LibreChat/api/server/services
Danny Avila 7b7fa496aa
Some checks are pending
Docker Dev Branch Images Build / build (Dockerfile, lc-dev, node) (push) Waiting to run
Docker Dev Branch Images Build / build (Dockerfile.multi, lc-dev-api, api-build) (push) Waiting to run
GitNexus Index / index (push) Waiting to run
GitNexus Index / post-index (push) Blocked by required conditions
🗃️ perf: Cache Group Memberships for ACL Principal Resolution (#14075)
* 🗃️ perf: Cache Group Memberships for ACL Principal Resolution

Continues #14069: caches resolved group-membership ids per member key in a
new USER_PRINCIPALS namespace so repeated permission checks skip the group
query, with exact invalidation on every membership mutation, same-process
build dedup, and optional Redis cross-container build locks.

Co-authored-by: Peter Rothlaender <peter.rothlaender@ginkgo.com>
Co-authored-by: Joachim Keltsch <joachim.keltsch@daimlertruck.com>

* 🧵 fix: Defer Transactional Invalidation and Gate No-Op Bulk Clears

Codex round-2 findings on the principals cache: membership writes inside a
transaction now defer cache invalidation until the session ends so concurrent
readers cannot re-cache pre-commit state with no later correction, and
bulkUpdateGroups skips invalidation entirely when MongoDB reports no modified
or upserted documents. userGroup.spec.ts now runs on a single-node replica set
so the deferral is covered by a real transaction.

* 🌐 fix: Evict Cross-Process Stale Rewrites and Scope Entra Sync to Tenant

Codex round-3 findings: a delayed second invalidation pass (lock wait plus a
short grace) now evicts membership entries that a build in another container
re-cached after the first delete, and syncUserEntraGroupMemberships establishes
the user's tenant ALS context when the OAuth callback runs it pre-middleware,
so tenant-scoped principal keys are invalidated (and sync queries and created
groups are scoped) exactly like authenticated reads. Deferred transactional
invalidations snapshot the caller's ALS so they keep tenant scoping.

---------

Co-authored-by: Peter Rothlaender <peter.rothlaender@ginkgo.com>
Co-authored-by: Joachim Keltsch <joachim.keltsch@daimlertruck.com>
2026-07-05 08:40:14 -04:00
..
__tests__ 🛂 fix: Re-Check execute_code Authorization on Event-Driven Tool Loads (#13912) 2026-06-23 08:30:39 -04:00
Agents 📇 feat: Agent Contact Visibility with Owner Fallback (#13663) 2026-06-25 15:58:15 -04:00
Artifacts 🪡 fix: Artifact Edit Saves (#13358) 2026-05-27 22:03:42 -07:00
Config 📨 feat: Custom Headers on Built-in Provider Endpoints (#13742) 2026-06-14 17:02:04 -04:00
Endpoints 🧠 feat: Add Memory as an Agent Capability with Inline Tools and Ephemeral Badge (#13869) 2026-06-24 17:14:13 -04:00
Files fix: bound peak memory of concurrent base64 attachment encoding (#14023) 2026-07-01 08:22:16 -04:00
Runs 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
Skills 🧬 feat: Add GitHub Skill Sync (#13293) 2026-06-10 21:05:54 -04:00
start 🧬 chore: Align LibreChat With Agents LangChain Upgrade (#12922) 2026-05-03 12:46:01 -04:00
Threads 🪪 fix: Scope Message Conversation Access (#13183) 2026-05-18 17:34:30 -04:00
Tools 🗄️ fix: Gate Request-Scoped MCP Servers Out of Persistent Tool Cache (#13672) 2026-06-13 11:26:49 -04:00
ActionService.js fix: Extend and Decouple MCP OAuth Flow Timeouts (#13622) 2026-06-09 17:50:02 -04:00
ActionService.spec.js ⚗️ feat: Agent Context Compaction/Summarization (#12287) 2026-03-21 14:28:56 -04:00
AssistantService.js 🪦 refactor: Remove Legacy Code (#10533) 2025-12-11 16:36:12 -05:00
AuthService.js 🛂 fix: Normalize Verification Flow Error Responses (#13558) 2026-06-06 15:08:43 -04:00
AuthService.spec.js 🛂 fix: Normalize Verification Flow Error Responses (#13558) 2026-06-06 15:08:43 -04:00
cleanup.js 📦 refactor: Consolidate DB models, encapsulating Mongoose usage in data-schemas (#11830) 2026-03-21 14:28:53 -04:00
createRunBody.js
GraphApiService.js 🪪 feat: Optimized Entra ID Group Sync with Auto-Creation (#12606) 2026-04-13 08:50:52 -04:00
GraphApiService.spec.js 🧵 refactor: Migrate Endpoint Initialization to TypeScript (#10794) 2025-12-11 16:37:16 -05:00
GraphTokenService.js 🔒 feat: Add On-Behalf-Of (OBO) token exchange support for MCP Servers (#13429) 2026-06-01 22:36:18 -04:00
initializeMCPs.js 🔐 fix: Honor Admin-Panel MCP Allowlist Overrides Without Restart (#13814) 2026-06-17 20:14:53 -04:00
initializeMCPs.spec.js 🔐 fix: Honor Admin-Panel MCP Allowlist Overrides Without Restart (#13814) 2026-06-17 20:14:53 -04:00
initializeOAuthReconnectManager.js 💫 feat: MCP OAuth Auto-Reconnect (#9646) 2025-09-17 16:49:36 -04:00
MCP.js 🚐 fix: Reuse Request-Scoped MCP Connections per Run (#13673) 2026-06-11 01:17:14 -04:00
MCP.spec.js 🤫 refactor: Silent MCP OAuth Refresh on Mid-Session 401 (#13369) 2026-06-10 13:12:42 -04:00
MCPRequestContext.js 🪢 fix: Tie MCP Cleanup To Resumable Runs (#13769) 2026-06-15 15:26:03 -04:00
OboPolicyService.js 🔒 feat: Add On-Behalf-Of (OBO) token exchange support for MCP Servers (#13429) 2026-06-01 22:36:18 -04:00
OboTokenService.js 🔒 feat: Add On-Behalf-Of (OBO) token exchange support for MCP Servers (#13429) 2026-06-01 22:36:18 -04:00
OboTokenService.spec.js 🔒 feat: Add On-Behalf-Of (OBO) token exchange support for MCP Servers (#13429) 2026-06-01 22:36:18 -04:00
PermissionService.js 🗃️ perf: Cache Group Memberships for ACL Principal Resolution (#14075) 2026-07-05 08:40:14 -04:00
PermissionService.spec.js 🗃️ perf: Cache Group Memberships for ACL Principal Resolution (#14075) 2026-07-05 08:40:14 -04:00
PluginService.js 🔌 feat: MCP Reinitialization and OAuth in UI (#8598) 2025-07-22 22:52:45 -04:00
systemGrant.spec.js 📜 feat: Implement System Grants for Capability-Based Authorization (#11896) 2026-03-21 14:28:54 -04:00
ToolService.js 🧠 feat: Add Memory as an Agent Capability with Inline Tools and Ephemeral Badge (#13869) 2026-06-24 17:14:13 -04:00
twoFactorService.js 🔑 fix: Require OTP Verification for 2FA Re-Enrollment and Backup Code Regeneration (#12223) 2026-03-14 01:51:31 -04:00