@librechat/data-schemas 0.0.47 → 0.0.48

package/dist/schema/systemGrant.es.js

@@ -1,10 +1,7 @@
 import { Schema } from 'mongoose';
 import { PrincipalType } from 'librechat-data-provider';
-import { SystemCapabilities } from '../admin/capabilities.es.js';
+import { isValidCapability } from '../admin/capabilities.es.js';
 
-const baseCapabilities = new Set(Object.values(SystemCapabilities));
-const sectionCapPattern = /^(?:manage|read):configs:\w+$/;
-const assignCapPattern = /^assign:configs:(?:user|group|role)$/;
 const systemGrantSchema = new Schema({
     principalType: {
         type: String,
@@ -19,7 +16,7 @@ const systemGrantSchema = new Schema({
         type: String,
         required: true,
         validate: {
-            validator: (v) => baseCapabilities.has(v) || sectionCapPattern.test(v) || assignCapPattern.test(v),
+            validator: isValidCapability,
             message: 'Invalid capability string: "{VALUE}"',
         },
     },
@@ -59,6 +56,7 @@ const systemGrantSchema = new Schema({
  */
 systemGrantSchema.index({ principalType: 1, principalId: 1, capability: 1, tenantId: 1 }, { unique: true });
 systemGrantSchema.index({ capability: 1, tenantId: 1 });
+systemGrantSchema.index({ principalType: 1, capability: 1, tenantId: 1 });
 
 export { systemGrantSchema as default };
 //# sourceMappingURL=systemGrant.es.js.map

package/dist/schema/systemGrant.es.js.map

@@ -1 +1 @@
-{"version":3,"file":"systemGrant.es.js","sources":["../../src/schema/systemGrant.ts"],"sourcesContent":[null],"names":[],"mappings":";;;;AAMA,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAmB,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;AACrF,MAAM,iBAAiB,GAAG,+BAA+B;AACzD,MAAM,gBAAgB,GAAG,sCAAsC;AAE/D,MAAM,iBAAiB,GAAG,IAAI,MAAM,CAClC;AACE,IAAA,aAAa,EAAE;AACb,QAAA,IAAI,EAAE,MAAM;AACZ,QAAA,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;AAClC,QAAA,QAAQ,EAAE,IAAI;AACf,KAAA;AACD,IAAA,WAAW,EAAE;AACX,QAAA,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK;AACxB,QAAA,QAAQ,EAAE,IAAI;AACf,KAAA;AACD,IAAA,UAAU,EAAE;AACV,QAAA,IAAI,EAAE,MAAM;AACZ,QAAA,QAAQ,EAAE,IAAI;AACd,QAAA,QAAQ,EAAE;YACR,SAAS,EAAE,CAAC,CAAmB,KAC7B,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;AAClF,YAAA,OAAO,EAAE,sCAAsC;AAChD,SAAA;AACF,KAAA;AACD;;;;;AAKG;AACH,IAAA,QAAQ,EAAE;AACR,QAAA,IAAI,EAAE,MAAM;AACZ,QAAA,QAAQ,EAAE,KAAK;AACf,QAAA,QAAQ,EAAE;AACR,YAAA,SAAS,EAAE,CAAC,CAAU,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,EAAE;AACjD,YAAA,OAAO,EAAE,+EAA+E;AACzF,SAAA;AACF,KAAA;AACD,IAAA,SAAS,EAAE;AACT,QAAA,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ;AAC3B,QAAA,GAAG,EAAE,MAAM;AACZ,KAAA;AACD,IAAA,SAAS,EAAE;AACT,QAAA,IAAI,EAAE,IAAI;QACV,OAAO,EAAE,IAAI,CAAC,GAAG;AAClB,KAAA;;AAED,IAAA,SAAS,EAAE;AACT,QAAA,IAAI,EAAE,IAAI;AACV,QAAA,QAAQ,EAAE,KAAK;AAChB,KAAA;AACF,CAAA,EACD,EAAE,UAAU,EAAE,IAAI,EAAE;AAGtB;;;;;AAKG;AAEH,iBAAiB,CAAC,KAAK,CACrB,EAAE,aAAa,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAChE,EAAE,MAAM,EAAE,IAAI,EAAE,CACjB;AAED,iBAAiB,CAAC,KAAK,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;;;;"}
+{"version":3,"file":"systemGrant.es.js","sources":["../../src/schema/systemGrant.ts"],"sourcesContent":[null],"names":[],"mappings":";;;;AAKA,MAAM,iBAAiB,GAAG,IAAI,MAAM,CAClC;AACE,IAAA,aAAa,EAAE;AACb,QAAA,IAAI,EAAE,MAAM;AACZ,QAAA,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;AAClC,QAAA,QAAQ,EAAE,IAAI;AACf,KAAA;AACD,IAAA,WAAW,EAAE;AACX,QAAA,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK;AACxB,QAAA,QAAQ,EAAE,IAAI;AACf,KAAA;AACD,IAAA,UAAU,EAAE;AACV,QAAA,IAAI,EAAE,MAAM;AACZ,QAAA,QAAQ,EAAE,IAAI;AACd,QAAA,QAAQ,EAAE;AACR,YAAA,SAAS,EAAE,iBAAiB;AAC5B,YAAA,OAAO,EAAE,sCAAsC;AAChD,SAAA;AACF,KAAA;AACD;;;;;AAKG;AACH,IAAA,QAAQ,EAAE;AACR,QAAA,IAAI,EAAE,MAAM;AACZ,QAAA,QAAQ,EAAE,KAAK;AACf,QAAA,QAAQ,EAAE;AACR,YAAA,SAAS,EAAE,CAAC,CAAU,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,EAAE;AACjD,YAAA,OAAO,EAAE,+EAA+E;AACzF,SAAA;AACF,KAAA;AACD,IAAA,SAAS,EAAE;AACT,QAAA,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ;AAC3B,QAAA,GAAG,EAAE,MAAM;AACZ,KAAA;AACD,IAAA,SAAS,EAAE;AACT,QAAA,IAAI,EAAE,IAAI;QACV,OAAO,EAAE,IAAI,CAAC,GAAG;AAClB,KAAA;;AAED,IAAA,SAAS,EAAE;AACT,QAAA,IAAI,EAAE,IAAI;AACV,QAAA,QAAQ,EAAE,KAAK;AAChB,KAAA;AACF,CAAA,EACD,EAAE,UAAU,EAAE,IAAI,EAAE;AAGtB;;;;;AAKG;AAEH,iBAAiB,CAAC,KAAK,CACrB,EAAE,aAAa,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAChE,EAAE,MAAM,EAAE,IAAI,EAAE,CACjB;AAED,iBAAiB,CAAC,KAAK,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;AACvD,iBAAiB,CAAC,KAAK,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;;;;"}

