📦 chore: Bump librechat-data-provider and @librechat/data-schemas#77

Merged
danny-avila merged 9 commits into main from chore/bump-librechat-data-provider-and-data-schemas on Jun 17, 2026

dustinhealy (Contributor) commented Jun 16, 2026

Summary

Bumps librechat-data-provider 0.8.502 → 0.8.505 and @librechat/data-schemas 0.0.51 → 0.0.53.

What this brings in

  • modelSpecs.list[].conversation_starters — string array of starter prompts shown while a spec is active (upstream #13710)
  • New messageFilter top-level config block with pii.{starterPatterns, customPatterns} for blocking patterns in user messages before they reach models
  • New skillSync top-level config block — scheduled GitHub-based pull of skill definitions (github.{enabled, intervalMinutes, runOnStartup, sources[]})
  • New interface toggles: contextUsage, contextCost, currency (code + rate), retainAgentFiles, retentionMode, sharedLinks, buildInfo
  • New modelSpecs.preset flags: softDefault, showOnLanding, hideBadgeRow
  • New agents.skills.maxCatalogSkills cap, new agents.subagents.{allowSelf, agent_ids} block
  • New bedrock.guardrailConfig.{guardrailIdentifier, guardrailVersion, trace, streamProcessingMode} for AWS Bedrock guardrail integration
  • New titleTiming ("immediate" / "final") on endpoint shared settings, plus reasoningFormat / reasoningKey for endpoint params
  • New forward_audience_on_refresh on OAuth OIDC config
  • New proxy and obo fields on MCP HTTP/SSE server transports
  • New SHARED_LINKS value in PermissionTypes (upstream #13051)
  • Tighter BaseSystemCapability literal union that no longer accepts plain string
  • tokenConfig per-model pricing entries (prompt, completion, context, cacheRead, cacheWrite)
  • data-schemas tsdown migration (upstream #13578) shipping dual .d.cts / .d.mts declaration bundles

Admin-panel changes required by the bump

  • src/constants/role.ts — added [PermissionTypes.SHARED_LINKS] entry to PERMISSION_TYPE_SCHEMA since Record<PermissionTypes, Permissions[]> is exhaustive over the enum
  • src/components/grants/CapabilityPanel.tsx — cast cap as BaseSystemCapability inside .includes(...); the tightened literal union no longer accepts plain string
  • src/server/config.ts — dropped the AppService(...) call in parseImportedYaml and widened the success return to Record<string, ConfigValue>. The AppService branch was returning an AppConfig wrapper, not the flat config the ImportYamlDialog consumer treats as Record<string, ConfigValue>. Removing it also sidesteps a type-identity collision introduced by the tsdown migration (#13578), which ships dual .d.cts / .d.mts declaration bundles that resolve to nominally distinct types under moduleResolution: bundler.
  • 50 new com_config_field_* keys (including 4 _item array-row entries) covering every field flagged by the localization-coverage test so it passes again
  • 2 new com_config_section_* title + description pairs (messageFilter, skillSync)
  • New messageFilterFeatures tab and skillSyncSystem tab entries in SECTION_META, otherwise both fall into the catch-all "Other" tab
  • com_config_field_pii relabeled from "PII" to "Personally Identifiable Information" since the parent "Message filter" section already provides the filter context
  • Added com_endpoint_prompt_cache (label) and com_endpoint_anthropic_prompt_cache (description). Both label keys were already referenced by librechat-data-provider's Anthropic / Bedrock parameter settings since at least 0.8.502 but the admin-panel locale was missing them, so the promptCache boolean rendered with raw i18n keys.
  • src/server/config.test.ts gained two new SAMPLE_OVERRIDES entries (skillSync.github.intervalMinutes ≥ 5; skillSync.github.sources as a fully-formed GitHub source entry with credentialKey) so the control → value → safeParse round-trip stays green for the new schema additions

Schema-driven form renderer fix

The new bump surfaced an existing rendering bug. FieldRenderer was passing isSoleField={true} whenever a rendered level had exactly one field and one group, which suppressed the inner field's ConfigRow label and left the parent NestedGroup label as the only label visible. For wrappers like agents.skills = { maxCatalogSkills } and fileConfig.skills = { fileSizeLimit }, that surfaced a bare number input under a generic "Skills" header with no indication of which limit it was.

Dropped the flattening so single-child object wrappers now render as Skills > Max catalog skills: [input] with both labels visible. The alwaysShowLabels opt-out prop (only used by EndpointsRenderer to defeat this same flattening for priority fields) becomes redundant and was removed from FieldRendererProps.

Test plan

  • npx tsc --noEmit clean
  • bun run lint clean
  • bun run test: 710/710 passing
  • Manual smoke against local LibreChat 0.8.505 in bun run dev:
    • Configuration → Features → Message filter renders with proper labels; Personally Identifiable Information sub-section + starter patterns + custom patterns all editable
    • Configuration → System → Skill sync renders with proper labels; GitHub interval / runOnStartup / sources editable
    • Configuration → Model Specs → list[] shows conversation_starters as editable string array
    • Configuration → Agents → Skills shows "Max catalog skills" (not a bare number)
    • Configuration → Files → Skills shows "File size limit" (not a bare number)
    • Configuration → Anthropic / Bedrock parameter editors: "Prompt cache" toggle renders with description
    • Import YAML dialog still validates and routes to the scope picker
    • Grants page → implied-capability badges still resolve labels
    • System → Roles → SHARED_LINKS permission row editable alongside existing types

Note

Medium Risk
Touches YAML import behavior (no AppService merge), permission defaults for a new type, and broad config UI/i18n for new schema blocks; dependency bumps may carry upstream behavioral changes beyond what this repo wires up.

Overview
Upgrades librechat-data-provider (0.8.502 → 0.8.505) and @librechat/data-schemas (0.0.51 → 0.0.53), pulling in new config surface (e.g. message filter, skill sync, shared links permissions, and related schema fields) that the admin UI must expose.

Configuration UI: Adds Features entries for messageFilter and System for skillSync in section metadata, plus many new com_config_field_* / section i18n strings (including prompt-cache labels and a clearer PII label). YAML import no longer runs AppService after validation—it returns the parsed config as Record<string, ConfigValue> to match ImportYamlDialog and avoid tsdown dual-declaration type clashes. Roles gain a SHARED_LINKS permission block; Grants casts capabilities when resolving implied-capability badges after the tighter BaseSystemCapability union.

Form renderer: Stops treating single-field/single-group blocks as “sole field” (and removes alwaysShowLabels), so nested settings like agents/files Skills show both group and field labels instead of a bare input under a generic header. Config tests add skillSync sample overrides for round-trip validation.

Reviewed by Cursor Bugbot for commit 86e411c.

…0.0.53

Bumps the data-provider and data-schemas patch versions to pick up
the upstream changes merged since 0.8.503 / 0.0.52. Notable user-visible
additions surfaced automatically by the schema-driven UI: modelSpecs
conversation_starters (upstream #13710), interface.retainAgentFiles,
interface.sharedLinks, interface.mcpServers.configureObo, baseEndpoint
titleTiming, agentsEndpoint skills.maxCatalogSkills, custom endpoint
reasoningFormat/reasoningKey.

Three follow-on type fixes were needed to consume the new versions:

role.ts adds a PERMISSION_TYPE_SCHEMA entry for the new
PermissionTypes.SHARED_LINKS enum value (upstream #13051).

CapabilityPanel.tsx casts cap to BaseSystemCapability in the
implication lookup since the union tightened past plain string.

server/config.ts drops the AppService call in parseImportedYaml
(it was returning an AppConfig wrapper while the consumer
ImportYamlDialog expects the flat config) and widens the appConfig
return to Record<string, ConfigValue>. The widening also sidesteps
a type-identity collision introduced by the data-schemas tsdown
migration (upstream #13578), which ships dual .d.cts/.d.mts
declaration bundles that get nominally distinct under
moduleResolution: bundler.
…3 bump

The librechat-data-provider 0.8.505 and @librechat/data-schemas 0.0.53 bump in 09f214e surfaced new schema fields that rendered as raw com_config_field_* keys in the admin panel UI.

Added English labels for every new field flagged by the localization-coverage test, plus singular array-item labels where needed. Labels follow the existing terse sentence-case style (e.g. softDefault becomes "Soft default", titleTiming becomes "Title timing").

Routed the two new top-level sections to tabs in SECTION_META so they no longer fall through to the catch-all "Other" tab: messageFilter to Features (alongside webSearch, summarization, memory) since it is a runtime user-message filtering feature, and skillSync to System (alongside rateLimits, balance, transactions) since it is a scheduled background sync.

Relabel com_config_field_pii from "PII" to "Personally Identifiable Information" since the parent section "Message filter" already provides the filter context.

Add com_endpoint_prompt_cache (label) and com_endpoint_anthropic_prompt_cache (description) so the promptCache boolean parameter renders with a real title and explanation instead of raw i18n keys. These label keys are referenced by librechat-data-provider's Anthropic and Bedrock parameter settings (present in the package since at least 0.8.502); the admin panel locale was just missing the entries.

FieldRenderer was passing isSoleField=true whenever the current level had exactly one field and one group, which suppressed the inner field's ConfigRow label and left the parent NestedGroup label as the only label visible. For wrappers like agents.skills = { maxCatalogSkills } and fileConfig.skills = { fileSizeLimit }, that surfaced a bare number input under a generic "Skills" header, with no way to tell which limit it was.

Drop the isSoleField flattening at this site so single-child object wrappers render the inner field's label inside the parent group ("Skills > Max catalog skills: [input]"). The alwaysShowLabels prop that EndpointsRenderer used to opt out of the flattening becomes redundant, so remove it from the FieldRendererProps interface, the FieldRenderer signature, and the EndpointsRenderer call site.

The 0.8.505 schema additions surfaced two fields whose generic control-derived sample values fail the real configSchema safeParse:

skillSync.github.intervalMinutes (number) has a min-5 constraint (SKILL_SYNC_MIN_INTERVAL_MINUTES); the default sample value of 1 was rejected.

skillSync.github.sources (array of objects) needs a fully-formed source entry that satisfies the GitHub source schema's id/owner/repo/paths required fields plus either credentialKey or token, since the .refine() check on the source object rejects bare strings or partial objects.

Add both as path-specific overrides in SAMPLE_OVERRIDES so the config.test.ts control->value->safeParse round-trip stays green.

dustinhealy marked this pull request as ready for review June 16, 2026 23:30

cursor (bot) left a comment

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Comment thread src/constants/role.ts Outdated
dustinhealy (Contributor, Author) commented

@codex review

dustinhealy marked this pull request as draft June 16, 2026 23:34

chatgpt-codex-connector (bot) left a comment

💡 Codex Review

    [PermissionTypes.MCP_SERVERS]: [
      Permissions.USE,
      Permissions.CREATE,
      Permissions.SHARE,
      Permissions.SHARE_PUBLIC,
    ],

P2: Include CONFIGURE_OBO in MCP permissions

With this dependency bump, MCP server permissions include CONFIGURE_OBO for configuring On-Behalf-Of token exchange, but this schema still exposes only use/create/share/public for MCP_SERVERS. In environments using OBO-capable MCP servers, the role editor cannot grant the required action from the admin panel, so users remain unable to configure mcpServers.<server>.obo even though the new config field is present.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/constants/role.ts Outdated
Comment thread src/locales/en/translation.json
Comment thread src/components/configuration/configMeta.ts
Comment thread src/locales/en/translation.json
Comment thread src/locales/en/translation.json
The 0.8.505 bump added PermissionTypes.SHARED_LINKS to PERMISSION_TYPE_SCHEMA so defaultPermissions() now seeds role payloads with a sharedLinks section, but RolePermissionsPanel only renders types listed in its local PERMISSION_TYPE_ORDER and SHARED_LINKS was absent there. The result was an editable bit baked into the role payload with no UI surface to toggle it.

Add PermissionTypes.SHARED_LINKS after SKILLS in PERMISSION_TYPE_ORDER so the panel renders the new multi-permission card (CREATE / SHARE / SHARE_PUBLIC). Add com_perm_type_SHARED_LINKS and com_perm_desc_SHARED_LINKS locale entries to label the card; the description stops short of "use" since the upstream sharedLinksPermissionsSchema has no USE bit.

dustinhealy (Contributor, Author) commented

@codex review

…ilities

The 0.0.53 bump added READ_SHARED_LINKS and MANAGE_SHARED_LINKS to SystemCapabilities and bucketed both under the content category in CAPABILITY_CATEGORIES. The admin panel's Grants page renders capability labels via com_cap_<verb>_<value-after-colon>, so the new capabilities surfaced as raw com_cap_read_sharedlinks and com_cap_manage_sharedlinks strings on the grants page.

Add the four matching locale entries (read and manage labels plus their _desc variants) so the new capabilities render with proper names. Wording mirrors the existing skills entries since both sit in the same content category.

dustinhealy (Contributor, Author) commented

@codex review

The 0.8.505 bump added obo and proxy to the MCP server schema, but only for sse and streamable-http transports. The websocket and stdio variants type obo as ZodOptional<ZodUndefined> (i.e. must stay unset) and omit proxy entirely. McpServersRenderer's visibility filter had no HTTP-only bucket; both fields fell through to the unconditional else branch and rendered in the Advanced section for every transport. An admin filling either out on stdio or websocket then hit a confusing leaf-level safeParse rejection without a transport-aware explanation.

Introduce HTTP_ONLY_FIELDS and HTTP_TRANSPORTS sets that mirror REMOTE_ONLY_FIELDS / REMOTE_TRANSPORTS but exclude websocket, and gate the new obo and proxy keys through them. websocket and stdio now only see the fields their transport variant actually accepts.

dustinhealy (Contributor, Author) commented

@codex review

chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bb2755c244

Comment thread package.json
The 0.8.505 bump added Permissions.CONFIGURE_OBO to mcpServersPermissionsSchema upstream, but PERMISSION_TYPE_SCHEMA[MCP_SERVERS] still only exposed USE/CREATE/SHARE/SHARE_PUBLIC. RolePermissionsPanel iterates PERMISSION_TYPE_SCHEMA exclusively, so the new CONFIGURE_OBO toggle never rendered, was never set, and was never sent in the role-save payload. The LibreChat API enforces this capability on MCP create/update routes, so admins effectively could not grant it to any role.

Append Permissions.CONFIGURE_OBO to the MCP_SERVERS entry and add com_perm_CONFIGURE_OBO using the existing sentence-case-after-first style ("Configure on-behalf-of"). Also realign the com_config_field_configureObo config-field label from "Configure On-Behalf-Of" to "Configure on-behalf-of" for cross-UI consistency.
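
An added example, not part of this pull request or the LibreChat code base: a drift check that would have flagged both gaps described in the commit messages above (SHARED_LINKS missing from PERMISSION_TYPE_ORDER, and CONFIGURE_OBO missing from the MCP_SERVERS entry). The function name findPermissionDrift and the literal maps are constructed stand-ins; the real enums and schemas are not imported.

```typescript
// Constructed stand-ins using names from this thread; the real enums and
// schemas live in librechat-data-provider and are not imported here.
type PermissionMap = { [permissionType: string]: string[] };

// Assumption: what upstream accepts per permission type after the bump.
const UPSTREAM_PERMISSIONS: PermissionMap = {
  MCP_SERVERS: ['USE', 'CREATE', 'SHARE', 'SHARE_PUBLIC', 'CONFIGURE_OBO'],
  SHARED_LINKS: ['CREATE', 'SHARE', 'SHARE_PUBLIC'],
};

// Panel state before the two fixes (render order reduced to one entry here).
const PANEL_SCHEMA_BEFORE: PermissionMap = {
  MCP_SERVERS: ['USE', 'CREATE', 'SHARE', 'SHARE_PUBLIC'],
  SHARED_LINKS: ['CREATE', 'SHARE', 'SHARE_PUBLIC'],
};
const PANEL_ORDER_BEFORE: string[] = ['MCP_SERVERS'];

// Panel state after both fixes.
const PANEL_SCHEMA_AFTER: PermissionMap = {
  MCP_SERVERS: ['USE', 'CREATE', 'SHARE', 'SHARE_PUBLIC', 'CONFIGURE_OBO'],
  SHARED_LINKS: ['CREATE', 'SHARE', 'SHARE_PUBLIC'],
};
const PANEL_ORDER_AFTER: string[] = ['MCP_SERVERS', 'SHARED_LINKS'];

function missingFrom(wanted: string[], have: string[]): string[] {
  return wanted.filter((item) => have.indexOf(item) === -1);
}

// Hypothetical drift check: each finding is a permission bit the API knows
// about that an admin cannot see or toggle, or a toggle upstream rejects.
function findPermissionDrift(
  upstream: PermissionMap, panelSchema: PermissionMap, panelOrder: string[],
): string[] {
  const findings: string[] = [];
  for (const type of Object.keys(upstream)) {
    const expected = upstream[type] || [];
    const local = panelSchema[type];
    if (local === undefined) {
      findings.push(type + ': type missing from panel schema');
      continue;
    }
    for (const perm of missingFrom(expected, local)) {
      findings.push(type + '.' + perm + ': enforced upstream, no toggle in panel');
    }
    for (const perm of missingFrom(local, expected)) {
      findings.push(type + '.' + perm + ': panel toggle not accepted upstream');
    }
    if (panelOrder.indexOf(type) === -1) {
      findings.push(type + ': seeded in role payload but never rendered');
    }
  }
  return findings.sort();
}
```

Run as a unit test against the real upstream schema, a check of this shape turns a silently ungrantable permission into a failing build.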
dustinhealy (Contributor, Author) commented

@codex review

chatgpt-codex-connector (bot) commented

Codex Review: Didn't find any major issues. Already looking forward to the next diff.

Reviewed commit: 4cb8db1270

dustinhealy marked this pull request as ready for review June 17, 2026 00:21
dustinhealy marked this pull request as draft June 17, 2026 00:58
dustinhealy marked this pull request as ready for review June 17, 2026 13:16
danny-avila merged commit 083e33a into main Jun 17, 2026
4 checks passed