@checkstack/backend-api 0.19.0 → 0.21.0
- package/CHANGELOG.md +205 -0
- package/package.json +12 -11
- package/src/advisory-lock-pool.it.test.ts +282 -0
- package/src/advisory-lock.test.ts +144 -3
- package/src/advisory-lock.ts +97 -55
- package/src/auth-strategy.ts +6 -3
- package/src/bearer-token.ts +13 -0
- package/src/collector-strategy.ts +9 -0
- package/src/config-versioning.test.ts +227 -0
- package/src/config-versioning.ts +172 -0
- package/src/core-services.ts +14 -0
- package/src/esm-script-runner.test.ts +55 -16
- package/src/esm-script-runner.ts +212 -55
- package/src/index.ts +3 -0
- package/src/render-templatable-config.test.ts +168 -0
- package/src/render-templatable-config.ts +193 -0
- package/src/schema-utils.ts +3 -0
- package/src/script-sandbox/capabilities.test.ts +122 -0
- package/src/script-sandbox/capabilities.ts +372 -0
- package/src/script-sandbox/capped-output.test.ts +116 -0
- package/src/script-sandbox/capped-output.ts +172 -0
- package/src/script-sandbox/env-guard.test.ts +105 -0
- package/src/script-sandbox/env-guard.ts +129 -0
- package/src/script-sandbox/filesystem.test.ts +437 -0
- package/src/script-sandbox/filesystem.ts +514 -0
- package/src/script-sandbox/forkbomb.it.test.ts +121 -0
- package/src/script-sandbox/global-default.test.ts +161 -0
- package/src/script-sandbox/global-default.ts +100 -0
- package/src/script-sandbox/index.ts +14 -0
- package/src/script-sandbox/network.test.ts +356 -0
- package/src/script-sandbox/network.ts +373 -0
- package/src/script-sandbox/observability.test.ts +210 -0
- package/src/script-sandbox/observability.ts +168 -0
- package/src/script-sandbox/output-truncation.test.ts +53 -0
- package/src/script-sandbox/output-truncation.ts +69 -0
- package/src/script-sandbox/policy.test.ts +189 -0
- package/src/script-sandbox/policy.ts +220 -0
- package/src/script-sandbox/provider.test.ts +61 -0
- package/src/script-sandbox/provider.ts +134 -0
- package/src/script-sandbox/readiness.test.ts +80 -0
- package/src/script-sandbox/readiness.ts +117 -0
- package/src/script-sandbox/report.ts +88 -0
- package/src/script-sandbox/rootless-egress.it.test.ts +86 -0
- package/src/script-sandbox/rootless-egress.test.ts +99 -0
- package/src/script-sandbox/rootless-egress.ts +218 -0
- package/src/script-sandbox/shell-quote.test.ts +32 -0
- package/src/script-sandbox/shell-quote.ts +10 -0
- package/src/script-sandbox/wrapper.test.ts +1194 -0
- package/src/script-sandbox/wrapper.ts +714 -0
- package/src/shell-script-runner.test.ts +243 -0
- package/src/shell-script-runner.ts +210 -45
- package/src/zod-config.test.ts +60 -0
- package/src/zod-config.ts +38 -14
- package/tsconfig.json +3 -0
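--- a/package/src/zod-config.ts
+++ b/package/src/zod-config.ts
@@ -54,6 +54,20 @@ export interface ConfigMeta {
 * to the plain JSON editor.
 */
 "x-secret-env"?: boolean;
+/**
+* Mark a string field as templatable. Its value is rendered through the
+* template engine (`{{ environment.* }}` / `{{ check.* }}` /
+* `{{ system.* }}`) at execute time, per resolved environment, BEFORE the
+* collector reads it. ONLY `x-templatable` fields are rendered; every other
+* field is passed through verbatim (so a literal `{{` in a non-templatable
+* field is never touched).
+*
+* A field MUST NOT carry both `x-secret` (or `x-secret-env`) and
+* `x-templatable` — secrets and templating are resolved in separate ordered
+* passes (secrets first) and must never combine. This is enforced at load
+* time via {@link assertNoSecretTemplatableConflict}.
+*/
+"x-templatable"?: boolean;
 }
 
 /**
@@ -71,23 +85,25 @@ export const configRegistry = z.registry<ConfigMeta>();
 * - ZodOptional
 * - ZodDefault
 * - ZodNullable
+*
+* Loops so that multi-level wrappers (e.g. `.optional().default()`) are fully
+* peeled — a single-pass strip misses the inner wrapper and causes
+* `getConfigMeta` to return `undefined` for deeply-wrapped `x-templatable`
+* fields.
 */
 function unwrapSchema(schema: z.ZodTypeAny): z.ZodTypeAny {
-let
-
-
-
+let current = schema;
+for (;;) {
+if (current instanceof z.ZodOptional || current instanceof z.ZodNullable) {
+current = current.unwrap() as z.ZodTypeAny;
+continue;
+}
+if (current instanceof z.ZodDefault) {
+current = current.def.innerType as z.ZodTypeAny;
+continue;
+}
+return current;
 }
-
-if (unwrapped instanceof z.ZodDefault) {
-unwrapped = unwrapped.def.innerType as z.ZodTypeAny;
-}
-
-if (unwrapped instanceof z.ZodNullable) {
-unwrapped = unwrapped.unwrap() as z.ZodTypeAny;
-}
-
-return unwrapped;
 }
 
 /**
@@ -119,6 +135,14 @@ export function isHiddenSchema(schema: z.ZodTypeAny): boolean {
 return getConfigMeta(schema)?.["x-hidden"] === true;
 }
 
+/**
+* Check if a schema is marked templatable (its string value is rendered
+* through the template engine before the collector reads it).
+*/
+export function isTemplatableSchema(schema: z.ZodTypeAny): boolean {
+return getConfigMeta(schema)?.["x-templatable"] === true;
+}
+
 /**
 * Get options resolver metadata for a schema.
 */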
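Review bot: The new loop in `unwrapSchema` peels only `ZodOptional`, `ZodNullable` and `ZodDefault`, so any other wrapper type (for example `ZodReadonly` or `ZodCatch`) still ends the walk early. When that happens the metadata lookup comes back empty, and `isTemplatableSchema` and `isHiddenSchema` read it as `false`. If the `x-secret` / `x-secret-env` checks and `assertNoSecretTemplatableConflict` use the same lookup (not visible in this section), a wrapper outside the list would silently treat a secret field as plain and let the secret/templatable conflict check pass. The doc comment records the earlier miss only for `x-templatable`, so I would add a line such as `* Wrappers not listed above end the walk; flags on the inner schema then read as unset, x-secret included.` A test that a field marked `x-secret` and wrapped in `.optional().default()` is still detected would pin the behaviour.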