package/dist/types/admin/capabilities.d.ts

@@ -34,6 +34,11 @@ export declare const SystemCapabilities: {
  * e.g. `MANAGE_USERS` implies `READ_USERS`.
  */
 export declare const CapabilityImplications: Partial<Record<BaseSystemCapability, BaseSystemCapability[]>>;
+/**
+ * Runtime validator for the full `SystemCapability` union:
+ * base capabilities, section-level config capabilities, and config assignment capabilities.
+ */
+export declare function isValidCapability(value: string): boolean;
 /**
  * Check whether a set of held capabilities satisfies a required capability,
  * accounting for the manage→read implication hierarchy.

package/dist/types/config/tenantContext.d.ts

@@ -18,3 +18,9 @@ export declare function getTenantId(): string | undefined;
  * The callback MUST be async — sync callbacks returning Mongoose thenables will lose context.
  */
 export declare function runAsSystem<T>(fn: () => Promise<T>): Promise<T>;
+/**
+ * Appends `:${tenantId}` to a cache key when a non-system tenant context is active.
+ * Returns the base key unchanged when no ALS context is set or when running
+ * inside `runAsSystem()` (SYSTEM_TENANT_ID context).
+ */
+export declare function scopedCacheKey(baseKey: string): string;

package/dist/types/index.d.ts

@@ -10,6 +10,6 @@ export type * from './types';
 export type * from './methods';
 export { default as logger } from './config/winston';
 export { default as meiliLogger } from './config/meiliLogger';
-export { tenantStorage, getTenantId, runAsSystem, SYSTEM_TENANT_ID } from './config/tenantContext';
+export { tenantStorage, getTenantId, runAsSystem, scopedCacheKey, SYSTEM_TENANT_ID, } from './config/tenantContext';
 export type { TenantContext } from './config/tenantContext';
 export { dropSupersededTenantIndexes, dropSupersededPromptGroupIndexes } from './migrations';

