* fix: Convert `const` to `enum` in MCP tool schemas for Gemini/Vertex AI compatibility
Gemini/Vertex AI rejects the JSON Schema `const` keyword in function declarations
with a 400 error. Previously, the Zod conversion layer accidentally stripped `const`,
but after migrating to pass raw JSON schemas directly to providers, the unsupported
keyword now reaches Gemini verbatim.
Add `normalizeJsonSchema` to recursively convert `const: X` → `enum: [X]`, which is
semantically equivalent per the JSON Schema spec and supported by all providers.
* fix: Update secure cookie handling in AuthService to use dynamic secure flag
Replaced the static `secure: isProduction` with a call to `shouldUseSecureCookie()` in the `setOpenIDAuthTokens` function. This change ensures that the secure cookie setting is evaluated at runtime, improving cookie handling in development environments while maintaining security in production.
* refactor: Simplify MCP tool key formatting and remove unused mocks in tests
- Updated MCP test suite to replace static tool key formatting with a dynamic delimiter from Constants, enhancing consistency and maintainability.
- Removed unused mock implementations for `@langchain/core/tools` and `@librechat/agents`, streamlining the test setup.
- Adjusted related test cases to reflect the new tool key format, ensuring all tests remain functional.
* chore: import order
- Introduced new model entries for 'moonshotai.kimi' and 'moonshotai.kimi-k2.5' in tokens.ts.
- Updated parameterSettings.ts to include configurations for MoonshotAI and ZAI providers.
- Enhanced schemas.ts by adding MoonshotAI and ZAI to the BedrockProviders enum for better integration.
* fix(openid): distinguish ID tokens from access tokens in federated auth
Fix OpenID Connect token handling to properly distinguish ID tokens from access tokens. ID tokens and access tokens are now stored and propagated separately, preventing token placeholders from resolving to identical values.
- AuthService.js: Added idToken field to session storage
- openIdJwtStrategy.js: Updated to read idToken from session
- openidStrategy.js: Explicitly included id_token in federatedTokens
- Test suites: Added comprehensive test coverage for token distinction
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(openid): add separate openid_id_token cookie for ID token storage
Store the OIDC ID token in its own cookie rather than relying solely on
the access token, ensuring correct token type is used for identity
verification vs API authorization.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* test(openid): add JWT strategy cookie fallback tests
Cover the token source resolution logic in openIdJwtStrategy:
session-only, cookie-only, partial session fallback, raw Bearer
fallback, and distinct id_token/access_token from cookies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Fixed an issue where memory agents would fail with 'Provider Ollama not supported'
error when using Ollama as a custom endpoint. The getCustomEndpointConfig function
was only normalizing the endpoint config name but not the endpoint parameter
during comparison.
Changes:
- Modified getCustomEndpointConfig to normalize both sides of the endpoint comparison
- Added comprehensive test coverage for getCustomEndpointConfig including:
- Test for case-insensitive Ollama endpoint matching (main fix)
- Tests for various edge cases and error handling
This ensures that endpoint name matching works correctly for Ollama regardless
of case sensitivity in the configuration.
* 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService
Two independent bugs in `api/server/services/AuthService.js` cause complete
authentication failure when using `OPENID_REUSE_TOKENS=true` with Microsoft
Entra ID (or Auth0) on `http://localhost` with `NODE_ENV=production`:
Bug 1: `secure: isProduction` prevents auth cookies on localhost
PR #11518 introduced `shouldUseSecureCookie()` in `socialLogins.js` to handle
the case where `NODE_ENV=production` but the server runs on `http://localhost`.
However, `AuthService.js` was not updated — it still used `secure: isProduction`
in 6 cookie locations across `setAuthTokens()` and `setOpenIDAuthTokens()`.
The `token_provider` cookie being dropped is critical: without it,
`requireJwtAuth` middleware defaults to the `jwt` strategy instead of
`openidJwt`, causing all authenticated requests to return 401.
Bug 2: `setOpenIDAuthTokens()` returns `access_token` instead of `id_token`
The `openIdJwtStrategy` validates the Bearer token via JWKS. For Entra ID
without `OPENID_AUDIENCE`, the `access_token` is a Microsoft Graph API token
(opaque or signed for a different audience), which fails JWKS validation.
The `id_token` is always a standard JWT signed by the IdP's JWKS keys with
the app's `client_id` as audience — which is what the strategy expects.
This is the same root cause as issue #8796 (Auth0 encrypted access tokens).
Changes:
- Consolidate `shouldUseSecureCookie()` into `packages/api/src/oauth/csrf.ts`
as a shared, typed utility exported from `@librechat/api`, replacing the
duplicate definitions in `AuthService.js` and `socialLogins.js`
- Move `isProduction` check inside the function body so it is evaluated at
call time rather than module load time
- Fix `packages/api/src/oauth/csrf.ts` which also used bare
`secure: isProduction` for CSRF and session cookies (same localhost bug)
- Return `tokenset.id_token || tokenset.access_token` from
`setOpenIDAuthTokens()` so JWKS validation works with standard OIDC
providers; falls back to `access_token` for backward compatibility
- Add 15 tests for `shouldUseSecureCookie()` covering production/dev modes,
localhost variants, edge cases, and a documented IPv6 bracket limitation
- Add 13 tests for `setOpenIDAuthTokens()` covering token selection,
session storage, cookie secure flag delegation, and edge cases
Refs: #8796, #11518, #11236, #9931
* chore: Adjust Import Order and Type Definitions in AgentPanel Component
- Reordered imports in `AgentPanel.tsx` for better organization and clarity.
