@exulu/backend 1.58.0 → 1.60.0

package/dist/index.js

@@ -2,18 +2,22 @@ import {
   ExuluContext,
   ExuluStorage,
   ExuluTool,
+  ResolveModelError,
   STATISTICS_TYPE_ENUM,
   applyAccessControl,
   applyFilters,
   applySorting,
   authentication,
+  buildTags,
   checkLicense,
+  checkRecordAccess,
   convertContextToTableDefinition,
   convertExuluToolsToAiSdkTools,
   copyS3Object,
   coreSchemas,
   createAgenticRetrievalToolV3,
   createProjectItemsRetrievalTool,
+  createTaggedFetch,
   createUppyRoutes,
   deleteS3Object,
   downloadKeyIntoSandbox,
@@ -26,18 +30,26 @@ import {
   getS3SignedUploadUrl,
   getTableName,
   getToken,
+  isLiteLLMEnabled,
   listS3ObjectsByPrefix,
   mapType,
   postgresClient,
   reportSystemDependencies,
+  resolveModel,
   sanitizeName,
   sanitizeToolName,
+  setLiteLLMPackageRoot,
+  startLiteLLMSupervisor,
   trajectoryRegistry,
   updateStatistic,
   uploadFile,
   vectorSearch,
+  waitForLiteLLMReady,
   withRetry
-} from "./chunk-RVLZ5EL3.js";
+} from "./chunk-23YNGK3V.js";
+import {
+  findLiteLLMModel
+} from "./chunk-YS27XOXI.js";
 
 // src/index.ts
 import "dotenv/config";
@@ -267,71 +279,15 @@ import { makeExecutableSchema } from "@graphql-tools/schema";
 import GraphQLJSON from "graphql-type-json";
 import cron from "cron-validator";
 
-// src/utils/check-record-access.ts
-var checkRecordAccessCache = /* @__PURE__ */ new Map();
-var checkRecordAccess = async (record, request, user) => {
-  const setRecordAccessCache = (hasAccess2) => {
-    checkRecordAccessCache.set(`${record.id}-${request}-${user?.id}`, {
-      hasAccess: hasAccess2,
-      expiresAt: new Date(Date.now() + 1e3 * 60 * 1)
-      // 1 minute
-    });
-  };
-  const cachedAccess = checkRecordAccessCache.get(`${record.id}-${request}-${user?.id}`);
-  if (cachedAccess && cachedAccess.expiresAt > /* @__PURE__ */ new Date()) {
-    return cachedAccess.hasAccess;
-  }
-  const isPublic = record.rights_mode === "public";
-  const byUsers = record.rights_mode === "users";
-  const byRoles = record.rights_mode === "roles";
-  const createdBy = typeof record.created_by === "string" ? record.created_by : record.created_by?.toString();
-  const isCreator = user ? createdBy === user.id.toString() : false;
-  const isAdmin = user ? user.super_admin : false;
-  const isApi = user ? user.type === "api" : false;
-  const isAdminApi = isApi && (!user.scope_mode || user.scope_mode === "admin");
-  const isAgentsScopedApi = isApi && user.scope_mode === "agents" && request === "read" && Array.isArray(user.agent_ids) && user.agent_ids.includes(String(record.id));
-  let hasAccess = "none";
-  if (isPublic || isCreator || isAdmin || isAdminApi || isAgentsScopedApi) {
-    setRecordAccessCache(true);
-    return true;
-  }
-  if (byUsers) {
-    if (!user) {
-      setRecordAccessCache(false);
-      return false;
-    }
-    hasAccess = record.RBAC?.users?.find((x) => x.id === user.id)?.rights || "none";
-    if (!hasAccess || hasAccess === "none" || hasAccess !== request) {
-      console.error(
-        `[EXULU] Your current user ${user.id} does not have access to this record, current access type is: ${hasAccess}.`
-      );
-      setRecordAccessCache(false);
-      return false;
-    } else {
-      setRecordAccessCache(true);
-      return true;
-    }
-  }
-  if (byRoles) {
-    if (!user) {
-      setRecordAccessCache(false);
-      return false;
-    }
-    hasAccess = record.RBAC?.roles?.find((x) => x.id === user.role?.id)?.rights || "none";
-    if (!hasAccess || hasAccess === "none" || hasAccess !== request) {
-      console.error(
-        `[EXULU] Your current role ${user.role?.name} does not have access to this record, current access type is: ${hasAccess}.`
-      );
-      setRecordAccessCache(false);
-      return false;
-    } else {
-      setRecordAccessCache(true);
-      return true;
-    }
-  }
-  setRecordAccessCache(false);
-  return false;
-};
+// src/exulu/resolve-agent-provider.ts
+async function resolveAgentProvider(agent, providers) {
+  if (isLiteLLMEnabled()) return void 0;
+  if (!agent.model) return void 0;
+  const { db } = await postgresClient();
+  const modelRow = await db.from("models").where({ id: agent.model }).first();
+  if (!modelRow?.provider) return void 0;
+  return providers.find((p) => p.id === modelRow.provider);
+}
 
 // ee/queues/queues.ts
 import { Queue } from "bullmq";
@@ -577,15 +533,26 @@ var exuluProviderFields = [
 
 // src/graphql/utilities/sanitize-and-hydrate-fields.ts
 var addProviderFields = async (args, requestedFields, providers, result, tools, user, contexts, rerankers) => {
-  let provider = providers.find((a) => a.id === result?.provider);
+  let provider;
+  let modelRow;
+  let litellmEntry;
+  if (isLiteLLMEnabled() && result?.model) {
+    litellmEntry = await findLiteLLMModel(result.model);
+  } else if (result?.model) {
+    const { db } = await postgresClient();
+    modelRow = await db.from("models").where({ id: result.model }).first();
+    if (modelRow?.provider) {
+      provider = providers.find((a) => a.id === modelRow.provider);
+    }
+  }
   if (requestedFields.includes("providerName")) {
-    result.providerName = provider?.providerName || "";
+    result.providerName = isLiteLLMEnabled() ? "LiteLLM" : provider?.providerName || "";
   }
   if (requestedFields.includes("modelName")) {
-    result.modelName = provider?.modelName || "";
+    result.modelName = isLiteLLMEnabled() ? result?.model ?? "" : modelRow?.name || provider?.modelName || "";
   }
   if (requestedFields.includes("slug")) {
-    result.slug = provider?.slug || "";
+    result.slug = isLiteLLMEnabled() ? "/agents/litellm/run" : provider?.slug || "";
   }
   if (requestedFields.includes("rateLimit")) {
     result.rateLimit = provider?.rateLimit || "";
@@ -594,9 +561,9 @@ var addProviderFields = async (args, requestedFields, providers, result, tools,
     if (result.tools) {
       result.tools = await Promise.all(
         result.tools.map(
-          async (tool) => {
+          async (tool2) => {
             let hydrated;
-            if (tool.id === "agentic_context_search") {
+            if (tool2.id === "agentic_context_search") {
               const instance = createAgenticRetrievalToolV3({
                 contexts: [],
                 rerankers: [],
@@ -612,38 +579,60 @@ var addProviderFields = async (args, requestedFields, providers, result, tools,
                 name: instance.name,
                 description: instance.description,
                 category: instance.category,
-                config: tool.config
+                config: tool2.config
               };
             }
-            if (tool.type === "agent") {
-              if (tool.id === result.id) {
+            if (tool2.type === "agent") {
+              if (tool2.id === result.id) {
                 return null;
               }
-              const instance = await exuluApp.get().agent(tool.id);
+              const instance = await exuluApp.get().agent(tool2.id);
               if (!instance) {
                 throw new Error(
-                  "Trying to load a tool of type 'agent', but the associated agent with id " + tool.id + " was not found in the database."
+                  "Trying to load a tool of type 'agent', but the associated agent with id " + tool2.id + " was not found in the database."
                 );
               }
-              const provider2 = providers.find((a) => a.id === instance.provider);
-              if (!provider2) {
+              if (!instance.model) {
                 throw new Error(
-                  "Trying to load a tool of type 'agent', but the associated agent with id " + tool.id + " does not have a provider set for it."
+                  "Trying to load a tool of type 'agent', but the associated agent with id " + tool2.id + " does not have a model set for it."
                 );
               }
               const hasAccessToAgent = await checkRecordAccess(instance, "read", user);
               if (!hasAccessToAgent) {
                 return null;
               }
-              hydrated = await provider2.tool(instance.id, providers, contexts, rerankers);
+              if (isLiteLLMEnabled()) {
+                hydrated = {
+                  id: instance.id,
+                  name: instance.name,
+                  description: `This tool calls an agent named: ${instance.name}. The agent does the following: ${instance.description ?? ""}.`,
+                  type: "agent",
+                  category: "agents"
+                };
+              } else {
+                const { db } = await postgresClient();
+                const innerModelRow = await db.from("models").where({ id: instance.model }).first();
+                const provider2 = innerModelRow?.provider ? providers.find((a) => a.id === innerModelRow.provider) : void 0;
+                if (!provider2) {
+                  throw new Error(
+                    "Trying to load a tool of type 'agent', but the model referenced by agent with id " + tool2.id + " does not point at a registered ExuluProvider."
+                  );
+                }
+                hydrated = await provider2.tool(
+                  instance.id,
+                  providers,
+                  contexts,
+                  rerankers
+                );
+              }
             } else {
-              hydrated = tools.find((t) => t.id === tool.id);
+              hydrated = tools.find((t) => t.id === tool2.id);
             }
             const hydratedTool = {
-              ...tool,
+              ...tool2,
               name: hydrated?.name || "",
               description: hydrated?.description || "",
-              category: tool?.category || "default"
+              category: tool2?.category || "default"
             };
             console.log("[EXULU] hydratedTool", hydratedTool);
             return hydratedTool;
@@ -661,28 +650,42 @@ var addProviderFields = async (args, requestedFields, providers, result, tools,
           result.tools.unshift(projectTool);
         }
       }
-      result.tools = result.tools.filter((tool) => tool !== null);
+      result.tools = result.tools.filter((tool2) => tool2 !== null);
     } else {
       result.tools = [];
     }
   }
   if (requestedFields.includes("streaming")) {
-    result.streaming = provider?.streaming || false;
+    result.streaming = isLiteLLMEnabled() ? true : provider?.streaming || false;
   }
   if (requestedFields.includes("capabilities")) {
-    result.capabilities = provider?.capabilities || [];
+    if (isLiteLLMEnabled()) {
+      result.capabilities = {
+        text: true,
+        images: litellmEntry?.supports_vision ? [".png", ".jpg", ".jpeg", ".webp", ".gif"] : [],
+        files: litellmEntry?.supports_pdf_input ? [".pdf"] : [],
+        audio: litellmEntry?.supports_audio_input ? [".mp3", ".wav", ".m4a"] : [],
+        video: []
+      };
+    } else {
+      result.capabilities = provider?.capabilities || [];
+    }
   }
   if (requestedFields.includes("maxContextLength")) {
-    result.maxContextLength = provider?.maxContextLength || 0;
+    if (isLiteLLMEnabled()) {
+      result.maxContextLength = litellmEntry?.max_input_tokens ?? litellmEntry?.max_tokens ?? 0;
+    } else {
+      result.maxContextLength = provider?.maxContextLength || 0;
+    }
   }
   if (requestedFields.includes("authenticationInformation")) {
-    result.authenticationInformation = provider?.authenticationInformation || "";
+    result.authenticationInformation = isLiteLLMEnabled() ? "" : provider?.authenticationInformation || "";
   }
   if (requestedFields.includes("provider")) {
-    result.provider = provider?.provider || "";
+    result.provider = isLiteLLMEnabled() ? "litellm" : provider?.provider || "";
   }
   if (requestedFields.includes("systemInstructions")) {
-    result.systemInstructions = provider?.config?.instructions || void 0;
+    result.systemInstructions = isLiteLLMEnabled() ? void 0 : provider?.config?.instructions || void 0;
   }
   if (!requestedFields.includes("provider")) {
     delete result.provider;
@@ -690,7 +693,7 @@ var addProviderFields = async (args, requestedFields, providers, result, tools,
   if (requestedFields.includes("workflows")) {
     let enabled = false;
     let queueName = void 0;
-    if (provider?.workflows) {
+    if (!isLiteLLMEnabled() && provider?.workflows) {
       enabled = provider?.workflows?.enabled || false;
       if (provider?.workflows?.queue) {
         const queue = await provider?.workflows?.queue;
@@ -859,7 +862,7 @@ var itemsPaginationRequest = async ({
 };
 var removeProviderFields = (requestedFields) => {
   const filtered = requestedFields.filter((field) => !exuluProviderFields.includes(field));
-  filtered.push("provider");
+  filtered.push("model");
   return filtered;
 };
 var sanitizeRequestedFields = (table, requestedFields) => {
@@ -2167,7 +2170,7 @@ var getEnabledTools = async (agent, allExuluTools, allContexts, allRerankers, di
   }
   console.log("[EXULU] available tools", enabledTools?.length);
   console.log("[EXULU] disabled tools", disabledTools?.length);
-  enabledTools = enabledTools.filter((tool) => !disabledTools.includes(tool.id));
+  enabledTools = enabledTools.filter((tool2) => !disabledTools.includes(tool2.id));
   return enabledTools;
 };
 
@@ -2175,7 +2178,7 @@ var getEnabledTools = async (agent, allExuluTools, allContexts, allRerankers, di
 import "@opentelemetry/api";
 import { v4 as uuidv4 } from "uuid";
 import "ai";
-import CryptoJS2 from "crypto-js";
+import "crypto-js";
 var redisConnection;
 var unhandledRejectionHandlerInstalled = false;
 var poolMonitoringInterval;
@@ -2312,7 +2315,7 @@ var createWorkers = async (providers, queues2, config, contexts, rerankers, eval
             );
             if (attempt < retries) {
               const backoffMs = 500 * Math.pow(2, attempt - 1);
-              await new Promise((resolve3) => setTimeout(resolve3, backoffMs));
+              await new Promise((resolve4) => setTimeout(resolve4, backoffMs));
             }
           }
         }
@@ -2516,7 +2519,7 @@ var createWorkers = async (providers, queues2, config, contexts, rerankers, eval
               } = await validateWorkflowPayload(data, providers);
               const retries2 = 3;
               let attempts = 0;
-              const promise = new Promise(async (resolve3, reject) => {
+              const promise = new Promise(async (resolve4, reject) => {
                 while (attempts < retries2) {
                   try {
                     const messages2 = await processUiMessagesFlow({
@@ -2531,7 +2534,7 @@ var createWorkers = async (providers, queues2, config, contexts, rerankers, eval
                       config,
                       variables: data.inputs
                     });
-                    resolve3(messages2);
+                    resolve4(messages2);
                     break;
                   } catch (error) {
                     console.error(
@@ -2542,7 +2545,7 @@ var createWorkers = async (providers, queues2, config, contexts, rerankers, eval
                     if (attempts >= retries2) {
                       reject(new Error(error instanceof Error ? error.message : String(error)));
                     }
-                    await new Promise((resolve4) => setTimeout((resolve5) => resolve5(true), 2e3));
+                    await new Promise((resolve5) => setTimeout((resolve6) => resolve6(true), 2e3));
                   }
                 }
               });
@@ -2592,7 +2595,7 @@ var createWorkers = async (providers, queues2, config, contexts, rerankers, eval
               } = await validateEvalPayload(data, providers);
               const retries2 = 3;
               let attempts = 0;
-              const promise = new Promise(async (resolve3, reject) => {
+              const promise = new Promise(async (resolve4, reject) => {
                 while (attempts < retries2) {
                   try {
                     const messages2 = await processUiMessagesFlow({
@@ -2606,7 +2609,7 @@ var createWorkers = async (providers, queues2, config, contexts, rerankers, eval
                       tools,
                       config
                     });
-                    resolve3(messages2);
+                    resolve4(messages2);
                     break;
                   } catch (error) {
                     console.error(
@@ -2617,7 +2620,7 @@ var createWorkers = async (providers, queues2, config, contexts, rerankers, eval
                     if (attempts >= retries2) {
                       reject(new Error(error instanceof Error ? error.message : String(error)));
                     }
-                    await new Promise((resolve4) => setTimeout((resolve5) => resolve5(true), 2e3));
+                    await new Promise((resolve5) => setTimeout((resolve6) => resolve6(true), 2e3));
                   }
                 }
               });
@@ -3092,7 +3095,7 @@ var pollJobResult = async ({
     attempts++;
     const job = await Job.fromId(queue.queue, jobId);
     if (!job) {
-      await new Promise((resolve3) => setTimeout((resolve4) => resolve4(true), 2e3));
+      await new Promise((resolve4) => setTimeout((resolve5) => resolve5(true), 2e3));
       continue;
     }
     const elapsedTime = Date.now() - startTime;
@@ -3122,7 +3125,7 @@ var pollJobResult = async ({
       console.log(`[EXULU] eval function ${job.id} result: ${result}`);
       break;
     }
-    await new Promise((resolve3) => setTimeout(() => resolve3(true), 2e3));
+    await new Promise((resolve4) => setTimeout(() => resolve4(true), 2e3));
   }
   return result;
 };
@@ -3158,27 +3161,19 @@ var processUiMessagesFlow = async ({
     "[EXULU] enabled tools",
     enabledTools?.map((x) => x.name + " (" + x.id + ")")
   );
-  const variableName = agent.providerapikey;
-  const { db } = await postgresClient();
-  let providerapikey;
-  if (variableName) {
-    const variable = await db.from("variables").where({ name: variableName }).first();
-    if (!variable) {
-      throw new Error(
-        `Provider API key variable not found for agent ${agent.name} (${agent.id}).`
-      );
-    }
-    providerapikey = variable.value;
-    if (!variable.encrypted) {
-      throw new Error(
-        `Provider API key variable not encrypted for agent ${agent.name} (${agent.id}), for security reasons you are only allowed to use encrypted variables for provider API keys.`
-      );
-    }
-    if (variable.encrypted) {
-      const bytes = CryptoJS2.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
-      providerapikey = bytes.toString(CryptoJS2.enc.Utf8);
-    }
+  if (!agent.model) {
+    throw new Error(
+      `Agent ${agent.name} (${agent.id}) has no model configured.`
+    );
   }
+  const resolved = await resolveModel({
+    modelId: agent.model,
+    user,
+    providers,
+    agent: { id: agent.id }
+  });
+  const providerapikey = resolved.apiKey;
+  const resolvedLanguageModel = resolved.languageModel;
   const messagesWithoutPlaceholder = inputMessages.filter(
     (message) => message.metadata?.type !== "placeholder"
   );
@@ -3208,18 +3203,18 @@ var processUiMessagesFlow = async ({
         const text = part.text;
         const variableNames = [...text.matchAll(/{([^}]+)}/g)].map((match) => match[1]);
         if (variableNames) {
-          for (const variableName2 of variableNames) {
-            if (!variableName2) {
+          for (const variableName of variableNames) {
+            if (!variableName) {
               continue;
             }
-            console.log("[EXULU] variableName", variableName2);
-            const variableValue = variables?.[variableName2];
+            console.log("[EXULU] variableName", variableName);
+            const variableValue = variables?.[variableName];
             console.log("[EXULU] variableValue", variableValue);
             if (variableValue) {
-              part.text = part.text.replaceAll(`{${variableName2}}`, variableValue);
+              part.text = part.text.replaceAll(`{${variableName}}`, variableValue);
             } else {
               throw new Error(
-                `Value for variable ${variableName2} not provided in variables for processing message flow. Either remove it from the messages, or provide it as an argument.`
+                `Value for variable ${variableName} not provided in variables for processing message flow. Either remove it from the messages, or provide it as an argument.`
               );
             }
           }
@@ -3230,7 +3225,7 @@ var processUiMessagesFlow = async ({
       label: agent.name,
       trigger: "agent"
     };
-    messageHistory = await new Promise(async (resolve3, reject) => {
+    messageHistory = await new Promise(async (resolve4, reject) => {
       const startTime = Date.now();
       try {
         const result = await provider.generateStream({
@@ -3238,13 +3233,14 @@ var processUiMessagesFlow = async ({
           rerankers,
           agent,
           user,
-          approvedTools: tools.map((tool) => "tool-" + sanitizeToolName(tool.name)),
+          approvedTools: tools.map((tool2) => "tool-" + sanitizeToolName(tool2.name)),
           instructions: agent.instructions,
           session: void 0,
           previousMessages: messageHistory.messages,
           message: currentMessage,
           currentTools: enabledTools,
           allExuluTools: tools,
+          languageModel: resolvedLanguageModel,
           providerapikey,
           toolConfigs: agent.tools,
           exuluConfig: config
@@ -3307,7 +3303,7 @@ var processUiMessagesFlow = async ({
                 })
               ] : []
             ]);
-            resolve3({
+            resolve4({
               messages,
               metadata: {
                 tokens: {
@@ -3361,6 +3357,7 @@ function getAverage(arr) {
 }
 
