
Commit 4c780f2

docs: access control & admin panel (#561)
- Added a new 'Access Control' page detailing LibreChat's granular authorization system, including feature permissions, resource ACLs, and system grants.
- Introduced the 'Admin Panel' documentation, outlining its functionalities for managing users, groups, roles, and configuration overrides.
- Updated existing feature documentation (agents, MCP servers) to reflect the new access control model and emphasize the use of the Admin Panel for permission management.
- Marked several YAML fields as deprecated for permission management, recommending the Admin Panel for ongoing management.
1 parent dcccfa1 commit 4c780f2

7 files changed

Lines changed: 472 additions & 6 deletions


content/docs/configuration/librechat_yaml/object_structure/interface.mdx

Lines changed: 36 additions & 0 deletions
@@ -36,6 +36,14 @@ These are fields under `interface`:
3636
- Default values are provided for most settings but can be overridden based on specific requirements or conditions.
3737
- Conditional logic in the application can further modify these settings based on other configurations like model specifications.
3838

39+
<Callout type="warning" title="Deprecated: permission side-effect fields">
40+
Several fields below (`mcpServers`, `prompts`, `bookmarks`, `memories`, `multiConvo`, `agents`, `remoteAgents`, `temporaryChat`, `runCode`, `webSearch`, `fileSearch`, `fileCitations`, `peoplePicker`, `marketplace`) don't just toggle UI, they seed role permissions in the database at startup, and only for the built-in `USER` role.
41+
42+
For ongoing management, use the [**LibreChat Admin Panel**](/docs/features/admin_panel), which edits the permission matrix directly on each role (including custom roles). These YAML fields remain supported for bootstrapping a fresh instance or fully file-driven deployments, but should no longer be used as the primary way to manage feature permissions.
43+
44+
See [Access Control](/docs/features/access_control) for the full permission model.
45+
</Callout>
46+
3947
## Example
4048

4149
```yaml filename="interface"
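Review bot: The callout (new lines 39-45) says these fields seed role permissions "at startup" but does not say what happens on the next restart after an admin has changed the same permission in the Admin Panel. If seeding re-applies the YAML value on every start, Admin Panel edits to the `USER` role would be reverted without notice; if it only applies when no value exists yet, that should be stated. Add one sentence on precedence between the YAML value and the stored role permission, since the callout recommends running both side by side ("remain supported for bootstrapping").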
@@ -85,6 +93,8 @@ interface:
8593
8694
## mcpServers
8795
96+
> **Deprecated for permission management.** The `use`, `create`, `share`, and `public` sub-keys seed role permissions at startup. Prefer the [Admin Panel](/docs/features/admin_panel) for managing MCP server permissions per role/group/user. The `placeholder` and `trustCheckbox` sub-keys are unaffected.
97+
8898
**Key:**
8999
<OptionTable
90100
options={[
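Review bot: The blockquote at new line 96 leaves out the role scope that most of the other per-field notices state ("for the default `USER` role only"), so a reader cannot tell whether `use`, `create`, `share` and `public` are seeded for `USER` only or for every role. Because the sub-keys include `share` and `public`, the scope matters here more than for a simple toggle; state it explicitly so it matches the page-level callout.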
@@ -223,6 +233,8 @@ interface:
223233

224234
## prompts
225235

236+
> **Deprecated for permission management.** Seeds the `PROMPTS` role permissions at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel) for managing prompt permissions per role/group/user.
237+
226238
**Key:**
227239
<OptionTable
228240
options={[
@@ -277,6 +289,8 @@ interface:
277289

278290
## bookmarks
279291

292+
> **Deprecated for permission management.** Seeds the `BOOKMARKS` role permission at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel).
293+
280294
**Key:**
281295
<OptionTable
282296
options={[
@@ -294,6 +308,8 @@ interface:
294308

295309
## memories
296310

311+
> **Deprecated for permission management.** Seeds the `MEMORIES` role permissions at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel). Note this toggle is separate from the [`memory`](/docs/configuration/librechat_yaml/object_structure/memory) behavior configuration.
312+
297313
**Key:**
298314
<OptionTable
299315
options={[
@@ -313,6 +329,8 @@ interface:
313329

314330
## multiConvo
315331

332+
> **Deprecated for permission management.** Seeds the `MULTI_CONVO` role permission at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel).
333+
316334
**Key:**
317335
<OptionTable
318336
options={[
@@ -332,6 +350,8 @@ interface:
332350

333351
More info on [Agents](/docs/features/agents)
334352

353+
> **Deprecated for permission management.** Seeds the `AGENTS` role permissions at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel) for managing agent permissions per role/group/user.
354+
335355
**Key:**
336356
<OptionTable
337357
options={[
@@ -388,6 +408,8 @@ interface:
388408

389409
Controls access to the Agents API (OpenAI-compatible and Open Responses API endpoints), which allows external applications to interact with LibreChat agents programmatically via API keys.
390410

411+
> **Deprecated for permission management.** Seeds the `REMOTE_AGENTS` role permissions at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel).
412+
391413
**Key:**
392414
<OptionTable
393415
options={[
@@ -423,6 +445,8 @@ interface:
423445

424446
Controls whether the temporary chat feature is available to users. Temporary chats are not saved to conversation history and are automatically deleted after a configurable retention period.
425447

448+
> **Deprecated for permission management.** Seeds the `TEMPORARY_CHAT` role permission at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel). `temporaryChatRetention` below is not a permission and remains the recommended way to configure retention.
449+
426450
**Key:**
427451
<OptionTable
428452
options={[
@@ -500,6 +524,8 @@ Enables/disables the "Run Code" button for Markdown Code Blocks. More info on th
500524

501525
**Note:** This setting does not disable the [Agents Code Interpreter Capability](/docs/features/agents#code-interpreter). To disable the Agents Capability, see the [Agents Endpoint configuration](/docs/configuration/librechat_yaml/object_structure/agents) instead.
502526

527+
> **Deprecated for permission management.** Seeds the `RUN_CODE` role permission at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel).
528+
503529
**Key:**
504530
<OptionTable
505531
options={[
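Review bot: The notice at new line 527 sits directly under the existing Note that this setting does not disable the Agents Code Interpreter capability, but it does not say whether the same limit applies to the `RUN_CODE` permission once it is managed from the Admin Panel. An admin who revokes `RUN_CODE` for a role could reasonably assume code execution is off for that role. Suggest adding a clause that says which of the two the permission covers, and pointing to the Agents Endpoint configuration for the other. The `WEB_SEARCH` and `FILE_SEARCH` notices in the next two hunks have the same gap.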
@@ -521,6 +547,8 @@ Enables/disables the web search button in the chat interface. More info on [Web
521547

522548
**Note:** This setting does not disable the [Agents Web Search Capability](/docs/features/agents#web-search). To disable the Agents Capability, see the [Agents Endpoint configuration](/docs/configuration/librechat_yaml/object_structure/agents) instead.
523549

550+
> **Deprecated for permission management.** Seeds the `WEB_SEARCH` role permission at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel).
551+
524552
**Key:**
525553
<OptionTable
526554
options={[
@@ -542,6 +570,8 @@ Enables/disables the file search (for RAG API usage via tool) button in the chat
542570

543571
**Note:** This setting does not disable the [Agents File Search Capability](/docs/features/agents#file-search). To disable the Agents Capability, see the [Agents Endpoint configuration](/docs/configuration/librechat_yaml/object_structure/agents) instead.
544572

573+
> **Deprecated for permission management.** Seeds the `FILE_SEARCH` role permission at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel).
574+
545575
**Key:**
546576
<OptionTable
547577
options={[
@@ -561,6 +591,8 @@ interface:
561591

562592
Controls the global availability of file citations functionality. When disabled, it effectively removes the `FILE_CITATIONS` permission for all users, preventing any file citations from being displayed when using file search, regardless of individual user permissions.
563593

594+
> **Deprecated for permission management.** Seeds/globally gates the `FILE_CITATIONS` role permission at startup. Prefer the [Admin Panel](/docs/features/admin_panel) for managing citations permissions per role/group/user.
595+
564596
**Note:**
565597
- This setting acts as a global toggle for the `FILE_CITATIONS` permission system-wide.
566598
- When set to `false`, no users will see file citations, even if they have been granted the permission through roles.
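Review bot: "Seeds/globally gates" at new line 594 merges two different behaviours and conflicts with the page-level callout, which says the listed fields seed permissions only for the built-in `USER` role. The unchanged text around it says `false` removes `FILE_CITATIONS` for all users regardless of role grants, so a grant made in the Admin Panel would have no effect while the YAML value is `false`. Spell that out in this notice, and either drop `fileCitations` from the callout's list or mark it there as the exception.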
@@ -586,6 +618,8 @@ interface:
586618

587619
Controls which principal types (users, groups, roles) are available for selection in the people picker interface, typically used when sharing agents or managing access controls.
588620

621+
> **Deprecated for permission management.** Seeds the `PEOPLE_PICKER` role permissions at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel).
622+
589623
**Key:**
590624
<OptionTable
591625
options={[
@@ -624,6 +658,8 @@ interface:
624658

625659
Enables/disables access to the Agent Marketplace.
626660

661+
> **Deprecated for permission management.** Seeds the `MARKETPLACE` role permission at startup for the default `USER` role only. Prefer the [Admin Panel](/docs/features/admin_panel).
662+
627663
**Key:**
628664
<OptionTable
629665
options={[
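Review bot: The blockquote at new line 661 is one of fourteen near-identical notices added across this file, and their wording has already drifted: some say "role permission", others "role permissions", some end with "for managing ... per role/group/user" and others stop at the Admin Panel link, and the page-level warning uses `<Callout>` while these use plain `>` blockquotes. Consider a single shared MDX component that takes the permission name as a prop, so the text stays consistent and can be updated in one place when the deprecation status changes.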
