@checkstack/frontend 0.8.0 → 0.9.1

package/CHANGELOG.md

@@ -1,5 +1,152 @@
 # @checkstack/frontend
 
+## 0.9.1
+
+### Patch Changes
+
+- 16f89bd: Disable production source maps by default in the frontend build. Source maps over
+  the bundled Monaco / VS Code (`@codingame/*`) editor stack roughly doubled the
+  build's time and peak memory and shipped several MB of `.js.map` into the image -
+  enough to OOM-thrash a CI runner (the Docker image build hung on the frontend
+  build step). They are now off by default; opt in locally with
+  `VITE_SOURCEMAP=true bun run --filter '@checkstack/frontend' build` when you need
+  to debug the production bundle.
+
+  Also fixes the `@module-federation/vite` `shared` typing (its published type omits
+  `eager` and types `requiredVersion` as `string`, narrower than the MF runtime),
+  so `vite.config.ts` no longer reports type errors.
+
+- 56e7c75: Hide navigation, actions and links that the current user cannot use, so anonymous
+  and read-only users no longer see entries that lead to "Access Denied" or to
+  actions the server would reject.
+
+  - **Sidebar**: a nav entry can now declare a dynamic `nav.isVisible({ accessRules, isAuthenticated })` predicate (in addition to the static `accessRule`). A group whose every entry is filtered out is no longer rendered. The filtering/grouping logic is extracted to a pure, unit-tested helper.
+  - **Infrastructure**: its sidebar entry is shown only when the user can READ at least one contributed tab (queue, cache, …), instead of always (it previously had no static rule because tabs are contributed at runtime).
+  - **Notification Settings**: hidden from anonymous users - notifications are per-user, so an anonymous visitor can't have any.
+  - **Anomaly Mute / Suppress**: the "Mute" / "Mute all" controls (a per-user preference) are hidden from anonymous visitors; the "Suppress" control is gated on `anomalyAccess.feed.manage`. Both were previously always visible.
+  - **Dashboard**: the "Open Catalog" actions (which open the manage-only Catalog config page) are hidden from users without `catalogAccess.system.manage`, and the "View catalog" link is gated on `catalogAccess.system.read`.
+  - **Dashboard status signals**: the per-system status rows contributed by plugins (`SystemSignalsSlot`) now render as a LINK only when the user can open the target, and as plain text otherwise. `SystemSignal` gains an optional `accessRule`; the healthcheck, anomaly, and dependency fillers set it for their gated targets (check-history / assignments / dependency-map). Signals pointing at ungated pages (incident / maintenance / SLO detail) stay links.
+  - **Plugin Manager**: the "Install plugin" button (which opens the install-gated page) is hidden from users with only `plugin` view access.
+  - **Satellites**: the page is entirely manage-gated, but its route/sidebar entry was gated on `read`, so read-only users saw the nav item and hit "Access Denied" on click. The route and nav entry now require `satellite.manage`.
+
+  The `@checkstack/ai-backend` bump is only the regenerated bundled docs index
+  (the frontend routing guide gained the `nav.isVisible` section); no code change.
+
+  **BREAKING (`@checkstack/frontend-api`):** the `AccessApi` interface gains a
+  required `useIsAuthenticated()` method. Custom `AccessApi` implementations must
+  add it (it returns `{ loading, isAuthenticated }`). The built-in auth
+  implementation and the no-auth fallback already do. `NavEntry` also gains an
+  optional `isVisible` predicate (purely additive).
+
+- 56e7c75: Fix frontend access checks to use FULLY-QUALIFIED access-rule ids, and resolve
+  the anonymous role on the frontend.
+
+  Granted access-rule ids are stored fully-qualified as `{pluginId}.{ruleId}` (e.g.
+  `incident.incident.read`) so two plugins defining the same short rule id never
+  collide. The frontend, however, was checking the UNqualified id (`incident.read`)
+  via `isAccessRuleSatisfied`, so every check failed for any user without the `*`
+  (admin) grant - masked in development because dev-auth grants `*`. This silently
+  broke ALL non-admin frontend gating (route guards, sidebar entries, and
+  `useAccess`-based button/link gating).
+
+  - **`@checkstack/common`**: `AccessRule` now carries a REQUIRED owning `pluginId`;
+    `access()` / `accessPair()` require and stamp it; `isAccessRuleSatisfied`
+    qualifies the rule (`{pluginId}.{id}`, plus the manage->read escalation) and
+    matches ONLY the qualified form. There is intentionally NO unqualified fallback
+    - matching a bare id would let one plugin's grant satisfy another plugin's
+      identically-named rule (a cross-plugin privilege-escalation flaw). Every plugin
+      that defines access rules now passes its own `pluginId`.
+  - **`@checkstack/backend`**: `pluginManager.getAllAccessRules()` no longer strips
+    the `pluginId` field (the rule `id` is already fully-qualified for the DB sync).
+  - **Route guard** (`@checkstack/frontend` / `@checkstack/frontend-api`) now
+    checks the FULL rule object (so it qualifies and escalates), not a bare id.
+  - **Anonymous role on the frontend**: the `accessRules` procedure is now
+    `public`, returning the configurable anonymous role's grants to unauthenticated
+    callers; `useAccessRules` fetches them for guests instead of returning an empty
+    set. So anonymous UI now reflects exactly what the anonymous role is allowed -
+    which an admin can change (`isPublic` is only the seeded default).
+  - Incident / maintenance / SLO detail routes are now read-gated (their read rule
+    is an `isPublic` default, so the anonymous role holds it unless an admin
