@checkstack/backend 0.0.2 → 0.2.0

package/CHANGELOG.md

@@ -1,5 +1,134 @@
 # @checkstack/backend
 
+## 0.2.0
+
+### Minor Changes
+
+- 8e43507: # Teams and Resource-Level Access Control
+
+  This release introduces a comprehensive Teams system for organizing users and controlling access to resources at a granular level.
+
+  ## Features
+
+  ### Team Management
+
+  - Create, update, and delete teams with name and description
+  - Add/remove users from teams
+  - Designate team managers with elevated privileges
+  - View team membership and manager status
+
+  ### Resource-Level Access Control
+
+  - Grant teams access to specific resources (systems, health checks, incidents, maintenances)
+  - Configure read-only or manage permissions per team
+  - Resource-level "Team Only" mode that restricts access exclusively to team members
+  - Separate `resourceAccessSettings` table for resource-level settings (not per-grant)
+  - Automatic cleanup of grants when teams are deleted (database cascade)
+
+  ### Middleware Integration
+
+  - Extended `autoAuthMiddleware` to support resource access checks
+  - Single-resource pre-handler validation for detail endpoints
+  - Automatic list filtering for collection endpoints
+  - S2S endpoints for access verification
+
+  ### Frontend Components
+
+  - `TeamsTab` component for managing teams in Auth Settings
+  - `TeamAccessEditor` component for assigning team access to resources
+  - Resource-level "Team Only" toggle in `TeamAccessEditor`
+  - Integration into System, Health Check, Incident, and Maintenance editors
+
+  ## Breaking Changes
+
+  ### API Response Format Changes
+
+  List endpoints now return objects with named keys instead of arrays directly:
+
+  ```typescript
+  // Before
+  const systems = await catalogApi.getSystems();
+
+  // After
+  const { systems } = await catalogApi.getSystems();
+  ```
+
+  Affected endpoints:
+
+  - `catalog.getSystems` → `{ systems: [...] }`
+  - `healthcheck.getConfigurations` → `{ configurations: [...] }`
+  - `incident.listIncidents` → `{ incidents: [...] }`
+  - `maintenance.listMaintenances` → `{ maintenances: [...] }`
+
+  ### User Identity Enrichment
+
+  `RealUser` and `ApplicationUser` types now include `teamIds: string[]` field with team memberships.
+
+  ## Documentation
+
+  See `docs/backend/teams.md` for complete API reference and integration guide.
+
+### Patch Changes
+
+- 97c5a6b: Fix collector lookup when health check is assigned to a system
+
+  Collectors are now stored in the registry with their fully-qualified ID format (ownerPluginId.collectorId) to match how they are referenced in health check configurations. Added `qualifiedId` field to `RegisteredCollector` interface to avoid re-constructing the ID at query time. This fixes the "Collector not found" warning that occurred when executing health checks with assigned systems.
+
+- Updated dependencies [97c5a6b]
+- Updated dependencies [8e43507]
+  - @checkstack/backend-api@0.2.0
+  - @checkstack/auth-common@0.1.0
+  - @checkstack/common@0.1.0
+  - @checkstack/queue-api@0.0.4
+  - @checkstack/signal-backend@0.0.4
+  - @checkstack/api-docs-common@0.0.4
+  - @checkstack/signal-common@0.0.4
+
+## 0.1.0
+
+### Minor Changes
+
+- f5b1f49: Added collector registry lifecycle cleanup during plugin unloading.
+
+  - Added `unregisterByOwner(pluginId)` to remove collectors owned by unloading plugins
+  - Added `unregisterByMissingStrategies(loadedPluginIds)` for dependency-based pruning
+  - Integrated registry cleanup into `PluginManager.deregisterPlugin()`
+  - Updated `registerCoreServices` to return global registries for lifecycle management
+
+### Patch Changes
+
+- f5b1f49: Added JSONPath assertions for response body validation and fully qualified strategy IDs.
+
+  **JSONPath Assertions:**
+
+  - Added `healthResultJSONPath()` factory in healthcheck-common for fields supporting JSONPath queries
+  - Extended AssertionBuilder with jsonpath field type showing path input (e.g., `$.data.status`)
+  - Added `jsonPath` field to `CollectorAssertionSchema` for persistence
+  - HTTP Request collector body field now supports JSONPath assertions
+
+  **Fully Qualified Strategy IDs:**
+
+  - HealthCheckRegistry now uses scoped factories like CollectorRegistry
+  - Strategies are stored with `pluginId.strategyId` format
+  - Added `getStrategiesWithMeta()` method to HealthCheckRegistry interface
+  - Router returns qualified IDs so frontend can correctly fetch collectors
+
+  **UI Improvements:**
+
+  - Save button disabled when collector configs have invalid required fields
+  - Fixed nested button warning in CollectorList accordion
+
+- Updated dependencies [f5b1f49]
+- Updated dependencies [f5b1f49]
+- Updated dependencies [f5b1f49]
+  - @checkstack/backend-api@0.1.0
+  - @checkstack/common@0.0.3
+  - @checkstack/queue-api@0.0.3
+  - @checkstack/signal-backend@0.0.3
+  - @checkstack/api-docs-common@0.0.3
+  - @checkstack/auth-common@0.0.3
+  - @checkstack/signal-common@0.0.3
+
 ## 0.0.2
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/backend",
-  "version": "0.0.2",
+  "version": "0.2.0",
   "type": "module",
   "scripts": {
     "dev": "bun --env-file=../../.env --watch src/index.ts",

