* fix(lemonade): throw on embedding failures instead of returning empty vectors
* use class logger
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* add API key param to Lemonade LLM Provider and Embedding Provider
* add LEMONADE_LLM_API_KEY to .env.example
* add api key to aibitat provider
* fix api key from being sent to frontend
* fix tooltip id
* add null fallback for `apiKey`
* remove console log
* add missing api keys
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* add ask to run prompt for tools
* border-none on buttons
* translations
* linting
* i18n (#5263)
* extend approve/deny requests to telegram
* break up handler
* Add User-Agent header for Anthropic API calls
Passes User-Agent: AnythingLLM/{version} to the Anthropic SDK
so Anthropic can identify traffic from AnythingLLM.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* remove test, simplify header default
* unset change to spread
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* Beta Intelligent Tooling
todo: Agent Skill banner warning when tool # is high or % of content window?
* forgot files
* add UI controls and maxToolCallStack setting
* update docs link
* ISS i18n (#5237)
i18n
* Add automatic chat mode with native tool calling support
Introduces a new automatic chat mode (now the default) that automatically invokes tools when the provider supports native tool calling. Conditionally shows/hides the @agent command based on whether native tooling is available.
- Add supportsNativeToolCalling() to AI providers (OpenAI, Anthropic, Azure always support; others opt-in via ENV)
- Update all locale translations with new mode descriptions
- Enhance translator to preserve Trans component tags
- Remove deprecated ability tags UI
* rebase translations
* WIP on image attachments. Supports initial image attachment + subsequent attachments
* persist images
* Image attachments and updates for providers
* desktop pre-change
* always show command on failure
* add back gemini streaming detection
* move provider native tooling flag to Provider func
* whoops - forgot to delete
* strip "@agent" from prompts to prevent weird replies
* translations for automatic-mode (#5145)
* translations for automatic-mode
* rebase
* translations
* lint
* fix dead translations
* change default for now to chat mode just for rollout
* remove pfp for workspace
* passthrough workspace for showAgentCommand detection and rendering
* Agent API automatic mode support
* ephemeral attachments passthrough
* support reading of pinned documents in agent context
* feat(agents): Add Perplexity Search API as web search provider
Adds Perplexity as a search provider for the agent web-browsing plugin,
using the Perplexity Search API (POST /search) which returns raw ranked
web results — distinct from the existing Perplexity LLM integration.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: replace docs.perplexity.ai with console.perplexity.ai
* chore: replace docs.perplexity.ai with console.perplexity.ai
---------
Co-authored-by: kesku <kesku@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
Add ownership validation to prevent users from deleting or embedding
parsed files that don't belong to them. Previously, the delete and
embed endpoints only validated authentication but not resource ownership,
allowing users to delete attached files for users within workspaces they are also a member of.
Changes:
- Delete endpoint now filters by userId and workspaceId
- Embed endpoint validates file belongs to user and workspace (redundant)
- delete() returns false when no matching records found (returns 403)
- Added JSDoc comments for clarity
GHSA-p5rf-8p88-979c
Validate all ZIP entries before extraction in importCommunityItemFromUrl()
to prevent path traversal attacks (CWE-22). Malicious ZIP entries with
paths like "../../" could write files outside the intended plugin folder.
Requires admin privileges and explicit opt-in to unverified hub downloads.
GHSA-rh66-4w74-cf4m
Previously, suspended users could continue using browser extension
endpoints if they had created an API key before suspension. The normal
JWT session path blocked suspended users, but the browser extension
middleware did not.
Changes:
- Add suspension and user existence checks to validBrowserExtensionApiKey
- Delete browser extension API keys when a user is deleted
- Add deleteAllForUser method to BrowserExtensionApiKey model
GHSA-7754-8jcc-2rg3
Replace string concatenation with parameterized queries in all database
connectors to prevent SQL injection through LLM-generated table names.
Changes:
- PostgreSQL: Use $1, $2 placeholders with pg client parameterization
- MySQL: Use ? placeholders with mysql2 execute() prepared statements
- MSSQL: Use @p0 placeholders with request.input() parameterization
- Update handlers to support parameterized query objects
- Add formatQueryForDisplay() for logging parameterized queries
Security: Mitigates potential SQL injection when LLM passes unsanitized
user input as table_name parameter to getTableSchemaSql/getTablesSql.