- Updated type imports to ensure proper usage of `FieldNamesMarkedBoolean` and `TranslationKeys`.
- Removed redundant imports to streamline the codebase.
* 🐳 feat: Expose enableServiceLinks in Helm Deployment templates (#11740)
Allow users to disable Kubernetes service link injection via enableServiceLinks
in both LibreChat and RAG API Helm charts. This prevents pod startup failures
caused by "argument list too long" errors in namespaces with many services.
* Update helm/librechat/templates/deployment.yaml
* Update helm/librechat-rag-api/templates/rag-deployment.yaml
* set enableServiceLinks default to true
---------
Co-authored-by: Ganesh Bhat <ganesh.bhat@fullscript.com>
* 🔧 fix: Optimize job update logic in RedisJobStore
- Refactored the updateJob method to use a Lua script for atomic updates, ensuring that jobs are only updated if they exist in Redis.
- Removed redundant existence check and streamlined the serialization process for better performance and clarity.
* 🔧 test: Add race condition tests for RedisJobStore
- Introduced tests to verify behavior of updateJob after deleteJob, ensuring no job hash is recreated post-deletion.
- Added checks for orphan keys when concurrent deleteJob and updateJob operations occur, enhancing reliability in job management.
* 🔧 test: Refactor Redis client readiness checks in violationCache tests
- Introduced a new helper function `waitForRedisClients` to streamline the readiness checks for Redis clients in the violationCache integration tests.
- Removed redundant Redis client readiness checks from individual test cases, improving code clarity and maintainability.
* 🔧 fix: Update RedisJobStore to use hset instead of hmset
- Replaced instances of `hmset` with `hset` in the RedisJobStore implementation to align with the latest Redis command updates.
- Updated Lua script in the eval method to reflect the change, ensuring consistent job handling in both cluster and non-cluster modes.
* 🔧 feat: Update user key handling in keys route and add comprehensive tests
- Enhanced the PUT /api/keys route to destructure request body for better clarity and maintainability.
- Introduced a new test suite for keys route, covering key update, deletion, and retrieval functionalities, ensuring robust validation and IDOR prevention.
- Added tests to verify handling of extraneous fields and missing optional parameters in requests.
* 🔧 fix: Enhance conversation deletion route with parameter validation
- Updated the DELETE /api/convos route to handle cases where the request body is empty or the 'arg' parameter is null/undefined, returning a 400 status with an appropriate error message for DoS prevention.
- Added corresponding tests to ensure proper validation and error handling for these scenarios, enhancing the robustness of the API.
* 🔧 fix: Improve request body validation in keys and convos routes
- Updated the DELETE /api/convos and PUT /api/keys routes to validate the request body, returning a 400 status for null or invalid bodies to enhance security and prevent potential DoS attacks.
- Added corresponding tests to ensure proper error handling for these scenarios, improving the robustness of the API.
* fix: document with undefined _meiliIndex not synced
missing property _meiliIndex is not being synced into meilisearch
* fix: updated comments to reflect changes to fix_meiliSearch property usage
* 🔧 refactor: Consolidate aggregateContent calls in agent handlers
- Moved aggregateContent function calls to the beginning of the event handling functions in the agent callbacks to ensure consistent data aggregation before processing events. This change improves code clarity and maintains the intended functionality without redundancy.
* 🔧 chore: Update @librechat/agents to version 3.1.40 in package.json and package-lock.json across multiple packages
* 🔧 fix: Increase default recursion limit in AgentClient from 25 to 50 for improved processing capability
* 🔧 fix: Update OAuth error message for clarity
- Changed the default error message in the OAuth error route from 'Unknown error' to 'Unknown OAuth error' to provide clearer context during authentication failures.
* 🔒 feat: Enhance OAuth flow with CSRF protection and session management
- Implemented CSRF protection for OAuth flows by introducing `generateOAuthCsrfToken`, `setOAuthCsrfCookie`, and `validateOAuthCsrf` functions.
- Added session management for OAuth with `setOAuthSession` and `validateOAuthSession` middleware.
- Updated routes to bind CSRF tokens for MCP and action OAuth flows, ensuring secure authentication.
- Enhanced tests to validate CSRF handling and session management in OAuth processes.
* 🔧 refactor: Invalidate cached tools after user plugin disconnection
- Added a call to `invalidateCachedTools` in the `updateUserPluginsController` to ensure that cached tools are refreshed when a user disconnects from an MCP server after a plugin authentication update. This change improves the accuracy of tool data for users.
* chore: imports order
* fix: domain separator regex usage in ToolService
- Moved the declaration of `domainSeparatorRegex` to avoid redundancy in the `loadActionToolsForExecution` function, improving code clarity and performance.
* chore: OAuth flow error handling and CSRF token generation
- Enhanced the OAuth callback route to validate the flow ID format, ensuring proper error handling for invalid states.
- Updated the CSRF token generation function to require a JWT secret, throwing an error if not provided, which improves security and clarity in token generation.
- Adjusted tests to reflect changes in flow ID handling and ensure robust validation across various scenarios.
* 🔧 refactor: Introduce TOOL_CACHE for isolated caching of tools
- Added TOOL_CACHE key to CacheKeys enum for managing tool-related cache.