+    revokes it); their dashboard status signals carry that rule and render as a
+    link only when the viewer may open it.
+
+  **BREAKING (`@checkstack/common`):** `AccessRule.pluginId` is now REQUIRED, and
+  `access()` / `accessPair()` require a `pluginId` option. `isAccessRuleSatisfied`
+  matches ONLY the fully-qualified `{pluginId}.{ruleId}` form - the previous
+  unqualified fallback is removed, because it was a cross-plugin
+  privilege-escalation flaw. Any code constructing an `AccessRule` or calling
+  `access()`/`accessPair()` must supply the owning `pluginId`.
+
+  Verified live against an anonymous caller: read pages resolve (qualified match),
+  manage actions are denied, manage->read escalation and `*` still work.
+
+- Updated dependencies [0626782]
+- Updated dependencies [56e7c75]
+- Updated dependencies [56e7c75]
+  - @checkstack/auth-frontend@0.7.5
+  - @checkstack/frontend-api@0.9.0
+  - @checkstack/dependency-frontend@0.5.5
+  - @checkstack/ui@1.15.1
+  - @checkstack/common@0.15.0
+  - @checkstack/catalog-frontend@0.11.5
+  - @checkstack/announcement-frontend@0.4.5
+  - @checkstack/about-frontend@0.3.5
+  - @checkstack/command-frontend@0.3.5
+  - @checkstack/signal-common@0.2.9
+  - @checkstack/signal-frontend@0.2.4
+
+## 0.9.0
+
+### Minor Changes
+
+- fb705df: Upgrade React 18 to React 19 across the platform.
+
+  **BREAKING (runtime frontend plugins):** React is shared as a Module Federation
+  singleton, so the host now provides **React 19** to every runtime plugin.
+  Frontend plugins built against React 18 must be rebuilt against React 19
+  (`react` / `react-dom` `^19`). The scaffold templates and the host/plugin MF
+  `requiredVersion` are updated to `^19`. `react` (and now `react-dom`) are pinned
+  to a single version across the workspace via syncpack so the singleton can never
+  skew (react and react-dom must match exactly).
+
+  The React 19 removed-API surface was audited - the codebase used only no-arg
+  `useRef()` (now `useRef<T | undefined>(undefined)`); no `ReactDOM.render`,
+  legacy context, string refs, or function-component `defaultProps`. This also
+  clears the `IMPORT_IS_UNDEFINED` build warnings for `React.use` /
+  `React.useOptimistic` (react-router 7 feature-detection), which React 19 exports.
+
+  The downstream `*-frontend` packages (and `@checkstack/infrastructure-common`)
+  receive only the mechanical `react` dependency bump (`patch`); the framework
+  packages carrying the shared-singleton change are bumped `minor`.
+
+### Patch Changes
+
+- 9d8961c: Fix the double-scrolling on the AI chat page (`/ai/chat`). The page sized its
+  layout with a fixed `calc(100vh - 220px)` height, which overshot the available
+  space when the page subtitle wrapped to two lines - so the whole page scrolled
+  on top of the message list's own scroll.
+
+  `PageLayout` gains an opt-in `fillHeight` prop that fills the viewport via a
+  bounded flex height chain (established in the app shell) instead of viewport
+  math; the chat page uses it so only the message list scrolls and the page itself
+  never does. Normal document-flow pages are unaffected (they still scroll the
+  main area as before).
+
+- Updated dependencies [9d8961c]
+- Updated dependencies [50123c7]
+- Updated dependencies [fb705df]
+  - @checkstack/ui@1.15.0
+  - @checkstack/dependency-frontend@0.5.4
+  - @checkstack/frontend-api@0.8.0
+  - @checkstack/about-frontend@0.3.4
+  - @checkstack/announcement-frontend@0.4.4
+  - @checkstack/auth-frontend@0.7.4
+  - @checkstack/catalog-frontend@0.11.4
+  - @checkstack/command-frontend@0.3.4
+  - @checkstack/signal-frontend@0.2.3
+  - @checkstack/common@0.14.1
+  - @checkstack/signal-common@0.2.8
+
 ## 0.8.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/frontend",
-  "version": "0.8.0",
+  "version": "0.9.1",
   "license": "Elastic-2.0",
   "checkstack": {
     "type": "frontend"
@@ -20,17 +20,17 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/about-frontend": "0.3.3",
-    "@checkstack/announcement-frontend": "0.4.3",
-    "@checkstack/auth-frontend": "0.7.3",
-    "@checkstack/catalog-frontend": "0.11.3",
-    "@checkstack/command-frontend": "0.3.3",
-    "@checkstack/common": "0.14.1",
-    "@checkstack/dependency-frontend": "0.5.3",
-    "@checkstack/frontend-api": "0.7.2",
-    "@checkstack/signal-common": "0.2.8",
-    "@checkstack/signal-frontend": "0.2.2",
-    "@checkstack/ui": "1.14.0",
+    "@checkstack/about-frontend": "0.3.5",
+    "@checkstack/announcement-frontend": "0.4.5",
+    "@checkstack/auth-frontend": "0.7.5",
+    "@checkstack/catalog-frontend": "0.11.5",
+    "@checkstack/command-frontend": "0.3.5",
+    "@checkstack/common": "0.15.0",
+    "@checkstack/dependency-frontend": "0.5.5",
+    "@checkstack/frontend-api": "0.9.0",
+    "@checkstack/signal-common": "0.2.9",
+    "@checkstack/signal-frontend": "0.2.4",
+    "@checkstack/ui": "1.15.1",
     "@module-federation/runtime": "^2.5",
     "@module-federation/vite": "^1.16",
     "@orpc/client": "^1.14.4",
@@ -41,18 +41,18 @@
     "class-variance-authority": "^0.7.0",
     "clsx": "^2.1.0",
     "lucide-react": "^1.17.0",
-    "react": "^18.3.1",
-    "react-dom": "^18.2.0",
+    "react": "19.2.7",
+    "react-dom": "19.2.7",
     "react-router-dom": "^7.16.0",
     "tailwind-merge": "^2.2.0",
     "tailwindcss": "^3.4.1",
     "tailwindcss-animate": "^1.0.7"
   },
   "devDependencies": {
-    "@checkstack/scripts": "0.5.0",
+    "@checkstack/scripts": "0.6.1",
     "@checkstack/tsconfig": "0.0.7",
-    "@types/react": "^18.2.64",
-    "@types/react-dom": "^18.2.21",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
     "@vitejs/plugin-react": "^6.0.2",
     "postcss": "^8.5.15",
     "vite": "^8.0.16"

