feat: Implement prompt permissions management and access control middleware
fix: agent deletion process to remove associated permissions and ACL entries
fix: Import Permissions for enhanced access control in GrantAccessDialog
feat: use PromptGroup for access control
- Added migration script for PromptGroup permissions, categorizing groups into global view access and private groups.
- Created unit tests for the migration script to ensure correct categorization and permission granting.
- Introduced middleware for checking access permissions on PromptGroups and prompts via their groups.
- Updated routes to utilize new access control middleware for PromptGroups.
- Enhanced access role definitions to include roles specific to PromptGroups.
- Modified ACL entry schema and types to accommodate PromptGroup resource type.
- Updated data provider to include new access role identifiers for PromptGroups.
feat: add generic access management dialogs and hooks for resource permissions
fix: remove duplicate imports in FileContext component
fix: remove duplicate mongoose dependency in package.json
feat: add access permissions handling for dynamic resource types and add promptGroup roles
feat: implement centralized role localization and update access role types
refactor: simplify author handling in prompt group routes and enhance ACL checks
feat: implement addPromptToGroup functionality and update PromptForm to use it
feat: enhance permission handling in ChatGroupItem, DashGroupItem, and PromptForm components
chore: rename migration script for prompt group permissions and update package.json scripts
chore: update prompt tests
bugfix: Enhance Agent and AgentCategory schemas with new fields for category, support contact, and promotion status
refactored and moved agent category methods and schema to data-schema package
🔧 fix: Merge and Rebase Conflicts
- Move AgentCategory from api/models to @packages/data-schemas structure
- Add schema, types, methods, and model following codebase conventions
- Implement auto-seeding of default categories during AppService startup
- Update marketplace controller to use new data-schemas methods
- Remove old model file and standalone seed script
refactor: unify agent marketplace to single endpoint with cursor pagination
- Replace multiple marketplace routes with unified /marketplace endpoint
- Add query string controls: category, search, limit, cursor, promoted, requiredPermission
- Implement cursor-based pagination replacing page-based system
- Integrate ACL permissions for proper access control
- Fix ObjectId constructor error in Agent model
- Update React components to use unified useGetMarketplaceAgentsQuery hook
- Enhance type safety and remove deprecated useDynamicAgentQuery
- Update tests for new marketplace architecture
-Known issues:
see more button after category switching + Unit tests
feat: add icon property to ProcessedAgentCategory interface
- Add useMarketplaceAgentsInfiniteQuery and useGetAgentCategoriesQuery to client/src/data-provider/Agents/
- Replace manual pagination in AgentGrid with infinite query pattern
- Update imports to use local data provider instead of librechat-data-provider
- Add proper permission handling with PERMISSION_BITS.VIEW/EDIT constants
- Improve agent access control by adding requiredPermission validation in backend
- Remove manual cursor/state management in favor of infinite query built-ins
- Maintain existing search and category filtering functionality
refactor: consolidate agent marketplace endpoints into main agents API and improve data management consistency
- Remove dedicated marketplace controller and routes, merging functionality into main agents v1 API
- Add countPromotedAgents function to Agent model for promoted agents count
- Enhance getListAgents handler with marketplace filtering (category, search, promoted status)
- Move getAgentCategories from marketplace to v1 controller with same functionality
- Update agent mutations to invalidate marketplace queries and handle multiple permission levels
- Improve cache management by updating all agent query variants (VIEW/EDIT permissions)
- Consolidate agent data access patterns for better maintainability and consistency
- Remove duplicate marketplace route definitions and middleware
selected view only agents injected in the drop down
fix: remove minlength validation for support contact name in agent schema
feat: add validation and error messages for agent name in AgentConfig and AgentPanel
fix: update agent permission check logic in AgentPanel to simplify condition
Fix linting WIP
Fix Unit tests WIP
ESLint fixes
eslint fix
refactor: enhance isDuplicateVersion function in Agent model for improved comparison logic
- Introduced handling for undefined/null values in array and object comparisons.
- Normalized array comparisons to treat undefined/null as empty arrays.
- Added deep comparison for objects and improved handling of primitive values.
