🔐 feat: Granular Role-based Permissions + Entra ID Group Discovery (#7804)

WIP: pre-granular-permissions commit feat: Add category and support contact fields to Agent schema and UI components Revert "feat: Add category and support contact fields to Agent schema and UI components" This reverts commit c43a52b4c9. Fix: Update import for renderHook in useAgentCategories.spec.tsx fix: Update icon rendering in AgentCategoryDisplay tests to use empty spans refactor: Improve category synchronization logic and clean up AgentConfig component refactor: Remove unused UI flow translations from translation.json feat: agent marketplace features 🔐 feat: Granular Role-based Permissions + Entra ID Group Discovery (#7804)
2025-12-27 05:38:51 +01:00 · 2025-06-23 10:22:27 -04:00 · 2025-06-23 10:22:27 -04:00 · 76d75030b9
commit 76d75030b9
parent abc32e66ce
147 changed files with 17564 additions and 645 deletions
--- a/api/models/Agent.js
+++ b/api/models/Agent.js
@ -4,7 +4,8 @@ const { logger } = require('@librechat/data-schemas');
 const { SystemRoles, Tools, actionDelimiter } = require('librechat-data-provider');
 const { GLOBAL_PROJECT_NAME, EPHEMERAL_AGENT_ID, mcp_delimiter } =
  require('librechat-data-provider').Constants;
-const { CONFIG_STORE, STARTUP_CONFIG } = require('librechat-data-provider').CacheKeys;
+// Default category value for new agents
+const AgentCategory = require('./AgentCategory');
 const {
  getProjectByName,
  addAgentIdsToProject,
@ -12,7 +13,82 @@ const {
  removeAgentFromAllProjects,
 } = require('./Project');
 const { getCachedTools } = require('~/server/services/Config');
-const getLogStores = require('~/cache/getLogStores');
+
+// Category values are now imported from shared constants
+
+// Add category field to the Agent schema if it doesn't already exist
+if (!agentSchema.paths.category) {
+  agentSchema.add({
+    category: {
+      type: String,
+      trim: true,
+      validate: {
+        validator: async function (value) {
+          if (!value) return true; // Allow empty values (will use default)
+
+          // Check if category exists in database
+          const validCategories = await AgentCategory.getValidCategoryValues();
+          return validCategories.includes(value);
+        },
+        message: function (props) {
+          return `"${props.value}" is not a valid agent category. Please check available categories.`;
+        },
+      },
+      index: true,
+      default: 'general',
+    },
+  });
+}
+
+// Add support_contact field to the Agent schema if it doesn't already exist
+if (!agentSchema.paths.support_contact) {
+  agentSchema.add({
+    support_contact: {
+      type: Object,
+      default: {},
+      name: {
+        type: String,
+        minlength: [3, 'Support contact name must be at least 3 characters.'],
+        trim: true,
+      },
+      email: {
+        type: String,
+        match: [
+          /^\w+([.-]?\w+)*@\w+([.-]?\w+)*(\.\w{2,3})+$/,
+          'Please enter a valid email address.',
+        ],
+        trim: true,
+      },
+    },
+  });
+}
+
+// Add promotion field to the Agent schema if it doesn't already exist
+if (!agentSchema.paths.is_promoted) {
+  agentSchema.add({
+    is_promoted: {
+      type: Boolean,
+      default: false,
+      index: true, // Index for efficient promoted agent queries
+    },
+  });
+}
+
+// Add additional indexes for marketplace functionality
+agentSchema.index({ projectIds: 1, is_promoted: 1, updatedAt: -1 }); // Optimize promoted agents query
+agentSchema.index({ category: 1, projectIds: 1, updatedAt: -1 }); // Optimize category filtering
+agentSchema.index({ projectIds: 1, category: 1 }); // Optimize aggregation pipeline
+
+// Text indexes for search functionality
+agentSchema.index(
+  { name: 'text', description: 'text' },
+  {
+    weights: {
+      name: 3, // Name matches are 3x more important than description matches
+      description: 1,
+    },
+  },
+);
 const { getActions } = require('./Action');
 const { Agent } = require('~/db/models');

