🔬 ci: Add TypeScript Type Checks to Backend Workflow and Fix All Type Errors (#12451)

* fix(data-schemas): resolve TypeScript strict type check errors in source files

- Constrain ConfigSection to string keys via `string & keyof TCustomConfig`
- Replace broken `z` import from data-provider with TCustomConfig derivation
- Add `_id: Types.ObjectId` to IUser matching other Document interfaces
- Add `federatedTokens` and `openidTokens` optional fields to IUser
- Type mongoose model accessors as `Model<IRole>` and `Model<IUser>`
- Widen `getPremiumRate` param to accept `number | null`
- Widen `bulkWriteAclEntries` ops to untyped `AnyBulkWriteOperation[]`
- Fix `getUserPrincipals` return type to use `PrincipalType` enum
- Add non-null assertions for `connection.db` in migration files
- Import DailyRotateFile constructor directly instead of relying on
  broken module augmentation across mismatched node_modules trees
- Add winston-daily-rotate-file as devDependency for type resolution

* fix(data-schemas): resolve TypeScript type errors in test files

- Replace arbitrary test keys with valid TCustomConfig properties in config.spec
- Use non-null assertions for permission objects in role.methods.spec
- Replace `.SHARED_GLOBAL` access with `.not.toHaveProperty()` for legacy field
- Add non-null assertions for balance, writeRate, readRate in spendTokens.spec
- Update mock user _id to use ObjectId in user.test
- Remove unused Schema import in tenantIndexes.spec

* fix(api): resolve TypeScript strict type check errors across source and test files

- Widen getUserPrincipals dep type in capabilities middleware
- Fix federatedTokens type in createSafeUser return
- Use proper mock req type for read-only properties in preAuthTenant.spec
- Replace `as IUser` casts with ObjectId-typed mocks in openid/oidc specs
- Use TokenExchangeMethodEnum values instead of string literals in MCP specs
- Fix SessionStore type compatibility in sessionCache specs
- Replace `catch (error: any)` with `(error as Error)` in redis specs
- Remove invalid properties from test data in initialize and MCP specs
- Add String.prototype.isWellFormed declaration for sanitizeTitle spec

* fix(client): resolve TypeScript type errors in shared client components

- Add default values for destructured bindings in OGDialogTemplate
- Replace broken ExtendedFile import with inline type in FileIcon

* ci: add TypeScript type-check job to backend review workflow

Add a `typecheck` job that runs `tsc --noEmit` on all four TypeScript
workspaces (data-provider, data-schemas, @librechat/api, @librechat/client)
after the build step. Catches type errors that rollup builds may miss.

* fix(data-schemas): add local type declaration for DailyRotateFile transport

The `winston-daily-rotate-file` package ships a module augmentation for
`winston/lib/winston/transports`, but it fails when winston and
winston-daily-rotate-file resolve from different node_modules trees
(which happens in this monorepo due to npm hoisting).

Add a local `.d.ts` declaration that augments the same module path from
within data-schemas' compilation unit, so `tsc --noEmit` passes while
keeping the original runtime pattern (`new winston.transports.DailyRotateFile`).

* fix: address code review findings from PR #12451

- Restore typed `AnyBulkWriteOperation<AclEntry>[]` on bulkWriteAclEntries,
  cast to untyped only at the tenantSafeBulkWrite call site (Finding 1)
- Type `findUser` model accessor consistently with `findUsers` (Finding 2)
- Replace inline `import('mongoose').ClientSession` with top-level import type
- Use `toHaveLength` for spy assertions in playwright-expect spec file
- Replace numbered Record casts with `.not.toHaveProperty()` in
  role.methods.spec for SHARED_GLOBAL assertions
- Use per-test ObjectIds instead of shared testUserId in openid.spec
- Replace inline `import()` type annotations with top-level SessionData
  import in sessionCache spec
- Remove extraneous blank line in user.ts searchUsers

* refactor: address remaining review findings (4–7)

- Extract OIDCTokens interface in user.ts; deduplicate across IUser fields
  and oidc.ts FederatedTokens (Finding 4)
- Move String.isWellFormed declaration from spec file to project-level
  src/types/es2024-string.d.ts (Finding 5)
- Replace verbose `= undefined` defaults in OGDialogTemplate with null
  coalescing pattern (Finding 6)
- Replace `Record<string, unknown>` TestConfig with named interface
  containing explicit test fields (Finding 7)

packages/data-schemas/src/methods/role.methods.spec.ts

@@ -285,12 +285,12 @@ describe('updateAccessPermissions', () => {
     const updatedRole = await getRoleByName(SystemRoles.USER);
 
     // SHARED_GLOBAL=true → SHARE=true (inherited)
-    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARE).toBe(true);
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]!.SHARE).toBe(true);
     // SHARED_GLOBAL=false → SHARE=false (inherited)
-    expect(updatedRole.permissions[PermissionTypes.AGENTS].SHARE).toBe(false);
+    expect(updatedRole.permissions[PermissionTypes.AGENTS]!.SHARE).toBe(false);
     // SHARED_GLOBAL cleaned up
-    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBeUndefined();
-    expect(updatedRole.permissions[PermissionTypes.AGENTS].SHARED_GLOBAL).toBeUndefined();
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]).not.toHaveProperty('SHARED_GLOBAL');
+    expect(updatedRole.permissions[PermissionTypes.AGENTS]).not.toHaveProperty('SHARED_GLOBAL');
   });
 
   it('should respect explicit SHARE in update payload and not override it with SHARED_GLOBAL', async () => {
@@ -309,8 +309,8 @@ describe('updateAccessPermissions', () => {
 
     const updatedRole = await getRoleByName(SystemRoles.USER);
 
-    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARE).toBe(false);
-    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBeUndefined();
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]!.SHARE).toBe(false);
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]).not.toHaveProperty('SHARED_GLOBAL');
   });
 
   it('should migrate SHARED_GLOBAL to SHARE even when the permType is not in the update payload', async () => {
@@ -336,13 +336,13 @@ describe('updateAccessPermissions', () => {
     const updatedRole = await getRoleByName(SystemRoles.USER);
 
     // SHARE should have been inherited from SHARED_GLOBAL, not silently dropped
-    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARE).toBe(true);
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]!.SHARE).toBe(true);
     // SHARED_GLOBAL should be removed
-    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBeUndefined();
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]).not.toHaveProperty('SHARED_GLOBAL');
     // Original USE should be untouched
-    expect(updatedRole.permissions[PermissionTypes.PROMPTS].USE).toBe(true);
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]!.USE).toBe(true);
     // The actual update should have applied
-    expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO].USE).toBe(true);
+    expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO]!.USE).toBe(true);
   });
 
   it('should remove orphaned SHARED_GLOBAL when SHARE already exists and permType is not in update', async () => {
@@ -366,9 +366,9 @@ describe('updateAccessPermissions', () => {
 
     const updatedRole = await getRoleByName(SystemRoles.USER);
 
-    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBeUndefined();
-    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARE).toBe(true);
-    expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO].USE).toBe(true);
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]).not.toHaveProperty('SHARED_GLOBAL');
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]!.SHARE).toBe(true);
+    expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO]!.USE).toBe(true);
   });
 
   it('should not update MULTI_CONVO permissions when no changes are needed', async () => {