@checkstack/backend 0.4.13 → 0.4.15

package/CHANGELOG.md

@@ -1,5 +1,44 @@
 # @checkstack/backend
 
+## 0.4.15
+
+### Patch Changes
+
+- 4d59cc7: Prune devDependencies and development-only source folders (like `core/scripts` and `test-utils-*`) from the production Docker image to reduce size and improve security.
+- b839ccb: Security: Hardened production Docker image by upgrading Alpine system libraries, migrating to Drizzle beta (v1.0.0-beta.21), and implementing aggressive binary pruning to eliminate vulnerable build-time tools (esbuild/drizzle-kit).
+- Updated dependencies [67158e2]
+  - @checkstack/api-docs-common@0.1.8
+  - @checkstack/auth-common@0.5.7
+  - @checkstack/backend-api@0.8.2
+  - @checkstack/common@0.6.4
+  - @checkstack/drizzle-helper@0.0.4
+  - @checkstack/queue-api@0.2.7
+  - @checkstack/signal-backend@0.1.13
+  - @checkstack/signal-common@0.1.8
+
+## 0.4.14
+
+### Patch Changes
+
+- 0ebbe56: Security Vulnerability Remediation completed:
+  - Refactored core authorization to Fail-Closed architecture with secure defaults.
+  - Implemented `assertTeamManagementAccess` to resolve BOLA in Teams Management.
+  - Protected internal S2S capabilities via explicit wildcard `serviceScope` definitions.
+  - Disarmed OS Command Injection in DiskCollector via strict regex validation and bash escaping.
+  - Re-architected inline script processing executing scripts in sandboxed Web Worker contexts.
+  - Isolated subprocess environment scopes in PingStrategy limiting variable leakage.
+  - Enforced strict token/API Key parsing with URLSearchParams checking.
+  - Explicitly fail-fast on missing DATABASE_URL configuration across independent backend clusters.
+  - Activated strict HTTP Security Headers (HSTS, CSP, X-Frame-Options) across the API automatically.
+- Updated dependencies [0ebbe56]
+  - @checkstack/auth-common@0.5.6
+  - @checkstack/backend-api@0.8.1
+  - @checkstack/common@0.6.3
+  - @checkstack/queue-api@0.2.6
+  - @checkstack/signal-backend@0.1.12
+  - @checkstack/api-docs-common@0.1.7
+  - @checkstack/signal-common@0.1.7
+
 ## 0.4.13
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,9 @@
 {
   "name": "@checkstack/backend",
-  "version": "0.4.13",
+  "version": "0.4.15",
+  "checkstack": {
+    "type": "backend"
+  },
   "type": "module",
   "scripts": {
     "dev": "bun --env-file=../../.env --watch src/index.ts",
@@ -10,33 +13,33 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/api-docs-common": "0.1.6",
-    "@checkstack/auth-common": "0.5.5",
-    "@checkstack/backend-api": "0.7.0",
-    "@checkstack/common": "0.6.2",
+    "@checkstack/api-docs-common": "0.1.7",
+    "@checkstack/auth-common": "0.5.6",
+    "@checkstack/backend-api": "0.8.1",
+    "@checkstack/common": "0.6.3",
     "@checkstack/drizzle-helper": "0.0.3",
-    "@checkstack/queue-api": "0.2.4",
-    "@checkstack/signal-backend": "0.1.10",
-    "@checkstack/signal-common": "0.1.6",
+    "@checkstack/queue-api": "0.2.6",
+    "@checkstack/signal-backend": "0.1.12",
+    "@checkstack/signal-common": "0.1.7",
     "@hono/zod-validator": "^0.7.6",
-    "@orpc/client": "^1.13.2",
+    "@orpc/client": "^1.13.14",
+    "@orpc/contract": "^1.13.14",
     "@orpc/openapi": "^1.13.2",
     "@orpc/server": "^1.13.2",
     "@orpc/zod": "^1.13.2",
     "better-auth": "^1.4.7",
-    "drizzle-orm": "^0.45.1",
-    "hono": "^4.0.0",
+    "drizzle-orm": "^0.45.0",
+    "hono": "^4.12.14",
     "jose": "^6.1.3",
     "pg": "^8.11.0",
     "winston": "^3.19.0",
     "zod": "^4.2.1"
   },
   "devDependencies": {
-    "drizzle-kit": "^0.31.8",
     "@types/pg": "^8.11.0",
     "@types/bun": "latest",
     "@checkstack/tsconfig": "0.0.3",
     "@checkstack/scripts": "0.1.1",
-    "@checkstack/test-utils-backend": "0.1.10"
+    "@checkstack/test-utils-backend": "0.1.12"
   }
 }

package/src/db.ts

@@ -17,4 +17,4 @@ export const adminPool = new Pool({
   connectionString,
 });
 
