🤝 fix: Load Handoff Agents for Agents API

api/server/controllers/agents/__tests__/openai.spec.js

@@ -46,9 +46,11 @@ jest.mock('@librechat/api', () => ({
     .fn()
     .mockReturnValue({ request: { model: 'agent-123', messages: [], stream: false } }),
   initializeAgent: jest.fn().mockResolvedValue({
+    id: 'agent-123',
     model: 'gpt-4',
     model_parameters: {},
     toolRegistry: {},
+    edges: [],
   }),
   getBalanceConfig: mockGetBalanceConfig,
   createErrorResponse: jest.fn(),
@@ -72,6 +74,24 @@ jest.mock('@librechat/api', () => ({
   resolveRecursionLimit: jest.fn().mockReturnValue(50),
   createToolExecuteHandler: jest.fn().mockReturnValue({ handle: jest.fn() }),
   isChatCompletionValidationFailure: jest.fn().mockReturnValue(false),
+  discoverConnectedAgents: jest.fn().mockResolvedValue({
+    agentConfigs: new Map(),
+    edges: [],
+    skippedAgentIds: new Set(),
+    userMCPAuthMap: undefined,
+  }),
+}));
+
+jest.mock('~/server/controllers/ModelController', () => ({
+  getModelsConfig: jest.fn().mockResolvedValue({}),
+}));
+
+jest.mock('~/server/services/Files/permissions', () => ({
+  filterFilesByAgentAccess: jest.fn(),
+}));
+
+jest.mock('~/cache', () => ({
+  logViolation: jest.fn(),
 }));
 
 jest.mock('~/server/services/ToolService', () => ({
@@ -91,6 +111,7 @@ jest.mock('~/server/controllers/agents/callbacks', () => ({
 
 jest.mock('~/server/services/PermissionService', () => ({
   findAccessibleResources: jest.fn().mockResolvedValue([]),
+  checkPermission: jest.fn().mockResolvedValue(true),
 }));
 
 const mockUpdateBalance = jest.fn().mockResolvedValue({});

api/server/controllers/agents/__tests__/responses.unit.spec.js

@@ -43,9 +43,17 @@ jest.mock('@librechat/api', () => ({
   buildToolSet: jest.fn().mockReturnValue(new Set()),
   createSafeUser: jest.fn().mockReturnValue({ id: 'user-123' }),
   initializeAgent: jest.fn().mockResolvedValue({
+    id: 'agent-123',
     model: 'claude-3',
     model_parameters: {},
     toolRegistry: {},
+    edges: [],
+  }),
+  discoverConnectedAgents: jest.fn().mockResolvedValue({
+    agentConfigs: new Map(),
+    edges: [],
+    skippedAgentIds: new Set(),
+    userMCPAuthMap: undefined,
   }),
   getBalanceConfig: mockGetBalanceConfig,
   getTransactionsConfig: mockGetTransactionsConfig,
@@ -121,6 +129,19 @@ jest.mock('~/server/controllers/agents/callbacks', () => {
 
 jest.mock('~/server/services/PermissionService', () => ({
   findAccessibleResources: jest.fn().mockResolvedValue([]),
+  checkPermission: jest.fn().mockResolvedValue(true),
+}));
+
+jest.mock('~/server/controllers/ModelController', () => ({
+  getModelsConfig: jest.fn().mockResolvedValue({}),
+}));
+
+jest.mock('~/server/services/Files/permissions', () => ({
+  filterFilesByAgentAccess: jest.fn(),
+}));
+
+jest.mock('~/cache', () => ({
+  logViolation: jest.fn(),
 }));
 
 const mockUpdateBalance = jest.fn().mockResolvedValue({});

api/server/controllers/agents/openai.js

@@ -21,6 +21,7 @@ const {
   createOpenAIStreamTracker,
   createOpenAIContentAggregator,
   isChatCompletionValidationFailure,
+  discoverConnectedAgents,
 } = require('@librechat/api');
 const {
   buildSummarizationHandlers,
@@ -29,7 +30,10 @@ const {
   agentLogHandlerObj,
 } = require('~/server/controllers/agents/callbacks');
 const { loadAgentTools, loadToolsForExecution } = require('~/server/services/ToolService');
-const { findAccessibleResources } = require('~/server/services/PermissionService');
+const { findAccessibleResources, checkPermission } = require('~/server/services/PermissionService');
+const { getModelsConfig } = require('~/server/controllers/ModelController');
+const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
+const { logViolation } = require('~/cache');
 const db = require('~/models');
 
 /**
@@ -207,6 +211,19 @@ const OpenAIChatCompletionController = async (req, res) => {
       model_parameters: agent.model_parameters ?? {},
     };
 
+    const dbMethods = {
+      getConvoFiles: db.getConvoFiles,
+      getFiles: db.getFiles,
+      getUserKey: db.getUserKey,
+      getMessages: db.getMessages,
+      updateFilesUsage: db.updateFilesUsage,
+      getUserKeyValues: db.getUserKeyValues,
+      getUserCodeFiles: db.getUserCodeFiles,
+      getToolFilesByIds: db.getToolFilesByIds,
+      getCodeGeneratedFiles: db.getCodeGeneratedFiles,
+      filterFilesByAgentAccess,
+    };
+
     const primaryConfig = await initializeAgent(
       {
         req,
@@ -220,19 +237,79 @@ const OpenAIChatCompletionController = async (req, res) => {
         allowedProviders,
         isInitialAgent: true,
       },
-      {
-        getConvoFiles: db.getConvoFiles,
-        getFiles: db.getFiles,
-        getUserKey: db.getUserKey,
-        getMessages: db.getMessages,
-        updateFilesUsage: db.updateFilesUsage,
-        getUserKeyValues: db.getUserKeyValues,
-        getUserCodeFiles: db.getUserCodeFiles,
-        getToolFilesByIds: db.getToolFilesByIds,
-        getCodeGeneratedFiles: db.getCodeGeneratedFiles,
-      },
+      dbMethods,
     );
 