 // src/graphql/schemas/index.ts
+import "fs";
 function createExuluContextsTypeDefs(table) {
   const enumDefs = table.fields.filter((field) => field.type === "enum" && field.enumValues).map((field) => {
     if (!field.enumValues) {
@@ -3730,6 +3727,9 @@ type PageInfo {
   typeDefs += `
    providers: ProviderPaginationResult
     `;
+  typeDefs += `
+    litellmCatalog: [LiteLLMModel!]!
+    `;
   typeDefs += `
     workflowSchedule(workflow: ID!): WorkflowScheduleResult
     `;
@@ -3793,6 +3793,24 @@ type RateLimitUsageRow {
   inputTokens: Int!
   outputTokens: Int!
 }
+`;
+  modelDefs += `
+type LiteLLMModel {
+  model_name: String!
+  upstream_model: String
+  active: Boolean
+  tags: [String!]
+  type: String
+  brand: String
+  region: String
+  max_tokens: Int
+  max_input_tokens: Int
+  max_output_tokens: Int
+  supports_vision: Boolean
+  supports_function_calling: Boolean
+  supports_pdf_input: Boolean
+  supports_audio_input: Boolean
+}
 `;
   resolvers.Query["agentRateLimitUsage"] = async (_, args, context) => {
     if (!checkLicense()["rate-limits"]) return [];
@@ -3846,6 +3864,10 @@ type RateLimitUsageRow {
       })
     };
   };
+  resolvers.Query["litellmCatalog"] = async () => {
+    const { fetchLiteLLMCatalog } = await import("./catalog-EOKGOHTY.js");
+    return fetchLiteLLMCatalog();
+  };
   resolvers.Query["workflowSchedule"] = async (_, args, context, info) => {
     if (!args.workflow) {
       throw new Error("Workflow template ID is required");
@@ -3866,10 +3888,10 @@ type RateLimitUsageRow {
     if (!agent) {
       throw new Error("Agent instance not found for workflow template.");
     }
-    const provider = providers.find((provider2) => provider2.id === agent.provider);
+    const provider = await resolveAgentProvider(agent, providers);
     if (!provider) {
       throw new Error(
-        "Agent provider: " + agent.provider + " not found for agent instance " + agent.id + "."
+        "ExuluProvider not registered for the model configured on agent instance " + agent.id + "."
       );
     }
     let queue;
@@ -3941,10 +3963,10 @@ type RateLimitUsageRow {
     if (!agent) {
       throw new Error("Agent instance not found for workflow template.");
     }
-    const provider = providers.find((provider2) => provider2.id === agent.provider);
+    const provider = await resolveAgentProvider(agent, providers);
     if (!provider) {
       throw new Error(
-        "Agent provider: " + agent.provider + " not found for agent instance " + agent.id + "."
+        "ExuluProvider not registered for the model configured on agent instance " + agent.id + "."
       );
     }
     let queue;
@@ -3982,10 +4004,10 @@ type RateLimitUsageRow {
     if (!agent) {
       throw new Error("Agent instance not found for workflow template.");
     }
-    const provider = providers.find((provider2) => provider2.id === agent.provider);
+    const provider = await resolveAgentProvider(agent, providers);
     if (!provider) {
       throw new Error(
-        "Provider: " + agent.provider + " not found for agent instance " + agent.id + "."
+        "ExuluProvider not registered for the model configured on agent instance " + agent.id + "."
       );
     }
     let queue;
@@ -4046,10 +4068,10 @@ type RateLimitUsageRow {
     if (!agent) {
       throw new Error("Agent instance not found for workflow template.");
     }
-    const provider = providers.find((provider2) => provider2.id === agent.provider);
+    const provider = await resolveAgentProvider(agent, providers);
     if (!provider) {
       throw new Error(
-        "Agent provider: " + agent.provider + " not found for agent instance " + agent.id + "."
+        "ExuluProvider not registered for the model configured on agent instance " + agent.id + "."
       );
     }
     let queue;
@@ -4107,7 +4129,7 @@ type RateLimitUsageRow {
         } = await validateWorkflowPayload(jobData, providers);
         const retries = 3;
         let attempts = 0;
-        const promise = new Promise(async (resolve3, reject) => {
+        const promise = new Promise(async (resolve4, reject) => {
           while (attempts < retries) {
             try {
               const messages2 = await processUiMessagesFlow({
@@ -4122,7 +4144,7 @@ type RateLimitUsageRow {
                 config,
                 variables: args.variables
               });
-              resolve3(messages2);
+              resolve4(messages2);
               break;
             } catch (error) {
               console.error(
@@ -4136,7 +4158,7 @@ type RateLimitUsageRow {
               if (attempts >= retries) {
                 reject(error instanceof Error ? error : new Error(String(error)));
               }
-              await new Promise((resolve4) => setTimeout((resolve5) => resolve5(true), 2e3));
+              await new Promise((resolve5) => setTimeout((resolve6) => resolve6(true), 2e3));
             }
           }
         });
@@ -4389,10 +4411,10 @@ type RateLimitUsageRow {
       contexts.map(async (context2) => {
         let processor = null;
         if (context2.processor) {
-          processor = await new Promise(async (resolve3, reject) => {
+          processor = await new Promise(async (resolve4, reject) => {
             const config2 = context2.processor?.config;
             const queue = await config2?.queue;
-            resolve3({
+            resolve4({
               name: context2.processor.name,
               description: context2.processor.description,
               queue: queue?.queue?.name || void 0,
@@ -4473,10 +4495,10 @@ type RateLimitUsageRow {
     }
     let processor = null;
     if (data.processor) {
-      processor = await new Promise(async (resolve3, reject) => {
+      processor = await new Promise(async (resolve4, reject) => {
         const config2 = data.processor?.config;
         const queue = await config2?.queue;
-        resolve3({
+        resolve4({
           name: data.processor.name,
           description: data.processor.description,
           queue: queue?.queue?.name || void 0,
@@ -4557,7 +4579,7 @@ type RateLimitUsageRow {
     const instances = await exuluApp.get().agents();
     let agentTools = await Promise.all(
       instances.map(async (agent) => {
-        const provider = providers.find((a) => a.id === agent.provider);
+        const provider = await resolveAgentProvider(agent, providers);
         if (!provider) {
           return null;
         }
@@ -4565,7 +4587,7 @@ type RateLimitUsageRow {
       })
     );
     let agenticRetrievalTool = void 0;
-    const filtered = agentTools.filter((tool) => tool !== null);
+    const filtered = agentTools.filter((tool2) => tool2 !== null);
     let allTools = [...filtered, ...tools];
     if (contexts?.length) {
       agenticRetrievalTool = createAgenticRetrievalToolV3({
@@ -4583,21 +4605,21 @@ type RateLimitUsageRow {
     if (search && search.trim()) {
       const searchTerm = search.toLowerCase().trim();
       allTools = allTools.filter(
-        (tool) => tool.name?.toLowerCase().includes(searchTerm) || tool.description?.toLowerCase().includes(searchTerm)
+        (tool2) => tool2.name?.toLowerCase().includes(searchTerm) || tool2.description?.toLowerCase().includes(searchTerm)
       );
     }
     if (category && category.trim()) {
-      allTools = allTools.filter((tool) => tool.category === category);
+      allTools = allTools.filter((tool2) => tool2.category === category);
     }
     const total = allTools.length;
     const start = page * limit;
     const end = start + limit;
     const paginatedTools = allTools.slice(start, end);
     return {
-      items: paginatedTools.map((tool) => {
+      items: paginatedTools.map((tool2) => {
         const object = {};
         requestedFields.forEach((field) => {
-          object[field] = tool[field];
+          object[field] = tool2[field];
         });
         return object;
       }),
@@ -4607,7 +4629,7 @@ type RateLimitUsageRow {
     };
   };
   resolvers.Query["toolCategories"] = async () => {
-    const array = tools.map((tool) => tool.category).filter((category) => category && typeof category === "string");
+    const array = tools.map((tool2) => tool2.category).filter((category) => category && typeof category === "string");
     array.push("contexts");
     array.push("agents");
     return [...new Set(array)].sort();
@@ -4798,6 +4820,9 @@ type Provider {
   provider: String
   modelName: String
   type: EnumProviderType!
+  authenticationInformation: String
+  maxContextLength: Int
+  capabilities: JSON
 }
 
 type Eval {
@@ -5158,37 +5183,10 @@ import { InMemoryLRUCache } from "@apollo/utils.keyvaluecache";
 import bodyParser from "body-parser";
 import CryptoJS5 from "crypto-js";
 import OpenAI from "openai";
-import fs2 from "fs";
+import fs3 from "fs";
 import { randomUUID as randomUUID2 } from "crypto";
 import "@opentelemetry/api";
-import Anthropic from "@anthropic-ai/sdk";
-
-// src/utils/claude-messages.ts
-var CLAUDE_MESSAGES = {
-  anthropic_token_variable_not_encrypted: `
-\x1B[41m -- Anthropic token variable set by your admin is not encrypted. This poses a security risk. Please contact your admin to fix the variable used for your key. --
-\x1B[0m`,
-  anthropic_token_variable_not_found: `
-\x1B[41m -- Anthropic token variable not found. Please contact your Exulu adminto fix the variable used for the key. --
-\x1B[0m`,
-  authentication_error: `
-\x1B[41m -- Authentication error please check your IMP token and try again. --
-\x1B[0m`,
-  missing_body: `
-\x1B[41m -- Missing body Anthropic response. --
-\x1B[0m`,
-  missing_nextauth_secret: `
-\x1B[41m -- Missing NEXTAUTH_SECRET in environment variables on the server. --
-\x1B[0m`,
-  not_enabled: `
-\x1B[41m -- The agent you selected does not have a valid API key set for it. --
-\x1B[0m`,
-  missing_project: `
-\x1B[41m -- Project not found or you do not have access to it. --
-\x1B[0m`
-};
-
-// src/exulu/routes.ts
+import JSZip2 from "jszip";
 import { createIdGenerator } from "ai";
 import cookieParser from "cookie-parser";
 
@@ -5196,7 +5194,6 @@ import cookieParser from "cookie-parser";
 import { z } from "zod";
 import {
   convertToModelMessages,
-  Output,
   generateText as generateText2,
   streamText,
   validateUIMessages,
@@ -5212,7 +5209,7 @@ function generateSlug(name) {
 }
 
 // src/exulu/provider.ts
-import CryptoJS3 from "crypto-js";
+import "crypto-js";
 import { parseOfficeAsync } from "officeparser";
 
 // src/exulu/task-description.ts
@@ -5258,7 +5255,7 @@ async function clearSessionCurrentTask(session) {
 }
 
 // src/exulu/provider.ts
-import fs from "fs";
+import fs2 from "fs";
 var ExuluProvider = class {
   // Must begin with a letter (a-z) or underscore (_). Subsequent characters in a name can be letters, digits (0-9), or
   // underscores and be a max length of 80 characters and at least 5 characters long.
@@ -5360,27 +5357,18 @@ var ExuluProvider = class {
           providers,
           user
         );
-        const variableName = agent.providerapikey;
-        let providerapikey;
-        if (variableName) {
-          const { db } = await postgresClient();
-          const variable = await db.from("variables").where({ name: variableName }).first();
-          if (!variable) {
-            throw new Error(
-              "Provider API key variable not found for agent: " + agent.name + " (" + agent.id + ") being called as a tool."
-            );
-          }
-          providerapikey = variable.value;
-          if (!variable.encrypted) {
-            throw new Error(
-              "Provider API key variable not encrypted for agent: " + agent.name + " (" + agent.id + ") being called as a tool, for security reasons you are only allowed to use encrypted variables for provider API keys."
-            );
-          }
-          if (variable.encrypted) {
-            const bytes = CryptoJS3.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
-            providerapikey = bytes.toString(CryptoJS3.enc.Utf8);
-          }
+        if (!agent.model) {
+          throw new Error(
+            `Agent ${agent.name} (${agent.id}) has no model configured (called as a tool).`
+          );
         }
+        const resolved = await resolveModel({
+          modelId: agent.model,
+          user,
+          providers,
+          agent: { id: agent.id }
+        });
+        const providerapikey = resolved.apiKey;
         console.log(
           "[EXULU] Enabled tools for agent '" + agent.name + " (" + agent.id + ") that is being called as a tool",
           enabledTools.map((x) => x.name + " (" + x.id + ")")
@@ -5399,6 +5387,7 @@ var ExuluProvider = class {
           rerankers,
           instructions: agent.instructions,
           prompt: "The user has asked the following question: " + prompt + " and the following information is available: " + information,
+          languageModel: resolved.languageModel,
           providerapikey,
           user,
           currentTools: enabledTools,
@@ -5436,10 +5425,10 @@ var ExuluProvider = class {
     statistics,
     toolConfigs,
     providerapikey,
+    languageModel,
     contexts,
     rerankers,
     exuluConfig,
-    outputSchema,
     agent,
     instructions,
     maxStepCount,
@@ -5449,9 +5438,6 @@ var ExuluProvider = class {
       "[EXULU] Called generate sync for agent: " + this.name,
       "with prompt: " + prompt?.slice(0, 100) + "..."
     );
-    if (!this.model) {
-      throw new Error("Model is required for streaming.");
-    }
     if (!this.config) {
       throw new Error("Config is required for generating.");
     }
@@ -5468,13 +5454,7 @@ var ExuluProvider = class {
       sessionItems = sessionData.session_items;
       project = sessionData.project;
     }
-    const model = this.model.create({
-      ...providerapikey ? { apiKey: providerapikey } : {},
-      user: user?.id,
-      role: user?.role?.id,
-      project,
-      agent: agent?.id
-    });
+    const model = languageModel;
     console.log("[EXULU] Model for agent: " + this.name, " created for generating sync.");
     let messages = inputMessages || [];
     if (messages && session && user) {
@@ -5553,12 +5533,12 @@ var ExuluProvider = class {
       system += "\n\n" + memoryContext;
     }
     const includesContextSearchTool = currentTools?.some(
-      (tool) => tool.name.toLowerCase().includes("context_search") || tool.id.includes("context_search") || tool.type === "context"
+      (tool2) => tool2.name.toLowerCase().includes("context_search") || tool2.id.includes("context_search") || tool2.type === "context"
     );
     const includesWebSearchTool = currentTools?.some(
-      (tool) => tool.name.toLowerCase().includes("web_search") || tool.id.includes("web_search") || tool.type === "web_search"
+      (tool2) => tool2.name.toLowerCase().includes("web_search") || tool2.id.includes("web_search") || tool2.type === "web_search"
     );
-    console.log("[EXULU] Current tools: " + currentTools?.map((tool) => tool.name).join("\n"));
+    console.log("[EXULU] Current tools: " + currentTools?.map((tool2) => tool2.name).join("\n"));
     console.log("[EXULU] Includes context search tool: " + includesContextSearchTool);
     if (includesContextSearchTool) {
       system += `
@@ -5617,66 +5597,47 @@ When a tool execution is not approved by the user, do not retry it unless explic
       let result = { object: null, text: "" };
       let inputTokens = 0;
       let outputTokens = 0;
-      if (outputSchema) {
-        const { output, usage } = await generateText2({
-          temperature: 0,
-          // TODO Make this configurable
-          model,
-          system,
-          maxRetries: 3,
-          output: Output.object({
-            schema: outputSchema
-          }),
-          prompt,
-          stopWhen: [stepCountIs(maxStepCount || 5)]
-          // make configurable
-        });
-        result.object = output;
-        inputTokens = usage.inputTokens || 0;
-        outputTokens = usage.outputTokens || 0;
-      } else {
-        console.log(
-          "[EXULU] Generating text for agent: " + this.name,
-          "with prompt: " + prompt?.slice(0, 100) + "..."
-        );
-        const output = await generateText2({
-          temperature: 0,
-          // TODO Make this configurable
+      console.log(
+        "[EXULU] Generating text for agent: " + this.name,
+        "with prompt: " + prompt?.slice(0, 100) + "..."
+      );
+      const output = await generateText2({
+        temperature: 0,
+        // TODO Make this configurable
+        model,
+        system,
+        prompt,
+        maxRetries: 2,
+        tools: await convertExuluToolsToAiSdkTools(
+          currentTools,
+          currentSkills,
+          approvedTools,
+          allExuluTools,
+          toolConfigs,
+          providerapikey,
+          contexts,
+          rerankers,
+          user,
+          exuluConfig,
+          session,
+          req,
+          project,
+          sessionItems,
           model,
-          system,
-          prompt,
-          maxRetries: 2,
-          tools: await convertExuluToolsToAiSdkTools(
-            currentTools,
-            currentSkills,
-            approvedTools,
-            allExuluTools,
-            toolConfigs,
-            providerapikey,
-            contexts,
-            rerankers,
-            user,
-            exuluConfig,
-            session,
-            req,
-            project,
-            sessionItems,
-            model,
-            agent,
-            memoryItems
-          ),
-          stopWhen: [stepCountIs(maxStepCount || 5)]
-          // make configurable
-        });
-        console.log("[EXULU] Output: " + JSON.stringify(output, null, 2));
-        const {
-          text,
-          totalUsage
-        } = output;
-        result.text = text;
-        inputTokens = totalUsage?.inputTokens || 0;
-        outputTokens = totalUsage?.outputTokens || 0;
-      }
+          agent,
+          memoryItems
+        ),
+        stopWhen: [stepCountIs(maxStepCount || 5)]
+        // make configurable
+      });
+      console.log("[EXULU] Output: " + JSON.stringify(output, null, 2));
+      const {
+        text,
+        totalUsage
+      } = output;
+      result.text = text;
+      inputTokens = totalUsage?.inputTokens || 0;
+      outputTokens = totalUsage?.outputTokens || 0;
       if (statistics) {
         await Promise.all([
           updateStatistic({
@@ -5881,6 +5842,7 @@ ${extractedText}
     allExuluTools,
     toolConfigs,
     providerapikey,
+    languageModel,
     contexts,
     rerankers,
     exuluConfig,
@@ -5888,10 +5850,6 @@ ${extractedText}
     req,
     maxStepCount
   }) => {
-    if (!this.model) {
-      console.error("[EXULU] Model is required for streaming.");
-      throw new Error("Model is required for streaming.");
-    }
     if (!this.config) {
       console.error("[EXULU] Config is required for streaming.");
       throw new Error("Config is required for generating.");
@@ -5917,13 +5875,7 @@ ${extractedText}
       });
       previousMessagesContent = previousMessages2.map((message2) => JSON.parse(message2.content));
     }
-    const model = this.model.create({
-      ...providerapikey ? { apiKey: providerapikey } : {},
-      user: user?.id,
-      role: user?.role?.id,
-      project,
-      agent: agent?.id
-    });
+    const model = languageModel;
     messages = await validateUIMessages({
       // append the new message to the previous messages:
       messages: [...previousMessagesContent, message]
@@ -5960,7 +5912,7 @@ ${extractedText}
         // todo make this configurable?
         page: 1
       });
-      fs.writeFileSync("pre-fetched-relevant-information.json", JSON.stringify(result2, null, 2));
+      fs2.writeFileSync("pre-fetched-relevant-information.json", JSON.stringify(result2, null, 2));
       if (result2?.chunks?.length) {
         memoryItems = result2.chunks;
         memoryContext = `
@@ -5983,12 +5935,12 @@ ${extractedText}
     let system = instructions || "You are a helpful assistant. When you use a tool to answer a question do not explicitly comment on the result of the tool call unless the user has explicitly you to do something with the result.";
     system += "\n\n" + genericContext;
     const includesContextSearchTool = currentTools?.some(
-      (tool) => tool.name.toLowerCase().includes("context_search") || tool.id.includes("context_search") || tool.type === "context"
+      (tool2) => tool2.name.toLowerCase().includes("context_search") || tool2.id.includes("context_search") || tool2.type === "context"
     );
     const includesWebSearchTool = currentTools?.some(
-      (tool) => tool.name.toLowerCase().includes("web_search") || tool.id.includes("web_search") || tool.type === "web_search"
+      (tool2) => tool2.name.toLowerCase().includes("web_search") || tool2.id.includes("web_search") || tool2.type === "web_search"
     );
-    console.log("[EXULU] Current tools: " + currentTools?.map((tool) => tool.name).join("\n"));
+    console.log("[EXULU] Current tools: " + currentTools?.map((tool2) => tool2.name).join("\n"));
     console.log("[EXULU] Includes context search tool: " + includesContextSearchTool);
     console.log("[EXULU] Includes web search tool: " + includesWebSearchTool);
     if (includesContextSearchTool) {
@@ -6088,7 +6040,7 @@ ${skillsList}
 
 When a tool execution is not approved by the user, do not retry it unless explicitly asked by the user. ' +
     'Inform the user that the action was not performed.`;
-    fs.writeFileSync("system-prompt.txt", system);
+    fs2.writeFileSync("system-prompt.txt", system);
     console.log("[EXULU] Tools", currentTools?.map((x) => x.name));
     console.log("[EXULU] Skills", currentSkills?.map((x) => x.name));
     const tools = await convertExuluToolsToAiSdkTools(
@@ -6175,7 +6127,8 @@ var getSession = async ({ sessionID }) => {
 var saveChat = async ({
   session,
   user,
-  messages
+  messages,
+  model
 }) => {
   const { db } = await postgresClient();
   for (const message of messages) {
@@ -6184,13 +6137,168 @@ var saveChat = async ({
       user,
       content: JSON.stringify(message),
       message_id: message.id,
-      title: message.role === "user" ? "User" : "Assistant"
+      title: message.role === "user" ? "User" : "Assistant",
+      ...model ? { model } : {}
     }).returning("id");
     mutation.onConflict("message_id").merge();
     await mutation;
   }
 };
 
