@checkstack/dependency-common 1.2.3 → 1.2.5

package/CHANGELOG.md

@@ -1,5 +1,87 @@
 # @checkstack/dependency-common
 
+## 1.2.5
+
+### Patch Changes
+
+- f9cfdae: fix(dependency): gate the dependency map behind its own non-public access rule
+
+  Anonymous users could see the "Dependency Map" nav entry and open the page
+  (which then rendered empty) because the map was gated by `dependency.read`,
+  which is public so that dependency _warning_ badges stay visible on the
+  catalog and dashboard.
+
+  The full topology map is now gated by a dedicated `dependency.map` access
+  rule that is granted to authenticated users by default but is NOT public, so
+  anonymous visitors no longer see the nav entry or reach the page. The
+  `getAllDependencies`, `getNodePositions`, and `saveNodePositions` endpoints
+  move to this rule too, and the dashboard dependency signal now renders as
+  plain text (not a map link) for users without map access. Per-system
+  dependency warnings stay on the public `dependency.read` rule, so warning
+  badges/alerts/signals remain visible to everyone as before.
+
+  Admins can still grant `dependency.map` to the anonymous role to make the
+  map public again.
+
+  Note: the default-rule sync is add-only, so on existing deployments the
+  anonymous role keeps any rules already granted. Since `dependency.map` is a
+  brand-new rule the anonymous role never had it, so the map is hidden from
+  anonymous users immediately after upgrade with no admin action required.
+
+## 1.2.4
+
+### Patch Changes
+
+- 56e7c75: Fix frontend access checks to use FULLY-QUALIFIED access-rule ids, and resolve
+  the anonymous role on the frontend.
+
+  Granted access-rule ids are stored fully-qualified as `{pluginId}.{ruleId}` (e.g.
+  `incident.incident.read`) so two plugins defining the same short rule id never
+  collide. The frontend, however, was checking the UNqualified id (`incident.read`)
+  via `isAccessRuleSatisfied`, so every check failed for any user without the `*`
+  (admin) grant - masked in development because dev-auth grants `*`. This silently
+  broke ALL non-admin frontend gating (route guards, sidebar entries, and
+  `useAccess`-based button/link gating).
+
+  - **`@checkstack/common`**: `AccessRule` now carries a REQUIRED owning `pluginId`;
+    `access()` / `accessPair()` require and stamp it; `isAccessRuleSatisfied`
+    qualifies the rule (`{pluginId}.{id}`, plus the manage->read escalation) and
+    matches ONLY the qualified form. There is intentionally NO unqualified fallback
+    - matching a bare id would let one plugin's grant satisfy another plugin's
+      identically-named rule (a cross-plugin privilege-escalation flaw). Every plugin
+      that defines access rules now passes its own `pluginId`.
+  - **`@checkstack/backend`**: `pluginManager.getAllAccessRules()` no longer strips
+    the `pluginId` field (the rule `id` is already fully-qualified for the DB sync).
+  - **Route guard** (`@checkstack/frontend` / `@checkstack/frontend-api`) now
+    checks the FULL rule object (so it qualifies and escalates), not a bare id.
+  - **Anonymous role on the frontend**: the `accessRules` procedure is now
+    `public`, returning the configurable anonymous role's grants to unauthenticated
+    callers; `useAccessRules` fetches them for guests instead of returning an empty
+    set. So anonymous UI now reflects exactly what the anonymous role is allowed -
+    which an admin can change (`isPublic` is only the seeded default).
+  - Incident / maintenance / SLO detail routes are now read-gated (their read rule
+    is an `isPublic` default, so the anonymous role holds it unless an admin
+    revokes it); their dashboard status signals carry that rule and render as a
+    link only when the viewer may open it.
+
+  **BREAKING (`@checkstack/common`):** `AccessRule.pluginId` is now REQUIRED, and
+  `access()` / `accessPair()` require a `pluginId` option. `isAccessRuleSatisfied`
+  matches ONLY the fully-qualified `{pluginId}.{ruleId}` form - the previous
+  unqualified fallback is removed, because it was a cross-plugin
+  privilege-escalation flaw. Any code constructing an `AccessRule` or calling
+  `access()`/`accessPair()` must supply the owning `pluginId`.
+
+  Verified live against an anonymous caller: read pages resolve (qualified match),
+  manage actions are denied, manage->read escalation and `*` still work.
+
+- Updated dependencies [56e7c75]
+- Updated dependencies [56e7c75]
+  - @checkstack/frontend-api@0.9.0
+  - @checkstack/catalog-common@2.3.4
+  - @checkstack/common@0.15.0
+  - @checkstack/notification-common@1.3.3
+  - @checkstack/signal-common@0.2.9
+
 ## 1.2.3
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/dependency-common",
-  "version": "1.2.3",
+  "version": "1.2.5",
   "license": "Elastic-2.0",
   "type": "module",
   "exports": {
@@ -9,18 +9,18 @@
     }
   },
   "dependencies": {
-    "@checkstack/common": "0.14.1",
-    "@checkstack/catalog-common": "2.3.3",
-    "@checkstack/frontend-api": "0.8.0",
-    "@checkstack/notification-common": "1.3.2",
-    "@checkstack/signal-common": "0.2.8",
+    "@checkstack/common": "0.15.0",
+    "@checkstack/catalog-common": "2.3.4",
+    "@checkstack/frontend-api": "0.9.0",
+    "@checkstack/notification-common": "1.3.3",
+    "@checkstack/signal-common": "0.2.9",
     "@orpc/contract": "^1.14.4",
     "zod": "^4.2.1"
   },
   "devDependencies": {
     "typescript": "^5.7.2",
     "@checkstack/tsconfig": "0.0.7",
-    "@checkstack/scripts": "0.6.0"
+    "@checkstack/scripts": "0.6.1"
   },
   "scripts": {
     "typecheck": "tsgo -b",

