Adds support for MCP servers like StackOverflow that use OAuth but don't
provide standard discovery metadata at .well-known endpoints.
Changes:
- Add fallback OAuth endpoints (/authorize, /token, /register) when
discoverAuthorizationServerMetadata returns undefined
- Add POST fallback in OAuth detection when HEAD returns non-401
(StackOverflow returns 405 for HEAD, 401 for POST)
- Detect OAuth requirement from WWW-Authenticate: Bearer header even
without resource_metadata URL
- Add fallback /token endpoint for token refresh when metadata
discovery fails
- Add registration_endpoint to OAuthMetadata type
This mirrors the MCP SDK's behavior where it gracefully falls back to
default OAuth endpoint paths when .well-known metadata isn't available.
Tests:
- Add unit tests for detectOAuth.ts (POST fallback, Bearer detection)
- Add unit tests for handler.ts (fallback metadata, fallback refresh)
- Add StackOverflow to integration test servers
Fixes OAuth flow for servers that:
- Return 405 for HEAD requests (only support POST)
- Return 401 with simple "Bearer" in WWW-Authenticate
- Don't have .well-known/oauth-authorization-server endpoint
- Use standard /authorize, /token, /register paths
- Added try-catch blocks to handle errors during document deletion from the RAG API.
- Implemented logging for 404 errors indicating that the document may have already been deleted.
- Improved error logging for other deletion errors in both Firebase and Local file services.
* 🔖 refactor: citation handling with support for both literal and Unicode formats
* refactor: file search messages for edge cases in documents
* 🔧 refactor: Enhance citation handling with detailed regex patterns for literal and Unicode formats
* 🔧 refactor: Simplify file search query handling by removing unnecessary parameters and improving result formatting
* ✨ test: Add comprehensive integration tests for citation processing flow with support for literal and Unicode formats
* 🔧 refactor: Improve regex match handling and add performance tests for citation processing
- Updated @librechat/api to version 1.7.0
- Updated @librechat/client to version 0.4.1
- Updated librechat-data-provider to version 0.8.200
- Updated @librechat/data-schemas to version 0.0.31
* v0.8.1
* fix: GitHub workflows for OIDC trusted publishing
- Added permissions for OIDC trusted publishing in client, data-provider, and data-schemas workflows.
- Updated npm installation to support OIDC in all workflows.
- Changed npm publish commands to include `--provenance` for better package integrity.
- Updated repository URLs in package.json files for client, data-provider, and data-schemas to remove `git+` prefix.
* 🔊 fix: Validate language format for OpenAI STT model
* fix: Normalize input language model assignment in STTService
* refactor: Enhance error logging and language validation in STT and TTS services
* fix: Improve language validation in getValidatedLanguageCode function
* Improve prompt for better citation formatting
* Provide format example
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* refactor: Simplify citation guidelines and response structure in tool loading
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Danny Avila <danny@librechat.ai>
- Created a new `bun.lock` file to manage project dependencies effectively.
- Removed the obsolete `bun.lockb` file.
- Updated `package.json` scripts to streamline the build process for the client and API, enhancing the overall development workflow.
- Introduced new build commands for the client package to improve modularity and clarity in the build process.
- Introduced `inferMimeType` utility to improve MIME type detection for uploaded files, including support for HEIC and HEIF formats.
- Updated DragDropModal to utilize the new inference logic for validating file types, ensuring compatibility with various document upload providers.
- Added comprehensive tests for `inferMimeType` to cover various scenarios, including handling of unknown extensions and preserving browser-provided types.
* 🔧 fix: Gemini as Custom Endpoint Auth. Error for OAI-compatible API
* refactor: Google Compatibility in OpenAI Config
- Added a test to ensure `googleSearch` is filtered out when `web_search` is only present in `modelOptions`, not in `addParams` or `defaultParams`.
- Updated `transformToOpenAIConfig` to preserve `googleSearch` tools if `web_search` is explicitly enabled via `addParams` or `defaultParams`.
- Refactored the filtering logic for Google-specific tools to accommodate the new behavior.
* refactor: implement sanitizeFileForTransmit and sanitizeMessageForTransmit functions for smaller payload to client transmission
* refactor: enhance sanitizeMessageForTransmit to preserve empty files array and avoid mutating original message
* refactor: update sanitizeMessageForTransmit to ensure immutability of files array and improve test clarity
* refactor: Token Limit Processing with Enhanced Efficiency
- Added a new test suite for `processTextWithTokenLimit`, ensuring comprehensive coverage of various scenarios including under, at, and exceeding token limits.