- Enhanced projectIds comparison to ensure consistent MongoDB ObjectId handling.
refactor: remove redundant properties from IAgent interface in agent schema
chore: update localization for agent detail component and clean up imports
ci: update access middleware tests
chore: remove unused PermissionTypes import from Role model
ci: update AclEntry model tests
ci: update button accessibility labels in AgentDetail tests
refactor: update exhaustive dep. lint warning
🔧 fix: Fixed agent actions access
feat: Add role-level permissions for agent sharing people picker
- Add PEOPLE_PICKER permission type with VIEW_USERS and VIEW_GROUPS permissions
- Create custom middleware for query-aware permission validation
- Implement permission-based type filtering in PeoplePicker component
- Hide people picker UI when user lacks permissions, show only public toggle
- Support granular access: users-only, groups-only, or mixed search modes
refactor: Replace marketplace interface config with permission-based system
- Add MARKETPLACE permission type to handle marketplace access control
- Update interface configuration to use role-based marketplace settings (admin/user)
- Replace direct marketplace boolean config with permission-based checks
- Modify frontend components to use marketplace permissions instead of interface config
- Update agent query hooks to use marketplace permissions for determining permission levels
- Add marketplace configuration structure similar to peoplePicker in YAML config
- Backend now sets MARKETPLACE permissions based on interface configuration
- When marketplace enabled: users get agents with EDIT permissions in dropdown lists (builder mode)
- When marketplace disabled: users get agents with VIEW permissions in dropdown lists (browse mode)
🔧 fix: Redirect to New Chat if No Marketplace Access and Required Agent Name Placeholder (#8213)
* Fix: Fix the redirect to new chat page if access to marketplace is denied
* Fixed the required agent name placeholder
---------
Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
chore: fix tests, remove unnecessary imports
refactor: Implement permission checks for file access via agents
- Updated `hasAccessToFilesViaAgent` to utilize permission checks for VIEW and EDIT access.
- Replaced project-based access validation with permission-based checks.
- Enhanced tests to cover new permission logic and ensure proper access control for files associated with agents.
- Cleaned up imports and initialized models in test files for consistency.
refactor: Enhance test setup and cleanup for file access control
- Introduced modelsToCleanup array to track models added during tests for proper cleanup.
- Updated afterAll hooks in test files to ensure all collections are cleared and only added models are deleted.
- Improved consistency in model initialization across test files.
- Added comments for clarity on cleanup processes and test data management.
chore: Update Jest configuration and test setup for improved timeout handling
- Added a global test timeout of 30 seconds in jest.config.js.
- Configured jest.setTimeout in jestSetup.js to allow individual test overrides if needed.
- Enhanced test reliability by ensuring consistent timeout settings across all tests.
refactor: Implement file access filtering based on agent permissions
- Introduced `filterFilesByAgentAccess` function to filter files based on user access through agents.
- Updated `getFiles` and `primeFiles` functions to utilize the new filtering logic.
- Moved `hasAccessToFilesViaAgent` function from the File model to permission services, adjusting imports accordingly
- Enhanced tests to ensure proper access control and filtering behavior for files associated with agents.
fix: make support_contact field a nested object rather than a sub-document
refactor: Update support_contact field initialization in agent model
- Removed handling for empty support_contact object in createAgent function.
- Changed default value of support_contact in agent schema to undefined.
test: Add comprehensive tests for support_contact field handling and versioning
refactor: remove unused avatar upload mutation field and add informational toast for success
chore: add missing SidePanelProvider for AgentMarketplace and organize imports
fix: resolve agent selection race condition in marketplace HandleStartChat
- Set agent in localStorage before newConversation to prevent useSelectorEffects from auto-selecting previous agent
fix: resolve agent dropdown showing raw ID instead of agent info from URL
- Add proactive agent fetching when agent_id is present in URL parameters
- Inject fetched agent into agents cache so dropdowns display proper name/avatar
- Use useAgentsMap dependency to ensure proper cache initialization timing
- Prevents raw agent IDs from showing in UI when visiting shared agent links
Fix: Agents endpoint renamed to "My Agent" for less confusion with the Marketplace agents.
chore: fix ESLint issues and Test Mocks
ci: update permissions structure in loadDefaultInterface tests
- Refactored permissions for MEMORY and added new permissions for MARKETPLACE and PEOPLE_PICKER.
- Ensured consistent structure for permissions across different types.
feat: support_contact validation to allow empty email strings
WIP: pre-granular-permissions commit
feat: Add category and support contact fields to Agent schema and UI components
Revert "feat: Add category and support contact fields to Agent schema and UI components"
This reverts commit c43a52b4c9.