+// src/exulu/suggestions.ts
+import {
+  convertToModelMessages as convertToModelMessages2,
+  generateText as generateText3,
+  tool
+} from "ai";
+import { z as z2 } from "zod";
+var SUGGESTIONS_SYSTEM_PROMPT = "You generate short follow-up message suggestions for the user. You are NOT continuing the conversation as the assistant \u2014 you are predicting what the user might want to say next. Suggest up to 3 short follow-up questions or messages the user might want to send next. Each suggestion must be written from the user's perspective (first person) and be 12 words or fewer. You MUST submit your answer by calling the `submit_suggestions` tool exactly once. Do not emit any plain text \u2014 only the tool call.";
+var submitSuggestionsTool = tool({
+  description: "Submit the final list of follow-up message suggestions for the user. Must be called exactly once. Each suggestion is written from the user's perspective (first person) and is 12 words or fewer.",
+  inputSchema: z2.object({
+    suggestions: z2.array(z2.string()).max(3)
+  })
+});
+var MAX_CHARS_PER_MESSAGE = 1e4;
+var trimMessagesForSuggestions = (messages) => {
+  const out = [];
+  for (const m of messages) {
+    const textBlobs = [];
+    for (const p of m.parts ?? []) {
+      if (p.type === "text" && typeof p.text === "string" && p.text.trim().length > 0) {
+        textBlobs.push(p.text);
+      }
+    }
+    if (textBlobs.length === 0) continue;
+    let combined = textBlobs.join("\n\n");
+    if (combined.length > MAX_CHARS_PER_MESSAGE) {
+      combined = combined.slice(0, MAX_CHARS_PER_MESSAGE);
+    }
+    out.push({
+      ...m,
+      parts: [{ type: "text", text: combined }]
+    });
+  }
+  return out;
+};
+var generateSuggestions = async ({
+  languageModel,
+  messages,
+  agentInstructions
+}) => {
+  const system = agentInstructions ? `${agentInstructions}
+
+---
+
+${SUGGESTIONS_SYSTEM_PROMPT}` : SUGGESTIONS_SYSTEM_PROMPT;
+  const trimmed = trimMessagesForSuggestions(messages);
+  const { toolCalls, totalUsage } = await generateText3({
+    temperature: 0,
+    model: languageModel,
+    system,
+    messages: await convertToModelMessages2(trimmed, {
+      ignoreIncompleteToolCalls: true
+    }),
+    tools: { submit_suggestions: submitSuggestionsTool },
+    toolChoice: { type: "tool", toolName: "submit_suggestions" },
+    maxRetries: 3
+  });
+  const call = toolCalls.find((c) => c.toolName === "submit_suggestions");
+  const input = call?.input;
+  const suggestions = Array.isArray(input?.suggestions) ? input.suggestions.slice(0, 3).map(String) : [];
+  return {
+    suggestions,
+    usage: {
+      inputTokens: totalUsage?.inputTokens ?? 0,
+      outputTokens: totalUsage?.outputTokens ?? 0
+    }
+  };
+};
+
+// src/exulu/transcribe.ts
+var TranscriptionError = class extends Error {
+  constructor(upstreamStatus, message) {
+    super(message);
+    this.upstreamStatus = upstreamStatus;
+    this.name = "TranscriptionError";
+  }
+};
+async function transcribeAudio(args) {
+  const host = process.env.LITELLM_HOST ?? "127.0.0.1";
+  const port = process.env.LITELLM_PORT ?? "4000";
+  const masterKey = process.env.LITELLM_MASTER_KEY;
+  const model = process.env.TRANSCRIPTION_MODEL;
+  if (!masterKey) throw new Error("LITELLM_MASTER_KEY is not set");
+  if (!model) throw new Error("TRANSCRIPTION_MODEL is not set");
+  const form = new FormData();
+  form.append(
+    "file",
+    new Blob([args.file.buffer], { type: args.file.mimetype }),
+    args.file.originalname
+  );
+  form.append("model", model);
+  if (args.language) form.append("language", args.language);
+  const res = await fetch(`http://${host}:${port}/v1/audio/transcriptions`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${masterKey}` },
+    body: form
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new TranscriptionError(
+      res.status,
+      `LiteLLM transcription failed (status ${res.status}): ${body}`.trim()
+    );
+  }
+  const json = await res.json();
+  return { text: typeof json.text === "string" ? json.text : "" };
+}
+
+// src/exulu/speech.ts
+var SpeechError = class extends Error {
+  constructor(upstreamStatus, message) {
+    super(message);
+    this.upstreamStatus = upstreamStatus;
+    this.name = "SpeechError";
+  }
+};
+async function synthesizeSpeech(args) {
+  const host = process.env.LITELLM_HOST ?? "127.0.0.1";
+  const port = process.env.LITELLM_PORT ?? "4000";
+  const masterKey = process.env.LITELLM_MASTER_KEY;
+  const model = process.env.TTS_MODEL;
+  const voice = process.env.TTS_VOICE;
+  if (!masterKey) throw new Error("LITELLM_MASTER_KEY is not set");
+  if (!model) throw new Error("TTS_MODEL is not set");
+  if (!voice) throw new Error("TTS_VOICE is not set");
+  const body = {
+    model,
+    input: args.text,
+    voice,
+    response_format: "mp3"
+  };
+  const res = await fetch(`http://${host}:${port}/v1/audio/speech`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${masterKey}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new SpeechError(
+      res.status,
+      `LiteLLM speech failed (status ${res.status}): ${text}`.trim()
+    );
+  }
+  const arrayBuf = await res.arrayBuffer();
+  return Buffer.from(arrayBuf);
+}
+
+// src/exulu/routes.ts
+import multer from "multer";
+
 // src/utils/check-provider-rate-limit.ts
 var checkProviderRateLimit = async (provider) => {
   if (provider.rateLimit) {
@@ -6321,7 +6429,7 @@ async function recordAgentTokenUsage(args) {
 import "express";
 import {
   streamText as streamText2,
-  generateText as generateText3,
+  generateText as generateText4,
   stepCountIs as stepCountIs2,
   jsonSchema
 } from "ai";
@@ -6412,7 +6520,7 @@ function transformCompletion(text, inputTokens, outputTokens, ctx) {
 
 // src/exulu/openai-gateway.ts
 import { randomUUID } from "crypto";
-import CryptoJS4 from "crypto-js";
+import "crypto-js";
 import express from "express";
 function convertOpenAIToolsToAiSdkTools(tools) {
   return Object.fromEntries(
@@ -6698,41 +6806,33 @@ var registerOpenAIGatewayRoutes = async (app, providers, tools, contexts, config
           res.status(500).json({ error: { message: "Server configuration error", type: "server_error" } });
           return;
         }
-        if (!agent.providerapikey) {
-          res.status(400).json({
-            error: { message: "Agent has no API key configured", type: "invalid_request_error" }
-          });
-          return;
-        }
-        const variable = await db.from("variables").where({ name: agent.providerapikey }).first();
-        if (!variable) {
-          res.status(400).json({
-            error: { message: "API key variable not found", type: "invalid_request_error" }
-          });
-          return;
-        }
-        if (!variable.encrypted) {
+        if (!agent.model) {
           res.status(400).json({
-            error: { message: "API key variable must be encrypted", type: "invalid_request_error" }
+            error: { message: "Agent has no model configured", type: "invalid_request_error" }
           });
           return;
         }
-        const bytes = CryptoJS4.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
-        const providerapikey = bytes.toString(CryptoJS4.enc.Utf8);
-        const provider = providers.find((p) => p.id === agent.provider);
-        if (!provider?.config?.model?.create) {
-          res.status(400).json({
-            error: { message: "No provider configured for this agent", type: "invalid_request_error" }
+        let resolved;
+        try {
+          resolved = await resolveModel({
+            modelId: agent.model,
+            user,
+            providers,
+            agent: { id: agent.id },
+            project: project ? { id: project.id } : void 0
           });
-          return;
+        } catch (err) {
+          if (err instanceof ResolveModelError) {
+            const status = err.code === "MODEL_FORBIDDEN" ? 403 : 400;
+            res.status(status).json({
+              error: { message: err.message, type: "invalid_request_error", code: err.code }
+            });
+            return;
+          }
+          throw err;
         }
-        const languageModel = provider.config.model.create({
-          apiKey: providerapikey,
-          user: user.id,
-          role: user.role?.id,
-          project: project?.id,
-          agent: agent.id
-        });
+        const providerapikey = resolved.apiKey;
+        const languageModel = resolved.languageModel;
         const disabledTools = req.body.disabledTools ?? [];
         const enabledTools = await getEnabledTools(
           agent,
@@ -6821,7 +6921,7 @@ ${project.description}` : ""}` : "",
           const usage = await result.usage;
           await writeStatistics(agent, project, user, usage.inputTokens ?? 0, usage.outputTokens ?? 0);
         } else {
-          const { text, usage } = await generateText3({
+          const { text, usage } = await generateText4({
             model: languageModel,
             system: systemPrompt || void 0,
             messages: coreMessages,
@@ -6842,9 +6942,6 @@ ${project.description}` : ""}` : "",
   );
 };
 