-export const db = drizzle(adminPool, { schema });
+export const db = drizzle({ client: adminPool, schema });

package/src/index.ts

@@ -60,6 +60,15 @@ app.use(
 );
 app.use("*", logger());
 
+// SECURITY: Add missing standard security headers across all API responses
+app.use("/api/*", async (c, next) => {
+  await next();
+  c.res.headers.set("X-Content-Type-Options", "nosniff");
+  c.res.headers.set("X-Frame-Options", "DENY");
+  c.res.headers.set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'");
+  c.res.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+});
+
 // Runtime config endpoint - returns BASE_URL for frontend
 app.get("/api/config", (c) => {
   const baseUrl = process.env.BASE_URL || "http://localhost:3000";

package/src/plugin-manager/core-services.ts

@@ -176,9 +176,12 @@ export function registerCoreServices({
           });
           const authClient = rpcClient.forPlugin(AuthApi);
           return await authClient.checkResourceTeamAccess(params);
-        } catch {
-          // Fall back to global access on error
-          return { hasAccess: params.hasGlobalAccess };
+        } catch (error) {
+          // SECURITY: Fail-Closed — deny access when auth service is unavailable
+          rootLogger.error(
+            `[auth] checkResourceTeamAccess: S2S call failed for resource ${params.resourceType}:${params.resourceId}. Denying access (Fail-Closed). Error: ${error}`,
+          );
+          return { hasAccess: false };
         }
       },
 
@@ -189,9 +192,12 @@ export function registerCoreServices({
           });
           const authClient = rpcClient.forPlugin(AuthApi);
           return await authClient.getAccessibleResourceIds(params);
-        } catch {
-          // Fall back to global access on error
-          return params.hasGlobalAccess ? params.resourceIds : [];
+        } catch (error) {
+          // SECURITY: Fail-Closed — return empty set when auth service is unavailable
+          rootLogger.error(
+            `[auth] getAccessibleResourceIds: S2S call failed for resource type ${params.resourceType}. Denying access (Fail-Closed). Error: ${error}`,
+          );
+          return [];
         }
       },
     };

package/src/utils/plugin-discovery.test.ts

@@ -38,6 +38,7 @@ describe("extractPluginMetadata", () => {
         name: "@checkstack/test-backend",
         version: "0.0.1",
         type: "module",
+        checkstack: { type: "backend" },
       })
     );
 
@@ -57,6 +58,7 @@ describe("extractPluginMetadata", () => {
     mockReadFileSync.mockReturnValue(
       JSON.stringify({
         name: "@checkstack/test-frontend",
+        checkstack: { type: "frontend" },
       })
     );
 
@@ -71,6 +73,7 @@ describe("extractPluginMetadata", () => {
     mockReadFileSync.mockReturnValue(
       JSON.stringify({
         name: "@checkstack/test-common",
+        checkstack: { type: "common" },
       })
     );
 
@@ -159,13 +162,13 @@ describe("discoverLocalPlugins", () => {
     // Mock package.json reads
     mockReadFileSync.mockImplementation(((filePath: string) => {
       if (filePath.includes("auth-backend")) {
-        return JSON.stringify({ name: "@checkstack/auth-backend" });
+        return JSON.stringify({ name: "@checkstack/auth-backend", checkstack: { type: "backend" } });
       }
       if (filePath.includes("catalog-backend")) {
-        return JSON.stringify({ name: "@checkstack/catalog-backend" });
+        return JSON.stringify({ name: "@checkstack/catalog-backend", checkstack: { type: "backend" } });
       }
       if (filePath.includes("invalid-plugin")) {
-        return JSON.stringify({ name: "@checkstack/invalid-plugin" });
+        return JSON.stringify({ name: "@checkstack/invalid-plugin" }); // Missing block
       }
       return "{}";
     }) as typeof mockReadFileSync);
@@ -198,13 +201,13 @@ describe("discoverLocalPlugins", () => {
 