package/dist/types/methods/aclEntry.d.ts

@@ -25,7 +25,7 @@
 /// <reference types="mongoose/types/inferrawdoctype" />
 import { Types } from 'mongoose';
 import type { AnyBulkWriteOperation, ClientSession, PipelineStage, DeleteResult } from 'mongoose';
-import type { IAclEntry } from '~/types';
+import type { AclEntry, IAclEntry } from '~/types';
 export declare function createAclEntryMethods(mongoose: typeof import('mongoose')): {
     findEntriesByPrincipal: (principalType: string, principalId: string | Types.ObjectId, resourceType?: string) => Promise<IAclEntry[]>;
     findEntriesByResource: (resourceType: string, resourceId: string | Types.ObjectId) => Promise<IAclEntry[]>;
@@ -55,7 +55,7 @@ export declare function createAclEntryMethods(mongoose: typeof import('mongoose'
     deleteAclEntries: (filter: Record<string, unknown>, options?: {
         session?: ClientSession;
     }) => Promise<DeleteResult>;
-    bulkWriteAclEntries: (ops: AnyBulkWriteOperation<IAclEntry>[], options?: {
+    bulkWriteAclEntries: (ops: AnyBulkWriteOperation<AclEntry>[], options?: {
         session?: ClientSession;
     }) => Promise<import("mongodb").BulkWriteResult>;
     findPublicResourceIds: (resourceType: string, requiredPermissions: number) => Promise<Types.ObjectId[]>;

package/dist/types/methods/systemGrant.d.ts

@@ -50,11 +50,39 @@ export declare function createSystemGrantMethods(mongoose: typeof import('mongoo
         capability: SystemCapability;
         tenantId?: string | undefined;
     }) => Promise<boolean>;
+    getHeldCapabilities: ({ principals, capabilities, tenantId, }: {
+        principals: Array<{
+            principalType: PrincipalType;
+            principalId?: string | Types.ObjectId;
+        }>;
+        capabilities: SystemCapability[];
+        tenantId?: string | undefined;
+    }) => Promise<Set<SystemCapability>>;
+    listGrants: (options?: {
+        tenantId?: string;
+        principalTypes?: PrincipalType[];
+        limit?: number;
+        offset?: number;
+    }) => Promise<ISystemGrant[]>;
+    countGrants: (options?: {
+        tenantId?: string;
+        principalTypes?: PrincipalType[];
+    }) => Promise<number>;
     getCapabilitiesForPrincipal: ({ principalType, principalId, tenantId, }: {
         principalType: PrincipalType;
         principalId: string | Types.ObjectId;
         tenantId?: string | undefined;
     }) => Promise<ISystemGrant[]>;
-    deleteGrantsForPrincipal: (principalType: PrincipalType, principalId: string | Types.ObjectId, session?: ClientSession) => Promise<void>;
+    getCapabilitiesForPrincipals: ({ principals, tenantId, }: {
+        principals: Array<{
+            principalType: PrincipalType;
+            principalId: string | Types.ObjectId;
+        }>;
+        tenantId?: string | undefined;
+    }) => Promise<ISystemGrant[]>;
+    deleteGrantsForPrincipal: (principalType: PrincipalType, principalId: string | Types.ObjectId, options?: {
+        tenantId?: string;
+        session?: ClientSession;
+    }) => Promise<void>;
 };
 export type SystemGrantMethods = ReturnType<typeof createSystemGrantMethods>;

package/dist/types/methods/tx.d.ts

@@ -91,7 +91,7 @@ export declare function createTxMethods(_mongoose: typeof import('mongoose'), tx
         inputTokenCount?: number | undefined;
         endpointTokenConfig?: Record<string, Record<string, number>> | undefined;
     }) => number;
-    getPremiumRate: (valueKey: string, tokenType: string, inputTokenCount?: number) => number | null;
+    getPremiumRate: (valueKey: string, tokenType: string, inputTokenCount?: number | null) => number | null;
     getCacheMultiplier: ({ valueKey, cacheType, model, endpoint, endpointTokenConfig, }: {
         valueKey?: string | undefined;
         cacheType?: "read" | "write" | undefined;