package/src/App.tsx

@@ -7,6 +7,7 @@ import {
   useNavigate,
 } from "react-router-dom";
 import { Menu } from "lucide-react";
+import type { AccessRule } from "@checkstack/common";
 import {
   ApiProvider,
   ApiRegistryBuilder,
@@ -121,15 +122,13 @@ function GlobalShortcuts() {
 
 const RouteGuard: React.FC<{
   children: React.ReactNode;
-  accessRule?: string;
+  accessRule?: AccessRule;
 }> = ({ children, accessRule }) => {
   const accessApi = useApi(accessApiRef);
-  // If there's an access rule requirement, use useAccess with a minimal AccessRule-like object
-  // the route.accessRule is already the qualified access rule ID string
+  // Pass the FULL rule so the check qualifies it (`{pluginId}.{id}`) against the
+  // user's granted ids and applies manage->read escalation.
   const { allowed, loading } = accessRule
-    ? accessApi.useAccess({ id: accessRule } as Parameters<
-        typeof accessApi.useAccess
-      >[0])
+    ? accessApi.useAccess(accessRule)
     : { allowed: true, loading: false };
 
   if (loading) {
@@ -207,8 +206,12 @@ function AppContent() {
               mobileOpen={mobileNavOpen}
               onMobileOpenChange={setMobileNavOpen}
             />
-            <main className="flex-1 min-w-0 overflow-y-auto">
-              <div className="px-3 py-4 md:p-8 w-full max-w-7xl mx-auto">
+            <main className="flex flex-1 min-w-0 flex-col overflow-y-auto">
+              {/* `flex-1 min-h-0 flex flex-col` establishes a bounded height
+                  chain so a page can fill the viewport (PageLayout `fillHeight`)
+                  and scroll an inner pane instead of the whole page. Tall normal
+                  pages still overflow into `main`'s scroll (verified). */}
+              <div className="flex flex-1 min-h-0 flex-col px-3 py-4 md:p-8 w-full max-w-7xl mx-auto">
                 <Routes>
             <Route
               path="/"
@@ -286,7 +289,9 @@ function AppWithApis() {
     const registryBuilder = new ApiRegistryBuilder()
       .register(loggerApiRef, new ConsoleLoggerApi())
       .register(accessApiRef, {
-        useAccess: () => ({ loading: false, allowed: true }), // Default to allow all if no auth plugin present
+        // Default to allow all if no auth plugin present (mirrors useAccess).
+        useAccess: () => ({ loading: false, allowed: true }),
+        useIsAuthenticated: () => ({ loading: false, isAuthenticated: true }),
       })
       .registerFactory(fetchApiRef, (_registry) => {
         return new CoreFetchApi(baseUrl);

package/src/components/Sidebar.logic.test.ts

@@ -0,0 +1,140 @@
+import { describe, expect, test } from "bun:test";
+import type { AccessRule } from "@checkstack/common";
+import { selectNavGroups, type NavLike } from "./Sidebar.logic";
+
+const GROUP_ORDER = ["Workspace", "Configuration", "Documentation"] as const;
+
+// Rules carry an owning pluginId; checks match the qualified `${pluginId}.${id}`.
+const rule = (id: string): AccessRule =>
+  ({ id, resource: id, level: "read", pluginId: "p" }) as unknown as AccessRule;
+
+interface Route {
+  path: string;
+  nav?: NavLike;
+}
+
+const route = (path: string, nav?: Partial<NavLike>): Route => ({
+  path,
+  nav: nav ? { group: "Configuration", label: path, order: 0, ...nav } : undefined,
+});
+
+describe("selectNavGroups", () => {
+  test("drops routes without nav", () => {
+    const groups = selectNavGroups({
+      routes: [route("/a"), route("/b", { group: "Workspace" })],
+      accessRules: [],
+      isAuthenticated: true,
+      groupOrder: GROUP_ORDER,
+    });
+    expect(groups).toHaveLength(1);
+    expect(groups[0]?.items.map((r) => r.path)).toEqual(["/b"]);