-// src/exulu/routes.ts
-import { convertJsonSchemaToZod } from "zod-from-json-schema";
-
 // src/utils/enabled-skills.ts
 var getEnabledSkills = async (agent, disabledSkills = []) => {
   let enabledSkills = [];
@@ -6862,7 +6959,7 @@ var REQUEST_SIZE_LIMIT = "50mb";
 var getExuluVersionNumber = async () => {
   try {
     const path2 = process.cwd();
-    const packageJson = fs2.readFileSync(path2 + "/package.json", "utf8");
+    const packageJson = fs3.readFileSync(path2 + "/package.json", "utf8");
     const packageData = JSON.parse(packageJson);
     const exuluVersion = packageData.dependencies["@exulu/backend"];
     console.log(`[EXULU] Installed exulu-backend version: ${exuluVersion}`);
@@ -6885,6 +6982,7 @@ var {
   platformConfigurationsSchema,
   agentSessionsSchema,
   agentMessagesSchema,
+  modelsSchema,
   rolesSchema,
   usersSchema,
   skillsSchema,
@@ -6949,6 +7047,7 @@ var createExpressRoutes = async (app, providers, tools, contexts, config, evals,
       testCasesSchema(),
       agentSessionsSchema(),
       agentMessagesSchema(),
+      modelsSchema(),
       variablesSchema(),
       workflowTemplatesSchema(),
       statisticsSchema(),
@@ -7209,12 +7308,13 @@ Mood: friendly and intelligent.
         },
         redisHost: process.env.REDIS_HOST,
         enabled: config?.workers?.enabled
+      },
+      liteLLM: {
+        enabled: process.env.EXULU_USE_LITELLM === "true"
       }
     });
   });
-  providers.forEach((provider) => {
-    const slug = provider.slug;
-    if (!slug) return;
+  const registerAgentRunRoute = (slug, provider) => {
     app.post(slug + "/:instance", async (req, res) => {
       console.log("[EXULU] POST " + slug + "/:instance", req.body);
       const headers = {
@@ -7310,39 +7410,33 @@ Mood: friendly and intelligent.
         providers,
         user
       );
-      if (req.body.outputSchema && !!headers.stream) {
-        throw new Error("Providing a outputSchema in the POST body is not allowed when using the streaming API, set 'stream' to false in the headers when defining a response schema.");
-      }
-      let outputSchema;
-      if (req.body.outputSchema) {
-        if (typeof req.body.outputSchema === "string") {
-          req.body.outputSchema = JSON.parse(req.body.outputSchema);
-        }
-        outputSchema = convertJsonSchemaToZod(req.body.outputSchema);
-      }
-      let providerapikey;
-      const variableName = agent.providerapikey;
-      if (variableName) {
-        console.log("[EXULU] provider api key variable name", variableName);
-        const variable = await db.from("variables").where({ name: variableName }).first();
-        if (!variable) {
-          res.status(400).json({
-            message: "Provider API key variable not found for " + agent.name + " (" + agent.id + ")."
-          });
-          return;
-        }
-        providerapikey = variable.value;
-        if (!variable.encrypted) {
-          res.status(400).json({
-            message: "Provider API key variable not encrypted, for security reasons you are only allowed to use encrypted variables for provider API keys."
-          });
+      const overrideModelId = req.headers["x-exulu-model-override"];
+      const modelId = overrideModelId ?? agent.model;
+      if (!modelId) {
+        res.status(400).json({
+          message: `Agent ${agent.name} (${agent.id}) has no model configured.`
+        });
+        return;
+      }
+      let resolved;
+      try {
+        resolved = await resolveModel({
+          modelId,
+          user,
+          providers,
+          agent: { id: agent.id }
+        });
+      } catch (err) {
+        if (err instanceof ResolveModelError) {
+          const status = err.code === "MODEL_FORBIDDEN" ? 403 : 400;
+          res.status(status).json({ message: err.message, code: err.code });
           return;
         }
-        if (variable.encrypted) {
-          const bytes = CryptoJS5.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
-          providerapikey = bytes.toString(CryptoJS5.enc.Utf8);
-        }
+        throw err;
       }
+      const providerapikey = resolved.apiKey;
+      const resolvedLanguageModel = resolved.languageModel;
+      const resolvedModelId = resolved.model.id;
       if (!!headers.stream) {
         const statistics = {
           label: agent.name,
@@ -7374,6 +7468,7 @@ ${customInstructions}` : agent.instructions;
           currentSkills: enabledSkills,
           approvedTools,
           allExuluTools: tools,
+          languageModel: resolvedLanguageModel,
           providerapikey,
           toolConfigs: agent.tools,
           exuluConfig: config,
@@ -7422,7 +7517,8 @@ ${customInstructions}` : agent.instructions;
               await saveChat({
                 session: headers.session,
                 user: user.id,
-                messages
+                messages,
+                model: resolvedModelId
               });
               clearSessionCurrentTask(headers.session).catch(() => {
               });
@@ -7484,7 +7580,6 @@ ${customInstructions}` : agent.instructions;
         const response = await provider.generateSync({
           contexts,
           rerankers: rerankers || [],
-          outputSchema,
           agent,
           user,
           req,
@@ -7494,6 +7589,7 @@ ${customInstructions}` : agent.instructions;
           currentTools: enabledTools,
           currentSkills: enabledSkills,
           allExuluTools: tools,
+          languageModel: resolvedLanguageModel,
           providerapikey,
           exuluConfig: config,
           toolConfigs: agent.tools,
@@ -7515,289 +7611,414 @@ ${customInstructions}` : agent.instructions;
         return;
       }
     });
+  };
+  providers.forEach((provider) => {
+    const slug = provider.slug;
+    if (!slug) return;
+    registerAgentRunRoute(slug, provider);
   });
-  if (config?.fileUploads && config?.fileUploads?.s3region && config?.fileUploads?.s3key && config?.fileUploads?.s3secret && config?.fileUploads?.s3Bucket) {
-    await createUppyRoutes(app, config);
-  } else {
-    console.log(
-      "[EXULU] skipping uppy file upload routes, because no S3 compatible region, key or secret is set in ExuluApp instance."
-    );
+  if (isLiteLLMEnabled() && providers.length > 0) {
+    registerAgentRunRoute("/agents/litellm/run", providers[0]);
   }
-  app.get("/config", async (req, res) => {
-    res.status(200).json({
-      message: "Config fetched successfully.",
-      config: {
-        workers: {
-          enabled: config?.workers?.enabled || false
-        }
-      }
+  app.post("/agents/suggestions/:agentId", async (req, res) => {
+    const agentId = req.params.agentId;
+    if (!agentId) {
+      res.status(400).json({ detail: "Missing agentId" });
+      return;
+    }
+    const agent = await exuluApp.get().agent(agentId);
+    if (!agent) {
+      res.status(404).json({ detail: `Agent ${agentId} not found.` });
+      return;
+    }
+    if (!agent.suggestions_enabled) {
+      res.status(400).json({ detail: "Suggestions are not enabled for this agent." });
+      return;
+    }
+    const authenticationResult = await requestValidators.authenticate(req);
+    if (!authenticationResult.user?.id && agent.rights_mode !== "public") {
+      res.status(authenticationResult.code || 500).json({ detail: `${authenticationResult.message}` });
+      return;
+    }
+    const user = authenticationResult.user;
+    const scopeCheck = checkApiKeyScope(user, agentId);
+    if (!scopeCheck.allowed) {
+      res.status(scopeCheck.code).json({ detail: scopeCheck.reason });
+      return;
+    }
+    const hasAccessToAgent = await checkRecordAccess(agent, "read", user);
+    if (!hasAccessToAgent) {
+      res.status(401).json({ detail: "You don't have access to this agent." });
+      return;
+    }
+    const callerId = resolveCallerId(req, user?.id);
+    const rateLimitsEnabled = checkLicense()["rate-limits"] === true;
+    const effectiveLimits = rateLimitsEnabled ? agent.rate_limits ?? null : null;
+    const preCheck = await preCheckAgentRateLimit({
+      agentId,
+      callerId,
+      limits: effectiveLimits
     });
-  });
-  app.use(
-    "/gateway/anthropic/:agent/:project",
-    express2.raw({ type: "*/*", limit: REQUEST_SIZE_LIMIT }),
-    async (req, res) => {
-      try {
-        if (!req.body.tools) {
-          req.body.tools = [];
-        }
-        const { db } = await postgresClient();
-        const authenticationResult = await requestValidators.authenticate(req);
-        if (!authenticationResult.user?.id) {
-          console.log("[EXULU] failed authentication result", authenticationResult);
-          res.status(authenticationResult.code || 500).json({ detail: `${authenticationResult.message}` });
-          return;
-        }
-        const user = authenticationResult.user;
-        let agentQuery = db("agents");
-        agentQuery.select("*");
-        agentQuery = applyAccessControl(agentsSchema(), agentQuery, authenticationResult.user);
-        agentQuery.where({ id: req.params.agent });
-        const agent = await agentQuery.first();
-        if (!agent) {
-          const arrayBuffer = createCustomAnthropicStreamingMessage(`
-\x1B[41m -- Agent ${req.params.agent} not found or you do not have access to it. --
-\x1B[0m`);
-          res.setHeader("Content-Type", "application/json");
-          res.end(Buffer.from(arrayBuffer));
-          return;
-        }
-        let project = null;
-        if (!req.params.project || req.params.project === "DEFAULT") {
-          project = null;
-        } else {
-          let projectQuery = db("projects");
-          projectQuery.select("*");
-          projectQuery = applyAccessControl(
-            projectsSchema(),
-            projectQuery,
-            authenticationResult.user
-          );
-          projectQuery.where({ id: req.params.project });
-          project = await projectQuery.first();
-          if (!project) {
-            const arrayBuffer = createCustomAnthropicStreamingMessage(
-              CLAUDE_MESSAGES.missing_project
-            );
-            res.setHeader("Content-Type", "application/json");
-            res.end(Buffer.from(arrayBuffer));
-            return;
-          }
-        }
-        console.log("[EXULU] anthropic proxy called for agent:", agent?.name);
-        if (!process.env.NEXTAUTH_SECRET) {
-          const arrayBuffer = createCustomAnthropicStreamingMessage(
-            CLAUDE_MESSAGES.missing_nextauth_secret
-          );
-          res.setHeader("Content-Type", "application/json");
-          res.end(Buffer.from(arrayBuffer));
+    if (!preCheck.ok) {
+      res.setHeader("Retry-After", String(preCheck.retryAfter));
+      res.status(429).json({
+        detail: `Rate limit exceeded for ${preCheck.metric} on agent ${agent.name}.`,
+        metric: preCheck.metric,
+        retryAfter: preCheck.retryAfter
+      });
+      return;
+    }
+    const messages = Array.isArray(req.body.messages) ? req.body.messages : [];
+    if (messages.length === 0) {
+      res.status(400).json({ detail: "Missing messages in request body." });
+      return;
+    }
+    if (!agent.model) {
+      res.status(400).json({
+        detail: `Agent ${agent.name} (${agent.id}) has no model configured.`
+      });
+      return;
+    }
+    let resolved;
+    try {
+      resolved = await resolveModel({
+        modelId: agent.model,
+        user,
+        providers,
+        agent: { id: agent.id }
+      });
+    } catch (err) {
+      if (err instanceof ResolveModelError) {
+        const status = err.code === "MODEL_FORBIDDEN" ? 403 : 400;
+        res.status(status).json({ detail: err.message, code: err.code });
+        return;
+      }
+      throw err;
+    }
+    try {
+      const { suggestions, usage } = await generateSuggestions({
+        languageModel: resolved.languageModel,
+        messages,
+        agentInstructions: agent.instructions
+      });
+      await Promise.all([
+        updateStatistic({
+          name: "count",
+          label: agent.name,
+          type: STATISTICS_TYPE_ENUM.AGENT_RUN,
+          trigger: "agent",
+          count: 1,
+          user: user?.id,
+          role: user?.role?.id
+        }),
+        ...usage.inputTokens ? [
+          updateStatistic({
+            name: "inputTokens",
+            label: agent.name,
+            type: STATISTICS_TYPE_ENUM.AGENT_RUN,
+            trigger: "agent",
+            count: usage.inputTokens,
+            user: user?.id,
+            role: user?.role?.id
+          })
+        ] : [],
+        ...usage.outputTokens ? [
+          updateStatistic({
+            name: "outputTokens",
+            label: agent.name,
+            type: STATISTICS_TYPE_ENUM.AGENT_RUN,
+            trigger: "agent",
+            count: usage.outputTokens
+          })
+        ] : [],
+        recordAgentTokenUsage({
+          agentId,
+          callerId,
+          limits: effectiveLimits,
+          inputTokens: usage.inputTokens,
+          outputTokens: usage.outputTokens
+        })
+      ]);
+      res.status(200).json({ suggestions });
+    } catch (err) {
+      console.error("[EXULU] suggestions generation failed", err);
+      res.status(500).json({
+        detail: err instanceof Error ? err.message : "Failed to generate suggestions."
+      });
+    }
+  });
+  const MAX_TRANSCRIBE_BYTES = 25 * 1024 * 1024;
+  const transcribeUpload = multer({
+    storage: multer.memoryStorage(),
+    limits: { fileSize: MAX_TRANSCRIBE_BYTES }
+  });
+  app.post(
+    "/transcribe",
+    (req, res, next) => {
+      transcribeUpload.single("file")(req, res, (err) => {
+        if (!err) return next();
+        const code = err?.code;
+        if (code === "LIMIT_FILE_SIZE") {
+          res.status(413).json({ detail: "Recording too large. Please record a shorter clip." });
           return;
         }
-        if (!agent.providerapikey) {
-          const arrayBuffer = createCustomAnthropicStreamingMessage(CLAUDE_MESSAGES.not_enabled);
-          res.setHeader("Content-Type", "application/json");
-          res.end(Buffer.from(arrayBuffer));
+        res.status(400).json({ detail: err instanceof Error ? err.message : "Upload failed." });
+      });
+    },
+    async (req, res) => {
+      if (!isLiteLLMEnabled() || !process.env.TRANSCRIPTION_MODEL) {
+        res.status(503).json({
+          detail: "Speech-to-text is not enabled on this deployment. Set EXULU_USE_LITELLM=true and TRANSCRIPTION_MODEL in the environment."
+        });
+        return;
+      }
+      const authenticationResult = await requestValidators.authenticate(req);
+      if (!authenticationResult.user?.id) {
+        res.status(authenticationResult.code || 401).json({ detail: authenticationResult.message });
+        return;
+      }
+      const file = req.file;
+      if (!file) {
+        res.status(400).json({ detail: "No audio file provided in 'file' field." });
+        return;
+      }
+      if (!file.mimetype.startsWith("audio/")) {
+        res.status(400).json({
+          detail: `Unsupported mimetype: ${file.mimetype}. Expected audio/*.`
+        });
+        return;
+      }
+      try {
+        await Promise.race([
+          waitForLiteLLMReady(),
+          new Promise(
+            (_, reject) => setTimeout(() => reject(new Error("LiteLLM not ready")), 5e3)
+          )
+        ]);
+      } catch {
+        res.status(503).json({ detail: "Transcription service is not ready. Try again shortly." });
+        return;
+      }
+      const language = typeof req.body?.language === "string" && /^[a-z]{2}$/.test(req.body.language) ? req.body.language : void 0;
+      try {
+        const { text } = await transcribeAudio({ file, language });
+        res.status(200).json({ text });
+      } catch (err) {
+        if (err instanceof TranscriptionError) {
+          const code = err.upstreamStatus >= 500 ? 502 : err.upstreamStatus;
+          res.status(code).json({ detail: err.message });
           return;
         }
-        const variableName = agent.providerapikey;
-        const variable = await db.from("variables").where({ name: variableName }).first();
-        if (!variable) {
-          const arrayBuffer = createCustomAnthropicStreamingMessage(
-            CLAUDE_MESSAGES.anthropic_token_variable_not_found
-          );
-          res.setHeader("Content-Type", "application/json");
-          res.end(Buffer.from(arrayBuffer));
+        console.error("[EXULU] /transcribe failed", err);
+        res.status(500).json({
+          detail: err instanceof Error ? err.message : "Transcription failed."
+        });
+      }
+    }
+  );
+  const MAX_TTS_INPUT_CHARS = 4e3;
+  app.post(
+    "/speech",
+    bodyParser.json({ limit: "64kb" }),
+    async (req, res) => {
+      if (!isLiteLLMEnabled() || !process.env.TTS_MODEL || !process.env.TTS_VOICE) {
+        res.status(503).json({
+          detail: "Text-to-speech is not enabled on this deployment. Set EXULU_USE_LITELLM=true, TTS_MODEL, and TTS_VOICE in the environment."
+        });
+        return;
+      }
+      const authenticationResult = await requestValidators.authenticate(req);
+      if (!authenticationResult.user?.id) {
+        res.status(authenticationResult.code || 401).json({ detail: authenticationResult.message });
+        return;
+      }
+      const text = typeof req.body?.text === "string" ? req.body.text.trim() : "";
+      if (!text) {
+        res.status(400).json({ detail: "Missing 'text' in request body." });
+        return;
+      }
+      if (text.length > MAX_TTS_INPUT_CHARS) {
+        res.status(400).json({
+          detail: `Text too long (${text.length} chars). Max ${MAX_TTS_INPUT_CHARS}.`
+        });
+        return;
+      }
+      try {
+        await Promise.race([
+          waitForLiteLLMReady(),
+          new Promise(
+            (_, reject) => setTimeout(() => reject(new Error("LiteLLM not ready")), 5e3)
+          )
+        ]);
+      } catch {
+        res.status(503).json({ detail: "Speech service is not ready. Try again shortly." });
+        return;
+      }
+      try {
+        const audio = await synthesizeSpeech({ text });
+        res.status(200);
+        res.setHeader("Content-Type", "audio/mpeg");
+        res.setHeader("Content-Length", String(audio.length));
+        res.setHeader("Cache-Control", "no-store");
+        res.send(audio);
+      } catch (err) {
+        if (err instanceof SpeechError) {
+          const code = err.upstreamStatus >= 500 ? 502 : err.upstreamStatus;
+          res.status(code).json({ detail: err.message });
           return;
         }
-        let anthropicApiKey = variable.value;
-        if (!variable.encrypted) {
-          const arrayBuffer = createCustomAnthropicStreamingMessage(
-            CLAUDE_MESSAGES.anthropic_token_variable_not_encrypted
-          );
-          res.setHeader("Content-Type", "application/json");
-          res.end(Buffer.from(arrayBuffer));
+        console.error("[EXULU] /speech failed", err);
+        res.status(500).json({
+          detail: err instanceof Error ? err.message : "Speech generation failed."
+        });
+      }
+    }
+  );
+  app.use("/litellm/:project", async (req, res) => {
+    if (!isLiteLLMEnabled()) {
+      res.status(503).json({
+        detail: "LiteLLM is not enabled on this deployment. Set EXULU_USE_LITELLM=true."
+      });
+      return;
+    }
+    const masterKey = process.env.LITELLM_MASTER_KEY;
+    if (!masterKey) {
+      res.status(503).json({ detail: "LITELLM_MASTER_KEY is not configured." });
+      return;
+    }
+    const authenticationResult = await requestValidators.authenticate(req);
+    if (!authenticationResult.user?.id) {
+      console.log("[EXULU] /litellm failed authentication", authenticationResult);
+      res.status(authenticationResult.code || 401).json({ detail: authenticationResult.message });
+      return;
+    }
+    const user = authenticationResult.user;
+    if (!req.path.startsWith("/v1/")) {
+      res.status(403).json({
+        detail: `Path ${req.path} is not exposed through the Exulu LiteLLM proxy.`
+      });
+      return;
+    }
+    let project = null;
+    if (req.params.project && req.params.project !== "DEFAULT") {
+      const { db } = await postgresClient();
+      let projectQuery = db("projects");
+      projectQuery.select("*");
+      projectQuery = applyAccessControl(
+        projectsSchema(),
+        projectQuery,
+        authenticationResult.user
+      );
+      projectQuery.where({ id: req.params.project });
+      project = await projectQuery.first();
+      if (!project) {
+        res.status(404).json({
+          detail: "Project not found or you do not have access to it."
+        });
+        return;
+      }
+    }
+    const host = process.env.LITELLM_HOST ?? "127.0.0.1";
+    const port = process.env.LITELLM_PORT ?? "4000";
+    const upstreamUrl = `http://${host}:${port}${req.url}`;
+    const upstreamHeaders = {};
+    for (const [name, value] of Object.entries(req.headers)) {
+      if (value === void 0) continue;
+      const lower = name.toLowerCase();
+      if (lower === "authorization" || lower === "host" || lower === "content-length" || lower === "connection" || lower === "transfer-encoding" || lower === "accept-encoding")
+        continue;
+      upstreamHeaders[name] = Array.isArray(value) ? value.join(", ") : value;
+    }
+    upstreamHeaders["authorization"] = `Bearer ${masterKey}`;
+    const methodHasBody = !["GET", "HEAD"].includes(req.method);
+    let body;
+    if (methodHasBody && req.body && typeof req.body === "object" && Object.keys(req.body).length > 0) {
+      body = JSON.stringify(req.body);
+      upstreamHeaders["content-type"] = "application/json";
+    }
+    const tags = buildTags({
+      user_id: user.id,
+      role_id: user.role?.id,
+      project_id: project?.id,
+      user_name: user.email,
+      role_name: user.role?.name,
+      project_name: project?.name
+    });
+    if (tags?.length) {
+      upstreamHeaders["x-litellm-tags"] = tags.join(",");
+      upstreamHeaders["x-litellm-spend-logs-metadata"] = JSON.stringify({
+        user_id: user.id,
+        role_id: user.role?.id,
+        project_id: project?.id || "DEFAULT",
+        user_name: user.email,
+        role_name: user.role?.name,
+        project_name: project?.name
+      });
+    }
+    console.log("[EXULU] Built tags", tags);
+    const taggedFetch = createTaggedFetch(tags);
+    try {
+      const upstream = await taggedFetch(upstreamUrl, {
+        method: req.method,
+        headers: upstreamHeaders,
+        body
+      });
+      res.status(upstream.status);
+      upstream.headers.forEach((value, name) => {
+        const lower = name.toLowerCase();
+        if (lower === "content-encoding" || lower === "content-length" || lower === "transfer-encoding" || lower === "connection")
           return;
+        res.setHeader(name, value);
+      });
+      if (!upstream.body) {
+        res.end();
+        return;
+      }
+      const reader = upstream.body.getReader();
+      try {
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          if (value) res.write(value);
         }
-        if (variable.encrypted) {
-          const bytes = CryptoJS5.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
-          anthropicApiKey = bytes.toString(CryptoJS5.enc.Utf8);
-        }
-        const headers = {
-          "x-api-key": anthropicApiKey,
-          "anthropic-version": "2023-06-01",
-          "content-type": req.headers["content-type"] || "application/json"
-        };
-        if (req.headers["accept"]) headers["accept"] = req.headers["accept"];
-        if (req.headers["user-agent"]) headers["user-agent"] = req.headers["user-agent"];
-        const client2 = new Anthropic({
-          apiKey: anthropicApiKey
+      } finally {
+        reader.releaseLock();
+      }
+      res.end();
+    } catch (err) {
+      console.error("[EXULU] /litellm proxy failed", err);
+      if (!res.headersSent) {
+        res.status(502).json({
+          detail: err instanceof Error ? err.message : "LiteLLM proxy failed."
         });
-        const tokens = {};
-        const disabledTools = req.body.disabledTools ? req.body.disabledTools : [];
-        let enabledTools = await getEnabledTools(
-          agent,
-          tools,
-          contexts || [],
-          rerankers || [],
-          disabledTools,
-          providers,
-          user
-        );
-        const customInstructions = req.body.customInstructions ? typeof req.body.customInstructions === "string" ? req.body.customInstructions : JSON.stringify(req.body.customInstructions) : "";
-        const agentInstructions = customInstructions ? `${agent?.instructions}
-
-${customInstructions}` : agent?.instructions;
-        let system = req.body.system;
-        if (Array.isArray(req.body.system)) {
-          system = [
-            ...req.body.system,
-            ...agent ? [
-              {
-                type: "text",
-                text: `
-                            You are an agent named: ${agent?.name}
-                            Here are some additional instructions for you: ${agentInstructions}`
-              }
-            ] : [],
-            ...project ? [
-              {
-                type: "text",
-                text: `Additional information:
-
-                            The project you are working on is: ${project?.name}
-                            Here is some additional information about the project: ${project?.description}`
-              }
-            ] : []
-          ];
-        } else {
-          system = `${req.body.system}
-
-
-                ${agent ? `You are an agent named: ${agent?.name}
-                Here are some additional instructions for you: ${agentInstructions}` : ""}
-
-                ${project?.id ? `Additional information:
-
-                The project you are working on is: ${project?.name}
-                The project description is: ${project?.description}` : ""}
-                `;
-        }
-        for await (const event of client2.messages.stream({
-          ...req.body,
-          system
-        })) {
-          if (event.message?.id) {
-            tokens[event.message.id] = {
-              input_tokens: event.message.usage.input_tokens,
-              cache_creation_input_tokens: event.message.usage.cache_creation_input_tokens,
-              cache_read_input_tokens: event.message.usage.cache_read_input_tokens,
-              output_tokens: event.message.usage.output_tokens
-            };
-          }
-          if (event.message?.type === "tool_use" && event.message?.name?.includes("exulu_")) {
-            const toolName = event.message?.name;
-            console.log("[EXULU] Using tool", toolName);
-            const inputs = event.message?.input;
-            const id = event.message?.id;
-            const tool = enabledTools.find(
-              (tool2) => tool2.id === toolName.replace("exulu_", "")
-            );
-            if (!tool || !tool.tool.execute) {
-              console.error("[EXULU] Tool not found or not enabled.", toolName);
-              continue;
-            }
-            const toolResult = await tool.tool.execute(inputs, {
-              toolCallId: id,
-              messages: [
-                {
-                  ...event.message,
-                  role: "tool"
-                }
-              ]
-            });
-            console.log("[EXULU] Tool result", toolResult);
-            const toolResultMessage = {
-              role: "user",
-              content: [
-                {
-                  type: "tool_result",
-                  tool_use_id: id,
-                  content: toolResult
-                }
-              ]
-            };
-            res.write(`event: tool_result
-data: ${JSON.stringify(toolResultMessage)}
-
-`);
-          } else {
-            const msg = `event: ${event.type}
-data: ${JSON.stringify(event)}
-
-`;
-            res.write(msg);
-          }
-        }
-        let totalInputTokens = 0;
-        let totalOutputTokens = 0;
-        for (const token of Object.values(tokens)) {
-          totalInputTokens += token.input_tokens;
-          totalOutputTokens += token.output_tokens;
-        }
-        const statistics = {
-          label: agent.name,
-          trigger: "agent"
-        };
-        await Promise.all([
-          updateStatistic({
-            name: "count",
-            label: statistics.label,
-            type: STATISTICS_TYPE_ENUM.AGENT_RUN,
-            trigger: statistics.trigger,
-            count: 1,
-            user: user.id,
-            role: user?.role?.id,
-            ...project ? { project: project.id } : {}
-          }),
-          ...totalInputTokens ? [
-            updateStatistic({
-              name: "inputTokens",
-              label: statistics.label,
-              type: STATISTICS_TYPE_ENUM.AGENT_RUN,
-              trigger: statistics.trigger,
-              count: totalInputTokens,
-              user: user.id,
-              role: user?.role?.id,
-              ...project ? { project: project.id } : {}
-            })
-          ] : [],
-          ...totalOutputTokens ? [
-            updateStatistic({
-              name: "outputTokens",
-              label: statistics.label,
-              type: STATISTICS_TYPE_ENUM.AGENT_RUN,
-              trigger: statistics.trigger,
-              count: totalInputTokens,
-              user: user.id,
-              role: user?.role?.id,
-              ...project ? { project: project.id } : {}
-            })
-          ] : []
-        ]);
-        res.write("event: done\ndata: [DONE]\n\n");
+      } else {
         res.end();
-      } catch (error) {
-        console.error("[PROXY] Manual proxy error:", error);
-        if (!res.headersSent) {
-          if (error?.message === "Invalid token") {
-            res.status(500).json({ error: "Authentication error, please check your IMP token and try again." });
-          } else {
-            res.status(500).json({ error: error.message });
-          }
-        }
       }
     }
-  );
+  });
+  if (config?.fileUploads && config?.fileUploads?.s3region && config?.fileUploads?.s3key && config?.fileUploads?.s3secret && config?.fileUploads?.s3Bucket) {
+    await createUppyRoutes(app, config);
+  } else {
+    console.log(
+      "[EXULU] skipping uppy file upload routes, because no S3 compatible region, key or secret is set in ExuluApp instance."
+    );
+  }
+  app.get("/config", async (req, res) => {
+    res.status(200).json({
+      message: "Config fetched successfully.",
+      config: {
+        workers: {
+          enabled: config?.workers?.enabled || false
+        }
+      }
+    });
+  });
+  app.use("/gateway/anthropic/:agent/:project", (req, res) => {
+    console.warn("[EXULU] DEPRECATED: Received a request to /gateway/anthropic/:agent/:project, this is a deprecated path and will be removed in a future version. Please use /litellm/:project instead.");
+    const suffix = req.url;
+    req.url = `/litellm/${encodeURIComponent(req.params.project)}${suffix}`;
+    app.handle(req, res);
+  });
   function buildFileTree(files, stripPrefix) {
     const root = { name: "/", path: "/", key: "", type: "folder", children: [] };
     for (const file of files) {
@@ -8513,13 +8734,139 @@ data: ${JSON.stringify(event)}
       }
     }
   );
-  app.use(express2.static("public"));
-  await registerOpenAIGatewayRoutes(app, providers, tools, contexts, config, rerankers);
-  return app;
-};
-function buildUnifiedDiff(fromLines, toLines, fromLabel, toLabel) {
-  function lcs(a, b) {
-    const m = a.length;
+  async function resolveTargetUser(req, res, opts) {
+    const authResult = await requestValidators.authenticate(req);
+    if (!authResult.user?.id) {
+      res.status(authResult.code ?? 401).json({ detail: authResult.message });
+      return null;
+    }
+    if (!authResult.user.super_admin) {
+      res.status(403).json({ detail: "Super admin access required." });
+      return null;
+    }
+    const targetId = Number.parseInt(req.params.id ?? "", 10);
+    if (!Number.isFinite(targetId)) {
+      res.status(400).json({ detail: "Invalid user id." });
+      return null;
+    }
+    if (!opts.allowSelf && targetId === authResult.user.id) {
+      res.status(403).json({ detail: "Super admins cannot delete their own account." });
+      return null;
+    }
+    const { db } = await postgresClient();
+    const targetUser = await db.from("users").where({ id: targetId }).first();
+    if (!targetUser) {
+      res.status(404).json({ detail: "User not found." });
+      return null;
+    }
+    return { targetUser, db };
+  }
+  app.get("/users/:id/data-export", async (req, res) => {
+    const resolved = await resolveTargetUser(req, res, { allowSelf: true });
+    if (!resolved) return;
+    const { targetUser, db } = resolved;
+    try {
+      const role = targetUser.role ? await db.from("roles").where({ id: targetUser.role }).first() : null;
+      const userExport = { ...targetUser, role: role ?? targetUser.role };
+      delete userExport.password;
+      delete userExport.apikey;
+      delete userExport.temporary_token;
+      delete userExport.anthropic_token;
+      const sessions = await db.from("agent_sessions").where({ user: targetUser.id });
+      const sessionIds = sessions.map((s) => s.id);
+      const messages = sessionIds.length ? await db.from("agent_messages").whereIn("session", sessionIds).orderBy("createdAt", "asc") : [];
+      const messagesBySession = /* @__PURE__ */ new Map();
+      for (const m of messages) {
+        const list = messagesBySession.get(m.session) ?? [];
+        list.push(m);
+        messagesBySession.set(m.session, list);
+      }
+      const sessionsWithMessages = sessions.map((s) => ({
+        ...s,
+        messages: messagesBySession.get(s.id) ?? []
+      }));
+      const [feedback, promptFavorites, tracking] = await Promise.all([
+        db.from("feedback").where({ user: targetUser.id }).catch(() => []),
+        db.from("prompt_favorites").where({ user_id: targetUser.id }).catch(() => []),
+        db.from("tracking").where({ user: targetUser.id }).catch(() => [])
+      ]);
+      const exportedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const readme = [
+        `Exulu user data export`,
+        ``,
+        `User id: ${targetUser.id}`,
+        `Exported at: ${exportedAt}`,
+        ``,
+        `This archive contains the personal data Exulu holds for the user`,
+        `referenced above, provided in fulfilment of DSGVO Art. 15`,
+        `(Recht auf Auskunft / GDPR right of access).`,
+        ``,
+        `Files:`,
+        `  - user_data.json        account row (password/api-key hashes stripped)`,
+        `  - sessions.json         chat sessions with messages inlined`,
+        `  - feedback.json         feedback the user submitted`,
+        `  - prompt_favorites.json prompt-library favourites`,
+        `  - tracking.json         tracking events linked to the user`,
+        ``
+      ].join("\n");
+      const zip = new JSZip2();
+      zip.file("README.txt", readme);
+      zip.file("user_data.json", JSON.stringify(userExport, null, 2));
+      zip.file("sessions.json", JSON.stringify(sessionsWithMessages, null, 2));
+      zip.file("feedback.json", JSON.stringify(feedback, null, 2));
+      zip.file(
+        "prompt_favorites.json",
+        JSON.stringify(promptFavorites, null, 2)
+      );
+      zip.file("tracking.json", JSON.stringify(tracking, null, 2));
+      const buffer = await zip.generateAsync({ type: "nodebuffer" });
+      const filename = `user-${targetUser.id}-export-${exportedAt.replace(/[:.]/g, "-")}.zip`;
+      res.setHeader("Content-Type", "application/zip");
+      res.setHeader(
+        "Content-Disposition",
+        `attachment; filename="${filename}"`
+      );
+      res.send(buffer);
+    } catch (err) {
+      console.error("[GDPR] Failed to build data export", err);
+      res.status(500).json({ detail: "Failed to build data export." });
+    }
+  });
+  app.delete("/users/:id", async (req, res) => {
+    const resolved = await resolveTargetUser(req, res, { allowSelf: false });
+    if (!resolved) return;
+    const { targetUser, db } = resolved;
+    try {
+      await db.transaction(async (trx) => {
+        await trx("agent_messages").where({ user: targetUser.id }).delete();
+        await trx("agent_sessions").where({ user: targetUser.id }).delete();
+        await trx("feedback").where({ user: targetUser.id }).delete();
+        await trx("prompt_favorites").where({ user_id: targetUser.id }).delete();
+        await trx("tracking").where({ user: targetUser.id }).delete();
+        await trx("rbac").where({ user_id: targetUser.id }).delete();
+        await trx("users").where({ id: targetUser.id }).delete();
+      });
+    } catch (err) {
+      console.error("[GDPR] Failed to delete user", err);
+      res.status(500).json({ detail: "Failed to delete user." });
+      return;
+    }
+    try {
+      const prefix = `user_${targetUser.id}/`;
+      const files = await listS3ObjectsByPrefix(prefix, config);
+      await Promise.all(files.map((f) => deleteS3Object(f.key, config)));
+    } catch (err) {
+      console.error("[GDPR] DB delete succeeded but S3 cleanup failed", err);
+    }
+    res.status(204).send();
+  });
+  app.use(express2.static("public"));
+  await registerOpenAIGatewayRoutes(app, providers, tools, contexts, config, rerankers);
+  return app;
+};
+function buildUnifiedDiff(fromLines, toLines, fromLabel, toLabel) {
+  function lcs(a, b) {
+    const m = a.length;
     const n = b.length;
     const dp = Array.from({ length: m + 1 }, () => new Array(n + 1).fill(0));
     for (let i = 1; i <= m; i++) {
@@ -8577,20 +8924,6 @@ function buildUnifiedDiff(fromLines, toLines, fromLabel, toLabel) {
   }
   return lines.join("\n");
 }
-var createCustomAnthropicStreamingMessage = (message) => {
-  const responseData = {
-    type: "message",
-    content: [
-      {
-        type: "text",
-        text: message
-      }
-    ]
-  };
-  const jsonString = JSON.stringify(responseData);
-  const arrayBuffer = new TextEncoder().encode(jsonString).buffer;
-  return arrayBuffer;
-};
 
