@checkstack/backend-api 0.0.2 → 0.2.0

package/CHANGELOG.md

@@ -1,5 +1,123 @@
 # @checkstack/backend-api
 
+## 0.2.0
+
+### Minor Changes
+
+- 8e43507: # Teams and Resource-Level Access Control
+
+  This release introduces a comprehensive Teams system for organizing users and controlling access to resources at a granular level.
+
+  ## Features
+
+  ### Team Management
+
+  - Create, update, and delete teams with name and description
+  - Add/remove users from teams
+  - Designate team managers with elevated privileges
+  - View team membership and manager status
+
+  ### Resource-Level Access Control
+
+  - Grant teams access to specific resources (systems, health checks, incidents, maintenances)
+  - Configure read-only or manage permissions per team
+  - Resource-level "Team Only" mode that restricts access exclusively to team members
+  - Separate `resourceAccessSettings` table for resource-level settings (not per-grant)
+  - Automatic cleanup of grants when teams are deleted (database cascade)
+
+  ### Middleware Integration
+
+  - Extended `autoAuthMiddleware` to support resource access checks
+  - Single-resource pre-handler validation for detail endpoints
+  - Automatic list filtering for collection endpoints
+  - S2S endpoints for access verification
+
+  ### Frontend Components
+
+  - `TeamsTab` component for managing teams in Auth Settings
+  - `TeamAccessEditor` component for assigning team access to resources
+  - Resource-level "Team Only" toggle in `TeamAccessEditor`
+  - Integration into System, Health Check, Incident, and Maintenance editors
+
+  ## Breaking Changes
+
+  ### API Response Format Changes
+
+  List endpoints now return objects with named keys instead of arrays directly:
+
+  ```typescript
+  // Before
+  const systems = await catalogApi.getSystems();
+
+  // After
+  const { systems } = await catalogApi.getSystems();
+  ```
+
+  Affected endpoints:
+
+  - `catalog.getSystems` → `{ systems: [...] }`
+  - `healthcheck.getConfigurations` → `{ configurations: [...] }`
+  - `incident.listIncidents` → `{ incidents: [...] }`
+  - `maintenance.listMaintenances` → `{ maintenances: [...] }`
+
+  ### User Identity Enrichment
+
+  `RealUser` and `ApplicationUser` types now include `teamIds: string[]` field with team memberships.
+
+  ## Documentation
+
+  See `docs/backend/teams.md` for complete API reference and integration guide.
+
+### Patch Changes
+
+- 97c5a6b: Fix collector lookup when health check is assigned to a system
+
+  Collectors are now stored in the registry with their fully-qualified ID format (ownerPluginId.collectorId) to match how they are referenced in health check configurations. Added `qualifiedId` field to `RegisteredCollector` interface to avoid re-constructing the ID at query time. This fixes the "Collector not found" warning that occurred when executing health checks with assigned systems.
+
+- Updated dependencies [8e43507]
+  - @checkstack/common@0.1.0
+  - @checkstack/queue-api@0.0.4
+  - @checkstack/signal-common@0.0.4
+
+## 0.1.0
+
+### Minor Changes
+
+- f5b1f49: Added collector registry lifecycle cleanup during plugin unloading.
+
+  - Added `unregisterByOwner(pluginId)` to remove collectors owned by unloading plugins
+  - Added `unregisterByMissingStrategies(loadedPluginIds)` for dependency-based pruning
+  - Integrated registry cleanup into `PluginManager.deregisterPlugin()`
+  - Updated `registerCoreServices` to return global registries for lifecycle management
+
+### Patch Changes
+
+- f5b1f49: Added JSONPath assertions for response body validation and fully qualified strategy IDs.
+
+  **JSONPath Assertions:**
+
+  - Added `healthResultJSONPath()` factory in healthcheck-common for fields supporting JSONPath queries
+  - Extended AssertionBuilder with jsonpath field type showing path input (e.g., `$.data.status`)
+  - Added `jsonPath` field to `CollectorAssertionSchema` for persistence
+  - HTTP Request collector body field now supports JSONPath assertions
+
+  **Fully Qualified Strategy IDs:**
+
+  - HealthCheckRegistry now uses scoped factories like CollectorRegistry
+  - Strategies are stored with `pluginId.strategyId` format
+  - Added `getStrategiesWithMeta()` method to HealthCheckRegistry interface
+  - Router returns qualified IDs so frontend can correctly fetch collectors
+
+  **UI Improvements:**
+
+  - Save button disabled when collector configs have invalid required fields
+  - Fixed nested button warning in CollectorList accordion
+
+- Updated dependencies [f5b1f49]
+  - @checkstack/common@0.0.3
+  - @checkstack/queue-api@0.0.3
+  - @checkstack/signal-common@0.0.3
+
 ## 0.0.2
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/backend-api",
-  "version": "0.0.2",
+  "version": "0.2.0",
   "type": "module",
   "main": "./src/index.ts",
   "scripts": {

