1942 Commits

Author SHA1 Message Date
Timothy Carambat
a207449095 Enforce user suspension check on browser extension API key path
Previously, suspended users could continue using browser extension
endpoints if they had created an API key before suspension. The normal
JWT session path blocked suspended users, but the browser extension
middleware did not.

Changes:
- Add suspension and user existence checks to validBrowserExtensionApiKey
- Delete browser extension API keys when a user is deleted
- Add deleteAllForUser method to BrowserExtensionApiKey model
GHSA-7754-8jcc-2rg3
2026-03-13 10:05:05 -07:00
Timothy Carambat
732eac6fa8 Align Manager API access with frontend access
GHSA-wfq3-65gm-3g2p
2026-03-13 09:46:37 -07:00
Timothy Carambat
e7ebeb47fc Merge branch 'master' of github.com:Mintplex-Labs/anything-llm 2026-03-12 21:57:06 -07:00
Timothy Carambat
334ce052f0 Fix SQL injection in SQL Agent plugin via parameterized queries
Replace string concatenation with parameterized queries in all database
connectors to prevent SQL injection through LLM-generated table names.

Changes:
- PostgreSQL: Use $1, $2 placeholders with pg client parameterization
- MySQL: Use ? placeholders with mysql2 execute() prepared statements
- MSSQL: Use @p0 placeholders with request.input() parameterization
- Update handlers to support parameterized query objects
- Add formatQueryForDisplay() for logging parameterized queries

Security: Mitigates potential SQL injection when LLM passes unsanitized
user input as table_name parameter to getTableSchemaSql/getTablesSql.
GHSA-jwjx-mw2p-5wc7
2026-03-12 21:56:57 -07:00
Timothy Carambat
dd7b11a43c Add FileRow Indentation on Documents Picker (#5201) 2026-03-12 20:59:45 -07:00
Timothy Carambat
9e2d144dc8 sanitize promptReply Output 2026-03-12 20:51:05 -07:00
Timothy Carambat
c76576a9da Report citations for Agent call stacks (#5199) 2026-03-12 14:49:44 -07:00
Timothy Carambat
15a84d5121 Support Agent stream metric reporting (#5197) 2026-03-12 12:50:02 -07:00
Timothy Carambat
f1439d7fcb Improve build times for tests and lint (#5193)
* test build skip

* reset file
2026-03-11 12:18:29 -07:00
Timothy Carambat
6713c80f31 fix schema not persisting in DB connector 2026-03-11 11:43:38 -07:00
Timothy Carambat
7dd7d57a8f lint 2026-03-11 11:21:10 -07:00
Timothy Carambat
b531ab4895 Merge branch 'master' of github.com:Mintplex-Labs/anything-llm 2026-03-11 11:20:45 -07:00
Peter Dave Hello
71ccf90ab0 Improve zh_TW Traditional Chinese locale (#5187) 2026-03-11 09:02:57 -07:00
Peter Dave Hello
2be79222ab Improve zh_TW Traditional Chinese locale 2026-03-11 23:08:01 +08:00
Timothy Carambat
31ffe941d8 patch slashcommand popup to be usePortal 2026-03-10 17:47:57 -07:00
Timothy Carambat
21ac874cfa Implement v2 chat layout designs (#5074)
* New chat history layout with chat bubbles (#4985)

* new chat history layout, remove message alignment setting

* remove orphaned chat alignment hook and MessageDirection

* remove workspace profile picture setting and fetch

* clean up unnecessary changes

* add light mode colors to chat ui and main page backgrounds

* update chat message and action icon colors for light mode

* update thinking and agent ui, layout, sizing

* update user message uploaded images ui

* update thought, agent containers to use new colors

* add truncatable content with gradient to user chat messages

* fix citations margin

* implement new edit message UI with save and submit actions

* add translations for TruncatableContent subcomponent

* remove unused props

* fix text colors for default mode chats, agent, thoughts container

* Normalize translations for new chat history layout (#5022)

* normalize translations

* update translations with DMR

* lint

* fix mismatched home container colors

* fix: add password character validation to onboarding single-user setup (#5037)

* fix single user mode password bug

* share const

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>

* Native Tool calling (#5071)

* checkpoint

* test MCP and flows

* add native tool call detection back to LMStudio

* add native tool call loops for Ollama

* Add ability detection to DMR (regex parse)

* bedrock and generic openai with ENV flag

* deepseek native tool calling

* localAI native function

* groq support

* linting, add litellm and OR native tool calling via flag

* fix: resolve Gemini agent 400 error on tool call responses (#5054)

* add gtc__ prefix to tool call names in Gemini agent message formatting

* resolve Gemini agent 400 error on tool call responses

* add comments explaining Gemini's thought signatures

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>

* fix: prevent CMD/CTRL+Arrow scroll from overriding textarea cursor movement (#5053)

prevent CMD/CTRL+Arrow scroll from overriding textarea cursor movement

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>

* linting, assistant speaker spacing and order, copy/edit order

---------

Co-authored-by: Marcello Fitton <106866560+angelplusultra@users.noreply.github.com>
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>

