@checkstack/backend 0.14.0 → 0.16.0

package/src/services/health-check-registry.test.ts

@@ -8,6 +8,7 @@ import {
   Versioned,
   VersionedAggregated,
   aggregatedCounter,
+  configString,
 } from "@checkstack/backend-api";
 import { createMockLogger } from "@checkstack/test-utils-backend";
 import { z } from "zod";
@@ -80,6 +81,39 @@ describe("CoreHealthCheckRegistry", () => {
       expect(registry.getStrategy(qualifiedId)).toBe(mockStrategy1);
     });
 
+    it("throws at register time when a field is both secret and templatable", () => {
+      const conflictingStrategy: HealthCheckStrategy = {
+        id: "conflicting-strategy",
+        displayName: "Conflicting",
+        description: "Has a field that is both secret and templatable",
+        config: new Versioned({
+          version: 1,
+          schema: z.object({
+            timeout: z.number().default(30_000),
+            token: configString({ "x-secret": true, "x-templatable": true }),
+          }),
+        }),
+        result: new Versioned({
+          version: 1,
+          schema: z.record(z.string(), z.unknown()),
+        }),
+        aggregatedResult: new VersionedAggregated({
+          version: 1,
+          fields: { count: aggregatedCounter({}) },
+        }),
+        createClient: mock(() =>
+          Promise.resolve({
+            client: { exec: async () => ({}) },
+            close: () => {},
+          }),
+        ),
+        mergeResult: mock(() => ({})),
+      };
+      expect(() =>
+        registry.registerWithOwner(conflictingStrategy, mockOwner),
+      ).toThrow(/both/);
+    });
+
     it("should overwrite an existing strategy with the same qualified ID", () => {
       const overwritingStrategy: HealthCheckStrategy = {
         ...mockStrategy1,

package/src/services/health-check-registry.ts

@@ -2,6 +2,7 @@ import type { PluginMetadata } from "@checkstack/common";
 import {
   HealthCheckRegistry,
   HealthCheckStrategy,
+  assertNoSecretTemplatableConflict,
 } from "@checkstack/backend-api";
 import { rootLogger } from "../logger";
 
@@ -30,6 +31,12 @@ export class CoreHealthCheckRegistry {
     ownerPlugin: PluginMetadata,
   ): void {
     const qualifiedId = `${ownerPlugin.pluginId}.${strategy.id}`;
+    // Load-time guard: secret + templatable on one field is a config error
+    // (the two are resolved in separate ordered passes).
+    assertNoSecretTemplatableConflict({
+      schema: strategy.config.schema,
+      schemaName: `strategy:${qualifiedId}`,
+    });
     if (this.strategies.has(qualifiedId)) {
       rootLogger.warn(
         `HealthCheckStrategy '${qualifiedId}' is already registered. Overwriting.`,

