@checkstack/backend 0.1.0 → 0.2.0

package/CHANGELOG.md

@@ -1,5 +1,89 @@
 # @checkstack/backend
 
+## 0.2.0
+
+### Minor Changes
+
+- 8e43507: # Teams and Resource-Level Access Control
+
+  This release introduces a comprehensive Teams system for organizing users and controlling access to resources at a granular level.
+
+  ## Features
+
+  ### Team Management
+
+  - Create, update, and delete teams with name and description
+  - Add/remove users from teams
+  - Designate team managers with elevated privileges
+  - View team membership and manager status
+
+  ### Resource-Level Access Control
+
+  - Grant teams access to specific resources (systems, health checks, incidents, maintenances)
+  - Configure read-only or manage permissions per team
+  - Resource-level "Team Only" mode that restricts access exclusively to team members
+  - Separate `resourceAccessSettings` table for resource-level settings (not per-grant)
+  - Automatic cleanup of grants when teams are deleted (database cascade)
+
+  ### Middleware Integration
+
+  - Extended `autoAuthMiddleware` to support resource access checks
+  - Single-resource pre-handler validation for detail endpoints
+  - Automatic list filtering for collection endpoints
+  - S2S endpoints for access verification
+
+  ### Frontend Components
+
+  - `TeamsTab` component for managing teams in Auth Settings
+  - `TeamAccessEditor` component for assigning team access to resources
+  - Resource-level "Team Only" toggle in `TeamAccessEditor`
+  - Integration into System, Health Check, Incident, and Maintenance editors
+
+  ## Breaking Changes
+
+  ### API Response Format Changes
+
+  List endpoints now return objects with named keys instead of arrays directly:
+
+  ```typescript
+  // Before
+  const systems = await catalogApi.getSystems();
+
+  // After
+  const { systems } = await catalogApi.getSystems();
+  ```
+
+  Affected endpoints:
+
+  - `catalog.getSystems` → `{ systems: [...] }`
+  - `healthcheck.getConfigurations` → `{ configurations: [...] }`
+  - `incident.listIncidents` → `{ incidents: [...] }`
+  - `maintenance.listMaintenances` → `{ maintenances: [...] }`
+
+  ### User Identity Enrichment
+
+  `RealUser` and `ApplicationUser` types now include `teamIds: string[]` field with team memberships.
+
+  ## Documentation
+
+  See `docs/backend/teams.md` for complete API reference and integration guide.
+
+### Patch Changes
+
+- 97c5a6b: Fix collector lookup when health check is assigned to a system
+
+  Collectors are now stored in the registry with their fully-qualified ID format (ownerPluginId.collectorId) to match how they are referenced in health check configurations. Added `qualifiedId` field to `RegisteredCollector` interface to avoid re-constructing the ID at query time. This fixes the "Collector not found" warning that occurred when executing health checks with assigned systems.
+
+- Updated dependencies [97c5a6b]
+- Updated dependencies [8e43507]
+  - @checkstack/backend-api@0.2.0
+  - @checkstack/auth-common@0.1.0
+  - @checkstack/common@0.1.0
+  - @checkstack/queue-api@0.0.4
+  - @checkstack/signal-backend@0.0.4
+  - @checkstack/api-docs-common@0.0.4
+  - @checkstack/signal-common@0.0.4
+
 ## 0.1.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/backend",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "type": "module",
   "scripts": {
     "dev": "bun --env-file=../../.env --watch src/index.ts",

package/src/plugin-manager/core-services.ts

@@ -177,6 +177,32 @@ export function registerCoreServices({
           return [];
         }
       },
+
+      checkResourceTeamAccess: async (params) => {
+        try {
+          const rpcClient = await registry.get(coreServices.rpcClient, {
+            pluginId: "core",
+          });
+          const authClient = rpcClient.forPlugin(AuthApi);
+          return await authClient.checkResourceTeamAccess(params);
+        } catch {
+          // Fall back to global permission on error
+          return { hasAccess: params.hasGlobalPermission };
+        }
+      },
+
+      getAccessibleResourceIds: async (params) => {
+        try {
+          const rpcClient = await registry.get(coreServices.rpcClient, {
+            pluginId: "core",
+          });
+          const authClient = rpcClient.forPlugin(AuthApi);
+          return await authClient.getAccessibleResourceIds(params);
+        } catch {
+          // Fall back to global permission on error
+          return params.hasGlobalPermission ? params.resourceIds : [];
+        }
+      },
     };
     return authService;
   });

package/src/services/collector-registry.ts

@@ -17,15 +17,15 @@ export class CoreCollectorRegistry {
     collector: CollectorStrategy<TransportClient<unknown, unknown>>,
     ownerPlugin: PluginMetadata
   ): void {
-    if (this.collectors.has(collector.id)) {
+    // Use fully-qualified ID: ownerPluginId.collectorId
+    const qualifiedId = `${ownerPlugin.pluginId}.${collector.id}`;
+    if (this.collectors.has(qualifiedId)) {
       rootLogger.warn(
-        `CollectorStrategy '${collector.id}' is already registered. Overwriting.`
+        `CollectorStrategy '${qualifiedId}' is already registered. Overwriting.`
       );
     }
-    this.collectors.set(collector.id, { collector, ownerPlugin });
-    rootLogger.debug(
-      `✅ Registered CollectorStrategy: ${ownerPlugin.pluginId}.${collector.id}`
-    );
+    this.collectors.set(qualifiedId, { qualifiedId, collector, ownerPlugin });
+    rootLogger.debug(`✅ Registered CollectorStrategy: ${qualifiedId}`);
   }
 
   /**

package/src/test-preload.ts

@@ -60,6 +60,12 @@ mock.module(coreServicesPath, () => ({
       authenticate: async () => {},
       getCredentials: async () => ({ headers: {} }),
       getAnonymousPermissions: async () => [],
+      checkResourceTeamAccess: async () => ({ hasAccess: true }),
+      getAccessibleResourceIds: async ({
+        resourceIds,
+      }: {
+        resourceIds: string[];
+      }) => resourceIds,
     }));
 
     // Register mock fetch factory