package/src/collector-registry.ts

@@ -0,0 +1,44 @@
+import type { PluginMetadata } from "@checkstack/common";
+import type { CollectorStrategy } from "./collector-strategy";
+import type { TransportClient } from "./transport-client";
+
+/**
+ * A registered collector with its owning plugin metadata.
+ */
+export interface RegisteredCollector {
+  /** The fully-qualified collector ID (ownerPluginId.collectorId) */
+  qualifiedId: string;
+  /** The collector strategy */
+  collector: CollectorStrategy<TransportClient<unknown, unknown>>;
+  /** The plugin that registered this collector */
+  ownerPlugin: PluginMetadata;
+}
+
+/**
+ * Scoped collector registry interface.
+ * The owning plugin metadata is automatically injected via factory.
+ */
+export interface CollectorRegistry {
+  /**
+   * Register a collector strategy.
+   * The owning plugin metadata is automatically captured from the scoped context.
+   */
+  register(
+    collector: CollectorStrategy<TransportClient<unknown, unknown>>
+  ): void;
+
+  /**
+   * Get a collector by ID.
+   */
+  getCollector(id: string): RegisteredCollector | undefined;
+
+  /**
+   * Get all collectors that support a specific transport plugin.
+   */
+  getCollectorsForPlugin(pluginMetadata: PluginMetadata): RegisteredCollector[];
+
+  /**
+   * Get all registered collectors.
+   */
+  getCollectors(): RegisteredCollector[];
+}

package/src/collector-strategy.ts

@@ -0,0 +1,83 @@
+import type { PluginMetadata } from "@checkstack/common";
+import type { TransportClient } from "./transport-client";
+import type { Versioned } from "./config-versioning";
+import type { HealthCheckRunForAggregation } from "./health-check";
+
+/**
+ * Result from a collector execution.
+ */
+export interface CollectorResult<TResult> {
+  /** Collector-specific result data */
+  result: TResult;
+  /** Optional error message if collection partially failed */
+  error?: string;
+}
+
+/**
+ * Generic collector strategy interface.
+ *
+ * Collectors extend health check strategies by providing additional metrics
+ * collection capabilities. They receive a connected transport client and
+ * produce typed results with chart metadata.
+ *
+ * @template TClient - Transport client type (e.g., SshTransportClient)
+ * @template TConfig - Collector configuration schema
+ * @template TResult - Per-execution result type
+ * @template TAggregated - Aggregated result for buckets
+ */
+export interface CollectorStrategy<
+  TClient extends TransportClient<unknown, unknown>,
+  TConfig = unknown,
+  TResult = Record<string, unknown>,
+  TAggregated = Record<string, unknown>
+> {
+  /** Unique identifier for this collector */
+  id: string;
+
+  /** Human-readable name */
+  displayName: string;
+
+  /** Optional description */
+  description?: string;
+
+  /**
+   * PluginMetadata of transport strategies this collector supports.
+   * The registry uses this to match collectors to compatible strategies.
+   */
+  supportedPlugins: PluginMetadata[];
+
+  /**
+   * Whether multiple instances of this collector can be added to one config.
+   * Default: false (one instance per collector type)
+   */
+  allowMultiple?: boolean;
+
+  /** Collector configuration schema with versioning */
+  config: Versioned<TConfig>;
+
+  /** Per-execution result schema (with x-chart-* metadata) */
+  result: Versioned<TResult>;
+
+  /** Aggregated result schema for bucket storage */
+  aggregatedResult: Versioned<TAggregated>;
+
+  /**
+   * Execute the collector using the provided transport client.
+   *
+   * @param params.config - Validated collector configuration
+   * @param params.client - Connected transport client
+   * @param params.pluginId - ID of the transport strategy invoking this collector
+   * @returns Collector result with typed metadata
+   */
+  execute(params: {
+    config: TConfig;
+    client: TClient;
+    pluginId: string;
+  }): Promise<CollectorResult<TResult>>;
+
+  /**
+   * Aggregate results from multiple runs into a summary.
+   * Called during retention processing.
+   */
+  aggregateResult(runs: HealthCheckRunForAggregation<TResult>[]): TAggregated;
+}