package/src/services/service-registry.test.ts

@@ -0,0 +1,60 @@
+import { describe, it, expect } from "bun:test";
+import { createServiceRef } from "@checkstack/backend-api";
+import type { PluginMetadata } from "@checkstack/common";
+import { ServiceRegistry } from "./service-registry";
+
+const metadata: PluginMetadata = { pluginId: "core" };
+
+describe("ServiceRegistry resolution precedence", () => {
+  it("resolves a factory before a plain instance for the same ref", async () => {
+    const ref = createServiceRef<string>("test.svc");
+    const registry = new ServiceRegistry();
+    registry.register(ref, "instance");
+    registry.registerFactory(ref, () => "factory");
+    // get() tries factories first — this is the long-standing behaviour the
+    // dev-auth fix relies on (see below).
+    expect(await registry.get(ref, metadata)).toBe("factory");
+  });
+
+  it("returns the registered instance when no factory exists", async () => {
+    const ref = createServiceRef<string>("test.svc.instance-only");
+    const registry = new ServiceRegistry();
+    registry.register(ref, "instance");
+    expect(await registry.get(ref, metadata)).toBe("instance");
+  });
+
+  // Regression guard (#251): the CHECKSTACK_DEV_AUTH bypass was dead code on
+  // the API path because the production auth FACTORY (registered by
+  // `registerCoreServices`) shadowed a dev auth INSTANCE registered via
+  // `registerService(coreServices.auth, …)` — `get()` resolves factories
+  // before instances, so the dev auth was never returned and every plugin
+  // API request 401ed. The fix registers the dev auth as a FACTORY so it
+  // wins. This test models that exact wiring on the auth ref.
+  it("dev auth registered as a factory overrides a pre-existing production auth factory", async () => {
+    const authRef = createServiceRef<{ kind: string }>("checkstack.auth");
+    const registry = new ServiceRegistry();
+
+    // Production setup: real auth registered as a factory.
+    const prodAuth = { kind: "production" };
+    registry.registerFactory(authRef, () => prodAuth);
+
+    // Sanity: before the dev override, get() returns the production factory.
+    expect((await registry.get(authRef, metadata)).kind).toBe("production");
+
+    // Dev path: register dev auth as a factory (NOT a plain instance).
+    const devAuth = { kind: "dev" };
+    registry.registerFactory(authRef, () => devAuth);
+
+    // The dev auth must now be what get() returns.
+    expect((await registry.get(authRef, metadata)).kind).toBe("dev");
+  });
+
+  it("a dev auth registered as a plain instance is (still) shadowed by a factory — documents why the fix uses a factory", async () => {
+    const authRef = createServiceRef<{ kind: string }>("checkstack.auth.legacy");
+    const registry = new ServiceRegistry();
+    registry.registerFactory(authRef, () => ({ kind: "production" }));
+    // This is the BUGGY shape the fix replaced: an instance is shadowed.
+    registry.register(authRef, { kind: "dev" });
+    expect((await registry.get(authRef, metadata)).kind).toBe("production");
+  });
+});

package/src/utils/plugin-discovery.test.ts

@@ -1,28 +1,53 @@
-import { describe, it, expect, beforeEach, mock } from "bun:test";
+import { describe, it, expect, beforeEach, afterAll, mock } from "bun:test";
 import {
   extractPluginMetadata,
   discoverLocalPlugins,
   syncPluginsToDatabase,
   type PluginMetadata,
 } from "./plugin-discovery";
+import * as realFs from "node:fs";
 import fs from "node:fs";
 import path from "node:path";
 
-// Mock filesystem for testing
+// Mock filesystem for testing.
+//
+// `mock.module("node:fs", …)` is PROCESS-GLOBAL in bun and is NOT undone by
+// `mock.restore()`, so a partial stub would leak the broken module to every
+// fs-using test that sorts after this file (e.g. the scaffold tests that call
+// `mkdtempSync`/`statSync`/`writeFileSync`). Two safeguards:
+//   1. The stub spreads the REAL module and overrides only the three functions
+//      these tests assert on — so even while active, every other fs API works.
+//   2. `afterAll` re-mocks `node:fs` back to the pristine real module, undoing
+//      the override for subsequently-loaded test files.
+// Named exports (namespace) and the default export, captured before mocking.
+const realFsModule: typeof realFs = { ...realFs };
+const realFsDefault = fs;
+
 const mockExistsSync = mock(() => true);
 const mockReadFileSync = mock(() => "{}");
 const mockReaddirSync = mock(() => []);
 
-mock.module("node:fs", () => {
+function mockFsModule() {
   const exports = {
+    ...realFsModule,
     existsSync: mockExistsSync,
     readFileSync: mockReadFileSync,
     readdirSync: mockReaddirSync,
   };
   return {
     ...exports,
-    default: exports,
+    default: { ...realFsDefault, ...exports },
   };
+}
+
+mock.module("node:fs", mockFsModule);
+
+afterAll(() => {
+  // Restore the pristine fs module so later test files don't inherit the stub.
+  mock.module("node:fs", () => ({
+    ...realFsModule,
+    default: realFsDefault,
+  }));
 });
 
 describe("extractPluginMetadata", () => {