@ -23,7 +99,7 @@ const { Agent } = require('~/db/models');
 * @throws {Error} If the agent creation fails.
 */
 const createAgent = async (agentData) => {
-  const { author, ...versionData } = agentData;
+  const { author: _author, ...versionData } = agentData;
  const timestamp = new Date();
  const initialAgentData = {
    ...agentData,
@ -34,6 +110,7 @@ const createAgent = async (agentData) => {
        updatedAt: timestamp,
      },
    ],
+    category: agentData.category || 'general',
  };
  return (await Agent.create(initialAgentData)).toObject();
 };
@ -131,29 +208,7 @@ const loadAgent = async ({ req, agent_id, endpoint, model_parameters }) => {
  }

  agent.version = agent.versions ? agent.versions.length : 0;
-
-  if (agent.author.toString() === req.user.id) {
-    return agent;
-  }
-
-  if (!agent.projectIds) {
-    return null;
-  }
-
-  const cache = getLogStores(CONFIG_STORE);
-  /** @type {TStartupConfig} */
-  const cachedStartupConfig = await cache.get(STARTUP_CONFIG);
-  let { instanceProjectId } = cachedStartupConfig ?? {};
-  if (!instanceProjectId) {
-    instanceProjectId = (await getProjectByName(GLOBAL_PROJECT_NAME, '_id'))._id.toString();
-  }
-
-  for (const projectObjectId of agent.projectIds) {
-    const projectId = projectObjectId.toString();
-    if (projectId === instanceProjectId) {
-      return agent;
-    }
-  }
+  return agent;
 };

 /**
@ -183,7 +238,7 @@ const isDuplicateVersion = (updateData, currentData, versions, actionsHash = nul
    'actionsHash', // Exclude actionsHash from direct comparison
  ];

-  const { $push, $pull, $addToSet, ...directUpdates } = updateData;
+  const { $push: _$push, $pull: _$pull, $addToSet: _$addToSet, ...directUpdates } = updateData;

  if (Object.keys(directUpdates).length === 0 && !actionsHash) {
    return null;
@ -278,7 +333,14 @@ const updateAgent = async (searchParameter, updateData, options = {}) => {

  const currentAgent = await Agent.findOne(searchParameter);
  if (currentAgent) {
-    const { __v, _id, id, versions, author, ...versionData } = currentAgent.toObject();
+    const {
+      __v,
+      _id,
+      id: __id,
+      versions,
+      author: _author,
+      ...versionData
+    } = currentAgent.toObject();
    const { $push, $pull, $addToSet, ...directUpdates } = updateData;

    let actionsHash = null;
@ -462,8 +524,110 @@ const deleteAgent = async (searchParameter) => {
  return agent;
 };