package/src/core-services.ts

@@ -1,10 +1,8 @@
 import { createServiceRef } from "./service-ref";
 import type { RpcService } from "./rpc";
 import type { HealthCheckRegistry } from "./health-check";
-import type {
-  QueuePluginRegistry,
-  QueueManager,
-} from "@checkstack/queue-api";
+import type { CollectorRegistry } from "./collector-registry";
+import type { QueuePluginRegistry, QueueManager } from "@checkstack/queue-api";
 import type { ConfigService } from "./config-service";
 import type { SignalService } from "@checkstack/signal-common";
 import { NodePgDatabase } from "drizzle-orm/node-postgres";
@@ -32,6 +30,9 @@ export const coreServices = {
   healthCheckRegistry: createServiceRef<HealthCheckRegistry>(
     "core.healthCheckRegistry"
   ),
+  collectorRegistry: createServiceRef<CollectorRegistry>(
+    "core.collectorRegistry"
+  ),
   pluginInstaller: createServiceRef<PluginInstaller>("core.pluginInstaller"),
   rpc: createServiceRef<RpcService>("core.rpc"),
   rpcClient: createServiceRef<RpcClient>("core.rpcClient"),

package/src/health-check.ts

@@ -1,4 +1,5 @@
 import { Versioned } from "./config-versioning";
+import type { TransportClient } from "./transport-client";
 
 /**
  * Health check result with typed metadata.
@@ -23,13 +24,35 @@ export interface HealthCheckRunForAggregation<
 }
 
 /**
- * Health check strategy definition with typed config and result.
+ * Connected transport client with cleanup capability.
+ */
+export interface ConnectedClient<
+  TClient extends TransportClient<unknown, unknown>
+> {
+  /** The connected transport client */
+  client: TClient;
+  /** Close the connection and release resources */
+  close(): void;
+}
+
+/**
+ * Health check strategy definition with typed config and transport client.
+ *
+ * Strategies provide a `createClient` function that establishes a connection
+ * and returns a transport client. The platform executor handles running
+ * collectors and basic health check logic (connectivity test, latency measurement).
+ *
  * @template TConfig - Configuration type for this strategy
- * @template TResult - Per-run result type
+ * @template TClient - Transport client type (e.g., SshTransportClient)
+ * @template TResult - Per-run result type (for aggregation)
  * @template TAggregatedResult - Aggregated result type for buckets
  */
 export interface HealthCheckStrategy<
   TConfig = unknown,
+  TClient extends TransportClient<unknown, unknown> = TransportClient<
+    unknown,
+    unknown
+  >,
   TResult = Record<string, unknown>,
   TAggregatedResult = Record<string, unknown>
 > {
@@ -46,7 +69,15 @@ export interface HealthCheckStrategy<
   /** Aggregated result schema for long-term bucket storage */
   aggregatedResult: Versioned<TAggregatedResult>;
 