 // src/mcp/index.ts
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
@@ -8599,8 +8932,7 @@ import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/
 import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
 import "express";
 import "@opentelemetry/api";
-import CryptoJS6 from "crypto-js";
-import { z as z2 } from "zod";
+import { z as z3 } from "zod";
 var SESSION_ID_HEADER = "mcp-session-id";
 var ExuluMCP = class {
   server = {};
@@ -8638,61 +8970,53 @@ var ExuluMCP = class {
       allProviders,
       user
     );
-    const provider = allProviders.find((a) => a.id === agent.provider);
-    if (!provider) {
+    if (!agent.model) {
       throw new Error(
-        "Agent provider not found for agent " + agent.name + " (" + agent.id + ")."
+        "Agent has no model configured for agent " + agent.name + " (" + agent.id + ")."
       );
     }
-    const agentTool = await provider.tool(agent.id, allProviders, allContexts, allRerankers);
-    if (agentTool) {
-      enabledTools = [...enabledTools, agentTool];
-    }
-    const variableName = agent.providerapikey;
-    const { db } = await postgresClient();
-    let providerapikey;
-    if (variableName) {
-      const variable = await db.from("variables").where({ name: variableName }).first();
-      if (!variable) {
-        throw new Error(
-          "Provider API key variable not found for " + agent.name + " (" + agent.id + ")."
-        );
-      }
-      providerapikey = variable.value;
-      if (!variable.encrypted) {
-        throw new Error(
-          "Provider API key variable not encrypted, for security reasons you are only allowed to use encrypted variables for provider API keys."
-        );
-      }
-      if (variable.encrypted) {
-        const bytes = CryptoJS6.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
-        providerapikey = bytes.toString(CryptoJS6.enc.Utf8);
+    const resolved = await resolveModel({
+      modelId: agent.model,
+      user,
+      providers: allProviders,
+      agent: { id: agent.id }
+    });
+    const providerapikey = resolved.apiKey;
+    if (!isLiteLLMEnabled()) {
+      const agentTool = await resolved.exuluProvider.tool(
+        agent.id,
+        allProviders,
+        allContexts,
+        allRerankers
+      );
+      if (agentTool) {
+        enabledTools = [...enabledTools, agentTool];
       }
     }
     console.log(
       "[EXULU] Enabled tools",
       enabledTools?.map((x) => x.name + " (" + x.id + ")")
     );
-    for (const tool of enabledTools || []) {
-      if (server.tools[tool.id]) {
+    for (const tool2 of enabledTools || []) {
+      if (server.tools[tool2.id]) {
         continue;
       }
       server.mcp.registerTool(
-        sanitizeToolName(tool.name + "_agent_" + tool.id),
+        sanitizeToolName(tool2.name + "_agent_" + tool2.id),
         {
-          title: tool.name + " agent",
-          description: tool.description,
+          title: tool2.name + " agent",
+          description: tool2.description,
           inputSchema: {
-            inputs: tool.inputSchema || z2.object({})
+            inputs: tool2.inputSchema || z3.object({})
           }
         },
         async ({ inputs }, args) => {
-          console.log("[EXULU] MCP tool name", tool.name);
+          console.log("[EXULU] MCP tool name", tool2.name);
           console.log("[EXULU] MCP tool inputs", inputs);
           console.log("[EXULU] MCP tool args", args);
           const configValues = agent.tools;
           const tools = await convertExuluToolsToAiSdkTools(
-            [tool],
+            [tool2],
             [],
             [],
             allTools,
@@ -8706,13 +9030,13 @@ var ExuluMCP = class {
             void 0,
             void 0
           );
-          const convertedTool = tools[sanitizeToolName(tool.name)];
+          const convertedTool = tools[sanitizeToolName(tool2.name)];
           if (!convertedTool?.execute) {
             console.error("[EXULU] Tool not found in converted tools array.", tools);
             throw new Error("Tool not found in converted tools array.");
           }
           const iterator = await convertedTool.execute(inputs, {
-            toolCallId: tool.id + "_" + randomUUID3(),
+            toolCallId: tool2.id + "_" + randomUUID3(),
             messages: []
           });
           let result;
@@ -8726,7 +9050,7 @@ var ExuluMCP = class {
           };
         }
       );
-      server.tools[tool.id] = tool.name;
+      server.tools[tool2.id] = tool2.name;
     }
     const getListOfPromptTemplatesName = "getListOfPromptTemplates";
     if (!server.tools[getListOfPromptTemplatesName]) {
@@ -8736,13 +9060,13 @@ var ExuluMCP = class {
           title: "Get List of Prompt Templates",
           description: "Retrieves a list of prompt templates available for this agent. Returns the name, description, and ID of each template.",
           inputSchema: {
-            inputs: z2.object({})
+            inputs: z3.object({})
           }
         },
         async ({ inputs }, args) => {
           console.log("[EXULU] Getting list of prompt templates for agent", agent.id);
-          const { db: db2 } = await postgresClient();
-          const prompts = await db2.from("prompt_library").select("id", "name", "description").whereRaw("assigned_agents @> ?::jsonb", [JSON.stringify(agent.id)]).orderBy("updatedAt", "desc");
+          const { db } = await postgresClient();
+          const prompts = await db.from("prompt_library").select("id", "name", "description").whereRaw("assigned_agents @> ?::jsonb", [JSON.stringify(agent.id)]).orderBy("updatedAt", "desc");
           console.log("[EXULU] Found", prompts.length, "prompt templates");
           return {
             content: [
@@ -8782,15 +9106,15 @@ var ExuluMCP = class {
           title: "Get Prompt Template Details",
           description: "Retrieves the full details of a specific prompt template by ID, including the actual template content with variables.",
           inputSchema: {
-            inputs: z2.object({
-              id: z2.string().describe("The ID of the prompt template to retrieve")
+            inputs: z3.object({
+              id: z3.string().describe("The ID of the prompt template to retrieve")
             })
           }
         },
         async ({ inputs }, args) => {
           console.log("[EXULU] Getting prompt template details for ID", inputs.id);
-          const { db: db2 } = await postgresClient();
-          const prompt = await db2.from("prompt_library").select(
+          const { db } = await postgresClient();
+          const prompt = await db.from("prompt_library").select(
             "id",
             "name",
             "description",
@@ -8803,7 +9127,7 @@ var ExuluMCP = class {
           if (!prompt) {
             throw new Error(`Prompt template with ID ${inputs.id} not found`);
           }
-          const isAssignedToAgent = await db2.from("prompt_library").select("id").where({ id: inputs.id }).whereRaw("assigned_agents @> ?::jsonb", [JSON.stringify(agent.id)]).first();
+          const isAssignedToAgent = await db.from("prompt_library").select("id").where({ id: inputs.id }).whereRaw("assigned_agents @> ?::jsonb", [JSON.stringify(agent.id)]).first();
           console.log("[EXULU] Prompt template found:", prompt.name);
           return {
             content: [
@@ -9886,7 +10210,7 @@ var ExuluEval = class {
 };
 
 // src/templates/evals/index.ts
-import { z as z3 } from "zod";
+import { z as z4 } from "zod";
 var llmAsJudgeEval = () => {
   if (process.env.REDIS_HOST?.length && process.env.REDIS_PORT?.length) {
     return new ExuluEval({
@@ -9919,21 +10243,28 @@ var llmAsJudgeEval = () => {
         }
         prompt = prompt.replace("{actual_output}", lastMessage);
         prompt = prompt.replace("{expected_output}", testCase.expected_output);
-        if (!agent.providerapikey) {
+        if (!agent.model) {
           throw new Error(
-            `Provider API key for agent ${agent.name} is required, variable name is ${agent.providerapikey} but it is not set.`
+            `Agent ${agent.name} has no model configured (required for llm-as-judge eval).`
           );
         }
-        const providerapikey = await ExuluVariables.get(agent.providerapikey);
+        const resolved = await resolveModel({
+          modelId: agent.model,
+          providers: exuluApp.get().providers,
+          agent: { id: agent.id },
+          rbacBypass: true
+        });
+        const providerapikey = resolved.apiKey;
         console.log("[EXULU] prompt", prompt);
         const response = await provider.generateSync({
           agent,
           contexts: [],
           rerankers: [],
           prompt,
-          outputSchema: z3.object({
-            score: z3.number().min(0).max(100).describe("The score between 0 and 100.")
+          outputSchema: z4.object({
+            score: z4.number().min(0).max(100).describe("The score between 0 and 100.")
           }),
+          languageModel: resolved.languageModel,
           providerapikey
         });
         console.log("[EXULU] response", response);
@@ -10160,12 +10491,12 @@ Usage:
 - If no todos exist yet, an empty list will be returned`;
 
 // src/templates/tools/todo/todo.ts
-import z4 from "zod";
-var TodoSchema = z4.object({
-  content: z4.string().describe("Brief description of the task"),
-  status: z4.string().describe("Current status of the task: pending, in_progress, completed, cancelled"),
-  priority: z4.string().describe("Priority level of the task: high, medium, low"),
-  id: z4.string().describe("Unique identifier for the todo item")
+import z5 from "zod";
+var TodoSchema = z5.object({
+  content: z5.string().describe("Brief description of the task"),
+  status: z5.string().describe("Current status of the task: pending, in_progress, completed, cancelled"),
+  priority: z5.string().describe("Priority level of the task: high, medium, low"),
+  id: z5.string().describe("Unique identifier for the todo item")
 });
 var TodoWriteTool = new ExuluTool({
   id: "todo_write",
@@ -10181,8 +10512,8 @@ var TodoWriteTool = new ExuluTool({
       default: todowrite_default
     }
   ],
-  inputSchema: z4.object({
-    todos: z4.array(TodoSchema).describe("The updated todo list")
+  inputSchema: z5.object({
+    todos: z5.array(TodoSchema).describe("The updated todo list")
   }),
   execute: async (inputs) => {
     const { sessionID, todos, user } = inputs;
@@ -10217,7 +10548,7 @@ var TodoReadTool = new ExuluTool({
   id: "todo_read",
   name: "Todo Read",
   description: "Use this tool to read your todo list",
-  inputSchema: z4.object({}),
+  inputSchema: z5.object({}),
   type: "function",
   category: "todo",
   config: [
@@ -10259,7 +10590,7 @@ var todoTools = [TodoWriteTool, TodoReadTool];
 var questionread_default = 'Use this tool to read questions you\'ve asked and check if they\'ve been answered by the user. This tool helps you track the status of questions and retrieve the user\'s selected answers.\n\n## When to Use This Tool\n\nUse this tool proactively in these situations:\n- After asking a question to check if the user has responded\n- To retrieve the user\'s answer before proceeding with implementation\n- To review all questions and answers in the current session\n- When you need to reference a previous answer\n\n## How It Works\n\n- This tool takes no parameters (leave the input blank or empty)\n- Returns an array of all questions in the session\n- Each question includes:\n  - `id`: Unique identifier for the question\n  - `question`: The question text\n  - `answerOptions`: Array of answer options with their IDs and text\n  - `status`: Either "pending" (not answered) or "answered"\n  - `selectedAnswerId`: The ID of the chosen answer (only present if answered)\n\n## Usage Pattern\n\nTypically you\'ll:\n1. Use Question Ask to pose a question\n2. Wait for the user to respond\n3. Use Question Read to check the answer\n4. Find the selected answer by matching the `selectedAnswerId` with an option in `answerOptions`\n5. Proceed with implementation based on the user\'s choice\n\n## Example Response\n\n```json\n[\n  {\n    "id": "question123",\n    "question": "Which authentication method would you like to implement?",\n    "answerOptions": [\n      { "id": "ans1", "text": "JWT tokens" },\n      { "id": "ans2", "text": "OAuth 2.0" },\n      { "id": "ans3", "text": "Session-based auth" },\n      { "id": "ans4", "text": "None of the above..." }\n    ],\n    "status": "answered",\n    "selectedAnswerId": "ans1"\n  }\n]\n```\n\nIn this example, the user selected "JWT tokens" (id: ans1).\n\n## Important Notes\n\n- If no questions exist in the session, an empty array will be returned\n- Questions remain in the session even after being answered for reference\n- Use the `selectedAnswerId` to find which answer option the user chose by matching it against the `id` field in `answerOptions`\n';
 
 // src/templates/tools/question/question.ts
-import z6 from "zod";
+import z7 from "zod";
 
 // src/templates/tools/question/questionask.txt
 var questionask_default = `Use this tool to ask the user a question with multiple choice answer options during your session. This helps you gather user input, clarify requirements, and make informed decisions based on user preferences.
@@ -10346,18 +10677,18 @@ After asking a question, use the Question Read tool to check if the user has ans
 `;
 
 // src/templates/tools/question/question-ask.ts
-import z5 from "zod";
+import z6 from "zod";
 import { randomUUID as randomUUID4 } from "crypto";
-var AnswerOptionSchema = z5.object({
-  id: z5.string().describe("Unique identifier for the answer option"),
-  text: z5.string().describe("The text of the answer option")
+var AnswerOptionSchema = z6.object({
+  id: z6.string().describe("Unique identifier for the answer option"),
+  text: z6.string().describe("The text of the answer option")
 });
-var _QuestionSchema = z5.object({
-  id: z5.string().describe("Unique identifier for the question"),
-  question: z5.string().describe("The question to ask the user"),
-  answerOptions: z5.array(AnswerOptionSchema).describe("Array of possible answer options"),
-  selectedAnswerId: z5.string().optional().describe("The ID of the answer option selected by the user"),
-  status: z5.enum(["pending", "answered"]).describe("Status of the question: pending or answered")
+var _QuestionSchema = z6.object({
+  id: z6.string().describe("Unique identifier for the question"),
+  question: z6.string().describe("The question to ask the user"),
+  answerOptions: z6.array(AnswerOptionSchema).describe("Array of possible answer options"),
+  selectedAnswerId: z6.string().optional().describe("The ID of the answer option selected by the user"),
+  status: z6.enum(["pending", "answered"]).describe("Status of the question: pending or answered")
 });
 var QuestionAskTool = new ExuluTool({
   id: "question_ask",
@@ -10374,9 +10705,9 @@ var QuestionAskTool = new ExuluTool({
       default: questionask_default
     }
   ],
-  inputSchema: z5.object({
-    question: z5.string().describe("The question to ask the user"),
-    answerOptions: z5.array(z5.string()).describe("Array of possible answer options (strings)")
+  inputSchema: z6.object({
+    question: z6.string().describe("The question to ask the user"),
+    answerOptions: z6.array(z6.string()).describe("Array of possible answer options (strings)")
   }),
   execute: async (inputs) => {
     const { sessionID, question, answerOptions, user } = inputs;
@@ -10449,7 +10780,7 @@ var QuestionReadTool = new ExuluTool({
   name: "Question Read",
   needsApproval: false,
   description: "Use this tool to read questions and their answers",
-  inputSchema: z6.object({}),
+  inputSchema: z7.object({}),
   type: "function",
   category: "question",
   config: [
@@ -10479,15 +10810,15 @@ async function getQuestions(sessionID) {
 var questionTools = [QuestionAskTool, QuestionReadTool];
 
