mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-10 08:13:46 +00:00
Closes the forensic gap Codex flagged (R2-6/R3-4): deleting a role removed its SystemGrants with no audit entries. `deleteGrantsForPrincipal` now returns the removed grants, and the role-deletion handler emits a `grant.removed` audit entry per removed grant (actor = caller, target = role, metadata.capability, request context), matching the explicit revoke endpoint. Fail-open — the role is already deleted, so a failed audit is logged, not propagated; sequential to keep the per-tenant hash chain ordered. Extracted `buildAuditContext` to admin/context.ts (shared by grants + roles). Tests: role-deletion emits one entry per grant / none when no grants; ds 110, api admin 202 green. |
||
|---|---|---|
| .. | ||
| controllers | ||
| middleware | ||
| routes | ||
| services | ||
| utils | ||
| cleanup.js | ||
| experimental.js | ||
| index.js | ||
| index.metrics.spec.js | ||
| index.spec.js | ||
| socialLogins.js | ||
| socialLogins.spec.js | ||
| telemetry.js | ||
| telemetry.spec.js | ||