npm - @checkstack/common - Versions diffs - 0.7.0 → 0.8.0 - Mend

@checkstack/common 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,105 @@
 # @checkstack/common
+## 0.8.0
+### Minor Changes
+- 50e5f5f: Runtime plugin system: install + uninstall plugins from npm, GitHub releases
+  (including private GitHub Enterprise instances), or tarball uploads at
+  runtime, with multi-package bundles, dependency-derived compatibility checks,
+  multi-instance coordination via a Postgres artifact store, and
+  single-coordinator destructive cleanup.
+  Highlights:
+  - New `PluginSource` discriminated union and `PluginInstaller` /
+    `PluginInstallerRegistry` interfaces in `@checkstack/backend-api`. The
+    GitHub variant accepts an optional `apiBaseUrl` so deployments backed by
+    GitHub Enterprise can install from `https://ghe.example.com/api/v3`
+    instead of `api.github.com`.
+  - New `installPackageMetadataSchema` (Zod) in `@checkstack/common` validates
+    every plugin's `package.json` at install time. Required fields: `name`,
+    `version`, `description`, `author`, `license`, `checkstack.type`,
+    `checkstack.pluginId`. Optional: `checkstack.bundle`,
+    `checkstack.usageInstructions`, `checkstack.allowInstallScripts`.
+  - New `pluginManagerContract` in `@checkstack/pluginmanager-common` with
+    `list`, `previewInstall`, `install`, `previewUninstall`, `uninstall`, and
+    `events` procedures.
+  - New `@checkstack/pluginmanager-frontend` admin UI: installed-plugins list
+    with per-row uninstall (typed-confirmation modal, schema/configs/cascade
+    toggles), install page with NPM / Tarball Upload / GitHub Release tabs
+    (Catalog tab disabled — coming soon), and an events page surfacing the
+    install/uninstall audit log.
+  - New `bunx @checkstack/scripts plugin-pack` CLI for plugin authors —
+    per-package mode produces an npm-shaped tarball; `--bundle` mode produces
+    an outer tarball containing every sibling declared in
+    `package.json#checkstack.bundle`. Published to npm so external authors
+    can `bunx` it directly without a workspace checkout.
+  - Compatibility derived from `package.json#dependencies` ranges
+    (`semver.satisfies` against the platform's loaded `@checkstack/*`
+    versions) — no separate `compatibility` field.
+  - Multi-instance: originator persists artifacts + `plugins` rows + broadcasts
+    install/uninstall; receiving instances do in-process register/unregister
+    only. Destructive ops (drop schema, delete plugin_configs, delete
+    artifacts, delete `plugins` rows) run exactly once on the originator.
+  - Fresh-instance bootstrap: `loadPlugins()` hydrates any
+    `is_uninstallable=true` plugin missing from `node_modules` from the
+    artifact store before normal Phase 1 register.
+  - New schema: `plugin_artifacts` (tarball storage), `plugin_install_events`
+    (audit/error log). `plugins` extended with `version`, `metadata`,
+    `source`, `bundle_id`, `is_primary`. Local plugin sync now writes
+    `version` from each plugin's `package.json` so the admin UI shows real
+    versions instead of `—`.
+  - Tarball-upload endpoint (`POST /api/pluginmanager/upload-tarball`) for
+    the install UI; access-gated by `pluginmanager.plugin.manage`.
+  - Plugin Manager menu link added to the user menu (main grid, alongside
+    Profile / Notification Settings / etc.).
+  Cross-cutting changes:
+  - Backend request/response logging now flows through `rootLogger` (winston)
+    instead of `hono/logger`. 5xx responses include the response body inline
+    so swallowed early-return errors are visible in the log.
+  - The `/api/:pluginId/*` dispatcher now logs which core service is missing
+    or which `pluginId` had no metadata when it 500s.
+  - New `registerCorePluginMetadata` on `PluginManager` for core routers
+    (like the plugin manager itself) that need their metadata visible to the
+    RPC dispatcher without going through the full plugin lifecycle.
+  - ESLint: `unicorn/no-null` is now disabled globally. Drizzle distinguishes
+    between `null` (writes a real SQL NULL) and `undefined` (skip the column
+    on insert), so treating them as interchangeable produced latent bugs at
+    the persistence boundary. The bulk of the patch-bumped packages above
+    reflect lint-fix touches that landed when this rule was relaxed.
+  - Workspace-wide license normalization to `Elastic-2.0` (matches
+    `LICENSE.md`). Every `package.json` in the workspace now declares the
+    same SPDX identifier; the patch bumps capture this.
+  Plugin packages (every `plugins/*`): added a `pack` npm script
+  (`bunx @checkstack/scripts plugin-pack`), mirrored each plugin's
+  `pluginId` from `plugin-metadata.ts` into `package.json#checkstack.pluginId`
+  so install-time validation passes, stubbed any missing required metadata
+  fields (`description`, `author`, `license`), and added
+  `checkstack.bundle` to multi-package plugin primaries (telegram, rcon, ssh,
+  jira, queue-bullmq, queue-memory, cache-memory).
+  Breaking changes:
+  - The legacy single-method `PluginInstaller` interface (`install(packageName)`)
+    is removed. Callers must use `coreServices.pluginInstallerRegistry`.
+  - The old `pluginAdminContract` and `createPluginAdminRouter` are removed.
+    Replaced by `pluginManagerContract` in `@checkstack/pluginmanager-common`
+    and `createPluginManagerRouter` in `core/backend`.
+  - `@checkstack/test-utils-backend` no longer exports
+    `createMockPluginInstaller` / `MockPluginInstaller` (the legacy interface
+    it shimmed is gone).
+  Note: bumps are limited to `minor` (for packages with new public API
+  surface) and `patch` (for downstream consumers, license normalization,
+  and lint fixes). No `major` bumps despite the `PluginInstaller` removal —
+  the legacy interface had no third-party consumers in the wild before this
+  runtime plugin system landed, and the contract surface is the same shape
+  modulo the rename.
 ## 0.7.0
 ### Minor Changes