 // src/templates/tools/perplexity.ts
-import z7 from "zod";
+import z8 from "zod";
 import Perplexity from "@perplexity-ai/perplexity_ai";
 var internetSearchTool = new ExuluTool({
   id: "internet_search",
   name: "Internet Search",
   description: "Search the internet for information.",
-  inputSchema: z7.object({
-    query: z7.string().describe("The query to the tool."),
-    search_recency_filter: z7.enum(["day", "week", "month", "year"]).optional().describe("The recency filter for the search, can be day, week, month or year.")
+  inputSchema: z8.object({
+    query: z8.string().describe("The query to the tool."),
+    search_recency_filter: z8.enum(["day", "week", "month", "year"]).optional().describe("The recency filter for the search, can be day, week, month or year.")
   }),
   category: "internet_search",
   type: "web_search",
@@ -10565,121 +10896,531 @@ var internetSearchTool = new ExuluTool({
       } catch (error) {
         if (error instanceof Perplexity.RateLimitError && attempt < maxRetries - 1) {
           const delay = Math.pow(2, attempt) * 1e3 + Math.random() * 1e3;
-          await new Promise((resolve3) => setTimeout(resolve3, delay));
+          await new Promise((resolve4) => setTimeout(resolve4, delay));
           continue;
         }
         throw error;
       }
     }
     return {
-      result: "Max retries exceeded for perplexity research for query."
+      result: "Max retries exceeded for perplexity research for query."
+    };
+  }
+});
+var perplexityTools = [internetSearchTool];
+
+// src/templates/tools/email.ts
+import * as nodemailer from "nodemailer";
+import { z as z9 } from "zod";
+var transporter = null;
+function getTransporter(config) {
+  if (!transporter) {
+    transporter = nodemailer.createTransport(config);
+  }
+  return transporter;
+}
+async function sendEmail(recipient, subject, html, text, config) {
+  const transport = getTransporter(config);
+  html = html.trim();
+  text = text.trim();
+  await transport.sendMail({
+    from: config.from,
+    to: recipient,
+    subject,
+    text,
+    html
+  });
+}
+var emailTool = new ExuluTool({
+  id: "email",
+  name: "Email",
+  description: "Send an email.",
+  inputSchema: z9.object({
+    recipient: z9.string().describe("The recipient of the email."),
+    subject: z9.string().describe("The subject of the email."),
+    html: z9.string().describe("The HTML body of the email."),
+    text: z9.string().describe("The text body of the email.")
+  }),
+  type: "function",
+  config: [{
+    name: "smtp_host",
+    description: "The SMTP host to send the email from.",
+    type: "variable",
+    default: void 0
+  }, {
+    name: "smtp_port",
+    description: "The SMTP port to send the email from.",
+    type: "variable",
+    default: void 0
+  }, {
+    name: "smtp_user",
+    description: "The SMTP user to send the email from.",
+    type: "variable",
+    default: void 0
+  }, {
+    name: "smtp_password",
+    description: "The SMTP password to send the email from.",
+    type: "variable",
+    default: void 0
+  }, {
+    name: "smtp_from",
+    description: "The SMTP from address to send the email from.",
+    type: "variable",
+    default: void 0
+  }, {
+    name: "allowed_recipient_domains",
+    description: "A comma seperated list of allowed recipient domains to send emails to.",
+    type: "string",
+    default: void 0
+  }],
+  execute: async ({ recipient, subject, html, text, toolVariablesConfig }) => {
+    const EMAIL_CONFIG = {
+      host: toolVariablesConfig.smtp_host || process.env.SMTP_HOST || "",
+      port: parseInt(toolVariablesConfig.smtp_port || process.env.SMTP_PORT || "587", 10),
+      secure: toolVariablesConfig.smtp_secure === "true" || process.env.SMTP_SECURE === "true",
+      // true for 465, false for other ports
+      auth: {
+        user: toolVariablesConfig.smtp_user || process.env.SMTP_USER || "",
+        pass: toolVariablesConfig.smtp_password || process.env.SMTP_PASSWORD || ""
+      },
+      from: toolVariablesConfig.smtp_from || process.env.SMTP_FROM || "",
+      // Allow self-signed certificates if SMTP_REJECT_UNAUTHORIZED is set to 'false'
+      tls: {
+        rejectUnauthorized: false
+      }
+    };
+    if (toolVariablesConfig.allowed_recipient_domains) {
+      const allowedRecipientDomains = toolVariablesConfig.allowed_recipient_domains.split(",");
+      if (!allowedRecipientDomains.some((domain) => recipient.endsWith(`@${domain}`))) {
+        return {
+          result: "Recipient domain not allowed to send emails to."
+        };
+      }
+    }
+    await sendEmail(recipient, subject, html, text, EMAIL_CONFIG);
+    return {
+      result: "Email sent successfully to " + recipient + " with subject " + subject + "."
+    };
+  }
+});
+
+// src/templates/tools/transcribe.ts
+import { randomUUID as randomUUID5 } from "crypto";
+import { mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
+import { dirname, join as join2 } from "path";
+import { z as z10 } from "zod";
+var SANDBOX_ROOT = "/tmp/exulu-sessions";
+var parseSandboxPath = (input) => {
+  const stripped = input.startsWith("file://") ? input.slice("file://".length) : input;
+  if (!stripped.startsWith(`${SANDBOX_ROOT}/`)) return null;
+  const tail = stripped.slice(SANDBOX_ROOT.length + 1);
+  const slash = tail.indexOf("/");
+  if (slash < 1) return null;
+  const sessionId = tail.slice(0, slash);
+  const relPath = tail.slice(slash + 1);
+  if (!relPath) return null;
+  return { sessionId, relPath };
+};
+var audioMimetypeFromExtension = (filename) => {
+  const ext = filename.split(".").pop()?.toLowerCase();
+  switch (ext) {
+    case "mp3":
+      return "audio/mpeg";
+    case "m4a":
+    case "mp4":
+      return "audio/mp4";
+    case "wav":
+      return "audio/wav";
+    case "ogg":
+    case "oga":
+      return "audio/ogg";
+    case "flac":
+      return "audio/flac";
+    case "webm":
+      return "audio/webm";
+    case "aac":
+      return "audio/aac";
+    case "mpga":
+    case "mpeg":
+      return "audio/mpeg";
+    default:
+      throw new Error(
+        `Unable to infer an audio mimetype from filename "${filename}". Supported extensions: mp3, m4a, mp4, wav, ogg, flac, webm, aac, mpga.`
+      );
+  }
+};
+var transcribeTool = new ExuluTool({
+  id: "transcribe_audio",
+  name: "Transcribe Audio",
+  description: "Transcribe an audio file (mp3, wav, m4a, etc.) from a URL to text using the configured speech-to-text model. The transcript is stored as a .txt file on S3 and the URL is returned; use this for clips that may be too long to inline in the conversation.",
+  inputSchema: z10.object({
+    audio_url: z10.string().describe(
+      "Location of the audio file to transcribe. Accepts a publicly fetchable URL (https URL or presigned S3 URL), or a sandbox path such as '/tmp/exulu-sessions/<sessionId>/<file>' or 'file:///tmp/exulu-sessions/<sessionId>/<file>' \u2014 sandbox paths are resolved to their persisted S3 copy."
+    ),
+    language: z10.string().optional().describe(
+      "ISO-639-1 language code of the audio, e.g. 'en' or 'de'. Omit to let the model auto-detect."
+    )
+  }),
+  type: "function",
+  config: [{
+    name: "default_language",
+    description: "ISO-639-1 language code of the audio, e.g. 'en' or 'de'. Omit to let the model auto-detect.",
+    type: "string",
+    default: void 0
+  }],
+  execute: async ({ audio_url, language, user, exuluConfig, sessionID }) => {
+    if (!language && exuluConfig?.default_language) {
+      language = exuluConfig?.default_language;
+    } else {
+      language = "en";
+    }
+    language = exuluConfig?.default_language;
+    console.log("[EXULU] Exulu config", exuluConfig);
+    if (!isLiteLLMEnabled()) {
+      console.error("[EXULU] Speech-to-text is not enabled on this deployment (EXULU_USE_LITELLM is not 'true').");
+      throw new Error(
+        "Speech-to-text is not enabled on this deployment (EXULU_USE_LITELLM is not 'true')."
+      );
+    }
+    if (!process.env.TRANSCRIPTION_MODEL) {
+      console.error("[EXULU] TRANSCRIPTION_MODEL env var is not set.");
+      throw new Error("TRANSCRIPTION_MODEL env var is not set.");
+    }
+    if (!exuluConfig?.fileUploads) {
+      console.error("[EXULU] File uploads are not configured; the transcribe tool requires S3 to store transcripts.");
+      throw new Error(
+        "File uploads are not configured; the transcribe tool requires S3 to store transcripts."
+      );
+    }
+    const sandboxPath = parseSandboxPath(audio_url);
+    let buffer;
+    let mimetype;
+    let originalname;
+    if (sandboxPath) {
+      if (!user?.id) {
+        throw new Error(
+          "Sandbox audio paths require an authenticated user; got no user on the tool call."
+        );
+      }
+      if (sessionID && sandboxPath.sessionId !== sessionID) {
+        throw new Error(
+          `Refusing to transcribe an audio file from a different session's sandbox (path session=${sandboxPath.sessionId}, current session=${sessionID}).`
+        );
+      }
+      const rawKey = `user_${user.id}/sessions/${sandboxPath.sessionId}/${sandboxPath.relPath}`;
+      console.log("[EXULU] Transcribing audio from sandbox path", {
+        rawKey
+      });
+      const matches = await listS3ObjectsByPrefix(rawKey, exuluConfig);
+      const found = matches.find((m) => m.key.endsWith(rawKey));
+      if (!found) {
+        console.error("[EXULU] Sandbox audio file not found in S3 storage at", {
+          rawKey,
+          matches
+        });
+        throw new Error(
+          `Sandbox audio file not found in S3 storage at "${rawKey}". The file may not have been persisted yet \u2014 try again after the sandbox flushes it.`
+        );
+      }
+      buffer = await getS3ObjectBytes(found.key, exuluConfig);
+      originalname = decodeURIComponent(
+        sandboxPath.relPath.split("/").pop() || "audio"
+      );
+      mimetype = audioMimetypeFromExtension(originalname);
+    } else {
+      console.log("[EXULU] Fetching audio from URL", {
+        audio_url
+      });
+      const upstream = await fetch(audio_url);
+      if (!upstream.ok) {
+        console.error("[EXULU] Failed to fetch audio from", {
+          audio_url,
+          upstream
+        });
+        throw new Error(
+          `Failed to fetch audio from ${audio_url}: ${upstream.status} ${upstream.statusText}`
+        );
+      }
+      mimetype = upstream.headers.get("content-type") || "audio/mpeg";
+      if (!mimetype.startsWith("audio/")) {
+        throw new Error(
+          `URL did not return an audio file (content-type: ${mimetype}).`
+        );
+      }
+      buffer = Buffer.from(await upstream.arrayBuffer());
+      originalname = "audio";
+      try {
+        const pathname = new URL(audio_url).pathname;
+        const last = pathname.split("/").pop();
+        if (last) originalname = decodeURIComponent(last);
+      } catch {
+      }
+    }
+    const { text } = await transcribeAudio({
+      file: { buffer, originalname, mimetype },
+      language
+    });
+    const transcriptBuffer = Buffer.from(text, "utf-8");
+    const transcriptFilename = `${randomUUID5()}.txt`;
+    const transcriptKey = sessionID ? `sessions/${sessionID}/transcripts/${transcriptFilename}` : `transcripts/${transcriptFilename}`;
+    console.log("[EXULU] Uploading transcript to S3", {
+      transcriptFilename,
+      transcriptKey
+    });
+    const url = await uploadFile(
+      transcriptBuffer,
+      transcriptKey,
+      exuluConfig,
+      { contentType: "text/plain" },
+      user?.id
+    );
+    console.log("[EXULU] Uploaded transcript to S3", {
+      url
+    });
+    let sandboxLocalPath;
+    if (sessionID) {
+      sandboxLocalPath = join2(
+        SANDBOX_ROOT,
+        sessionID,
+        "transcripts",
+        transcriptFilename
+      );
+      console.log("[EXULU] Mirroring transcript into session sandbox", {
+        sandboxLocalPath
+      });
+      try {
+        await mkdir2(dirname(sandboxLocalPath), { recursive: true });
+        await writeFile2(sandboxLocalPath, transcriptBuffer);
+      } catch (err) {
+        console.error(
+          `[EXULU] Failed to write transcript to sandbox dir ${sandboxLocalPath}; S3 copy is unaffected.`,
+          err
+        );
+        sandboxLocalPath = void 0;
+      }
+    }
+    console.log("[EXULU] Transcribed audio successfully", {
+      text,
+      url,
+      sandboxLocalPath,
+      length: text.length
+    });
+    return {
+      result: sandboxLocalPath ? `Transcript stored at: ${url} (also available in the session sandbox at ${sandboxLocalPath}, ${text.length} characters).` : `${url}`
+    };
+  }
+});
+
+// src/validators/postgres-name.ts
+var isValidPostgresName = (id) => {
+  const regex = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+  const isValid = regex.test(id);
+  const length = id.length;
+  return isValid && length <= 80 && length > 2;
+};
+
+// src/utils/python-setup.ts
+import { exec as exec2 } from "child_process";
+import { promisify as promisify2 } from "util";
+import { resolve, join as join3, dirname as dirname2 } from "path";
+import { existsSync as existsSync2, readFileSync } from "fs";
+import { fileURLToPath } from "url";
+var execAsync2 = promisify2(exec2);
+function getPackageRoot() {
+  const currentFile = fileURLToPath(import.meta.url);
+  let currentDir = dirname2(currentFile);
+  let attempts = 0;
+  const maxAttempts = 10;
+  while (attempts < maxAttempts) {
+    const packageJsonPath = join3(currentDir, "package.json");
+    if (existsSync2(packageJsonPath)) {
+      try {
+        const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
+        if (packageJson.name === "@exulu/backend") {
+          return currentDir;
+        }
+      } catch {
+      }
+    }
+    const parentDir = resolve(currentDir, "..");
+    if (parentDir === currentDir) {
+      break;
+    }
+    currentDir = parentDir;
+    attempts++;
+  }
+  const fallback = resolve(dirname2(fileURLToPath(import.meta.url)), "../..");
+  return fallback;
+}
+function getSetupScriptPath(packageRoot) {
+  return resolve(packageRoot, "ee/python/setup.sh");
+}
+function getVenvPath(packageRoot) {
+  return resolve(packageRoot, "ee/python/.venv");
+}
+function isPythonEnvironmentSetup(packageRoot) {
+  const root = packageRoot ?? getPackageRoot();
+  const venvPath = getVenvPath(root);
+  const pythonPath = join3(venvPath, "bin", "python");
+  return existsSync2(venvPath) && existsSync2(pythonPath);
+}
+async function setupPythonEnvironment(options = {}) {
+  const {
+    packageRoot = getPackageRoot(),
+    force = false,
+    verbose = false,
+    timeout = 6e5
+    // 10 minutes
+  } = options;
+  if (!force && isPythonEnvironmentSetup(packageRoot)) {
+    if (verbose) {
+      console.log("\u2713 Python environment already set up");
+    }
+    return {
+      success: true,
+      message: "Python environment already exists",
+      alreadyExists: true
+    };
+  }
+  const setupScriptPath = getSetupScriptPath(packageRoot);
+  if (!existsSync2(setupScriptPath)) {
+    return {
+      success: false,
+      message: `Setup script not found at: ${setupScriptPath}`,
+      alreadyExists: false
+    };
+  }
+  try {
+    if (verbose) {
+      console.log("Setting up Python environment...");
+    }
+    const { stdout, stderr } = await execAsync2(`bash "${setupScriptPath}"`, {
+      cwd: packageRoot,
+      timeout,
+      env: {
+        ...process.env,
+        // Ensure script can write to the directory
+        PYTHONDONTWRITEBYTECODE: "1"
+      },
+      maxBuffer: 10 * 1024 * 1024
+      // 10MB buffer
+    });
+    const output = stdout + stderr;
+    const versionMatch = output.match(/Python (\d+\.\d+\.\d+)/);
+    const pythonVersion = versionMatch ? versionMatch[1] : void 0;
+    if (verbose) {
+      console.log(output);
+    }
+    return {
+      success: true,
+      message: "Python environment set up successfully",
+      alreadyExists: false,
+      pythonVersion,
+      output
+    };
+  } catch (error) {
+    const errorOutput = error.stdout + error.stderr;
+    return {
+      success: false,
+      message: `Setup failed: ${error.message}`,
+      alreadyExists: false,
+      output: errorOutput
+    };
+  }
+}
+function getPythonSetupInstructions() {
+  return `
+Python environment not set up. Please run one of the following commands:
+
+Option 1 (Automatic):
+  import { setupPythonEnvironment } from '@exulu/backend';
+  await setupPythonEnvironment();
+
+Option 2 (Manual - for package consumers):
+  npx @exulu/backend setup-python
+
+Option 3 (Manual - for contributors):
+  npm run python:setup
+
+These commands will automatically create a Python virtual environment (.venv)
+in the @exulu/backend package and install all required dependencies.
+
+Requirements:
+  - Python 3.10 or higher must be installed
+  - pip must be available
+  - venv module must be available (for creating virtual environments)
+
+If Python dependencies are not installed, install them first, then run one of the commands above:
+  - macOS: brew install python@3.12
+  - Ubuntu/Debian: sudo apt-get install python3.12 python3-pip python3-venv
+  - Alpine Linux: apk add python3 py3-pip python3-dev
+  - Windows: Download from https://www.python.org/downloads/
+
+Note: In Docker containers, ensure you install all three components:
+  Ubuntu/Debian: apt-get install -y python3 python3-pip python3-venv
+  Alpine: apk add python3 py3-pip python3-dev
+`.trim();
+}
+async function validatePythonEnvironment(packageRoot, checkPackages = true) {
+  const root = packageRoot ?? getPackageRoot();
+  const venvPath = getVenvPath(root);
+  const pythonPath = join3(venvPath, "bin", "python");
+  if (!existsSync2(venvPath)) {
+    return {
+      valid: false,
+      message: getPythonSetupInstructions()
     };
   }
-});
-var perplexityTools = [internetSearchTool];
-
-// src/templates/tools/email.ts
-import * as nodemailer from "nodemailer";
-import { z as z8 } from "zod";
-var transporter = null;
-function getTransporter(config) {
-  if (!transporter) {
-    transporter = nodemailer.createTransport(config);
-  }
-  return transporter;
-}
-async function sendEmail(recipient, subject, html, text, config) {
-  const transport = getTransporter(config);
-  html = html.trim();
-  text = text.trim();
-  await transport.sendMail({
-    from: config.from,
-    to: recipient,
-    subject,
-    text,
-    html
-  });
-}
-var emailTool = new ExuluTool({
-  id: "email",
-  name: "Email",
-  description: "Send an email.",
-  inputSchema: z8.object({
-    recipient: z8.string().describe("The recipient of the email."),
-    subject: z8.string().describe("The subject of the email."),
-    html: z8.string().describe("The HTML body of the email."),
-    text: z8.string().describe("The text body of the email.")
-  }),
-  type: "function",
-  config: [{
-    name: "smtp_host",
-    description: "The SMTP host to send the email from.",
-    type: "variable",
-    default: void 0
-  }, {
-    name: "smtp_port",
-    description: "The SMTP port to send the email from.",
-    type: "variable",
-    default: void 0
-  }, {
-    name: "smtp_user",
-    description: "The SMTP user to send the email from.",
-    type: "variable",
-    default: void 0
-  }, {
-    name: "smtp_password",
-    description: "The SMTP password to send the email from.",
-    type: "variable",
-    default: void 0
-  }, {
-    name: "smtp_from",
-    description: "The SMTP from address to send the email from.",
-    type: "variable",
-    default: void 0
-  }, {
-    name: "allowed_recipient_domains",
-    description: "A comma seperated list of allowed recipient domains to send emails to.",
-    type: "string",
-    default: void 0
-  }],
-  execute: async ({ recipient, subject, html, text, toolVariablesConfig }) => {
-    const EMAIL_CONFIG = {
-      host: toolVariablesConfig.smtp_host || process.env.SMTP_HOST || "",
-      port: parseInt(toolVariablesConfig.smtp_port || process.env.SMTP_PORT || "587", 10),
-      secure: toolVariablesConfig.smtp_secure === "true" || process.env.SMTP_SECURE === "true",
-      // true for 465, false for other ports
-      auth: {
-        user: toolVariablesConfig.smtp_user || process.env.SMTP_USER || "",
-        pass: toolVariablesConfig.smtp_password || process.env.SMTP_PASSWORD || ""
-      },
-      from: toolVariablesConfig.smtp_from || process.env.SMTP_FROM || "",
-      // Allow self-signed certificates if SMTP_REJECT_UNAUTHORIZED is set to 'false'
-      tls: {
-        rejectUnauthorized: false
-      }
+  if (!existsSync2(pythonPath)) {
+    return {
+      valid: false,
+      message: "Python virtual environment is corrupted. Please run:\n  await setupPythonEnvironment({ force: true })"
     };
-    if (toolVariablesConfig.allowed_recipient_domains) {
-      const allowedRecipientDomains = toolVariablesConfig.allowed_recipient_domains.split(",");
-      if (!allowedRecipientDomains.some((domain) => recipient.endsWith(`@${domain}`))) {
-        return {
-          result: "Recipient domain not allowed to send emails to."
-        };
-      }
-    }
-    await sendEmail(recipient, subject, html, text, EMAIL_CONFIG);
+  }
+  try {
+    await execAsync2(`"${pythonPath}" --version`, { cwd: root });
+  } catch {
     return {
-      result: "Email sent successfully to " + recipient + " with subject " + subject + "."
+      valid: false,
+      message: "Python executable is not working. Please run:\n  await setupPythonEnvironment({ force: true })"
     };
   }
-});
+  if (checkPackages) {
+    const criticalPackages = ["docling", "transformers"];
+    const missingPackages = [];
+    for (const pkg of criticalPackages) {
+      try {
+        await execAsync2(`"${pythonPath}" -c "import ${pkg}"`, {
+          cwd: root,
+          timeout: 1e4
+          // 10 second timeout per import check
+        });
+      } catch {
+        missingPackages.push(pkg);
+      }
+    }
+    if (missingPackages.length > 0) {
+      return {
+        valid: false,
+        message: `Python environment exists but required packages are not installed: ${missingPackages.join(", ")}
 
-// src/validators/postgres-name.ts
-var isValidPostgresName = (id) => {
-  const regex = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
-  const isValid = regex.test(id);
-  const length = id.length;
-  return isValid && length <= 80 && length > 2;
-};
+This usually happens when:
+1. The .venv folder was copied but dependencies were not installed
+2. The package was installed via npm but setup script was not run
+
+Please run:
+  await setupPythonEnvironment({ force: true })
+
+Or manually run the setup script:
+  bash ` + getSetupScriptPath(root)
+      };
+    }
+  }
+  return {
+    valid: true,
+    message: "Python environment is valid"
+  };
+}
 