+    /**
+     * Per-agent tool-execution context map, keyed by agentId.
+     * Needed so the ON_TOOL_EXECUTE callback routes each sub-agent's tool calls
+     * to the correct toolRegistry / userMCPAuthMap / tool_resources.
+     * @type {Map<string, {
+     *   agent: object,
+     *   toolRegistry?: import('@librechat/agents').LCToolRegistry,
+     *   userMCPAuthMap?: Record<string, Record<string, string>>,
+     *   tool_resources?: object,
+     *   actionsEnabled?: boolean,
+     * }>}
+     */
+    const agentToolContexts = new Map();
+    agentToolContexts.set(primaryConfig.id, {
+      agent,
+      toolRegistry: primaryConfig.toolRegistry,
+      userMCPAuthMap: primaryConfig.userMCPAuthMap,
+      tool_resources: primaryConfig.tool_resources,
+      actionsEnabled: primaryConfig.actionsEnabled,
+    });
+
+    // Only run BFS discovery (and pay `getModelsConfig` upfront) when the
+    // primary has edges to follow — the common API case is single-agent.
+    let handoffAgentConfigs = new Map();
+    let discoveredEdges = [];
+    let discoveredMCPAuthMap;
+    if (primaryConfig.edges?.length) {
+      const modelsConfig = await getModelsConfig(req);
+      ({
+        agentConfigs: handoffAgentConfigs,
+        edges: discoveredEdges,
+        userMCPAuthMap: discoveredMCPAuthMap,
+      } = await discoverConnectedAgents(
+        {
+          req,
+          res,
+          primaryConfig,
+          endpointOption,
+          allowedProviders,
+          modelsConfig,
+          loadTools,
+          requestFiles: [],
+          conversationId,
+          parentMessageId,
+          // The route enforces REMOTE_AGENT on the primary; every discovered
+          // sub-agent must clear the same sharing boundary, not the looser
+          // in-app AGENT one.
+          resourceType: ResourceType.REMOTE_AGENT,
+        },
+        {
+          getAgent: db.getAgent,
+          checkPermission,
+          logViolation,
+          db: dbMethods,
+          onAgentInitialized: (agentId, handoffAgent, config) => {
+            agentToolContexts.set(agentId, {
+              agent: handoffAgent,
+              toolRegistry: config.toolRegistry,
+              userMCPAuthMap: config.userMCPAuthMap,
+              tool_resources: config.tool_resources,
+              actionsEnabled: config.actionsEnabled,
+            });
+          },
+          initializeAgent,
+        },
+      ));
+    }
+
+    primaryConfig.edges = discoveredEdges;
+
     // Determine if streaming is enabled (check both request and agent config)
     const streamingDisabled = !!primaryConfig.model_parameters?.disableStreaming;
     const isStreaming = request.stream === true && !streamingDisabled;
@@ -270,17 +347,18 @@ const OpenAIChatCompletionController = async (req, res) => {
     const toolEndCallback = createToolEndCallback({ req, res, artifactPromises, streamId: null });
 
     const toolExecuteOptions = {
-      loadTools: async (toolNames) => {
+      loadTools: async (toolNames, agentId) => {
+        const ctx = agentToolContexts.get(agentId) ?? agentToolContexts.get(primaryConfig.id) ?? {};
         return loadToolsForExecution({
           req,
           res,
-          agent,
           toolNames,
+          agent: ctx.agent ?? agent,
           signal: abortController.signal,
-          toolRegistry: primaryConfig.toolRegistry,
-          userMCPAuthMap: primaryConfig.userMCPAuthMap,
-          tool_resources: primaryConfig.tool_resources,
-          actionsEnabled: primaryConfig.actionsEnabled,
+          toolRegistry: ctx.toolRegistry,
+          userMCPAuthMap: ctx.userMCPAuthMap,
+          tool_resources: ctx.tool_resources,
+          actionsEnabled: ctx.actionsEnabled,
         });
       },
       toolEndCallback,
@@ -467,11 +545,14 @@ const OpenAIChatCompletionController = async (req, res) => {
     // Create and run the agent
     const userId = req.user?.id ?? 'api-user';
 
-    // Extract userMCPAuthMap from primaryConfig (needed for MCP tool connections)
-    const userMCPAuthMap = primaryConfig.userMCPAuthMap;
+    // Extract merged userMCPAuthMap (needed for MCP tool connections across
+    // the primary and any discovered handoff sub-agents)
+    const userMCPAuthMap = discoveredMCPAuthMap ?? primaryConfig.userMCPAuthMap;
+
+    const runAgents = [primaryConfig, ...handoffAgentConfigs.values()];
 
     const run = await createRun({
-      agents: [primaryConfig],
+      agents: runAgents,
       messages: formattedMessages,
       indexTokenCountMap,
       initialSummary,