- Refactored the `processTextWithTokenLimit` function to utilize a ratio-based estimation method, significantly reducing the number of token counting function calls compared to the previous binary search approach.
- Improved handling of edge cases and variable token density, ensuring accurate truncation and performance across diverse text inputs.
- Included direct comparisons with the old implementation to validate correctness and efficiency improvements.
* refactor: Remove Tokenizer Route and Related References
- Deleted the tokenizer route from the server and removed its references from the routes index and server files, streamlining the API structure.
- This change simplifies the routing configuration by eliminating unused endpoints.
* refactor: Migrate countTokens Utility to API Module
- Removed the local countTokens utility and integrated it into the @librechat/api module for centralized access.
- Updated various files to reference the new countTokens import from the API module, ensuring consistent usage across the application.
- Cleaned up unused references and imports related to the previous countTokens implementation.
* refactor: Centralize escapeRegExp Utility in API Module
- Moved the escapeRegExp function from local utility files to the @librechat/api module for consistent usage across the application.
- Updated imports in various files to reference the new centralized escapeRegExp function, ensuring cleaner code and reducing redundancy.
- Removed duplicate implementations of escapeRegExp from multiple files, streamlining the codebase.
* refactor: Enhance Token Counting Flexibility in Text Processing
- Updated the `processTextWithTokenLimit` function to accept both synchronous and asynchronous token counting functions, improving its versatility.
- Introduced a new `TokenCountFn` type to define the token counting function signature.
- Added comprehensive tests to validate the behavior of `processTextWithTokenLimit` with both sync and async token counting functions, ensuring consistent results.
- Implemented a wrapper to track call counts for the `countTokens` function, optimizing performance and reducing unnecessary calls.
- Enhanced existing tests to compare the performance of the new implementation against the old one, demonstrating significant improvements in efficiency.
* chore: documentation for Truncation Safety Buffer in Token Processing
- Added a safety buffer multiplier to the character position estimates during text truncation to prevent overshooting token limits.
- Updated the `processTextWithTokenLimit` function to utilize the new `TRUNCATION_SAFETY_BUFFER` constant, enhancing the accuracy of token limit processing.
- Improved documentation to clarify the rationale behind the buffer and its impact on performance and efficiency in token counting.
- Updated `useChatFunctions` to derive `iconURL` from conversation data before parsing
- Modified `parseCompactConvo` to explicitly omit `iconURL` from parsed conversations, reinforcing security measures around URL handling.
* 🖥️ feat: Add Proxy Support for Tavily API Tool
- Integrated ProxyAgent from undici to enable proxy support for API requests in TavilySearch and TavilySearchResults.
- Updated fetch options to conditionally include the proxy configuration based on the environment variable, enhancing flexibility for network requests.
* ci: TavilySearchResults with Proxy Support Tests
- Added tests to verify the integration of ProxyAgent for API requests in TavilySearchResults.
- Implemented conditional logic to check for the PROXY environment variable, ensuring correct usage of ProxyAgent based on its presence.
- Updated test setup to clear mocks before each test for improved isolation and reliability.
* refactor: Add back user variable descriptions for MCP under input and not as Tooltips
- Integrated DOMPurify to sanitize HTML content in user variable descriptions, ensuring safe rendering of links and formatting.
- Updated the AuthField component to display sanitized descriptions, enhancing security and user experience.
- Removed TooltipAnchor in favor of direct label rendering for improved clarity.
* 📦 chore: Update `dompurify` to v3.3.0 in package dependencies
- Added `dompurify` version 3.3.0 to `package.json` and `package-lock.json` for improved HTML sanitization.
- Updated existing references to `dompurify` to ensure consistency across the project.
* refactor: Update tooltip styles for sanitized description in AuthField component
* 🗨️ fix: Safe Validation for Prompt Updates
- Added `safeValidatePromptGroupUpdate` function to validate and sanitize prompt group update requests, ensuring only allowed fields are processed and sensitive fields are stripped.
- Updated the `patchPromptGroup` route to utilize the new validation function, returning appropriate error messages for invalid requests.
- Introduced comprehensive tests for the validation logic, covering various scenarios including allowed and disallowed fields, enhancing overall request integrity and security.
- Created a new schema file for prompt group updates, defining validation rules and types for better maintainability.
* 🔒 feat: Add JSON parse error handling middleware
* 🔒 fix: `iconURL` in conversation parsing
- Updated the `buildEndpointOption` middleware to derive `iconURL` from model specs when not provided by the client, improving security by preventing malicious URLs.
- Modified the `parseCompactConvo` function to strip `iconURL` from conversation inputs, ensuring it is only set server-side.