- Updated various services and controllers to utilize TOOL_CACHE instead of CONFIG_STORE for better separation of concerns in caching logic.
- Enhanced .env.example with comments on using in-memory cache for blue/green deployments.
* 🔧 refactor: Update cache configuration for in-memory storage handling
- Enhanced the handling of `FORCED_IN_MEMORY_CACHE_NAMESPACES` in `cacheConfig.ts` to default to `CONFIG_STORE` and `APP_CONFIG`, ensuring safer blue/green deployments.
- Updated `.env.example` with clearer comments regarding the usage of in-memory cache namespaces.
- Improved unit tests to validate the new default behavior and handling of empty strings for cache namespaces.
* refactor: better SSRF Protection in Action and Tool Services
- Added `createSSRFSafeAgents` function to create HTTP/HTTPS agents that block connections to private/reserved IP addresses, enhancing security against SSRF attacks.
- Updated `createActionTool` to accept a `useSSRFProtection` parameter, allowing the use of SSRF-safe agents during tool execution.
- Modified `processRequiredActions` and `loadAgentTools` to utilize the new SSRF protection feature based on allowed domains configuration.
- Introduced `resolveHostnameSSRF` function to validate resolved IPs against private ranges, preventing potential SSRF vulnerabilities.
- Enhanced tests for domain resolution and private IP detection to ensure robust SSRF protection mechanisms are in place.
* feat: Implement SSRF protection in MCP connections
- Added `createSSRFSafeUndiciConnect` function to provide SSRF-safe DNS lookup options for undici agents.
- Updated `MCPConnection`, `MCPConnectionFactory`, and `ConnectionsRepository` to include `useSSRFProtection` parameter, enabling SSRF protection based on server configuration.
- Enhanced `MCPManager` and `UserConnectionManager` to utilize SSRF protection when establishing connections.
- Updated tests to validate the integration of SSRF protection across various components, ensuring robust security measures are in place.
* refactor: WS MCPConnection with SSRF protection and async transport construction
- Added `resolveHostnameSSRF` to validate WebSocket hostnames against private IP addresses, enhancing SSRF protection.
- Updated `constructTransport` method to be asynchronous, ensuring proper handling of SSRF checks before establishing connections.
- Improved error handling for WebSocket transport to prevent connections to potentially unsafe addresses.
* test: Enhance ActionRequest tests for SSRF-safe agent passthrough
- Added tests to verify that httpAgent and httpsAgent are correctly passed to axios.create when provided in ActionRequest.
- Included scenarios to ensure agents are not included when no options are specified.
- Enhanced coverage for POST requests to confirm agent passthrough functionality.
- Improved overall test robustness for SSRF protection in ActionRequest execution.
* style: update input IDs in BasicInfoSection for consistency and improve accessibility
* style: add border-destructive variable for improved design consistency
* style: update error border color for title input in BasicInfoSection
* style: update delete confirmation dialog title and description for MCP Server
* style: add text-destructive variable for improved design consistency
* style: update error message and border color for URL and trust fields for consistency
* style: reorder imports and update error message styling for consistency across sections
* style: enhance MCPServerDialog with copy link functionality and UI improvements
* style: enhance MCPServerDialog with improved accessibility and loading indicators
* style: bump @librechat/client to 0.4.51 and enhance OGDialogTemplate for improved selection handling
* a11y: enhance accessibility and error handling in MCPServerDialog sections
* style: enhance MCPServerDialog accessibility and improve resource name handling
* style: improve accessibility in MCPServerDialog and AuthSection, update translation for delete confirmation
* style: update aria-invalid attributes to use string values for improved accessibility in form sections
* style: enhance accessibility in AuthSection by updating aria attributes and adding error messages
* style: remove unnecessary aria-hidden attributes from Spinner components in MCPServerDialog
* style: simplify legacy selection check in OGDialogTemplate
* 🔧 chore: Update @librechat/agents to version 3.1.39 in package.json and package-lock.json
* 🔧 chore: Update axios to version 1.13.5 in package.json and package-lock.json across multiple packages
- Increased z-index values for the DialogPrimitive overlay and content in ImagePreview.tsx to ensure proper stacking order and visibility of modal elements. This change enhances the user experience by preventing modal content from being obscured by other UI elements.
`_new` is not a recognized keyword for the `target` attribute. While
browsers treat it as a named window, `_blank` is the standard value
for opening links in a new tab/window.
* fix: prevent truncated responses when Redis resumable streams are enabled
Race condition in RedisEventTransport.subscribe() caused early events
(seq 0+) to be lost. The Redis SUBSCRIBE command was fired as
fire-and-forget, but GenerationJobManager immediately set
hasSubscriber=true, disabling the earlyEventBuffer. Events published
during the gap between subscribe() returning and the Redis subscription
actually taking effect were neither buffered nor received — they were
silently dropped by Pub/Sub.
This manifested as "timeout waiting for seq 0, force-flushing N messages"
warnings followed by truncated or missing response text in the UI.
The fix:
- IEventTransport.subscribe() now returns an optional `ready` promise
that resolves once the transport can actually receive messages
- RedisEventTransport returns the Redis SUBSCRIBE acknowledgment as the
`ready` promise instead of firing it as fire-and-forget
- GenerationJobManager.subscribe() awaits `ready` before setting
hasSubscriber=true, keeping the earlyEventBuffer active during the
subscription window so no events are lost
- GenerationJobManager.emitChunk() early-returns after buffering when no
subscriber is connected, avoiding wasteful Redis PUBLISHes that nobody
would receive
Adds 5 regression tests covering the race condition for both in-memory
and Redis transports, verifying that events emitted before subscribe are
buffered and replayed, that the ready promise contract is correct for
both transport implementations, and that no events are lost across the
subscribe boundary.
