@checkstack/auth-common 0.0.3 → 0.2.0

package/CHANGELOG.md

@@ -1,5 +1,152 @@
 # @checkstack/auth-common
 
+## 0.2.0
+
+### Minor Changes
+
+- 9faec1f: # Unified AccessRule Terminology Refactoring
+
+  This release completes a comprehensive terminology refactoring from "permission" to "accessRule" across the entire codebase, establishing a consistent and modern access control vocabulary.
+
+  ## Changes
+
+  ### Core Infrastructure (`@checkstack/common`)
+
+  - Introduced `AccessRule` interface as the primary access control type
+  - Added `accessPair()` helper for creating read/manage access rule pairs
+  - Added `access()` builder for individual access rules
+  - Replaced `Permission` type with `AccessRule` throughout
+
+  ### API Changes
+
+  - `env.registerPermissions()` → `env.registerAccessRules()`
+  - `meta.permissions` → `meta.access` in RPC contracts
+  - `usePermission()` → `useAccess()` in frontend hooks
+  - Route `permission:` field → `accessRule:` field
+
+  ### UI Changes
+
+  - "Roles & Permissions" tab → "Roles & Access Rules"
+  - "You don't have permission..." → "You don't have access..."
+  - All permission-related UI text updated
+
+  ### Documentation & Templates
+
+  - Updated 18 documentation files with AccessRule terminology
+  - Updated 7 scaffolding templates with `accessPair()` pattern
+  - All code examples use new AccessRule API
+
+  ## Migration Guide
+
+  ### Backend Plugins
+
+  ```diff
+  - import { permissionList } from "./permissions";
+  - env.registerPermissions(permissionList);
+  + import { accessRules } from "./access";
+  + env.registerAccessRules(accessRules);
+  ```
+
+  ### RPC Contracts
+
+  ```diff
+  - .meta({ userType: "user", permissions: [permissions.read.id] })
+  + .meta({ userType: "user", access: [access.read] })
+  ```
+
+  ### Frontend Hooks
+
+  ```diff
+  - const canRead = accessApi.usePermission(permissions.read.id);
+  + const canRead = accessApi.useAccess(access.read);
+  ```
+
+  ### Routes
+
+  ```diff
+  - permission: permissions.entityRead.id,
+  + accessRule: access.read,
+  ```
+
+### Patch Changes
+
+- Updated dependencies [9faec1f]
+- Updated dependencies [f533141]
+  - @checkstack/common@0.2.0
+
+## 0.1.0
+
+### Minor Changes
+
+- 8e43507: # Teams and Resource-Level Access Control
+
+  This release introduces a comprehensive Teams system for organizing users and controlling access to resources at a granular level.
+
+  ## Features
+
+  ### Team Management
+
+  - Create, update, and delete teams with name and description
+  - Add/remove users from teams
+  - Designate team managers with elevated privileges
+  - View team membership and manager status
+
+  ### Resource-Level Access Control
+
+  - Grant teams access to specific resources (systems, health checks, incidents, maintenances)
+  - Configure read-only or manage permissions per team
+  - Resource-level "Team Only" mode that restricts access exclusively to team members
+  - Separate `resourceAccessSettings` table for resource-level settings (not per-grant)
+  - Automatic cleanup of grants when teams are deleted (database cascade)
+
+  ### Middleware Integration
+
+  - Extended `autoAuthMiddleware` to support resource access checks
+  - Single-resource pre-handler validation for detail endpoints
+  - Automatic list filtering for collection endpoints
+  - S2S endpoints for access verification
+
+  ### Frontend Components
+
+  - `TeamsTab` component for managing teams in Auth Settings
+  - `TeamAccessEditor` component for assigning team access to resources
+  - Resource-level "Team Only" toggle in `TeamAccessEditor`
+  - Integration into System, Health Check, Incident, and Maintenance editors
+
+  ## Breaking Changes
+
+  ### API Response Format Changes
+
+  List endpoints now return objects with named keys instead of arrays directly:
+
+  ```typescript
+  // Before
+  const systems = await catalogApi.getSystems();
+
+  // After
+  const { systems } = await catalogApi.getSystems();
+  ```
+
+  Affected endpoints:
+
+  - `catalog.getSystems` → `{ systems: [...] }`
+  - `healthcheck.getConfigurations` → `{ configurations: [...] }`
+  - `incident.listIncidents` → `{ incidents: [...] }`
+  - `maintenance.listMaintenances` → `{ maintenances: [...] }`
+
+  ### User Identity Enrichment
+
+  `RealUser` and `ApplicationUser` types now include `teamIds: string[]` field with team memberships.
+
+  ## Documentation
+
+  See `docs/backend/teams.md` for complete API reference and integration guide.
+
+### Patch Changes
+
+- Updated dependencies [8e43507]
+  - @checkstack/common@0.1.0
+
 ## 0.0.3
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-common",
-  "version": "0.0.3",
+  "version": "0.2.0",
   "type": "module",
   "exports": {
     ".": {