package/src/health-check-plugin-integration.test.ts

@@ -30,10 +30,13 @@ describe("HealthCheck Plugin Integration", () => {
       newResponse: mock(),
     } as never;
 
-    // Define a mock execute function for the strategy
-    const mockExecute = mock(async () => ({ status: "healthy" as const }));
+    // Define a mock createClient function for the strategy
+    const mockCreateClient = mock(async () => ({
+      client: { exec: async () => ({}) },
+      close: () => {},
+    }));
 
-    // 1. Define a mock strategy
+    // 1. Define a mock strategy with createClient pattern
     const mockStrategy: HealthCheckStrategy = {
       id: "test-strategy",
       displayName: "Test Strategy",
@@ -42,11 +45,15 @@ describe("HealthCheck Plugin Integration", () => {
         version: 1,
         schema: z.object({}),
       }),
+      result: new Versioned({
+        version: 1,
+        schema: z.record(z.string(), z.unknown()),
+      }),
       aggregatedResult: new Versioned({
         version: 1,
         schema: z.record(z.string(), z.unknown()),
       }),
-      execute: mockExecute,
+      createClient: mockCreateClient,
       aggregateResult: mock(() => ({})),
     };
 
@@ -88,6 +95,6 @@ describe("HealthCheck Plugin Integration", () => {
     expect(retrieved).toBe(mockStrategy);
     expect(retrieved?.displayName).toBe("Test Strategy");
     expect(retrieved?.id).toBe("test-strategy");
-    expect(retrieved?.execute).toBe(mockExecute);
+    expect(retrieved?.createClient).toBe(mockCreateClient);
   });
 });

