@librechat/data-schemas 0.0.30 → 0.0.33

package/dist/index.es.js

@@ -1,10 +1,11 @@
-import { EModelEndpoint, agentsEndpointSchema, memorySchema, removeNullishValues, SafeSearchTypes, normalizeEndpointName, defaultAssistantsVersion, Capabilities, assistantEndpointSchema, validateAzureGroups, mapModelToAzureConfig, OCRStrategy, getConfigDefaults, PermissionBits, FileSources, Constants, PermissionTypes, Permissions, SystemRoles, ResourceType, PrincipalType, PrincipalModel, roleDefaults, AccessRoleIds } from 'librechat-data-provider';
+import { EModelEndpoint, agentsEndpointSchema, memorySchema, removeNullishValues, SafeSearchTypes, normalizeEndpointName, defaultAssistantsVersion, Capabilities, assistantEndpointSchema, validateAzureGroups, mapModelToAzureConfig, extractEnvVariable, envVarRegex, OCRStrategy, getConfigDefaults, PermissionBits, FileSources, Constants, PermissionTypes, Permissions, SystemRoles, parseTextParts, ResourceType, PrincipalType, PrincipalModel, roleDefaults, ErrorTypes, EToolResources, FileContext, AccessRoleIds } from 'librechat-data-provider';
 import winston from 'winston';
 import 'winston-daily-rotate-file';
 import { klona } from 'klona';
 import path from 'path';
+import 'dotenv/config';
 import jwt from 'jsonwebtoken';
-import { webcrypto } from 'node:crypto';
+import crypto from 'node:crypto';
 import mongoose, { Schema, Types } from 'mongoose';
 import _ from 'lodash';
 import { MeiliSearch } from 'meilisearch';
@@ -854,6 +855,153 @@ function azureConfigSetup(config) {
     };
 }
 
+/**
+ * Default Vertex AI models available through Google Cloud
+ * These are the standard Anthropic model names as served by Vertex AI
+ */
+const defaultVertexModels = [
+    'claude-sonnet-4-20250514',
+    'claude-3-7-sonnet-20250219',
+    'claude-3-5-sonnet-v2@20241022',
+    'claude-3-5-sonnet@20240620',
+    'claude-3-5-haiku@20241022',
+    'claude-3-opus@20240229',
+    'claude-3-haiku@20240307',
+];
+/**
+ * Processes models configuration and creates deployment name mapping
+ * Similar to Azure's model mapping logic
+ * @param models - The models configuration (can be array or object)
+ * @param defaultDeploymentName - Optional default deployment name
+ * @returns Object containing modelNames array and modelDeploymentMap
+ */
+function processVertexModels(models, defaultDeploymentName) {
+    const modelNames = [];
+    const modelDeploymentMap = {};
+    if (!models) {
+        // No models specified, use defaults
+        for (const model of defaultVertexModels) {
+            modelNames.push(model);
+            modelDeploymentMap[model] = model; // Default: model name = deployment name
+        }
+        return { modelNames, modelDeploymentMap };
+    }
+    if (Array.isArray(models)) {
+        // Legacy format: simple array of model names
+        for (const modelName of models) {
+            modelNames.push(modelName);
+            // If a default deployment name is provided, use it for all models
+            // Otherwise, model name is the deployment name
+            modelDeploymentMap[modelName] = defaultDeploymentName || modelName;
+        }
+    }
+    else {
+        // New format: object with model names as keys and config as values
+        for (const [modelName, modelConfig] of Object.entries(models)) {
+            modelNames.push(modelName);
+            if (typeof modelConfig === 'boolean') {
+                // Model is set to true/false - use default deployment name or model name
+                modelDeploymentMap[modelName] = defaultDeploymentName || modelName;
+            }
+            else if (modelConfig === null || modelConfig === void 0 ? void 0 : modelConfig.deploymentName) {
+                // Model has its own deployment name specified
+                modelDeploymentMap[modelName] = modelConfig.deploymentName;
+            }
+            else {
+                // Model is an object but no deployment name - use default or model name
+                modelDeploymentMap[modelName] = defaultDeploymentName || modelName;
+            }
+        }
+    }
+    return { modelNames, modelDeploymentMap };
+}
+/**
+ * Validates and processes Vertex AI configuration
+ * @param vertexConfig - The Vertex AI configuration object
+ * @returns Validated configuration with errors if any
+ */
+function validateVertexConfig(vertexConfig) {
+    if (!vertexConfig) {
+        return null;
+    }
+    const errors = [];
+    // Extract and validate environment variables
+    // projectId is optional - will be auto-detected from service key if not provided
+    const projectId = vertexConfig.projectId ? extractEnvVariable(vertexConfig.projectId) : undefined;
+    const region = extractEnvVariable(vertexConfig.region || 'us-east5');
+    const serviceKeyFile = vertexConfig.serviceKeyFile
+        ? extractEnvVariable(vertexConfig.serviceKeyFile)
+        : undefined;
+    const defaultDeploymentName = vertexConfig.deploymentName
+        ? extractEnvVariable(vertexConfig.deploymentName)
+        : undefined;
+    // Check for unresolved environment variables
+    if (projectId && envVarRegex.test(projectId)) {
+        errors.push(`Vertex AI projectId environment variable "${vertexConfig.projectId}" was not found.`);
+    }
+    if (envVarRegex.test(region)) {
+        errors.push(`Vertex AI region environment variable "${vertexConfig.region}" was not found.`);
+    }
+    if (serviceKeyFile && envVarRegex.test(serviceKeyFile)) {
+        errors.push(`Vertex AI serviceKeyFile environment variable "${vertexConfig.serviceKeyFile}" was not found.`);
+    }
+    if (defaultDeploymentName && envVarRegex.test(defaultDeploymentName)) {
+        errors.push(`Vertex AI deploymentName environment variable "${vertexConfig.deploymentName}" was not found.`);
+    }
+    // Process models and create deployment mapping
+    const { modelNames, modelDeploymentMap } = processVertexModels(vertexConfig.models, defaultDeploymentName);
+    // Note: projectId is optional - if not provided, it will be auto-detected from the service key file
+    const isValid = errors.length === 0;
+    return {
+        enabled: vertexConfig.enabled !== false,
+        projectId,
+        region,
+        serviceKeyFile,
+        deploymentName: defaultDeploymentName,
+        models: vertexConfig.models,
+        modelNames,
+        modelDeploymentMap,
+        isValid,
+        errors,
+    };
+}
+/**
+ * Sets up the Vertex AI configuration from the config (`librechat.yaml`) file.
+ * Similar to azureConfigSetup, this processes and validates the Vertex AI configuration.
+ * @param config - The loaded custom configuration.
+ * @returns The validated Vertex AI configuration or null if not configured.
+ */
+function vertexConfigSetup(config) {
+    var _a, _b;
+    const anthropicConfig = (_a = config.endpoints) === null || _a === void 0 ? void 0 : _a[EModelEndpoint.anthropic];
+    if (!(anthropicConfig === null || anthropicConfig === void 0 ? void 0 : anthropicConfig.vertex)) {
+        return null;
+    }
+    const vertexConfig = anthropicConfig.vertex;
+    // Skip if explicitly disabled (enabled: false)
+    // When vertex config exists, it's enabled by default unless explicitly set to false
+    if (vertexConfig.enabled === false) {
+        return null;
+    }
+    const validatedConfig = validateVertexConfig(vertexConfig);
+    if (!validatedConfig) {
+        return null;
+    }
+    if (!validatedConfig.isValid) {
+        const errorString = validatedConfig.errors.join('\n');
+        const errorMessage = 'Invalid Vertex AI configuration:\n' + errorString;
+        logger$1.error(errorMessage);
+        throw new Error(errorMessage);
+    }
+    logger$1.info('Vertex AI configuration loaded successfully', {
+        projectId: validatedConfig.projectId,
+        region: validatedConfig.region,
+        modelCount: ((_b = validatedConfig.modelNames) === null || _b === void 0 ? void 0 : _b.length) || 0,
+        models: validatedConfig.modelNames,
+    });
+    return validatedConfig;
+}
+
 /**
  * Loads custom config endpoints
  * @param [config]
@@ -876,12 +1024,24 @@ const loadEndpoints = (config, agentsDefaults) => {
         loadedEndpoints[EModelEndpoint.assistants] = assistantsConfigSetup(config, EModelEndpoint.assistants, loadedEndpoints[EModelEndpoint.assistants]);
     }
     loadedEndpoints[EModelEndpoint.agents] = agentsConfigSetup(config, agentsDefaults);
+    // Handle Anthropic endpoint with Vertex AI configuration
+    if (endpoints === null || endpoints === void 0 ? void 0 : endpoints[EModelEndpoint.anthropic]) {
+        const anthropicConfig = endpoints[EModelEndpoint.anthropic];
+        const vertexConfig = vertexConfigSetup(config);
+        loadedEndpoints[EModelEndpoint.anthropic] = {
+            ...anthropicConfig,
+            // If Vertex AI is enabled, use the visible model names from vertex config
+            // Otherwise, use the models array from anthropic config
+            ...((vertexConfig === null || vertexConfig === void 0 ? void 0 : vertexConfig.modelNames) && { models: vertexConfig.modelNames }),
+            // Attach validated Vertex AI config if present
+            ...(vertexConfig && { vertexConfig }),
+        };
+    }
     const endpointKeys = [
         EModelEndpoint.openAI,
         EModelEndpoint.google,
         EModelEndpoint.custom,
         EModelEndpoint.bedrock,
-        EModelEndpoint.anthropic,
     ];
     endpointKeys.forEach((key) => {
         const currentKey = key;
@@ -936,7 +1096,9 @@ const AppService = async (params) => {
     const imageOutputType = (_e = config === null || config === void 0 ? void 0 : config.imageOutputType) !== null && _e !== void 0 ? _e : configDefaults.imageOutputType;
     process.env.CDN_PROVIDER = fileStrategy;
     const availableTools = systemTools;
-    const mcpConfig = config.mcpServers || null;
+    const mcpServersConfig = config.mcpServers || null;
+    const mcpSettings = config.mcpSettings || null;
+    const actions = config.actions;
     const registration = (_f = config.registration) !== null && _f !== void 0 ? _f : configDefaults.registration;
     const interfaceConfig = await loadDefaultInterface({ config, configDefaults });
     const turnstileConfig = loadTurnstileConfig(config, configDefaults);
@@ -948,8 +1110,10 @@ const AppService = async (params) => {
         memory,
         speech,
         balance,
+        actions,
         transactions,
-        mcpConfig,
+        mcpConfig: mcpServersConfig,
+        mcpSettings,
         webSearch,
         fileStrategy,
         registration,
@@ -997,6 +1161,12 @@ var RoleBits;
     RoleBits[RoleBits["OWNER"] = PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE] = "OWNER";
 })(RoleBits || (RoleBits = {}));
 
