Replace string concatenation with parameterized queries in all database
connectors to prevent SQL injection through LLM-generated table names.
Changes:
- PostgreSQL: Use $1, $2 placeholders with pg client parameterization
- MySQL: Use ? placeholders with mysql2 execute() prepared statements
- MSSQL: Use @p0 placeholders with request.input() parameterization
- Update handlers to support parameterized query objects
- Add formatQueryForDisplay() for logging parameterized queries
Security: Mitigates potential SQL injection when LLM passes unsanitized
user input as table_name parameter to getTableSchemaSql/getTablesSql.
GHSA-jwjx-mw2p-5wc7
* New chat history layout with chat bubbles (#4985)
* new chat history layout, remove message alignment setting
* remove orphaned chat alignment hook and MessageDirection
* remove workspace profile picture setting and fetch
* clean up unnecessary changes
* add light mode colors to chat ui and main page backgrounds
* update chat message and action icon colors for light mode
* update thinking and agent ui, layout, sizing
* update user message uploaded images ui
* update thought, agent containers to use new colors
* add truncatable content with gradient to user chat messages
* fix citations margin
* implement new edit message UI with save and submit actions
* add translations for TruncatableContent subcomponent
* remove unused props
* fix text colors for default mode chats, agent, thoughts container
* Normalize translations for new chat history layout (#5022)
* normalize translations
* update translations with DMR
* lint
* fix mismatched home container colors
* fix: add password character validation to onboarding single-user setup (#5037)
* fix single user mode password bug
* share const
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* Native Tool calling (#5071)
* checkpoint
* test MCP and flows
* add native tool call detection back to LMStudio
* add native tool call loops for Ollama
* Add ablity detection to DMR (regex parse)
* bedrock and generic openai with ENV flag
* deepseek native tool calling
* localAI native function
* groq support
* linting, add litellm and OR native tool calling via flag
* fix: resolve Gemini agent 400 error on tool call responses (#5054)
* add gtc__ prefix to tool call names in Gemini agent message formatting
* resolve Gemini agent 400 error on tool call responses
* add comments explaining geminis thought signatures
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* fix: prevent CMD/CTRL+Arrow scroll from overriding textarea cursor movement (#5053)
prevent CMD/CTRL+Arrow scroll from overriding textarea cursor movement
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* linting, assistant speaker spacing and order, copy/edit order
---------
Co-authored-by: Marcello Fitton <106866560+angelplusultra@users.noreply.github.com>
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* Implement new citations UI (#5038)
* new chat history layout, remove message alignment setting
* remove orphaned chat alignment hook and MessageDirection
* remove workspace profile picture setting and fetch
* clean up unnecessary changes
* add light mode colors to chat ui and main page backgrounds
* update chat message and action icon colors for light mode
* update thinking and agent ui, layout, sizing
* update user message uploaded images ui
* update thought, agent containers to use new colors
* add truncatable content with gradient to user chat messages
* fix citations margin
* implement new edit message UI with save and submit actions
* add translations for TruncatableContent subcomponent
* remove unused props
* fix text colors for default mode chats, agent, thoughts container
* Normalize translations for new chat history layout (#5022)
* normalize translations
* update translations with DMR
* lint
* fix mismatched home container colors
* implement new citations ui with sources sidebar
* bottom sheet for mobile citations
* convert mobile citations bottom sheet to new modal design
* add score, border separators for mobile citations modal
* push down sources sidebar in password/multiuser mode
* fix animation gap, simplify sources sidebar by splitting state to persist data on animation
* add english translations
* fix spacing from citations sidebar when user has auth
* Normalize translations for new citation UI (#5087)
* normalize translations
* update translations using DMR
* fix pluralize to use i18n native solution
change reset to immediate clear
fix spacing for TTS when showing or not to not have space
* proper pluralize
* hide metrics on mobile, fix last message padding on mobile
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* New prompt input ui/tools menu (#5070)
* wip new prompt input ui/tools menu
* fix colors for prompt input
* redesign workspace llm selector, extract text size + model picker to components
* refactor ToolsMenu component
* fix colors/refactor WorkspaceModelPicker
* fix spacing in ws model picker, change order of tools menu tabs
* fix slash commands showing /reset instead of /exit during active agent session
* refactor ToolsMenu to be much simpler
* cleanup, fix behavior of setupup provider in WorkspaceModelPicker
* simplify AgentSkillsTab toggle logic
* add english translations for new components
* remove legacy slash command/agent popups, add ToolsMenu keyboard nav
* fix spacing of workspace model picker text
* fix SourcesSidebar and TextSizeMenu positioning after merge
* fix keyboard nav in ToolsMenu when clicking on tools button to open
* typo
* only auto pop up tools menu when prompt input is empty with /
* fix z index for tools menu on citation
* fix behavior of / in prompt input
* move global window agent session state to module level variable
* fix prompt input not clearing on /reset
* missing translations
* revert translating slash command
* fix STT auto-submit not working on home page
* Normalize translations for new prompt input/tools menu UI (#5130)
* normalize translations
* update translations using DMR script
* normalize translations
* update translations using DMR script
* remove slash_exit
* fix skills.js import after merge
* fix tooltip z-index rendering behind citations
* patch translation prune script to not remove special cases
* updates to tools input
* factory translations
* use safeJsonParse in clearPromptInputDraft
* normalize translations
* disable agent skill toggles during active agent sessions + show tooltip on disabled
* normalize translations
* handle enter key behavior when tools menu is open
* fix unfocusable modal for slash command edit/new
* fix sending prompt when editing/creating slash commands
* hide/show agent skills in tools menu based on role
* container borders for dark/light mode compliance to designs
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* update how tooltip works for agent menu
* update prompt input to show agent button with CTA in agent panel for user clarify
update agent session start prompt button in input
* translations
* translations + move regex for slash commands to constants
* fix open sidebar ux
* fix tools menu to always open to slash commands, dismiss auto pop up
* fix sidebar open/close button overlapping with ws model picker
---------
Co-authored-by: Sean Hatfield <seanhatfield5@gmail.com>
Co-authored-by: Marcello Fitton <106866560+angelplusultra@users.noreply.github.com>
* fix: Migrate AzureOpenAI model key from OPEN_MODEL_PREF to prevent the naming collision. No effort necessary from current users.
* test: add backwards compat tests for AzureOpenAI model key migration
* patch missing env example file
* linting
---------
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
* add eslint config to server
* add break statements to switch case
* add support for browser globals and turn off empty catch blocks
* disable lines with useless try/catch wrappers
* format
* fix no-undef errors
* disbale lines violating no-unsafe-finally
* ignore syncStaticLists.mjs
* use proper null check for creatorId instead of unreachable nullish coalescing
* remove unneeded typescript eslint comment
* make no-unused-private-class-members a warning
* disable line for no-empty-objects
* add new lint script
* fix no-unused-vars violations
* make no-unsued-vars an error
---------
Co-authored-by: shatfield4 <seanhatfield5@gmail.com>
Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
Introduces a new automatic chat mode (now the default) that automatically invokes tools when the provider supports native tool calling. Conditionally shows/hides the @agent command based on whether native tooling is available.
- Add supportsNativeToolCalling() to AI providers (OpenAI, Anthropic, Azure always support; others opt-in via ENV)
- Update all locale translations with new mode descriptions
- Enhance translator to preserve Trans component tags
- Remove deprecated ability tags UI
