@checkstack/auth-common 0.0.3 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +73 -0
  2. package/package.json +1 -1
  3. package/src/permissions.ts +8 -0
  4. package/src/rpc-contract.ts +219 -0
package/CHANGELOG.md CHANGED
@@ -1,5 +1,78 @@
1
1
  # @checkstack/auth-common
2
2
 
3
+ ## 0.1.0
4
+
5
+ ### Minor Changes
6
+
7
+ - 8e43507: # Teams and Resource-Level Access Control
8
+
9
+ This release introduces a comprehensive Teams system for organizing users and controlling access to resources at a granular level.
10
+
11
+ ## Features
12
+
13
+ ### Team Management
14
+
15
+ - Create, update, and delete teams with name and description
16
+ - Add/remove users from teams
17
+ - Designate team managers with elevated privileges
18
+ - View team membership and manager status
19
+
20
+ ### Resource-Level Access Control
21
+
22
+ - Grant teams access to specific resources (systems, health checks, incidents, maintenances)
23
+ - Configure read-only or manage permissions per team
24
+ - Resource-level "Team Only" mode that restricts access exclusively to team members
25
+ - Separate `resourceAccessSettings` table for resource-level settings (not per-grant)
26
+ - Automatic cleanup of grants when teams are deleted (database cascade)
27
+
28
+ ### Middleware Integration
29
+
30
+ - Extended `autoAuthMiddleware` to support resource access checks
31
+ - Single-resource pre-handler validation for detail endpoints
32
+ - Automatic list filtering for collection endpoints
33
+ - S2S endpoints for access verification
34
+
35
+ ### Frontend Components
36
+
37
+ - `TeamsTab` component for managing teams in Auth Settings
38
+ - `TeamAccessEditor` component for assigning team access to resources
39
+ - Resource-level "Team Only" toggle in `TeamAccessEditor`
40
+ - Integration into System, Health Check, Incident, and Maintenance editors
41
+
42
+ ## Breaking Changes
43
+
44
+ ### API Response Format Changes
45
+
46
+ List endpoints now return objects with named keys instead of arrays directly:
47
+
48
+ ```typescript
49
+ // Before
50
+ const systems = await catalogApi.getSystems();
51
+
52
+ // After
53
+ const { systems } = await catalogApi.getSystems();
54
+ ```
55
+
56
+ Affected endpoints:
57
+
58
+ - `catalog.getSystems` → `{ systems: [...] }`
59
+ - `healthcheck.getConfigurations` → `{ configurations: [...] }`
60
+ - `incident.listIncidents` → `{ incidents: [...] }`
61
+ - `maintenance.listMaintenances` → `{ maintenances: [...] }`
62
+
63
+ ### User Identity Enrichment
64
+
65
+ `RealUser` and `ApplicationUser` types now include `teamIds: string[]` field with team memberships.
66
+
67
+ ## Documentation
68
+
69
+ See `docs/backend/teams.md` for complete API reference and integration guide.
70
+
71
+ ### Patch Changes
72
+
73
+ - Updated dependencies [8e43507]
74
+ - @checkstack/common@0.1.0
75
+
3
76
  ## 0.0.3
4
77
 
5
78
  ### Patch Changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@checkstack/auth-common",
3
- "version": "0.0.3",
3
+ "version": "0.1.0",
4
4
  "type": "module",
5
5
  "exports": {
6
6
  ".": {
package/src/permissions.ts CHANGED
@@ -45,6 +45,14 @@ export const permissions = {
45
45
  id: "applications.manage",
46
46
  description: "Create, update, delete, and view external applications",
47
47
  },
48
+ teamsRead: {
49
+ id: "teams.read",
50
+ description: "View teams and team memberships",
51
+ },
52
+ teamsManage: {
53
+ id: "teams.manage",
54
+ description: "Create, delete, and manage all teams and resource access",
55
+ },
48
56
  } satisfies Record<string, Permission>;
49
57
 