+  });
+
+  test("hides an entry whose accessRule the user lacks, and drops the now-empty group", () => {
+    const groups = selectNavGroups({
+      routes: [route("/secret", { group: "Configuration", accessRule: rule("x.manage") })],
+      accessRules: [], // anonymous / no grants
+      isAuthenticated: true,
+      groupOrder: GROUP_ORDER,
+    });
+    // The only Configuration entry is gated away -> the group is not returned.
+    expect(groups).toEqual([]);
+  });
+
+  test("shows an entry whose accessRule the user satisfies", () => {
+    const groups = selectNavGroups({
+      routes: [route("/ok", { accessRule: rule("x.read") })],
+      accessRules: ["p.x.read"],
+      isAuthenticated: true,
+      groupOrder: GROUP_ORDER,
+    });
+    expect(groups[0]?.items.map((r) => r.path)).toEqual(["/ok"]);
+  });
+
+  test("isVisible predicate gates the entry (Infrastructure: any readable tab)", () => {
+    // Simulate Infrastructure: visible only if the user can read a tab. Here the
+    // predicate returns false, so the entry (and its lone group) vanish.
+    const infra = route("/infrastructure", {
+      isVisible: ({ accessRules }) => accessRules.includes("queue.read"),
+    });
+    expect(
+      selectNavGroups({
+        routes: [infra],
+        accessRules: [],
+        isAuthenticated: true,
+        groupOrder: GROUP_ORDER,
+      }),
+    ).toEqual([]);
+    // With the tab grant, it appears.
+    expect(
+      selectNavGroups({
+        routes: [infra],
+        accessRules: ["queue.read"],
+        isAuthenticated: true,
+        groupOrder: GROUP_ORDER,
+      })[0]?.items.map((r) => r.path),
+    ).toEqual(["/infrastructure"]);
+  });
+
+  test("isVisible receives isAuthenticated (Notification: authenticated only)", () => {
+    const notif = route("/notification", {
+      isVisible: ({ isAuthenticated }) => isAuthenticated,
+    });
+    expect(
+      selectNavGroups({
+        routes: [notif],
+        accessRules: [],
+        isAuthenticated: false,
+        groupOrder: GROUP_ORDER,
+      }),
+    ).toEqual([]);
+    expect(
+      selectNavGroups({
+        routes: [notif],
+        accessRules: [],
+        isAuthenticated: true,
+        groupOrder: GROUP_ORDER,
+      })[0]?.items.map((r) => r.path),
+    ).toEqual(["/notification"]);
+  });
+
+  test("both accessRule AND isVisible must pass", () => {
+    const r = route("/both", {
+      accessRule: rule("x.read"),
+      isVisible: ({ isAuthenticated }) => isAuthenticated,
+    });
+    // Has the rule but not authenticated -> hidden.
+    expect(
+      selectNavGroups({
+        routes: [r],
+        accessRules: ["p.x.read"],
+        isAuthenticated: false,
+        groupOrder: GROUP_ORDER,
+      }),
+    ).toEqual([]);
+  });
+
+  test("orders groups by groupOrder then alphabetically, items by order then label", () => {
+    const groups = selectNavGroups({
+      routes: [
+        route("/z", { group: "Documentation", order: 0, label: "Z" }),
+        route("/w", { group: "Workspace", order: 0, label: "W" }),
+        route("/c2", { group: "Configuration", order: 2, label: "C2" }),
+        route("/c1", { group: "Configuration", order: 1, label: "C1" }),
+        route("/x", { group: "Xtra", order: 0, label: "X" }), // unknown group -> last
+      ],
+      accessRules: [],
+      isAuthenticated: true,
+      groupOrder: GROUP_ORDER,
+    });
+    expect(groups.map((g) => g.group)).toEqual([
+      "Workspace",
+      "Configuration",
+      "Documentation",
+      "Xtra",
+    ]);
+    expect(
+      groups.find((g) => g.group === "Configuration")?.items.map((r) => r.path),
+    ).toEqual(["/c1", "/c2"]);
+  });
+});