- Added comprehensive tests to validate the stripping of `iconURL` across various endpoint types, enhancing overall input sanitization.
* ✨ feat: Add ESLint rule for unused variables
- Introduced a new ESLint rule to warn about unused variables, allowing for better code quality and maintainability.
- Configured the rule to ignore variables and arguments that start with an underscore, accommodating common coding practices.
* 🔧 chore: Update @librechat/agents to version 3.0.35
* ✨ feat: Add DeepSeek Model Pricing and Token Handling
- Introduced pricing and token limits for 'deepseek-chat' and 'deepseek-reasoner' models, including prompt and completion rates.
- Enhanced tests to validate pricing and token limits for DeepSeek models, ensuring correct handling of model variations and provider prefixes.
- Updated cache multipliers for DeepSeek models to reflect new pricing structure.
- Improved max output token handling for DeepSeek models, ensuring consistency across different endpoints.
* 🔧 fix: Handle null content parts in message processing
- Added checks to filter out null content parts in various message handling functions, ensuring robustness against undefined values.
- Updated the `extractMessageContent`, `useContentHandler`, `useEventHandlers`, and `useStepHandler` hooks to prevent errors caused by null parts.
- Enhanced the `getAllContentText` utility to only include valid content types, improving overall message integrity.
* 🔧 fix: Enhance error handling in event and SSE handlers
- Wrapped critical sections in try-catch blocks within `useEventHandlers` and `useSSE` hooks to improve error management and prevent application crashes.
- Added console error logging for better debugging and tracking of issues during message processing and conversation aborting.
- Ensured that UI states like `setIsSubmitting` and `setShowStopButton` are correctly updated in case of errors, maintaining a consistent user experience.
* 🔧 fix: Filter out null and empty content in message export
- Enhanced the `useExportConversation` hook to filter out null content parts and empty strings during message processing, ensuring only valid content is included in the export.
- This change improves the integrity of exported conversations by preventing unnecessary empty entries in the output.
* 📐 refactor: Exclude Params from OAI Reasoning Models
- Introduced a new test suite for `getOpenAILLMConfig` covering various model configurations, including basic settings, reasoning models, and web search functionality.
- Validated parameter handling for different models, ensuring correct exclusions and conversions, particularly for temperature and max_tokens.
- Enhanced tests for default and additional parameters, drop parameters, and verbosity handling, ensuring robust coverage of the configuration logic.
* ci: Update OpenAI model version in configuration tests
- Changed model references from 'gpt-5' to 'gpt-4' across multiple test cases in the `getOpenAIConfig` function.
- Adjusted related parameter handling to ensure compatibility with the updated model version, including maxTokens and temperature settings.
- Enhanced test coverage for model options and their expected configurations.
- Updated the `findUser` method to normalize email fields to lowercase and trimmed whitespace for case-insensitive matching.
- Enhanced the `normalizeEmailInCriteria` function to handle email normalization in search criteria, including `` conditions.
- Added tests to ensure email normalization works correctly across various scenarios, including case differences and whitespace handling.
* 🤖 feat: Latest Grok Model Pricing & Context Rates
- Introduced 'grok-4-fast', 'grok-4-1-fast', and 'grok-code-fast' models with their respective prompt and completion rates.
- Enhanced unit tests to validate prompt and completion rates for the new models, including variations with prefixes.
- Updated token limits for the new models in the tokens utility, ensuring accurate handling in tests.
* 🔧 refactor: Optimize JSON Export Logic in useExportConversation Hook
Updated the export logic to create a Blob from the JSON string before downloading, improving compatibility and performance for file downloads. This change enhances the handling of deeply nested exports while maintaining the file size reduction achieved in previous updates.
Updated the export logic in the useExportConversation hook to use JSON.stringify without indentation, reducing file size for deeply nested exports. Additionally, ensured safe access to text content by providing a fallback for undefined values.
* 🔧 fix: Correct URL Construction in fetchModels Function
Updated the URL construction in the fetchModels function to ensure proper formatting by removing trailing slashes from the base URL. This change prevents potential issues with API endpoint calls.
* 🔧 fix: Remove OLLAMA from Known Custom Providers
Updated the isKnownCustomProvider function and providerConfigMap to exclude OLLAMA as a known custom provider, streamlining the provider checks and configurations.
* 🔧 test: Enhance fetchModels Tests for URL Construction
Added new test cases to validate the URL construction in the fetchModels function, ensuring it handles trailing slashes correctly and appends query parameters as expected. This improves the robustness of the API endpoint calls.
* chore: remove ollama provider-specific handling
* chore: Refactor imports to use isUserProvided from @librechat/api
* ✨ v0.8.1-rc2
- Updated version numbers in Dockerfile, Dockerfile.multi, package.json, and various package.json files for client, api, and data-provider.