package/src/plugin-manager/api-router.ts

@@ -8,13 +8,11 @@ import {
   Logger,
   Fetch,
   HealthCheckRegistry,
+  CollectorRegistry,
   type EmitHookFn,
   type Hook,
 } from "@checkstack/backend-api";
-import type {
-  QueuePluginRegistry,
-  QueueManager,
-} from "@checkstack/queue-api";
+import type { QueuePluginRegistry, QueueManager } from "@checkstack/queue-api";
 import type { ServiceRegistry } from "../services/service-registry";
 import type { EventBus } from "@checkstack/backend-api";
 import type { PluginMetadata } from "@checkstack/common";
@@ -70,6 +68,7 @@ export function createApiRouteHandler({
     const healthCheckRegistry = await getService(
       coreServices.healthCheckRegistry
     );
+    const collectorRegistry = await getService(coreServices.collectorRegistry);
     const queuePluginRegistry = await getService(
       coreServices.queuePluginRegistry
     );
@@ -82,6 +81,7 @@ export function createApiRouteHandler({
       !db ||
       !fetch ||
       !healthCheckRegistry ||
+      !collectorRegistry ||
       !queuePluginRegistry ||
       !queueManager ||
       !eventBus
@@ -111,6 +111,7 @@ export function createApiRouteHandler({
       db: db as NodePgDatabase<Record<string, unknown>>,
       fetch: fetch as Fetch,
       healthCheckRegistry: healthCheckRegistry as HealthCheckRegistry,
+      collectorRegistry: collectorRegistry as CollectorRegistry,
       queuePluginRegistry: queuePluginRegistry as QueuePluginRegistry,
       queueManager: queueManager as QueueManager,
       user,

package/src/plugin-manager/core-services.ts

@@ -16,7 +16,14 @@ import type { ServiceRegistry } from "../services/service-registry";
 import { rootLogger } from "../logger";
 import { db } from "../db";
 import { jwtService } from "../services/jwt";
-import { CoreHealthCheckRegistry } from "../services/health-check-registry";
+import {
+  CoreHealthCheckRegistry,
+  createScopedHealthCheckRegistry,
+} from "../services/health-check-registry";
+import {
+  CoreCollectorRegistry,
+  createScopedCollectorRegistry,
+} from "../services/collector-registry";
 import { EventBus } from "../services/event-bus.js";
 import { getPluginSchemaName } from "@checkstack/drizzle-helper";
 
@@ -34,6 +41,7 @@ async function schemaExists(pool: Pool, schemaName: string): Promise<boolean> {
 /**
  * Registers all core services with the service registry.
  * Extracted from PluginManager for better organization.
+ * Returns the global registries for lifecycle cleanup.
  */
 export function registerCoreServices({
   registry,
@@ -47,7 +55,7 @@ export function registerCoreServices({
   pluginRpcRouters: Map<string, unknown>;
   pluginHttpHandlers: Map<string, (req: Request) => Promise<Response>>;
   pluginContractRegistry: Map<string, unknown>;
-}) {
+}): { collectorRegistry: CoreCollectorRegistry } {
   // 1. Database Factory (Scoped)
   registry.registerFactory(coreServices.database, async (metadata) => {
     const { pluginId, previousPluginIds } = metadata;
@@ -169,6 +177,32 @@ export function registerCoreServices({
           return [];
         }
       },
+
+      checkResourceTeamAccess: async (params) => {
+        try {
+          const rpcClient = await registry.get(coreServices.rpcClient, {
+            pluginId: "core",
+          });
+          const authClient = rpcClient.forPlugin(AuthApi);
+          return await authClient.checkResourceTeamAccess(params);
+        } catch {
+          // Fall back to global permission on error
+          return { hasAccess: params.hasGlobalPermission };
+        }
+      },
+
+      getAccessibleResourceIds: async (params) => {
+        try {
+          const rpcClient = await registry.get(coreServices.rpcClient, {
+            pluginId: "core",
+          });
+          const authClient = rpcClient.forPlugin(AuthApi);
+          return await authClient.getAccessibleResourceIds(params);
+        } catch {
+          // Fall back to global permission on error
+          return params.hasGlobalPermission ? params.resourceIds : [];
+        }
+      },
     };
     return authService;
   });
@@ -258,11 +292,16 @@ export function registerCoreServices({
     return rpcClient;
   });
 