package/dist/types/methods/user.d.ts

@@ -30,7 +30,11 @@ export declare const DEFAULT_SESSION_EXPIRY: number;
 /** Factory function that takes mongoose instance and returns the methods */
 export declare function createUserMethods(mongoose: typeof import('mongoose')): {
     findUser: (searchCriteria: FilterQuery<IUser>, fieldsToSelect?: string | string[] | null) => Promise<IUser | null>;
-    findUsers: (searchCriteria: FilterQuery<IUser>, fieldsToSelect?: string | string[] | null) => Promise<IUser[]>;
+    findUsers: (searchCriteria: FilterQuery<IUser>, fieldsToSelect?: string | string[] | null, options?: {
+        limit?: number;
+        offset?: number;
+        sort?: Record<string, 1 | -1>;
+    }) => Promise<IUser[]>;
     countUsers: (filter?: FilterQuery<IUser>) => Promise<number>;
     createUser: (data: CreateUserRequest, balanceConfig?: BalanceConfig, disableTTL?: boolean, returnUser?: boolean) => Promise<mongoose.Types.ObjectId | Partial<IUser>>;
     updateUser: (userId: string, updateData: Partial<IUser>) => Promise<IUser | null>;

package/dist/types/methods/userGroup.d.ts

@@ -54,7 +54,7 @@ export declare function createUserGroupMethods(mongoose: typeof import('mongoose
         userId: string | Types.ObjectId;
         role?: string | null;
     }, session?: ClientSession) => Promise<Array<{
-        principalType: string;
+        principalType: PrincipalType;
         principalId?: string | Types.ObjectId;
     }>>;
     syncUserEntraGroups: (userId: string | Types.ObjectId, entraGroups: Array<{

package/dist/types/schema/user.d.ts

@@ -26,11 +26,11 @@
 import { Schema } from 'mongoose';
 import { IUser } from '~/types';
 declare const userSchema: Schema<IUser, import("mongoose").Model<IUser, any, any, any, import("mongoose").Document<unknown, any, IUser> & IUser & Required<{
-    _id: unknown;
+    _id: import("mongoose").Types.ObjectId;
 }> & {
     __v: number;
 }, any>, {}, {}, {}, {}, import("mongoose").DefaultSchemaOptions, IUser, import("mongoose").Document<unknown, {}, import("mongoose").FlatRecord<IUser>> & import("mongoose").FlatRecord<IUser> & Required<{
-    _id: unknown;
+    _id: import("mongoose").Types.ObjectId;
 }> & {
     __v: number;
 }>;

package/dist/types/types/admin.d.ts

@@ -1,11 +1,11 @@
-import type { PrincipalType, PrincipalModel, TCustomConfig, z, configSchema } from 'librechat-data-provider';
+import type { PrincipalType, PrincipalModel, TCustomConfig } from 'librechat-data-provider';
 import type { SystemCapabilities } from '~/admin/capabilities';
 /** Base capabilities derived from the SystemCapabilities constant. */
 export type BaseSystemCapability = (typeof SystemCapabilities)[keyof typeof SystemCapabilities];
 /** Principal types that can receive config overrides. */
 export type ConfigAssignTarget = 'user' | 'group' | 'role';
 /** Top-level keys of the configSchema from librechat.yaml. */
-export type ConfigSection = keyof z.infer<typeof configSchema>;
+export type ConfigSection = string & keyof TCustomConfig;
 /** Section-level config capabilities derived from configSchema keys. */
 type ConfigSectionCapability = `manage:configs:${ConfigSection}` | `read:configs:${ConfigSection}`;
 /** Principal-scoped config assignment capabilities. */
@@ -89,11 +89,24 @@ export type AdminMember = {
     avatarUrl?: string;
     joinedAt?: string;
 };
+/** Full user info returned by the admin user list endpoint. */
+export type AdminUserListItem = {
+    id: string;
+    name: string;
+    username: string;
+    email: string;
+    avatar: string;
+    role: string;
+    provider: string;
+    createdAt?: string;
+    updatedAt?: string;
+};
 /** Minimal user info returned by user search endpoints. */
 export type AdminUserSearchResult = {
-    userId: string;
+    id: string;
     name: string;
     email: string;
+    username?: string;
     avatarUrl?: string;
 };
 export {};

package/dist/types/types/user.d.ts

@@ -26,6 +26,7 @@
 import type { Document, Types } from 'mongoose';
 import { CursorPaginationParams } from '~/common';
 export interface IUser extends Document {
+    _id: Types.ObjectId;
     name?: string;
     username?: string;
     email: string;
@@ -74,6 +75,14 @@ export interface IUser extends Document {
     /** Field for external source identification (for consistency with TPrincipal schema) */
     idOnTheSource?: string;
     tenantId?: string;
+    federatedTokens?: OIDCTokens;
+    openidTokens?: OIDCTokens;
+}
+export interface OIDCTokens {
+    access_token?: string;
+    id_token?: string;
+    refresh_token?: string;
+    expires_at?: number;
 }
 export interface BalanceConfig {
     enabled?: boolean;