package/src/access.ts

@@ -1,4 +1,5 @@
-import { accessPair } from "@checkstack/common";
+import { access, accessPair } from "@checkstack/common";
+import { pluginMetadata } from "./plugin-metadata";
 
 /**
  * Access rules for the Dependency plugin.
@@ -6,13 +7,17 @@ import { accessPair } from "@checkstack/common";
 export const dependencyAccess = {
   /**
    * Dependency access with both read and manage levels.
-   * Read is public by default so all users can see dependency warnings.
+   *
+   * Read is public by default so unauthenticated visitors can still see the
+   * dependency *warning* badges/alerts/signals on the catalog and dashboard.
+   * It does NOT grant the full topology map - that is gated separately by
+   * `dependencyAccess.map` (below).
    */
   dependency: accessPair(
     "dependency",
     {
       read: {
-        description: "View system dependencies and dependency warnings",
+        description: "View dependency warnings on systems and the dashboard",
         isDefault: true,
         isPublic: true,
       },
@@ -23,8 +28,25 @@ export const dependencyAccess = {
     },
     {
       idParam: "systemId",
+      pluginId: pluginMetadata.pluginId,
     },
   ),
+
+  /**
+   * Access to the dependency map (the full system-topology graph) - its nav
+   * entry, page, and full-graph/canvas endpoints.
+   *
+   * Deliberately NOT public: the map exposes the entire system topology, so
+   * anonymous visitors must not get it by default. Authenticated users get it
+   * by default (`isDefault`). Per-system dependency warnings stay on the public
+   * `dependency.read` rule, so withholding the map does not hide warning badges.
+   * Admins can still grant this rule to the anonymous role to make the map
+   * public again.
+   */
+  map: access("map", "read", "View the dependency map (full system topology)", {
+    isDefault: true,
+    pluginId: pluginMetadata.pluginId,
+  }),
 };
 
