fix: address code review findings from PR #12451

- Restore typed `AnyBulkWriteOperation<AclEntry>[]` on bulkWriteAclEntries,
  cast to untyped only at the tenantSafeBulkWrite call site (Finding 1)
- Type `findUser` model accessor consistently with `findUsers` (Finding 2)
- Replace numbered Record casts with `.not.toHaveProperty()` in
  role.methods.spec for SHARED_GLOBAL assertions (Finding 6)
- Use per-test ObjectIds instead of shared testUserId in openid.spec (Finding 4)
- Replace inline `import()` type annotations with top-level SessionData
  import in sessionCache spec (Finding 5)
- Add `packages/client/node_modules` to typecheck CI cache paths (Finding 7)
- Remove extraneous blank line in user.ts searchUsers (Finding 8)

Author: danny-avila

.github/workflows/backend-review.yml

@@ -118,6 +118,7 @@ jobs:
             node_modules
             api/node_modules
             packages/api/node_modules
+            packages/client/node_modules
             packages/data-provider/node_modules
             packages/data-schemas/node_modules
           key: node-modules-backend-${{ runner.os }}-20.19-${{ hashFiles('package-lock.json') }}

packages/api/src/auth/openid.spec.ts

@@ -4,7 +4,9 @@ import { logger } from '@librechat/data-schemas';
 import type { IUser, UserMethods } from '@librechat/data-schemas';
 import { findOpenIDUser } from './openid';
 
-const testUserId = new Types.ObjectId();
+function newId() {
+  return new Types.ObjectId();
+}
 
 jest.mock('@librechat/data-schemas', () => ({
   ...jest.requireActual('@librechat/data-schemas'),
@@ -27,7 +29,7 @@ describe('findOpenIDUser', () => {
   describe('Primary condition searches', () => {
     it('should find user by openidId', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'openid',
         openidId: 'openid_123',
         email: 'user@example.com',
@@ -54,7 +56,7 @@ describe('findOpenIDUser', () => {
 
     it('should find user by idOnTheSource', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'openid',
         idOnTheSource: 'source_123',
         email: 'user@example.com',
@@ -81,7 +83,7 @@ describe('findOpenIDUser', () => {
 
     it('should find user by both openidId and idOnTheSource', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'openid',
         openidId: 'openid_123',
         idOnTheSource: 'source_123',
@@ -112,7 +114,7 @@ describe('findOpenIDUser', () => {
   describe('Email-based searches', () => {
     it('should find user by email when primary conditions fail and openidId matches', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'openid',
         openidId: 'openid_123',
         email: 'user@example.com',
@@ -180,7 +182,7 @@ describe('findOpenIDUser', () => {
   describe('Provider conflict handling', () => {
     it('should return error when user has different provider', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'google',
         email: 'user@example.com',
         username: 'testuser',
@@ -205,7 +207,7 @@ describe('findOpenIDUser', () => {
 
     it('should reject email fallback when existing openidId does not match token sub', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'openid',
         openidId: 'openid_456',
         email: 'user@example.com',
@@ -229,7 +231,7 @@ describe('findOpenIDUser', () => {
 
     it('should allow email fallback when existing openidId matches token sub', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'openid',
         openidId: 'openid_123',
         email: 'user@example.com',
@@ -255,7 +257,7 @@ describe('findOpenIDUser', () => {
   describe('User migration scenarios', () => {
     it('should prepare user for migration when email exists without openidId', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         email: 'user@example.com',
         username: 'testuser',
         // No provider and no openidId - needs migration
@@ -284,7 +286,7 @@ describe('findOpenIDUser', () => {
 
     it('should reject when user already has a different openidId', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'openid',
         openidId: 'existing_openid',
         email: 'user@example.com',
@@ -308,7 +310,7 @@ describe('findOpenIDUser', () => {
 
