npm - @checkstack/dependency-frontend - Versions diffs - 0.5.4 → 0.5.6 - Mend

@checkstack/dependency-frontend 0.5.4 → 0.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md +71 -0
package/package.json +12 -12
package/src/components/DependencySignalsFiller.tsx +4 -0
package/src/index.tsx +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,76 @@
 # @checkstack/dependency-frontend
+## 0.5.6
+### Patch Changes
+- f9cfdae: fix(dependency): gate the dependency map behind its own non-public access rule
+  Anonymous users could see the "Dependency Map" nav entry and open the page
+  (which then rendered empty) because the map was gated by `dependency.read`,
+  which is public so that dependency _warning_ badges stay visible on the
+  catalog and dashboard.
+  The full topology map is now gated by a dedicated `dependency.map` access
+  rule that is granted to authenticated users by default but is NOT public, so
+  anonymous visitors no longer see the nav entry or reach the page. The
+  `getAllDependencies`, `getNodePositions`, and `saveNodePositions` endpoints
+  move to this rule too, and the dashboard dependency signal now renders as
+  plain text (not a map link) for users without map access. Per-system
+  dependency warnings stay on the public `dependency.read` rule, so warning
+  badges/alerts/signals remain visible to everyone as before.
+  Admins can still grant `dependency.map` to the anonymous role to make the
+  map public again.
+  Note: the default-rule sync is add-only, so on existing deployments the
+  anonymous role keeps any rules already granted. Since `dependency.map` is a
+  brand-new rule the anonymous role never had it, so the map is hidden from
+  anonymous users immediately after upgrade with no admin action required.
+- Updated dependencies [f9cfdae]
+  - @checkstack/dependency-common@1.2.5
+## 0.5.5
+### Patch Changes
+- 56e7c75: Hide navigation, actions and links that the current user cannot use, so anonymous
+  and read-only users no longer see entries that lead to "Access Denied" or to
+  actions the server would reject.
+  - **Sidebar**: a nav entry can now declare a dynamic `nav.isVisible({ accessRules, isAuthenticated })` predicate (in addition to the static `accessRule`). A group whose every entry is filtered out is no longer rendered. The filtering/grouping logic is extracted to a pure, unit-tested helper.
+  - **Infrastructure**: its sidebar entry is shown only when the user can READ at least one contributed tab (queue, cache, …), instead of always (it previously had no static rule because tabs are contributed at runtime).
+  - **Notification Settings**: hidden from anonymous users - notifications are per-user, so an anonymous visitor can't have any.
+  - **Anomaly Mute / Suppress**: the "Mute" / "Mute all" controls (a per-user preference) are hidden from anonymous visitors; the "Suppress" control is gated on `anomalyAccess.feed.manage`. Both were previously always visible.
+  - **Dashboard**: the "Open Catalog" actions (which open the manage-only Catalog config page) are hidden from users without `catalogAccess.system.manage`, and the "View catalog" link is gated on `catalogAccess.system.read`.
+  - **Dashboard status signals**: the per-system status rows contributed by plugins (`SystemSignalsSlot`) now render as a LINK only when the user can open the target, and as plain text otherwise. `SystemSignal` gains an optional `accessRule`; the healthcheck, anomaly, and dependency fillers set it for their gated targets (check-history / assignments / dependency-map). Signals pointing at ungated pages (incident / maintenance / SLO detail) stay links.
+  - **Plugin Manager**: the "Install plugin" button (which opens the install-gated page) is hidden from users with only `plugin` view access.
