@checkstack/backend 0.4.4 → 0.4.5

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @checkstack/backend
 
+## 0.4.5
+
+### Patch Changes
+
+- 8a87cd4: Added startup validation for unregistered access rules
+
+  The backend now throws an error at startup if a procedure contract references an access rule that isn't registered with the plugin system. This prevents silent runtime failures.
+
+- Updated dependencies [8a87cd4]
+- Updated dependencies [8a87cd4]
+- Updated dependencies [8a87cd4]
+  - @checkstack/auth-common@0.5.2
+  - @checkstack/backend-api@0.4.1
+  - @checkstack/common@0.5.0
+  - @checkstack/queue-api@0.1.3
+  - @checkstack/signal-backend@0.1.5
+  - @checkstack/api-docs-common@0.1.3
+  - @checkstack/signal-common@0.1.3
+
 ## 0.4.4
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/backend",
-  "version": "0.4.4",
+  "version": "0.4.5",
   "type": "module",
   "scripts": {
     "dev": "bun --env-file=../../.env --watch src/index.ts",

package/src/plugin-manager/plugin-loader.ts

@@ -424,6 +424,35 @@ export async function loadPlugins({
     }
   }
 
+  // Phase 2.5: Validate that all access rules used in contracts are registered
+  // This catches bugs where access rules are used in procedures but not added to
+  // the plugin's accessRules registration array.
+  rootLogger.debug("🔍 Validating access rules in contracts...");
+  const registeredRuleIds = new Set(
+    deps.registeredAccessRules.map((r) => r.id),
+  );
+  const validationErrors: string[] = [];
+
+  for (const [pluginId, contract] of deps.pluginContractRegistry) {
+    validateContractAccessRules({
+      pluginId,
+      contract,
+      registeredRuleIds,
+      validationErrors,
+    });
+  }
+
+  if (validationErrors.length > 0) {
+    rootLogger.error("❌ Unregistered access rules found in contracts:");
+    for (const error of validationErrors) {
+      rootLogger.error(`   • ${error}`);
+    }
+    throw new Error(
+      `Unregistered access rules in contracts:\n${validationErrors.join("\n")}`,
+    );
+  }
+  rootLogger.debug("✅ All access rules in contracts are registered");
+
   // Phase 3: Run afterPluginsReady callbacks
   rootLogger.debug("🔄 Running afterPluginsReady callbacks...");
 
@@ -507,3 +536,42 @@ export async function loadPlugins({
   }
   rootLogger.debug("✅ All afterPluginsReady callbacks complete");
 }
+
+/**
+ * Validate that all access rules used in a contract are registered with the plugin system.
+ * Recursively traverses the contract to find all procedures and their access metadata.
+ */
+function validateContractAccessRules({
+  pluginId,
+  contract,
+  registeredRuleIds,
+  validationErrors,
+}: {
+  pluginId: string;
+  contract: AnyContractRouter;
+  registeredRuleIds: Set<string>;
+  validationErrors: string[];
+}): void {
+  for (const [procedureName, procedure] of Object.entries(
+    contract as Record<string, unknown>,
+  )) {
+    if (!procedure || typeof procedure !== "object") continue;
+
+    // Check if this is a procedure with oRPC metadata
+    const orpcData = (procedure as Record<string, unknown>)["~orpc"] as
+      | { meta?: { access?: Array<{ id: string }> } }
+      | undefined;
+
+    if (orpcData?.meta?.access) {
+      for (const accessRule of orpcData.meta.access) {
+        const qualifiedId = `${pluginId}.${accessRule.id}`;
+        if (!registeredRuleIds.has(qualifiedId)) {
+          validationErrors.push(
+            `Plugin "${pluginId}" procedure "${procedureName}" uses unregistered access rule "${accessRule.id}" (qualified: "${qualifiedId}"). ` +
+              `Add it to the plugin's accessRules registration array.`,
+          );
+        }
+      }
+    }
+  }
+}