* refactor: Update import paths in GenerationJobManager integration tests
- Refactored import statements in the GenerationJobManager integration test file to use absolute paths instead of relative paths, improving code readability and maintainability.
- Removed redundant imports and ensured consistent usage of the updated import structure across the test cases.
* chore: Remove redundant await from GenerationJobManager initialization in tests
- Updated multiple test cases to call GenerationJobManager.initialize() without awaiting, improving test performance and clarity.
- Ensured consistent initialization across various scenarios in the CollectedUsage and AbortJob test suites.
* refactor: Enhance GenerationJobManager integration tests and RedisEventTransport cleanup
- Updated GenerationJobManager integration tests to utilize dynamic Redis clients and removed unnecessary awaits from initialization calls, improving test performance.
- Refactored RedisEventTransport's destroy method to safely disconnect the subscriber, enhancing resource management and preventing potential errors during cleanup.
* feat: Enhance GenerationJobManager and RedisEventTransport for improved event handling
- Added a resetSequence method to IEventTransport and implemented it in RedisEventTransport to manage publish sequence counters effectively.
- Updated GenerationJobManager to utilize the new resetSequence method, ensuring proper event handling during stream operations.
- Introduced integration tests for GenerationJobManager to validate cross-replica event publishing and subscriber readiness in Redis, enhancing test coverage and reliability.
* test: Add integration tests for GenerationJobManager sequence reset and error recovery with Redis
- Introduced new tests to validate the behavior of GenerationJobManager during sequence resets, ensuring no stale events are received after a reset.
- Added tests to confirm that the sequence is not reset when a second subscriber joins mid-stream, maintaining event integrity.
- Implemented a test for resubscription after a Redis subscribe failure, verifying that events can still be received post-error.
- Enhanced overall test coverage for Redis-related functionalities in GenerationJobManager.
* fix: Update GenerationJobManager and RedisEventTransport for improved event synchronization
- Replaced the resetSequence method with syncReorderBuffer in GenerationJobManager to enhance cross-replica event handling without resetting the publisher sequence.
- Added a new syncReorderBuffer method in RedisEventTransport to advance the subscriber reorder buffer safely, ensuring no data loss during subscriber transitions.
- Introduced a new integration test to validate that local subscribers joining do not cause data loss for cross-replica subscribers, enhancing the reliability of event delivery.
- Updated existing tests to reflect changes in event handling logic, improving overall test coverage and robustness.
* fix: Clear flushTimeout in RedisEventTransport to prevent potential memory leaks
- Added logic to clear the flushTimeout in the reorderBuffer when resetting the sequence counters, ensuring proper resource management and preventing memory leaks during state transitions in RedisEventTransport.
* feat: Add support for Apache Parquet MIME types
- Introduced 'application/x-parquet' to the full MIME types list and code interpreter MIME types list.
- Updated application MIME types regex to include 'x-parquet' and 'vnd.apache.parquet'.
- Added mapping for '.parquet' files to 'application/x-parquet' in code type mapping, enhancing file format support.
* feat: Implement atomic file claiming for code execution outputs
- Added a new `claimCodeFile` function to atomically claim a file_id for code execution outputs, preventing duplicates by using a compound key of filename and conversationId.
- Updated `processCodeOutput` to utilize the new claiming mechanism, ensuring that concurrent calls for the same filename converge on a single record.
- Refactored related tests to validate the new atomic claiming behavior and its impact on file usage tracking and versioning.
* fix: Update image file handling to use cache-busting filepath
- Modified the `processCodeOutput` function to generate a cache-busting filepath for updated image files, improving browser caching behavior.
- Adjusted related tests to reflect the change from versioned filenames to cache-busted filepaths, ensuring accurate validation of image updates.
* fix: Update step handler to prevent undefined content for non-tool call types
- Modified the condition in useStepHandler to ensure that undefined content is only assigned for specific content types, enhancing the robustness of content handling.
* fix: Update bedrockOutputParser to handle maxTokens for adaptive models
- Modified the bedrockOutputParser logic to ensure that maxTokens is not set for adaptive models when neither maxTokens nor maxOutputTokens are provided, improving the handling of adaptive thinking configurations.
- Updated related tests to reflect these changes, ensuring accurate validation of the output for adaptive models.
* chore: Update @librechat/agents to version 3.1.38 in package.json and package-lock.json
* fix: Enhance file claiming and error handling in code processing
- Updated the `processCodeOutput` function to use a consistent file ID for claiming files, preventing duplicates and improving concurrency handling.
- Refactored the `createFileMethods` to include error handling for failed file claims, ensuring robust behavior when claiming files for conversations.
- These changes enhance the reliability of file management in the application.
* fix: Update adaptive thinking test for Opus 4.6 model
- Modified the test for configuring adaptive thinking to reflect that no default maxTokens should be set for the Opus 4.6 model.
- Updated assertions to ensure that maxTokens is undefined, aligning with the expected behavior for adaptive models.
* fix: Update parseTextParts to handle undefined content parts
- Modified the parseTextParts function to accept an array of content parts that may include undefined values.
- Implemented optional chaining to safely check for the type of each part, preventing potential runtime errors when accessing properties of undefined elements.
