -230,31 +263,31 @@ describe('setupOpenId', () => {
     const existingUser = {
       _id: 'existingUserId',
       provider: 'local',
-      email: baseUserinfo.email,
+      email: tokenset.claims().email,
       openidId: '',
       username: '',
       name: '',
     };
     findUser.mockImplementation(async (query) => {
-      if (query.openidId === baseUserinfo.sub || query.email === baseUserinfo.email) {
+      if (query.openidId === tokenset.claims().sub || query.email === tokenset.claims().email) {
         return existingUser;
       }
       return null;
     });
 
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();
 
     // Act
-    await validate(tokenset, userinfo);
+    await validate(tokenset);
 
     // Assert – updateUser should be called and the user object updated
     expect(updateUser).toHaveBeenCalledWith(
       existingUser._id,
       expect.objectContaining({
         provider: 'openid',
-        openidId: baseUserinfo.sub,
-        username: baseUserinfo.username,
-        name: `${baseUserinfo.given_name} ${baseUserinfo.family_name}`,
+        openidId: userinfo.sub,
+        username: userinfo.username,
+        name: `${userinfo.given_name} ${userinfo.family_name}`,
       }),
     );
   });
@@ -264,10 +297,10 @@ describe('setupOpenId', () => {
     jwtDecode.mockReturnValue({
       roles: ['SomeOtherRole'],
     });
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();
 
     // Act
-    const { user, details } = await validate(tokenset, userinfo);
+    const { user, details } = await validate(tokenset);
 
     // Assert – verify that the strategy rejects login
     expect(user).toBe(false);
@@ -276,10 +309,10 @@ describe('setupOpenId', () => {
 
   it('should attempt to download and save the avatar if picture is provided', async () => {
     // Arrange – ensure userinfo contains a picture URL
-    const userinfo = { ...baseUserinfo };
+    const userinfo = tokenset.claims();
 
     // Act
-    const { user } = await validate(tokenset, userinfo);
+    const { user } = await validate(tokenset);
 
     // Assert – verify that download was attempted and the avatar field was set via updateUser
     expect(fetch).toHaveBeenCalled();
@@ -289,14 +322,25 @@ describe('setupOpenId', () => {
 
   it('should not attempt to download avatar if picture is not provided', async () => {
     // Arrange – remove picture
-    const userinfo = { ...baseUserinfo };
+    const userinfo = { ...tokenset.claims() };
     delete userinfo.picture;
 
     // Act
-    await validate(tokenset, userinfo);
+    await validate({ ...tokenset, claims: () => userinfo });
 
     // Assert – fetch should not be called and avatar should remain undefined or empty
     expect(fetch).not.toHaveBeenCalled();
     // Depending on your implementation, user.avatar may be undefined or an empty string.
   });
+
+  it('should default to usePKCE false when OPENID_USE_PKCE is not defined', async () => {
+    const OpenIDStrategy = require('openid-client/passport').Strategy;
+
+    delete process.env.OPENID_USE_PKCE;
+    await setupOpenId();
+
+    const callOptions = OpenIDStrategy.mock.calls[OpenIDStrategy.mock.calls.length - 1][0];
+    expect(callOptions.usePKCE).toBe(false);
+    expect(callOptions.params?.code_challenge_method).toBeUndefined();
+  });
 });

api/strategies/socialLogin.js

@@ -7,7 +7,8 @@ const socialLogin =
   (provider, getProfileDetails) => async (accessToken, refreshToken, idToken, profile, cb) => {
     try {
       const { email, id, avatarUrl, username, name, emailVerified } = getProfileDetails({
-        idToken, profile,
+        idToken,
+        profile,
       });
 
       const oldUser = await findUser({ email: email.trim() });

api/test/__mocks__/openid-client-passport.js

@@ -0,0 +1,6 @@
+// api/test/__mocks__/openid-client-passport.js
+const Strategy = jest.fn().mockImplementation((options, verify) => {
+  return { name: 'mocked-openid-passport-strategy', options, verify };
+});
+
+module.exports = { Strategy };

api/test/__mocks__/openid-client.js

@@ -0,0 +1,67 @@
+// api/test/__mocks__/openid-client.js
+module.exports = {
+  Issuer: {
+    discover: jest.fn().mockResolvedValue({
+      Client: jest.fn().mockImplementation(() => ({
+        authorizationUrl: jest.fn().mockReturnValue('mock_auth_url'),
+        callback: jest.fn().mockResolvedValue({
+          access_token: 'mock_access_token',
+          id_token: 'mock_id_token',
+          claims: () => ({
+            sub: 'mock_sub',
+            email: 'mock@example.com',
+          }),
+        }),
+        userinfo: jest.fn().mockResolvedValue({
+          sub: 'mock_sub',
+          email: 'mock@example.com',
+        }),
+      })),
+    }),
+  },
+  Strategy: jest.fn().mockImplementation((options, verify) => {
+    // Store verify to call it if needed, or just mock the strategy behavior
+    return { name: 'openid-mock-strategy' };
+  }),
+  custom: {
+    setHttpOptionsDefaults: jest.fn(),
+  },
+  // Add any other exports from openid-client that are used directly
+  // For example, if your code uses `client.Issuer.discover`, then mock `Issuer`
+  // If it uses `new Strategy()`, then mock `Strategy`
+  // Based on openidStrategy.js, it uses:
+  // const client = require('openid-client'); -> client.discovery, client.fetchUserInfo, client.genericGrantRequest
+  // const { Strategy: OpenIDStrategy } = require('openid-client/passport');
+  // So the mock needs to cover these.
+  // The provided mock in openidStrategy.spec.js is a good reference.
+
+  // Simpler mock based on the spec file:
+  discovery: jest.fn().mockResolvedValue({
+    clientId: 'fake_client_id',
+    clientSecret: 'fake_client_secret',
+    issuer: 'https://fake-issuer.com',
+    Client: jest.fn().mockImplementation(() => ({
+      authorizationUrl: jest.fn().mockReturnValue('mock_auth_url'),
+      callback: jest.fn().mockResolvedValue({
+        access_token: 'mock_access_token',
+        id_token: 'mock_id_token',
+        claims: () => ({
+          sub: 'mock_sub',
+          email: 'mock@example.com',
+        }),
+      }),
+      userinfo: jest.fn().mockResolvedValue({
+        sub: 'mock_sub',
+        email: 'mock@example.com',
+      }),
+      grant: jest.fn().mockResolvedValue({ access_token: 'mock_grant_token' }), // For genericGrantRequest
+    })),
+  }),
+  fetchUserInfo: jest.fn().mockResolvedValue({
+    preferred_username: 'preferred_username',
+  }),
+  genericGrantRequest: jest
+    .fn()
+    .mockResolvedValue({ access_token: 'mock_grant_access_token', expires_in: 3600 }),
+  customFetch: Symbol('customFetch'),
+};

api/typedefs.js

@@ -55,6 +55,12 @@
  * @memberof typedefs
  */
 
+/**
+ * @exports MessageContentComplex
+ * @typedef {import('@librechat/agents').MessageContentComplex} MessageContentComplex
+ * @memberof typedefs
+ */
+
 /**
  * @exports EventHandler
  * @typedef {import('@librechat/agents').EventHandler} EventHandler
@@ -186,6 +192,8 @@
  * agent_index: number;
  * last_agent_index: number;
  * hide_sequential_outputs: boolean;
+ * version?: 'v1' | 'v2';
+ * streamMode?: string
  * }> & {
  * toolCall?: LangChainToolCall & { stepId?: string };
  * }} GraphRunnableConfig
@@ -473,6 +481,25 @@
  * @typedef {import('librechat-data-provider').Agents.MessageContentImageUrl} MessageContentImageUrl
  * @memberof typedefs
  */
+/** Web Search */
+
+/**
+ * @exports SearchResult
+ * @typedef {import('@librechat/agents').SearchResult} SearchResult
+ * @memberof typedefs
+ */
+
+/**
+ * @exports SearchResultData
+ * @typedef {import('@librechat/agents').SearchResultData} SearchResultData
+ * @memberof typedefs
+ */
+
+/**
+ * @exports ValidSource
+ * @typedef {import('librechat-data-provider').ValidSource} ValidSource
+ * @memberof typedefs
+ */
 