-  // 6. Health Check Registry (Global Singleton)
-  const healthCheckRegistry = new CoreHealthCheckRegistry();
-  registry.registerFactory(
-    coreServices.healthCheckRegistry,
-    () => healthCheckRegistry
+  // 6. Health Check Registry (Scoped Factory - auto-prefixes strategy IDs with pluginId)
+  const globalHealthCheckRegistry = new CoreHealthCheckRegistry();
+  registry.registerFactory(coreServices.healthCheckRegistry, (metadata) =>
+    createScopedHealthCheckRegistry(globalHealthCheckRegistry, metadata)
+  );
+
+  // 6b. Collector Registry (Scoped Factory - injects ownerPlugin automatically)
+  const globalCollectorRegistry = new CoreCollectorRegistry();
+  registry.registerFactory(coreServices.collectorRegistry, (metadata) =>
+    createScopedCollectorRegistry(globalCollectorRegistry, metadata)
   );
 
   // 7. RPC Service (Scoped Factory - uses pluginId for path derivation)
@@ -309,4 +348,7 @@ export function registerCoreServices({
     }
     return eventBusInstance;
   });
+
+  // Return global registries for lifecycle cleanup
+  return { collectorRegistry: globalCollectorRegistry };
 }

package/src/plugin-manager.ts

@@ -1,6 +1,7 @@
 import type { Hono } from "hono";
 import { adminPool, db } from "./db";
 import { ServiceRegistry } from "./services/service-registry";
+import type { CoreCollectorRegistry } from "./services/collector-registry";
 import {
   BackendPlugin,
   ServiceRef,
@@ -46,14 +47,18 @@ export class PluginManager {
   // Hook subscriptions per plugin (for bulk unsubscribe)
   private hookSubscriptions = new Map<string, HookUnsubscribe[]>();
 
+  // Global collector registry reference for cleanup
+  private collectorRegistry: CoreCollectorRegistry;
+
   constructor() {
-    registerCoreServices({
+    const registries = registerCoreServices({
       registry: this.registry,
       adminPool,
       pluginRpcRouters: this.pluginRpcRouters,
       pluginHttpHandlers: this.pluginHttpHandlers,
       pluginContractRegistry: this.pluginContractRegistry,
     });
+    this.collectorRegistry = registries.collectorRegistry;
   }
 
   registerExtensionPoint<T>(ref: ExtensionPoint<T>, impl: T) {
@@ -163,6 +168,16 @@ export class PluginManager {
     this.pluginContractRegistry.delete(pluginId);
     rootLogger.debug(`   -> Removed routers and contracts for ${pluginId}`);
 
+    // 4b. Cleanup collectors
+    // - Remove collectors owned by this plugin
+    this.collectorRegistry.unregisterByOwner(pluginId);
+    // - Remove collectors that have no loaded strategy plugins
+    //   (exclude the current plugin being deregistered)
+    const loadedPluginIds = new Set(
+      [...this.pluginMetadataRegistry.keys()].filter((id) => id !== pluginId)
+    );
+    this.collectorRegistry.unregisterByMissingStrategies(loadedPluginIds);
+
     // 5. Remove permissions from registry
     const beforeCount = this.registeredPermissions.length;
     this.registeredPermissions = this.registeredPermissions.filter(