* refactor: Tool Call Configuration with Session Context
- Added support for including session ID and injected files in the tool call configuration when a code session context is present.
- Improved handling of tool call configurations to accommodate additional context data, enhancing the functionality of the tool execution handler.
* chore: Update @librechat/agents to version 3.1.37 in package.json and package-lock.json
* test: Add unit tests for createToolExecuteHandler
- Introduced a new test suite for the createToolExecuteHandler function, validating the handling of session context in tool calls.
- Added tests to ensure correct passing of session IDs and injected files based on the presence of codeSessionContext.
- Included scenarios for handling multiple tool calls and ensuring non-code execution tools are unaffected by session context.
* test: Update createToolExecuteHandler tests for session context handling
- Renamed test to clarify that it checks for the absence of session context in non-code-execution tools.
- Updated assertions to ensure that session_id and _injected_files are undefined when non-code-execution tools are invoked, enhancing test accuracy.
* feat: Implement new features for Claude Opus 4.6 model
- Added support for tiered pricing based on input token count for the Claude Opus 4.6 model.
- Updated token value calculations to include inputTokenCount for accurate pricing.
- Enhanced transaction handling to apply premium rates when input tokens exceed defined thresholds.
- Introduced comprehensive tests to validate pricing logic for both standard and premium rates across various scenarios.
- Updated related utility functions and models to accommodate new pricing structure.
This change improves the flexibility and accuracy of token pricing for the Claude Opus 4.6 model, ensuring users are charged appropriately based on their usage.
* feat: Add effort field to conversation and preset schemas
- Introduced a new optional `effort` field of type `String` in both the `IPreset` and `IConversation` interfaces.
- Updated the `conversationPreset` schema to include the `effort` field, enhancing the data structure for better context management.
* chore: Clean up unused variable and comments in initialize function
* chore: update dependencies and SDK versions
- Updated @anthropic-ai/sdk to version 0.73.0 in package.json and overrides.
- Updated @anthropic-ai/vertex-sdk to version 0.14.3 in packages/api/package.json.
- Updated @librechat/agents to version 3.1.34 in packages/api/package.json.
- Refactored imports in packages/api/src/endpoints/anthropic/vertex.ts for consistency.
* chore: remove postcss-loader from dependencies
* feat: Bedrock model support for adaptive thinking configuration
- Updated .env.example to include new Bedrock model IDs for Claude Opus 4.6.
- Refactored bedrockInputParser to support adaptive thinking for Opus models, allowing for dynamic thinking configurations.
- Introduced a new function to check model compatibility with adaptive thinking.
- Added an optional `effort` field to the input schemas and updated related configurations.
- Enhanced tests to validate the new adaptive thinking logic and model configurations.
* feat: Add tests for Opus 4.6 adaptive thinking configuration
* feat: Update model references for Opus 4.6 by removing version suffix
* feat: Update @librechat/agents to version 3.1.35 in package.json and package-lock.json
* chore: @librechat/agents to version 3.1.36 in package.json and package-lock.json
* feat: Normalize inputTokenCount for spendTokens and enhance transaction handling
- Introduced normalization for promptTokens to ensure inputTokenCount does not go negative.
- Updated transaction logic to reflect normalized inputTokenCount in pricing calculations.
- Added comprehensive tests to validate the new normalization logic and its impact on transaction rates for both standard and premium models.
- Refactored related functions to improve clarity and maintainability of token value calculations.
* chore: Simplify adaptive thinking configuration in helpers.ts
- Removed unnecessary type casting for the thinking property in updatedOptions.
- Ensured that adaptive thinking is directly assigned when conditions are met, improving code clarity.
* refactor: Replace hard-coded token values with dynamic retrieval from maxTokensMap in model tests
* fix: Ensure non-negative token values in spendTokens calculations
- Updated token value retrieval to use Math.max for prompt and completion tokens, preventing negative values.
- Enhanced clarity in token calculations for both prompt and completion transactions.
* test: Add test for normalization of negative structured token values in spendStructuredTokens
- Implemented a test to ensure that negative structured token values are normalized to zero during token spending.
- Verified that the transaction rates remain consistent with the expected standard values after normalization.
* refactor: Bedrock model support for adaptive thinking and context handling
- Added tests for various alternate naming conventions of Claude models to validate adaptive thinking and context support.
- Refactored `supportsAdaptiveThinking` and `supportsContext1m` functions to utilize new parsing methods for model version extraction.
- Updated `bedrockInputParser` to handle effort configurations more effectively and strip unnecessary fields for non-adaptive models.
- Improved handling of anthropic model configurations in the input parser.
* fix: Improve token value retrieval in getMultiplier function
- Updated the token value retrieval logic to use optional chaining for better safety against undefined values.
- Added a test case to ensure that the function returns the default rate when the provided valueKey does not exist in tokenValues.
* chore: linting image context file
* refactor: Event Emission with Async Handling for Redis Ordering
- Updated emitEvent and related functions to be async, ensuring proper event ordering in Redis mode.
- Refactored multiple handlers to await emitEvent calls, improving reliability for streaming deltas.
- Enhanced GenerationJobManager to await chunk emissions, critical for maintaining sequential event delivery.
- Added tests to verify that events are delivered in strict order when using Redis, addressing previous issues with out-of-order messages.
* refactor: Clear Pending Buffers and Timeouts in RedisEventTransport
- Enhanced the cleanup process in RedisEventTransport by ensuring that pending messages and flush timeouts are cleared when the last subscriber unsubscribes.
