mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-02-14 22:48:10 +01:00
3398f6a17a
* feat: replace unsupported MongoDB aggregation operators for FerretDB compatibility Replace $lookup, $unwind, $sample, $replaceRoot, and $addFields aggregation stages which are unsupported on FerretDB v2.x (postgres-documentdb backend). - Prompt.js: Replace $lookup/$unwind/$project pipelines with find().select().lean() + attachProductionPrompts() batch helper. Replace $group/$replaceRoot/$sample in getRandomPromptGroups with distinct() + Fisher-Yates shuffle. - Agent/Prompt migration scripts: Replace $lookup anti-join pattern with distinct() + $nin two-step queries for finding un-migrated resources. All replacement patterns verified against FerretDB v2.7.0. Co-authored-by: Cursor <cursoragent@cursor.com> * fix: use $pullAll for simple array removals, fix memberIds type mismatches Replace $pull with $pullAll for exact-value scalar array removals. Both operators work on MongoDB and FerretDB, but $pullAll is more explicit for exact matching (no condition expressions). Fix critical type mismatch bugs where ObjectId values were used against String[] memberIds arrays in Group queries: - config/delete-user.js: use string uid instead of ObjectId user._id - e2e/setup/cleanupUser.ts: convert userId.toString() before query Harden PermissionService.bulkUpdateResourcePermissions abort handling to prevent crash when abortTransaction is called after commitTransaction. All changes verified against FerretDB v2.7.0 and MongoDB Memory Server. Co-authored-by: Cursor <cursoragent@cursor.com> * fix: harden transaction support probe for FerretDB compatibility Commit the transaction before aborting in supportsTransactions probe, and wrap abortTransaction in try-catch to prevent crashes when abort is called after a successful commit (observed behavior on FerretDB). Co-authored-by: Cursor <cursoragent@cursor.com> * feat: add FerretDB compatibility test suite, retry utilities, and CI config Add comprehensive FerretDB integration test suite covering: - $pullAll scalar array operations - $pull with subdocument conditions - $lookup replacement (find + manual join) - $sample replacement (distinct + Fisher-Yates) - $bit and $bitsAllSet operations - Migration anti-join pattern - Multi-tenancy (useDb, scaling, write amplification) - Sharding proof-of-concept - Production operations (backup/restore, schema migration, deadlock retry) Add production retryWithBackoff utility for deadlock recovery during concurrent index creation on FerretDB/DocumentDB backends. Add UserController.spec.js tests for deleteUserController (runs in CI). Configure jest and eslint to isolate FerretDB tests from CI pipelines: - packages/data-schemas/jest.config.mjs: ignore misc/ directory - eslint.config.mjs: ignore packages/data-schemas/misc/ Include Docker Compose config for local FerretDB v2.7 + postgres-documentdb, dedicated jest/tsconfig for the test files, and multi-tenancy findings doc. Co-authored-by: Cursor <cursoragent@cursor.com> * style: brace formatting in aclEntry.ts modifyPermissionBits Co-authored-by: Cursor <cursoragent@cursor.com> * refactor: reorganize retry utilities and update imports - Moved retryWithBackoff utility to a new file `retry.ts` for better structure. - Updated imports in `orgOperations.ferretdb.spec.ts` to reflect the new location of retry utilities. - Removed old import statement for retryWithBackoff from index.ts to streamline exports. * test: add $pullAll coverage for ConversationTag and PermissionService Add integration tests for deleteConversationTag verifying $pullAll removes tags from conversations correctly, and for syncUserEntraGroupMemberships verifying $pullAll removes user from non-matching Entra groups while preserving local group membership. --------- Co-authored-by: Cursor <cursoragent@cursor.com>
256 lines
8.3 KiB
JavaScript
256 lines
8.3 KiB
JavaScript
const path = require('path');
|
|
const { logger } = require('@librechat/data-schemas');
|
|