package/package.json CHANGED Viewed

@@ -1,6 +1,7 @@
 {
   "name": "@checkstack/common",
-  "version": "0.7.0",
+  "version": "0.8.0",
+  "license": "Elastic-2.0",
   "type": "module",
   "main": "./src/index.ts",
   "types": "./src/index.ts",
@@ -18,11 +19,11 @@
   },
   "devDependencies": {
     "typescript": "^5.7.2",
-    "@checkstack/tsconfig": "0.0.5",
+    "@checkstack/tsconfig": "0.0.6",
     "@checkstack/scripts": "0.1.2"
   },
   "scripts": {
-    "typecheck": "tsc --noEmit",
+    "typecheck": "tsgo -b",
     "lint": "bun run lint:code",
     "lint:code": "eslint . --max-warnings 0"
   },

package/src/index.ts CHANGED Viewed

@@ -2,6 +2,7 @@ export * from "./types";
 export * from "./pagination";
 export * from "./routes";
 export * from "./plugin-metadata";
+export * from "./plugin-source";
 export * from "./client-definition";
 export * from "./access-utils";
 export * from "./icons";

package/src/plugin-metadata.ts CHANGED Viewed

@@ -1,3 +1,5 @@
+import { z } from "zod";
 /**
  * Plugin metadata interface for backend plugins.
  *
@@ -26,3 +28,103 @@ export interface PluginMetadata {
 export function definePluginMetadata<T extends PluginMetadata>(metadata: T): T {
   return metadata;
 }
+// ─────────────────────────────────────────────────────────────────────────────
+// Install-time metadata (validated when a plugin is installed at runtime)
+// ─────────────────────────────────────────────────────────────────────────────
+export const pluginPackageTypeSchema = z.enum(["backend", "frontend", "common"]);
+export type PluginPackageType = z.infer<typeof pluginPackageTypeSchema>;
+/**
+ * Author shape — matches standard package.json `author` / `contributors`
+ * (string OR object form).
+ */
+export const pluginAuthorSchema = z.union([
+  z.string().min(1),
+  z.object({
+    name: z.string().min(1),
+    email: z.string().email().optional(),
+    url: z.string().url().optional(),
+  }),
+]);
+export type PluginAuthor = z.infer<typeof pluginAuthorSchema>;
+/**
+ * `package.json#checkstack` block schema.
+ *
+ * Required:
+ * - `type`: which kind of package this is.
+ * - `pluginId`: the runtime plugin id (must match the source const).
+ *
+ * Optional:
+ * - `bundle`: list of sibling package names that must install/uninstall together.
+ *   Set on the *primary* package only.
+ * - `usageInstructions`: markdown shown in the install UI.
+ * - `allowInstallScripts`: opt in to running `postinstall` etc. for this plugin's
+ *   `bun install`. Default false (we pass `--ignore-scripts`).
+ */
+export const pluginCheckstackBlockSchema = z.object({
+  type: pluginPackageTypeSchema,
+  pluginId: z.string().min(1).optional(),
+  bundle: z.array(z.string().min(1)).optional(),
+  usageInstructions: z.string().optional(),
+  allowInstallScripts: z.boolean().optional(),
+});
+export type PluginCheckstackBlock = z.infer<typeof pluginCheckstackBlockSchema>;
+/**
+ * Schema applied to the *full* package.json of a plugin at install time.
+ *
+ * We re-use standard package.json fields (name, version, description, author,
+ * license, homepage, repository) and only require what's strictly necessary
+ * for displaying + validating an installable plugin. Compatibility is *not*
+ * declared explicitly — it's derived from the `dependencies` section at
+ * install time (semver.satisfies against the platform's loaded
+ * `@checkstack/*` package versions).
+ */
+export const installPackageMetadataSchema = z.object({
+  name: z.string().min(1, "package.json `name` is required"),
+  version: z.string().min(1, "package.json `version` is required"),
+  description: z.string().min(1, "package.json `description` is required"),
+  author: pluginAuthorSchema,
+  contributors: z.array(pluginAuthorSchema).optional(),
+  license: z.string().min(1, "package.json `license` is required"),
+  homepage: z.string().url().optional(),
+  repository: z
+    .union([
+      z.string(),
+      z.object({
+        type: z.string().optional(),
+        url: z.string(),
+      }),
+    ])
+    .optional(),
+  dependencies: z.record(z.string(), z.string()).optional(),
+  peerDependencies: z.record(z.string(), z.string()).optional(),
+  checkstack: pluginCheckstackBlockSchema,
+});
+export type InstallPackageMetadata = z.infer<typeof installPackageMetadataSchema>;
+/**
+ * Bundle manifest written into a `--bundle`-mode tarball.
+ *
+ * Structure:
+ *   bundle.tgz
+ *     bundle.json                ← this manifest
+ *     packages/
+ *       <pkg-1>-<version>.tgz
+ *       <pkg-2>-<version>.tgz
+ */
+export const pluginBundleManifestSchema = z.object({
+  bundleVersion: z.literal(1),
+  primary: z.string().min(1),
+  packages: z.array(
+    z.object({
+      name: z.string().min(1),
+      version: z.string().min(1),
+      tarball: z.string().min(1), // path inside the outer tarball
+    }),
+  ),
+});
+export type PluginBundleManifest = z.infer<typeof pluginBundleManifestSchema>;