package/src/services/collector-registry.ts

@@ -0,0 +1,115 @@
+import type { PluginMetadata } from "@checkstack/common";
+import type {
+  CollectorStrategy,
+  TransportClient,
+  RegisteredCollector,
+} from "@checkstack/backend-api";
+import { rootLogger } from "../logger";
+
+/**
+ * Core implementation of the CollectorRegistry storage.
+ * This is the global singleton that stores all collectors.
+ */
+export class CoreCollectorRegistry {
+  private collectors = new Map<string, RegisteredCollector>();
+
+  registerWithOwner(
+    collector: CollectorStrategy<TransportClient<unknown, unknown>>,
+    ownerPlugin: PluginMetadata
+  ): void {
+    // Use fully-qualified ID: ownerPluginId.collectorId
+    const qualifiedId = `${ownerPlugin.pluginId}.${collector.id}`;
+    if (this.collectors.has(qualifiedId)) {
+      rootLogger.warn(
+        `CollectorStrategy '${qualifiedId}' is already registered. Overwriting.`
+      );
+    }
+    this.collectors.set(qualifiedId, { qualifiedId, collector, ownerPlugin });
+    rootLogger.debug(`✅ Registered CollectorStrategy: ${qualifiedId}`);
+  }
+
+  /**
+   * Unregister all collectors owned by a specific plugin.
+   * Called when the collector-providing plugin is unloaded.
+   */
+  unregisterByOwner(ownerPluginId: string): void {
+    const toRemove: string[] = [];
+    for (const [id, entry] of this.collectors) {
+      if (entry.ownerPlugin.pluginId === ownerPluginId) {
+        toRemove.push(id);
+      }
+    }
+    for (const id of toRemove) {
+      this.collectors.delete(id);
+      rootLogger.debug(
+        `🗑️ Unregistered CollectorStrategy: ${id} (owner plugin unloaded)`
+      );
+    }
+  }
+
+  /**
+   * Remove collectors that no longer have any supported strategies loaded.
+   * Called when a healthcheck strategy plugin is unloaded.
+   * @param loadedStrategyPluginIds - Set of plugin IDs that are still loaded
+   */
+  unregisterByMissingStrategies(loadedStrategyPluginIds: Set<string>): void {
+    const toRemove: string[] = [];
+    for (const [id, entry] of this.collectors) {
+      // Check if ANY of the collector's supported plugins are still loaded
+      const hasLoadedStrategy = entry.collector.supportedPlugins.some((p) =>
+        loadedStrategyPluginIds.has(p.pluginId)
+      );
+      // If none of the supported plugins are loaded, mark for removal
+      if (!hasLoadedStrategy) {
+        toRemove.push(id);
+      }
+    }
+    for (const id of toRemove) {
+      this.collectors.delete(id);
+      rootLogger.debug(
+        `🗑️ Unregistered CollectorStrategy: ${id} (no supported strategies loaded)`
+      );
+    }
+  }
+
+  getCollector(id: string): RegisteredCollector | undefined {
+    return this.collectors.get(id);
+  }
+
+  getCollectorsForPlugin(
+    pluginMetadata: PluginMetadata
+  ): RegisteredCollector[] {
+    return [...this.collectors.values()].filter((entry) =>
+      entry.collector.supportedPlugins.some(
+        (p) => p.pluginId === pluginMetadata.pluginId
+      )
+    );
+  }
+
+  getCollectors(): RegisteredCollector[] {
+    return [...this.collectors.values()];
+  }
+}
+
+/**
+ * Creates a scoped CollectorRegistry that auto-injects owning plugin metadata.
+ */
+export function createScopedCollectorRegistry(
+  globalRegistry: CoreCollectorRegistry,
+  ownerPlugin: PluginMetadata
+) {
+  return {
+    register(collector: CollectorStrategy<TransportClient<unknown, unknown>>) {
+      globalRegistry.registerWithOwner(collector, ownerPlugin);
+    },
+    getCollector(id: string) {
+      return globalRegistry.getCollector(id);
+    },
+    getCollectorsForPlugin(pluginMetadata: PluginMetadata) {
+      return globalRegistry.getCollectorsForPlugin(pluginMetadata);
+    },
+    getCollectors() {
+      return globalRegistry.getCollectors();
+    },
+  };
+}

package/src/services/health-check-registry.test.ts

@@ -1,8 +1,12 @@
 import { describe, it, expect, beforeEach, mock } from "bun:test";
-import { CoreHealthCheckRegistry } from "./health-check-registry";
+import {
+  CoreHealthCheckRegistry,
+  createScopedHealthCheckRegistry,
+} from "./health-check-registry";
 import { HealthCheckStrategy, Versioned } from "@checkstack/backend-api";
 import { createMockLogger } from "@checkstack/test-utils-backend";
 import { z } from "zod";
+import type { PluginMetadata } from "@checkstack/common";
 