 /** Prompts */
 /**
@@ -848,6 +875,12 @@
  * @memberof typedefs
  */
 
+/**
+ * @exports IPluginAuth
+ * @typedef {import('@librechat/data-schemas').IPluginAuth} IPluginAuth
+ * @memberof typedefs
+ */
+
 /**
  * @exports ObjectId
  * @typedef {import('mongoose').Types.ObjectId} ObjectId
@@ -990,6 +1023,18 @@
  * @memberof typedefs
  */
 
+/**
+ * @exports TEphemeralAgent
+ * @typedef {import('librechat-data-provider').TEphemeralAgent} TEphemeralAgent
+ * @memberof typedefs
+ */
+
+/**
+ * @exports TWebSearchKeys
+ * @typedef {import('librechat-data-provider').TWebSearchKeys} TWebSearchKeys
+ * @memberof typedefs
+ */
+
 /**
  * @exports AgentToolResources
  * @typedef {import('librechat-data-provider').AgentToolResources} AgentToolResources

api/utils/tokens.js

@@ -105,6 +105,9 @@ const anthropicModels = {
   'claude-3.7-sonnet': 200000,
   'claude-3-5-sonnet-latest': 200000,
   'claude-3.5-sonnet-latest': 200000,
+  'claude-sonnet-4': 200000,
+  'claude-opus-4': 200000,
+  'claude-4': 200000,
 };
 
 const deepseekModels = {
@@ -246,6 +249,8 @@ const anthropicMaxOutputs = {
   'claude-3-haiku': 4096,
   'claude-3-sonnet': 4096,
   'claude-3-opus': 4096,
+  'claude-opus-4': 32000,
+  'claude-sonnet-4': 64000,
   'claude-3.5-sonnet': 8192,
   'claude-3-5-sonnet': 8192,
   'claude-3.7-sonnet': 128000,

api/utils/tokens.spec.js

@@ -649,3 +649,58 @@ describe('Grok Model Tests - Tokens', () => {
     });
   });
 });
+
+describe('Claude Model Tests', () => {
+  it('should return correct context length for Claude 4 models', () => {
+    expect(getModelMaxTokens('claude-sonnet-4')).toBe(200000);
+    expect(getModelMaxTokens('claude-opus-4')).toBe(200000);
+  });
+
+  it('should handle Claude 4 model name variations with different prefixes and suffixes', () => {
+    const modelVariations = [
+      'claude-sonnet-4',
+      'claude-sonnet-4-20240229',
+      'claude-sonnet-4-latest',
+      'anthropic/claude-sonnet-4',
+      'claude-sonnet-4/anthropic',
+      'claude-sonnet-4-preview',
+      'claude-sonnet-4-20240229-preview',
+      'claude-opus-4',
+      'claude-opus-4-20240229',
+      'claude-opus-4-latest',
+      'anthropic/claude-opus-4',
+      'claude-opus-4/anthropic',
+      'claude-opus-4-preview',
+      'claude-opus-4-20240229-preview',
+    ];
+
+    modelVariations.forEach((model) => {
+      expect(getModelMaxTokens(model)).toBe(200000);
+    });
+  });
+
+  it('should match model names correctly for Claude 4 models', () => {
+    const modelVariations = [
+      'claude-sonnet-4',
+      'claude-sonnet-4-20240229',
+      'claude-sonnet-4-latest',
+      'anthropic/claude-sonnet-4',
+      'claude-sonnet-4/anthropic',
+      'claude-sonnet-4-preview',
+      'claude-sonnet-4-20240229-preview',
+      'claude-opus-4',
+      'claude-opus-4-20240229',
+      'claude-opus-4-latest',
+      'anthropic/claude-opus-4',
+      'claude-opus-4/anthropic',
+      'claude-opus-4-preview',
+      'claude-opus-4-20240229-preview',
+    ];
+
+    modelVariations.forEach((model) => {
+      const isSonnet = model.includes('sonnet');
+      const expectedModel = isSonnet ? 'claude-sonnet-4' : 'claude-opus-4';
+      expect(matchModelName(model, EModelEndpoint.anthropic)).toBe(expectedModel);
+    });
+  });
+});

charts/librechat/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

charts/librechat/Chart.yaml

@@ -1,4 +0,0 @@
-apiVersion: v2
-name: librechat
-type: application
-version: 1.0.0

charts/librechat/templates/NOTES.txt

@@ -1,22 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
-  {{- range .paths }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
-  {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "librechat.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "librechat.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "librechat.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "librechat.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}

charts/librechat/templates/_helpers.tpl

@@ -1,74 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "librechat.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "librechat.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "librechat.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "librechat.labels" -}}
-helm.sh/chart: {{ include "librechat.chart" . }}
-{{ include "librechat.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "librechat.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "librechat.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "librechat.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "librechat.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Print string from list split by ,
-*/}}
-{{- define "model.list" -}}
-{{- range $idx, $val := $.Values.configEndpoint.models -}}
-{{- if $idx }}
-{{- print ", "  -}} 
-{{- end -}}
-{{- $val -}}
-{{- end -}}
-{{- end -}}

charts/librechat/templates/configmap-env.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "librechat.fullname" . }}-env
-  labels:
-    {{- include "librechat.labels" . | nindent 4 }}
-data:
-{{- range $key, $val := .Values.config.env }}
-  {{ $key }}: {{ $val | quote }}
-{{- end }}

charts/librechat/templates/deployment.yaml

@@ -1,81 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "librechat.fullname" . }}
-  labels:
-    {{- include "librechat.labels" . | nindent 4 }}
-spec:
-  {{- if not .Values.autoscaling.enabled }}
-  replicas: {{ .Values.replicaCount }}
-  {{- end }}
-  selector:
-    matchLabels:
-      {{- include "librechat.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "librechat.selectorLabels" . | nindent 8 }}
-        {{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "librechat.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          envFrom:
-            {{ if .Values.config.envSecrets.secretRef }}
-            - secretRef:
-                name: {{ .Values.config.envSecrets.secretRef }}
-            {{- end }}
-            - configMapRef:
-                name: {{ include "librechat.fullname" . }}-env
-          env:
-            {{- range $secretKeyRef := .Values.config.envSecrets.secretKeyRef }}
-            - name: {{ $secretKeyRef.name }}
-              valueFrom:
-                secretKeyRef:
-                  name: {{ $secretKeyRef.secretName }}
-                  key: {{ $secretKeyRef.secretKey }}
-            {{- end }}
-          ports:
-            - name: http
-              containerPort: 3080
-              protocol: TCP
-          livenessProbe:
-            initialDelaySeconds: 5
-            httpGet:
-              path: /
-              port: http
-          readinessProbe:
-            initialDelaySeconds: 5
-            httpGet:
-              path: /
-              port: http
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

charts/librechat/templates/hpa.yaml

@@ -1,28 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
-  name: {{ include "librechat.fullname" . }}
-  labels:
-    {{- include "librechat.labels" . | nindent 4 }}
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: {{ include "librechat.fullname" . }}
-  minReplicas: {{ .Values.autoscaling.minReplicas }}
-  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
-  metrics:
-    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: cpu
-        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
-    {{- end }}
-    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: memory
-        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
-    {{- end }}
-{{- end }}

charts/librechat/templates/ingress.yaml

@@ -1,61 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "librechat.fullname" . -}}
-{{- $svcPort := .Values.service.port -}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-    {{- include "librechat.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ .Values.ingress.className }}
-  {{- end }}
-  {{- if .Values.ingress.tls }}
-  tls:
-    {{- range .Values.ingress.tls }}
-    - hosts:
-        {{- range .hosts }}
-        - {{ . | quote }}
-        {{- end }}
-      secretName: {{ .secretName }}
-    {{- end }}
-  {{- end }}
-  rules:
-    {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
-      http:
-        paths:
-          {{- range .paths }}
-          - path: {{ .path }}
-            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
-            pathType: {{ .pathType }}
-            {{- end }}
-            backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
-              service:
-                name: {{ $fullName }}
-                port:
-                  number: {{ $svcPort }}
-              {{- else }}
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
-              {{- end }}
-          {{- end }}
-    {{- end }}
-{{- end }}

charts/librechat/templates/service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "librechat.fullname" . }}
-  labels:
-    {{- include "librechat.labels" . | nindent 4 }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "librechat.selectorLabels" . | nindent 4 }}

charts/librechat/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "librechat.serviceAccountName" . }}
-  labels:
-    {{- include "librechat.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