     it('should reject when user has no provider but a different openidId', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         openidId: 'existing_openid',
         email: 'user@example.com',
         username: 'testuser',
@@ -415,7 +417,7 @@ describe('findOpenIDUser', () => {
 
     it('should pass email to findUser for case-insensitive lookup (findUser handles normalization)', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'openid',
         openidId: 'openid_123',
         email: 'user@example.com',
@@ -451,7 +453,7 @@ describe('findOpenIDUser', () => {
 
     it('should reject email fallback when openidId is empty and user has a stored openidId', async () => {
       const mockUser: IUser = {
-        _id: testUserId,
+        _id: newId(),
         provider: 'openid',
         openidId: 'existing-real-id',
         email: 'user@example.com',

packages/api/src/cache/__tests__/cacheFactory/sessionCache.cache_integration.spec.ts

@@ -1,4 +1,4 @@
-import type { MemoryStore } from 'express-session';
+import type { MemoryStore, SessionData } from 'express-session';
 import type { RedisStore as ConnectRedis } from 'connect-redis';
 
 interface TestSessionData {
@@ -20,13 +20,7 @@ describe('sessionCache', () => {
   const asyncStore = (store: CacheSessionStore) => ({
     set: (id: string, data: TestSessionData) =>
       new Promise<void>((resolve) =>
-        store.set(
-          id,
-          data as Partial<
-            import('express-session').SessionData
-          > as import('express-session').SessionData,
-          () => resolve(),
-        ),
+        store.set(id, data as Partial<SessionData> as SessionData, () => resolve()),
       ),
     get: (id: string) =>
       new Promise<TestSessionData | null | undefined>((resolve) =>
@@ -35,13 +29,7 @@ describe('sessionCache', () => {
     destroy: (id: string) => new Promise<void>((resolve) => store.destroy(id, () => resolve())),
     touch: (id: string, data: TestSessionData) =>
       new Promise<void>((resolve) =>
-        store.touch(
-          id,
-          data as Partial<
-            import('express-session').SessionData
-          > as import('express-session').SessionData,
-          () => resolve(),
-        ),
+        store.touch(id, data as Partial<SessionData> as SessionData, () => resolve()),
       ),
   });
 

packages/api/src/utils/sanitizeTitle.spec.ts

@@ -1,4 +1,4 @@
-/* ES2024 String.prototype.isWellFormed — not in this TS lib version */
+/* String.prototype.isWellFormed — ES2024 API, available in Node 20+ but not in TS 5.3 lib */
 declare global {
   interface String {
     isWellFormed(): boolean;

packages/data-schemas/src/methods/aclEntry.ts

@@ -7,7 +7,7 @@ import type {
   DeleteResult,
   Model,
 } from 'mongoose';
-import type { IAclEntry } from '~/types';
+import type { AclEntry, IAclEntry } from '~/types';
 import { tenantSafeBulkWrite } from '~/utils/tenantBulkWrite';
 
 export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
@@ -375,11 +375,11 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
    * @param options - Optional query options (e.g., { session })
    */
   async function bulkWriteAclEntries(
-    ops: AnyBulkWriteOperation[],
+    ops: AnyBulkWriteOperation<AclEntry>[],
     options?: { session?: ClientSession },
   ) {
     const AclEntry = mongoose.models.AclEntry as Model<IAclEntry>;
-    return tenantSafeBulkWrite(AclEntry, ops, options || {});
+    return tenantSafeBulkWrite(AclEntry, ops as AnyBulkWriteOperation[], options || {});
   }
 