package/src/access.ts

@@ -0,0 +1,91 @@
+import { access, accessPair, type AccessRule } from "@checkstack/common";
+
+/**
+ * Access rules for the Auth plugin.
+ *
+ * Auth has fine-grained access rules for different operations
+ * on users, roles, teams, strategies, etc.
+ */
+export const authAccess = {
+  /**
+   * User management access rules.
+   */
+  users: {
+    read: access("users", "read", "List all users"),
+    create: access(
+      "users.create",
+      "manage",
+      "Create new users (credential strategy)"
+    ),
+    manage: access("users", "manage", "Delete users"),
+  },
+
+  /**
+   * Role management access rules.
+   */
+  roles: {
+    read: access("roles", "read", "Read and list roles"),
+    create: access("roles.create", "manage", "Create new roles"),
+    update: access(
+      "roles.update",
+      "manage",
+      "Update role names and access rules"
+    ),
+    delete: access("roles.delete", "manage", "Delete roles"),
+    manage: access("roles", "manage", "Assign roles to users"),
+  },
+
+  /**
+   * Authentication strategy management.
+   */
+  strategies: access(
+    "strategies",
+    "manage",
+    "Manage authentication strategies and settings"
+  ),
+
+  /**
+   * Registration settings management.
+   */
+  registration: access(
+    "registration",
+    "manage",
+    "Manage user registration settings"
+  ),
+
+  /**
+   * External application management.
+   */
+  applications: access(
+    "applications",
+    "manage",
+    "Create, update, delete, and view external applications"
+  ),
+
+  /**
+   * Team management access rules.
+   */
+  teams: accessPair("teams", {
+    read: "View teams and team memberships",
+    manage: "Create, delete, and manage all teams and resource access",
+  }),
+};
+
+/**
+ * All access rules for registration with the plugin system.
+ */
+export const authAccessRules: AccessRule[] = [
+  authAccess.users.read,
+  authAccess.users.create,
+  authAccess.users.manage,
+  authAccess.roles.read,
+  authAccess.roles.create,
+  authAccess.roles.update,
+  authAccess.roles.delete,
+  authAccess.roles.manage,
+  authAccess.strategies,
+  authAccess.registration,
+  authAccess.applications,
+  authAccess.teams.read,
+  authAccess.teams.manage,
+];

package/src/index.ts

@@ -1,4 +1,4 @@
-export * from "./permissions";
+export * from "./access";
 export * from "./rpc-contract";
 export * from "./plugin-metadata";
 export * from "./schemas";

package/src/rpc-contract.ts

@@ -5,7 +5,7 @@ import {
   lucideIconSchema,
 } from "@checkstack/common";
 import { z } from "zod";
-import { permissions } from "./permissions";
+import { authAccess } from "./access";
 import { pluginMetadata } from "./plugin-metadata";
 
 // Base builder with full metadata support
@@ -23,12 +23,12 @@ const RoleDtoSchema = z.object({
   id: z.string(),
   name: z.string(),
   description: z.string().optional().nullable(),
-  permissions: z.array(z.string()),
+  accessRules: z.array(z.string()),
   isSystem: z.boolean().optional(),
   isAssignable: z.boolean().optional(), // False for anonymous role
 });
 
-const PermissionDtoSchema = z.object({
+const AccessRuleDtoSchema = z.object({
   id: z.string(),
   description: z.string().optional(),
 });
@@ -118,33 +118,33 @@ export const authContract = {
     .output(RegistrationStatusSchema),
 
   // ==========================================================================
-  // AUTHENTICATED ENDPOINTS (userType: "authenticated" - no specific permission)
+  // AUTHENTICATED ENDPOINTS (userType: "authenticated" - no specific access rule)
   // ==========================================================================
 
-  permissions: _base
-    .meta({ userType: "authenticated" }) // Any authenticated user can check their own permissions
-    .output(z.object({ permissions: z.array(z.string()) })),
+  accessRules: _base
+    .meta({ userType: "authenticated" }) // Any authenticated user can check their own access rules
+    .output(z.object({ accessRules: z.array(z.string()) })),
 