charts/librechat/values.yaml

@@ -1,112 +0,0 @@
-# Default values for librechat.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
-  repository: ghcr.io/danny-avila/librechat
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-podAnnotations: {}
-
-podLabels: {}
-
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
-networkPolicies:
-  enabled: true
-
-service:
-  type: LoadBalancer
-  port: 80
-
-ingress:
-  enabled: true
-  className: "nginx"
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  hosts:
-    - host: chat.example.com
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-
-resources: {}
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-autoscaling:
-  enabled: false
-  minReplicas: 1
-  maxReplicas: 100
-  targetCPUUtilizationPercentage: 80
-  # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-  
-config:
-  envSecrets:
-    # Use this when using one k8s secret for multiply env secrets
-    # secretRef: librechat
-
-    # Use this when using one k8s secret for each env secret
-    secretKeyRef: []
-#      - name: CREDS_IV
-#        secretName: librechat
-#        secretKey: CREDS_IV
-
-  env:
-    # Full list of possible values
-    # https://github.com/danny-avila/LibreChat/blob/main/.env.example
-    ALLOW_EMAIL_LOGIN: "true"
-    ALLOW_REGISTRATION: "true"
-    ALLOW_SOCIAL_LOGIN: "false"
-    ALLOW_SOCIAL_REGISTRATION: "false"
-    APP_TITLE: "Librechat"
-    CUSTOM_FOOTER: "Provided with ❤️"
-    DEBUG_CONSOLE: "true"
-    DEBUG_LOGGING: "true"
-    DEBUG_OPENAI: "true"
-    DEBUG_PLUGINS: "true"
-    DOMAIN_CLIENT: ""
-    DOMAIN_SERVER: ""
-    ENDPOINTS: "openAI,azureOpenAI,chatGPTBrowser,google,gptPlugins,anthropic"
-    SEARCH: false 

client/package.json

@@ -87,7 +87,7 @@
     "react-i18next": "^15.4.0",
     "react-lazy-load-image-component": "^1.6.0",
     "react-markdown": "^9.0.1",
-    "react-resizable-panels": "^2.1.8",
+    "react-resizable-panels": "^3.0.2",
     "react-router-dom": "^6.11.2",
     "react-speech-recognition": "^3.10.0",
     "react-textarea-autosize": "^8.4.0",
@@ -139,6 +139,7 @@
     "postcss": "^8.4.31",
     "postcss-loader": "^7.1.0",
     "postcss-preset-env": "^8.2.0",
+    "rollup-plugin-visualizer": "^6.0.0",
     "tailwindcss": "^3.4.1",
     "ts-jest": "^29.2.5",
     "typescript": "^5.3.3",

client/src/Providers/SearchContext.tsx

@@ -0,0 +1,9 @@
+import { createContext, useContext } from 'react';
+import type { SearchResultData } from 'librechat-data-provider';
+
+type SearchContext = {
+  searchResults?: { [key: string]: SearchResultData };
+};
+
+export const SearchContext = createContext<SearchContext>({} as SearchContext);
+export const useSearchContext = () => useContext(SearchContext);

client/src/Providers/index.ts

@@ -20,3 +20,4 @@ export * from './ArtifactContext';
 export * from './CodeBlockContext';
 export * from './ToolCallsMapContext';
 export * from './SetConvoContext';
+export * from './SearchContext';

client/src/common/agents-types.ts

@@ -10,6 +10,7 @@ export type TAgentOption = OptionWithIcon &
   };
 
 export type TAgentCapabilities = {
+  [AgentCapabilities.web_search]: boolean;
   [AgentCapabilities.file_search]: boolean;
   [AgentCapabilities.execute_code]: boolean;
   [AgentCapabilities.end_after_tools]?: boolean;

client/src/components/Auth/LoginForm.tsx

@@ -16,6 +16,7 @@ type TLoginFormProps = {
 const LoginForm: React.FC<TLoginFormProps> = ({ onSubmit, startupConfig, error, setError }) => {
   const localize = useLocalize();
   const { theme } = useContext(ThemeContext);
+
   const {
     register,
     getValues,
@@ -28,10 +29,8 @@ const LoginForm: React.FC<TLoginFormProps> = ({ onSubmit, startupConfig, error,
   const { data: config } = useGetStartupConfig();
   const useUsernameLogin = config?.ldap?.username;
   const validTheme = theme === 'dark' ? 'dark' : 'light';
-
   const requireCaptcha = Boolean(startupConfig.turnstile?.siteKey);
 
-
   useEffect(() => {
     if (error && error.includes('422') && !showResendLink) {
       setShowResendLink(true);
@@ -151,7 +150,6 @@ const LoginForm: React.FC<TLoginFormProps> = ({ onSubmit, startupConfig, error,
           </a>
         )}
 
-
         {requireCaptcha && (
           <div className="my-4 flex justify-center">
             <Turnstile

client/src/components/Auth/Registration.tsx

@@ -32,6 +32,7 @@ const Registration: React.FC = () => {
   const queryParams = new URLSearchParams(location.search);
   const token = queryParams.get('token');
   const validTheme = theme === 'dark' ? 'dark' : 'light';
+
   // only require captcha if we have a siteKey
   const requireCaptcha = Boolean(startupConfig?.turnstile?.siteKey);
 
@@ -178,7 +179,6 @@ const Registration: React.FC = () => {
             })}
 
             {startupConfig?.turnstile?.siteKey && (
-
               <div className="my-4 flex justify-center">
                 <Turnstile
                   siteKey={startupConfig.turnstile.siteKey}
@@ -198,7 +198,6 @@ const Registration: React.FC = () => {
                 disabled={
                   Object.keys(errors).length > 0 ||
                   isSubmitting ||
-
                   (requireCaptcha && !turnstileToken)
                 }
                 type="submit"

client/src/components/Chat/Input/BadgeRow.tsx

@@ -15,6 +15,7 @@ import type { BadgeItem } from '~/common';
 import { useChatBadges } from '~/hooks';
 import { Badge } from '~/components/ui';
 import MCPSelect from './MCPSelect';
+import WebSearch from './WebSearch';
 import store from '~/store';
 
 interface BadgeRowProps {
@@ -354,6 +355,7 @@ function BadgeRow({
       )}
       {showEphemeralBadges === true && (
         <>
+          <WebSearch conversationId={conversationId} />
           <CodeInterpreter conversationId={conversationId} />
           <MCPSelect conversationId={conversationId} />
         </>

client/src/components/Chat/Input/CodeInterpreter.tsx

@@ -1,5 +1,5 @@
 import debounce from 'lodash/debounce';
-import React, { memo, useMemo, useCallback } from 'react';
+import React, { memo, useMemo, useCallback, useRef } from 'react';
 import { useRecoilState } from 'recoil';
 import { TerminalSquareIcon } from 'lucide-react';
 import {
@@ -32,6 +32,7 @@ const storageCondition = (value: unknown, rawCurrentValue?: string | null) => {
 };
 
 function CodeInterpreter({ conversationId }: { conversationId?: string | null }) {
+  const triggerRef = useRef<HTMLInputElement>(null);
   const localize = useLocalize();
   const key = conversationId ?? Constants.NEW_CONVO;
 