const { ensureRequiredCollectionsExist } = require('@librechat/api');
|
|
const { AccessRoleIds, ResourceType, PrincipalType } = require('librechat-data-provider');
|
|
const { GLOBAL_PROJECT_NAME } = require('librechat-data-provider').Constants;
|
|
|
|
require('module-alias')({ base: path.resolve(__dirname, '..', 'api') });
|
|
const connect = require('./connect');
|
|
|
|
const { grantPermission } = require('~/server/services/PermissionService');
|
|
const { getProjectByName } = require('~/models/Project');
|
|
const { findRoleByIdentifier } = require('~/models');
|
|
const { Agent, AclEntry } = require('~/db/models');
|
|
|
|
async function migrateAgentPermissionsEnhanced({ dryRun = true, batchSize = 100 } = {}) {
|
|
await connect();
|
|
|
|
logger.info('Starting Enhanced Agent Permissions Migration', { dryRun, batchSize });
|
|
|
|
const mongoose = require('mongoose');
|
|
/** @type {import('mongoose').mongo.Db | undefined} */
|
|
const db = mongoose.connection.db;
|
|
if (db) {
|
|
await ensureRequiredCollectionsExist(db);
|
|
}
|
|
|
|
// Verify required roles exist
|
|
const ownerRole = await findRoleByIdentifier(AccessRoleIds.AGENT_OWNER);
|
|
const viewerRole = await findRoleByIdentifier(AccessRoleIds.AGENT_VIEWER);
|
|
const editorRole = await findRoleByIdentifier(AccessRoleIds.AGENT_EDITOR);
|
|
|
|
if (!ownerRole || !viewerRole || !editorRole) {
|
|
throw new Error('Required roles not found. Run role seeding first.');
|
|
}
|
|
|
|
// Get global project agent IDs (stores agent.id, not agent._id)
|
|
const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME, ['agentIds']);
|
|
const globalAgentIds = new Set(globalProject?.agentIds || []);
|
|
|
|
logger.info(`Found ${globalAgentIds.size} agents in global project`);
|
|
|
|
const migratedAgentIds = await AclEntry.distinct('resourceId', {
|
|
resourceType: ResourceType.AGENT,
|
|
principalType: PrincipalType.USER,
|
|
});
|
|
|
|
const agentsToMigrate = await Agent.find({
|
|
_id: { $nin: migratedAgentIds },
|
|
author: { $exists: true, $ne: null },
|
|
})
|
|
.select('_id id name author isCollaborative')
|
|
.lean();
|
|
|
|
const categories = {
|
|
globalEditAccess: [], // Global project + collaborative -> Public EDIT
|
|
globalViewAccess: [], // Global project + not collaborative -> Public VIEW
|
|
privateAgents: [], // Not in global project -> Private (owner only)
|
|
};
|
|
|
|
agentsToMigrate.forEach((agent) => {
|
|
const isGlobal = globalAgentIds.has(agent.id);
|
|
const isCollab = agent.isCollaborative;
|
|
|
|
if (isGlobal && isCollab) {
|
|
categories.globalEditAccess.push(agent);
|
|
} else if (isGlobal && !isCollab) {
|
|
categories.globalViewAccess.push(agent);
|
|
} else {
|
|
categories.privateAgents.push(agent);
|
|
|
|
// Log warning if private agent claims to be collaborative
|
|
if (isCollab) {
|
|
logger.warn(
|
|
`Agent "${agent.name}" (${agent.id}) has isCollaborative=true but is not in global project`,
|
|
);
|
|
}
|
|
}
|
|
});
|
|
|
|
logger.info(
|
|
'Agent categorization:\n' +
|
|
JSON.stringify(
|
|
{
|
|
globalEditAccess: categories.globalEditAccess.length,
|
|
globalViewAccess: categories.globalViewAccess.length,
|
|
privateAgents: categories.privateAgents.length,
|
|
total: agentsToMigrate.length,
|
|
},
|
|
null,
|
|
2,
|
|
),
|
|
);
|
|
|
|
if (dryRun) {
|
|
return {
|
|
migrated: 0,
|
|
errors: 0,
|
|
dryRun: true,
|
|
summary: {
|
|
globalEditAccess: categories.globalEditAccess.length,
|
|
globalViewAccess: categories.globalViewAccess.length,
|
|
privateAgents: categories.privateAgents.length,
|
|
total: agentsToMigrate.length,
|
|
},
|
|
details: {
|
|
globalEditAccess: categories.globalEditAccess.map((a) => ({
|
|
name: a.name,
|
|
id: a.id,
|
|
permissions: 'Owner + Public EDIT',
|
|
})),
|
|
globalViewAccess: categories.globalViewAccess.map((a) => ({
|
|
name: a.name,
|
|
id: a.id,
|
|
permissions: 'Owner + Public VIEW',
|
|
})),
|
|
privateAgents: categories.privateAgents.map((a) => ({
|
|
name: a.name,
|
|
id: a.id,
|
|
permissions: 'Owner only',
|