+var _a, _b;
+const { webcrypto } = crypto;
+/** Use hex decoding for both key and IV for legacy methods */
+const key = Buffer.from((_a = process.env.CREDS_KEY) !== null && _a !== void 0 ? _a : '', 'hex');
+const iv = Buffer.from((_b = process.env.CREDS_IV) !== null && _b !== void 0 ? _b : '', 'hex');
+const algorithm = 'AES-CBC';
 async function signPayload({ payload, secret, expirationTime, }) {
     return jwt.sign(payload, secret, { expiresIn: expirationTime });
 }
@@ -1005,6 +1175,130 @@ async function hashToken(str) {
     const hashBuffer = await webcrypto.subtle.digest('SHA-256', data);
     return Buffer.from(hashBuffer).toString('hex');
 }
+/** --- Legacy v1/v2 Setup: AES-CBC with fixed key and IV --- */
+/**
+ * Encrypts a value using AES-CBC
+ * @param value - The plaintext to encrypt
+ * @returns The encrypted string in hex format
+ */
+async function encrypt(value) {
+    const cryptoKey = await webcrypto.subtle.importKey('raw', key, { name: algorithm }, false, [
+        'encrypt',
+    ]);
+    const encoder = new TextEncoder();
+    const data = encoder.encode(value);
+    const encryptedBuffer = await webcrypto.subtle.encrypt({ name: algorithm, iv: iv }, cryptoKey, data);
+    return Buffer.from(encryptedBuffer).toString('hex');
+}
+/**
+ * Decrypts an encrypted value using AES-CBC
+ * @param encryptedValue - The encrypted string in hex format
+ * @returns The decrypted plaintext
+ */
+async function decrypt(encryptedValue) {
+    const cryptoKey = await webcrypto.subtle.importKey('raw', key, { name: algorithm }, false, [
+        'decrypt',
+    ]);
+    const encryptedBuffer = Buffer.from(encryptedValue, 'hex');
+    const decryptedBuffer = await webcrypto.subtle.decrypt({ name: algorithm, iv: iv }, cryptoKey, encryptedBuffer);
+    const decoder = new TextDecoder();
+    return decoder.decode(decryptedBuffer);
+}
+/** --- v2: AES-CBC with a random IV per encryption --- */
+/**
+ * Encrypts a value using AES-CBC with a random IV per encryption
+ * @param value - The plaintext to encrypt
+ * @returns The encrypted string with IV prepended (iv:ciphertext format)
+ */
+async function encryptV2(value) {
+    const gen_iv = webcrypto.getRandomValues(new Uint8Array(16));
+    const cryptoKey = await webcrypto.subtle.importKey('raw', key, { name: algorithm }, false, [
+        'encrypt',
+    ]);
+    const encoder = new TextEncoder();
+    const data = encoder.encode(value);
+    const encryptedBuffer = await webcrypto.subtle.encrypt({ name: algorithm, iv: gen_iv }, cryptoKey, data);
+    return Buffer.from(gen_iv).toString('hex') + ':' + Buffer.from(encryptedBuffer).toString('hex');
+}
+/**
+ * Decrypts an encrypted value using AES-CBC with random IV
+ * @param encryptedValue - The encrypted string in iv:ciphertext format
+ * @returns The decrypted plaintext
+ */
+async function decryptV2(encryptedValue) {
+    var _a;
+    const parts = encryptedValue.split(':');
+    if (parts.length === 1) {
+        return parts[0];
+    }
+    const gen_iv = Buffer.from((_a = parts.shift()) !== null && _a !== void 0 ? _a : '', 'hex');
+    const encrypted = parts.join(':');
+    const cryptoKey = await webcrypto.subtle.importKey('raw', key, { name: algorithm }, false, [
+        'decrypt',
+    ]);
+    const encryptedBuffer = Buffer.from(encrypted, 'hex');
+    const decryptedBuffer = await webcrypto.subtle.decrypt({ name: algorithm, iv: gen_iv }, cryptoKey, encryptedBuffer);
+    const decoder = new TextDecoder();
+    return decoder.decode(decryptedBuffer);
+}
+/** --- v3: AES-256-CTR using Node's crypto functions --- */
+const algorithm_v3 = 'aes-256-ctr';
+/**
+ * Encrypts a value using AES-256-CTR.
+ * Note: AES-256 requires a 32-byte key. Ensure that process.env.CREDS_KEY is a 64-character hex string.
+ * @param value - The plaintext to encrypt.
+ * @returns The encrypted string with a "v3:" prefix.
+ */
+function encryptV3(value) {
+    if (key.length !== 32) {
+        throw new Error(`Invalid key length: expected 32 bytes, got ${key.length} bytes`);
+    }
+    const iv_v3 = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv(algorithm_v3, key, iv_v3);
+    const encrypted = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
+    return `v3:${iv_v3.toString('hex')}:${encrypted.toString('hex')}`;
+}
+/**
+ * Decrypts an encrypted value using AES-256-CTR.
+ * @param encryptedValue - The encrypted string with "v3:" prefix.
+ * @returns The decrypted plaintext.
+ */
+function decryptV3(encryptedValue) {
+    const parts = encryptedValue.split(':');
+    if (parts[0] !== 'v3') {
+        throw new Error('Not a v3 encrypted value');
+    }
+    const iv_v3 = Buffer.from(parts[1], 'hex');
+    const encryptedText = Buffer.from(parts.slice(2).join(':'), 'hex');
+    const decipher = crypto.createDecipheriv(algorithm_v3, key, iv_v3);
+    const decrypted = Buffer.concat([decipher.update(encryptedText), decipher.final()]);
+    return decrypted.toString('utf8');
+}
+/**
+ * Generates random values as a hex string
+ * @param length - The number of random bytes to generate
+ * @returns The random values as a hex string
+ */
+async function getRandomValues(length) {
+    if (!Number.isInteger(length) || length <= 0) {
+        throw new Error('Length must be a positive integer');
+    }
+    const randomValues = new Uint8Array(length);
+    webcrypto.getRandomValues(randomValues);
+    return Buffer.from(randomValues).toString('hex');
+}
+/**
+ * Computes SHA-256 hash for the given input.
+ * @param input - The input to hash.
+ * @returns The SHA-256 hash of the input.
+ */
+async function hashBackupCode(input) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(input);
+    const hashBuffer = await webcrypto.subtle.digest('SHA-256', data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    return hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+}
 