   /**

packages/data-schemas/src/methods/role.methods.spec.ts

@@ -289,16 +289,8 @@ describe('updateAccessPermissions', () => {
     // SHARED_GLOBAL=false → SHARE=false (inherited)
     expect(updatedRole.permissions[PermissionTypes.AGENTS]!.SHARE).toBe(false);
     // SHARED_GLOBAL cleaned up
-    const promptsPerms = updatedRole.permissions[PermissionTypes.PROMPTS] as Record<
-      string,
-      boolean | undefined
-    >;
-    const agentsPerms = updatedRole.permissions[PermissionTypes.AGENTS] as Record<
-      string,
-      boolean | undefined
-    >;
-    expect(promptsPerms.SHARED_GLOBAL).toBeUndefined();
-    expect(agentsPerms.SHARED_GLOBAL).toBeUndefined();
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]).not.toHaveProperty('SHARED_GLOBAL');
+    expect(updatedRole.permissions[PermissionTypes.AGENTS]).not.toHaveProperty('SHARED_GLOBAL');
   });
 
   it('should respect explicit SHARE in update payload and not override it with SHARED_GLOBAL', async () => {
@@ -318,11 +310,7 @@ describe('updateAccessPermissions', () => {
     const updatedRole = await getRoleByName(SystemRoles.USER);
 
     expect(updatedRole.permissions[PermissionTypes.PROMPTS]!.SHARE).toBe(false);
-    const promptsPerms2 = updatedRole.permissions[PermissionTypes.PROMPTS] as Record<
-      string,
-      boolean | undefined
-    >;
-    expect(promptsPerms2.SHARED_GLOBAL).toBeUndefined();
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]).not.toHaveProperty('SHARED_GLOBAL');
   });
 
   it('should migrate SHARED_GLOBAL to SHARE even when the permType is not in the update payload', async () => {
@@ -350,11 +338,7 @@ describe('updateAccessPermissions', () => {
     // SHARE should have been inherited from SHARED_GLOBAL, not silently dropped
     expect(updatedRole.permissions[PermissionTypes.PROMPTS]!.SHARE).toBe(true);
     // SHARED_GLOBAL should be removed
-    const promptsPerms3 = updatedRole.permissions[PermissionTypes.PROMPTS] as Record<
-      string,
-      boolean | undefined
-    >;
-    expect(promptsPerms3.SHARED_GLOBAL).toBeUndefined();
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]).not.toHaveProperty('SHARED_GLOBAL');
     // Original USE should be untouched
     expect(updatedRole.permissions[PermissionTypes.PROMPTS]!.USE).toBe(true);
     // The actual update should have applied
@@ -382,11 +366,7 @@ describe('updateAccessPermissions', () => {
 
     const updatedRole = await getRoleByName(SystemRoles.USER);
 
-    const promptsPerms4 = updatedRole.permissions[PermissionTypes.PROMPTS] as Record<
-      string,
-      boolean | undefined
-    >;
-    expect(promptsPerms4.SHARED_GLOBAL).toBeUndefined();
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS]).not.toHaveProperty('SHARED_GLOBAL');
     expect(updatedRole.permissions[PermissionTypes.PROMPTS]!.SHARE).toBe(true);
     expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO]!.USE).toBe(true);
   });

packages/data-schemas/src/methods/user.ts

@@ -35,13 +35,13 @@ export function createUserMethods(mongoose: typeof import('mongoose')) {
     searchCriteria: FilterQuery<IUser>,
     fieldsToSelect?: string | string[] | null,
   ): Promise<IUser | null> {
-    const User = mongoose.models.User;
+    const User = mongoose.models.User as mongoose.Model<IUser>;
     const normalizedCriteria = normalizeEmailInCriteria(searchCriteria);
     const query = User.findOne(normalizedCriteria);
     if (fieldsToSelect) {
       query.select(fieldsToSelect);
     }
-    return (await query.lean()) as IUser | null;
+    return await query.lean();
   }
 
   async function findUsers(
@@ -301,8 +301,6 @@ export function createUserMethods(mongoose: typeof import('mongoose')) {
       .sort((a, b) => b._searchScore - a._searchScore)
       .slice(0, limit)
       .map((user) => {
-        // Remove the search score from final results
-
         const { _searchScore, ...userWithoutScore } = user;
         return userWithoutScore;
       });