feat: Add X-User-Id header to Code Executor for session isolation #44

@SharpLu

Summary

Add X-User-Id header to Code Execution API requests to enable proper user-based session isolation.

Problem

Currently, the CodeExecutor tool does not send any user identification header when making requests to the Code Interpreter API. While user_id is passed to createCodeExecutionTool(), it is only used internally and never transmitted to the backend.

This causes a critical session isolation issue in multi-user deployments:

  1. LibreChat passes user_id when creating the tool:

     const CodeExecutionTool = createCodeExecutionTool({
       user_id: user,  // Passed but never sent to API
       files,
       ...authValues,
     });

  2. Code Interpreter backend expects user identification via headers:

     const userId = req.headers['x-user-id'] || 'anonymous';

  3. Without the header, all users fall back to 'anonymous', causing:
    • Users can see other users' uploaded files
    • Session data leakage between different users
    • Privacy and security concerns in enterprise deployments

Suggested Solution

Add X-User-Id header to both GET and POST requests in src/tools/CodeExecutor.ts:

headers: {
  'Content-Type': 'application/json',
  'User-Agent': 'LibreChat/1.0',
  'X-API-Key': apiKey,
+  'X-User-Id': user_id,
}
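
Review bot: the added line `'X-User-Id': user_id,` sends the value without checking that it is a non-empty string. The backend line quoted above, `req.headers['x-user-id'] || 'anonymous'`, treats an empty value as missing, so a request built with an empty user_id lands back in the shared 'anonymous' session with no error. Suggest validating user_id before the headers object is built and failing the tool call when it is absent. The snippet also shows a single headers object, while the text says both the GET and the POST request need the header, so the change should be confirmed in both places.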

Benefits

  • Security: Proper session isolation between users
  • Privacy: Users can only access their own uploaded files
  • Backward Compatible: Backends that don't use this header will ignore it
  • Consistent: Aligns with file upload which already sends User-Id header

I'm happy to submit a PR for this fix.
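
The fallback quoted in the issue, next to a fail-closed variant, as an added example that is not code from LibreChat or from the Code Interpreter backend. The in-memory store, the function names, the sample requests and the user-id format are assumptions made for illustration.

```javascript
// Constructed in-memory file store keyed by session owner (illustration only).
const store = new Map();

// Pattern quoted in the issue: a missing header silently becomes 'anonymous'.
function ownerWithFallback(headers) {
  return headers['x-user-id'] || 'anonymous';
}

// Fail-closed variant. Assumption: ids are 1-64 characters of [A-Za-z0-9_-].
const USER_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;
function ownerStrict(headers) {
  const id = headers['x-user-id'];
  // Reject absent, malformed, and the shared 'anonymous' identity.
  if (typeof id !== 'string' || !USER_ID_RE.test(id) || id === 'anonymous') {
    const err = new Error('missing or invalid X-User-Id');
    err.status = 400;
    throw err;
  }
  return id;
}

function upload(resolveOwner, headers, name) {
  const owner = resolveOwner(headers);
  if (!store.has(owner)) store.set(owner, []);
  store.get(owner).push(name);
}

function listFiles(resolveOwner, headers) {
  return [...(store.get(resolveOwner(headers)) || [])];
}

// Constructed requests: the client omits the header, as described in the issue.
function demo() {
  const noHeader = { 'x-api-key': 'placeholder-key' };

  store.clear();
  upload(ownerWithFallback, noHeader, 'alice-payroll.csv');   // sent by user A
  const leaked = listFiles(ownerWithFallback, noHeader);      // read by user B

  store.clear();
  upload(ownerStrict, { 'x-user-id': 'alice' }, 'alice-payroll.csv');
  const bobSees = listFiles(ownerStrict, { 'x-user-id': 'bob' });

  let rejected = false;
  try { listFiles(ownerStrict, noHeader); } catch (e) { rejected = e.status === 400; }
  return { leaked, bobSees, rejected };
}
```

The header is asserted by the caller, so it isolates users only as far as the holder of the API key is trusted to set it correctly.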