@@ -73,9 +74,10 @@ function CodeInterpreter({ conversationId }: { conversationId?: string | null })
   );
 
   const handleChange = useCallback(
-    (isChecked: boolean) => {
+    (e: React.ChangeEvent<HTMLInputElement>, isChecked: boolean) => {
       if (!isAuthenticated) {
         setIsDialogOpen(true);
+        e.preventDefault();
         return;
       }
       setRunCode(isChecked);
@@ -95,6 +97,7 @@ function CodeInterpreter({ conversationId }: { conversationId?: string | null })
   return (
     <>
       <CheckboxButton
+        ref={triggerRef}
         className="max-w-fit"
         defaultChecked={runCode}
         setValue={debouncedChange}
@@ -105,6 +108,7 @@ function CodeInterpreter({ conversationId }: { conversationId?: string | null })
       <ApiKeyDialog
         onSubmit={onSubmit}
         isOpen={isDialogOpen}
+        triggerRef={triggerRef}
         register={methods.register}
         onRevoke={handleRevokeApiKey}
         onOpenChange={setIsDialogOpen}

client/src/components/Chat/Input/PopoverButtons.tsx

@@ -26,7 +26,7 @@ export default function PopoverButtons({
   buttonClass?: string;
   iconClass?: string;
   endpoint?: EModelEndpoint | string;
-  endpointType?: EModelEndpoint | string;
+  endpointType?: EModelEndpoint | string | null;
   model?: string | null;
 }) {
   const {

client/src/components/Chat/Input/WebSearch.tsx

@@ -0,0 +1,123 @@
+import React, { memo, useRef, useMemo, useCallback } from 'react';
+import { Globe } from 'lucide-react';
+import debounce from 'lodash/debounce';
+import { useRecoilState } from 'recoil';
+import {
+  Tools,
+  AuthType,
+  Constants,
+  Permissions,
+  PermissionTypes,
+  LocalStorageKeys,
+} from 'librechat-data-provider';
+import ApiKeyDialog from '~/components/SidePanel/Agents/Search/ApiKeyDialog';
+import { useLocalize, useHasAccess, useSearchApiKeyForm } from '~/hooks';
+import CheckboxButton from '~/components/ui/CheckboxButton';
+import useLocalStorage from '~/hooks/useLocalStorageAlt';
+import { useVerifyAgentToolAuth } from '~/data-provider';
+import { ephemeralAgentByConvoId } from '~/store';
+
+const storageCondition = (value: unknown, rawCurrentValue?: string | null) => {
+  if (rawCurrentValue) {
+    try {
+      const currentValue = rawCurrentValue?.trim() ?? '';
+      if (currentValue === 'true' && value === false) {
+        return true;
+      }
+    } catch (e) {
+      console.error(e);
+    }
+  }
+  return value !== undefined && value !== null && value !== '' && value !== false;
+};
+
+function WebSearch({ conversationId }: { conversationId?: string | null }) {
+  const triggerRef = useRef<HTMLInputElement>(null);
+  const localize = useLocalize();
+  const key = conversationId ?? Constants.NEW_CONVO;
+
+  const canUseWebSearch = useHasAccess({
+    permissionType: PermissionTypes.WEB_SEARCH,
+    permission: Permissions.USE,
+  });
+  const [ephemeralAgent, setEphemeralAgent] = useRecoilState(ephemeralAgentByConvoId(key));
+  const isWebSearchToggleEnabled = useMemo(() => {
+    return ephemeralAgent?.web_search ?? false;
+  }, [ephemeralAgent?.web_search]);
+
+  const { data } = useVerifyAgentToolAuth(
+    { toolId: Tools.web_search },
+    {
+      retry: 1,
+    },
+  );
+  const authTypes = useMemo(() => data?.authTypes ?? [], [data?.authTypes]);
+  const isAuthenticated = useMemo(() => data?.authenticated ?? false, [data?.authenticated]);
+  const { methods, onSubmit, isDialogOpen, setIsDialogOpen, handleRevokeApiKey } =
+    useSearchApiKeyForm({});
+
+  const setValue = useCallback(
+    (isChecked: boolean) => {
+      setEphemeralAgent((prev) => ({
+        ...prev,
+        web_search: isChecked,
+      }));
+    },
+    [setEphemeralAgent],
+  );
+
+  const [webSearch, setWebSearch] = useLocalStorage<boolean>(
+    `${LocalStorageKeys.LAST_WEB_SEARCH_TOGGLE_}${key}`,
+    isWebSearchToggleEnabled,
+    setValue,
+    storageCondition,
+  );
+
+  const handleChange = useCallback(
+    (e: React.ChangeEvent<HTMLInputElement>, isChecked: boolean) => {
+      if (!isAuthenticated) {
+        setIsDialogOpen(true);
+        e.preventDefault();
+        return;
+      }
+      setWebSearch(isChecked);
+    },
+    [setWebSearch, setIsDialogOpen, isAuthenticated],
+  );
+
+  const debouncedChange = useMemo(
+    () => debounce(handleChange, 50, { leading: true }),
+    [handleChange],
+  );
+
+  if (!canUseWebSearch) {
+    return null;
+  }
+
+  return (
+    <>
+      <CheckboxButton
+        ref={triggerRef}
+        className="max-w-fit"
+        defaultChecked={webSearch}
+        setValue={debouncedChange}
+        label={localize('com_ui_search')}
+        isCheckedClassName="border-blue-600/40 bg-blue-500/10 hover:bg-blue-700/10"
+        icon={<Globe className="icon-md" />}
+      />
+      <ApiKeyDialog
+        onSubmit={onSubmit}
+        authTypes={authTypes}
+        isOpen={isDialogOpen}
+        triggerRef={triggerRef}
+        register={methods.register}
+        onRevoke={handleRevokeApiKey}
+        onOpenChange={setIsDialogOpen}
+        handleSubmit={methods.handleSubmit}
+        isToolAuthenticated={isAuthenticated}
+      />
+    </>
+  );
+}
+
+export default memo(WebSearch);

client/src/components/Chat/Menus/Presets/EditPresetDialog.tsx

@@ -10,10 +10,16 @@ import {
   mapEndpoints,
   getConvoSwitchLogic,
 } from '~/utils';
-import { Input, Label, SelectDropDown, Dialog, DialogClose, DialogButton } from '~/components';
+import {
+  Input,
+  Label,
+  OGDialog,
+  OGDialogTitle,
+  SelectDropDown,
+  OGDialogContent,
+} from '~/components';
 import { useSetIndexOptions, useLocalize, useDebouncedInput } from '~/hooks';
 import PopoverButtons from '~/components/Chat/Input/PopoverButtons';
-import DialogTemplate from '~/components/ui/DialogTemplate';
 import { EndpointSettings } from '~/components/Endpoints';
 import { useGetEndpointsQuery } from '~/data-provider';
 import { useChatContext } from '~/Providers';
@@ -117,111 +123,107 @@ const EditPresetDialog = ({
     [queryClient, setOptions],
   );
 
+  const handleOpenChange = (open: boolean) => {
+    setPresetModalVisible(open);
+    if (!open) {
+      setPreset(null);
+    }
+  };
+
   const { endpoint: _endpoint, endpointType, model } = preset || {};
   const endpoint = _endpoint ?? '';
+
   if (!endpoint) {
     return null;
-  } else if (isAgentsEndpoint(endpoint)) {
+  }
+
+  if (isAgentsEndpoint(endpoint)) {
     return null;
   }
 