* Implement new citations UI (#5038)

* new chat history layout, remove message alignment setting

* remove orphaned chat alignment hook and MessageDirection

* remove workspace profile picture setting and fetch

* clean up unnecessary changes

* add light mode colors to chat ui and main page backgrounds

* update chat message and action icon colors for light mode

* update thinking and agent ui, layout, sizing

* update user message uploaded images ui

* update thought, agent containers to use new colors

* add truncatable content with gradient to user chat messages

* fix citations margin

* implement new edit message UI with save and submit actions

* add translations for TruncatableContent subcomponent

* remove unused props

* fix text colors for default mode chats, agent, thoughts container

* Normalize translations for new chat history layout (#5022)

* normalize translations

* update translations with DMR

* lint

* fix mismatched home container colors

* implement new citations ui with sources sidebar

* bottom sheet for mobile citations

* convert mobile citations bottom sheet to new modal design

* add score, border separators for mobile citations modal

* push down sources sidebar in password/multiuser mode

* fix animation gap, simplify sources sidebar by splitting state to persist data on animation

* add english translations

* fix spacing from citations sidebar when user has auth

* Normalize translations for new citation UI (#5087)

* normalize translations

* update translations using DMR

* fix pluralize to use i18n native solution
change reset to immediate clear
fix spacing for TTS when showing or not to not have space

* proper pluralize

* hide metrics on mobile, fix last message padding on mobile

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>

* New prompt input ui/tools menu (#5070)

* wip new prompt input ui/tools menu

* fix colors for prompt input

* redesign workspace llm selector, extract text size + model picker to components

* refactor ToolsMenu component

* fix colors/refactor WorkspaceModelPicker

* fix spacing in ws model picker, change order of tools menu tabs

* fix slash commands showing /reset instead of /exit during active agent session

* refactor ToolsMenu to be much simpler

* cleanup, fix behavior of setup provider in WorkspaceModelPicker

* simplify AgentSkillsTab toggle logic

* add english translations for new components

* remove legacy slash command/agent popups, add ToolsMenu keyboard nav

* fix spacing of workspace model picker text

* fix SourcesSidebar and TextSizeMenu positioning after merge

* fix keyboard nav in ToolsMenu when clicking on tools button to open

* typo

* only auto pop up tools menu when prompt input is empty with /

* fix z index for tools menu on citation

* fix behavior of / in prompt input

* move global window agent session state to module level variable

* fix prompt input not clearing on /reset

* missing translations

* revert translating slash command

* fix STT auto-submit not working on home page

* Normalize translations for new prompt input/tools menu UI (#5130)

* normalize translations

* update translations using DMR script

* normalize translations

* update translations using DMR script

* remove slash_exit

* fix skills.js import after merge

* fix tooltip z-index rendering behind citations

* patch translation prune script to not remove special cases

* updates to tools input

* factory translations

* use safeJsonParse in clearPromptInputDraft

* normalize translations

* disable agent skill toggles during active agent sessions + show tooltip on disabled

* normalize translations

* handle enter key behavior when tools menu is open

* fix unfocusable modal for slash command edit/new

* fix sending prompt when editing/creating slash commands

* hide/show agent skills in tools menu based on role

* container borders for dark/light mode compliance to designs

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>

* update how tooltip works for agent menu

* update prompt input to show agent button with CTA in agent panel for user clarity
update agent session start prompt button in input

* translations

* translations + move regex for slash commands to constants

* fix open sidebar ux

* fix tools menu to always open to slash commands, dismiss auto pop up

* fix sidebar open/close button overlapping with ws model picker

---------

Co-authored-by: Sean Hatfield <seanhatfield5@gmail.com>
Co-authored-by: Marcello Fitton <106866560+angelplusultra@users.noreply.github.com>
2026-03-10 12:50:19 -07:00
Timothy Carambat
868358597e Remove use_mlock from Ollama to solve WARN logs in ollama 0.17
resolves #5182
2026-03-10 09:08:05 -07:00
Timothy Carambat
8e795b73e0 add ToS for brevity 2026-03-09 15:45:22 -07:00
Timothy Carambat
ffb0cc5cad Merge branch 'master' of github.com:Mintplex-Labs/anything-llm 2026-03-09 14:34:15 -07:00
Timothy Carambat
e8ffe50760 patch plural keys 2026-03-09 14:34:08 -07:00
Marcello Fitton
456738bbda chore: add ESLint CI workflow (#5160)
add lint CI GitHub Action
2026-03-09 14:27:08 -07:00
Marcello Fitton
a50d410dc2 chore: add script to detect and prune unused translation keys (#5141)
* add script to prune dead translation keys

