@checkstack/backend-api 0.7.0 → 0.8.1

package/CHANGELOG.md

@@ -1,5 +1,50 @@
 # @checkstack/backend-api
 
+## 0.8.1
+
+### Patch Changes
+
+- 0ebbe56: Security Vulnerability Remediation completed:
+  - Refactored core authorization to Fail-Closed architecture with secure defaults.
+  - Implemented `assertTeamManagementAccess` to resolve BOLA in Teams Management.
+  - Protected internal S2S capabilities via explicit wildcard `serviceScope` definitions.
+  - Disarmed OS Command Injection in DiskCollector via strict regex validation and bash escaping.
+  - Re-architected inline script processing executing scripts in sandboxed Web Worker contexts.
+  - Isolated subprocess environment scopes in PingStrategy limiting variable leakage.
+  - Enforced strict token/API Key parsing with URLSearchParams checking.
+  - Explicitly fail-fast on missing DATABASE_URL configuration across independent backend clusters.
+  - Activated strict HTTP Security Headers (HSTS, CSP, X-Frame-Options) across the API automatically.
+- Updated dependencies [0ebbe56]
+  - @checkstack/common@0.6.3
+  - @checkstack/queue-api@0.2.6
+  - @checkstack/healthcheck-common@0.8.3
+  - @checkstack/signal-common@0.1.7
+
+## 0.8.0
+
+### Minor Changes
+
+- 869b4ab: ## Health Check Execution Improvements
+
+  ### Breaking Changes (backend-api)
+
+  - `HealthCheckStrategy.createClient()` now accepts `unknown` instead of `TConfig` due to TypeScript contravariance constraints. Implementations should use `this.config.validate(config)` to narrow the type.
+
+  ### Features
+
+  - **Platform-level hard timeout**: The executor now wraps the entire health check execution (connection + all collectors) in a single timeout, ensuring checks never hang indefinitely.
+  - **Parallel collector execution**: Collectors now run in parallel using `Promise.allSettled()`, improving performance while ensuring all collectors complete regardless of individual failures.
+  - **Base strategy config schema**: All strategy configs now extend `baseStrategyConfigSchema` which provides a standardized `timeout` field with sensible defaults (30s, min 100ms).
+
+  ### Fixes
+
+  - Fixed HTTP and Jenkins strategies clearing timeouts before reading the full response body.
+  - Simplified registry type signatures by using default type parameters.
+
+### Patch Changes
+
+- @checkstack/queue-api@0.2.5
+
 ## 0.7.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/backend-api",
-  "version": "0.7.0",
+  "version": "0.8.1",
   "type": "module",
   "main": "./src/index.ts",
   "scripts": {
@@ -9,10 +9,10 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/common": "0.6.1",
-    "@checkstack/healthcheck-common": "0.8.1",
-    "@checkstack/queue-api": "0.2.2",
-    "@checkstack/signal-common": "0.1.5",
+    "@checkstack/common": "0.6.2",
+    "@checkstack/healthcheck-common": "0.8.2",
+    "@checkstack/queue-api": "0.2.5",
+    "@checkstack/signal-common": "0.1.6",
     "@orpc/client": "^1.13.2",
     "@orpc/openapi": "^1.13.2",
     "@orpc/server": "^1.13.2",

package/src/base-strategy-config.ts

@@ -0,0 +1,26 @@
+import z from "zod";
+import { configNumber } from "./zod-config";
+
+/**
+ * Base configuration schema that all strategy configs should extend.
+ * Provides the required `timeout` field with a sensible default.
+ *
+ * @example
+ * ```typescript
+ * const myConfigSchema = baseStrategyConfigSchema.extend({
+ *   host: z.string().describe("Server hostname"),
+ *   port: z.number().default(22),
+ * });
+ * ```
+ */
+export const baseStrategyConfigSchema = z.object({
+  timeout: configNumber({})
+    .min(100)
+    .default(30_000)
+    .describe("Execution timeout in milliseconds"),
+});
+
+/**
+ * Base config type that all strategy configs must satisfy.
+ */
+export type BaseStrategyConfig = z.infer<typeof baseStrategyConfigSchema>;

package/src/health-check.ts

@@ -4,6 +4,7 @@ import type {
   VersionedAggregated,
   AggregatedResultShape,
 } from "./aggregated-result";
+import type { BaseStrategyConfig } from "./base-strategy-config";
 