   return (
-    <Dialog
-      open={presetModalVisible}
-      onOpenChange={(open) => {
-        setPresetModalVisible(open);
-        if (!open) {
-          setPreset(null);
-        }
-      }}
-    >
-      <DialogTemplate
-        title={`${localize('com_ui_edit') + ' ' + localize('com_endpoint_preset')} - ${
-          preset?.title
-        }`}
-        className="h-full max-w-full overflow-y-auto pb-4 sm:w-[680px] sm:pb-0 md:h-[720px] md:w-[750px] md:overflow-y-hidden lg:w-[950px] xl:h-[720px]"
-        main={
-          <div className="flex w-full flex-col items-center gap-2 md:h-[550px] md:overflow-y-auto">
-            <div className="grid w-full">
-              <div className="col-span-4 flex flex-col items-start justify-start gap-6 pb-4 md:flex-row">
-                <div className="flex w-full flex-col">
-                  <Label htmlFor="preset-name" className="mb-1 text-left text-sm font-medium">
-                    {localize('com_endpoint_preset_name')}
-                  </Label>
-                  <Input
-                    id="preset-name"
-                    value={(title as string | undefined) ?? ''}
-                    onChange={onTitleChange}
-                    placeholder={localize('com_endpoint_set_custom_name')}
-                    className={cn(
-                      defaultTextProps,
-                      'flex h-10 max-h-10 w-full resize-none px-3 py-2',
-                      removeFocusOutlines,
-                    )}
-                  />
-                </div>
-                <div className="flex w-full flex-col">
-                  <Label htmlFor="endpoint" className="mb-1 text-left text-sm font-medium">
-                    {localize('com_endpoint')}
-                  </Label>
-                  <SelectDropDown
-                    value={endpoint || ''}
-                    setValue={switchEndpoint}
-                    showLabel={false}
-                    emptyTitle={true}
-                    searchPlaceholder={localize('com_endpoint_search')}
-                    availableValues={availableEndpoints}
-                  />
-                </div>
-              </div>
-              <div className="col-span-2 flex items-start justify-between gap-4 sm:col-span-4">
-                <div className="flex w-full flex-col">
-                  <Label
-                    htmlFor="endpoint"
-                    className="mb-1 hidden text-left text-sm font-medium sm:block"
-                  >
-                    {'ㅤ'}
-                  </Label>
-                  <PopoverButtons
-                    buttonClass="ml-0 w-full border border-border-medium p-2 h-[40px] justify-center mt-0"
-                    iconClass="hidden lg:block w-4 "
-                    endpoint={endpoint}
-                    endpointType={endpointType}
-                    model={model}
-                  />
-                </div>
-              </div>
+    <OGDialog open={presetModalVisible} onOpenChange={handleOpenChange}>
+      <OGDialogContent className="h-[100dvh] max-h-[100dvh] w-full max-w-full overflow-y-auto bg-white dark:border-gray-700 dark:bg-gray-850 dark:text-gray-300 md:h-auto md:max-h-[90vh] md:max-w-[75vw] md:rounded-lg lg:max-w-[950px]">
+        <OGDialogTitle>
+          {`${localize('com_ui_edit')} ${localize('com_endpoint_preset')} - ${preset?.title}`}
+        </OGDialogTitle>
+
+        <div className="flex w-full flex-col gap-2 px-1 pb-4 md:gap-4">
+          {/* Header section with preset name and endpoint */}
+          <div className="grid w-full gap-2 md:grid-cols-2 md:gap-4">
+            <div className="flex w-full flex-col">
+              <Label htmlFor="preset-name" className="mb-1 text-left text-sm font-medium">
+                {localize('com_endpoint_preset_name')}
+              </Label>
+              <Input
+                id="preset-name"
+                value={(title as string | undefined) ?? ''}
+                onChange={onTitleChange}
+                placeholder={localize('com_endpoint_set_custom_name')}
+                className={cn(
+                  defaultTextProps,
+                  'flex h-10 max-h-10 w-full resize-none px-3 py-2',
+                  removeFocusOutlines,
+                )}
+              />
             </div>
-            <div className="my-4 w-full border-t border-border-medium" />
-            <div className="w-full p-0">
-              <EndpointSettings
-                conversation={preset}
-                setOption={setOption}
-                isPreset={true}
-                className="h-full text-text-primary md:mb-4 md:h-[440px]"
+            <div className="flex w-full flex-col">
+              <Label htmlFor="endpoint" className="mb-1 text-left text-sm font-medium">
+                {localize('com_endpoint')}
+              </Label>
+              <SelectDropDown
+                value={endpoint || ''}
+                setValue={switchEndpoint}
+                showLabel={false}
+                emptyTitle={true}
+                searchPlaceholder={localize('com_endpoint_search')}
+                availableValues={availableEndpoints}
               />
             </div>
           </div>
-        }
-        buttons={
-          <div className="mb-6 md:mb-2">
-            <DialogButton
+
+          {/* PopoverButtons section */}
+          <div className="flex w-full">
+            <PopoverButtons
+              buttonClass="ml-0 w-full border border-border-medium p-2 h-[40px] justify-center mt-0"
+              iconClass="hidden lg:block w-4"
+              endpoint={endpoint}
+              endpointType={endpointType}
+              model={model}
+            />
+          </div>
+
+          {/* Separator */}
+          <div className="w-full border-t border-border-medium" />
+
+          {/* Settings section */}
+          <div className="w-full flex-1">
+            <EndpointSettings
+              conversation={preset}
+              setOption={setOption}
+              isPreset={true}
+              className="text-text-primary"
+            />
+          </div>
+
+          {/* Action buttons */}
+          <div className="flex justify-end gap-2 border-t border-border-medium pt-2 md:pt-4">
+            <button
               onClick={exportPreset}
-              className="border-gray-100 hover:bg-gray-100 dark:border-gray-600 dark:hover:bg-gray-600"
+              className="rounded-md border border-gray-300 bg-white px-3 py-2 text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2 dark:border-gray-600 dark:bg-gray-800 dark:text-gray-300 dark:hover:bg-gray-700 md:px-4"
             >
               {localize('com_endpoint_export')}
-            </DialogButton>
-            <DialogClose
+            </button>
+            <button
               onClick={submitPreset}
-              className="ml-2 bg-green-500 text-white hover:bg-green-600 dark:hover:bg-green-600"
+              className="rounded-md bg-green-500 px-3 py-2 text-sm font-medium text-white hover:bg-green-600 focus:outline-none focus:ring-2 focus:ring-green-500 focus:ring-offset-2 md:px-4"
             >
               {localize('com_ui_save')}
-            </DialogClose>
+            </button>
           </div>
-        }
-        footerClassName="bg-white dark:bg-gray-700"
-      />
-    </Dialog>
+        </div>
+      </OGDialogContent>
+    </OGDialog>
   );
 };
 

client/src/components/Chat/Messages/Content/ContentParts.tsx

@@ -1,11 +1,17 @@
 import { memo, useMemo, useState } from 'react';
-import { useRecoilValue, useRecoilState } from 'recoil';
+import { useRecoilState } from 'recoil';
 import { ContentTypes } from 'librechat-data-provider';
-import type { TMessageContentParts, TAttachment, Agents } from 'librechat-data-provider';
+import type {
+  TMessageContentParts,
+  SearchResultData,
+  TAttachment,
+  Agents,
+} from 'librechat-data-provider';
 import { ThinkingButton } from '~/components/Artifacts/Thinking';
+import { MessageContext, SearchContext } from '~/Providers';
+import Sources from '~/components/Web/Sources';
 import useLocalize from '~/hooks/useLocalize';
 import { mapAttachments } from '~/utils/map';
-import { MessageContext } from '~/Providers';
 import { EditTextPart } from './Parts';
 import store from '~/store';
 import Part from './Part';
@@ -15,6 +21,7 @@ type ContentPartsProps = {
   messageId: string;
   conversationId?: string | null;
   attachments?: TAttachment[];
+  searchResults?: { [key: string]: SearchResultData };
   isCreatedByUser: boolean;
   isLast: boolean;
   isSubmitting: boolean;
@@ -33,6 +40,7 @@ const ContentParts = memo(
     messageId,
     conversationId,
     attachments,
+    searchResults,
     isCreatedByUser,
     isLast,
     isSubmitting,
@@ -44,11 +52,7 @@ const ContentParts = memo(
     const localize = useLocalize();
     const [showThinking, setShowThinking] = useRecoilState<boolean>(store.showThinking);
     const [isExpanded, setIsExpanded] = useState(showThinking);
-    const messageAttachmentsMap = useRecoilValue(store.messageAttachmentsMap);
-    const attachmentMap = useMemo(
-      () => mapAttachments(attachments ?? messageAttachmentsMap[messageId] ?? []),
-      [attachments, messageAttachmentsMap, messageId],
-    );
+    const attachmentMap = useMemo(() => mapAttachments(attachments ?? []), [attachments]);
 
     const hasReasoningParts = useMemo(() => {
       const hasThinkPart = content?.some((part) => part?.type === ContentTypes.THINK) ?? false;
@@ -98,53 +102,56 @@ const ContentParts = memo(
 
     return (
       <>
-        {hasReasoningParts && (
-          <div className="mb-5">
-            <ThinkingButton
-              isExpanded={isExpanded}
-              onClick={() =>
-                setIsExpanded((prev) => {
-                  const val = !prev;
-                  setShowThinking(val);
-                  return val;
-                })
-              }
-              label={
-                isSubmitting && isLast ? localize('com_ui_thinking') : localize('com_ui_thoughts')
-              }
-            />
-          </div>
-        )}
-        {content
-          .filter((part) => part)
-          .map((part, idx) => {
-            const toolCallId =
-              (part?.[ContentTypes.TOOL_CALL] as Agents.ToolCall | undefined)?.id ?? '';
-            const attachments = attachmentMap[toolCallId];
+        <SearchContext.Provider value={{ searchResults }}>
+          <Sources />
+          {hasReasoningParts && (
+            <div className="mb-5">
+              <ThinkingButton
+                isExpanded={isExpanded}
+                onClick={() =>
+                  setIsExpanded((prev) => {
+                    const val = !prev;
+                    setShowThinking(val);
+                    return val;
+                  })
+                }
+                label={
+                  isSubmitting && isLast ? localize('com_ui_thinking') : localize('com_ui_thoughts')
+                }
+              />
+            </div>
+          )}
+          {content
+            .filter((part) => part)
+            .map((part, idx) => {
+              const toolCallId =
+                (part?.[ContentTypes.TOOL_CALL] as Agents.ToolCall | undefined)?.id ?? '';
+              const attachments = attachmentMap[toolCallId];
 