 // Define the Auth sub-schema with type-safety.
 const AuthSchema = new Schema({
@@ -1160,10 +1454,17 @@ const agentSchema = new Schema({
         default: false,
         index: true,
     },
+    /** MCP server names extracted from tools for efficient querying */
+    mcpServerNames: {
+        type: [String],
+        default: [],
+        index: true,
+    },
 }, {
     timestamps: true,
 });
 agentSchema.index({ updatedAt: -1, _id: 1 });
+agentSchema.index({ 'edges.to': 1 });
 
 const agentCategorySchema = new Schema({
     value: {
@@ -1299,6 +1600,10 @@ const bannerSchema = new Schema({
         type: Boolean,
         default: false,
     },
+    persistable: {
+        type: Boolean,
+        default: false,
+    },
 }, { timestamps: true });
 
 const categoriesSchema = new Schema({
@@ -1342,7 +1647,6 @@ conversationTag.index({ tag: 1, user: 1 }, { unique: true });
 
 // @ts-ignore
 const conversationPreset = {
-    // endpoint: [azureOpenAI, openAI, anthropic, chatGPTBrowser]
     endpoint: {
         type: String,
         default: null,
@@ -1351,7 +1655,7 @@ const conversationPreset = {
     endpointType: {
         type: String,
     },
-    // for azureOpenAI, openAI, chatGPTBrowser only
+    // for azureOpenAI, openAI only
     model: {
         type: String,
         required: false,
@@ -1516,9 +1820,6 @@ const convoSchema = new Schema({
         meiliIndex: true,
     },
     messages: [{ type: Schema.Types.ObjectId, ref: 'Message' }],
-    agentOptions: {
-        type: Schema.Types.Mixed,
-    },
     ...conversationPreset,
     agent_id: {
         type: String,
@@ -1538,6 +1839,8 @@ const convoSchema = new Schema({
 convoSchema.index({ expiredAt: 1 }, { expireAfterSeconds: 0 });
 convoSchema.index({ createdAt: 1, updatedAt: 1 });
 convoSchema.index({ conversationId: 1, user: 1 }, { unique: true });
+// index for MeiliSearch sync operations
+convoSchema.index({ _meiliIndex: 1, expiredAt: 1 });
 
 const file = new Schema({
     user: {
@@ -1734,25 +2037,6 @@ const messageSchema = new Schema({
         default: false,
     },
     files: { type: [{ type: mongoose.Schema.Types.Mixed }], default: undefined },
-    plugin: {
-        type: {
-            latest: {
-                type: String,
-                required: false,
-            },
-            inputs: {
-                type: [mongoose.Schema.Types.Mixed],
-                required: false,
-                default: undefined,
-            },
-            outputs: {
-                type: String,
-                required: false,
-            },
-        },
-        default: undefined,
-    },
-    plugins: { type: [{ type: mongoose.Schema.Types.Mixed }], default: undefined },
     content: {
         type: [{ type: mongoose.Schema.Types.Mixed }],
         default: undefined,
@@ -1792,10 +2076,16 @@ const messageSchema = new Schema({
     expiredAt: {
         type: Date,
     },
+    addedConvo: {
+        type: Boolean,
+        default: undefined,
+    },
 }, { timestamps: true });
 messageSchema.index({ expiredAt: 1 }, { expireAfterSeconds: 0 });
 messageSchema.index({ createdAt: 1 });
 messageSchema.index({ messageId: 1, user: 1 }, { unique: true });
+// index for MeiliSearch sync operations
+messageSchema.index({ _meiliIndex: 1, expiredAt: 1 });
 
 const pluginAuthSchema = new Schema({
     authField: {
@@ -1838,10 +2128,6 @@ const presetSchema = new Schema({
         type: Number,
     },
     ...conversationPreset,
-    agentOptions: {
-        type: mongoose.Schema.Types.Mixed,
-        default: null,
-    },
 }, { timestamps: true });
 
 const projectSchema = new Schema({
@@ -2000,6 +2286,11 @@ const rolePermissionsSchema = new Schema({
     [PermissionTypes.FILE_CITATIONS]: {
         [Permissions.USE]: { type: Boolean },
     },
+    [PermissionTypes.MCP_SERVERS]: {
+        [Permissions.USE]: { type: Boolean },
+        [Permissions.CREATE]: { type: Boolean },
+        [Permissions.SHARE]: { type: Boolean },
+    },
 }, { _id: false });
 const roleSchema = new Schema({
     name: { type: String, required: true, unique: true, index: true },
@@ -2143,6 +2434,7 @@ const transactionSchema = new Schema({
     },
     model: {
         type: String,
+        index: true,
     },
     context: {
         type: String,
@@ -2290,6 +2582,17 @@ const userSchema = new Schema({
         },
         default: {},
     },
+    favorites: {
+        type: [
+            {
+                _id: false,
+                agentId: String, // for agent
+                model: String, // for model
+                endpoint: String, // for model
+            },
+        ],
+        default: [],
+    },
     /** Field for external source identification (for consistency with TPrincipal schema) */
     idOnTheSource: {
         type: String,
@@ -2509,26 +2812,6 @@ const getSyncConfig = () => ({
     batchSize: parseInt(process.env.MEILI_SYNC_BATCH_SIZE || '100', 10),
     delayMs: parseInt(process.env.MEILI_SYNC_DELAY_MS || '100', 10),
 });
-/**
- * Local implementation of parseTextParts to avoid dependency on librechat-data-provider
- * Extracts text content from an array of content items
- */
-const parseTextParts = (content) => {
-    if (!Array.isArray(content)) {
-        return '';
-    }
-    return content
-        .filter((item) => item.type === 'text' && typeof item.text === 'string')
-        .map((item) => item.text)
-        .join(' ')
-        .trim();
-};
-/**
- * Local implementation to handle Bing convoId conversion
- */
-const cleanUpPrimaryKeyValue = (value) => {
-    return value.replace(/--/g, '|');
-};
 /**
  * Validates the required options for configuring the mongoMeili plugin.
  */
@@ -2590,7 +2873,8 @@ const createMeiliMongooseModel = ({ index, attributesToIndex, syncOptions, }) =>
                 const { batchSize, delayMs } = syncConfig;
                 logger.info(`[syncWithMeili] Starting sync for ${primaryKey === 'messageId' ? 'messages' : 'conversations'} with batch size ${batchSize}`);
                 // Build query with resume capability
-                const query = {};
+                // Do not sync TTL documents
+                const query = { expiredAt: null };
                 if (options === null || options === void 0 ? void 0 : options.resumeFromId) {
                     query._id = { $gt: options.resumeFromId };
                 }
@@ -2718,7 +3002,7 @@ const createMeiliMongooseModel = ({ index, attributesToIndex, syncOptions, }) =>
             const data = await index.search(q, params);
             if (populate) {
                 const query = {};
-                query[primaryKey] = _.map(data.hits, (hit) => cleanUpPrimaryKeyValue(hit[primaryKey]));
+                query[primaryKey] = _.map(data.hits, (hit) => hit[primaryKey]);
                 const projection = Object.keys(this.schema.obj).reduce((results, key) => {
                     if (!key.startsWith('$')) {
                         results[key] = 1;
@@ -2761,6 +3045,10 @@ const createMeiliMongooseModel = ({ index, attributesToIndex, syncOptions, }) =>
          * Adds the current document to the MeiliSearch index with retry logic
          */
         async addObjectToMeili(next) {
+            // If this conversation or message has a TTL, don't index it
+            if (!_.isNil(this.expiredAt)) {
+                return next();
+            }
             const object = this.preprocessObjectForIndex();
             const maxRetries = 3;
             let retryCount = 0;
@@ -3075,7 +3363,38 @@ function createAgentModel(mongoose) {
  * Creates or returns the AgentCategory model using the provided mongoose instance and schema
  */
 function createAgentCategoryModel(mongoose) {
-    return mongoose.models.AgentCategory || mongoose.model('AgentCategory', agentCategorySchema);
+    return (mongoose.models.AgentCategory ||
+        mongoose.model('AgentCategory', agentCategorySchema));
+}
+
+const mcpServerSchema = new Schema({
+    serverName: {
+        type: String,
+        index: true,
+        unique: true,
+        required: true,
+    },
+    config: {
+        type: Schema.Types.Mixed,
+        required: true,
+        // Config contains: title, description, url, oauth, etc.
+    },
+    author: {
+        type: Schema.Types.ObjectId,
+        ref: 'User',
+        required: true,
+        index: true,
+    },
+}, {
+    timestamps: true,
+});
+mcpServerSchema.index({ updatedAt: -1, _id: 1 });
+
+/**
+ * Creates or returns the MCPServer model using the provided mongoose instance and schema
+ */
+function createMCPServerModel(mongoose) {
+    return (mongoose.models.MCPServer || mongoose.model('MCPServer', mcpServerSchema));
 }
 
