✨ feat: Audit log UI for SystemGrants changes

package.json

@@ -22,7 +22,7 @@
   },
   "dependencies": {
     "@clickhouse/click-ui": "0.2.0-rc.4",
-    "@librechat/data-schemas": "^0.0.51",
+    "@librechat/data-schemas": "^0.0.52",
     "@tailwindcss/vite": "^4.1.18",
     "@tanstack/react-devtools": "0.10.0",
     "@tanstack/react-query": "5.95.2",
@@ -41,7 +41,7 @@
     "i18next-browser-languagedetector": "^8.2.1",
     "input-otp": "^1.4.2",
     "js-yaml": "^4.1.1",
-    "librechat-data-provider": "^0.8.502",
+    "librechat-data-provider": "^0.8.503",
     "lucide-react": "^0.545.0",
     "prom-client": "^15.1.3",
     "react": "^19.2.0",

server.ts

@@ -40,6 +40,43 @@ function getCacheHeaders(filePath: string): Record<string, string> {
   return {};
 }
 
+// 'unsafe-inline' in style-src is required because Tailwind 4 + click-ui inject inline styles at runtime.
+// TanStack Start's SSR injects an inline `<script type="module">import("/_build/...")</script>` to
+// boot the client. Without a nonce or 'unsafe-inline' for script-src, browsers will block hydration.
+// Threading a per-request nonce through TanStack Start's manifest is non-trivial; until that wiring
+// lands we ship the policy as report-only so it surfaces violations in dev tooling without breaking
+// hydration in prod. Set ADMIN_PANEL_CSP_ENFORCE=true to switch back to enforcement (only safe once
+// the nonce path is in place).
+const CSP_VALUE = [
+  "default-src 'self'",
+  "script-src 'self'",
+  "style-src 'self' 'unsafe-inline'",
+  "img-src 'self' data: blob:",
+  "font-src 'self' data:",
+  "connect-src 'self'",
+  "object-src 'none'",
+  "frame-ancestors 'none'",
+  "base-uri 'self'",
+  "form-action 'self'",
+].join('; ');
+
+const CSP_ENFORCE = process.env.ADMIN_PANEL_CSP_ENFORCE === 'true';
+const CSP_HEADER_NAME = CSP_ENFORCE
+  ? 'Content-Security-Policy'
+  : 'Content-Security-Policy-Report-Only';
+
+function applySecurityHeaders(headers: Headers): void {
+  const contentType = headers.get('Content-Type') ?? '';
+  if (!contentType.toLowerCase().startsWith('text/html')) return;
+  headers.set(CSP_HEADER_NAME, CSP_VALUE);
+  headers.set('X-Content-Type-Options', 'nosniff');
+  headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+  headers.set('X-Frame-Options', 'DENY');
+  if (process.env.NODE_ENV === 'production') {
+    headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+  }
+}
+
 type Handler = { default: { fetch: (req: Request) => Promise<Response> } };
 
 const { default: handler } = (await import(SERVER_ENTRY.href)) as Handler;
@@ -65,11 +102,11 @@ async function buildStaticRoutes(): Promise<Record<string, (req: Request) => Pro
     const cache = getCacheHeaders(path);
     const routePath = `/${path}`;
     routes[routePath] = (req) =>
-      withHttpMetrics(
-        req,
-        routePath,
-        () => new Response(file, { headers: { 'Content-Type': file.type, ...cache } }),
-      );
+      withHttpMetrics(req, routePath, () => {
+        const res = new Response(file, { headers: { 'Content-Type': file.type, ...cache } });
+        applySecurityHeaders(res.headers);
+        return res;
+      });
   }
   return routes;
 }
@@ -86,6 +123,7 @@ const server = Bun.serve({
       for (const [k, v] of Object.entries(NO_CACHE)) {
         patched.headers.set(k, v);
       }
+      applySecurityHeaders(patched.headers);
       return patched;
     },
   },