-  execute(config: TConfig): Promise<HealthCheckResult<TResult>>;
+  /**
+   * Create a connected transport client from the configuration.
+   * The platform will use this client to execute collectors.
+   *
+   * @param config - Validated strategy configuration
+   * @returns Connected client wrapper with close() method
+   * @throws Error if connection fails (will be caught by executor)
+   */
+  createClient(config: TConfig): Promise<ConnectedClient<TClient>>;
 
   /**
    * Aggregate results from multiple runs into a summary for bucket storage.
@@ -59,10 +90,47 @@ export interface HealthCheckStrategy<
   ): TAggregatedResult;
 }
 
+/**
+ * A registered strategy with its owning plugin metadata and qualified ID.
+ */
+export interface RegisteredStrategy {
+  strategy: HealthCheckStrategy<
+    unknown,
+    TransportClient<unknown, unknown>,
+    unknown,
+    unknown
+  >;
+  ownerPluginId: string;
+  qualifiedId: string;
+}
+
 export interface HealthCheckRegistry {
-  register(strategy: HealthCheckStrategy<unknown, unknown, unknown>): void;
+  register(
+    strategy: HealthCheckStrategy<
+      unknown,
+      TransportClient<unknown, unknown>,
+      unknown,
+      unknown
+    >
+  ): void;
   getStrategy(
     id: string
-  ): HealthCheckStrategy<unknown, unknown, unknown> | undefined;
-  getStrategies(): HealthCheckStrategy<unknown, unknown, unknown>[];
+  ):
+    | HealthCheckStrategy<
+        unknown,
+        TransportClient<unknown, unknown>,
+        unknown,
+        unknown
+      >
+    | undefined;
+  getStrategies(): HealthCheckStrategy<
+    unknown,
+    TransportClient<unknown, unknown>,
+    unknown,
+    unknown
+  >[];
+  /**
+   * Get all registered strategies with their metadata (qualified ID, owner plugin).
+   */
+  getStrategiesWithMeta(): RegisteredStrategy[];
 }

package/src/index.ts

@@ -21,3 +21,6 @@ export * from "./markdown";
 export * from "./email-layout";
 export * from "./assertions";
 export * from "./chart-metadata";
+export * from "./transport-client";
+export * from "./collector-strategy";
+export * from "./collector-registry";

package/src/rpc.ts

@@ -1,13 +1,12 @@
 import { os as baseOs, ORPCError, Router } from "@orpc/server";
 import { AnyContractRouter } from "@orpc/contract";
 import { HealthCheckRegistry } from "./health-check";
-import {
-  QueuePluginRegistry,
-  QueueManager,
-} from "@checkstack/queue-api";
+import { CollectorRegistry } from "./collector-registry";
+import { QueuePluginRegistry, QueueManager } from "@checkstack/queue-api";
 import {
   ProcedureMetadata,
   qualifyPermissionId,
+  qualifyResourceType,
 } from "@checkstack/common";
 import { NodePgDatabase } from "drizzle-orm/node-postgres";
 import {
@@ -43,6 +42,7 @@ export interface RpcContext {
   auth: AuthService;
   user?: AuthUser;
   healthCheckRegistry: HealthCheckRegistry;
+  collectorRegistry: CollectorRegistry;
   queuePluginRegistry: QueuePluginRegistry;
   queueManager: QueueManager;
   /** Emit a hook event for cross-plugin communication */
@@ -87,10 +87,11 @@ export type { ProcedureMetadata } from "@checkstack/common";
  * Use this in backend routers: `implement(contract).$context<RpcContext>().use(autoAuthMiddleware)`
  */
 export const autoAuthMiddleware = os.middleware(
-  async ({ next, context, procedure }) => {
+  async ({ next, context, procedure }, input: unknown) => {
     const meta = procedure["~orpc"]?.meta as ProcedureMetadata | undefined;
     const requiredUserType = meta?.userType || "authenticated";
     const contractPermissions = meta?.permissions || [];
+    const resourceAccessConfigs = meta?.resourceAccess || [];
 
