@checkstack/catalog-common 2.1.0 → 2.2.0

package/CHANGELOG.md

@@ -1,5 +1,65 @@
 # @checkstack/catalog-common
 
+## 2.2.0
+
+### Minor Changes
+
+- 9016526: Add a `/rest/:pluginId/*` HTTP mount that serves every plugin's oRPC contract
+  through the REST/OpenAPI shape described by `/api/openapi.json`. Queries are
+  `GET` with query parameters, mutations are `POST` with the input as the raw
+  JSON body. The existing `/api/:pluginId/*` mount continues to serve oRPC's
+  native wire protocol unchanged, so existing clients are not affected.
+
+  The OpenAPI spec at `/api/openapi.json` now reflects the real mount: every
+  `paths` entry is prefixed with `/rest` instead of `/api`.
+
+  Also fixes a SPA-fallback bug: the backend's `/api-docs` route previously
+  returned 404 on production deployments because the static-file middleware
+  skipped any path starting with `/api`, capturing `/api-docs` along with real
+  API routes. The skip now requires a trailing slash (`/api/`, `/rest/`).
+
+  Required access rules are now visible in the API Docs UI. The OpenAPI spec
+  generator was reading a non-existent `accessRules` field on procedure
+  metadata; the real field is `access: AccessRule[]`. Each procedure's access
+  rules are now flattened to fully-qualified IDs (e.g. `catalog.system.read`)
+  and emitted under `x-orpc-meta.accessRules`, which the existing
+  `Required Access Rules` section in the docs UI already knew how to render.
+
+  The API Docs schema renderer now handles record types (zod `z.record`),
+  `$ref`s into `components.schemas`, `oneOf`/`anyOf`/`allOf`, nullable union
+  types (`type: ["string", "null"]`), and `format` qualifiers. Previously
+  record outputs like `{ statuses: object }` masked the actual value type;
+  they now render as `{ [key]: <ResolvedType> { ... } }` with the inner
+  schema expanded, capped at 12 levels with cycle detection.
+
+  **REST method conventions.** `proc()` now defaults to `GET` for queries and
+  `POST` for mutations on the `/rest` mount, using bracket-notation query
+  params (`?filter[status]=active&ids[0]=a`) for GET inputs. Existing
+  procedures were updated to follow REST semantics:
+
+  - `update*` mutations → `PATCH`
+  - `delete*` / `remove*` mutations → `DELETE`
+  - `getBulk*` queries and any query taking a large array input → `POST`
+    (because `@orpc/openapi@1.13.x` has no GET→POST URL-length fallback)
+
+  GET endpoints require an `object` input — bare scalars like
+  `.input(z.string())` are not valid on GET. `getSystemConfigurations` was
+  refactored from `.input(z.string())` to `.input(z.object({ systemId: ... }))`
+  to fit the GET shape; the only call-site update was the in-process router
+  unpacking `input.systemId` instead of passing `input` directly.
+
+  The API Docs UI now renders query parameters (path/query/header/cookie) in a
+  dedicated table for GET endpoints, and the fetch example shows them in the
+  URL with `<required>` / `<optional>` placeholders.
+
+### Patch Changes
+
+- Updated dependencies [9016526]
+  - @checkstack/common@0.10.0
+  - @checkstack/auth-common@0.7.0
+  - @checkstack/notification-common@1.1.0
+  - @checkstack/frontend-api@0.5.1
+
 ## 2.1.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/catalog-common",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "license": "Elastic-2.0",
   "type": "module",
   "exports": {
@@ -9,17 +9,17 @@
     }
   },
   "dependencies": {
-    "@checkstack/common": "0.8.0",
-    "@checkstack/auth-common": "0.6.5",
-    "@checkstack/frontend-api": "0.4.2",
-    "@checkstack/notification-common": "1.0.1",
+    "@checkstack/common": "0.9.0",
+    "@checkstack/auth-common": "0.6.6",
+    "@checkstack/frontend-api": "0.5.0",
+    "@checkstack/notification-common": "1.0.2",
     "@orpc/contract": "^1.13.14",
     "zod": "^4.2.1"
   },
   "devDependencies": {
     "typescript": "^5.7.2",
     "@checkstack/tsconfig": "0.0.7",
-    "@checkstack/scripts": "0.3.0"
+    "@checkstack/scripts": "0.3.1"
   },
   "scripts": {
     "typecheck": "tsgo -b",

package/src/rpc-contract.ts

@@ -116,6 +116,7 @@ export const catalogContract = {
     userType: "authenticated",
     access: [catalogAccess.system.manage],
   })
+    .route({ method: "PATCH" })
     .input(UpdateSystemInputSchema)
     .output(SystemSchema),
 
@@ -124,6 +125,7 @@ export const catalogContract = {
     userType: "authenticated",
     access: [catalogAccess.system.manage],
   })
+    .route({ method: "DELETE" })
     .input(z.string())
     .output(z.object({ success: z.boolean() })),
 
@@ -162,6 +164,7 @@ export const catalogContract = {
     userType: "authenticated",
     access: [catalogAccess.system.manage],
   })
+    .route({ method: "DELETE" })
     .input(z.string())
     .output(z.object({ success: z.boolean() })),
 
@@ -199,6 +202,7 @@ export const catalogContract = {
     userType: "authenticated",
     access: [catalogAccess.system.manage],
   })
+    .route({ method: "DELETE" })
     .input(z.string())
     .output(z.object({ success: z.boolean() })),
 
@@ -219,6 +223,7 @@ export const catalogContract = {
     userType: "authenticated",
     access: [catalogAccess.group.manage],
   })
+    .route({ method: "PATCH" })
     .input(UpdateGroupInputSchema)
     .output(GroupSchema),
 
@@ -227,6 +232,7 @@ export const catalogContract = {
     userType: "authenticated",
     access: [catalogAccess.group.manage],
   })
+    .route({ method: "DELETE" })
     .input(z.string())
     .output(z.object({ success: z.boolean() })),
 
@@ -252,6 +258,7 @@ export const catalogContract = {
     userType: "authenticated",
     access: [catalogAccess.system.manage],
   })
+    .route({ method: "DELETE" })
     .input(
       z.object({
         groupId: z.string(),