 /**
  * Health check result with typed metadata.
@@ -31,7 +32,7 @@ export interface HealthCheckRunForAggregation<
  * Connected transport client with cleanup capability.
  */
 export interface ConnectedClient<
-  TClient extends TransportClient<unknown, unknown>,
+  TClient extends TransportClient<never, unknown>,
 > {
   /** The connected transport client */
   client: TClient;
@@ -46,18 +47,18 @@ export interface ConnectedClient<
  * and returns a transport client. The platform executor handles running
  * collectors and basic health check logic (connectivity test, latency measurement).
  *
- * @template TConfig - Configuration type for this strategy
+ * @template TConfig - Configuration type for this strategy (must include timeout)
  * @template TClient - Transport client type (e.g., SshTransportClient)
  * @template TResult - Per-run result type (for aggregation)
  * @template TAggregatedFields - Aggregated field definitions for VersionedAggregated
  */
 export interface HealthCheckStrategy<
-  TConfig = unknown,
-  TClient extends TransportClient<unknown, unknown> = TransportClient<
-    unknown,
+  TConfig extends BaseStrategyConfig = BaseStrategyConfig,
+  TClient extends TransportClient<never, unknown> = TransportClient<
+    never,
     unknown
   >,
-  TResult = Record<string, unknown>,
+  TResult = unknown,
   TAggregatedFields extends AggregatedResultShape = AggregatedResultShape,
 > {
   id: string;
@@ -77,11 +78,11 @@ export interface HealthCheckStrategy<
    * Create a connected transport client from the configuration.
    * The platform will use this client to execute collectors.
    *
-   * @param config - Validated strategy configuration
+   * @param config - Strategy configuration (use config.validate() to narrow type)
    * @returns Connected client wrapper with close() method
    * @throws Error if connection fails (will be caught by executor)
    */
-  createClient(config: TConfig): Promise<ConnectedClient<TClient>>;
+  createClient(config: unknown): Promise<ConnectedClient<TClient>>;
 
   /**
    * Incrementally merge new run data into an existing aggregate.
@@ -103,41 +104,15 @@ export interface HealthCheckStrategy<
  * A registered strategy with its owning plugin metadata and qualified ID.
  */
 export interface RegisteredStrategy {
-  strategy: HealthCheckStrategy<
-    unknown,
-    TransportClient<unknown, unknown>,
-    unknown,
-    AggregatedResultShape
-  >;
+  strategy: HealthCheckStrategy;
   ownerPluginId: string;
   qualifiedId: string;
 }
 
 export interface HealthCheckRegistry {
-  register(
-    strategy: HealthCheckStrategy<
-      unknown,
-      TransportClient<unknown, unknown>,
-      unknown,
-      AggregatedResultShape
-    >,
-  ): void;
-  getStrategy(
-    id: string,
-  ):
-    | HealthCheckStrategy<
-        unknown,
-        TransportClient<unknown, unknown>,
-        unknown,
-        AggregatedResultShape
-      >
-    | undefined;
-  getStrategies(): HealthCheckStrategy<
-    unknown,
-    TransportClient<unknown, unknown>,
-    unknown,
-    AggregatedResultShape
-  >[];
+  register<S extends HealthCheckStrategy>(strategy: S): void;
+  getStrategy(id: string): HealthCheckStrategy | undefined;
+  getStrategies(): HealthCheckStrategy[];
   /**
    * Get all registered strategies with their metadata (qualified ID, owner plugin).
    */

package/src/index.ts

@@ -3,6 +3,7 @@ export * from "./extension-point";
 export * from "./core-services";
 export * from "./plugin-system";
 export * from "./health-check";
+export * from "./base-strategy-config";
 export * from "./auth-strategy";
 export * from "./zod-config";
 export * from "./encryption";

package/src/rpc.ts

@@ -206,6 +206,23 @@ export const autoAuthMiddleware = os.middleware(
 
     // 5. Skip remaining checks for services - they are trusted
     if (user?.type === "service") {
+      // SECURITY: Check service-level scope restrictions
+      const serviceScope = meta?.serviceScope;
+      if (serviceScope && serviceScope.length > 0) {
+        const isAllowed = serviceScope.some((allowedPattern) => {
+          if (allowedPattern.endsWith("*")) {
+            const prefix = allowedPattern.slice(0, -1);
+            return user.pluginId.startsWith(prefix);
+          }
+          return allowedPattern === user.pluginId;
+        });
+
+        if (!isAllowed) {
+          throw new ORPCError("FORBIDDEN", {
+            message: `Service '${user.pluginId}' is not allowed to call this endpoint`,
+          });
+        }
+      }
       return next({});
     }
 
@@ -483,8 +500,8 @@ async function checkResourceAccessViaS2S({
     });
     return result.hasAccess;
   } catch {
-    // If team access check fails (e.g., service not available), fall back to global access
-    return hasGlobalAccess;
+    // SECURITY: Fail-Closed — deny access when S2S check fails
+    return false;
   }
 }
 
@@ -520,8 +537,8 @@ async function getAccessibleResourceIdsViaS2S({
       hasGlobalAccess,
     });
   } catch {
-    // If team access check fails, fall back to global access behavior
-    return hasGlobalAccess ? resourceIds : [];
+    // SECURITY: Fail-Closed — return empty set when S2S check fails
+    return [];
   }
 }