 // src/exulu/app/index.ts
 var isDev = process.env.NODE_ENV !== "production";
@@ -10773,12 +11514,17 @@ var ExuluApp = class {
       ...providers ?? []
     ];
     this._config = config;
+    const transcriptionTools = [];
+    if (process.env.TRANSCRIPTION_MODEL && config?.fileUploads && config?.fileUploads?.s3region && config?.fileUploads?.s3key && config?.fileUploads?.s3secret && config?.fileUploads?.s3Bucket) {
+      transcriptionTools.push(transcribeTool);
+    }
     this._tools = [
       ...tools ?? [],
       ...todoTools,
       ...questionTools,
       ...perplexityTools,
-      emailTool
+      emailTool,
+      ...transcriptionTools
       // Because agents are stored in the database, we add those as tools
       // at request time, not during ExuluApp initialization. We add them
       // in the grahql tools resolver.
@@ -10795,9 +11541,9 @@ var ExuluApp = class {
         id: provider.id ?? "",
         type: "agent"
       })),
-      ...this._tools.map((tool) => ({
-        name: tool.name ?? "",
-        id: tool.id ?? "",
+      ...this._tools.map((tool2) => ({
+        name: tool2.name ?? "",
+        id: tool2.id ?? "",
         type: "tool"
       })),
       ...this._rerankers.map((reranker) => ({
@@ -10839,6 +11585,21 @@ var ExuluApp = class {
     await reportSystemDependencies({
       requireSystemDependencies: config.requireSystemDependencies !== false
     });
+    if (process.env.TRANSCRIPTION_MODEL && !isLiteLLMEnabled()) {
+      console.warn(
+        "[EXULU] TRANSCRIPTION_MODEL is set but EXULU_USE_LITELLM is not 'true'. The /transcribe endpoint will return 503 until LiteLLM is enabled."
+      );
+    }
+    if (process.env.TTS_MODEL && !isLiteLLMEnabled()) {
+      console.warn(
+        "[EXULU] TTS_MODEL is set but EXULU_USE_LITELLM is not 'true'. The /speech endpoint will return 503 until LiteLLM is enabled."
+      );
+    }
+    if (process.env.TTS_MODEL && !process.env.TTS_VOICE) {
+      console.warn(
+        "[EXULU] TTS_MODEL is set but TTS_VOICE is not. LiteLLM's router requires a voice for /v1/audio/speech; the /speech endpoint will return 503 until TTS_VOICE is set (e.g. 'alloy' for OpenAI tts-1)."
+      );
+    }
     console.log("[EXULU] App initialized.");
     exuluApp.set(this);
     return this;
@@ -10850,6 +11611,18 @@ var ExuluApp = class {
         await this.server.express.init();
         console.log("[EXULU] Express app initialized.");
       }
+      if (isLiteLLMEnabled()) {
+        const packageRoot = getPackageRoot();
+        setLiteLLMPackageRoot(packageRoot);
+        try {
+          await startLiteLLMSupervisor();
+        } catch (err) {
+          console.error(
+            "[EXULU] LiteLLM supervisor failed to start:",
+            err.message
+          );
+        }
+      }
       return this._expressApp;
     }
   };
@@ -12062,7 +12835,7 @@ var RecursiveChunker = class _RecursiveChunker extends BaseChunker {
 };
 
 // src/exulu/embedder.ts
-import CryptoJS7 from "crypto-js";
+import CryptoJS6 from "crypto-js";
 var ExuluEmbedder = class {
   id;
   name;
@@ -12133,8 +12906,8 @@ var ExuluEmbedder = class {
           );
         }
         try {
-          const bytes = CryptoJS7.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
-          const decrypted = bytes.toString(CryptoJS7.enc.Utf8);
+          const bytes = CryptoJS6.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
+          const decrypted = bytes.toString(CryptoJS6.enc.Utf8);
           if (!decrypted) {
             throw new Error("Decryption returned empty string - invalid key or corrupted data");
           }
@@ -12610,7 +13383,7 @@ var SentenceChunker = class _SentenceChunker extends BaseChunker {
   }
 };
 
-// src/postgres/init-db.ts
+// src/postgres/init-exulu-db.ts
 var {
   agentsSchema: agentsSchema2,
   feedbackSchema: feedbackSchema2,
@@ -12620,6 +13393,7 @@ var {
   agentSessionsSchema: agentSessionsSchema2,
   platformConfigurationsSchema: platformConfigurationsSchema2,
   agentMessagesSchema: agentMessagesSchema2,
+  modelsSchema: modelsSchema2,
   rolesSchema: rolesSchema2,
   usersSchema: usersSchema2,
   skillsSchema: skillsSchema2,
@@ -12659,6 +13433,7 @@ var up = async function(knex) {
   const schemas = [
     agentSessionsSchema2(),
     agentMessagesSchema2(),
+    modelsSchema2(),
     rolesSchema2(),
     testCasesSchema2(),
     evalSetsSchema2(),
@@ -12702,6 +13477,47 @@ var up = async function(knex) {
     console.log(`[EXULU] Creating ${schema.name.plural} table.`, schema.fields);
     await createTable(schema);
   }
+  const hasOldProviderCol = await knex.schema.hasColumn("agents", "provider");
+  const hasOldKeyCol = await knex.schema.hasColumn("agents", "providerapikey");
+  if (hasOldProviderCol || hasOldKeyCol) {
+    console.log("[EXULU] Migrating agents.provider/providerapikey -> models table.");
+    await knex.transaction(async (trx) => {
+      const pairs = await trx("agents").distinct("provider", "providerapikey").whereNotNull("provider");
+      const pairToModelId = /* @__PURE__ */ new Map();
+      for (const { provider, providerapikey } of pairs) {
+        const inserted = await trx("models").insert({
+          name: `${provider}${providerapikey ? ` (${providerapikey})` : ""}`,
+          provider,
+          authvariable: providerapikey,
+          active: true,
+          rights_mode: "public",
+          created_by: 1
+        }).returning("id");
+        const id = inserted[0]?.id;
+        if (!id) {
+          throw new Error("[EXULU] Migration: failed to insert models row");
+        }
+        pairToModelId.set(`${provider}::${providerapikey ?? ""}`, id);
+      }
+      for (const [key2, modelId] of pairToModelId) {
+        const [provider, providerapikey] = key2.split("::");
+        const where = {
+          provider,
+          providerapikey: providerapikey ? providerapikey : null
+        };
+        await trx("agents").where(where).update({ model: modelId });
+      }
+      if (hasOldProviderCol) {
+        await trx.schema.alterTable("agents", (t) => t.dropColumn("provider"));
+      }
+      if (hasOldKeyCol) {
+        await trx.schema.alterTable("agents", (t) => t.dropColumn("providerapikey"));
+      }
+      console.log(
+        `[EXULU] Migrated ${pairToModelId.size} unique provider+key pairs into models.`
+      );
+    });
+  }
   if (!await knex.schema.hasTable("verification_token")) {
     console.log("[EXULU] Creating verification_token table.");
     await knex.schema.createTable("verification_token", (table) => {
@@ -12799,39 +13615,310 @@ var execute = async ({ contexts }) => {
   } else {
     adminRoleId = existingAdminRole.id;
   }
-  if (!existingDefaultRole) {
-    console.log("[EXULU] Creating default role.");
-    await db.from("roles").insert({
-      name: "default",
-      agents: "write",
-      api: "read",
-      workflows: "read",
-      variables: "read",
-      users: "read",
-      evals: "read"
-    }).returning("id");
+  if (!existingDefaultRole) {
+    console.log("[EXULU] Creating default role.");
+    await db.from("roles").insert({
+      name: "default",
+      agents: "write",
+      api: "read",
+      workflows: "read",
+      variables: "read",
+      users: "read",
+      evals: "read"
+    }).returning("id");
+  }
+  const existingUser = await db.from("users").where({ email: "admin@exulu.com" }).first();
+  if (!existingUser) {
+    const password = await encryptString("admin");
+    console.log("[EXULU] Creating default admin user.");
+    await db.from("users").insert({
+      name: "exulu",
+      email: "admin@exulu.com",
+      super_admin: true,
+      createdAt: /* @__PURE__ */ new Date(),
+      emailVerified: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date(),
+      password,
+      type: "user",
+      role: adminRoleId
+    });
+  }
+  const { key: key2 } = await generateApiKey("exulu", "api@exulu.com");
+  console.log("[EXULU] Database initialized.");
+  console.log("[EXULU] Default api key: ", `${key2}`);
+  console.log("[EXULU] Default password if using password auth: ", `admin`);
+  console.log("[EXULU] Default email if using password auth: ", `admin@exulu.com`);
+  return;
+};
+
+// src/exulu/litellm/db-init.ts
+import { existsSync as existsSync4 } from "fs";
+import { resolve as resolve2 } from "path";
+import { spawnSync } from "child_process";
+import { Client } from "pg";
+
+// src/exulu/litellm/db-setup-check.ts
+import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
+var readLiteLLMDatabaseUrl = (configPath) => {
+  if (!existsSync3(configPath)) return void 0;
+  const text = readFileSync2(configPath, "utf8");
+  const match = text.match(
+    /^\s*database_url:\s*["']?([^"'\n#]+?)["']?\s*(#.*)?$/m
+  );
+  if (!match) return void 0;
+  const value = match[1]?.trim();
+  if (!value) return void 0;
+  if (value.startsWith("os.environ/")) {
+    const envName = value.slice("os.environ/".length).trim();
+    return process.env[envName];
+  }
+  return value;
+};
+var parsePostgresUrl = (url) => {
+  try {
+    const u = new URL(url);
+    if (u.protocol !== "postgres:" && u.protocol !== "postgresql:") return void 0;
+    return {
+      host: u.hostname,
+      port: u.port ? parseInt(u.port, 10) : 5432,
+      database: u.pathname.replace(/^\//, "")
+    };
+  } catch {
+    return void 0;
+  }
+};
+var getExuluPostgresTarget = () => {
+  const host = process.env.POSTGRES_DB_HOST;
+  const database = process.env.POSTGRES_DB_NAME ?? "exulu";
+  if (!host) return void 0;
+  return {
+    host,
+    port: parseInt(process.env.POSTGRES_DB_PORT ?? "5432", 10),
+    database
+  };
+};
+var isSameDatabase = (a, b) => a.host === b.host && a.port === b.port && a.database === b.database;
+var checkLiteLLMDatabaseSafety = (configPath) => {
+  const litellmUrl = readLiteLLMDatabaseUrl(configPath);
+  if (!litellmUrl) return { ok: true, reason: "no-litellm-db-mode" };
+  const litellmTarget = parsePostgresUrl(litellmUrl);
+  if (!litellmTarget) return { ok: false, reason: "unparseable-url", rawUrl: litellmUrl };
+  const exuluTarget = getExuluPostgresTarget();
+  if (exuluTarget && isSameDatabase(litellmTarget, exuluTarget)) {
+    return { ok: false, reason: "shared-with-exulu", litellmTarget, exuluTarget };
+  }
+  return { ok: true, reason: "isolated", litellmTarget };
+};
+
+// src/exulu/litellm/db-init.ts
+var WARNING_BANNER = "\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550";
+var warn = (lines) => {
+  console.warn(`
+${WARNING_BANNER}`);
+  console.warn("\u26A0  [EXULU-LITELLM] CONFIGURATION WARNING");
+  for (const line of lines) console.warn(`   ${line}`);
+  console.warn(`${WARNING_BANNER}
+`);
+};
+var log = (line) => console.log(`[EXULU-LITELLM] ${line}`);
+var initLiteLLMDatabase = async (packageRoot) => {
+  const configPath = process.env.LITELLM_CONFIG_PATH ?? resolve2(packageRoot, "./config.litellm.yaml");
+  const safety = checkLiteLLMDatabaseSafety(configPath);
+  if (safety.ok && safety.reason === "no-litellm-db-mode") return;
+  if (!safety.ok && safety.reason === "unparseable-url") {
+    warn([
+      `LiteLLM's database_url is not a valid postgres URL:`,
+      `   ${safety.rawUrl}`,
+      `Expected postgres://user:pass@host:port/database. Skipping setup.`
+    ]);
+    return;
+  }
+  if (!safety.ok && safety.reason === "shared-with-exulu") {
+    const { exuluTarget } = safety;
+    warn([
+      `LiteLLM's database_url points to the SAME database Exulu uses:`,
+      `   ${exuluTarget.host}:${exuluTarget.port}/${exuluTarget.database}`,
+      ``,
+      `If LiteLLM's schema sync were to run against this database, it`,
+      `would DROP every table that is not in LiteLLM's Prisma schema,`,
+      `destroying all of Exulu's data. Setup has been SKIPPED.`,
+      ``,
+      `Fix: create a dedicated Postgres database for LiteLLM (e.g.`,
+      `\`createdb litellm\`) and change database_url in ${configPath}`,
+      `to point at it. Then restart Exulu.`
+    ]);
+    return;
+  }
+  const litellmUrl = readLiteLLMDatabaseUrl(configPath);
+  if (!litellmUrl) {
+    return;
+  }
+  const target = "litellmTarget" in safety ? safety.litellmTarget : void 0;
+  log(
+    `LiteLLM database mode detected (${target?.host}:${target?.port}/${target?.database}).`
+  );
+  const ensureDatabaseExists = async () => {
+    const probe = new Client({ connectionString: litellmUrl });
+    try {
+      await probe.connect();
+      await probe.end();
+      return true;
+    } catch (err) {
+      const code = err?.code;
+      if (code !== "3D000") {
+        warn([
+          `Could not connect to LiteLLM's target database:`,
+          `   ${err instanceof Error ? err.message : String(err)}`,
+          ``,
+          `Skipping LiteLLM database setup. LiteLLM features that depend on`,
+          `the database will fail at runtime until this is resolved.`
+        ]);
+        return false;
+      }
+      const url = new URL(litellmUrl);
+      const targetDbName = url.pathname.replace(/^\//, "");
+      if (!targetDbName) {
+        warn([`LiteLLM database_url has no database name; cannot auto-create.`]);
+        return false;
+      }
+      url.pathname = "/postgres";
+      log(`Target database "${targetDbName}" does not exist; creating it\u2026`);
+      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(targetDbName)) {
+        warn([
+          `Refusing to auto-create database "${targetDbName}" \u2014 name`,
+          `contains characters that would require quoting. Create it`,
+          `manually: createdb -h ${url.hostname} -U ${url.username} ${targetDbName}`
+        ]);
+        return false;
+      }
+      const admin = new Client({ connectionString: url.toString() });
+      try {
+        await admin.connect();
+        await admin.query(`CREATE DATABASE "${targetDbName}"`);
+        log(`\u2713 Created database "${targetDbName}".`);
+        return true;
+      } catch (createErr) {
+        warn([
+          `Failed to auto-create database "${targetDbName}":`,
+          `   ${createErr instanceof Error ? createErr.message : String(createErr)}`,
+          ``,
+          `The connecting user likely lacks CREATEDB privilege. Create the`,
+          `database manually:`,
+          `   createdb -h ${url.hostname} -U ${url.username} ${targetDbName}`,
+          `Then restart Exulu.`
+        ]);
+        return false;
+      } finally {
+        try {
+          await admin.end();
+        } catch {
+        }
+      }
+    }
+  };
+  if (!await ensureDatabaseExists()) return;
+  log("Checking that the target database is safe to push into\u2026");
+  const client2 = new Client({ connectionString: litellmUrl });
+  let foreignTables = [];
+  try {
+    await client2.connect();
+    const res = await client2.query(
+      `SELECT table_name
+         FROM information_schema.tables
+        WHERE table_schema = 'public'
+          AND table_type = 'BASE TABLE'
+          AND table_name NOT LIKE 'LiteLLM%'
+          AND table_name <> '_prisma_migrations'
+        ORDER BY table_name;`
+    );
+    foreignTables = res.rows.map((r) => r.table_name);
+  } catch (err) {
+    warn([
+      `Could not query LiteLLM's target database to verify it is safe`,
+      `to push into:`,
+      `   ${err instanceof Error ? err.message : String(err)}`,
+      ``,
+      `Skipping LiteLLM database setup. LiteLLM features that depend on the`,
+      `database will fail at runtime until this is resolved.`
+    ]);
+    return;
+  } finally {
+    try {
+      await client2.end();
+    } catch {
+    }
+  }
+  if (foreignTables.length > 0) {
+    warn([
+      `LiteLLM's target database contains ${foreignTables.length} table(s) that are NOT`,
+      `part of LiteLLM's schema:`,
+      ...foreignTables.slice(0, 10).map((t) => `   - ${t}`),
+      ...foreignTables.length > 10 ? [`   \u2026 and ${foreignTables.length - 10} more`] : [],
+      ``,
+      `Refusing to run prisma db push to avoid data loss. Move LiteLLM to a`,
+      `dedicated database, or remove these tables first if they are obsolete.`
+    ]);
+    return;
+  }
+  const venvBin = resolve2(packageRoot, "ee/python/.venv/bin");
+  const prismaCli = resolve2(venvBin, "prisma");
+  const litellmProxyDir = resolve2(
+    packageRoot,
+    "ee/python/.venv/lib/python3.12/site-packages/litellm/proxy"
+  );
+  const schemaPath = resolve2(litellmProxyDir, "schema.prisma");
+  if (!existsSync4(prismaCli)) {
+    warn([
+      `Prisma CLI not found at ${prismaCli}.`,
+      `Run \`npm run python:setup\` to create the venv and install prisma.`,
+      `Skipping LiteLLM database setup.`
+    ]);
+    return;
   }
-  const existingUser = await db.from("users").where({ email: "admin@exulu.com" }).first();
-  if (!existingUser) {
-    const password = await encryptString("admin");
-    console.log("[EXULU] Creating default admin user.");
-    await db.from("users").insert({
-      name: "exulu",
-      email: "admin@exulu.com",
-      super_admin: true,
-      createdAt: /* @__PURE__ */ new Date(),
-      emailVerified: /* @__PURE__ */ new Date(),
-      updatedAt: /* @__PURE__ */ new Date(),
-      password,
-      type: "user",
-      role: adminRoleId
-    });
+  if (!existsSync4(schemaPath)) {
+    warn([
+      `LiteLLM Prisma schema not found at ${schemaPath}.`,
+      `Re-run \`npm run python:setup\`. Skipping LiteLLM database setup.`
+    ]);
+    return;
   }
-  const { key: key2 } = await generateApiKey("exulu", "api@exulu.com");
-  console.log("[EXULU] Database initialized.");
-  console.log("[EXULU] Default api key: ", `${key2}`);
-  console.log("[EXULU] Default password if using password auth: ", `admin`);
-  console.log("[EXULU] Default email if using password auth: ", `admin@exulu.com`);
+  log("Running `prisma db push` against LiteLLM's schema\u2026");
+  const result = spawnSync(prismaCli, ["db", "push", "--skip-generate"], {
+    cwd: litellmProxyDir,
+    env: {
+      ...process.env,
+      DATABASE_URL: litellmUrl,
+      PATH: `${venvBin}:${process.env.PATH ?? ""}`
+    },
+    // Capture rather than inherit so the prisma noise doesn't bury other
+    // Exulu boot logs; we'll print stdout/stderr only on failure.
+    stdio: ["ignore", "pipe", "pipe"],
+    encoding: "utf8"
+  });
+  if (result.error) {
+    warn([
+      `Failed to launch prisma: ${result.error.message}`,
+      `Skipping LiteLLM database setup.`
+    ]);
+    return;
+  }
+  if (result.status !== 0) {
+    warn([
+      `prisma db push exited with status ${result.status}.`,
+      `stdout:`,
+      ...(result.stdout || "(empty)").split("\n").map((l) => `   ${l}`),
+      `stderr:`,
+      ...(result.stderr || "(empty)").split("\n").map((l) => `   ${l}`)
+    ]);
+    return;
+  }
+  log("\u2713 LiteLLM database ready.");
+};
+
+// src/postgres/init-litellm-db.ts
+var initLitellmDb = async () => {
+  await initLiteLLMDatabase(getPackageRoot());
+  console.log("[EXULU] LiteLLM database initialized.");
   return;
 };
 
@@ -12878,7 +13965,7 @@ var create = ({
 };
 
 // src/index.ts
-import CryptoJS8 from "crypto-js";
+import CryptoJS7 from "crypto-js";
 
 // ee/chunking/markdown.ts
 var extractPageTag = (text) => {
@@ -13358,216 +14445,13 @@ var MarkdownChunker = class {
   }
 };
 