 /**
@@ -33,4 +55,5 @@ export const dependencyAccess = {
 export const dependencyAccessRules = [
   dependencyAccess.dependency.read,
   dependencyAccess.dependency.manage,
+  dependencyAccess.map,
 ];

package/src/rpc-contract.ts

@@ -33,11 +33,14 @@ export const dependencyContract = {
     )
     .output(z.object({ dependencies: z.array(DependencySchema) })),
 
-  /** Get the full dependency graph (all dependencies, for the canvas) */
+  /**
+   * Get the full dependency graph (all dependencies, for the canvas).
+   * Gated by the map rule - the full topology is map-only, not public.
+   */
   getAllDependencies: proc({
     operationType: "query",
     userType: "public",
-    access: [dependencyAccess.dependency.read],
+    access: [dependencyAccess.map],
   }).output(z.object({ dependencies: z.array(DependencySchema) })),
 
   /** Bulk-fetch derived warnings for multiple systems (for dashboard badges) */
@@ -101,20 +104,21 @@ export const dependencyContract = {
 
   // ==========================================================================
   // NODE POSITIONS (authenticated - per-user canvas layout persistence)
+  // Gated by the map rule - canvas layout only matters to map viewers.
   // ==========================================================================
 
   /** Get saved node positions for the dependency map canvas */
   getNodePositions: proc({
     operationType: "query",
     userType: "user",
-    access: [dependencyAccess.dependency.read],
+    access: [dependencyAccess.map],
   }).output(z.object({ positions: z.array(NodePositionSchema) })),
 
   /** Save node positions for the dependency map canvas */
   saveNodePositions: proc({
     operationType: "mutation",
     userType: "user",
-    access: [dependencyAccess.dependency.read],
+    access: [dependencyAccess.map],
   })
     .input(z.object({ positions: z.array(NodePositionSchema) }))
     .output(z.object({ success: z.boolean() })),

package/tests/access.test.ts

@@ -0,0 +1,58 @@
+import { describe, test, expect } from "bun:test";
+import { isAccessRuleSatisfied } from "@checkstack/common";
+import {
+  dependencyAccess,
+  dependencyAccessRules,
+} from "@checkstack/dependency-common";
+
+const QUALIFIED_MAP = "dependency.map.read";
+const QUALIFIED_READ = "dependency.dependency.read";
+
+describe("dependency-common access rules", () => {
+  describe("dependency.map", () => {
+    test("is its own resource/level with the dependency pluginId", () => {
+      expect(dependencyAccess.map.id).toBe("map.read");
+      expect(dependencyAccess.map.resource).toBe("map");
+      expect(dependencyAccess.map.level).toBe("read");
+      expect(dependencyAccess.map.pluginId).toBe("dependency");
+    });
+
+    test("is NOT public - anonymous users must not get the map by default", () => {
+      expect(dependencyAccess.map.isPublic).toBeUndefined();
+    });
+
+    test("is granted to authenticated users by default", () => {
+      expect(dependencyAccess.map.isDefault).toBe(true);
+    });
+
+    test("is registered so it syncs to roles", () => {
+      expect(dependencyAccessRules).toContain(dependencyAccess.map);
+    });
+
+    test("the public read grant alone does NOT satisfy the map rule", () => {
+      // A visitor who only has the public `dependency.read` (warnings) grant
+      // must NOT be able to view the map - the map needs its own rule.
+      expect(
+        isAccessRuleSatisfied([QUALIFIED_READ], dependencyAccess.map),
+      ).toBe(false);
+    });
+
+    test("the qualified map grant satisfies the map rule", () => {
+      expect(isAccessRuleSatisfied([QUALIFIED_MAP], dependencyAccess.map)).toBe(
+        true,
+      );
+    });
+  });
+
+  describe("dependency.read", () => {
+    test("stays public so warning badges remain visible to anonymous users", () => {
+      expect(dependencyAccess.dependency.read.isPublic).toBe(true);
+    });
+
+    test("is not satisfied by the map grant (the two are independent)", () => {
+      expect(
+        isAccessRuleSatisfied([QUALIFIED_MAP], dependencyAccess.dependency.read),
+      ).toBe(false);
+    });
+  });
+});