+  - **Satellites**: the page is entirely manage-gated, but its route/sidebar entry was gated on `read`, so read-only users saw the nav item and hit "Access Denied" on click. The route and nav entry now require `satellite.manage`.
+  The `@checkstack/ai-backend` bump is only the regenerated bundled docs index
+  (the frontend routing guide gained the `nav.isVisible` section); no code change.
+  **BREAKING (`@checkstack/frontend-api`):** the `AccessApi` interface gains a
+  required `useIsAuthenticated()` method. Custom `AccessApi` implementations must
+  add it (it returns `{ loading, isAuthenticated }`). The built-in auth
+  implementation and the no-auth fallback already do. `NavEntry` also gains an
+  optional `isVisible` predicate (purely additive).
+- Updated dependencies [460ffd6]
+- Updated dependencies [56e7c75]
+- Updated dependencies [56e7c75]
+  - @checkstack/dashboard-frontend@0.8.5
+  - @checkstack/frontend-api@0.9.0
+  - @checkstack/catalog-common@2.3.4
+  - @checkstack/ui@1.15.1
+  - @checkstack/common@0.15.0
+  - @checkstack/dependency-common@1.2.4
+  - @checkstack/gitops-common@0.6.3
+  - @checkstack/healthcheck-common@1.5.4
+  - @checkstack/gitops-frontend@0.5.5
+  - @checkstack/signal-frontend@0.2.4
 ## 0.5.4
 ### Patch Changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/dependency-frontend",
-  "version": "0.5.4",
+  "version": "0.5.6",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.tsx",
@@ -13,16 +13,16 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/catalog-common": "2.3.3",
-    "@checkstack/common": "0.14.1",
-    "@checkstack/dashboard-frontend": "0.8.4",
-    "@checkstack/dependency-common": "1.2.3",
-    "@checkstack/frontend-api": "0.8.0",
-    "@checkstack/gitops-common": "0.6.2",
-    "@checkstack/gitops-frontend": "0.5.4",
-    "@checkstack/healthcheck-common": "1.5.3",
-    "@checkstack/signal-frontend": "0.2.3",
-    "@checkstack/ui": "1.15.0",
+    "@checkstack/catalog-common": "2.3.4",
+    "@checkstack/common": "0.15.0",
+    "@checkstack/dashboard-frontend": "0.8.5",
+    "@checkstack/dependency-common": "1.2.5",
+    "@checkstack/frontend-api": "0.9.0",
+    "@checkstack/gitops-common": "0.6.3",
+    "@checkstack/gitops-frontend": "0.5.5",
+    "@checkstack/healthcheck-common": "1.5.4",
+    "@checkstack/signal-frontend": "0.2.4",
+    "@checkstack/ui": "1.15.1",
     "@xyflow/react": "^12.11.0",
     "lucide-react": "^1.17.0",
     "react": "19.2.7",
@@ -32,6 +32,6 @@
     "typescript": "^5.0.0",
     "@types/react": "^19.0.0",
     "@checkstack/tsconfig": "0.0.7",
-    "@checkstack/scripts": "0.6.0"
+    "@checkstack/scripts": "0.6.1"
   }
 }

package/src/components/DependencySignalsFiller.tsx CHANGED Viewed

@@ -9,6 +9,7 @@ import {
 import {
   DependencyApi,
   dependencyRoutes,
+  dependencyAccess,
   type DerivedState,
 } from "@checkstack/dependency-common";
@@ -63,6 +64,9 @@ export const DependencySignalsFiller: React.FC<Props> = ({
             ? `${upstreamCount} upstream ${upstreamCount === 1 ? "system" : "systems"} affected`
             : undefined,
         href: resolveRoute(dependencyRoutes.routes.map),
+        // The dependency map is gated by its own rule; users who can see the
+        // warning (dependency.read) but not the map get plain text, not a link.
+        accessRule: dependencyAccess.map,
         iconName: "GitBranch",
       };
       result[systemId] = [signal];

package/src/index.tsx CHANGED Viewed

@@ -32,7 +32,7 @@ export default createFrontendPlugin({
           default: m.DependencyMapPage,
         })),
       title: "Dependency Map",
-      accessRule: dependencyAccess.dependency.read,
+      accessRule: dependencyAccess.map,
       nav: { group: "Workspace", icon: GitBranch },
     },
   ],