package/dist/types/utils/index.d.ts

@@ -1,5 +1,6 @@
 export * from './principal';
 export * from './string';
 export * from './tempChatRetention';
+export { tenantSafeBulkWrite } from './tenantBulkWrite';
 export * from './transactions';
 export * from './objectId';

package/dist/types/utils/tenantBulkWrite.d.ts

@@ -0,0 +1,45 @@
+/// <reference types="mongoose/types/aggregate" />
+/// <reference types="mongoose/types/callback" />
+/// <reference types="mongoose/types/collection" />
+/// <reference types="mongoose/types/connection" />
+/// <reference types="mongoose/types/cursor" />
+/// <reference types="mongoose/types/document" />
+/// <reference types="mongoose/types/error" />
+/// <reference types="mongoose/types/expressions" />
+/// <reference types="mongoose/types/helpers" />
+/// <reference types="mongoose/types/middlewares" />
+/// <reference types="mongoose/types/indexes" />
+/// <reference types="mongoose/types/models" />
+/// <reference types="mongoose/types/mongooseoptions" />
+/// <reference types="mongoose/types/pipelinestage" />
+/// <reference types="mongoose/types/populate" />
+/// <reference types="mongoose/types/query" />
+/// <reference types="mongoose/types/schemaoptions" />
+/// <reference types="mongoose/types/schematypes" />
+/// <reference types="mongoose/types/session" />
+/// <reference types="mongoose/types/types" />
+/// <reference types="mongoose/types/utility" />
+/// <reference types="mongoose/types/validation" />
+/// <reference types="mongoose/types/virtuals" />
+/// <reference types="mongoose/types/inferschematype" />
+/// <reference types="mongoose/types/inferrawdoctype" />
+import type { AnyBulkWriteOperation, Model, MongooseBulkWriteOptions } from 'mongoose';
+import type { BulkWriteResult } from 'mongodb';
+/** Resets the cached strict-mode flag. Exposed for test teardown only. */
+export declare function _resetBulkWriteStrictCache(): void;
+/**
+ * Tenant-safe wrapper around Mongoose `Model.bulkWrite()`.
+ *
+ * Mongoose's `bulkWrite` does not trigger schema-level middleware hooks, so the
+ * `applyTenantIsolation` plugin cannot intercept it. This wrapper injects the
+ * current ALS tenant context into every operation's filter and/or document
+ * before delegating to the native `bulkWrite`.
+ *
+ * Behavior:
+ * - **tenantId present** (normal request): injects `{ tenantId }` into every
+ *   operation filter (updateOne, deleteOne, replaceOne) and document (insertOne).
+ * - **SYSTEM_TENANT_ID**: skips injection (cross-tenant system operation).
+ * - **No tenantId + strict mode**: throws (fail-closed, same as the plugin).
+ * - **No tenantId + non-strict**: passes through without injection (backward compat).
+ */
+export declare function tenantSafeBulkWrite<T>(model: Model<T>, ops: AnyBulkWriteOperation[], options?: MongooseBulkWriteOptions): Promise<BulkWriteResult>;

