@checkstack/backend 0.10.0 → 0.10.2

package/CHANGELOG.md

@@ -1,5 +1,90 @@
 # @checkstack/backend
 
+## 0.10.2
+
+### Patch Changes
+
+- a06b899: Dead-code audit cleanup and a small platform of shared notification helpers.
+
+  **Removed (dead code)**
+
+  - `core/backend/src/plugin-manager/deregistration-guard.ts` deleted. The exported `assertCanDeregister()` was never called and was a less-complete version of the dependents+isUninstallable checks already done inline by `previewUninstallOriginator` / `uninstallOriginator` in `plugin-manager-orchestrator.ts`.
+  - `createMockQueueFactory` deprecated alias removed from `@checkstack/test-utils-backend`. Use `createMockQueueManager` directly.
+
+  **New shared helpers**
+
+  - `@checkstack/backend-api` now exports `requestTimeoutMs()` — a Zod field builder for outbound HTTP request timeouts (1s..60s, default 10s). Replaces hand-rolled `configNumber({}).min(1000).max(60_000).default(10_000)` in `integration-webhook-backend`, `integration-script-backend`, and `healthcheck-script-backend`'s inline collector.
+  - `@checkstack/notification-common` now exports `SubjectStatusSchema` / `SubjectStatus`, mirroring the existing `ImportanceSchema`.
+  - `@checkstack/notification-backend` now exports:
+    - `SUBJECT_STATUS_EMOJI` / `IMPORTANCE_EMOJI` — the shared status / importance emoji maps that Discord, Slack, Teams, Webex and Telegram previously each redefined inline.
+    - `postJson(opts)` — a timeout-bounded `fetch` wrapper that handles non-2xx logging and error mapping for webhook-style POSTs. Returns `{ ok: true, response } | { ok: false, error }`.
+
+  **Migrated to shared helpers**
+
+  - Discord, Slack, Gotify, Pushover notification backends now use `postJson`. Outer try/catch + per-plugin error mapping deleted (~140 LOC).
+  - Discord, Slack, Teams, Telegram, Webex notification backends now use `IMPORTANCE_EMOJI`. Discord, Slack, Teams use `SUBJECT_STATUS_EMOJI`.
+  - Teams, Webex, Backstage, Telegram kept their inline fetch/Bot logic: their error strings surface server response bodies to operators, or the transport isn't raw `fetch` (Telegram uses `grammy`'s `Bot`).
+
+  **API surface tightening**
+
+  - Per-plugin test-only re-exports in 6 notification backends (Pushover, Gotify, Backstage, Slack, Discord, Teams) and the `CertificateInfo` interface in `healthcheck-tls-backend/strategy.ts` are now JSDoc-tagged `@internal`. No behaviour change; signals that downstream consumers must not depend on them.
+
+- Updated dependencies [a06b899]
+- Updated dependencies [a06b899]
+  - @checkstack/backend-api@0.16.0
+  - @checkstack/cache-api@0.3.3
+  - @checkstack/queue-api@0.3.3
+  - @checkstack/signal-backend@0.2.7
+
+## 0.10.1
+
+### Patch Changes
+
+- 1909a61: Address open CodeQL code-scanning findings:
+
+  - **`@checkstack/ui` (`LinksEditor`)**: validate URL scheme on render and on
+    add; only `http:` / `https:` URLs are accepted, defeating stored XSS via
+    `javascript:` / `data:` schemes in user-supplied hotlinks
+    (`js/xss-through-dom`).
+  - **`@checkstack/backend-api` (`markdownToPlainText`)**: decode HTML entities
+    before stripping tags, then strip tags in a loop until the output
+    stabilizes. Decoding `&` last avoids reintroducing tag delimiters
+    via `<` round-trips (`js/double-escaping`,
+    `js/incomplete-multi-character-sanitization`).
+  - **`@checkstack/backend` (`createScopedWsRegistry`)**: drop the
+    identity-replacement on the path suffix; the leading-slash invariant
+    is documented on `WebSocketRouteRegistry` (`js/identity-replacement`).
+
+- b33fb4d: Refresh `bun.lock` to clear MEDIUM-severity Trivy advisories on transitive
+  runtime dependencies. No public API change — bumping every workspace
+  package that lists `@orpc/server` as a direct dep so consumers re-resolve
+  the optional `ws` peer to the patched release on their next install.
+
+  - `ws` `8.20.0` → `8.20.1` (CVE-2026-45736). Pulled into the install tree
+    as `@orpc/server`'s optional WebSocket peer; Bun auto-installs it into
+    every backend package that depends on `@orpc/server`, so a stale 8.20.0
+    ships in the consumer's `node_modules` until the parent package
+    re-resolves.
+  - `brace-expansion` `5.0.5` → `5.0.6` (CVE-2026-45149). Pulled in only
+    through dev tooling (`minimatch@10` via `@typescript-eslint` and
+    `storybook`'s `glob@13`), so it does not ship to consumers and no
+    workspace `package.json` lists it; the lockfile bump alone clears the
+    finding for the Docker image and the local dev tree. No version bump
+    is attributed to this advisory.
+
+  The fix lives entirely in `bun.lock` — no `package.json`, `overrides`, or
+  `resolutions` change is needed because both parent ranges (`minimatch@10
+→ brace-expansion@^5.0.5`, `@orpc/server / storybook / happy-dom →
+ws@>=8.18.x`) already accept the patched releases, and `bun install`
+  keeps the resolved versions sticky after the initial `bun update`.
+
+- Updated dependencies [1909a61]
+- Updated dependencies [b33fb4d]
+  - @checkstack/backend-api@0.15.3
+  - @checkstack/cache-api@0.3.2
+  - @checkstack/queue-api@0.3.2
+  - @checkstack/signal-backend@0.2.6
+
 ## 0.10.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/backend",
-  "version": "0.10.0",
+  "version": "0.10.2",
   "license": "Elastic-2.0",
   "checkstack": {
     "type": "backend"
@@ -14,16 +14,16 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/api-docs-common": "0.1.12",
-    "@checkstack/auth-common": "0.6.6",
-    "@checkstack/backend-api": "0.15.1",
-    "@checkstack/common": "0.9.0",
+    "@checkstack/api-docs-common": "0.1.13",
+    "@checkstack/auth-common": "0.7.0",
+    "@checkstack/backend-api": "0.15.3",
+    "@checkstack/common": "0.10.0",
     "@checkstack/drizzle-helper": "0.0.5",
-    "@checkstack/cache-api": "0.3.0",
-    "@checkstack/queue-api": "0.3.0",
-    "@checkstack/signal-backend": "0.2.4",
-    "@checkstack/signal-common": "0.2.2",
-    "@checkstack/pluginmanager-common": "0.2.1",
+    "@checkstack/cache-api": "0.3.2",
+    "@checkstack/queue-api": "0.3.2",
+    "@checkstack/signal-backend": "0.2.6",
+    "@checkstack/signal-common": "0.2.3",
+    "@checkstack/pluginmanager-common": "0.2.2",
     "@hono/zod-validator": "^0.7.6",
     "@orpc/client": "^1.13.14",
     "@orpc/contract": "^1.13.14",
@@ -45,8 +45,8 @@
     "@types/bun": "latest",
     "@types/semver": "^7.5.0",
     "@checkstack/tsconfig": "0.0.7",
-    "@checkstack/scripts": "0.3.1",
-    "@checkstack/test-utils-backend": "0.1.25",
+    "@checkstack/scripts": "0.3.2",
+    "@checkstack/test-utils-backend": "0.1.27",
     "drizzle-kit": "^0.31.10"
   }
 }