 /**
@@ -3203,7 +3522,7 @@ const accessRoleSchema = new Schema({
     description: String,
     resourceType: {
         type: String,
-        enum: ['agent', 'project', 'file', 'promptGroup'],
+        enum: ['agent', 'project', 'file', 'promptGroup', 'mcpServer'],
         required: true,
         default: 'agent',
     },
@@ -3304,6 +3623,7 @@ function createModels(mongoose) {
         Message: createMessageModel(mongoose),
         Agent: createAgentModel(mongoose),
         AgentCategory: createAgentCategoryModel(mongoose),
+        MCPServer: createMCPServerModel(mongoose),
         Role: createRoleModel(mongoose),
         Action: createActionModel(mongoose),
         Assistant: createAssistantModel(mongoose),
@@ -3326,7 +3646,6 @@ function createModels(mongoose) {
     };
 }
 
-var _a;
 class SessionError extends Error {
     constructor(message, code = 'SESSION_ERROR') {
         super(message);
@@ -3334,22 +3653,24 @@ class SessionError extends Error {
         this.code = code;
     }
 }
-const { REFRESH_TOKEN_EXPIRY } = (_a = process.env) !== null && _a !== void 0 ? _a : {};
-const expires = REFRESH_TOKEN_EXPIRY ? eval(REFRESH_TOKEN_EXPIRY) : 1000 * 60 * 60 * 24 * 7; // 7 days default
+/** Default refresh token expiry: 7 days in milliseconds */
+const DEFAULT_REFRESH_TOKEN_EXPIRY = 1000 * 60 * 60 * 24 * 7;
 // Factory function that takes mongoose instance and returns the methods
 function createSessionMethods(mongoose) {
     /**
      * Creates a new session for a user
      */
     async function createSession(userId, options = {}) {
+        var _a;
         if (!userId) {
             throw new SessionError('User ID is required', 'INVALID_USER_ID');
         }
+        const expiresIn = (_a = options.expiresIn) !== null && _a !== void 0 ? _a : DEFAULT_REFRESH_TOKEN_EXPIRY;
         try {
             const Session = mongoose.models.Session;
             const currentSession = new Session({
                 user: userId,
-                expiration: options.expiration || new Date(Date.now() + expires),
+                expiration: options.expiration || new Date(Date.now() + expiresIn),
             });
             const refreshToken = await generateRefreshToken(currentSession);
             return { session: currentSession, refreshToken };
@@ -3403,14 +3724,16 @@ function createSessionMethods(mongoose) {
     /**
      * Updates session expiration
      */
-    async function updateExpiration(session, newExpiration) {
+    async function updateExpiration(session, newExpiration, options = {}) {
+        var _a;
+        const expiresIn = (_a = options.expiresIn) !== null && _a !== void 0 ? _a : DEFAULT_REFRESH_TOKEN_EXPIRY;
         try {
             const Session = mongoose.models.Session;
             const sessionDoc = typeof session === 'string' ? await Session.findById(session) : session;
             if (!sessionDoc) {
                 throw new SessionError('Session not found', 'SESSION_NOT_FOUND');
             }
-            sessionDoc.expiration = newExpiration || new Date(Date.now() + expires);
+            sessionDoc.expiration = newExpiration || new Date(Date.now() + expiresIn);
             return await sessionDoc.save();
         }
         catch (error) {
@@ -3481,7 +3804,9 @@ function createSessionMethods(mongoose) {
             throw new SessionError('Invalid session object', 'INVALID_SESSION');
         }
         try {
-            const expiresIn = session.expiration ? session.expiration.getTime() : Date.now() + expires;
+            const expiresIn = session.expiration
+                ? session.expiration.getTime()
+                : Date.now() + DEFAULT_REFRESH_TOKEN_EXPIRY;
             if (!session.expiration) {
                 session.expiration = new Date(expiresIn);
             }
@@ -3561,7 +3886,11 @@ function createTokenMethods(mongoose) {
     async function updateToken(query, updateData) {
         try {
             const Token = mongoose.models.Token;
-            return await Token.findOneAndUpdate(query, updateData, { new: true });
+            const dataToUpdate = { ...updateData };
+            if ((updateData === null || updateData === void 0 ? void 0 : updateData.expiresIn) !== undefined) {
+                dataToUpdate.expiresAt = new Date(Date.now() + updateData.expiresIn * 1000);
+            }
+            return await Token.findOneAndUpdate(query, dataToUpdate, { new: true });
         }
         catch (error) {
             logger$1.debug('An error occurred while updating token:', error);
@@ -3570,6 +3899,7 @@ function createTokenMethods(mongoose) {
     }
     /**
      * Deletes all Token documents that match the provided token, user ID, or email.
+     * Email is automatically normalized to lowercase for case-insensitive matching.
      */
     async function deleteTokens(query) {
         try {
@@ -3582,7 +3912,7 @@ function createTokenMethods(mongoose) {
                 conditions.push({ token: query.token });
             }
             if (query.email !== undefined) {
-                conditions.push({ email: query.email });
+                conditions.push({ email: query.email.trim().toLowerCase() });
             }
             if (query.identifier !== undefined) {
                 conditions.push({ identifier: query.identifier });
@@ -3604,6 +3934,7 @@ function createTokenMethods(mongoose) {
     }
     /**
      * Finds a Token document that matches the provided query.
+     * Email is automatically normalized to lowercase for case-insensitive matching.
      */
     async function findToken(query, options) {
         try {
@@ -3616,7 +3947,7 @@ function createTokenMethods(mongoose) {
                 conditions.push({ token: query.token });
             }
             if (query.email) {
-                conditions.push({ email: query.email });
+                conditions.push({ email: query.email.trim().toLowerCase() });
             }
             if (query.identifier) {
                 conditions.push({ identifier: query.identifier });
@@ -3681,14 +4012,37 @@ function createRoleMethods(mongoose) {
     };
 }
 