Fix: Update import for renderHook in useAgentCategories.spec.tsx
fix: Update icon rendering in AgentCategoryDisplay tests to use empty spans
refactor: Improve category synchronization logic and clean up AgentConfig component
refactor: Remove unused UI flow translations from translation.json
feat: agent marketplace features
🔐 feat: Granular Role-based Permissions + Entra ID Group Discovery (#7804)
* chore: Remove eslint-plugin-perfectionist from dependencies
* 🚌 fix: MCP Runtime Errors while Initializing
* chore: Bump @librechat/api version to 1.3.1
* chore: import order
* chore: import order
- Fix grammar in translations README: 'if has not been ran' 'if it has not been run'
- Fix spacing in JSDoc comments: 'at theend' 'at the end' (2 instances)
* fix: social login provider crossover
* feat: Enhance OpenID login handling and add tests for provider validation
* refactor: authentication error handling to use ErrorTypes.AUTH_FAILED enum
* refactor: update authentication error handling in LDAP and SAML strategies to use ErrorTypes.AUTH_FAILED enum
* ci: Add validation for login with existing email and different provider in SAML strategy
chore: Add logging for existing users with different providers in LDAP, SAML, and Social Login strategies
* fix: localization string had unused template var
* fix: add normalizeHttpError to hopefully stop UI hangs when an error is returned in UserController
- Ensures updateUserPluginsController always returns valid HTTP status codes instead of undefined
- Add normalizeHttpError() helper to safely extract status/message from errors
- Default to 400 status code when Error.status is undefined/invalid
* refactor: move normalizeHttpError to packages/api
* 🛣️ fix: Remove Title Tokens Limit for GPT-5 Models
* 🛣️ fix: Remove max_completion_tokens from modelKwargs when maxTokens is disabled
* chore: Add test-image* to .gitignore for CI/CD data
* WIP: Verbosity OpenAI Parameter
* 🔧 chore: remove unused import of extractEnvVariable from parsers.ts
* ✨ feat: add comprehensive tests for getOpenAIConfig and enhance verbosity handling
* fix: Handling for maxTokens in GPT-5+ models and add corresponding tests
* feat: Implement GPT-5+ model handling in processMemory function
* fix: add OAuth flow back in to success state
* feat: disable server clicks during initialization to prevent spam
* fix: correct new tab behavior for OAuth between one-click and normal initialization flows
* fix: stop polling on error during oauth (was infinite popping toasts because we didn't clear interval)
* fix: cleanupServerState should be called after successful cancelOauth, not before
* fix: change from completeFlow to failFlow to avoid stale client IDs on OAuth after cancellation
* fix: add logic to differentiate between cancelled and failed flows when checking status for indicators (so error triangle indicator doesn't show up on cancellaiton)
* feat: add OAuth servers to conditional rendering logic for MCPPanel in SideNav
* feat: add startup flag check to conditional rendering logic
* fix: correct improper handling of failure state in reinitialize endpoint
* fix: change MCP config components to better handle servers without customUserVars
- removes the subtle reinitialize button from config components of servers without customUserVars or OAuth
- adds a placeholder message for components where servers have no customUserVars configured
* style: swap CustomUserVarsSection and ServerInitializationSection positions
* style: fix coloring for light mode and align more with existing design patterns
* chore: remove extraneous comments
* chore: reorder imports and `isEnabled` from api package
---------
Co-authored-by: Danny Avila <danny@librechat.ai>
* ✨ feat: Enhance MCP Connection Status Management
- Introduced new functions to retrieve and manage connection status for multiple MCP servers, including OAuth flow checks and server-specific status retrieval.
- Refactored the MCP connection status endpoints to support both all servers and individual server queries.
- Replaced the old server initialization hook with a new `useMCPServerManager` hook for improved state management and handling of multiple OAuth flows.
- Updated the MCPPanel component to utilize the new context provider for better state handling and UI updates.
- Fixed a number of UI bugs when initializing servers
* 🗣️ i18n: Remove unused strings from translation.json
* refactor: move helper functions out of the route module into mcp service file
* ci: add tests for newly added functions in mcp service file
* fix: memoize setMCPValues to avoid render loop
- Refactored MCPSelect and MCPSubMenu components to utilize a new custom hook, `useMCPServerManager`, for improved state management and server initialization logic.
- Added functionality to handle simultaneous MCP server initialization requests, including cancellation and user notifications.
- Updated translation files to include new messages for initialization cancellation.
- Improved the configuration dialog handling for MCP servers, streamlining the user experience when managing server settings.