* add support for dynamic translation keys

* improve performance of script

* fix dynamic t() detection and add keyboard shortcut keys to allowlist

* rename scripts

* change commands

---------

Co-authored-by: shatfield4 <seanhatfield5@gmail.com>
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
2026-03-09 12:02:16 -07:00
Timothy Carambat
4e3bcfc616 Add custom fetch to embedder for Ollama (#5180)
Refactor ollama timeout to be shared. Add custom fetch to embedder for ollama as well
2026-03-09 11:47:00 -07:00
Timothy Carambat
dc0bdf112b linting & show descriptive error for bad addtoWorkspace request body
resolves #5172
2026-03-09 11:30:53 -07:00
Timothy Carambat
bc58939843 Strip thinking from copy message outputs (#5179) 2026-03-09 11:10:17 -07:00
Maxwell Calkin
563f95167d fix: add missing /wiki to Confluence cloud citation URLs (#5167)
fix: add /wiki to Confluence cloud page URLs in citations
2026-03-09 10:24:56 -07:00
Marcello Fitton
113df6d013 feat: Add tooltip for paperclip attach button when no files are parsed (#5139)
* fix broken tooltip

* fix tooltip not showing on homepage

* fix tooltip rendering behind input on homepage

---------

Co-authored-by: shatfield4 <seanhatfield5@gmail.com>
2026-03-06 21:58:25 -08:00
Ryan
179a823ab1 Fix: Azure OpenAI model key collision (#5092)
* fix: Migrate AzureOpenAI model key from OPEN_MODEL_PREF to prevent the naming collision. No effort necessary from current users.

* test: add backwards compat tests for AzureOpenAI model key migration

* patch missing env example file

* linting

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
2026-03-05 17:12:08 -08:00
Marcello Fitton
4a4378ed99 chore: add ESLint to /server (#5126)
* add eslint config to server

* add break statements to switch case

* add support for browser globals and turn off empty catch blocks

* disable lines with useless try/catch wrappers

* format

* fix no-undef errors

* disable lines violating no-unsafe-finally

* ignore syncStaticLists.mjs

* use proper null check for creatorId instead of unreachable nullish coalescing

* remove unneeded typescript eslint comment

* make no-unused-private-class-members a warning

* disable line for no-empty-objects

* add new lint script

* fix no-unused-vars violations

* make no-unused-vars an error

---------

Co-authored-by: shatfield4 <seanhatfield5@gmail.com>
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
2026-03-05 16:32:45 -08:00
Marcello Fitton
8f33203ade chore: add ESLint to /collector (#5128)
* add eslint config to /collector

* prettier formatting

* fix unused

* fix undefined

* disable lines

* lockfile

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
2026-03-05 16:25:23 -08:00
Marcello Fitton
29950f08bb refactor: refactor agent skills settings page to use i18n translation keys (#5146)
* refactor agent skills to read from translation keys instead of hardcoded strings

* add missing sql agent description key

* Remove fallbacks

* adjust translation

* swap to factor pattern

* normalize translations (#5147)

* normalize translations

* run translator job

* translations

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
2026-03-05 16:17:00 -08:00
Timothy Carambat
1d8c488e97 Remove Google web-search Programmable SERP (#5156) 2026-03-05 14:49:32 -08:00
Timothy Carambat
f833c34045 Use ALLM_RW_PACKAGES for package cleanup 2026-03-05 12:41:28 -08:00
Timothy Carambat
fcda41bfc5 Debug cleanup workflow 2026-03-05 12:29:41 -08:00
Timothy Carambat
8c42d1081e Debug cleanup workflow 2026-03-05 12:29:26 -08:00
Timothy Carambat
2139c9c583 Debug cleanup workflow 2026-03-05 12:27:38 -08:00
Timothy Carambat
ef23734ff2 Merge branch 'master' of github.com:Mintplex-Labs/anything-llm 2026-03-05 12:26:26 -08:00
Timothy Carambat
12f861b87a Sidebar updates (#5154)
* fix sidebar and add translations to sidebar

* add translations
2026-03-05 10:34:38 -08:00
Timothy Carambat
8dfe9613bf add translations 2026-03-05 10:32:59 -08:00
Timothy Carambat
034aac91ae fix sidebar and add translations to sidebar 2026-03-05 10:31:28 -08:00
Timothy Carambat
ee4b208f95 native tool calling detection for novita 2026-03-05 10:19:03 -08:00
Timothy Carambat
0e9dc6572b Remove test workflow 2026-03-05 08:47:03 -08:00
Timothy Carambat
cfbd339cde Test dispatch workflow 2026-03-05 08:45:29 -08:00
Timothy Carambat
364b3696f9 vague GH worker error - try to resolve via repo-name 2026-03-05 08:43:41 -08:00
Timothy Carambat
6d5c964e3d split cleanup 2026-03-05 08:40:43 -08:00
Timothy Carambat
c8ac24b938 fix type 2026-03-05 08:37:55 -08:00
Timothy Carambat
0532400683 workflow -wip 2026-03-05 08:34:21 -08:00
Timothy Carambat
f5cf7a155d patch attempt for GH cleanup tag 2026-03-05 08:31:40 -08:00
Timothy Carambat
bac9b8be4c improve translation script 2026-03-04 15:45:06 -08:00
Timothy Carambat
b3944eb50e Revert "Add automatic chat mode with native tool calling support (#5140)"
- Need to support documents in agents
- Need to support images in agent mode

This reverts commit 4c69960dca.
2026-03-04 15:29:41 -08:00