+/** Default JWT session expiry: 15 minutes in milliseconds */
+const DEFAULT_SESSION_EXPIRY = 1000 * 60 * 15;
 /** Factory function that takes mongoose instance and returns the methods */
 function createUserMethods(mongoose) {
+    /**
+     * Normalizes email fields in search criteria to lowercase and trimmed.
+     * Handles both direct email fields and $or arrays containing email conditions.
+     */
+    function normalizeEmailInCriteria(criteria) {
+        const normalized = { ...criteria };
+        if (typeof normalized.email === 'string') {
+            normalized.email = normalized.email.trim().toLowerCase();
+        }
+        if (Array.isArray(normalized.$or)) {
+            normalized.$or = normalized.$or.map((condition) => {
+                if (typeof condition.email === 'string') {
+                    return { ...condition, email: condition.email.trim().toLowerCase() };
+                }
+                return condition;
+            });
+        }
+        return normalized;
+    }
     /**
      * Search for a single user based on partial data and return matching user document as plain object.
+     * Email fields in searchCriteria are automatically normalized to lowercase for case-insensitive matching.
      */
     async function findUser(searchCriteria, fieldsToSelect) {
         const User = mongoose.models.User;
-        const query = User.findOne(searchCriteria);
+        const normalizedCriteria = normalizeEmailInCriteria(searchCriteria);
+        const query = User.findOne(normalizedCriteria);
         if (fieldsToSelect) {
             query.select(fieldsToSelect);
         }
@@ -3785,23 +4139,14 @@ function createUserMethods(mongoose) {
     }
     /**
      * Generates a JWT token for a given user.
+     * @param user - The user object
+     * @param expiresIn - Optional expiry time in milliseconds. Default: 15 minutes
      */
-    async function generateToken(user) {
+    async function generateToken(user, expiresIn) {
         if (!user) {
             throw new Error('No user provided');
         }
-        let expires = 1000 * 60 * 15;
-        if (process.env.SESSION_EXPIRY !== undefined && process.env.SESSION_EXPIRY !== '') {
-            try {
-                const evaluated = eval(process.env.SESSION_EXPIRY);
-                if (evaluated) {
-                    expires = evaluated;
-                }
-            }
-            catch (error) {
-                console.warn('Invalid SESSION_EXPIRY expression, using default:', error);
-            }
-        }
+        const expires = expiresIn !== null && expiresIn !== void 0 ? expiresIn : DEFAULT_SESSION_EXPIRY;
         return await signPayload({
             payload: {
                 id: user._id,
@@ -3895,6 +4240,26 @@ function createUserMethods(mongoose) {
             return userWithoutScore;
         });
     };
+    /**
+     * Updates the plugins for a user based on the action specified (install/uninstall).
+     * @param userId - The user ID whose plugins are to be updated
+     * @param plugins - The current plugins array
+     * @param pluginKey - The key of the plugin to install or uninstall
+     * @param action - The action to perform, 'install' or 'uninstall'
+     * @returns The result of the update operation or null if action is invalid
+     */
+    async function updateUserPlugins(userId, plugins, pluginKey, action) {
+        const userPlugins = plugins !== null && plugins !== void 0 ? plugins : [];
+        if (action === 'install') {
+            return updateUser(userId, { plugins: [...userPlugins, pluginKey] });
+        }
+        if (action === 'uninstall') {
+            return updateUser(userId, {
+                plugins: userPlugins.filter((plugin) => plugin !== pluginKey),
+            });
+        }
+        return null;
+    }
     return {
         findUser,
         countUsers,
@@ -3904,10 +4269,356 @@ function createUserMethods(mongoose) {
         getUserById,
         generateToken,
         deleteUserById,
+        updateUserPlugins,
         toggleUserMemories,
     };
 }
 