     mockReadFileSync.mockImplementation(((filePath: string) => {
       if (filePath.includes("auth-backend")) {
-        return JSON.stringify({ name: "@checkstack/auth-backend" });
+        return JSON.stringify({ name: "@checkstack/auth-backend", checkstack: { type: "backend" } });
       }
       if (filePath.includes("auth-frontend")) {
-        return JSON.stringify({ name: "@checkstack/auth-frontend" });
+        return JSON.stringify({ name: "@checkstack/auth-frontend", checkstack: { type: "frontend" } });
       }
       if (filePath.includes("auth-common")) {
-        return JSON.stringify({ name: "@checkstack/auth-common" });
+        return JSON.stringify({ name: "@checkstack/auth-common", checkstack: { type: "common" } });
       }
       return "{}";
     }) as typeof mockReadFileSync);

package/src/utils/plugin-discovery.ts

@@ -1,8 +1,9 @@
 import path from "node:path";
 import fs from "node:fs";
-import { eq, and } from "drizzle-orm";
+import { eq, and, notInArray } from "drizzle-orm";
 import type { SafeDatabase } from "@checkstack/backend-api";
 import { plugins } from "../schema";
+import { rootLogger } from "../logger";
 
 export interface PluginMetadata {
   packageName: string; // From package.json "name"
@@ -34,16 +35,28 @@ export function extractPluginMetadata({
       return undefined;
     }
 
-    // Determine plugin type from package name suffix
-    let type: "backend" | "frontend" | "common";
-    if (pkgJson.name.endsWith("-backend")) {
-      type = "backend";
-    } else if (pkgJson.name.endsWith("-frontend")) {
-      type = "frontend";
-    } else if (pkgJson.name.endsWith("-common")) {
-      type = "common";
-    } else {
-      return undefined; // Not a valid plugin package
+    // Transition: Strictly require checkstack metadata block
+    if (!pkgJson.checkstack || typeof pkgJson.checkstack !== "object") {
+      if (pkgJson.name.endsWith("-backend") || pkgJson.name.endsWith("-frontend") || pkgJson.name.endsWith("-common")) {
+        rootLogger.debug(`⏭️  Skipping package '${pkgJson.name}': Missing 'checkstack' metadata block in package.json`);
+      }
+      return undefined;
+    }
+
+    // Exclusion: Never discover the host platform itself as a plugin
+    if (pkgJson.name === "@checkstack/backend") {
+      return undefined;
+    }
+
+    const type = pkgJson.checkstack.type;
+    if (type === "tooling") {
+      rootLogger.debug(`⏭️  Skipping package '${pkgJson.name}': Identified as 'tooling'`);
+      return undefined;
+    }
+
+    if (type !== "backend" && type !== "frontend" && type !== "common") {
+      rootLogger.debug(`⏭️  Skipping package '${pkgJson.name}': Invalid checkstack type '${type}'`);
+      return undefined;
     }
 
     return {
@@ -52,7 +65,8 @@ export function extractPluginMetadata({
       type,
       enabled: true, // Local plugins are always enabled
     };
-  } catch {
+  } catch (error) {
+    rootLogger.debug(`⚠️  Failed to read package.json for ${pluginDir}:`, error);
     return undefined;
   }
 }
@@ -154,4 +168,26 @@ export async function syncPluginsToDatabase({
       }
     }
   }
+
+  // 3. Prune local plugins from DB that are no longer present on disk
+  // This is critical for Docker production builds where folders are pruned
+  const localPackageNames = localPlugins.map((p) => p.packageName);
+  
+  try {
+    const whereCondition = and(
+      eq(plugins.isUninstallable, false),
+      localPackageNames.length > 0
+        ? notInArray(plugins.name, localPackageNames)
+        : undefined,
+    );
+
+    // satisfy unicorn/prefer-ternary
+    await (localPackageNames.length > 0
+      ? db.delete(plugins).where(whereCondition)
+      : db.delete(plugins).where(eq(plugins.isUninstallable, false)));
+
+    rootLogger.debug("   -> Local plugin synchronization complete");
+  } catch (error) {
+    rootLogger.error("❌ Failed to prune stale plugins from database:", error);
+  }
 }