-            return (
-              <MessageContext.Provider
-                key={`provider-${messageId}-${idx}`}
-                value={{
-                  messageId,
-                  conversationId,
-                  partIndex: idx,
-                  isExpanded,
-                  nextType: content[idx + 1]?.type,
-                }}
-              >
-                <Part
-                  part={part}
-                  attachments={attachments}
-                  isSubmitting={isSubmitting}
-                  key={`part-${messageId}-${idx}`}
-                  isCreatedByUser={isCreatedByUser}
-                  isLast={idx === content.length - 1}
-                  showCursor={idx === content.length - 1 && isLast}
-                />
-              </MessageContext.Provider>
-            );
-          })}
+              return (
+                <MessageContext.Provider
+                  key={`provider-${messageId}-${idx}`}
+                  value={{
+                    messageId,
+                    isExpanded,
+                    conversationId,
+                    partIndex: idx,
+                    nextType: content[idx + 1]?.type,
+                  }}
+                >
+                  <Part
+                    part={part}
+                    attachments={attachments}
+                    isSubmitting={isSubmitting}
+                    key={`part-${messageId}-${idx}`}
+                    isCreatedByUser={isCreatedByUser}
+                    isLast={idx === content.length - 1}
+                    showCursor={idx === content.length - 1 && isLast}
+                  />
+                </MessageContext.Provider>
+              );
+            })}
+        </SearchContext.Provider>
       </>
     );
   },

client/src/components/Chat/Messages/Content/Markdown.tsx

@@ -15,10 +15,12 @@ import {
   CodeBlockProvider,
   useCodeBlockContext,
 } from '~/Providers';
+import { Citation, CompositeCitation, HighlightedText } from '~/components/Web/Citation';
 import { Artifact, artifactPlugin } from '~/components/Artifacts/Artifact';
 import { langSubset, preprocessLaTeX, handleDoubleClick } from '~/utils';
 import CodeBlock from '~/components/Messages/Content/CodeBlock';
 import useHasAccess from '~/hooks/Roles/useHasAccess';
+import { unicodeCitation } from '~/components/Web';
 import { useFileDownload } from '~/data-provider';
 import useLocalize from '~/hooks/useLocalize';
 import store from '~/store';
@@ -197,16 +199,14 @@ const Markdown = memo(({ content = '', isLatestMessage }: TContentProps) => {
     [],
   );
 
-  const remarkPlugins: Pluggable[] = useMemo(
-    () => [
-      supersub,
-      remarkGfm,
-      remarkDirective,
-      artifactPlugin,
-      [remarkMath, { singleDollarTextMath: true }],
-    ],
-    [],
-  );
+  const remarkPlugins: Pluggable[] = [
+    supersub,
+    remarkGfm,
+    remarkDirective,
+    artifactPlugin,
+    [remarkMath, { singleDollarTextMath: true }],
+    unicodeCitation,
+  ];
 
   if (isInitializing) {
     return (
@@ -232,6 +232,9 @@ const Markdown = memo(({ content = '', isLatestMessage }: TContentProps) => {
               a,
               p,
               artifact: Artifact,
+              citation: Citation,
+              'highlighted-text': HighlightedText,
+              'composite-citation': CompositeCitation,
             } as {
               [nodeType: string]: React.ElementType;
             }

client/src/components/Chat/Messages/Content/Part.tsx

@@ -12,6 +12,7 @@ import { ErrorMessage } from './MessageContent';
 import RetrievalCall from './RetrievalCall';
 import CodeAnalyze from './CodeAnalyze';
 import Container from './Container';
+import WebSearch from './WebSearch';
 import ToolCall from './ToolCall';
 import ImageGen from './ImageGen';
 import Image from './Image';
@@ -107,6 +108,16 @@ const Part = memo(
             attachments={attachments}
           />
         );
+      } else if (isToolCall && toolCall.name === Tools.web_search) {
+        return (
+          <WebSearch
+            output={toolCall.output ?? ''}
+            initialProgress={toolCall.progress ?? 0.1}
+            isSubmitting={isSubmitting}
+            attachments={attachments}
+            isLast={isLast}
+          />
+        );
       } else if (isToolCall) {
         return (
           <ToolCall

client/src/components/Chat/Messages/Content/Parts/Attachment.tsx

@@ -1,5 +1,5 @@
 import { memo, useState, useEffect } from 'react';
-import { imageExtRegex } from 'librechat-data-provider';
+import { imageExtRegex, Tools } from 'librechat-data-provider';
 import type { TAttachment, TFile, TAttachmentMetadata } from 'librechat-data-provider';
 import FileContainer from '~/components/Chat/Input/Files/FileContainer';
 import Image from '~/components/Chat/Messages/Content/Image';
@@ -7,12 +7,12 @@ import { useAttachmentLink } from './LogLink';
 import { cn } from '~/utils';
 
 const FileAttachment = memo(({ attachment }: { attachment: Partial<TAttachment> }) => {
+  const [isVisible, setIsVisible] = useState(false);
   const { handleDownload } = useAttachmentLink({
     href: attachment.filepath ?? '',
     filename: attachment.filename ?? '',
   });
   const extension = attachment.filename?.split('.').pop();
-  const [isVisible, setIsVisible] = useState(false);
 
   useEffect(() => {
     const timer = setTimeout(() => setIsVisible(true), 50);
@@ -84,6 +84,9 @@ export default function Attachment({ attachment }: { attachment?: TAttachment })
   if (!attachment) {
     return null;
   }
+  if (attachment.type === Tools.web_search) {
+    return null;
+  }
 
   const { width, height, filepath = null } = attachment as TFile & TAttachmentMetadata;
   const isImage =
@@ -115,7 +118,7 @@ export function AttachmentGroup({ attachments }: { attachments?: TAttachment[] }
 
     if (isImage) {
       imageAttachments.push(attachment);
-    } else {
+    } else if (attachment.type !== Tools.web_search) {
       fileAttachments.push(attachment);
     }
   });

client/src/components/Chat/Messages/Content/SearchContent.tsx

@@ -1,26 +1,40 @@
 import { Suspense, useMemo } from 'react';
 import { useRecoilValue } from 'recoil';
 import { ContentTypes } from 'librechat-data-provider';
-import type { Agents, TMessage, TMessageContentParts } from 'librechat-data-provider';
+import type {
+  Agents,
+  TMessage,
+  TAttachment,
+  SearchResultData,
+  TMessageContentParts,
+} from 'librechat-data-provider';
 import { UnfinishedMessage } from './MessageContent';
 import { DelayedRender } from '~/components/ui';
-import MarkdownLite from './MarkdownLite';
+import Sources from '~/components/Web/Sources';
 import { cn, mapAttachments } from '~/utils';
+import { SearchContext } from '~/Providers';
+import MarkdownLite from './MarkdownLite';
 import store from '~/store';
 import Part from './Part';
 