+/** Factory function that takes mongoose instance and returns the key methods */
+function createKeyMethods(mongoose) {
+    /**
+     * Retrieves and decrypts the key value for a given user identified by userId and identifier name.
+     * @param params - The parameters object
+     * @param params.userId - The unique identifier for the user
+     * @param params.name - The name associated with the key
+     * @returns The decrypted key value
+     * @throws Error if the key is not found or if there is a problem during key retrieval
+     * @description This function searches for a user's key in the database using their userId and name.
+     *              If found, it decrypts the value of the key and returns it. If no key is found, it throws
+     *              an error indicating that there is no user key available.
+     */
+    async function getUserKey(params) {
+        const { userId, name } = params;
+        const Key = mongoose.models.Key;
+        const keyValue = (await Key.findOne({ userId, name }).lean());
+        if (!keyValue) {
+            throw new Error(JSON.stringify({
+                type: ErrorTypes.NO_USER_KEY,
+            }));
+        }
+        return await decrypt(keyValue.value);
+    }
+    /**
+     * Retrieves, decrypts, and parses the key values for a given user identified by userId and name.
+     * @param params - The parameters object
+     * @param params.userId - The unique identifier for the user
+     * @param params.name - The name associated with the key
+     * @returns The decrypted and parsed key values
+     * @throws Error if the key is invalid or if there is a problem during key value parsing
+     * @description This function retrieves a user's encrypted key using their userId and name, decrypts it,
+     *              and then attempts to parse the decrypted string into a JSON object. If the parsing fails,
+     *              it throws an error indicating that the user key is invalid.
+     */
+    async function getUserKeyValues(params) {
+        const { userId, name } = params;
+        const userValues = await getUserKey({ userId, name });
+        try {
+            return JSON.parse(userValues);
+        }
+        catch (e) {
+            logger$1.error('[getUserKeyValues]', e);
+            throw new Error(JSON.stringify({
+                type: ErrorTypes.INVALID_USER_KEY,
+            }));
+        }
+    }
+    /**
+     * Retrieves the expiry information of a user's key identified by userId and name.
+     * @param params - The parameters object
+     * @param params.userId - The unique identifier for the user
+     * @param params.name - The name associated with the key
+     * @returns The expiry date of the key or null if the key doesn't exist
+     * @description This function fetches a user's key from the database using their userId and name and
+     *              returns its expiry date. If the key is not found, it returns null for the expiry date.
+     */
+    async function getUserKeyExpiry(params) {
+        const { userId, name } = params;
+        const Key = mongoose.models.Key;
+        const keyValue = (await Key.findOne({ userId, name }).lean());
+        if (!keyValue) {
+            return { expiresAt: null };
+        }
+        return { expiresAt: keyValue.expiresAt || 'never' };
+    }
+    /**
+     * Updates or inserts a new key for a given user identified by userId and name, with a specified value and expiry date.
+     * @param params - The parameters object
+     * @param params.userId - The unique identifier for the user
+     * @param params.name - The name associated with the key
+     * @param params.value - The value to be encrypted and stored as the key's value
+     * @param params.expiresAt - The expiry date for the key [optional]
+     * @returns The updated or newly inserted key document
+     * @description This function either updates an existing user key or inserts a new one into the database,
+     *              after encrypting the provided value. It sets the provided expiry date for the key (or unsets for no expiry).
+     */
+    async function updateUserKey(params) {
+        const { userId, name, value, expiresAt = null } = params;
+        const Key = mongoose.models.Key;
+        const encryptedValue = await encrypt(value);
+        const updateObject = {
+            userId,
+            name,
+            value: encryptedValue,
+        };
+        const updateQuery = {
+            $set: updateObject,
+        };
+        if (expiresAt) {
+            updateObject.expiresAt = new Date(expiresAt);
+        }
+        else {
+            updateQuery.$unset = { expiresAt: '' };
+        }
+        return await Key.findOneAndUpdate({ userId, name }, updateQuery, {
+            upsert: true,
+            new: true,
+        }).lean();
+    }
+    /**
+     * Deletes a key or all keys for a given user identified by userId, optionally based on a specified name.
+     * @param params - The parameters object
+     * @param params.userId - The unique identifier for the user
+     * @param params.name - The name associated with the key to delete. If not provided and all is true, deletes all keys
+     * @param params.all - Whether to delete all keys for the user
+     * @returns The result of the deletion operation
+     * @description This function deletes a specific key or all keys for a user from the database.
+     *              If a name is provided and all is false, it deletes only the key with that name.
+     *              If all is true, it ignores the name and deletes all keys for the user.
+     */
+    async function deleteUserKey(params) {
+        const { userId, name, all = false } = params;
+        const Key = mongoose.models.Key;
+        if (all) {
+            return await Key.deleteMany({ userId });
+        }
+        return await Key.findOneAndDelete({ userId, name }).lean();
+    }
+    return {
+        getUserKey,
+        updateUserKey,
+        deleteUserKey,
+        getUserKeyValues,
+        getUserKeyExpiry,
+    };
+}
+
+/** Factory function that takes mongoose instance and returns the file methods */
+function createFileMethods(mongoose) {
+    /**
+     * Finds a file by its file_id with additional query options.
+     * @param file_id - The unique identifier of the file
+     * @param options - Query options for filtering, projection, etc.
+     * @returns A promise that resolves to the file document or null
+     */
+    async function findFileById(file_id, options = {}) {
+        const File = mongoose.models.File;
+        return File.findOne({ file_id, ...options }).lean();
+    }
+    /**
+     * Retrieves files matching a given filter, sorted by the most recently updated.
+     * @param filter - The filter criteria to apply
+     * @param _sortOptions - Optional sort parameters
+     * @param selectFields - Fields to include/exclude in the query results. Default excludes the 'text' field
+     * @param options - Additional query options (userId, agentId for ACL)
+     * @returns A promise that resolves to an array of file documents
+     */
+    async function getFiles(filter, _sortOptions, selectFields) {
+        const File = mongoose.models.File;
+        const sortOptions = { updatedAt: -1, ..._sortOptions };
+        const query = File.find(filter);
+        if (selectFields != null) {
+            query.select(selectFields);
+        }
+        else {
+            query.select({ text: 0 });
+        }
+        return await query.sort(sortOptions).lean();
+    }
+    /**
+     * Retrieves tool files (files that are embedded or have a fileIdentifier) from an array of file IDs
+     * @param fileIds - Array of file_id strings to search for
+     * @param toolResourceSet - Optional filter for tool resources
+     * @returns Files that match the criteria
+     */
+    async function getToolFilesByIds(fileIds, toolResourceSet) {
+        var _a, _b, _c;
+        if (!fileIds || !fileIds.length || !(toolResourceSet === null || toolResourceSet === void 0 ? void 0 : toolResourceSet.size)) {
+            return [];
+        }
+        try {
+            const filter = {
+                file_id: { $in: fileIds },
+                $or: [],
+            };
+            if (toolResourceSet.has(EToolResources.context)) {
+                (_a = filter.$or) === null || _a === void 0 ? void 0 : _a.push({ text: { $exists: true, $ne: null }, context: FileContext.agents });
+            }
+            if (toolResourceSet.has(EToolResources.file_search)) {
+                (_b = filter.$or) === null || _b === void 0 ? void 0 : _b.push({ embedded: true });
+            }
+            if (toolResourceSet.has(EToolResources.execute_code)) {
+                (_c = filter.$or) === null || _c === void 0 ? void 0 : _c.push({ 'metadata.fileIdentifier': { $exists: true } });
+            }
+            const selectFields = { text: 0 };
+            const sortOptions = { updatedAt: -1 };
+            const results = await getFiles(filter, sortOptions, selectFields);
+            return results !== null && results !== void 0 ? results : [];
+        }
+        catch (error) {
+            logger$1.error('[getToolFilesByIds] Error retrieving tool files:', error);
+            throw new Error('Error retrieving tool files');
+        }
+    }
+    /**
+     * Creates a new file with a TTL of 1 hour.
+     * @param data - The file data to be created, must contain file_id
+     * @param disableTTL - Whether to disable the TTL
+     * @returns A promise that resolves to the created file document
+     */
+    async function createFile(data, disableTTL) {
+        const File = mongoose.models.File;
+        const fileData = {
+            ...data,
+            expiresAt: new Date(Date.now() + 3600 * 1000),
+        };
+        if (disableTTL) {
+            delete fileData.expiresAt;
+        }
+        return File.findOneAndUpdate({ file_id: data.file_id }, fileData, {
+            new: true,
+            upsert: true,
+        }).lean();
+    }
+    /**
+     * Updates a file identified by file_id with new data and removes the TTL.
+     * @param data - The data to update, must contain file_id
+     * @returns A promise that resolves to the updated file document
+     */
+    async function updateFile(data) {
+        const File = mongoose.models.File;
+        const { file_id, ...update } = data;
+        const updateOperation = {
+            $set: update,
+            $unset: { expiresAt: '' },
+        };
+        return File.findOneAndUpdate({ file_id }, updateOperation, {
+            new: true,
+        }).lean();
+    }
+    /**
+     * Increments the usage of a file identified by file_id.
+     * @param data - The data to update, must contain file_id and the increment value for usage
+     * @returns A promise that resolves to the updated file document
+     */
+    async function updateFileUsage(data) {
+        const File = mongoose.models.File;
+        const { file_id, inc = 1 } = data;
+        const updateOperation = {
+            $inc: { usage: inc },
+            $unset: { expiresAt: '', temp_file_id: '' },
+        };
+        return File.findOneAndUpdate({ file_id }, updateOperation, {
+            new: true,
+        }).lean();
+    }
+    /**
+     * Deletes a file identified by file_id.
+     * @param file_id - The unique identifier of the file to delete
+     * @returns A promise that resolves to the deleted file document or null
+     */
+    async function deleteFile(file_id) {
+        const File = mongoose.models.File;
+        return File.findOneAndDelete({ file_id }).lean();
+    }
+    /**
+     * Deletes a file identified by a filter.
+     * @param filter - The filter criteria to apply
+     * @returns A promise that resolves to the deleted file document or null
+     */
+    async function deleteFileByFilter(filter) {
+        const File = mongoose.models.File;
+        return File.findOneAndDelete(filter).lean();
+    }
+    /**
+     * Deletes multiple files identified by an array of file_ids.
+     * @param file_ids - The unique identifiers of the files to delete
+     * @param user - Optional user ID to filter by
+     * @returns A promise that resolves to the result of the deletion operation
+     */
+    async function deleteFiles(file_ids, user) {
+        const File = mongoose.models.File;
+        let deleteQuery = { file_id: { $in: file_ids } };
+        if (user) {
+            deleteQuery = { user: user };
+        }
+        return File.deleteMany(deleteQuery);
+    }
+    /**
+     * Batch updates files with new signed URLs in MongoDB
+     * @param updates - Array of updates in the format { file_id, filepath }
+     */
+    async function batchUpdateFiles(updates) {
+        if (!updates || updates.length === 0) {
+            return;
+        }
+        const File = mongoose.models.File;
+        const bulkOperations = updates.map((update) => ({
+            updateOne: {
+                filter: { file_id: update.file_id },
+                update: { $set: { filepath: update.filepath } },
+            },
+        }));
+        const result = await File.bulkWrite(bulkOperations);
+        logger$1.info(`Updated ${result.modifiedCount} files with new S3 URLs`);
+    }
+    /**
+     * Updates usage tracking for multiple files.
+     * Processes files and optional fileIds, updating their usage count in the database.
+     *
+     * @param files - Array of file objects to process
+     * @param fileIds - Optional array of file IDs to process
+     * @returns Array of updated file documents (with null results filtered out)
+     */
+    async function updateFilesUsage(files, fileIds) {
+        const promises = [];
+        const seen = new Set();
+        for (const file of files) {
+            const { file_id } = file;
+            if (seen.has(file_id)) {
+                continue;
+            }
+            seen.add(file_id);
+            promises.push(updateFileUsage({ file_id }));
+        }
+        if (!fileIds) {
+            const results = await Promise.all(promises);
+            return results.filter((result) => result != null);
+        }
+        for (const file_id of fileIds) {
+            if (seen.has(file_id)) {
+                continue;
+            }
+            seen.add(file_id);
+            promises.push(updateFileUsage({ file_id }));
+        }
+        const results = await Promise.all(promises);
+        return results.filter((result) => result != null);
+    }
+    return {
+        findFileById,
+        getFiles,
+        getToolFilesByIds,
+        createFile,
+        updateFile,
+        updateFileUsage,
+        deleteFile,
+        deleteFiles,
+        deleteFileByFilter,
+        batchUpdateFiles,
+        updateFilesUsage,
+    };
+}
+
 /**
  * Formats a date in YYYY-MM-DD format
  */
@@ -4255,6 +4966,258 @@ function createAgentCategoryMethods(mongoose) {
     };
 }
 