   // ==========================================================================
-  // USER MANAGEMENT (userType: "user" with permissions)
+  // USER MANAGEMENT (userType: "user" with access)
   // ==========================================================================
 
   getUsers: _base
-    .meta({ userType: "user", permissions: [permissions.usersRead.id] })
+    .meta({ userType: "user", access: [authAccess.users.read] })
     .output(z.array(UserDtoSchema)),
 
   deleteUser: _base
-    .meta({ userType: "user", permissions: [permissions.usersManage.id] })
+    .meta({ userType: "user", access: [authAccess.users.manage] })
     .input(z.string())
     .output(z.void()),
 
   createCredentialUser: _base
-    .meta({ userType: "user", permissions: [permissions.usersCreate.id] })
+    .meta({ userType: "user", access: [authAccess.users.create] })
     .input(CreateCredentialUserInputSchema)
     .output(CreateCredentialUserOutputSchema),
 
   updateUserRoles: _base
-    .meta({ userType: "user", permissions: [permissions.usersManage.id] })
+    .meta({ userType: "user", access: [authAccess.users.manage] })
     .input(
       z.object({
         userId: z.string(),
@@ -154,55 +154,55 @@ export const authContract = {
     .output(z.void()),
 
   // ==========================================================================
-  // ROLE MANAGEMENT (userType: "user" with permissions)
+  // ROLE MANAGEMENT (userType: "user" with access)
   // ==========================================================================
 
   getRoles: _base
-    .meta({ userType: "user", permissions: [permissions.rolesRead.id] })
+    .meta({ userType: "user", access: [authAccess.roles.read] })
     .output(z.array(RoleDtoSchema)),
 
-  getPermissions: _base
-    .meta({ userType: "user", permissions: [permissions.rolesRead.id] })
-    .output(z.array(PermissionDtoSchema)),
+  getAccessRules: _base
+    .meta({ userType: "user", access: [authAccess.roles.read] })
+    .output(z.array(AccessRuleDtoSchema)),
 
   createRole: _base
-    .meta({ userType: "user", permissions: [permissions.rolesCreate.id] })
+    .meta({ userType: "user", access: [authAccess.roles.create] })
     .input(
       z.object({
         name: z.string(),
         description: z.string().optional(),
-        permissions: z.array(z.string()),
+        accessRules: z.array(z.string()),
       })
     )
     .output(z.void()),
 
   updateRole: _base
-    .meta({ userType: "user", permissions: [permissions.rolesUpdate.id] })
+    .meta({ userType: "user", access: [authAccess.roles.update] })
     .input(
       z.object({
         id: z.string(),
         name: z.string().optional(),
         description: z.string().optional(),
-        permissions: z.array(z.string()),
+        accessRules: z.array(z.string()),
       })
     )
     .output(z.void()),
 
   deleteRole: _base
-    .meta({ userType: "user", permissions: [permissions.rolesDelete.id] })
+    .meta({ userType: "user", access: [authAccess.roles.delete] })
     .input(z.string())
     .output(z.void()),
 
   // ==========================================================================
-  // STRATEGY MANAGEMENT (userType: "user" with permissions)
+  // STRATEGY MANAGEMENT (userType: "user" with access)
   // ==========================================================================
 
   getStrategies: _base
-    .meta({ userType: "user", permissions: [permissions.strategiesManage.id] })
+    .meta({ userType: "user", access: [authAccess.strategies] })
     .output(z.array(StrategyDtoSchema)),
 
   updateStrategy: _base
-    .meta({ userType: "user", permissions: [permissions.strategiesManage.id] })
+    .meta({ userType: "user", access: [authAccess.strategies] })
     .input(
       z.object({
         id: z.string(),
@@ -213,24 +213,24 @@ export const authContract = {
     .output(z.object({ success: z.boolean() })),
 
   reloadAuth: _base
-    .meta({ userType: "user", permissions: [permissions.strategiesManage.id] })
+    .meta({ userType: "user", access: [authAccess.strategies] })
     .output(z.object({ success: z.boolean() })),
 
   // ==========================================================================
-  // REGISTRATION MANAGEMENT (userType: "user" with permissions)
+  // REGISTRATION MANAGEMENT (userType: "user" with access)
   // ==========================================================================
 
   getRegistrationSchema: _base
     .meta({
       userType: "user",
-      permissions: [permissions.registrationManage.id],
+      access: [authAccess.registration],
     })
     .output(z.record(z.string(), z.unknown())),
 
   setRegistrationStatus: _base
     .meta({
       userType: "user",
-      permissions: [permissions.registrationManage.id],
+      access: [authAccess.registration],
     })
     .input(RegistrationStatusSchema)
     .output(z.object({ success: z.boolean() })),
@@ -240,10 +240,10 @@ export const authContract = {
   // ==========================================================================
 