- Updated the destroy method to also clear pending messages and flush timeouts for all streams, improving resource management and preventing memory leaks.
* refactor: Update Event Emission to Async for Improved Ordering
- Refactored GenerationJobManager and RedisEventTransport to make emitDone and emitError methods async, ensuring proper event ordering in Redis mode.
- Updated all relevant calls to await these methods, enhancing reliability in event delivery.
- Adjusted tests to verify that events are processed in the correct sequence, addressing previous issues with out-of-order messages.
* refactor: Adjust RedisEventTransport for 0-Indexed Sequence Handling
- Updated sequence handling in RedisEventTransport to be 0-indexed, ensuring consistency across event emissions and buffer management.
- Modified integration tests to reflect the new sequence logic, improving the accuracy of event processing and delivery order.
- Enhanced comments for clarity on sequence management and terminal event handling.
* chore: Add Redis dump file to .gitignore
- Included dump.rdb in .gitignore to prevent accidental commits of Redis database dumps, enhancing repository cleanliness and security.
* test: Increase wait times in RedisEventTransport integration tests for CI stability
- Adjusted wait times for subscription establishment and event propagation from 100ms and 200ms to 500ms to improve reliability in CI environments.
- Enhanced code readability by formatting promise resolution lines for better clarity.
* 🔧 refactor: Update permissions handling in updateInterfacePermissions function
- Removed explicit SHARE and SHARE_PUBLIC permissions for PROMPTS when prompts are true, simplifying the permission logic.
- Adjusted the permissions structure to conditionally include SHARE and SHARE_PUBLIC based on the type of interface configuration, enhancing maintainability and clarity in permission management.
- Updated related tests to reflect the changes in permission handling for consistency and accuracy.
* 🔧 refactor: Enhance permission configuration in updateInterfacePermissions
- Introduced a new `create` property in the permission configuration object to improve flexibility in permission management.
- Updated helper functions to accommodate the new `create` property, ensuring backward compatibility with existing boolean configurations.
- Adjusted default values for prompts and agents to include the new `create` property, enhancing the overall permission structure.
* 🧪 test: Add regression tests for SHARE/SHARE_PUBLIC permission handling
- Introduced tests to ensure existing SHARE and SHARE_PUBLIC values are preserved when using boolean configuration for agents.
- Added validation to confirm that SHARE and SHARE_PUBLIC are included in the update payload when using object configuration, enhancing the accuracy of permission management.
- These tests address potential regressions and improve the robustness of the permission handling logic in the updateInterfacePermissions function.
* fix: accessing undefined regex
- Moved the creation of the domainSeparatorRegex to the beginning of the loadToolDefinitionsWrapper function for improved clarity and performance.
- Removed redundant regex initialization within the function's loop, enhancing code efficiency and maintainability.
* 🧪 test: Enhance regression tests for SHARE/SHARE_PUBLIC permission handling
- Added a new test to ensure that SHARE and SHARE_PUBLIC permissions are preserved when using object configuration without explicit share/public keys.
- Updated existing tests to validate the inclusion of SHARE and SHARE_PUBLIC in the update payload when using object configuration, improving the robustness of permission management.
- Adjusted the updateInterfacePermissions function to conditionally include SHARE and SHARE_PUBLIC based on the presence of share/public keys in the configuration, enhancing clarity and maintainability.
* 🔧 refactor: Update permission handling in updateInterfacePermissions
- Simplified the logic for including CREATE, SHARE, and SHARE_PUBLIC permissions in the update payload based on the presence of corresponding keys in the configuration object.
- Adjusted tests to reflect the changes, ensuring that only the USE permission is updated when existing permissions are present, preserving the database values for CREATE, SHARE, and SHARE_PUBLIC.
- Enhanced clarity in comments to better explain the permission management logic.
* fix: Web Search + Image Gen Tool Context
- Added `buildWebSearchContext` function to create a structured context for web search tools, including citation format instructions.
- Updated `loadTools` and `loadToolDefinitionsWrapper` functions to utilize the new web search context, improving tool initialization and response handling.
- Introduced logic to handle image editing tools with `buildImageToolContext`, enhancing the overall tool management capabilities.
- Refactored imports in `ToolService.js` to include the new context builders for better organization and maintainability.
* fix: Trim critical output escape sequence instructions in web toolkit
- Updated the critical output escape sequence instructions in the web toolkit to include a `.trim()` method, ensuring that unnecessary whitespace is removed from the output. This change enhances the consistency and reliability of the generated output.
* ✨ test: Add MCP tool definitions tests for server name variants
- Introduced new test cases for loading MCP tools with underscored and hyphenated server names, ensuring correct functionality and handling of tool definitions.
- Validated that the tool definitions are loaded accurately based on different server name formats, enhancing test coverage for the MCP tool integration.
- Included assertions to verify the expected behavior and properties of the loaded tools, improving reliability and maintainability of the tests.
* refactor: useStepHandler to support additional delta events and buffer management
- Added support for Agents.ReasoningDeltaEvent and Agents.RunStepDeltaEvent in the TStepEvent type.
- Introduced a pendingDeltaBuffer to store deltas that arrive before their corresponding run step, ensuring they are processed in the correct order.
- Updated event handling to buffer deltas when no corresponding run step is found, improving the reliability of message processing.