-const SearchContent = ({ message }: { message: TMessage }) => {
+const SearchContent = ({
+  message,
+  attachments,
+  searchResults,
+}: {
+  message: TMessage;
+  attachments?: TAttachment[];
+  searchResults?: { [key: string]: SearchResultData };
+}) => {
   const enableUserMsgMarkdown = useRecoilValue(store.enableUserMsgMarkdown);
   const { messageId } = message;
-  const messageAttachmentsMap = useRecoilValue(store.messageAttachmentsMap);
-  const attachmentMap = useMemo(
-    () => mapAttachments(message?.attachments ?? messageAttachmentsMap[messageId] ?? []),
-    [message?.attachments, messageAttachmentsMap, messageId],
-  );
+
+  const attachmentMap = useMemo(() => mapAttachments(attachments ?? []), [attachments]);
 
   if (Array.isArray(message.content) && message.content.length > 0) {
     return (
-      <>
+      <SearchContext.Provider value={{ searchResults }}>
+        <Sources />
         {message.content
           .filter((part: TMessageContentParts | undefined) => part)
           .map((part: TMessageContentParts | undefined, idx: number) => {
@@ -49,7 +63,7 @@ const SearchContent = ({ message }: { message: TMessage }) => {
             </DelayedRender>
           </Suspense>
         )}
-      </>
+      </SearchContext.Provider>
     );
   }
 

client/src/components/Chat/Messages/Content/ToolCall.tsx

@@ -157,7 +157,11 @@ export default function ToolCall({
         <ProgressText
           progress={progress}
           onClick={() => setShowInfo((prev) => !prev)}
-          inProgressText={localize('com_assistants_running_action')}
+          inProgressText={
+            function_name
+              ? localize('com_assistants_running_var', { 0: function_name })
+              : localize('com_assistants_running_action')
+          }
           authText={
             !cancelled && authDomain.length > 0 ? localize('com_ui_requires_auth') : undefined
           }

client/src/components/Chat/Messages/Content/WebSearch.tsx

@@ -0,0 +1,91 @@
+import { useMemo } from 'react';
+import type { TAttachment } from 'librechat-data-provider';
+import { StackedFavicons } from '~/components/Web/Sources';
+import { useSearchContext } from '~/Providers';
+import ProgressText from './ProgressText';
+import { useLocalize } from '~/hooks';
+
+type ProgressKeys =
+  | 'com_ui_web_searching'
+  | 'com_ui_web_searching_again'
+  | 'com_ui_web_search_processing'
+  | 'com_ui_web_search_reading';
+
+export default function WebSearch({
+  initialProgress: progress = 0.1,
+  isSubmitting,
+  isLast,
+  output,
+}: {
+  isLast?: boolean;
+  isSubmitting: boolean;
+  output?: string | null;
+  initialProgress: number;
+  attachments?: TAttachment[];
+}) {
+  const localize = useLocalize();
+  const { searchResults } = useSearchContext();
+  const error = typeof output === 'string' && output.toLowerCase().includes('error processing');
+  const cancelled = (!isSubmitting && progress < 1) || error === true;
+
+  const complete = !isLast && progress === 1;
+  const finalizing = isSubmitting && isLast && progress === 1;
+  const processedSources = useMemo(() => {
+    if (complete && !finalizing) {
+      return [];
+    }
+    if (!searchResults) return [];
+    const values = Object.values(searchResults);
+    const result = values[values.length - 1];
+    if (!result) return [];
+    if (finalizing) {
+      return [...(result.organic || []), ...(result.topStories || [])];
+    }
+    return [...(result.organic || []), ...(result.topStories || [])].filter(
+      (source) => source.processed === true,
+    );
+  }, [searchResults, complete, finalizing]);
+  const turns = useMemo(() => {
+    if (!searchResults) return 0;
+    return Object.values(searchResults).length;
+  }, [searchResults]);
+
+  const clampedProgress = useMemo(() => {
+    return Math.min(progress, 0.99);
+  }, [progress]);
+
+  const showSources = processedSources.length > 0;
+  const progressText = useMemo(() => {
+    let text: ProgressKeys = turns > 1 ? 'com_ui_web_searching_again' : 'com_ui_web_searching';
+    if (showSources) {
+      text = 'com_ui_web_search_processing';
+    }
+    if (finalizing) {
+      text = 'com_ui_web_search_reading';
+    }
+    return localize(text);
+  }, [turns, localize, showSources, finalizing]);
+
+  if (complete || cancelled) {
+    return null;
+  }
+  return (
+    <>
+      <div className="relative my-2.5 flex size-5 shrink-0 items-center gap-2.5">
+        {showSources && (
+          <div className="mr-2">
+            <StackedFavicons sources={processedSources} start={-5} />
+          </div>
+        )}
+        <ProgressText
+          finishedText=""
+          hasInput={false}
+          error={cancelled}
+          isExpanded={false}
+          progress={clampedProgress}
+          inProgressText={progressText}
+        />
+      </div>
+    </>
+  );
+}

client/src/components/Chat/Messages/MessageParts.tsx

@@ -2,8 +2,8 @@ import React, { useMemo } from 'react';
 import { useRecoilValue } from 'recoil';
 import type { TMessageContentParts } from 'librechat-data-provider';
 import type { TMessageProps, TMessageIcon } from '~/common';
+import { useMessageHelpers, useLocalize, useAttachments } from '~/hooks';
 import MessageIcon from '~/components/Chat/Messages/MessageIcon';
-import { useMessageHelpers, useLocalize } from '~/hooks';
 import ContentParts from './Content/ContentParts';
 import SiblingSwitch from './SiblingSwitch';
 
@@ -17,7 +17,10 @@ export default function Message(props: TMessageProps) {
   const localize = useLocalize();
   const { message, siblingIdx, siblingCount, setSiblingIdx, currentEditId, setCurrentEditId } =
     props;
-
+  const { attachments, searchResults } = useAttachments({
+    messageId: message?.messageId,
+    attachments: message?.attachments,
+  });
   const {
     edit,
     index,
@@ -91,7 +94,7 @@ export default function Message(props: TMessageProps) {
       >
         <div className="m-auto justify-center p-4 py-2 md:gap-6">
           <div
-            id={messageId}
+            id={messageId ?? ''}
             aria-label={`message-${message.depth}-${messageId}`}
             className={cn(baseClasses.common, baseClasses.chat, 'message-render')}
           >
@@ -116,10 +119,11 @@ export default function Message(props: TMessageProps) {
                     isLast={isLast}
                     enterEdit={enterEdit}
                     siblingIdx={siblingIdx}
-                    messageId={message.messageId}
+                    attachments={attachments}
                     isSubmitting={isSubmitting}
+                    searchResults={searchResults}
+                    messageId={message.messageId}
                     setSiblingIdx={setSiblingIdx}
-                    attachments={message.attachments}
                     isCreatedByUser={message.isCreatedByUser}
                     conversationId={conversation?.conversationId}
                     content={message.content as Array<TMessageContentParts | undefined>}

client/src/components/Chat/Messages/MinimalHoverButtons.tsx

@@ -1,16 +1,21 @@
 import { useState } from 'react';
-import type { TMessage } from 'librechat-data-provider';
+import type { TMessage, TAttachment, SearchResultData } from 'librechat-data-provider';
 import { useLocalize, useCopyToClipboard } from '~/hooks';
 import { Clipboard, CheckMark } from '~/components/svg';
 
 type THoverButtons = {
   message: TMessage;
+  searchResults?: { [key: string]: SearchResultData };
 };
 
-export default function MinimalHoverButtons({ message }: THoverButtons) {
+export default function MinimalHoverButtons({ message, searchResults }: THoverButtons) {
   const localize = useLocalize();
   const [isCopied, setIsCopied] = useState(false);
-  const copyToClipboard = useCopyToClipboard({ text: message.text, content: message.content });
+  const copyToClipboard = useCopyToClipboard({
+    text: message.text,
+    content: message.content,
+    searchResults,
+  });
 
   return (
     <div className="visible mt-0 flex justify-center gap-1 self-end text-gray-400 lg:justify-start">

client/src/components/Chat/Messages/ui/MessageRender.tsx

@@ -94,10 +94,10 @@ const MessageRender = memo(
       () =>
         showCardRender && !isLatestMessage
           ? () => {
-            logger.log(`Message Card click: Setting ${msg?.messageId} as latest message`);
-            logger.dir(msg);
-            setLatestMessage(msg!);
-          }
+              logger.log(`Message Card click: Setting ${msg?.messageId} as latest message`);
+              logger.dir(msg);
+              setLatestMessage(msg!);
+            }
           : undefined,
       [showCardRender, isLatestMessage, msg, setLatestMessage],
     );

client/src/components/Messages/ContentRender.tsx

@@ -7,8 +7,8 @@ import PlaceholderRow from '~/components/Chat/Messages/ui/PlaceholderRow';
 import SiblingSwitch from '~/components/Chat/Messages/SiblingSwitch';
 import HoverButtons from '~/components/Chat/Messages/HoverButtons';
 import MessageIcon from '~/components/Chat/Messages/MessageIcon';
+import { useAttachments, useMessageActions } from '~/hooks';
 import SubRow from '~/components/Chat/Messages/SubRow';
-import { useMessageActions } from '~/hooks';
 import { cn, logger } from '~/utils';
 import store from '~/store';
 
