npm - @checkstack/catalog-common - Versions diffs - 0.0.3 → 1.0.0 - Mend

@checkstack/catalog-common 0.0.3 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,104 @@
 # @checkstack/catalog-common
+## 1.0.0
+### Major Changes
+- 8e43507: BREAKING: `getSystems` now returns `{ systems: [...] }` instead of plain array
+  This change enables resource-level access control filtering for the catalog plugin. The middleware needs a consistent object format with named keys to perform post-execution filtering on list endpoints.
+  ## Breaking Changes
+  - `getSystems()` now returns `{ systems: System[] }` instead of `System[]`
+  - All call sites must update to destructure: `const { systems } = await api.getSystems()`
+  ## New Features
+  - Added `resourceAccess` metadata to catalog endpoints:
+    - `getSystems`: List filtering by team access
+    - `getSystem`: Single resource pre-check by team access
+    - `getEntities`: List filtering for systems by team access
+  ## Migration
+  ```diff
+  - const systems = await catalogApi.getSystems();
+  + const { systems } = await catalogApi.getSystems();
+  ```
+### Minor Changes
+- 8e43507: # Teams and Resource-Level Access Control
+  This release introduces a comprehensive Teams system for organizing users and controlling access to resources at a granular level.
+  ## Features
+  ### Team Management
+  - Create, update, and delete teams with name and description
+  - Add/remove users from teams
+  - Designate team managers with elevated privileges
+  - View team membership and manager status
+  ### Resource-Level Access Control
+  - Grant teams access to specific resources (systems, health checks, incidents, maintenances)
+  - Configure read-only or manage permissions per team
+  - Resource-level "Team Only" mode that restricts access exclusively to team members
+  - Separate `resourceAccessSettings` table for resource-level settings (not per-grant)
+  - Automatic cleanup of grants when teams are deleted (database cascade)
+  ### Middleware Integration
+  - Extended `autoAuthMiddleware` to support resource access checks
+  - Single-resource pre-handler validation for detail endpoints
+  - Automatic list filtering for collection endpoints
+  - S2S endpoints for access verification
+  ### Frontend Components
+  - `TeamsTab` component for managing teams in Auth Settings
+  - `TeamAccessEditor` component for assigning team access to resources
+  - Resource-level "Team Only" toggle in `TeamAccessEditor`
+  - Integration into System, Health Check, Incident, and Maintenance editors
+  ## Breaking Changes
+  ### API Response Format Changes
+  List endpoints now return objects with named keys instead of arrays directly:
+  ```typescript
+  // Before
+  const systems = await catalogApi.getSystems();
+  // After
+  const { systems } = await catalogApi.getSystems();
+  ```
+  Affected endpoints:
+  - `catalog.getSystems` → `{ systems: [...] }`
+  - `healthcheck.getConfigurations` → `{ configurations: [...] }`
+  - `incident.listIncidents` → `{ incidents: [...] }`
+  - `maintenance.listMaintenances` → `{ maintenances: [...] }`
+  ### User Identity Enrichment
+  `RealUser` and `ApplicationUser` types now include `teamIds: string[]` field with team memberships.
+  ## Documentation
+  See `docs/backend/teams.md` for complete API reference and integration guide.
+### Patch Changes
+- Updated dependencies [8e43507]
+  - @checkstack/common@0.1.0
+  - @checkstack/frontend-api@0.0.4
 ## 0.0.3
 ### Patch Changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/catalog-common",
-  "version": "0.0.3",
+  "version": "1.0.0",
   "type": "module",
   "exports": {
     ".": {

package/src/rpc-contract.ts CHANGED Viewed

@@ -1,6 +1,8 @@
 import { oc } from "@orpc/contract";
 import {
   createClientDefinition,
+  createResourceAccess,
+  createResourceAccessList,
   type ProcedureMetadata,
 } from "@checkstack/common";
 import { pluginMetadata } from "./plugin-metadata";
@@ -11,6 +13,10 @@ import { permissions } from "./permissions";
 // Base builder with full metadata support
 const _base = oc.$meta<ProcedureMetadata>({});
+// Resource access configurations for team-based access control
+const systemAccess = createResourceAccess("system", "systemId");
+const systemListAccess = createResourceAccessList("system", "systems");
 // Input schemas that match the service layer expectations
 const CreateSystemInputSchema = z.object({
   name: z.string(),
@@ -55,7 +61,11 @@ export const catalogContract = {
   // ==========================================================================
   getEntities: _base
-    .meta({ userType: "public", permissions: [permissions.catalogRead.id] })
+    .meta({
+      userType: "public",
+      permissions: [permissions.catalogRead.id],
+      resourceAccess: [systemListAccess],
+    })
     .output(
       z.object({
         systems: z.array(SystemSchema),
@@ -64,11 +74,19 @@ export const catalogContract = {
     ),
   getSystems: _base
-    .meta({ userType: "public", permissions: [permissions.catalogRead.id] })
-    .output(z.array(SystemSchema)),
+    .meta({
+      userType: "public",
+      permissions: [permissions.catalogRead.id],
+      resourceAccess: [systemListAccess],
+    })
+    .output(z.object({ systems: z.array(SystemSchema) })),
   getSystem: _base
-    .meta({ userType: "public", permissions: [permissions.catalogRead.id] })
+    .meta({
+      userType: "public",
+      permissions: [permissions.catalogRead.id],
+      resourceAccess: [systemAccess],
+    })
     .input(z.object({ systemId: z.string() }))
     .output(SystemSchema.nullable()),