     // Prefix contract permissions with pluginId to get fully-qualified permission IDs
     // Contract defines: "catalog.read" -> Stored in DB as: "catalog.catalog.read"
@@ -98,30 +99,9 @@ export const autoAuthMiddleware = os.middleware(
       qualifyPermissionId(context.pluginMetadata, { id: p })
     );
 
-    // Helper to wrap next() with error logging
-    const nextWithErrorLogging = async () => {
-      try {
-        return await next({});
-      } catch (error) {
-        // Log the full error before oRPC sanitizes it to a generic 500
-        if (error instanceof ORPCError) {
-          // ORPCError is intentional - log at debug level
-          context.logger.debug("RPC error response:", {
-            code: error.code,
-            message: error.message,
-            data: error.data,
-          });
-        } else {
-          // Unexpected error - log at error level with full stack trace
-          context.logger.error("Unexpected RPC error:", error);
-        }
-        throw error;
-      }
-    };
-
     // 1. Handle anonymous endpoints - no auth required, no permission checks
     if (requiredUserType === "anonymous") {
-      return nextWithErrorLogging();
+      return next({});
     }
 
     // 2. Handle public endpoints - anyone can attempt, but permissions are checked
@@ -164,7 +144,7 @@ export const autoAuthMiddleware = os.middleware(
           }
         }
       }
-      return nextWithErrorLogging();
+      return next({});
     }
 
     // 3. Enforce authentication for user/service/authenticated types
@@ -206,11 +186,227 @@ export const autoAuthMiddleware = os.middleware(
       }
     }
 
-    // Pass through - services are trusted with all permissions
-    return nextWithErrorLogging();
+    // 6. Resource-level access control
+    // Skip if no resource access configs or if user is a service
+    if (resourceAccessConfigs.length === 0 || user.type === "service") {
+      return next({});
+    }
+
+    const userId = user.id;
+    const userType = user.type;
+    const action = inferActionFromPermissions(contractPermissions);
+    const hasGlobalPermission =
+      user.permissions?.includes("*") ||
+      contractPermissions.some((p) =>
+        user.permissions?.includes(
+          qualifyPermissionId(context.pluginMetadata, { id: p })
+        )
+      );
+
+    // Separate single vs list configs
+    const singleConfigs = resourceAccessConfigs.filter(
+      (c) => c.filterMode !== "list"
+    );
+    const listConfigs = resourceAccessConfigs.filter(
+      (c) => c.filterMode === "list"
+    );
+
+    // Pre-check: Single resource access
+    for (const config of singleConfigs) {
+      if (!config.idParam) continue;
+      const resourceId = getNestedValue(input, config.idParam);
+      if (!resourceId) continue;
+
+      const qualifiedType = qualifyResourceType(
+        context.pluginMetadata.pluginId,
+        config.resourceType
+      );
+
+      const hasAccess = await checkResourceAccessViaS2S({
+        auth: context.auth,
+        userId,
+        userType,
+        resourceType: qualifiedType,
+        resourceId,
+        action,
+        hasGlobalPermission,
+      });
+
+      if (!hasAccess) {
+        throw new ORPCError("FORBIDDEN", {
+          message: `Access denied to resource ${config.resourceType}:${resourceId}`,
+        });
+      }
+    }
+
+    // Execute handler
+    const result = await next({});
+
+    // Post-filter: List endpoints
+    if (
+      listConfigs.length > 0 &&
+      result.output &&
+      typeof result.output === "object"
+    ) {
+      const mutableOutput = result.output as Record<string, unknown>;
+
+      for (const config of listConfigs) {
+        if (!config.outputKey) {
+          context.logger.error(
+            `resourceAccess: filterMode "list" requires outputKey`
+          );
+          throw new ORPCError("INTERNAL_SERVER_ERROR", {
+            message: "Invalid resource access configuration",
+          });
+        }
+
+        const items = mutableOutput[config.outputKey];
+
+        if (items === undefined) {
+          context.logger.error(
+            `resourceAccess: expected "${config.outputKey}" in response but not found`
+          );
+          throw new ORPCError("INTERNAL_SERVER_ERROR", {
+            message: "Invalid response shape for filtered endpoint",
+          });
+        }
+
+        if (!Array.isArray(items)) {
+          context.logger.error(
+            `resourceAccess: "${config.outputKey}" must be an array`
+          );
+          throw new ORPCError("INTERNAL_SERVER_ERROR", {
+            message: "Invalid response shape for filtered endpoint",
+          });
+        }
+
+        const qualifiedType = qualifyResourceType(
+          context.pluginMetadata.pluginId,
+          config.resourceType
+        );
+
+        const resourceIds = items
+          .map((item) => (item as { id?: string }).id)
+          .filter((id): id is string => typeof id === "string");
+
+        const accessibleIds = await getAccessibleResourceIdsViaS2S({
+          auth: context.auth,
+          userId,
+          userType,
+          resourceType: qualifiedType,
+          resourceIds,
+          action,
+          hasGlobalPermission,
+        });
+
+        const accessibleSet = new Set(accessibleIds);
+        mutableOutput[config.outputKey] = items.filter((item) => {
+          const id = (item as { id?: string }).id;
+          return id && accessibleSet.has(id);
+        });
+      }
+    }
+
+    return result;
   }
 );
 