 // Mock logger
 const mockLogger = createMockLogger();
@@ -13,6 +17,8 @@ mock.module("../logger", () => ({
 describe("CoreHealthCheckRegistry", () => {
   let registry: CoreHealthCheckRegistry;
 
+  const mockOwner: PluginMetadata = { pluginId: "test-plugin" };
+
   const mockStrategy1: HealthCheckStrategy = {
     id: "test-strategy-1",
     displayName: "Test Strategy 1",
@@ -21,11 +27,17 @@ describe("CoreHealthCheckRegistry", () => {
       version: 1,
       schema: z.object({}),
     }),
+    result: new Versioned({
+      version: 1,
+      schema: z.record(z.string(), z.unknown()),
+    }),
     aggregatedResult: new Versioned({
       version: 1,
       schema: z.record(z.string(), z.unknown()),
     }),
-    execute: mock(() => Promise.resolve({ status: "healthy" as const })),
+    createClient: mock(() =>
+      Promise.resolve({ client: { exec: async () => ({}) }, close: () => {} })
+    ),
     aggregateResult: mock(() => ({})),
   };
 
@@ -37,12 +49,16 @@ describe("CoreHealthCheckRegistry", () => {
       version: 1,
       schema: z.object({}),
     }),
+    result: new Versioned({
+      version: 1,
+      schema: z.record(z.string(), z.unknown()),
+    }),
     aggregatedResult: new Versioned({
       version: 1,
       schema: z.record(z.string(), z.unknown()),
     }),
-    execute: mock(() =>
-      Promise.resolve({ status: "unhealthy" as const, message: "Failed" })
+    createClient: mock(() =>
+      Promise.resolve({ client: { exec: async () => ({}) }, close: () => {} })
     ),
     aggregateResult: mock(() => ({})),
   };
@@ -51,31 +67,33 @@ describe("CoreHealthCheckRegistry", () => {
     registry = new CoreHealthCheckRegistry();
   });
 
-  describe("register", () => {
-    it("should register a new health check strategy", () => {
-      registry.register(mockStrategy1);
-      expect(registry.getStrategy(mockStrategy1.id)).toBe(mockStrategy1);
+  describe("registerWithOwner", () => {
+    it("should register a new health check strategy with qualified ID", () => {
+      registry.registerWithOwner(mockStrategy1, mockOwner);
+      // Should be stored with qualified ID: ownerPluginId.strategyId
+      const qualifiedId = `${mockOwner.pluginId}.${mockStrategy1.id}`;
+      expect(registry.getStrategy(qualifiedId)).toBe(mockStrategy1);
     });
 
-    it("should overwrite an existing strategy with the same ID", () => {
-      const overwritingStrategy: HealthCheckStrategy<any> = {
+    it("should overwrite an existing strategy with the same qualified ID", () => {
+      const overwritingStrategy: HealthCheckStrategy = {
         ...mockStrategy1,
         displayName: "New Name",
       };
-      registry.register(mockStrategy1);
-      registry.register(overwritingStrategy);
+      registry.registerWithOwner(mockStrategy1, mockOwner);
+      registry.registerWithOwner(overwritingStrategy, mockOwner);
 
-      expect(registry.getStrategy(mockStrategy1.id)).toBe(overwritingStrategy);
-      expect(registry.getStrategy(mockStrategy1.id)?.displayName).toBe(
-        "New Name"
-      );
+      const qualifiedId = `${mockOwner.pluginId}.${mockStrategy1.id}`;
+      expect(registry.getStrategy(qualifiedId)).toBe(overwritingStrategy);
+      expect(registry.getStrategy(qualifiedId)?.displayName).toBe("New Name");
     });
   });
 