package/dist/utils/tenantBulkWrite.cjs

@@ -0,0 +1,85 @@
+'use strict';
+
+var tenantContext = require('../config/tenantContext.cjs');
+var winston = require('../config/winston.cjs');
+
+let _strictMode;
+function isStrict() {
+    return (_strictMode !== null && _strictMode !== void 0 ? _strictMode : (_strictMode = process.env.TENANT_ISOLATION_STRICT === 'true'));
+}
+/**
+ * Tenant-safe wrapper around Mongoose `Model.bulkWrite()`.
+ *
+ * Mongoose's `bulkWrite` does not trigger schema-level middleware hooks, so the
+ * `applyTenantIsolation` plugin cannot intercept it. This wrapper injects the
+ * current ALS tenant context into every operation's filter and/or document
+ * before delegating to the native `bulkWrite`.
+ *
+ * Behavior:
+ * - **tenantId present** (normal request): injects `{ tenantId }` into every
+ *   operation filter (updateOne, deleteOne, replaceOne) and document (insertOne).
+ * - **SYSTEM_TENANT_ID**: skips injection (cross-tenant system operation).
+ * - **No tenantId + strict mode**: throws (fail-closed, same as the plugin).
+ * - **No tenantId + non-strict**: passes through without injection (backward compat).
+ */
+async function tenantSafeBulkWrite(model, ops, options) {
+    const tenantId = tenantContext.getTenantId();
+    if (!tenantId) {
+        if (isStrict()) {
+            throw new Error(`[TenantIsolation] bulkWrite on ${model.modelName} attempted without tenant context in strict mode`);
+        }
+        return model.bulkWrite(ops, options);
+    }
+    if (tenantId === tenantContext.SYSTEM_TENANT_ID) {
+        return model.bulkWrite(ops, options);
+    }
+    const injected = ops.map((op) => injectTenantId(op, tenantId));
+    return model.bulkWrite(injected, options);
+}
+/**
+ * Injects `tenantId` into a single bulk-write operation.
+ * Returns a new operation object — does not mutate the original.
+ */
+function injectTenantId(op, tenantId) {
+    if ('insertOne' in op) {
+        return {
+            insertOne: {
+                document: { ...op.insertOne.document, tenantId },
+            },
+        };
+    }
+    if ('updateOne' in op) {
+        const { filter, ...rest } = op.updateOne;
+        return { updateOne: { ...rest, filter: { ...filter, tenantId } } };
+    }
+    if ('updateMany' in op) {
+        const { filter, ...rest } = op.updateMany;
+        return { updateMany: { ...rest, filter: { ...filter, tenantId } } };
+    }
+    if ('deleteOne' in op) {
+        const { filter, ...rest } = op.deleteOne;
+        return { deleteOne: { ...rest, filter: { ...filter, tenantId } } };
+    }
+    if ('deleteMany' in op) {
+        const { filter, ...rest } = op.deleteMany;
+        return { deleteMany: { ...rest, filter: { ...filter, tenantId } } };
+    }
+    if ('replaceOne' in op) {
+        const { filter, replacement, ...rest } = op.replaceOne;
+        return {
+            replaceOne: {
+                ...rest,
+                filter: { ...filter, tenantId },
+                replacement: { ...replacement, tenantId },
+            },
+        };
+    }
+    if (isStrict()) {
+        throw new Error('[TenantIsolation] Unknown bulkWrite operation type in strict mode — refusing to pass through without tenant injection');
+    }
+    winston.warn('[tenantSafeBulkWrite] Unknown bulk op type, passing through without tenant injection');
+    return op;
+}
+
+exports.tenantSafeBulkWrite = tenantSafeBulkWrite;
+//# sourceMappingURL=tenantBulkWrite.cjs.map

package/dist/utils/tenantBulkWrite.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenantBulkWrite.cjs","sources":["../../src/utils/tenantBulkWrite.ts"],"sourcesContent":[null],"names":["getTenantId","SYSTEM_TENANT_ID","logger"],"mappings":";;;;;AAKA,IAAI,WAAgC;AAEpC,SAAS,QAAQ,GAAA;AACf,IAAA,QAAQ,WAAW,KAAA,IAAA,IAAX,WAAW,KAAA,MAAA,GAAX,WAAW,IAAX,WAAW,GAAK,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,MAAM;AACxE;AAOA;;;;;;;;;;;;;;AAcG;AACI,eAAe,mBAAmB,CACvC,KAAe,EACf,GAA4B,EAC5B,OAAkC,EAAA;AAElC,IAAA,MAAM,QAAQ,GAAGA,yBAAW,EAAE;IAE9B,IAAI,CAAC,QAAQ,EAAE;QACb,IAAI,QAAQ,EAAE,EAAE;YACd,MAAM,IAAI,KAAK,CACb,CAAA,+BAAA,EAAkC,KAAK,CAAC,SAAS,CAAA,gDAAA,CAAkD,CACpG;QACH;QACA,OAAO,KAAK,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC;IACtC;AAEA,IAAA,IAAI,QAAQ,KAAKC,8BAAgB,EAAE;QACjC,OAAO,KAAK,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC;IACtC;AAEA,IAAA,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC9D,OAAO,KAAK,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC;AAC3C;AAEA;;;AAGG;AACH,SAAS,cAAc,CAAC,EAAyB,EAAE,QAAgB,EAAA;AACjE,IAAA,IAAI,WAAW,IAAI,EAAE,EAAE;QACrB,OAAO;AACL,YAAA,SAAS,EAAE;gBACT,QAAQ,EAAE,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,EAAE;AACjD,aAAA;SACF;IACH;AAEA,IAAA,IAAI,WAAW,IAAI,EAAE,EAAE;QACrB,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,SAAS;AACxC,QAAA,OAAO,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;IACpE;AAEA,IAAA,IAAI,YAAY,IAAI,EAAE,EAAE;QACtB,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,UAAU;AACzC,QAAA,OAAO,EAAE,UAAU,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;IACrE;AAEA,IAAA,IAAI,WAAW,IAAI,EAAE,EAAE;QACrB,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,SAAS;AACxC,QAAA,OAAO,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;IACpE;AAEA,IAAA,IAAI,YAAY,IAAI,EAAE,EAAE;QACtB,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,UAAU;AACzC,QAAA,OAAO,EAAE,UAAU,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;IACrE;AAEA,IAAA,IAAI,YAAY,IAAI,EAAE,EAAE;AACtB,QAAA,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,UAAU;QACtD,OAAO;AACL,YAAA,UAAU,EAAE;AACV,gBAAA,GAAG,IAAI;AACP,gBAAA,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE;AAC/B,gBAAA,WAAW,EAAE,EAAE,GAAG,WAAW,EAAE,QAAQ,EAAE;AAC1C,aAAA;SACF;IACH;IAEA,IAAI,QAAQ,EAAE,EAAE;AACd,QAAA,MAAM,IAAI,KAAK,CACb,uHAAuH,CACxH;IACH;AACA,IAAAC,OAAM,CAAC,IAAI,CACT,sFAAsF,CACvF;AACD,IAAA,OAAO,EAAE;AACX;;;;"}