+/**
+ * Extract a nested value from an object using dot notation.
+ * E.g., getNestedValue({ params: { id: "123" } }, "params.id") => "123"
+ */
+function getNestedValue(obj: unknown, path: string): string | undefined {
+  const parts = path.split(".");
+  let current: unknown = obj;
+  for (const part of parts) {
+    if (current === null || current === undefined) return undefined;
+    current = (current as Record<string, unknown>)[part];
+  }
+  return typeof current === "string" ? current : undefined;
+}
+
+/**
+ * Determine action from permission suffix (read vs manage).
+ */
+function inferActionFromPermissions(permissions: string[]): "read" | "manage" {
+  const perm = permissions[0] || "";
+  if (perm.endsWith(".manage") || perm.endsWith("Manage")) return "manage";
+  return "read";
+}
+
+/**
+ * Check resource access via auth service S2S endpoint.
+ */
+async function checkResourceAccessViaS2S({
+  auth,
+  userId,
+  userType,
+  resourceType,
+  resourceId,
+  action,
+  hasGlobalPermission,
+}: {
+  auth: AuthService;
+  userId: string;
+  userType: "user" | "application";
+  resourceType: string;
+  resourceId: string;
+  action: "read" | "manage";
+  hasGlobalPermission: boolean;
+}): Promise<boolean> {
+  try {
+    const result = await auth.checkResourceTeamAccess({
+      userId,
+      userType,
+      resourceType,
+      resourceId,
+      action,
+      hasGlobalPermission,
+    });
+    return result.hasAccess;
+  } catch {
+    // If team access check fails (e.g., service not available), fall back to global permission
+    return hasGlobalPermission;
+  }
+}
+
+/**
+ * Get accessible resource IDs via auth service S2S endpoint.
+ */
+async function getAccessibleResourceIdsViaS2S({
+  auth,
+  userId,
+  userType,
+  resourceType,
+  resourceIds,
+  action,
+  hasGlobalPermission,
+}: {
+  auth: AuthService;
+  userId: string;
+  userType: "user" | "application";
+  resourceType: string;
+  resourceIds: string[];
+  action: "read" | "manage";
+  hasGlobalPermission: boolean;
+}): Promise<string[]> {
+  if (resourceIds.length === 0) return [];
+
+  try {
+    return await auth.getAccessibleResourceIds({
+      userId,
+      userType,
+      resourceType,
+      resourceIds,
+      action,
+      hasGlobalPermission,
+    });
+  } catch {
+    // If team access check fails, fall back to global permission behavior
+    return hasGlobalPermission ? resourceIds : [];
+  }
+}
+
 // =============================================================================
 // CONTRACT BUILDER
 // =============================================================================