   /**
-   * Get permissions assigned to the anonymous role.
-   * Used by core AuthService for permission checks on public endpoints.
+   * Get access rules assigned to the anonymous role.
+   * Used by core AuthService for access checks on public endpoints.
    */
-  getAnonymousPermissions: _base
+  getAnonymousAccessRules: _base
     .meta({ userType: "service" })
     .output(z.array(z.string())),
 
@@ -293,28 +293,28 @@ export const authContract = {
     ),
 
   /**
-   * Filter a list of user IDs to only those who have a specific permission.
+   * Filter a list of user IDs to only those who have a specific access rule.
    * Used by SignalService to send signals only to authorized users.
    */
-  filterUsersByPermission: _base
+  filterUsersByAccessRule: _base
     .meta({ userType: "service" })
     .input(
       z.object({
         userIds: z.array(z.string()),
-        permission: z.string(), // Fully-qualified permission ID
+        accessRule: z.string(), // Fully-qualified access rule ID
       })
     )
     .output(z.array(z.string())), // Returns filtered user IDs
 
   // ==========================================================================
-  // APPLICATION MANAGEMENT (userType: "user" with permissions)
+  // APPLICATION MANAGEMENT (userType: "user" with access)
   // External API applications (API keys) with RBAC integration
   // ==========================================================================
 