50
58
  export const permissionList = Object.values(permissions);
package/src/rpc-contract.ts CHANGED
@@ -385,6 +385,225 @@ export const authContract = {
385
385
  })
386
386
  .input(z.string())
387
387
  .output(z.object({ secret: z.string() })), // New secret - shown once
388
+
389
+ // ==========================================================================
390
+ // TEAM MANAGEMENT (userType: "authenticated" with permissions)
391
+ // Resource-level access control via teams
392
+ // Both users and applications can manage teams with proper permissions
393
+ // ==========================================================================
394
+
395
+ getTeams: _base
396
+ .meta({
397
+ userType: "authenticated",
398
+ permissions: [permissions.teamsRead.id],
399
+ })
400
+ .output(
401
+ z.array(
402
+ z.object({
403
+ id: z.string(),
404
+ name: z.string(),
405
+ description: z.string().optional().nullable(),
406
+ memberCount: z.number(),
407
+ isManager: z.boolean(),
408
+ })
409
+ )
410
+ ),
411
+
412
+ getTeam: _base
413
+ .meta({
414
+ userType: "authenticated",
415
+ permissions: [permissions.teamsRead.id],
416
+ })
417
+ .input(z.object({ teamId: z.string() }))
418
+ .output(
419
+ z
420
+ .object({
421
+ id: z.string(),
422
+ name: z.string(),
423
+ description: z.string().optional().nullable(),
424
+ members: z.array(
425
+ z.object({ id: z.string(), name: z.string(), email: z.string() })
426
+ ),
427
+ managers: z.array(
428
+ z.object({ id: z.string(), name: z.string(), email: z.string() })
429
+ ),
430
+ })
431
+ .optional()
432
+ ),
433
+
434
+ createTeam: _base
435
+ .meta({
436
+ userType: "authenticated",
437
+ permissions: [permissions.teamsManage.id],
438
+ })
439
+ .input(
440
+ z.object({
441
+ name: z.string().min(1).max(100),
442
+ description: z.string().max(500).optional(),
443
+ })
444
+ )
445
+ .output(z.object({ id: z.string() })),
446
+
447
+ updateTeam: _base
448
+ .meta({
449
+ userType: "authenticated",
450
+ permissions: [permissions.teamsRead.id],
451
+ })
452
+ .input(
453
+ z.object({
454
+ id: z.string(),
455
+ name: z.string().optional(),
456
+ description: z.string().optional().nullable(),
457
+ })
458
+ )
459
+ .output(z.void()),
460
+
461
+ deleteTeam: _base
462
+ .meta({
463
+ userType: "authenticated",
464
+ permissions: [permissions.teamsManage.id],
465
+ })
466
+ .input(z.string())
467
+ .output(z.void()),
468
+
469
+ addUserToTeam: _base
470
+ .meta({
471
+ userType: "authenticated",
472
+ permissions: [permissions.teamsRead.id],
473
+ })
474
+ .input(z.object({ teamId: z.string(), userId: z.string() }))
475
+ .output(z.void()),
476
+
477
+ removeUserFromTeam: _base
478
+ .meta({
479
+ userType: "authenticated",
480
+ permissions: [permissions.teamsRead.id],
481
+ })
482
+ .input(z.object({ teamId: z.string(), userId: z.string() }))
483
+ .output(z.void()),
484
+
485
+ addTeamManager: _base
486
+ .meta({
487
+ userType: "authenticated",
488
+ permissions: [permissions.teamsManage.id],
489
+ })
490
+ .input(z.object({ teamId: z.string(), userId: z.string() }))
491
+ .output(z.void()),
492
+
493
+ removeTeamManager: _base
494
+ .meta({
495
+ userType: "authenticated",
496
+ permissions: [permissions.teamsManage.id],
497
+ })
498
+ .input(z.object({ teamId: z.string(), userId: z.string() }))
499
+ .output(z.void()),
500
+
501
+ getResourceTeamAccess: _base
502
+ .meta({
503
+ userType: "authenticated",
504
+ permissions: [permissions.teamsRead.id],
505
+ })
506
+ .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
507
+ .output(
508
+ z.array(
509
+ z.object({
510
+ teamId: z.string(),
511
+ teamName: z.string(),
512
+ canRead: z.boolean(),
513
+ canManage: z.boolean(),
514
+ })
515
+ )
516
+ ),
517
+
518
+ setResourceTeamAccess: _base
519
+ .meta({
520
+ userType: "authenticated",
521
+ permissions: [permissions.teamsManage.id],
522
+ })
523
+ .input(
524
+ z.object({
525
+ resourceType: z.string(),
526
+ resourceId: z.string(),
527
+ teamId: z.string(),
528
+ canRead: z.boolean().optional(),
529
+ canManage: z.boolean().optional(),
530
+ })
531
+ )
532
+ .output(z.void()),
533
+
534
+ removeResourceTeamAccess: _base
535
+ .meta({
536
+ userType: "authenticated",
537
+ permissions: [permissions.teamsManage.id],
538
+ })
539
+ .input(
540
+ z.object({
541
+ resourceType: z.string(),
542
+ resourceId: z.string(),
543
+ teamId: z.string(),
544
+ })
545
+ )
546
+ .output(z.void()),
547
+
548
+ // Resource-level access settings (teamOnly flag)
549
+ getResourceAccessSettings: _base
550
+ .meta({
551
+ userType: "authenticated",
552
+ permissions: [permissions.teamsRead.id],
553
+ })
554
+ .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
555
+ .output(z.object({ teamOnly: z.boolean() })),
556
+
557
+ setResourceAccessSettings: _base
558
+ .meta({
559
+ userType: "authenticated",
560
+ permissions: [permissions.teamsManage.id],
561
+ })
562
+ .input(
563
+ z.object({
564
+ resourceType: z.string(),
565
+ resourceId: z.string(),
566
+ teamOnly: z.boolean(),
567
+ })
568
+ )
569
+ .output(z.void()),
570
+
571
+ // ==========================================================================
572
+ // S2S ENDPOINTS FOR TEAM ACCESS (userType: "service")
573
+ // ==========================================================================
574
+
575
+ checkResourceTeamAccess: _base
576
+ .meta({ userType: "service" })
577
+ .input(
578
+ z.object({
579
+ userId: z.string(),
580
+ userType: z.enum(["user", "application"]),
581
+ resourceType: z.string(),
582
+ resourceId: z.string(),
583
+ action: z.enum(["read", "manage"]),
584
+ hasGlobalPermission: z.boolean(),
585
+ })
586
+ )
587
+ .output(z.object({ hasAccess: z.boolean() })),
588
+
589
+ getAccessibleResourceIds: _base
590
+ .meta({ userType: "service" })
591
+ .input(
592
+ z.object({
593
+ userId: z.string(),
594
+ userType: z.enum(["user", "application"]),
595
+ resourceType: z.string(),
596
+ resourceIds: z.array(z.string()),
597
+ action: z.enum(["read", "manage"]),
598
+ hasGlobalPermission: z.boolean(),
599
+ })
600
+ )
601
+ .output(z.array(z.string())),
602
+
603
+ deleteResourceGrants: _base
604
+ .meta({ userType: "service" })
605
+ .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
606
+ .output(z.void()),
388
607
  };
389
608
 
390
609
  // Export contract type