GHSA-jwjx-mw2p-5wc7
* New chat history layout with chat bubbles (#4985)
* new chat history layout, remove message alignment setting
* remove orphaned chat alignment hook and MessageDirection
* remove workspace profile picture setting and fetch
* clean up unnecessary changes
* add light mode colors to chat ui and main page backgrounds
* update chat message and action icon colors for light mode
* update thinking and agent ui, layout, sizing
* update user message uploaded images ui
* update thought, agent containers to use new colors
* add truncatable content with gradient to user chat messages
* fix citations margin
* implement new edit message UI with save and submit actions
* add translations for TruncatableContent subcomponent
* remove unused props
* fix text colors for default mode chats, agent, thoughts container
* Normalize translations for new chat history layout (#5022)
* normalize translations
* update translations with DMR
* lint
* fix mismatched home container colors
* fix: add password character validation to onboarding single-user setup (#5037)
* fix single user mode password bug
* share const
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* Native Tool calling (#5071)
* checkpoint
* test MCP and flows
* add native tool call detection back to LMStudio
* add native tool call loops for Ollama
* Add ablity detection to DMR (regex parse)
* bedrock and generic openai with ENV flag
* deepseek native tool calling
* localAI native function
* groq support
* linting, add litellm and OR native tool calling via flag
* fix: resolve Gemini agent 400 error on tool call responses (#5054)
* add gtc__ prefix to tool call names in Gemini agent message formatting
* resolve Gemini agent 400 error on tool call responses
* add comments explaining geminis thought signatures
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* fix: prevent CMD/CTRL+Arrow scroll from overriding textarea cursor movement (#5053)
prevent CMD/CTRL+Arrow scroll from overriding textarea cursor movement
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* linting, assistant speaker spacing and order, copy/edit order
---------
Co-authored-by: Marcello Fitton <106866560+angelplusultra@users.noreply.github.com>
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* Implement new citations UI (#5038)
* new chat history layout, remove message alignment setting
* remove orphaned chat alignment hook and MessageDirection
* remove workspace profile picture setting and fetch
* clean up unnecessary changes
* add light mode colors to chat ui and main page backgrounds
* update chat message and action icon colors for light mode
* update thinking and agent ui, layout, sizing
* update user message uploaded images ui
* update thought, agent containers to use new colors
* add truncatable content with gradient to user chat messages
* fix citations margin
* implement new edit message UI with save and submit actions
* add translations for TruncatableContent subcomponent
* remove unused props
* fix text colors for default mode chats, agent, thoughts container
* Normalize translations for new chat history layout (#5022)
* normalize translations
* update translations with DMR
* lint
* fix mismatched home container colors
* implement new citations ui with sources sidebar
* bottom sheet for mobile citations
* convert mobile citations bottom sheet to new modal design
* add score, border separators for mobile citations modal
* push down sources sidebar in password/multiuser mode
* fix animation gap, simplify sources sidebar by splitting state to persist data on animation
* add english translations
* fix spacing from citations sidebar when user has auth
* Normalize translations for new citation UI (#5087)
* normalize translations
* update translations using DMR
* fix pluralize to use i18n native solution
change reset to immediate clear
fix spacing for TTS when showing or not to not have space
* proper pluralize
* hide metrics on mobile, fix last message padding on mobile
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* New prompt input ui/tools menu (#5070)
* wip new prompt input ui/tools menu
* fix colors for prompt input
* redesign workspace llm selector, extract text size + model picker to components
* refactor ToolsMenu component
* fix colors/refactor WorkspaceModelPicker
* fix spacing in ws model picker, change order of tools menu tabs
* fix slash commands showing /reset instead of /exit during active agent session
* refactor ToolsMenu to be much simpler
* cleanup, fix behavior of setupup provider in WorkspaceModelPicker
* simplify AgentSkillsTab toggle logic
* add english translations for new components
* remove legacy slash command/agent popups, add ToolsMenu keyboard nav
* fix spacing of workspace model picker text
* fix SourcesSidebar and TextSizeMenu positioning after merge
* fix keyboard nav in ToolsMenu when clicking on tools button to open
* typo
* only auto pop up tools menu when prompt input is empty with /
* fix z index for tools menu on citation
* fix behavior of / in prompt input
* move global window agent session state to module level variable
* fix prompt input not clearing on /reset
* missing translations
* revert translating slash command
* fix STT auto-submit not working on home page
* Normalize translations for new prompt input/tools menu UI (#5130)
* normalize translations
* update translations using DMR script
* normalize translations
* update translations using DMR script
* remove slash_exit
* fix skills.js import after merge
* fix tooltip z-index rendering behind citations
* patch translation prune script to not remove special cases
* updates to tools input
* factory translations
* use safeJsonParse in clearPromptInputDraft
* normalize translations
* disable agent skill toggles during active agent sessions + show tooltip on disabled
* normalize translations
* handle enter key behavior when tools menu is open
* fix unfocusable modal for slash command edit/new
* fix sending prompt when editing/creating slash commands
* hide/show agent skills in tools menu based on role
* container borders for dark/light mode compliance to designs
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* update how tooltip works for agent menu
* update prompt input to show agent button with CTA in agent panel for user clarify
update agent session start prompt button in input
* translations
* translations + move regex for slash commands to constants
* fix open sidebar ux
* fix tools menu to always open to slash commands, dismiss auto pop up
* fix sidebar open/close button overlapping with ws model picker
---------
Co-authored-by: Sean Hatfield <seanhatfield5@gmail.com>
Co-authored-by: Marcello Fitton <106866560+angelplusultra@users.noreply.github.com>
* fix: Migrate AzureOpenAI model key from OPEN_MODEL_PREF to prevent the naming collision. No effort necessary from current users.
* test: add backwards compat tests for AzureOpenAI model key migration
* patch missing env example file
* linting
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* add eslint config to server
* add break statements to switch case
* add support for browser globals and turn off empty catch blocks
* disable lines with useless try/catch wrappers
* format
* fix no-undef errors
* disbale lines violating no-unsafe-finally
* ignore syncStaticLists.mjs
* use proper null check for creatorId instead of unreachable nullish coalescing
* remove unneeded typescript eslint comment
* make no-unused-private-class-members a warning
* disable line for no-empty-objects
* add new lint script
* fix no-unused-vars violations
* make no-unsued-vars an error
---------
Co-authored-by: shatfield4 <seanhatfield5@gmail.com>
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
Introduces a new automatic chat mode (now the default) that automatically invokes tools when the provider supports native tool calling. Conditionally shows/hides the @agent command based on whether native tooling is available.
- Add supportsNativeToolCalling() to AI providers (OpenAI, Anthropic, Azure always support; others opt-in via ENV)
- Update all locale translations with new mode descriptions
- Enhance translator to preserve Trans component tags
- Remove deprecated ability tags UI
* checkpoint
* test MCP and flows
* add native tool call detection back to LMStudio
* add native tool call loops for Ollama
* Add ablity detection to DMR (regex parse)
* bedrock and generic openai with ENV flag
* deepseek native tool calling
* localAI native function
* groq support
* linting, add litellm and OR native tool calling via flag