-// src/utils/python-setup.ts
-import { exec as exec2 } from "child_process";
-import { promisify as promisify2 } from "util";
-import { resolve, join as join2, dirname } from "path";
-import { existsSync as existsSync2, readFileSync } from "fs";
-import { fileURLToPath } from "url";
-var execAsync2 = promisify2(exec2);
-function getPackageRoot() {
-  const currentFile = fileURLToPath(import.meta.url);
-  let currentDir = dirname(currentFile);
-  let attempts = 0;
-  const maxAttempts = 10;
-  while (attempts < maxAttempts) {
-    const packageJsonPath = join2(currentDir, "package.json");
-    if (existsSync2(packageJsonPath)) {
-      try {
-        const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
-        if (packageJson.name === "@exulu/backend") {
-          return currentDir;
-        }
-      } catch {
-      }
-    }
-    const parentDir = resolve(currentDir, "..");
-    if (parentDir === currentDir) {
-      break;
-    }
-    currentDir = parentDir;
-    attempts++;
-  }
-  const fallback = resolve(dirname(fileURLToPath(import.meta.url)), "../..");
-  return fallback;
-}
-function getSetupScriptPath(packageRoot) {
-  return resolve(packageRoot, "ee/python/setup.sh");
-}
-function getVenvPath(packageRoot) {
-  return resolve(packageRoot, "ee/python/.venv");
-}
-function isPythonEnvironmentSetup(packageRoot) {
-  const root = packageRoot ?? getPackageRoot();
-  const venvPath = getVenvPath(root);
-  const pythonPath = join2(venvPath, "bin", "python");
-  return existsSync2(venvPath) && existsSync2(pythonPath);
-}
-async function setupPythonEnvironment(options = {}) {
-  const {
-    packageRoot = getPackageRoot(),
-    force = false,
-    verbose = false,
-    timeout = 6e5
-    // 10 minutes
-  } = options;
-  if (!force && isPythonEnvironmentSetup(packageRoot)) {
-    if (verbose) {
-      console.log("\u2713 Python environment already set up");
-    }
-    return {
-      success: true,
-      message: "Python environment already exists",
-      alreadyExists: true
-    };
-  }
-  const setupScriptPath = getSetupScriptPath(packageRoot);
-  if (!existsSync2(setupScriptPath)) {
-    return {
-      success: false,
-      message: `Setup script not found at: ${setupScriptPath}`,
-      alreadyExists: false
-    };
-  }
-  try {
-    if (verbose) {
-      console.log("Setting up Python environment...");
-    }
-    const { stdout, stderr } = await execAsync2(`bash "${setupScriptPath}"`, {
-      cwd: packageRoot,
-      timeout,
-      env: {
-        ...process.env,
-        // Ensure script can write to the directory
-        PYTHONDONTWRITEBYTECODE: "1"
-      },
-      maxBuffer: 10 * 1024 * 1024
-      // 10MB buffer
-    });
-    const output = stdout + stderr;
-    const versionMatch = output.match(/Python (\d+\.\d+\.\d+)/);
-    const pythonVersion = versionMatch ? versionMatch[1] : void 0;
-    if (verbose) {
-      console.log(output);
-    }
-    return {
-      success: true,
-      message: "Python environment set up successfully",
-      alreadyExists: false,
-      pythonVersion,
-      output
-    };
-  } catch (error) {
-    const errorOutput = error.stdout + error.stderr;
-    return {
-      success: false,
-      message: `Setup failed: ${error.message}`,
-      alreadyExists: false,
-      output: errorOutput
-    };
-  }
-}
-function getPythonSetupInstructions() {
-  return `
-Python environment not set up. Please run one of the following commands:
-
-Option 1 (Automatic):
-  import { setupPythonEnvironment } from '@exulu/backend';
-  await setupPythonEnvironment();
-
-Option 2 (Manual - for package consumers):
-  npx @exulu/backend setup-python
-
-Option 3 (Manual - for contributors):
-  npm run python:setup
-
-These commands will automatically create a Python virtual environment (.venv)
-in the @exulu/backend package and install all required dependencies.
-
-Requirements:
-  - Python 3.10 or higher must be installed
-  - pip must be available
-  - venv module must be available (for creating virtual environments)
-
-If Python dependencies are not installed, install them first, then run one of the commands above:
-  - macOS: brew install python@3.12
-  - Ubuntu/Debian: sudo apt-get install python3.12 python3-pip python3-venv
-  - Alpine Linux: apk add python3 py3-pip python3-dev
-  - Windows: Download from https://www.python.org/downloads/
-
-Note: In Docker containers, ensure you install all three components:
-  Ubuntu/Debian: apt-get install -y python3 python3-pip python3-venv
-  Alpine: apk add python3 py3-pip python3-dev
-`.trim();
-}
-async function validatePythonEnvironment(packageRoot, checkPackages = true) {
-  const root = packageRoot ?? getPackageRoot();
-  const venvPath = getVenvPath(root);
-  const pythonPath = join2(venvPath, "bin", "python");
-  if (!existsSync2(venvPath)) {
-    return {
-      valid: false,
-      message: getPythonSetupInstructions()
-    };
-  }
-  if (!existsSync2(pythonPath)) {
-    return {
-      valid: false,
-      message: "Python virtual environment is corrupted. Please run:\n  await setupPythonEnvironment({ force: true })"
-    };
-  }
-  try {
-    await execAsync2(`"${pythonPath}" --version`, { cwd: root });
-  } catch {
-    return {
-      valid: false,
-      message: "Python executable is not working. Please run:\n  await setupPythonEnvironment({ force: true })"
-    };
-  }
-  if (checkPackages) {
-    const criticalPackages = ["docling", "transformers"];
-    const missingPackages = [];
-    for (const pkg of criticalPackages) {
-      try {
-        await execAsync2(`"${pythonPath}" -c "import ${pkg}"`, {
-          cwd: root,
-          timeout: 1e4
-          // 10 second timeout per import check
-        });
-      } catch {
-        missingPackages.push(pkg);
-      }
-    }
-    if (missingPackages.length > 0) {
-      return {
-        valid: false,
-        message: `Python environment exists but required packages are not installed: ${missingPackages.join(", ")}
-
-This usually happens when:
-1. The .venv folder was copied but dependencies were not installed
-2. The package was installed via npm but setup script was not run
-
-Please run:
-  await setupPythonEnvironment({ force: true })
-
-Or manually run the setup script:
-  bash ` + getSetupScriptPath(root)
-      };
-    }
-  }
-  return {
-    valid: true,
-    message: "Python environment is valid"
-  };
-}
-
 // ee/python/documents/processing/doc_processor.ts
-import * as fs3 from "fs";
+import * as fs4 from "fs";
 import * as path from "path";
-import { generateText as generateText4, Output as Output2 } from "ai";
-import { z as z9 } from "zod";
+import { generateText as generateText5, Output as Output2 } from "ai";
+import { z as z11 } from "zod";
 import pLimit from "p-limit";
-import { randomUUID as randomUUID5 } from "crypto";
+import { randomUUID as randomUUID6 } from "crypto";
 import * as mammoth from "mammoth";
 import TurndownService from "turndown";
 import WordExtractor from "word-extractor";
@@ -13576,34 +14460,34 @@ import { parseOfficeAsync as parseOfficeAsync2 } from "officeparser";
 // src/utils/python-executor.ts
 import { exec as exec3 } from "child_process";
 import { promisify as promisify3 } from "util";
-import { resolve as resolve2, join as join3, dirname as dirname2 } from "path";
-import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve3, join as join4, dirname as dirname3 } from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
 import { fileURLToPath as fileURLToPath2 } from "url";
 var execAsync3 = promisify3(exec3);
 function getPackageRoot2() {
   const currentFile = fileURLToPath2(import.meta.url);
-  let currentDir = dirname2(currentFile);
+  let currentDir = dirname3(currentFile);
   let attempts = 0;
   const maxAttempts = 10;
   while (attempts < maxAttempts) {
-    const packageJsonPath = join3(currentDir, "package.json");
-    if (existsSync3(packageJsonPath)) {
+    const packageJsonPath = join4(currentDir, "package.json");
+    if (existsSync5(packageJsonPath)) {
       try {
-        const packageJson = JSON.parse(readFileSync2(packageJsonPath, "utf-8"));
+        const packageJson = JSON.parse(readFileSync3(packageJsonPath, "utf-8"));
         if (packageJson.name === "@exulu/backend") {
           return currentDir;
         }
       } catch {
       }
     }
-    const parentDir = resolve2(currentDir, "..");
+    const parentDir = resolve3(currentDir, "..");
     if (parentDir === currentDir) {
       break;
     }
     currentDir = parentDir;
     attempts++;
   }
-  return resolve2(dirname2(fileURLToPath2(import.meta.url)), "../..");
+  return resolve3(dirname3(fileURLToPath2(import.meta.url)), "../..");
 }
 var PythonEnvironmentError = class extends Error {
   constructor(message) {
@@ -13624,11 +14508,11 @@ var PythonExecutionError = class extends Error {
   }
 };
 function getVenvPath2(packageRoot) {
-  return resolve2(packageRoot, "ee/python/.venv");
+  return resolve3(packageRoot, "ee/python/.venv");
 }
 function getPythonExecutable(packageRoot) {
   const venvPath = getVenvPath2(packageRoot);
-  return join3(venvPath, "bin", "python");
+  return join4(venvPath, "bin", "python");
 }
 async function validatePythonEnvironmentForExecution(packageRoot) {
   const validation = await validatePythonEnvironment(packageRoot);
@@ -13650,8 +14534,8 @@ async function executePythonScript(config) {
   if (validateEnvironment) {
     await validatePythonEnvironmentForExecution(packageRoot);
   }
-  const resolvedScriptPath = resolve2(packageRoot, scriptPath);
-  if (!existsSync3(resolvedScriptPath)) {
+  const resolvedScriptPath = resolve3(packageRoot, scriptPath);
+  if (!existsSync5(resolvedScriptPath)) {
     throw new PythonExecutionError(
       `Python script not found: ${resolvedScriptPath}`,
       "",
@@ -13746,9 +14630,9 @@ async function processWord(file) {
 }
 async function processImage(buffer, paths, config, verbose = false) {
   try {
-    await fs3.promises.mkdir(paths.images, { recursive: true });
+    await fs4.promises.mkdir(paths.images, { recursive: true });
     const imagePath = path.join(paths.images, "1.png");
-    await fs3.promises.writeFile(imagePath, buffer);
+    await fs4.promises.writeFile(imagePath, buffer);
     console.log(`[EXULU] Image saved to: ${imagePath}`);
     let json = [{
       page: 1,
@@ -13765,7 +14649,7 @@ async function processImage(buffer, paths, config, verbose = false) {
         verbose,
         config.vlm.concurrency
       );
-      await fs3.promises.writeFile(
+      await fs4.promises.writeFile(
         paths.json,
         JSON.stringify(json, null, 2),
         "utf-8"
@@ -13776,14 +14660,14 @@ async function processImage(buffer, paths, config, verbose = false) {
     } else {
       console.log("[EXULU] No VLM configured, image saved without content extraction");
       console.log("[EXULU] Note: Enable VLM in config to extract text/content from images");
-      await fs3.promises.writeFile(
+      await fs4.promises.writeFile(
         paths.json,
         JSON.stringify(json, null, 2),
         "utf-8"
       );
     }
     const markdown = json.map((p) => p.vlm_corrected_text ?? p.content).join("\n\n\n<!-- END_OF_PAGE -->\n\n\n");
-    await fs3.promises.writeFile(paths.markdown, markdown, "utf-8");
+    await fs4.promises.writeFile(paths.markdown, markdown, "utf-8");
     return {
       markdown,
       json
@@ -13836,7 +14720,7 @@ function reconstructHeadings(correctedText, headingsHierarchy) {
   return result;
 }
 async function validatePageWithVLM(page, imagePath, model) {
-  const imageBuffer = await fs3.promises.readFile(imagePath);
+  const imageBuffer = await fs4.promises.readFile(imagePath);
   const imageBase64 = imageBuffer.toString("base64");
   const mimeType = "image/png";
   const prompt = `You are a document validation assistant. Your task is to analyze a page image and correct the output of an OCR/parsing pipeline. The content may include tables, technical diagrams, schematics, and structured text.
@@ -13914,18 +14798,18 @@ If the page contains a flow-chart, schematic, technical drawing or control board
 
 ### 7. Only populate \`corrected_text\` when \`needs_correction\` is true. If the OCR output is accurate, return \`needs_correction: false\` and \`corrected_content: null\`.
 `;
-  const result = await generateText4({
+  const result = await generateText5({
     model,
     output: Output2.object({
-      schema: z9.object({
-        needs_correction: z9.boolean(),
-        corrected_text: z9.string().nullable(),
-        current_page_table: z9.object({
-          headers: z9.array(z9.string()),
-          is_continuation: z9.boolean()
+      schema: z11.object({
+        needs_correction: z11.boolean(),
+        corrected_text: z11.string().nullable(),
+        current_page_table: z11.object({
+          headers: z11.array(z11.string()),
+          is_continuation: z11.boolean()
         }).nullable(),
-        confidence: z9.enum(["high", "medium", "low"]),
-        reasoning: z9.string()
+        confidence: z11.enum(["high", "medium", "low"]),
+        reasoning: z11.string()
       })
     }),
     messages: [
@@ -14005,7 +14889,7 @@ async function validateWithVLM(document, model, verbose = false, concurrency = 1
   let correctedCount = 0;
   const validationTasks = document.map(
     (page) => limit(async () => {
-      await new Promise((resolve3) => setImmediate(resolve3));
+      await new Promise((resolve4) => setImmediate(resolve4));
       const imagePath = page.image;
       if (!imagePath) {
         console.warn(`[EXULU] Page ${page.page}: No image found, skipping validation`);
@@ -14179,7 +15063,7 @@ ${setupResult.output || ""}`);
       if (!result.success) {
         throw new Error(`Document processing failed: ${result.stderr}`);
       }
-      const jsonContent = await fs3.promises.readFile(paths.json, "utf-8");
+      const jsonContent = await fs4.promises.readFile(paths.json, "utf-8");
       json = JSON.parse(jsonContent);
     } else if (config?.processor.name === "officeparser") {
       const text = await parseOfficeAsync2(buffer, {
@@ -14196,7 +15080,7 @@ ${setupResult.output || ""}`);
       if (!MISTRAL_API_KEY) {
         throw new Error('[EXULU] MISTRAL_API_KEY is not set, please set it in the environment variable via process.env or via an Exulu variable named "MISTRAL_API_KEY".');
       }
-      await new Promise((resolve3) => setTimeout(resolve3, Math.floor(Math.random() * 4e3) + 1e3));
+      await new Promise((resolve4) => setTimeout(resolve4, Math.floor(Math.random() * 4e3) + 1e3));
       const base64Pdf = buffer.toString("base64");
       const client2 = new Mistral({ apiKey: MISTRAL_API_KEY });
       const ocrResponse = await withRetry(async () => {
@@ -14212,9 +15096,9 @@ ${setupResult.output || ""}`);
       }, 10);
       const parser = new LiteParse();
       const screenshots = await parser.screenshot(paths.source, void 0);
-      await fs3.promises.mkdir(paths.images, { recursive: true });
+      await fs4.promises.mkdir(paths.images, { recursive: true });
       for (const screenshot of screenshots) {
-        await fs3.promises.writeFile(
+        await fs4.promises.writeFile(
           path.join(
             paths.images,
             `${screenshot.pageNum}.png`
@@ -14229,15 +15113,15 @@ ${setupResult.output || ""}`);
         image: screenshots.find((s) => s.pageNum === page.index + 1)?.imagePath,
         headings: []
       }));
-      fs3.writeFileSync(paths.json, JSON.stringify(json, null, 2));
+      fs4.writeFileSync(paths.json, JSON.stringify(json, null, 2));
     } else if (config?.processor.name === "liteparse") {
       const parser = new LiteParse();
       const result = await parser.parse(paths.source);
       const screenshots = await parser.screenshot(paths.source, void 0);
       console.log(`[EXULU] Liteparse screenshots: ${JSON.stringify(screenshots)}`);
-      await fs3.promises.mkdir(paths.images, { recursive: true });
+      await fs4.promises.mkdir(paths.images, { recursive: true });
       for (const screenshot of screenshots) {
-        await fs3.promises.writeFile(path.join(paths.images, `${screenshot.pageNum}.png`), screenshot.imageBuffer);
+        await fs4.promises.writeFile(path.join(paths.images, `${screenshot.pageNum}.png`), screenshot.imageBuffer);
         screenshot.imagePath = path.join(paths.images, `${screenshot.pageNum}.png`);
       }
       json = result.pages.map((page) => ({
@@ -14245,7 +15129,7 @@ ${setupResult.output || ""}`);
         content: page.text,
         image: screenshots.find((s) => s.pageNum === page.pageNum)?.imagePath
       }));
-      fs3.writeFileSync(paths.json, JSON.stringify(json, null, 2));
+      fs4.writeFileSync(paths.json, JSON.stringify(json, null, 2));
     }
     console.log(`[EXULU] 
 \u2713 Document processing completed successfully`);
@@ -14276,13 +15160,13 @@ ${setupResult.output || ""}`);
           console.log(`[EXULU]    Corrected: ${page.vlm_corrected_text.substring(0, 150)}...`);
         });
       }
-      await fs3.promises.writeFile(
+      await fs4.promises.writeFile(
         paths.json,
         JSON.stringify(json, null, 2),
         "utf-8"
       );
     }
-    const markdownStream = fs3.createWriteStream(paths.markdown, { encoding: "utf-8" });
+    const markdownStream = fs4.createWriteStream(paths.markdown, { encoding: "utf-8" });
     for (let i = 0; i < json.length; i++) {
       const p = json[i];
       if (!p) continue;
@@ -14292,13 +15176,13 @@ ${setupResult.output || ""}`);
         markdownStream.write("\n\n\n<!-- END_OF_PAGE -->\n\n\n");
       }
     }
-    await new Promise((resolve3, reject) => {
-      markdownStream.end(() => resolve3());
+    await new Promise((resolve4, reject) => {
+      markdownStream.end(() => resolve4());
       markdownStream.on("error", reject);
     });
     console.log(`[EXULU] Validated output saved to: ${paths.json}`);
     console.log(`[EXULU] Validated markdown saved to: ${paths.markdown}`);
-    const markdown = await fs3.promises.readFile(paths.markdown, "utf-8");
+    const markdown = await fs4.promises.readFile(paths.markdown, "utf-8");
     const processedJson = json.map((e) => {
       const finalContent = e.vlm_corrected_text ?? e.content;
       return {
@@ -14325,11 +15209,11 @@ var loadFile = async (file, name, tempDir) => {
   if (!fileType) {
     throw new Error("[EXULU] File name does not include extension, extension is required for document processing.");
   }
-  const UUID = randomUUID5();
+  const UUID = randomUUID6();
   let buffer;
   if (Buffer.isBuffer(file)) {
     filePath = path.join(tempDir, `${UUID}.${fileType}`);
-    await fs3.promises.writeFile(filePath, file);
+    await fs4.promises.writeFile(filePath, file);
     buffer = file;
   } else {
     filePath = filePath.trim();
@@ -14337,11 +15221,11 @@ var loadFile = async (file, name, tempDir) => {
       const response = await fetch(filePath);
       const array = await response.arrayBuffer();
       const tempFilePath = path.join(tempDir, `${UUID}.${fileType}`);
-      await fs3.promises.writeFile(tempFilePath, Buffer.from(array));
+      await fs4.promises.writeFile(tempFilePath, Buffer.from(array));
       buffer = Buffer.from(array);
       filePath = tempFilePath;
     } else {
-      buffer = await fs3.promises.readFile(file);
+      buffer = await fs4.promises.readFile(file);
     }
   }
   return { filePath, fileType, buffer };
@@ -14355,13 +15239,13 @@ async function documentProcessor({
   if (!license["advanced-document-processing"]) {
     throw new Error("Advanced document processing is an enterprise feature, please add a valid Exulu enterprise license key to use it.");
   }
-  const uuid = randomUUID5();
+  const uuid = randomUUID6();
   const tempDir = path.join(process.cwd(), "temp", uuid);
   const localFilesAndFoldersToDelete = [tempDir];
   console.log(`[EXULU] Temporary directory for processing document ${name}: ${tempDir}`);
-  await fs3.promises.mkdir(tempDir, { recursive: true });
+  await fs4.promises.mkdir(tempDir, { recursive: true });
   const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-  await fs3.promises.writeFile(path.join(tempDir, "created_at.txt"), timestamp);
+  await fs4.promises.writeFile(path.join(tempDir, "created_at.txt"), timestamp);
   try {
     const {
       filePath,
@@ -14402,7 +15286,7 @@ async function documentProcessor({
     if (config?.debugging?.deleteTempFiles !== false) {
       for (const file2 of localFilesAndFoldersToDelete) {
         try {
-          await fs3.promises.rm(file2, { recursive: true });
+          await fs4.promises.rm(file2, { recursive: true });
           console.log(`[EXULU] Deleted file or folder: ${file2}`);
         } catch (error) {
           console.error(`[EXULU] Error deleting file or folder: ${file2}`, error);
@@ -14463,8 +15347,8 @@ var ExuluVariables = {
       throw new Error(`Variable ${name} not found.`);
     }
     if (variable.encrypted) {
-      const bytes = CryptoJS8.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
-      variable.value = bytes.toString(CryptoJS8.enc.Utf8);
+      const bytes = CryptoJS7.AES.decrypt(variable.value, process.env.NEXTAUTH_SECRET);
+      variable.value = bytes.toString(CryptoJS7.enc.Utf8);
     }
     return variable.value;
   }
@@ -14489,11 +15373,17 @@ var ExuluOtel = {
   }
 };
 var ExuluDatabase = {
-  init: async ({ contexts }) => {
+  init: async ({ contexts, litellm }) => {
     await execute({ contexts });
+    if (litellm !== false) {
+      await initLitellmDb();
+    }
   },
-  update: async ({ contexts }) => {
+  update: async ({ contexts, litellm }) => {
     await execute({ contexts });
+    if (litellm !== false) {
+      await initLitellmDb();
+    }
   },
   api: {
     key: {