* ✨ feat: Add support for forced in-memory cache keys configuration
* refactor: Update cache keys to use uppercase constants and moved cache for `librechat.yaml` into its own cache namespace (STATIC_CONFIG) and with a more descriptive key (LIBRECHAT_YAML_CONFIG)
* refactor: prefer `agent.model` (user-facing value) over `agent.model_parameters.model` to ensure Azure mapping
* chore: update @librechat/agents to version 2.4.68 to use new default title prompt for completion title method
* ✨ feat: Add connection status endpoint for MCP servers
- Implemented a new endpoint to retrieve the connection status of all MCP servers without disconnecting idle connections.
- Enhanced MCPManager class with a method to get all user-specific connections.
* feat: add silencer arg to loadCustomConfig function to conditionally print config details
- Modified loadCustomConfig to accept a printConfig parameter that allows me to prevent the entire custom config being printed every time it is called
* fix: new status endpoint actually works now, changes to manager.ts to support it
- Updated the connection status endpoint to utilize Maps for app and user connections, rather than incorrectly treating them as objects.
- Introduced a new method + variable in MCPManager to track servers requiring OAuth discovered at startup.
- Stopped OAuth flow from continuing once detected during startup for a new connection
* refactor: Remove hasAuthConfig since we can get that on the frontend without needing to use the endpoint
* feat: Add MCP connection status query and query key for new endpoint
- Introduced a new query hook `useMCPConnectionStatusQuery` to fetch the connection status of MCP servers.
- Added request in data-service
- Defined the API endpoint for retrieving MCP connection status in api-endpoints.ts.
- Defined new types for MCP connection status responses in the types module.
- Added mcpConnectionStatus key
* feat: Enhance MCPSelect component with connection status and server configuration
- Added connection status handling for MCP servers using the new `useMCPConnectionStatusQuery` hook.
- Implemented logic to display appropriate status icons based on connection state and authentication configuration.
- Updated the server selection logic to utilize configured MCP servers from the startup configuration.
- Refactored the rendering of configuration buttons and status indicators for improved user interaction.
* refactor: move MCPConfigDialog to its own MCP subdir in ui and update import
* refactor: silence loadCustomConfig in status endpoint
* feat: Add optional pluginKey parameter to getUserPluginAuthValue
* feat: Add MCP authentication values endpoint and related queries
- Implemented a new endpoint to check authentication value flags for specific MCP servers, returning boolean indicators for each custom user variable.
- Added a corresponding query hook `useMCPAuthValuesQuery` to fetch authentication values from the frontend.
- Defined the API endpoint for retrieving MCP authentication values in api-endpoints.ts.
- Updated data-service to include a method for fetching MCP authentication values.
- Introduced new types for MCP authentication values responses in the types module.
- Added a new query key for MCP authentication values.
* feat: Localize MCPSelect component status labels and aria attributes
- Updated the MCPSelect component to use localized strings for connection status labels and aria attributes, enhancing accessibility and internationalization support.
- Added new translation keys for various connection states in the translation.json file.
* feat: Implement filtered MCP values selection based on connection status in MCPSelect
- Added a new `filteredSetMCPValues` function to ensure only connected servers are selectable in the MCPSelect component.
- Updated the rendering logic to visually indicate the connection status of servers by adjusting opacity.
- Enhanced accessibility by localizing the aria-label for the configuration button.
* feat: Add CustomUserVarsSection component for managing user variables
- Introduced a new `CustomUserVarsSection` component to allow users to configure custom variables for MCP servers.
- Integrated localization for user interface elements and added new translation keys for variable management.
- Added functionality to save and revoke user variables, with visual indicators for set/unset states.
* feat: Enhance MCPSelect and MCPConfigDialog with improved state management and UI updates
- Integrated `useQueryClient` to refetch queries for tools, authentication values, and connection status upon successful plugin updates in MCPSelect.
- Simplified plugin key handling by directly using the formatted plugin key in save and revoke operations.
- Updated MCPConfigDialog to include server status indicators and improved dialog content structure for better user experience.
- Added new translation key for active status in the localization files.
* feat: Enhance MCPConfigDialog with dynamic server status badges and localization updates
- Added a helper function to render status badges based on the connection state of the MCP server, improving user feedback on connection status.
- Updated the localization files to include new translation keys for connection states such as "Connecting" and "Offline".
- Refactored the dialog to utilize the new status rendering function for better code organization and readability.
* feat: Implement OAuth handling and server initialization in MCP reinitialize flow
- Added OAuth handling to the MCP reinitialize endpoint, allowing the server to capture and return OAuth URLs when required.