- Cleared the pendingDeltaBuffer during cleanup to prevent memory leaks.
- Bumped the version of @librechat/agents to 3.1.32 across multiple package.json and package-lock.json files to ensure compatibility and access to the latest features.
- This update enhances the functionality and stability of the application by integrating the latest improvements from the @librechat/agents package.
* fix: Implement single-flight deduplication for getAllServerConfigs and optimize Redis getAll method
- Added a pending promises map in MCPServersRegistry to handle concurrent calls to getAllServerConfigs, ensuring that multiple requests for the same userId are deduplicated.
- Introduced a new fetchAllServerConfigs method to streamline the fetching process and improve performance.
- Enhanced the getAll method in ServerConfigsCacheRedis to utilize MGET for batch fetching, significantly reducing Redis roundtrips and improving efficiency.
- Added comprehensive tests for deduplication and performance optimizations, ensuring consistent results across concurrent calls and validating the new implementation.
* refactor: Enhance logging in ServerConfigsCacheRedis for getAll method
- Added debug logging to track the execution time and key retrieval in the getAll method of ServerConfigsCacheRedis.
- Improved import organization by consolidating related imports for better clarity and maintainability.
* test: Update MCPServersRegistry and ServerConfigsCacheRedis tests for call count assertions
- Modified MCPServersRegistry integration tests to assert specific call counts for cache retrieval, ensuring accurate tracking of Redis interactions.
- Refactored ServerConfigsCacheRedis integration tests to rename the test suite for clarity and improved focus on parallel fetching optimizations.
- Enhanced the getAll method in ServerConfigsCacheRedis to utilize batching for improved performance during key retrieval.
* chore: Simplify key extraction in ServerConfigsCacheRedis
- Streamlined the key extraction logic in the getAll method of ServerConfigsCacheRedis by consolidating the mapping function into a single line, enhancing code readability and maintainability.
* Add files via upload
add more padding to maskable icon
* add more padding to maskable icon
Added more padding to maskable icon, since it's broken on one ui 8 phone.
* refactor: Reorganize imports in MCPTools component
- Updated import statements in MCPTools.tsx for improved clarity and maintainability.
- Moved `useAgentPanelContext` import above others and adjusted the order of `PermissionTypes` and `Permissions` imports to enhance readability.
* chore: imports
* refactor: Update MCPToolItem component props and styles
- Added new props: onToggleDefer, onToggleSelect, and onToggleProgrammatic for improved functionality.
- Adjusted class names for DropdownMenuLabel and text spans to enhance visual consistency and clarity.
- Increased width of DropdownMenuContent for better layout.
* refactor: Update DropdownMenu styles for improved visual consistency
- Changed background color of DropdownMenuContent and DropdownMenuSubContent from secondary to primary for better alignment with design standards.
- Updated text color to ensure readability against the new background, enhancing overall user experience.
* refactor: Update Mention component styles and interaction handling
- Increased ROW_HEIGHT in Mention and PromptsCommand components for improved layout consistency.
- Enhanced MentionItem component with touch event handling to improve mobile interaction experience.
- Updated button styles to ensure better visual alignment and responsiveness.
* refactor: Enhance MentionItem component event handling and button attributes
- Updated the onClick prop type in MentionItem to support both mouse and touch events, improving mobile interaction.
- Added a button type attribute for better accessibility and compliance with HTML standards.
- Refined event handling to ensure consistent behavior across different input methods.
* refactor: Add button type attribute to MentionItem for improved accessibility
- Added a type="button" attribute to the MentionItem component to enhance accessibility and compliance with HTML standards.
- This change ensures better interaction behavior across different input methods.
* refactor: Simplify MentionItem event handling for improved clarity
- Removed touch event handling from the MentionItem component, streamlining the onClick prop to only accept mouse events.
- This change simplifies the interaction logic, enhancing maintainability while retaining functionality for mouse interactions.
* 📦 chore: Update @librechat/agents to v3.1.31
- Bumped the version of @librechat/agents across multiple package.json and package-lock.json files to ensure compatibility and access to the latest features.
- This update enhances the functionality and stability of the application by integrating the latest improvements from the @librechat/agents package.
* 📦 chore: npm audit fix - Update @isaacs/brace-expansion to v5.0.1 in package-lock.json
- Bumped the version of @isaacs/brace-expansion to 5.0.1 to incorporate the latest improvements and fixes.
- This update ensures compatibility with the latest features and enhances the stability of the application.
- Removed `forcePrompt` parameter from various configuration files including `librechat.example.yaml`, `initialize.js`, `values.yaml`, and `initialize.ts`.
- This change simplifies the configuration by eliminating unused options, enhancing clarity and maintainability across the codebase.
* ✨ feat: Add Moonshot Provider Support
- Updated the `isKnownCustomProvider` function to include `Providers.MOONSHOT` in the list of recognized custom providers.
- Enhanced the `providerConfigMap` to initialize `MOONSHOT` with the custom initialization function.
- Introduced `MoonshotIcon` component for visual representation in the UI, integrated into the `UnknownIcon` component.
- Updated various files across the API and client to support the new `MOONSHOT` provider, including configuration and response handling.
This update expands the capabilities of the application by integrating support for the Moonshot provider, enhancing both backend and frontend functionalities.
* ✨ feat: Add Moonshot/Kimi Model Pricing and Tests
- Introduced new pricing configurations for Moonshot and Kimi models in `tx.js`, including various model variations and their respective prompt and completion values.