-  describe("getStrategySection", () => {
+  describe("getStrategy", () => {
     it("should return the strategy if it exists", () => {
-      registry.register(mockStrategy1);
-      expect(registry.getStrategy(mockStrategy1.id)).toBe(mockStrategy1);
+      registry.registerWithOwner(mockStrategy1, mockOwner);
+      const qualifiedId = `${mockOwner.pluginId}.${mockStrategy1.id}`;
+      expect(registry.getStrategy(qualifiedId)).toBe(mockStrategy1);
     });
 
     it("should return undefined if the strategy does not exist", () => {
@@ -85,8 +103,8 @@ describe("CoreHealthCheckRegistry", () => {
 
   describe("getStrategies", () => {
     it("should return all registered strategies", () => {
-      registry.register(mockStrategy1);
-      registry.register(mockStrategy2);
+      registry.registerWithOwner(mockStrategy1, mockOwner);
+      registry.registerWithOwner(mockStrategy2, mockOwner);
 
       const strategies = registry.getStrategies();
       expect(strategies).toHaveLength(2);
@@ -98,4 +116,27 @@ describe("CoreHealthCheckRegistry", () => {
       expect(registry.getStrategies()).toEqual([]);
     });
   });
+
+  describe("createScopedHealthCheckRegistry", () => {
+    it("should auto-qualify strategy IDs on register", () => {
+      const scoped = createScopedHealthCheckRegistry(registry, mockOwner);
+      scoped.register(mockStrategy1);
+
+      // The scoped registry should auto-prefix with pluginId
+      const qualifiedId = `${mockOwner.pluginId}.${mockStrategy1.id}`;
+      expect(registry.getStrategy(qualifiedId)).toBe(mockStrategy1);
+    });
+
+    it("should lookup strategies by both qualified and unqualified ID", () => {
+      const scoped = createScopedHealthCheckRegistry(registry, mockOwner);
+      scoped.register(mockStrategy1);
+
+      // Should be able to lookup by unqualified ID in scoped registry
+      expect(scoped.getStrategy(mockStrategy1.id)).toBe(mockStrategy1);
+
+      // Should also work with qualified ID
+      const qualifiedId = `${mockOwner.pluginId}.${mockStrategy1.id}`;
+      expect(scoped.getStrategy(qualifiedId)).toBe(mockStrategy1);
+    });
+  });
 });

package/src/services/health-check-registry.ts

@@ -1,27 +1,98 @@
+import type { PluginMetadata } from "@checkstack/common";
 import {
   HealthCheckRegistry,
   HealthCheckStrategy,
 } from "@checkstack/backend-api";
 import { rootLogger } from "../logger";
 
-export class CoreHealthCheckRegistry implements HealthCheckRegistry {
-  private strategies = new Map<string, HealthCheckStrategy>();
+/**
+ * Registered strategy with its fully qualified ID and owner info.
+ */
+interface RegisteredStrategy {
+  strategy: HealthCheckStrategy;
+  ownerPlugin: PluginMetadata;
+  qualifiedId: string;
+}
+
+/**
+ * Core implementation of the HealthCheckRegistry storage.
+ * This is the global singleton that stores all strategies with fully qualified IDs.
+ */
+export class CoreHealthCheckRegistry {
+  private strategies = new Map<string, RegisteredStrategy>();
 