- Updated the MCPConfigDialog to include a new ServerInitializationSection for managing server initialization and OAuth flow.
- Enhanced the user experience by providing feedback on server status and OAuth requirements through localized messages.
- Introduced new translation keys for OAuth-related messages in the localization files.
- Refactored the MCPSelect component to remove unused authentication configuration props.
* feat: Make OAuth actually work / update after OAuth link authorized
- Improved the handling of OAuth flows in the MCP reinitialize process, allowing for immediate return when OAuth is initiated.
- Updated the UserController to extract server names from plugin keys for better logging and connection management.
- Enhanced the MCPSelect component to reflect authentication status based on OAuth requirements.
- Implemented polling for OAuth completion in the ServerInitializationSection to improve user feedback during the connection process.
- Refactored MCPManager to support new OAuth flow initiation logic and connection handling.
* refactor: Simplify MCPPanel component and enhance server status display
- Removed unused imports and state management related to user plugins and server reinitialization.
- Integrated connection status handling directly into the MCPPanel for improved user feedback.
- Updated the rendering logic to display server connection states with visual indicators.
- Refactored the editing view to utilize new components for server initialization and custom user variables management.
* chore: remove comments
* chore: remove unused translation key for MCP panel
* refactor: Rename returnOnOAuthInitiated to returnOnOAuth for clarity
* refactor: attempt initialize on server click
* feat: add cancel OAuth flow functionality and related UI updates
* refactor: move server status icon logic into its own component
* chore: remove old localization strings (makes more sense for icon labels to just use configure stirng since thats where it leads to)
* fix: fix accessibility issues with MCPSelect
* fix: add missing save/revoke mutation logic to MCPPanel
* styling: add margin to checkmark in MultiSelect
* fix: add back in customUserVars check to hide gear config icon for servers without customUserVars
---------
Co-authored-by: Dustin Healy <dustinhealy1@gmail.com>
Co-authored-by: Dustin Healy <54083382+dustinhealy@users.noreply.github.com>
* ✨ feat: Add MCP Reinitialization to MCPPanel
- Refactored tool caching to include user-specific tools in various service files.
- Refactored MCPManager class for clarity
- Added a new endpoint for reinitializing MCP servers, allowing for dynamic updates of server configurations.
- Enhanced the MCPPanel component to support server reinitialization with user feedback.
* 🔃 refactor: Simplify Plugin Deduplication and Clear Cache Post-MCP Initialization
- Replaced manual deduplication of tools with the dedicated `filterUniquePlugins` function for improved readability.
- Added back cache clearing for tools after MCP initialization to ensure fresh data is used.
- Removed unused exports from `PluginController.js` to clean up the codebase.
* 🏗️ refactor: Extract reasoning key logic into separate function
* refactor: Ensure `overrideProvider` is always defined in `getProviderConfig` result, and only used in `initializeAgent` if different from `agent.provider`
* feat: new title configuration options across services
- titlePrompt
- titleEndpoint
- titlePromptTemplate
- new "completion" titleMethod (new default)
* chore: update @librechat/agents and conform openai version to prevent SDK errors
* chore: add form-data package as a dependency and override to v4.0.4 to address CVE-2025-7783
* feat: add support for 'all' endpoint configuration in AppService and corresponding tests
* refactor: replace HttpsProxyAgent with ProxyAgent from undici for improved proxy handling in assistant initialization
* chore: update frontend review workflow to limit package paths to data-provider
* chore: update backend review workflow to include all package paths
- Added firecrawlOptions configuration field to librechat.yaml
- Refactored web.ts to live in packages/api rather than data-provider
- Updated imports from web.ts to reflect new location
- Added firecrawlOptions to FirecrawlConfig interface
- Added firecrawlOptions to authResult of loadWebSearchAuth so it gets properly passed to agents to be built into firecrawl payload
- Added tests for firecrawlOptions to web.spec.ts
* wip: first pass content strings
* 📦 chore: update @langchain/core to v0.3.62 for data-provider dev dep.
* 📦 chore: bump @langchain/core to v0.3.62 for api dep.
* 📦 chore: move @langchain/core to peerDependencies in package.json and package-lock.json
* fix: update formatContentStrings to create HumanMessage directly from formatted content
* chore: import order
* 🕒 refactor: Use Legacy Content for Custom Endpoints to Improve Compatibility
- Also applies to Azure serverless endpoints from AI Foundry
* chore: move useLegacyContent condition before early return
* fix: Ensure useLegacyContent is set only when options are available