+/**
+ * Get agents by accessible IDs with optional cursor-based pagination.
+ * @param {Object} params - The parameters for getting accessible agents.
+ * @param {Array} [params.accessibleIds] - Array of agent ObjectIds the user has ACL access to.
+ * @param {Object} [params.otherParams] - Additional query parameters (including author filter).
+ * @param {number} [params.limit] - Number of agents to return (max 100). If not provided, returns all agents.
+ * @param {string} [params.after] - Cursor for pagination - get agents after this cursor. // base64 encoded JSON string with updatedAt and _id.
+ * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
+ */
+const getListAgentsByAccess = async ({
+  accessibleIds = [],
+  otherParams = {},
+  limit = null,
+  after = null,
+}) => {
+  const isPaginated = limit !== null && limit !== undefined;
+  const normalizedLimit = isPaginated ? Math.min(Math.max(1, parseInt(limit) || 20), 100) : null;
+
+  // Build base query combining ACL accessible agents with other filters
+  const baseQuery = { ...otherParams };
+
+  if (accessibleIds.length > 0) {
+    baseQuery._id = { $in: accessibleIds };
+  }
+
+  // Add cursor condition
+  if (after) {
+    try {
+      const cursor = JSON.parse(Buffer.from(after, 'base64').toString('utf8'));
+      const { updatedAt, _id } = cursor;
+
+      const cursorCondition = {
+        $or: [
+          { updatedAt: { $lt: new Date(updatedAt) } },
+          { updatedAt: new Date(updatedAt), _id: { $gt: mongoose.Types.ObjectId(_id) } },
+        ],
+      };
+
+      // Merge cursor condition with base query
+      if (Object.keys(baseQuery).length > 0) {
+        baseQuery.$and = [{ ...baseQuery }, cursorCondition];
+        // Remove the original conditions from baseQuery to avoid duplication
+        Object.keys(baseQuery).forEach((key) => {
+          if (key !== '$and') delete baseQuery[key];
+        });
+      } else {
+        Object.assign(baseQuery, cursorCondition);
+      }
+    } catch (error) {
+      logger.warn('Invalid cursor:', error.message);
+    }
+  }
+
+  let query = Agent.find(baseQuery, {
+    id: 1,
+    _id: 1,
+    name: 1,
+    avatar: 1,
+    author: 1,
+    projectIds: 1,
+    description: 1,
+    updatedAt: 1,
+  }).sort({ updatedAt: -1, _id: 1 });
+
+  // Only apply limit if pagination is requested
+  if (isPaginated) {
+    query = query.limit(normalizedLimit + 1);
+  }
+
+  const agents = await query.lean();
+
+  const hasMore = isPaginated ? agents.length > normalizedLimit : false;
+  const data = (isPaginated ? agents.slice(0, normalizedLimit) : agents).map((agent) => {
+    if (agent.author) {
+      agent.author = agent.author.toString();
+    }
+    return agent;
+  });
+
+  // Generate next cursor only if paginated
+  let nextCursor = null;
+  if (isPaginated && hasMore && data.length > 0) {
+    const lastAgent = agents[normalizedLimit - 1];
+    nextCursor = Buffer.from(
+      JSON.stringify({
+        updatedAt: lastAgent.updatedAt.toISOString(),
+        _id: lastAgent._id.toString(),
+      }),
+    ).toString('base64');
+  }
+
+  return {
+    object: 'list',
+    data,
+    first_id: data.length > 0 ? data[0].id : null,
+    last_id: data.length > 0 ? data[data.length - 1].id : null,
+    has_more: hasMore,
+    after: nextCursor,
+  };
+};
+
 /**
 * Get all agents.
+ * @deprecated Use getListAgentsByAccess for ACL-aware agent listing
 * @param {Object} searchParameter - The search parameters to find matching agents.
 * @param {string} searchParameter.author - The user ID of the agent's author.
 * @returns {Promise<Object>} A promise that resolves to an object containing the agents data and pagination info.
@ -482,13 +646,15 @@ const getListAgents = async (searchParameter) => {
  const agents = (
    await Agent.find(query, {
      id: 1,
-      _id: 0,
+      _id: 1,
      name: 1,
      avatar: 1,
      author: 1,
      projectIds: 1,
      description: 1,
+      // @deprecated - isCollaborative replaced by ACL permissions
      isCollaborative: 1,
+      category: 1,
    }).lean()
  ).map((agent) => {
    if (agent.author?.toString() !== author) {
@ -671,6 +837,7 @@ module.exports = {
  revertAgentVersion,
  updateAgentProjects,
  addAgentResourceFile,
+  getListAgentsByAccess,
  removeAgentResourceFiles,
  generateActionMetadataHash,
 };
--- a/api/models/Agent.spec.js
+++ b/api/models/Agent.spec.js
@ -1612,7 +1612,7 @@ describe('models/Agent', () => {
      expect(result.version).toBe(1);
    });

-    test('should return null when user is not author and agent has no projectIds', async () => {
+    test('should return agent even when user is not author (permissions checked at route level)', async () => {
      const authorId = new mongoose.Types.ObjectId();
      const userId = new mongoose.Types.ObjectId();
      const agentId = `agent_${uuidv4()}`;
@ -1633,7 +1633,11 @@ describe('models/Agent', () => {
        model_parameters: { model: 'gpt-4' },
      });

-      expect(result).toBeFalsy();
+      // With the new permission system, loadAgent returns the agent regardless of permissions
+      // Permission checks are handled at the route level via middleware
+      expect(result).toBeTruthy();
+      expect(result.id).toBe(agentId);
+      expect(result.name).toBe('Test Agent');
    });

    test('should handle ephemeral agent with no MCP servers', async () => {
@ -1741,7 +1745,7 @@ describe('models/Agent', () => {
        }
      });

