@checkstack/dependency-common 1.2.4 → 1.2.5

package/CHANGELOG.md

@@ -1,5 +1,33 @@
 # @checkstack/dependency-common
 
+## 1.2.5
+
+### Patch Changes
+
+- f9cfdae: fix(dependency): gate the dependency map behind its own non-public access rule
+
+  Anonymous users could see the "Dependency Map" nav entry and open the page
+  (which then rendered empty) because the map was gated by `dependency.read`,
+  which is public so that dependency _warning_ badges stay visible on the
+  catalog and dashboard.
+
+  The full topology map is now gated by a dedicated `dependency.map` access
+  rule that is granted to authenticated users by default but is NOT public, so
+  anonymous visitors no longer see the nav entry or reach the page. The
+  `getAllDependencies`, `getNodePositions`, and `saveNodePositions` endpoints
+  move to this rule too, and the dashboard dependency signal now renders as
+  plain text (not a map link) for users without map access. Per-system
+  dependency warnings stay on the public `dependency.read` rule, so warning
+  badges/alerts/signals remain visible to everyone as before.
+
+  Admins can still grant `dependency.map` to the anonymous role to make the
+  map public again.
+
+  Note: the default-rule sync is add-only, so on existing deployments the
+  anonymous role keeps any rules already granted. Since `dependency.map` is a
+  brand-new rule the anonymous role never had it, so the map is hidden from
+  anonymous users immediately after upgrade with no admin action required.
+
 ## 1.2.4
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/dependency-common",
-  "version": "1.2.4",
+  "version": "1.2.5",
   "license": "Elastic-2.0",
   "type": "module",
   "exports": {

package/src/access.ts

@@ -1,4 +1,4 @@
-import { accessPair } from "@checkstack/common";
+import { access, accessPair } from "@checkstack/common";
 import { pluginMetadata } from "./plugin-metadata";
 
 /**
@@ -7,13 +7,17 @@ import { pluginMetadata } from "./plugin-metadata";
 export const dependencyAccess = {
   /**
    * Dependency access with both read and manage levels.
-   * Read is public by default so all users can see dependency warnings.
+   *
+   * Read is public by default so unauthenticated visitors can still see the
+   * dependency *warning* badges/alerts/signals on the catalog and dashboard.
+   * It does NOT grant the full topology map - that is gated separately by
+   * `dependencyAccess.map` (below).
    */
   dependency: accessPair(
     "dependency",
     {
       read: {
-        description: "View system dependencies and dependency warnings",
+        description: "View dependency warnings on systems and the dashboard",
         isDefault: true,
         isPublic: true,
       },
@@ -27,6 +31,22 @@ export const dependencyAccess = {
       pluginId: pluginMetadata.pluginId,
     },
   ),
+
+  /**
+   * Access to the dependency map (the full system-topology graph) - its nav
+   * entry, page, and full-graph/canvas endpoints.
+   *
+   * Deliberately NOT public: the map exposes the entire system topology, so
+   * anonymous visitors must not get it by default. Authenticated users get it
+   * by default (`isDefault`). Per-system dependency warnings stay on the public
+   * `dependency.read` rule, so withholding the map does not hide warning badges.
+   * Admins can still grant this rule to the anonymous role to make the map
+   * public again.
+   */
+  map: access("map", "read", "View the dependency map (full system topology)", {
+    isDefault: true,
+    pluginId: pluginMetadata.pluginId,
+  }),
 };
 
 /**
@@ -35,4 +55,5 @@ export const dependencyAccess = {
 export const dependencyAccessRules = [
   dependencyAccess.dependency.read,
   dependencyAccess.dependency.manage,
+  dependencyAccess.map,
 ];

package/src/rpc-contract.ts

@@ -33,11 +33,14 @@ export const dependencyContract = {
     )
     .output(z.object({ dependencies: z.array(DependencySchema) })),
 
-  /** Get the full dependency graph (all dependencies, for the canvas) */
+  /**
+   * Get the full dependency graph (all dependencies, for the canvas).
+   * Gated by the map rule - the full topology is map-only, not public.
+   */
   getAllDependencies: proc({
     operationType: "query",
     userType: "public",
-    access: [dependencyAccess.dependency.read],
+    access: [dependencyAccess.map],
   }).output(z.object({ dependencies: z.array(DependencySchema) })),
 
   /** Bulk-fetch derived warnings for multiple systems (for dashboard badges) */
@@ -101,20 +104,21 @@ export const dependencyContract = {
 
   // ==========================================================================
   // NODE POSITIONS (authenticated - per-user canvas layout persistence)
+  // Gated by the map rule - canvas layout only matters to map viewers.
   // ==========================================================================
 
   /** Get saved node positions for the dependency map canvas */
   getNodePositions: proc({
     operationType: "query",
     userType: "user",
-    access: [dependencyAccess.dependency.read],
+    access: [dependencyAccess.map],
   }).output(z.object({ positions: z.array(NodePositionSchema) })),
 
   /** Save node positions for the dependency map canvas */
   saveNodePositions: proc({
     operationType: "mutation",
     userType: "user",
-    access: [dependencyAccess.dependency.read],
+    access: [dependencyAccess.map],
   })
     .input(z.object({ positions: z.array(NodePositionSchema) }))
     .output(z.object({ success: z.boolean() })),

package/tests/access.test.ts

@@ -0,0 +1,58 @@
+import { describe, test, expect } from "bun:test";
+import { isAccessRuleSatisfied } from "@checkstack/common";
+import {
+  dependencyAccess,
+  dependencyAccessRules,
+} from "@checkstack/dependency-common";
+
+const QUALIFIED_MAP = "dependency.map.read";
+const QUALIFIED_READ = "dependency.dependency.read";
+
+describe("dependency-common access rules", () => {
+  describe("dependency.map", () => {
+    test("is its own resource/level with the dependency pluginId", () => {
+      expect(dependencyAccess.map.id).toBe("map.read");
+      expect(dependencyAccess.map.resource).toBe("map");
+      expect(dependencyAccess.map.level).toBe("read");
+      expect(dependencyAccess.map.pluginId).toBe("dependency");
+    });
+
+    test("is NOT public - anonymous users must not get the map by default", () => {
+      expect(dependencyAccess.map.isPublic).toBeUndefined();
+    });
+
+    test("is granted to authenticated users by default", () => {
+      expect(dependencyAccess.map.isDefault).toBe(true);
+    });
+
+    test("is registered so it syncs to roles", () => {
+      expect(dependencyAccessRules).toContain(dependencyAccess.map);
+    });
+
+    test("the public read grant alone does NOT satisfy the map rule", () => {
+      // A visitor who only has the public `dependency.read` (warnings) grant
+      // must NOT be able to view the map - the map needs its own rule.
+      expect(
+        isAccessRuleSatisfied([QUALIFIED_READ], dependencyAccess.map),
+      ).toBe(false);
+    });
+
+    test("the qualified map grant satisfies the map rule", () => {
+      expect(isAccessRuleSatisfied([QUALIFIED_MAP], dependencyAccess.map)).toBe(
+        true,
+      );
+    });
+  });
+
+  describe("dependency.read", () => {
+    test("stays public so warning badges remain visible to anonymous users", () => {
+      expect(dependencyAccess.dependency.read.isPublic).toBe(true);
+    });
+
+    test("is not satisfied by the map grant (the two are independent)", () => {
+      expect(
+        isAccessRuleSatisfied([QUALIFIED_MAP], dependencyAccess.dependency.read),
+      ).toBe(false);
+    });
+  });
+});