+const NORMALIZED_LIMIT_DEFAULT = 20;
+const MAX_CREATE_RETRIES = 5;
+const RETRY_BASE_DELAY_MS = 25;
+/**
+ * Helper to check if an error is a MongoDB duplicate key error.
+ * Since serverName is the only unique index on MCPServer, any E11000 error
+ * during creation is necessarily a serverName collision.
+ */
+function isDuplicateKeyError(error) {
+    if (error && typeof error === 'object' && 'code' in error) {
+        const mongoError = error;
+        return mongoError.code === 11000;
+    }
+    return false;
+}
+/**
+ * Escapes special regex characters in a string so they are treated literally.
+ */
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Generates a URL-friendly server name from a title.
+ * Converts to lowercase, replaces spaces with hyphens, removes special characters.
+ */
+function generateServerNameFromTitle(title) {
+    const slug = title
+        .toLowerCase()
+        .trim()
+        .replace(/[^a-z0-9\s-]/g, '') // Remove special chars except spaces and hyphens
+        .replace(/\s+/g, '-') // Replace spaces with hyphens
+        .replace(/-+/g, '-') // Remove consecutive hyphens
+        .replace(/^-|-$/g, ''); // Trim leading/trailing hyphens
+    return slug || 'mcp-server'; // Fallback if empty
+}
+function createMCPServerMethods(mongoose) {
+    /**
+     * Finds the next available server name by checking for duplicates.
+     * If baseName exists, returns baseName-2, baseName-3, etc.
+     */
+    async function findNextAvailableServerName(baseName) {
+        const MCPServer = mongoose.models.MCPServer;
+        // Find all servers with matching base name pattern (baseName or baseName-N)
+        const escapedBaseName = escapeRegex(baseName);
+        const existing = await MCPServer.find({
+            serverName: { $regex: `^${escapedBaseName}(-\\d+)?$` },
+        })
+            .select('serverName')
+            .lean();
+        if (existing.length === 0) {
+            return baseName;
+        }
+        // Extract numbers from existing names
+        const numbers = existing.map((s) => {
+            const match = s.serverName.match(/-(\d+)$/);
+            return match ? parseInt(match[1], 10) : 1;
+        });
+        const maxNumber = Math.max(...numbers);
+        return `${baseName}-${maxNumber + 1}`;
+    }
+    /**
+     * Create a new MCP server with retry logic for handling race conditions.
+     * When multiple requests try to create servers with the same title simultaneously,
+     * they may get the same serverName from findNextAvailableServerName() before any
+     * creates the record (TOCTOU race condition). This is handled by retrying with
+     * exponential backoff when a duplicate key error occurs.
+     * @param data - Object containing config (with title, description, url, etc.) and author
+     * @returns The created MCP server document
+     */
+    async function createMCPServer(data) {
+        const MCPServer = mongoose.models.MCPServer;
+        let lastError;
+        for (let attempt = 0; attempt < MAX_CREATE_RETRIES; attempt++) {
+            try {
+                // Generate serverName from title, with fallback to nanoid if no title
+                // Important: regenerate on each attempt to get fresh available name
+                let serverName;
+                if (data.config.title) {
+                    const baseSlug = generateServerNameFromTitle(data.config.title);
+                    serverName = await findNextAvailableServerName(baseSlug);
+                }
+                else {
+                    serverName = `mcp-${nanoid(16)}`;
+                }
+                const newServer = await MCPServer.create({
+                    serverName,
+                    config: data.config,
+                    author: data.author,
+                });
+                return newServer.toObject();
+            }
+            catch (error) {
+                lastError = error;
+                // Only retry on duplicate key errors (serverName collision)
+                if (isDuplicateKeyError(error) && attempt < MAX_CREATE_RETRIES - 1) {
+                    // Exponential backoff: 10ms, 20ms, 40ms
+                    const delay = RETRY_BASE_DELAY_MS * Math.pow(2, attempt);
+                    logger$1.debug(`[createMCPServer] Duplicate serverName detected, retrying (attempt ${attempt + 2}/${MAX_CREATE_RETRIES}) after ${delay}ms`);
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                    continue;
+                }
+                // Not a duplicate key error or out of retries - throw immediately
+                throw error;
+            }
+        }
+        // Should not reach here, but TypeScript requires a return
+        throw lastError;
+    }
+    /**
+     * Find an MCP server by serverName
+     * @param serverName - The MCP server ID
+     * @returns The MCP server document or null
+     */
+    async function findMCPServerById(serverName) {
+        const MCPServer = mongoose.models.MCPServer;
+        return await MCPServer.findOne({ serverName }).lean();
+    }
+    /**
+     * Find an MCP server by MongoDB ObjectId
+     * @param _id - The MongoDB ObjectId
+     * @returns The MCP server document or null
+     */
+    async function findMCPServerByObjectId(_id) {
+        const MCPServer = mongoose.models.MCPServer;
+        return await MCPServer.findById(_id).lean();
+    }
+    /**
+     * Find MCP servers by author
+     * @param authorId - The author's ObjectId or string
+     * @returns Array of MCP server documents
+     */
+    async function findMCPServersByAuthor(authorId) {
+        const MCPServer = mongoose.models.MCPServer;
+        return await MCPServer.find({ author: authorId }).sort({ updatedAt: -1 }).lean();
+    }
+    /**
+     * Get a paginated list of MCP servers by IDs with filtering and search
+     * @param ids - Array of ObjectIds to include
+     * @param otherParams - Additional filter parameters (e.g., search)
+     * @param limit - Page size limit (null for no pagination)
+     * @param after - Cursor for pagination
+     * @returns Paginated list of MCP servers
+     */
+    async function getListMCPServersByIds({ ids = [], otherParams = {}, limit = null, after = null, }) {
+        const MCPServer = mongoose.models.MCPServer;
+        const isPaginated = limit !== null && limit !== undefined;
+        const normalizedLimit = isPaginated
+            ? Math.min(Math.max(1, parseInt(String(limit)) || NORMALIZED_LIMIT_DEFAULT), 100)
+            : null;
+        // Build base query combining accessible servers with other filters
+        const baseQuery = { ...otherParams, _id: { $in: ids } };
+        // Add cursor condition
+        if (after) {
+            try {
+                const cursor = JSON.parse(Buffer.from(after, 'base64').toString('utf8'));
+                const { updatedAt, _id } = cursor;
+                const cursorCondition = {
+                    $or: [
+                        { updatedAt: { $lt: new Date(updatedAt) } },
+                        { updatedAt: new Date(updatedAt), _id: { $gt: new mongoose.Types.ObjectId(_id) } },
+                    ],
+                };
+                // Merge cursor condition with base query
+                if (Object.keys(baseQuery).length > 0) {
+                    baseQuery.$and = [{ ...baseQuery }, cursorCondition];
+                    // Remove the original conditions from baseQuery to avoid duplication
+                    Object.keys(baseQuery).forEach((key) => {
+                        if (key !== '$and') {
+                            delete baseQuery[key];
+                        }
+                    });
+                }
+            }
+            catch (error) {
+                // Invalid cursor, ignore
+                logger$1.warn('[getListMCPServersByIds] Invalid cursor provided', error);
+            }
+        }
+        if (normalizedLimit === null) {
+            // No pagination - return all matching servers
+            const servers = await MCPServer.find(baseQuery).sort({ updatedAt: -1, _id: 1 }).lean();
+            return {
+                data: servers,
+                has_more: false,
+                after: null,
+            };
+        }
+        // Paginated query - assign to const to help TypeScript
+        const servers = await MCPServer.find(baseQuery)
+            .sort({ updatedAt: -1, _id: 1 })
+            .limit(normalizedLimit + 1)
+            .lean();
+        const hasMore = servers.length > normalizedLimit;
+        const data = hasMore ? servers.slice(0, normalizedLimit) : servers;
+        let nextCursor = null;
+        if (hasMore && data.length > 0) {
+            const lastItem = data[data.length - 1];
+            nextCursor = Buffer.from(JSON.stringify({
+                updatedAt: lastItem.updatedAt,
+                _id: lastItem._id,
+            })).toString('base64');
+        }
+        return {
+            data,
+            has_more: hasMore,
+            after: nextCursor,
+        };
+    }
+    /**
+     * Update an MCP server
+     * @param serverName - The MCP server ID
+     * @param updateData - Object containing config to update
+     * @returns The updated MCP server document or null
+     */
+    async function updateMCPServer(serverName, updateData) {
+        const MCPServer = mongoose.models.MCPServer;
+        return await MCPServer.findOneAndUpdate({ serverName }, { $set: updateData }, { new: true, runValidators: true }).lean();
+    }
+    /**
+     * Delete an MCP server
+     * @param serverName - The MCP server ID
+     * @returns The deleted MCP server document or null
+     */
+    async function deleteMCPServer(serverName) {
+        const MCPServer = mongoose.models.MCPServer;
+        return await MCPServer.findOneAndDelete({ serverName }).lean();
+    }
+    /**
+     * Get MCP servers by their serverName strings
+     * @param names - Array of serverName strings to fetch
+     * @returns Object containing array of MCP server documents
+     */
+    async function getListMCPServersByNames({ names = [] }) {
+        if (names.length === 0) {
+            return { data: [] };
+        }
+        const MCPServer = mongoose.models.MCPServer;
+        const servers = await MCPServer.find({ serverName: { $in: names } }).lean();
+        return { data: servers };
+    }
+    return {
+        createMCPServer,
+        findMCPServerById,
+        findMCPServerByObjectId,
+        findMCPServersByAuthor,
+        getListMCPServersByIds,
+        getListMCPServersByNames,
+        updateMCPServer,
+        deleteMCPServer,
+    };
+}
+
 // Factory function that takes mongoose instance and returns the methods
 function createPluginAuthMethods(mongoose) {
     /**
@@ -4482,6 +5445,27 @@ function createAccessRoleMethods(mongoose) {
                 resourceType: ResourceType.PROMPTGROUP,
                 permBits: RoleBits.OWNER,
             },
+            {
+                accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
+                name: 'com_ui_mcp_server_role_viewer',
+                description: 'com_ui_mcp_server_role_viewer_desc',
+                resourceType: ResourceType.MCPSERVER,
+                permBits: RoleBits.VIEWER,
+            },
+            {
+                accessRoleId: AccessRoleIds.MCPSERVER_EDITOR,
+                name: 'com_ui_mcp_server_role_editor',
+                description: 'com_ui_mcp_server_role_editor_desc',
+                resourceType: ResourceType.MCPSERVER,
+                permBits: RoleBits.EDITOR,
+            },
+            {
+                accessRoleId: AccessRoleIds.MCPSERVER_OWNER,
+                name: 'com_ui_mcp_server_role_owner',
+                description: 'com_ui_mcp_server_role_owner_desc',
+                resourceType: ResourceType.MCPSERVER,
+                permBits: RoleBits.OWNER,
+            },
         ];
         const result = {};
         for (const role of defaultRoles) {
@@ -5062,6 +6046,49 @@ function createAclEntryMethods(mongoose) {
         }
         return effectiveBits;
     }
+    /**
+     * Get effective permissions for multiple resources in a single query (BATCH)
+     * Returns a map of resourceId → effectivePermissionBits
+     *
+     * @param principalsList - List of principals (user + groups + public)
+     * @param resourceType - The type of resource ('MCPSERVER', 'AGENT', etc.)
+     * @param resourceIds - Array of resource IDs to check
+     * @returns {Promise<Map<string, number>>} Map of resourceId → permission bits
+     *
+     * @example
+     * const principals = await getUserPrincipals({ userId, role });
+     * const serverIds = [id1, id2, id3];
+     * const permMap = await getEffectivePermissionsForResources(
+     *   principals,
+     *   ResourceType.MCPSERVER,
+     *   serverIds
+     * );
+     * // permMap.get(id1.toString()) → 7 (VIEW|EDIT|DELETE)
+     */
+    async function getEffectivePermissionsForResources(principalsList, resourceType, resourceIds) {
+        if (!Array.isArray(resourceIds) || resourceIds.length === 0) {
+            return new Map();
+        }
+        const AclEntry = mongoose.models.AclEntry;
+        const principalsQuery = principalsList.map((p) => ({
+            principalType: p.principalType,
+            ...(p.principalType !== PrincipalType.PUBLIC && { principalId: p.principalId }),
+        }));
+        // Batch query for all resources at once
+        const aclEntries = await AclEntry.find({
+            $or: principalsQuery,
+            resourceType,
+            resourceId: { $in: resourceIds },
+        }).lean();
+        // Compute effective permissions per resource
+        const permissionsMap = new Map();
+        for (const entry of aclEntries) {
+            const rid = entry.resourceId.toString();
+            const currentBits = permissionsMap.get(rid) || 0;
+            permissionsMap.set(rid, currentBits | entry.permBits);
+        }
+        return permissionsMap;
+    }
     /**
      * Grant permission to a principal for a resource
      * @param principalType - The type of principal ('user', 'group', 'public')
@@ -5202,6 +6229,7 @@ function createAclEntryMethods(mongoose) {
         findEntriesByPrincipalsAndResource,
         hasPermission,
         getEffectivePermissions,
+        getEffectivePermissionsForResources,
         grantPermission,
         revokePermission,
         modifyPermissionBits,
@@ -5677,6 +6705,7 @@ function createShareMethods(mongoose) {
 
