@checkstack/dependency-frontend 0.5.5 → 0.5.7

package/CHANGELOG.md

@@ -1,5 +1,65 @@
 # @checkstack/dependency-frontend
 
+## 0.5.7
+
+### Patch Changes
+
+- 0b6f01b: feat(dependency): contribute dependency warnings to the backend system.issues aggregator
+
+  The dependency plugin now registers a `system.issues` contributor (sourceId
+  `dependency`) from its backend `init`, so the AI assistant surfaces upstream
+  dependency problems alongside incidents, SLOs, health checks, and anomalies.
+
+  The contributor enforces its own `dependency.read` access gate (returning an
+  empty map - never throwing - when the principal lacks access; service users are
+  trusted), then evaluates dependency warnings for every system that participates
+  in a dependency edge by reading the shared, durable `dependencies` table. The
+  answer is therefore identical on every pod. Only systems with an actual warning
+  appear in the result.
+
+  The row->signal mapping (source/tone/label/detail/href/accessRule/iconName) is
+  extracted into a new pure `deriveDependencySignals` deriver in
+  `@checkstack/dependency-common`, shared by both the backend contributor and the
+  frontend `DependencySignalsFiller` so the two surfaces stay in lockstep. The
+  frontend filler now delegates to that deriver with unchanged behavior.
+
+- Updated dependencies [0b6f01b]
+- Updated dependencies [0b6f01b]
+  - @checkstack/dependency-common@1.3.0
+  - @checkstack/healthcheck-common@1.6.0
+  - @checkstack/dashboard-frontend@0.8.6
+
+## 0.5.6
+
+### Patch Changes
+
+- f9cfdae: fix(dependency): gate the dependency map behind its own non-public access rule
+
+  Anonymous users could see the "Dependency Map" nav entry and open the page
+  (which then rendered empty) because the map was gated by `dependency.read`,
+  which is public so that dependency _warning_ badges stay visible on the
+  catalog and dashboard.
+
+  The full topology map is now gated by a dedicated `dependency.map` access
+  rule that is granted to authenticated users by default but is NOT public, so
+  anonymous visitors no longer see the nav entry or reach the page. The
+  `getAllDependencies`, `getNodePositions`, and `saveNodePositions` endpoints
+  move to this rule too, and the dashboard dependency signal now renders as
+  plain text (not a map link) for users without map access. Per-system
+  dependency warnings stay on the public `dependency.read` rule, so warning
+  badges/alerts/signals remain visible to everyone as before.
+
+  Admins can still grant `dependency.map` to the anonymous role to make the
+  map public again.
+
+  Note: the default-rule sync is add-only, so on existing deployments the
+  anonymous role keeps any rules already granted. Since `dependency.map` is a
+  brand-new rule the anonymous role never had it, so the map is hidden from
+  anonymous users immediately after upgrade with no admin action required.
+
+- Updated dependencies [f9cfdae]
+  - @checkstack/dependency-common@1.2.5
+
 ## 0.5.5
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/dependency-frontend",
-  "version": "0.5.5",
+  "version": "0.5.7",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.tsx",
@@ -15,12 +15,12 @@
   "dependencies": {
     "@checkstack/catalog-common": "2.3.4",
     "@checkstack/common": "0.15.0",
-    "@checkstack/dashboard-frontend": "0.8.5",
-    "@checkstack/dependency-common": "1.2.4",
+    "@checkstack/dashboard-frontend": "0.8.6",
+    "@checkstack/dependency-common": "1.3.0",
     "@checkstack/frontend-api": "0.9.0",
     "@checkstack/gitops-common": "0.6.3",
     "@checkstack/gitops-frontend": "0.5.5",
-    "@checkstack/healthcheck-common": "1.5.4",
+    "@checkstack/healthcheck-common": "1.6.0",
     "@checkstack/signal-frontend": "0.2.4",
     "@checkstack/ui": "1.15.1",
     "@xyflow/react": "^12.11.0",

package/src/components/DependencySignalsFiller.tsx

@@ -1,39 +1,24 @@
 import React, { useEffect, useMemo } from "react";
 import { usePluginClient, type SlotContext } from "@checkstack/frontend-api";
-import { resolveRoute } from "@checkstack/common";
 import {
   SystemSignalsSlot,
-  type SystemSignal,
   type SystemSignalsMap,
 } from "@checkstack/catalog-common";
 import {
   DependencyApi,
-  dependencyRoutes,
-  dependencyAccess,
-  type DerivedState,
+  deriveDependencySignals,
+  DEPENDENCY_SIGNAL_SOURCE_ID,
 } from "@checkstack/dependency-common";
 
 type Props = SlotContext<typeof SystemSignalsSlot>;
 
-const SOURCE_ID = "dependency";
-
-const stateToTone: Record<DerivedState, SystemSignal["tone"]> = {
-  down: "error",
-  degraded: "warn",
-  info: "info",
-};
-
-const stateToLabel: Record<DerivedState, string> = {
-  down: "Upstream down",
-  degraded: "Upstream degraded",
-  info: "Dependency info",
-};
-
 /**
  * Reports upstream dependency problems as dashboard signals. Bulk-fetches
  * derived warnings for all overview systems and emits one signal per affected
  * system, deep-linking to the dependency map. Headless filler for
- * {@link SystemSignalsSlot}.
+ * {@link SystemSignalsSlot}. The row->signal mapping is delegated to the shared
+ * {@link deriveDependencySignals} deriver so the frontend and the backend
+ * `system.issues` contributor stay in lockstep.
  */
 export const DependencySignalsFiller: React.FC<Props> = ({
   systemIds,
@@ -47,34 +32,21 @@ export const DependencySignalsFiller: React.FC<Props> = ({
   );
 
   const signals = useMemo<SystemSignalsMap>(() => {
-    const result: SystemSignalsMap = {};
-    if (!data) return result;
+    if (!data) return {};
 
+    // Scope the warnings to the systems this filler is responsible for before
+    // deriving, so the emitted map matches the slot's requested systemIds.
+    const scopedWarnings: typeof data.warnings = {};
     for (const systemId of systemIds) {
       const warning = data.warnings[systemId];
-      if (!warning) continue;
-
-      const upstreamCount = warning.affectedUpstreams.length;
-      const signal: SystemSignal = {
-        source: SOURCE_ID,
-        tone: stateToTone[warning.derivedState],
-        label: stateToLabel[warning.derivedState],
-        detail:
-          upstreamCount > 0
-            ? `${upstreamCount} upstream ${upstreamCount === 1 ? "system" : "systems"} affected`
-            : undefined,
-        href: resolveRoute(dependencyRoutes.routes.map),
-        // The dependency map is gated; render as text for users without access.
-        accessRule: dependencyAccess.dependency.read,
-        iconName: "GitBranch",
-      };
-      result[systemId] = [signal];
+      if (warning) scopedWarnings[systemId] = warning;
     }
-    return result;
+
+    return deriveDependencySignals({ warnings: scopedWarnings });
   }, [data, systemIds]);
 
   useEffect(() => {
-    onSignals(SOURCE_ID, signals);
+    onSignals(DEPENDENCY_SIGNAL_SOURCE_ID, signals);
   }, [signals, onSignals]);
 
   return null;

package/src/index.tsx

@@ -32,7 +32,7 @@ export default createFrontendPlugin({
           default: m.DependencyMapPage,
         })),
       title: "Dependency Map",
-      accessRule: dependencyAccess.dependency.read,
+      accessRule: dependencyAccess.map,
       nav: { group: "Workspace", icon: GitBranch },
     },
   ],