   getApplications: _base
     .meta({
       userType: "user",
-      permissions: [permissions.applicationsManage.id],
+      access: [authAccess.applications],
     })
     .output(
       z.array(
@@ -333,7 +333,7 @@ export const authContract = {
   createApplication: _base
     .meta({
       userType: "user",
-      permissions: [permissions.applicationsManage.id],
+      access: [authAccess.applications],
     })
     .input(
       z.object({
@@ -358,7 +358,7 @@ export const authContract = {
   updateApplication: _base
     .meta({
       userType: "user",
-      permissions: [permissions.applicationsManage.id],
+      access: [authAccess.applications],
     })
     .input(
       z.object({
@@ -373,7 +373,7 @@ export const authContract = {
   deleteApplication: _base
     .meta({
       userType: "user",
-      permissions: [permissions.applicationsManage.id],
+      access: [authAccess.applications],
     })
     .input(z.string())
     .output(z.void()),
@@ -381,10 +381,229 @@ export const authContract = {
   regenerateApplicationSecret: _base
     .meta({
       userType: "user",
-      permissions: [permissions.applicationsManage.id],
+      access: [authAccess.applications],
     })
     .input(z.string())
     .output(z.object({ secret: z.string() })), // New secret - shown once
+
+  // ==========================================================================
+  // TEAM MANAGEMENT (userType: "authenticated" with access)
+  // Resource-level access control via teams
+  // Both users and applications can manage teams with proper access
+  // ==========================================================================
+
+  getTeams: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.read],
+    })
+    .output(
+      z.array(
+        z.object({
+          id: z.string(),
+          name: z.string(),
+          description: z.string().optional().nullable(),
+          memberCount: z.number(),
+          isManager: z.boolean(),
+        })
+      )
+    ),
+
+  getTeam: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.read],
+    })
+    .input(z.object({ teamId: z.string() }))
+    .output(
+      z
+        .object({
+          id: z.string(),
+          name: z.string(),
+          description: z.string().optional().nullable(),
+          members: z.array(
+            z.object({ id: z.string(), name: z.string(), email: z.string() })
+          ),
+          managers: z.array(
+            z.object({ id: z.string(), name: z.string(), email: z.string() })
+          ),
+        })
+        .optional()
+    ),
+
+  createTeam: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.manage],
+    })
+    .input(
+      z.object({
+        name: z.string().min(1).max(100),
+        description: z.string().max(500).optional(),
+      })
+    )
+    .output(z.object({ id: z.string() })),
+
+  updateTeam: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.read],
+    })
+    .input(
+      z.object({
+        id: z.string(),
+        name: z.string().optional(),
+        description: z.string().optional().nullable(),
+      })
+    )
+    .output(z.void()),
+
+  deleteTeam: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.manage],
+    })
+    .input(z.string())
+    .output(z.void()),
+
+  addUserToTeam: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.read],
+    })
+    .input(z.object({ teamId: z.string(), userId: z.string() }))
+    .output(z.void()),
+
+  removeUserFromTeam: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.read],
+    })
+    .input(z.object({ teamId: z.string(), userId: z.string() }))
+    .output(z.void()),
+
+  addTeamManager: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.manage],
+    })
+    .input(z.object({ teamId: z.string(), userId: z.string() }))
+    .output(z.void()),
+
+  removeTeamManager: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.manage],
+    })
+    .input(z.object({ teamId: z.string(), userId: z.string() }))
+    .output(z.void()),
+
+  getResourceTeamAccess: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.read],
+    })
+    .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
+    .output(
+      z.array(
+        z.object({
+          teamId: z.string(),
+          teamName: z.string(),
+          canRead: z.boolean(),
+          canManage: z.boolean(),
+        })
+      )
+    ),
+
+  setResourceTeamAccess: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.manage],
+    })
+    .input(
+      z.object({
+        resourceType: z.string(),
+        resourceId: z.string(),
+        teamId: z.string(),
+        canRead: z.boolean().optional(),
+        canManage: z.boolean().optional(),
+      })
+    )
+    .output(z.void()),
+
+  removeResourceTeamAccess: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.manage],
+    })
+    .input(
+      z.object({
+        resourceType: z.string(),
+        resourceId: z.string(),
+        teamId: z.string(),
+      })
+    )
+    .output(z.void()),
+
+  // Resource-level access settings (teamOnly flag)
+  getResourceAccessSettings: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.read],
+    })
+    .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
+    .output(z.object({ teamOnly: z.boolean() })),
+
+  setResourceAccessSettings: _base
+    .meta({
+      userType: "authenticated",
+      access: [authAccess.teams.manage],
+    })
+    .input(
+      z.object({
+        resourceType: z.string(),
+        resourceId: z.string(),
+        teamOnly: z.boolean(),
+      })
+    )
+    .output(z.void()),
+
+  // ==========================================================================
+  // S2S ENDPOINTS FOR TEAM ACCESS (userType: "service")
+  // ==========================================================================
+
+  checkResourceTeamAccess: _base
+    .meta({ userType: "service" })
+    .input(
+      z.object({
+        userId: z.string(),
+        userType: z.enum(["user", "application"]),
+        resourceType: z.string(),
+        resourceId: z.string(),
+        action: z.enum(["read", "manage"]),
+        hasGlobalAccess: z.boolean(),
+      })
+    )
+    .output(z.object({ hasAccess: z.boolean() })),
+
+  getAccessibleResourceIds: _base
+    .meta({ userType: "service" })
+    .input(
+      z.object({
+        userId: z.string(),
+        userType: z.enum(["user", "application"]),
+        resourceType: z.string(),
+        resourceIds: z.array(z.string()),
+        action: z.enum(["read", "manage"]),
+        hasGlobalAccess: z.boolean(),
+      })
+    )
+    .output(z.array(z.string())),
+
+  deleteResourceGrants: _base
+    .meta({ userType: "service" })
+    .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
+    .output(z.void()),
 };
 
 // Export contract type

package/src/permissions.ts

@@ -1,50 +0,0 @@
-import type { Permission } from "@checkstack/common";
-
-export const permissions = {
-  usersRead: {
-    id: "users.read",
-    description: "List all users",
-  },
-  usersCreate: {
-    id: "users.create",
-    description: "Create new users (credential strategy)",
-  },
-  usersManage: {
-    id: "users.manage",
-    description: "Delete users",
-  },
-  rolesRead: {
-    id: "roles.read",
-    description: "Read and list roles",
-  },
-  rolesCreate: {
-    id: "roles.create",
-    description: "Create new roles",
-  },
-  rolesUpdate: {
-    id: "roles.update",
-    description: "Update role names and permissions",
-  },
-  rolesDelete: {
-    id: "roles.delete",
-    description: "Delete roles",
-  },
-  rolesManage: {
-    id: "roles.manage",
-    description: "Assign roles to users",
-  },
-  strategiesManage: {
-    id: "strategies.manage",
-    description: "Manage authentication strategies and settings",
-  },
-  registrationManage: {
-    id: "registration.manage",
-    description: "Manage user registration settings",
-  },
-  applicationsManage: {
-    id: "applications.manage",
-    description: "Create, update, delete, and view external applications",
-  },
-} satisfies Record<string, Permission>;
-
-export const permissionList = Object.values(permissions);