|
})),
|
|
},
|
|
};
|
|
}
|
|
|
|
const results = {
|
|
migrated: 0,
|
|
errors: 0,
|
|
publicViewGrants: 0,
|
|
publicEditGrants: 0,
|
|
ownerGrants: 0,
|
|
};
|
|
|
|
// Process in batches
|
|
for (let i = 0; i < agentsToMigrate.length; i += batchSize) {
|
|
const batch = agentsToMigrate.slice(i, i + batchSize);
|
|
|
|
logger.info(
|
|
`Processing batch ${Math.floor(i / batchSize) + 1}/${Math.ceil(agentsToMigrate.length / batchSize)}`,
|
|
);
|
|
|
|
for (const agent of batch) {
|
|
try {
|
|
const isGlobal = globalAgentIds.has(agent.id);
|
|
const isCollab = agent.isCollaborative;
|
|
|
|
// Always grant owner permission to author
|
|
await grantPermission({
|
|
principalType: PrincipalType.USER,
|
|
principalId: agent.author,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent._id,
|
|
accessRoleId: AccessRoleIds.AGENT_OWNER,
|
|
grantedBy: agent.author,
|
|
});
|
|
results.ownerGrants++;
|
|
|
|
// Determine public permissions for global project agents only
|
|
let publicRoleId = null;
|
|
let description = 'Private';
|
|
|
|
if (isGlobal) {
|
|
if (isCollab) {
|
|
// Global project + collaborative = Public EDIT access
|
|
publicRoleId = AccessRoleIds.AGENT_EDITOR;
|
|
description = 'Global Edit';
|
|
results.publicEditGrants++;
|
|
} else {
|
|
// Global project + not collaborative = Public VIEW access
|
|
publicRoleId = AccessRoleIds.AGENT_VIEWER;
|
|
description = 'Global View';
|
|
results.publicViewGrants++;
|
|
}
|
|
|
|
// Grant public permission
|
|
await grantPermission({
|
|
principalType: PrincipalType.PUBLIC,
|
|
principalId: null,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent._id,
|
|
accessRoleId: publicRoleId,
|
|
grantedBy: agent.author,
|
|
});
|
|
}
|
|
|
|
results.migrated++;
|
|
logger.debug(`Migrated agent "${agent.name}" [${description}]`, {
|
|
agentId: agent.id,
|
|
author: agent.author,
|
|
isGlobal,
|
|
isCollab,
|
|
publicRole: publicRoleId,
|
|
});
|
|
} catch (error) {
|
|
results.errors++;
|
|
logger.error(`Failed to migrate agent "${agent.name}"`, {
|
|
agentId: agent.id,
|
|
author: agent.author,
|
|
error: error.message,
|
|
});
|
|
}
|
|
}
|
|
|
|
// Brief pause between batches
|
|
await new Promise((resolve) => setTimeout(resolve, 100));
|
|
}
|
|
|
|
logger.info('Enhanced migration completed', results);
|
|
return results;
|
|
}
|
|
|
|
if (require.main === module) {
|
|
const dryRun = process.argv.includes('--dry-run');
|
|
const batchSize =
|
|
parseInt(process.argv.find((arg) => arg.startsWith('--batch-size='))?.split('=')[1]) || 100;
|
|
|
|
migrateAgentPermissionsEnhanced({ dryRun, batchSize })
|
|
.then((result) => {
|
|
if (dryRun) {
|
|
console.log('\n=== DRY RUN RESULTS ===');
|
|
console.log(`Total agents to migrate: ${result.summary.total}`);
|
|
console.log(`- Global Edit Access: ${result.summary.globalEditAccess} agents`);
|
|
console.log(`- Global View Access: ${result.summary.globalViewAccess} agents`);
|
|
console.log(`- Private Agents: ${result.summary.privateAgents} agents`);
|
|
|
|
if (result.details.globalEditAccess.length > 0) {
|
|
console.log('\nGlobal Edit Access agents:');
|
|
result.details.globalEditAccess.forEach((agent, i) => {
|
|
console.log(` ${i + 1}. "${agent.name}" (${agent.id})`);
|
|
});
|
|
}
|
|
|
|
if (result.details.globalViewAccess.length > 0) {
|
|
console.log('\nGlobal View Access agents:');
|
|
result.details.globalViewAccess.forEach((agent, i) => {
|
|
console.log(` ${i + 1}. "${agent.name}" (${agent.id})`);
|
|
});
|
|
}
|
|
|
|
if (result.details.privateAgents.length > 0) {
|
|
console.log('\nPrivate agents:');
|
|
result.details.privateAgents.forEach((agent, i) => {
|
|
console.log(` ${i + 1}. "${agent.name}" (${agent.id})`);
|
|
});
|
|
}
|
|
} else {
|
|
console.log('\nMigration Results:', JSON.stringify(result, null, 2));
|
|
}
|
|
process.exit(0);
|
|
})
|
|
.catch((error) => {
|
|
console.error('Enhanced migration failed:', error);
|
|
process.exit(1);
|
|
});
|
|
}
|
|
|
|
module.exports = { migrateAgentPermissionsEnhanced };
|