 /**
  * Creates all database methods for all collections
+ * @param mongoose - Mongoose instance
  */
 function createMethods(mongoose) {
     return {
@@ -5684,8 +6713,11 @@ function createMethods(mongoose) {
         ...createSessionMethods(mongoose),
         ...createTokenMethods(mongoose),
         ...createRoleMethods(mongoose),
+        ...createKeyMethods(mongoose),
+        ...createFileMethods(mongoose),
         ...createMemoryMethods(mongoose),
         ...createAgentCategoryMethods(mongoose),
+        ...createMCPServerMethods(mongoose),
         ...createAccessRoleMethods(mongoose),
         ...createUserGroupMethods(mongoose),
         ...createAclEntryMethods(mongoose),
@@ -5694,5 +6726,5 @@ function createMethods(mongoose) {
     };
 }
 
-export { AppService, RoleBits, Action as actionSchema, agentCategorySchema, agentSchema, agentsConfigSetup, assistantSchema, balanceSchema, bannerSchema, categoriesSchema, conversationTag as conversationTagSchema, convoSchema, createMethods, createModels, file as fileSchema, getTransactionSupport, getWebSearchKeys, groupSchema, hashToken, keySchema, loadDefaultInterface, loadTurnstileConfig, loadWebSearchConfig, logger$1 as logger, logger as meiliLogger, MemoryEntrySchema as memorySchema, messageSchema, pluginAuthSchema, presetSchema, processModelSpecs, projectSchema, promptGroupSchema, promptSchema, roleSchema, sessionSchema, shareSchema, signPayload, supportsTransactions, tokenSchema, toolCallSchema, transactionSchema, userSchema, webSearchAuth, webSearchKeys };
+export { AppService, DEFAULT_REFRESH_TOKEN_EXPIRY, DEFAULT_SESSION_EXPIRY, RoleBits, Action as actionSchema, agentCategorySchema, agentSchema, agentsConfigSetup, assistantSchema, balanceSchema, bannerSchema, categoriesSchema, conversationTag as conversationTagSchema, convoSchema, createMethods, createModels, decrypt, decryptV2, decryptV3, defaultVertexModels, encrypt, encryptV2, encryptV3, file as fileSchema, getRandomValues, getTransactionSupport, getWebSearchKeys, groupSchema, hashBackupCode, hashToken, keySchema, loadDefaultInterface, loadTurnstileConfig, loadWebSearchConfig, logger$1 as logger, logger as meiliLogger, MemoryEntrySchema as memorySchema, messageSchema, pluginAuthSchema, presetSchema, processModelSpecs, projectSchema, promptGroupSchema, promptSchema, roleSchema, sessionSchema, shareSchema, signPayload, supportsTransactions, tokenSchema, toolCallSchema, transactionSchema, userSchema, validateVertexConfig, vertexConfigSetup, webSearchAuth, webSearchKeys };
 //# sourceMappingURL=index.es.js.map