-      test('should handle loadAgent with agent from different project', async () => {
+      test('should return agent from different project (permissions checked at route level)', async () => {
        const authorId = new mongoose.Types.ObjectId();
        const userId = new mongoose.Types.ObjectId();
        const agentId = `agent_${uuidv4()}`;
@ -1764,7 +1768,11 @@ describe('models/Agent', () => {
          model_parameters: { model: 'gpt-4' },
        });

-        expect(result).toBeFalsy();
+        // With the new permission system, loadAgent returns the agent regardless of permissions
+        // Permission checks are handled at the route level via middleware
+        expect(result).toBeTruthy();
+        expect(result.id).toBe(agentId);
+        expect(result.name).toBe('Project Agent');
      });
    });
  });
--- a/api/models/AgentCategory.js
+++ b/api/models/AgentCategory.js
@ -0,0 +1,125 @@
+const mongoose = require('mongoose');
+
+/**
+ * AgentCategory Schema - Dynamic agent category management
+ * Focused implementation for core features only
+ */
+const agentCategorySchema = new mongoose.Schema(
+  {
+    // Unique identifier for the category (e.g., 'general', 'hr', 'finance')
+    value: {
+      type: String,
+      required: true,
+      unique: true,
+      trim: true,
+      lowercase: true,
+      index: true,
+    },
+    
+    // Display label for the category
+    label: {
+      type: String,
+      required: true,
+      trim: true,
+    },
+    
+    // Description of the category
+    description: {
+      type: String,
+      trim: true,
+      default: '',
+    },
+    
+    // Display order for sorting categories
+    order: {
+      type: Number,
+      default: 0,
+      index: true,
+    },
+    
+    // Whether the category is active and should be displayed
+    isActive: {
+      type: Boolean,
+      default: true,
+      index: true,
+    },
+  },
+  {
+    timestamps: true,
+  }
+);
+
+// Indexes for performance
+agentCategorySchema.index({ isActive: 1, order: 1 });
+
+/**
+ * Get all active categories sorted by order
+ * @returns {Promise<AgentCategory[]>} Array of active categories
+ */
+agentCategorySchema.statics.getActiveCategories = function() {
+  return this.find({ isActive: true })
+    .sort({ order: 1, label: 1 })
+    .lean();
+};
+
+/**
+ * Get categories with agent counts
+ * @returns {Promise<AgentCategory[]>} Categories with agent counts
+ */
+agentCategorySchema.statics.getCategoriesWithCounts = async function() {
+  const Agent = mongoose.model('agent');
+  
+  // Aggregate to get agent counts per category
+  const categoryCounts = await Agent.aggregate([
+    { $match: { category: { $exists: true, $ne: null } } },
+    { $group: { _id: '$category', count: { $sum: 1 } } },
+  ]);
+  
+  // Create a map for quick lookup
+  const countMap = new Map(categoryCounts.map(c => [c._id, c.count]));
+  
+  // Get all active categories and add counts
+  const categories = await this.getActiveCategories();
+  
+  return categories.map(category => ({
+    ...category,
+    agentCount: countMap.get(category.value) || 0,
+  }));
+};
+
+/**
+ * Get valid category values for Agent model validation
+ * @returns {Promise<string[]>} Array of valid category values
+ */
+agentCategorySchema.statics.getValidCategoryValues = function() {
+  return this.find({ isActive: true })
+    .distinct('value')
+    .lean();
+};
+
+/**
+ * Seed initial categories from existing constants
+ */
+agentCategorySchema.statics.seedCategories = async function(categories) {
+  const operations = categories.map((category, index) => ({
+    updateOne: {
+      filter: { value: category.value },
+      update: {
+        $setOnInsert: {
+          value: category.value,
+          label: category.label || category.value,
+          description: category.description || '',
+          order: category.order || index,
+          isActive: true,
+        },
+      },
+      upsert: true,
+    },
+  }));
+  
+  return this.bulkWrite(operations);
+};
+
+const AgentCategory = mongoose.model('AgentCategory', agentCategorySchema);
+
+module.exports = AgentCategory;