package/src/test-utils.ts

@@ -2,10 +2,8 @@ import { mock } from "bun:test";
 import { RpcContext, EmitHookFn } from "./rpc";
 import { NodePgDatabase } from "drizzle-orm/node-postgres";
 import { HealthCheckRegistry } from "./health-check";
-import {
-  QueuePluginRegistry,
-  QueueManager,
-} from "@checkstack/queue-api";
+import { CollectorRegistry } from "./collector-registry";
+import { QueuePluginRegistry, QueueManager } from "@checkstack/queue-api";
 
 /**
  * Creates a mocked oRPC context for testing.
@@ -37,12 +35,24 @@ export function createMockRpcContext(
       authenticate: mock(),
       getCredentials: mock().mockResolvedValue({ headers: {} }),
       getAnonymousPermissions: mock().mockResolvedValue([]),
+      checkResourceTeamAccess: mock().mockResolvedValue({ hasAccess: true }),
+      getAccessibleResourceIds: mock().mockImplementation(
+        (params: { resourceIds: string[] }) =>
+          Promise.resolve(params.resourceIds)
+      ),
     },
     healthCheckRegistry: {
-      registerStrategy: mock(),
+      register: mock(),
       getStrategies: mock().mockReturnValue([]),
       getStrategy: mock(),
+      getStrategiesWithMeta: mock().mockReturnValue([]),
     } as unknown as HealthCheckRegistry,
+    collectorRegistry: {
+      register: mock(),
+      getCollector: mock(),
+      getCollectors: mock().mockReturnValue([]),
+      getCollectorsForPlugin: mock().mockReturnValue([]),
+    } as unknown as CollectorRegistry,
     queuePluginRegistry: {
       register: mock(),
       getPlugin: mock(),

package/src/transport-client.ts

@@ -0,0 +1,2 @@
+// Re-export TransportClient from common for convenience
+export type { TransportClient } from "@checkstack/common";

package/src/types.ts

@@ -31,6 +31,7 @@ export interface RealUser {
   name?: string;
   permissions?: string[];
   roles?: string[];
+  teamIds?: string[];
   [key: string]: unknown;
 }
 
@@ -53,6 +54,7 @@ export interface ApplicationUser {
   name: string;
   permissions?: string[];
   roles?: string[];
+  teamIds?: string[];
 }
 
 /**
@@ -70,6 +72,29 @@ export interface AuthService {
    * users on "public" userType endpoints.
    */
   getAnonymousPermissions(): Promise<string[]>;
+  /**
+   * Check if a user has access to a specific resource via team grants.
+   */
+  checkResourceTeamAccess(params: {
+    userId: string;
+    userType: "user" | "application";
+    resourceType: string;
+    resourceId: string;
+    action: "read" | "manage";
+    hasGlobalPermission: boolean;
+  }): Promise<{ hasAccess: boolean }>;
+  /**
+   * Get IDs of resources the user can access from a given list.
+   * Used for bulk filtering of list endpoints.
+   */
+  getAccessibleResourceIds(params: {
+    userId: string;
+    userType: "user" | "application";
+    resourceType: string;
+    resourceIds: string[];
+    action: "read" | "manage";
+    hasGlobalPermission: boolean;
+  }): Promise<string[]>;
 }
 
 /**