- Adjusted appVersion in Chart.yaml and constants in config.ts to reflect the new version.
- Incremented versions for @librechat/api, @librechat/client, and librechat-data-provider packages.
* chore: Update Chart version to 1.9.3
- Incremented the chart version in Chart.yaml to reflect the latest changes.
Removed unnecessary debug logging statements in the extractOpenIDTokenInfo function to streamline the code and improve readability. This change enhances the clarity of the function's logic without altering its functionality.
* fix: exclude the currently edited bookmark from duplicate checks
* ci: Add comprehensive tests for BookmarkForm component
- Introduced a new test suite for the BookmarkForm component to validate bookmark editing functionality.
- Implemented tests for various scenarios including editing descriptions, renaming tags, and handling duplicate tags.
- Ensured proper feedback through toasts for error cases and successful submissions.
- Mocked necessary hooks and context to isolate component behavior during tests.
---------
Co-authored-by: Danny Avila <danny@librechat.ai>
When using direct endpoints (e.g., Google) instead of Agents, `this.options.agent` is undefined, causing provider detection to fail. This resulted in "Unknown content type document" errors for Google/Gemini PDF uploads.
Added `?? this.options.endpoint` fallback in addDocuments(), addVideos(), and addAudios() methods to ensure correct provider detection for all endpoint types.
* feat: shift collapse chevron inside ChatForm input area
* feat: add soft gradient on bottom of collapsed text input so there isn't a hard cut off when text overflows
* feat: add better scroll bar behavior for main chat input
* fix: smooth out purple gradient for temporary chats
* feat: better colors for gradient
* feat: use blur instead of colors
* chore: address copilot comments
* fix: increase RAG API text parsing timeout for large files
* ci: Update text.spec.ts
---------
Co-authored-by: Rosen Simov <rosen.simov@endurosat.com>
Co-authored-by: Danny Avila <danny@librechat.ai>
* fix: remove side panel elements from screen reader when hidden
There's both left & right side panels; elements of both of them
are hidden when dismissed. However, currently they are being hidden
by using classes to hide their UI (such as making the sidebar
zero width).
That works for visually dismissing these elements, but they can still
be viewed by a screen reader (using the tab key to jump between
interactable elements). That can be a rather confusing experience
for anyone visually impaired (such as duplicate buttons, or buttons
that do nothing).
--------
I've changed it so hidden elements are fully removed from the render.
This prevents them from being interactable via keyboard.
I leveraged Motion to duplicate the animations as they happened before.
I subtly cleaned up the animations while I was at it.
* Implemented reasonable suggestions from Copilot review
* 🤖 feat: Claude Opus 4.5 Token Rates and Window Limits
- Introduced new model 'claude-opus-4-5' with defined prompt and completion values in tokenValues and cacheTokenValues.
- Updated tests to validate prompt, completion, and cache rates for the new model.
- Enhanced model name handling to accommodate variations for 'claude-opus-4-5' across different contexts.
- Adjusted schemas to ensure correct max output token limits for the new model.
* ci: Add tests for "prompt-caching" beta header in Claude Opus 4.5 models
- Implemented tests to verify the addition of the "prompt-caching" beta header for the 'claude-opus-4-5' model and its variations.
- Updated future-proofing logic to ensure correct max token limits for Claude 4.x and 5.x Opus models, adjusting defaults to 64K where applicable.
- Enhanced existing tests to reflect changes in expected max token values for future Claude models.
* chore: Remove redundant max output check for Anthropic settings
- Eliminated the unnecessary check for ANTHROPIC_MAX_OUTPUT in the anthropicSettings schema, streamlining the logic for handling max output values.
* fix: Header and Environment Variable Handling Bug from #9931
* refactor: Remove warning log for missing tokens in extractOpenIDTokenInfo function
* feat: Enhance resolveNestedObject function for improved placeholder processing
- Added a new function `resolveNestedObject` to recursively process nested objects, replacing placeholders in string values while preserving the original structure.
- Updated `createTestUser` to use `IUser` type and modified user ID generation.
- Added comprehensive unit tests for `resolveNestedObject` to cover various scenarios, including nested structures, arrays, and custom user variables.
- Improved type handling in `processMCPEnv` to ensure correct processing of mixed numeric and placeholder values.
* refactor: Remove unnecessary manipulation of Bedrock options introduced in #9931
- Eliminated the resolveHeaders function call from the getOptions method in options.js, as it was no longer necessary for processing additional model request fields.
- This change simplifies the code and improves maintainability.