-  register(strategy: HealthCheckStrategy) {
-    if (this.strategies.has(strategy.id)) {
+  /**
+   * Register a strategy with its owning plugin.
+   * The strategy ID is stored as: ownerPluginId.strategyId
+   */
+  registerWithOwner(
+    strategy: HealthCheckStrategy,
+    ownerPlugin: PluginMetadata
+  ): void {
+    const qualifiedId = `${ownerPlugin.pluginId}.${strategy.id}`;
+    if (this.strategies.has(qualifiedId)) {
       rootLogger.warn(
-        `HealthCheckStrategy '${strategy.id}' is already registered. Overwriting.`
+        `HealthCheckStrategy '${qualifiedId}' is already registered. Overwriting.`
       );
     }
-    this.strategies.set(strategy.id, strategy);
-    rootLogger.debug(`✅ Registered HealthCheckStrategy: ${strategy.id}`);
+    this.strategies.set(qualifiedId, { strategy, ownerPlugin, qualifiedId });
+    rootLogger.debug(`✅ Registered HealthCheckStrategy: ${qualifiedId}`);
   }
 
-  getStrategy(id: string) {
-    return this.strategies.get(id);
+  getStrategy(qualifiedId: string) {
+    return this.strategies.get(qualifiedId)?.strategy;
   }
 
   getStrategies() {
-    return [...this.strategies.values()];
+    return [...this.strategies.values()].map((r) => r.strategy);
   }
+
+  /**
+   * Get the owner plugin ID for a strategy.
+   */
+  getOwnerPluginId(qualifiedId: string): string | undefined {
+    return this.strategies.get(qualifiedId)?.ownerPlugin.pluginId;
+  }
+
+  /**
+   * Get all registered strategies with their metadata.
+   */
+  getStrategiesWithMeta(): Array<{
+    strategy: HealthCheckStrategy;
+    ownerPluginId: string;
+    qualifiedId: string;
+  }> {
+    return [...this.strategies.values()].map((r) => ({
+      strategy: r.strategy,
+      ownerPluginId: r.ownerPlugin.pluginId,
+      qualifiedId: r.qualifiedId,
+    }));
+  }
+}
+
+/**
+ * Creates a scoped HealthCheckRegistry that auto-prefixes strategy IDs with plugin ID.
+ */
+export function createScopedHealthCheckRegistry(
+  globalRegistry: CoreHealthCheckRegistry,
+  ownerPlugin: PluginMetadata
+): HealthCheckRegistry {
+  return {
+    register(strategy: HealthCheckStrategy) {
+      globalRegistry.registerWithOwner(strategy, ownerPlugin);
+    },
+    getStrategy(id: string) {
+      // Support both qualified and unqualified lookups
+      return (
+        globalRegistry.getStrategy(id) ||
+        globalRegistry.getStrategy(`${ownerPlugin.pluginId}.${id}`)
+      );
+    },
+    getStrategies() {
+      return globalRegistry.getStrategies();
+    },
+    getStrategiesWithMeta() {
+      return globalRegistry.getStrategiesWithMeta();
+    },
+  };
 }

package/src/test-preload.ts

@@ -60,6 +60,12 @@ mock.module(coreServicesPath, () => ({
       authenticate: async () => {},
       getCredentials: async () => ({ headers: {} }),
       getAnonymousPermissions: async () => [],
+      checkResourceTeamAccess: async () => ({ hasAccess: true }),
+      getAccessibleResourceIds: async ({
+        resourceIds,
+      }: {
+        resourceIds: string[];
+      }) => resourceIds,
     }));
 
     // Register mock fetch factory
@@ -110,5 +116,20 @@ mock.module(coreServicesPath, () => ({
       // eslint-disable-next-line unicorn/consistent-function-scoping
       subscribe: async () => () => {},
     }));
+
+    // Return the registries object to match actual function signature
+    // Create a mock collector registry
+    const collectors = new Map<string, unknown>();
+    return {
+      collectorRegistry: {
+        register: (collector: { id: string }) => {
+          collectors.set(collector.id, collector);
+        },
+        getCollector: (id: string) => collectors.get(id),
+        getAllCollectors: () => [...collectors.values()],
+        unregisterByOwner: () => {},
+        unregisterByMissingStrategies: () => {},
+      },
+    };
   },
 }));