@checkstack/catalog-backend 0.4.2 → 0.4.3

package/CHANGELOG.md

@@ -1,5 +1,41 @@
 # @checkstack/catalog-backend
 
+## 0.4.3
+
+### Patch Changes
+
+- cb65e9d: ### Schema-driven secret resolution, rotation invalidation, and security hardening
+
+  **Breaking**: Replaced `{ secretRef: "..." }` object syntax with `${{ secrets.NAME }}` template interpolation. The `secretField()`, `secretRefSchema`, `isSecretRef`, `SecretRef`, and `ResolvedSecretField` exports have been removed from `@checkstack/gitops-common`.
+
+  **Breaking**: `ReconcileContext.resolveSecretsBySchema()` now returns `{ resolved: T; warnings: string[] }` instead of `T` directly. Plugins must destructure the result. Warnings contain messages for `${{ secrets.NAME }}` templates found in non-secret fields (fields without `x-secret` annotation).
+
+  **New features**:
+
+  - Secrets can be referenced in **any string field** using `${{ secrets.NAME }}` syntax
+  - Inline interpolation is supported: `"postgres://user:${{ secrets.DB_PASS }}@host/db"`
+  - Resolution is **schema-driven** — reuses the existing `configString({ "x-secret": true })` pattern from DynamicForm
+  - Secret rotation now automatically invalidates affected entities, triggering re-reconciliation on the next sync cycle
+  - New `getSecretUsage` RPC endpoint to look up which entities reference a given secret
+  - Secrets UI now shows an expandable usage panel per secret showing referencing entities
+  - Reconciliation warnings: templates in non-secret fields are detected and surfaced in the provenance UI
+  - New `secretNameSchema` and `SECRET_NAME_REGEX` exports for validating secret names
+
+  **Security**:
+
+  - Secret names are validated at creation: must start with a letter, contain only `[a-zA-Z0-9_-]`, max 63 chars
+  - Secrets are validated to exist at sync time but **not pre-resolved** into the spec
+  - Templates in `metadata` fields are **rejected** to prevent secret leaks via display fields
+  - Only fields with `x-secret` schema annotations get resolved — no escape hatch
+  - Templates in non-secret fields emit warnings (stored in provenance, visible in UI) instead of silently passing
+
+  **Migration**: Update YAML descriptors to use `${{ secrets.NAME }}` instead of `secretRef: name`. Remove `secretField()` imports from plugin schemas — use `configString({ "x-secret": true })` to annotate secret fields. Destructure `const { resolved } = await context.resolveSecretsBySchema({ value, schema })` (return type changed from `T` to `{ resolved: T; warnings: string[] }`).
+
+- Updated dependencies [8ef367a]
+- Updated dependencies [cb65e9d]
+  - @checkstack/gitops-common@0.2.0
+  - @checkstack/gitops-backend@0.2.0
+
 ## 0.4.2
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/catalog-backend",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "type": "module",
   "main": "src/index.ts",
   "checkstack": {
@@ -18,8 +18,8 @@
     "@checkstack/catalog-common": "1.3.1",
     "@checkstack/command-backend": "0.1.19",
     "@checkstack/auth-backend": "0.4.18",
-    "@checkstack/gitops-backend": "0.1.0",
-    "@checkstack/gitops-common": "0.1.0",
+    "@checkstack/gitops-backend": "0.1.2",
+    "@checkstack/gitops-common": "0.1.1",
     "@checkstack/notification-common": "0.2.8",
     "@orpc/server": "^1.13.2",
     "drizzle-orm": "^0.45.0",

package/src/catalog-gitops-kinds.test.ts

@@ -103,6 +103,8 @@ const mockContext: ReconcileContext = {
     error: () => {},
   },
   resolveEntityRef: async () => undefined,
+  resolveSecretsBySchema: async <T>(params: { value: T }): Promise<{ resolved: T; warnings: string[] }> =>
+    ({ resolved: params.value, warnings: [] }),
 };
 
 // ─── Tests ─────────────────────────────────────────────────────────────────