- Expanded unit tests in `tx.spec.js` and `tokens.spec.js` to validate pricing and token limits for the newly added Moonshot/Kimi models, ensuring accurate calculations and handling of model variations.
- Updated utility functions to support the new model structures and ensure compatibility with existing functionalities.
This update enhances the pricing model capabilities and improves test coverage for the Moonshot/Kimi integration.
* ✨ feat: Enhance Token Pricing Documentation and Configuration
- Added comprehensive documentation for token pricing configuration in `tx.js` and `tokens.ts`, emphasizing the importance of key ordering for pattern matching.
- Clarified the process for defining base and specific patterns to ensure accurate pricing retrieval based on model names.
- Improved code comments to guide future additions of model families, enhancing maintainability and understanding of the pricing structure.
This update improves the clarity and usability of the token pricing configuration, facilitating better integration and future enhancements.
* chore: import order
* chore: linting
* fix: Execute code files not visible in event-driven mode
Fixes regression from #11588 where primeResources became non-mutating
but callers weren't updated to use returned values.
Changes:
- Add tool_resources to InitializedAgent type and return object
- Prime execute_code files in loadToolDefinitionsWrapper
- Pass tool_resources to loadToolDefinitionsWrapper
- Capture and return toolContextMap from loadToolsForExecution
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: Reorganize imports and enhance tool loading logic in ToolService.js
- Moved domainSeparatorRegex declaration to a more appropriate location for clarity.
- Reorganized import statements for better readability and maintainability.
- Removed unused variables and streamlined the loadToolsForExecution function by eliminating the regularToolContextMap, improving performance and code clarity.
- Updated loadActionToolsForExecution to ensure consistent handling of domain separator regex.
This refactor improves the overall structure and efficiency of the ToolService module.
* fix: file search tool priming in loadToolDefinitionsWrapper
- Added functionality to prime file search tools within the loadToolDefinitionsWrapper function, enhancing the tool context map for event-driven mode.
- Implemented error handling for the file search priming process to improve robustness and logging.
- Updated the tool context map to include the newly primed file search tool, ensuring it is available for subsequent operations.
This enhancement improves the tool loading capabilities by incorporating file search tools, facilitating better integration and functionality in the application.
* chore: import order
* refactor: Update agent initialization structure for improved clarity and functionality
- Rearranged properties in the InitializedAgent object to enhance readability and maintainability.
- Moved toolRegistry to the correct position and ensured tools and attachments are set appropriately.
- This refactor improves the overall structure of the agent initialization process, facilitating better integration and future enhancements.
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Danny Avila <danny@librechat.ai>
- Bumped versions of several AWS SDK packages in package-lock.json and package.json to ensure compatibility and access to the latest features.
- Updated @librechat/agents to version 3.1.30 across multiple package.json files for improved functionality.
- Added fast-xml-parser dependency in package.json for enhanced XML parsing capabilities.
- Adjusted various AWS SDK dependencies to their latest versions, improving performance and security.
This update ensures that the project utilizes the most recent and stable versions of its dependencies, enhancing overall reliability and functionality.
* feat: MCP Tool Functionality with Tool Options Management
- Introduced `MCPToolItem` component for better handling of individual tool options, including selection, deferral, and programmatic invocation.
- Added `useMCPToolOptions` hook to manage tool options state, enabling deferred loading and programmatic calling for tools.
- Updated `MCPTool` component to integrate new tool options management, improving user interaction with tool selection and settings.
- Enhanced localization support for new tool options in translation files.
This update streamlines the management of MCP tools, allowing for more flexible configurations and improved user experience.
* feat: MCP Tool UI for Programmatic Tools
- Added support for programmatic tools in the MCPTool and MCPToolItem components, allowing for conditional rendering based on the availability of programmatic capabilities.
- Updated the useAgentCapabilities hook to include programmaticToolsEnabled, enhancing the capability checks for agents.
- Enhanced unit tests for useAgentCapabilities to validate the new programmatic tools functionality.
- Improved localization for programmatic tool descriptions, ensuring clarity in user interactions.
This update improves the flexibility and usability of the MCP Tool, enabling users to leverage programmatic tools effectively.
* fix: Update localization for MCP Tool UI
- Removed outdated descriptions for programmatic tool interactions in the translation file.
- Enhanced clarity in user-facing text for tool options, ensuring accurate representation of functionality.
This update improves the user experience by providing clearer instructions and descriptions for programmatic tools in the MCP Tool UI.
* chore: ESLint fix
* feat: Add unit tests for useMCPToolOptions hook
- Introduced comprehensive tests for the useMCPToolOptions hook, covering functionalities such as tool deferral and programmatic calling.
- Implemented tests for toggling tool options, ensuring correct state management and preservation of existing configurations.
- Enhanced mock implementations for useFormContext and useWatch to facilitate testing scenarios.
This update improves test coverage and reliability for the MCP Tool options management, ensuring robust validation of expected behaviors.
* fix: Adjust gap spacing in MCPToolItem component
- Updated the gap spacing in the MCPToolItem component from 1 to 1.5 for improved layout consistency.
- This change enhances the visual alignment of icons and text within the component, contributing to a better user interface experience.
* fix: Comment out programmatic tools in default agent capabilities
- Commented out the inclusion of programmatic_tools in the defaultAgentCapabilities array, as it requires the latest Code Interpreter API.
- This change ensures compatibility and prevents potential issues until the necessary API updates are integrated.