package/src/plugin-source.ts ADDED Viewed

@@ -0,0 +1,73 @@
+import { z } from "zod";
+// ─────────────────────────────────────────────────────────────────────────────
+// PluginSource — discriminated union describing where a plugin came from.
+// One installer per `type`. Persisted on the `plugins` row so fresh-instance
+// bootstrap and reinstall can recreate the artifact from the same source.
+//
+// Lives in `@checkstack/common` (not `backend-api`) so it can be referenced
+// from contracts (which must remain importable from frontend & common
+// packages).
+// ─────────────────────────────────────────────────────────────────────────────
+export const npmPluginSourceSchema = z.object({
+  type: z.literal("npm"),
+  packageName: z.string().min(1),
+  version: z.string().optional(),
+  registry: z.string().url().optional(),
+});
+export type NpmPluginSource = z.infer<typeof npmPluginSourceSchema>;
+export const tarballPluginSourceSchema = z.object({
+  type: z.literal("tarball"),
+  /**
+   * The plugin_artifacts row id. The tarball bytes themselves live in
+   * Postgres — only the artifact reference is stored on the `plugins` row.
+   * On fresh-instance bootstrap, this is what's used to re-fetch the bytes.
+   */
+  artifactId: z.string().min(1),
+  /** Original filename for display in the UI. */
+  filename: z.string().optional(),
+});
+export type TarballPluginSource = z.infer<typeof tarballPluginSourceSchema>;
+export const githubPluginSourceSchema = z.object({
+  type: z.literal("github"),
+  owner: z.string().min(1),
+  repo: z.string().min(1),
+  tag: z.string().min(1),
+  /**
+   * Optional explicit asset filename. When omitted, the installer picks the
+   * single `.tgz` asset on the release (and errors if there are zero or many).
+   */
+  assetName: z.string().optional(),
+  /**
+   * Optional API base URL for GitHub Enterprise installs (e.g.
+   * `https://github.example.com/api/v3`). When omitted, the public
+   * `https://api.github.com` endpoint is used. Asset download URLs are
+   * always taken from the release response, so they automatically point
+   * at the same host as the API.
+   */
+  apiBaseUrl: z.string().url().optional(),
+  /**
+   * Optional name of an env var holding a Personal Access Token. Defaults
+   * to `GITHUB_TOKEN`. Useful when the platform needs to talk to several
+   * different GitHub instances with different tokens.
+   */
+  tokenEnvVar: z.string().optional(),
+});
+export type GithubPluginSource = z.infer<typeof githubPluginSourceSchema>;
+export const catalogPluginSourceSchema = z.object({
+  type: z.literal("catalog"),
+  catalogId: z.string().min(1),
+});
+export type CatalogPluginSource = z.infer<typeof catalogPluginSourceSchema>;
+export const pluginSourceSchema = z.discriminatedUnion("type", [
+  npmPluginSourceSchema,
+  tarballPluginSourceSchema,
+  githubPluginSourceSchema,
+  catalogPluginSourceSchema,
+]);
+export type PluginSource = z.infer<typeof pluginSourceSchema>;

package/tsconfig.json CHANGED Viewed

@@ -3,4 +3,4 @@
   "include": [
     "src"
   ]
-}
+}