@@ -34,6 +34,10 @@ const ContentRender = memo(
     setCurrentEditId,
     isSubmittingFamily = false,
   }: ContentRenderProps) => {
+    const { attachments, searchResults } = useAttachments({
+      messageId: msg?.messageId,
+      attachments: msg?.attachments,
+    });
     const {
       edit,
       index,
@@ -50,6 +54,7 @@ const ContentRender = memo(
       regenerateMessage,
     } = useMessageActions({
       message: msg,
+      searchResults,
       currentEditId,
       isMultiMessage,
       setCurrentEditId,
@@ -91,10 +96,10 @@ const ContentRender = memo(
       () =>
         showCardRender && !isLatestMessage
           ? () => {
-            logger.log(`Message Card click: Setting ${msg?.messageId} as latest message`);
-            logger.dir(msg);
-            setLatestMessage(msg!);
-          }
+              logger.log(`Message Card click: Setting ${msg?.messageId} as latest message`);
+              logger.dir(msg);
+              setLatestMessage(msg!);
+            }
           : undefined,
       [showCardRender, isLatestMessage, msg, setLatestMessage],
     );
@@ -164,9 +169,10 @@ const ContentRender = memo(
                 enterEdit={enterEdit}
                 siblingIdx={siblingIdx}
                 messageId={msg.messageId}
+                attachments={attachments}
                 isSubmitting={isSubmitting}
+                searchResults={searchResults}
                 setSiblingIdx={setSiblingIdx}
-                attachments={msg.attachments}
                 isCreatedByUser={msg.isCreatedByUser}
                 conversationId={conversation?.conversationId}
                 content={msg.content as Array<TMessageContentParts | undefined>}

client/src/components/Share/Message.tsx

@@ -7,7 +7,8 @@ import SiblingSwitch from '~/components/Chat/Messages/SiblingSwitch';
 import { Plugin } from '~/components/Messages/Content';
 import SubRow from '~/components/Chat/Messages/SubRow';
 import { MessageContext } from '~/Providers';
-// eslint-disable-next-line import/no-cycle
+import { useAttachments } from '~/hooks';
+
 import MultiMessage from './MultiMessage';
 import { cn } from '~/utils';
 import store from '~/store';
@@ -25,6 +26,11 @@ export default function Message(props: TMessageProps) {
     setCurrentEditId,
   } = props;
 
+  const { attachments, searchResults } = useAttachments({
+    messageId: message?.messageId,
+    attachments: message?.attachments,
+  });
+
   if (!message) {
     return null;
   }
@@ -48,8 +54,8 @@ export default function Message(props: TMessageProps) {
   return (
     <>
       <div className="text-token-text-primary w-full border-0 bg-transparent dark:border-0 dark:bg-transparent">
-        <div className="m-auto justify-center p-4 py-2 md:gap-6 ">
-          <div className="final-completion group mx-auto flex flex-1 gap-3 md:max-w-3xl md:px-5 lg:max-w-[40rem] lg:px-1 xl:max-w-[48rem] xl:px-5">
+        <div className="m-auto justify-center p-4 py-2 md:gap-6">
+          <div className="final-completion group mx-auto flex flex-1 gap-3 md:max-w-[47rem] md:px-5 lg:px-1 xl:max-w-[55rem] xl:px-5">
             <div className="relative flex flex-shrink-0 flex-col items-end">
               <div>
                 <div className="pt-0.5">
@@ -68,13 +74,18 @@ export default function Message(props: TMessageProps) {
                   <MessageContext.Provider
                     value={{
                       messageId,
+                      isExpanded: false,
                       conversationId: conversation?.conversationId,
                     }}
                   >
                     {/* Legacy Plugins */}
                     {message.plugin && <Plugin plugin={message.plugin} />}
                     {message.content ? (
-                      <SearchContent message={message} />
+                      <SearchContent
+                        message={message}
+                        attachments={attachments}
+                        searchResults={searchResults}
+                      />
                     ) : (
                       <MessageContent
                         edit={false}
@@ -100,7 +111,7 @@ export default function Message(props: TMessageProps) {
                   siblingCount={siblingCount}
                   setSiblingIdx={setSiblingIdx}
                 />
-                <MinimalHoverButtons message={message} />
+                <MinimalHoverButtons message={message} searchResults={searchResults} />
               </SubRow>
             </div>
           </div>

client/src/components/Share/ShareView.tsx

@@ -15,7 +15,7 @@ function SharedView() {
   const { shareId } = useParams();
   const { data, isLoading } = useGetSharedMessages(shareId ?? '');
   const dataTree = data && buildTree({ messages: data.messages });
-  const messagesTree = dataTree?.length === 0 ? null : dataTree ?? null;
+  const messagesTree = dataTree?.length === 0 ? null : (dataTree ?? null);
 
   // configure document title
   let docTitle = '';
@@ -37,7 +37,7 @@ function SharedView() {
   } else if (data && messagesTree && messagesTree.length !== 0) {
     content = (
       <>
-        <div className="final-completion group mx-auto flex min-w-[40rem] flex-col gap-3 pb-6 pt-4 md:max-w-3xl md:px-5 lg:max-w-[40rem] lg:px-1 xl:max-w-[48rem] xl:px-5">
+        <div className="final-completion group mx-auto flex min-w-[40rem] flex-col gap-3 pb-6 pt-4 md:max-w-[47rem] md:px-5 lg:px-1 xl:max-w-[55rem] xl:px-5">
           <h1 className="text-4xl font-bold">{data.title}</h1>
           <div className="border-b border-border-medium pb-6 text-base text-text-secondary">
             {new Date(data.createdAt).toLocaleDateString('en-US', {
@@ -53,7 +53,7 @@ function SharedView() {
     );
   } else {
     content = (
-      <div className="flex h-screen items-center justify-center ">
+      <div className="flex h-screen items-center justify-center">
         {localize('com_ui_shared_link_not_found')}
       </div>
     );

client/src/components/SidePanel/Agents/AgentConfig.tsx

@@ -13,6 +13,7 @@ import { processAgentOption } from '~/utils';
 import Instructions from './Instructions';
 import AgentAvatar from './AgentAvatar';
 import FileContext from './FileContext';
+import SearchForm from './Search/Form';
 import { useLocalize } from '~/hooks';
 import FileSearch from './FileSearch';
 import Artifacts from './Artifacts';
@@ -73,6 +74,10 @@ export default function AgentConfig({
     () => agentsConfig?.capabilities?.includes(AgentCapabilities.file_search) ?? false,
     [agentsConfig],
   );
+  const webSearchEnabled = useMemo(
+    () => agentsConfig?.capabilities?.includes(AgentCapabilities.web_search) ?? false,
+    [agentsConfig],
+  );
   const codeEnabled = useMemo(
     () => agentsConfig?.capabilities?.includes(AgentCapabilities.execute_code) ?? false,
     [agentsConfig],
@@ -257,13 +262,19 @@ export default function AgentConfig({
             </div>
           </button>
         </div>
-        {(codeEnabled || fileSearchEnabled || artifactsEnabled || ocrEnabled) && (
+        {(codeEnabled ||
+          fileSearchEnabled ||
+          artifactsEnabled ||
+          ocrEnabled ||
+          webSearchEnabled) && (
           <div className="mb-4 flex w-full flex-col items-start gap-3">
             <label className="text-token-text-primary block font-medium">
               {localize('com_assistants_capabilities')}
             </label>
             {/* Code Execution */}
             {codeEnabled && <CodeForm agent_id={agent_id} files={code_files} />}
+            {/* Web Search */}
+            {webSearchEnabled && <SearchForm />}
             {/* File Context (OCR) */}
             {ocrEnabled && <FileContext agent_id={agent_id} files={context_files} />}
             {/* Artifacts */}

client/src/components/SidePanel/Agents/AgentFooter.tsx

@@ -53,7 +53,6 @@ export default function AgentFooter({
   const showButtons = activePanel === Panel.builder;
 
   return (
-
     <div className="mb-1 flex w-full flex-col gap-2">
       {showButtons && <AdvancedButton setActivePanel={setActivePanel} />}
       {showButtons && agent_id && <VersionButton setActivePanel={setActivePanel} />}

client/src/components/SidePanel/Agents/AgentPanel.tsx

@@ -162,6 +162,9 @@ export default function AgentPanel({
       if (data.file_search === true) {
         tools.push(Tools.file_search);
       }
+      if (data.web_search === true) {
+        tools.push(Tools.web_search);
+      }
 
       const {
         name,