* 🛡️ fix: SSRF-validate user-provided URLs in web search auth
User-controlled URL fields (jinaApiUrl, firecrawlApiUrl, searxngInstanceUrl)
flow from plugin auth into outbound HTTP requests without validation.
Reuse existing isSSRFTarget/resolveHostnameSSRF to block private/internal
targets while preserving admin-configured (env var) internal URLs.
* 🛡️ fix: Harden web search SSRF validation
- Reject non-HTTP(S) schemes (file://, ftp://, etc.) in isSSRFUrl
- Conditional write: only assign to authResult after SSRF check passes
- Move isUserProvided tracking after SSRF gate to avoid false positives
- Add authenticated assertions for optional-field SSRF blocks in tests
- Add file:// scheme rejection test
- Wrap process.env mutation in try/finally guard
- Add JSDoc + sync-obligation comment on WEB_SEARCH_URL_KEYS
* 🛡️ fix: Correct auth-type reporting for SSRF-stripped optional URLs
SSRF-stripped optional URL fields no longer pollute isUserProvided.
Track whether the field actually contributed to authResult before
crediting it as user-provided, so categories report SYSTEM_DEFINED
when all surviving values match env vars.
* 🔧 chore: Update @librechat/agents to v2.4.84 in package.json and package-lock.json
* feat: Serper as new scraperProvider for Web Search and add firecrawlVersion support
* fix: TWebSearchKeys and ensure unique API keys extraction
* chore: Add build:packages script to streamline package builds
* chore: linting for `loadCustomConfig`
* refactor: decouple CDN init and variable/health checks from AppService
* refactor: move AppService to packages/data-schemas
* chore: update AppConfig import path to use data-schemas
* chore: update JsonSchemaType import path to use data-schemas
* refactor: update UserController to import webSearchKeys and redefine FunctionTool typedef
* chore: remove AppService.js
* refactor: update AppConfig interface to use Partial<TCustomConfig> and make paths and fileStrategies optional
* refactor: update checkConfig function to accept Partial<TCustomConfig>
* chore: fix types
* refactor: move handleRateLimits to startup checks as is an effect
* test: remove outdated rate limit tests from AppService.spec and add new handleRateLimits tests in checks.spec
* feat: added support for custom JINA_API_URL
* fixed tests
* chore: Update @librechat/agents dependency to version 2.4.77 in package-lock.json and package.json files
* fix: Update Jina API URL to use environment variable in configuration files
* Refactor AppService, web.ts, and config.ts to replace hardcoded Jina API URL with an environment variable placeholder.
* Ensure consistency across tests and configuration for Jina API URL.
* chore: alphabetical order translation.json
* fix: alphabetical order
---------
Co-authored-by: Danny Avila <danny@librechat.ai>
- Added firecrawlOptions configuration field to librechat.yaml
- Refactored web.ts to live in packages/api rather than data-provider
- Updated imports from web.ts to reflect new location
- Added firecrawlOptions to FirecrawlConfig interface
- Added firecrawlOptions to authResult of loadWebSearchAuth so it gets properly passed to agents to be built into firecrawl payload
- Added tests for firecrawlOptions to web.spec.ts