package/dist/utils/tenantBulkWrite.es.js

@@ -0,0 +1,83 @@
+import { getTenantId, SYSTEM_TENANT_ID } from '../config/tenantContext.es.js';
+import logger from '../config/winston.es.js';
+
+let _strictMode;
+function isStrict() {
+    return (_strictMode !== null && _strictMode !== void 0 ? _strictMode : (_strictMode = process.env.TENANT_ISOLATION_STRICT === 'true'));
+}
+/**
+ * Tenant-safe wrapper around Mongoose `Model.bulkWrite()`.
+ *
+ * Mongoose's `bulkWrite` does not trigger schema-level middleware hooks, so the
+ * `applyTenantIsolation` plugin cannot intercept it. This wrapper injects the
+ * current ALS tenant context into every operation's filter and/or document
+ * before delegating to the native `bulkWrite`.
+ *
+ * Behavior:
+ * - **tenantId present** (normal request): injects `{ tenantId }` into every
+ *   operation filter (updateOne, deleteOne, replaceOne) and document (insertOne).
+ * - **SYSTEM_TENANT_ID**: skips injection (cross-tenant system operation).
+ * - **No tenantId + strict mode**: throws (fail-closed, same as the plugin).
+ * - **No tenantId + non-strict**: passes through without injection (backward compat).
+ */
+async function tenantSafeBulkWrite(model, ops, options) {
+    const tenantId = getTenantId();
+    if (!tenantId) {
+        if (isStrict()) {
+            throw new Error(`[TenantIsolation] bulkWrite on ${model.modelName} attempted without tenant context in strict mode`);
+        }
+        return model.bulkWrite(ops, options);
+    }
+    if (tenantId === SYSTEM_TENANT_ID) {
+        return model.bulkWrite(ops, options);
+    }
+    const injected = ops.map((op) => injectTenantId(op, tenantId));
+    return model.bulkWrite(injected, options);
+}
+/**
+ * Injects `tenantId` into a single bulk-write operation.
+ * Returns a new operation object — does not mutate the original.
+ */
+function injectTenantId(op, tenantId) {
+    if ('insertOne' in op) {
+        return {
+            insertOne: {
+                document: { ...op.insertOne.document, tenantId },
+            },
+        };
+    }
+    if ('updateOne' in op) {
+        const { filter, ...rest } = op.updateOne;
+        return { updateOne: { ...rest, filter: { ...filter, tenantId } } };
+    }
+    if ('updateMany' in op) {
+        const { filter, ...rest } = op.updateMany;
+        return { updateMany: { ...rest, filter: { ...filter, tenantId } } };
+    }
+    if ('deleteOne' in op) {
+        const { filter, ...rest } = op.deleteOne;
+        return { deleteOne: { ...rest, filter: { ...filter, tenantId } } };
+    }
+    if ('deleteMany' in op) {
+        const { filter, ...rest } = op.deleteMany;
+        return { deleteMany: { ...rest, filter: { ...filter, tenantId } } };
+    }
+    if ('replaceOne' in op) {
+        const { filter, replacement, ...rest } = op.replaceOne;
+        return {
+            replaceOne: {
+                ...rest,
+                filter: { ...filter, tenantId },
+                replacement: { ...replacement, tenantId },
+            },
+        };
+    }
+    if (isStrict()) {
+        throw new Error('[TenantIsolation] Unknown bulkWrite operation type in strict mode — refusing to pass through without tenant injection');
+    }
+    logger.warn('[tenantSafeBulkWrite] Unknown bulk op type, passing through without tenant injection');
+    return op;
+}
+
+export { tenantSafeBulkWrite };
+//# sourceMappingURL=tenantBulkWrite.es.js.map