package/src/services/ws-route-registry.ts

@@ -37,8 +37,9 @@ export function createScopedWsRegistry(
 ): WebSocketRouteRegistry {
   return {
     register(path: string, handler: WebSocketRouteHandler): void {
-      // Normalize: "/" maps to just the pluginId, "/foo" maps to "pluginId/foo"
-      const suffix = path === "/" ? "" : path.replace(/^\//, "/");
+      // Normalize: "/" maps to just the pluginId, "/foo" maps to "pluginId/foo".
+      // Paths are documented to start with `/` (see WebSocketRouteRegistry).
+      const suffix = path === "/" ? "" : path;
       const fullPath = `${pluginId}${suffix}`;
       store.registerHandler(fullPath, handler);
     },

package/src/plugin-manager/deregistration-guard.ts

@@ -1,41 +0,0 @@
-import { eq } from "drizzle-orm";
-import { SafeDatabase } from "@checkstack/backend-api";
-import { ORPCError } from "@orpc/server";
-import { plugins } from "../schema";
-
-/**
- * Validates that a plugin can be deregistered.
- * throws ORPCError if the plugin is not uninstallable or has dependents.
- */
-export async function assertCanDeregister({
-  pluginId,
-  db,
-}: {
-  pluginId: string;
-  db: SafeDatabase<Record<string, unknown>>;
-}): Promise<void> {
-  // 1. Check if plugin exists
-  const pluginRows = await db
-    .select()
-    .from(plugins)
-    .where(eq(plugins.name, pluginId));
-
-  if (pluginRows.length === 0) {
-    throw new ORPCError("NOT_FOUND", {
-      message: `Plugin "${pluginId}" not found`,
-    });
-  }
-
-  const plugin = pluginRows[0];
-
-  // 2. Check isUninstallable flag
-  if (!plugin.isUninstallable) {
-    throw new ORPCError("FORBIDDEN", {
-      message: `Plugin "${pluginId}" is a core platform component and cannot be uninstalled`,
-    });
-  }
-
-  // 3. TODO: Check for dependent plugins (consumers of this plugin's services)
-  // This would require tracking service dependencies at runtime
-  // For now, we skip this check and let the deregistration proceed
-}