package/dist/utils/tenantBulkWrite.es.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenantBulkWrite.es.js","sources":["../../src/utils/tenantBulkWrite.ts"],"sourcesContent":[null],"names":[],"mappings":";;;AAKA,IAAI,WAAgC;AAEpC,SAAS,QAAQ,GAAA;AACf,IAAA,QAAQ,WAAW,KAAA,IAAA,IAAX,WAAW,KAAA,MAAA,GAAX,WAAW,IAAX,WAAW,GAAK,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,MAAM;AACxE;AAOA;;;;;;;;;;;;;;AAcG;AACI,eAAe,mBAAmB,CACvC,KAAe,EACf,GAA4B,EAC5B,OAAkC,EAAA;AAElC,IAAA,MAAM,QAAQ,GAAG,WAAW,EAAE;IAE9B,IAAI,CAAC,QAAQ,EAAE;QACb,IAAI,QAAQ,EAAE,EAAE;YACd,MAAM,IAAI,KAAK,CACb,CAAA,+BAAA,EAAkC,KAAK,CAAC,SAAS,CAAA,gDAAA,CAAkD,CACpG;QACH;QACA,OAAO,KAAK,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC;IACtC;AAEA,IAAA,IAAI,QAAQ,KAAK,gBAAgB,EAAE;QACjC,OAAO,KAAK,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC;IACtC;AAEA,IAAA,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC9D,OAAO,KAAK,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC;AAC3C;AAEA;;;AAGG;AACH,SAAS,cAAc,CAAC,EAAyB,EAAE,QAAgB,EAAA;AACjE,IAAA,IAAI,WAAW,IAAI,EAAE,EAAE;QACrB,OAAO;AACL,YAAA,SAAS,EAAE;gBACT,QAAQ,EAAE,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,EAAE;AACjD,aAAA;SACF;IACH;AAEA,IAAA,IAAI,WAAW,IAAI,EAAE,EAAE;QACrB,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,SAAS;AACxC,QAAA,OAAO,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;IACpE;AAEA,IAAA,IAAI,YAAY,IAAI,EAAE,EAAE;QACtB,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,UAAU;AACzC,QAAA,OAAO,EAAE,UAAU,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;IACrE;AAEA,IAAA,IAAI,WAAW,IAAI,EAAE,EAAE;QACrB,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,SAAS;AACxC,QAAA,OAAO,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;IACpE;AAEA,IAAA,IAAI,YAAY,IAAI,EAAE,EAAE;QACtB,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,UAAU;AACzC,QAAA,OAAO,EAAE,UAAU,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;IACrE;AAEA,IAAA,IAAI,YAAY,IAAI,EAAE,EAAE;AACtB,QAAA,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC,UAAU;QACtD,OAAO;AACL,YAAA,UAAU,EAAE;AACV,gBAAA,GAAG,IAAI;AACP,gBAAA,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE;AAC/B,gBAAA,WAAW,EAAE,EAAE,GAAG,WAAW,EAAE,QAAQ,EAAE;AAC1C,aAAA;SACF;IACH;IAEA,IAAI,QAAQ,EAAE,EAAE;AACd,QAAA,MAAM,IAAI,KAAK,CACb,uHAAuH,CACxH;IACH;AACA,IAAA,MAAM,CAAC,IAAI,CACT,sFAAsF,CACvF;AACD,IAAA,OAAO,EAAE;AACX;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@librechat/data-schemas",
-  "version": "0.0.47",
+  "version": "0.0.48",
   "description": "Mongoose schemas and models for LibreChat",
   "type": "module",
   "main": "dist/index.cjs",