package/src/components/Sidebar.logic.ts

@@ -0,0 +1,88 @@
+import { isAccessRuleSatisfied, type AccessRule } from "@checkstack/common";
+
+/**
+ * The nav-entry fields the sidebar filtering/grouping reads. Kept structural so
+ * this logic is pure and unit-testable without the registry or React.
+ */
+export interface NavLike {
+  group: string;
+  label: string;
+  order: number;
+  /** Static access rule gating visibility (effective rule from the registry). */
+  accessRule?: AccessRule;
+  /** Dynamic predicate; both this AND `accessRule` must pass to show the entry. */
+  isVisible?: (context: {
+    accessRules: string[];
+    isAuthenticated: boolean;
+  }) => boolean;
+}
+
+/** One rendered sidebar section: a group label and its visible entries. */
+export interface NavGroupOf<R> {
+  group: string;
+  items: R[];
+}
+
+/**
+ * Filter routes to the ones the current user may see, group them by section, and
+ * order both groups and items. A route is visible when:
+ *  - it declares `nav`, AND
+ *  - its `accessRule` (if any) is satisfied by the user's access rules, AND
+ *  - its `isVisible` predicate (if any) returns true.
+ *
+ * Crucially, groups are built ONLY from visible routes, so a section whose every
+ * entry is filtered out is not returned at all - e.g. the Infrastructure entry
+ * disappears for a user who can read none of its tabs. Pure: no registry, no
+ * hooks, no DOM.
+ */
+export function selectNavGroups<R extends { nav?: NavLike }>({
+  routes,
+  accessRules,
+  isAuthenticated,
+  groupOrder,
+}: {
+  routes: R[];
+  accessRules: string[];
+  isAuthenticated: boolean;
+  groupOrder: readonly string[];
+}): Array<NavGroupOf<R & { nav: NavLike }>> {
+  const visible = routes.filter((route): route is R & { nav: NavLike } => {
+    const nav = route.nav;
+    if (nav === undefined) return false;
+    if (
+      nav.accessRule !== undefined &&
+      !isAccessRuleSatisfied(accessRules, nav.accessRule)
+    ) {
+      return false;
+    }
+    if (
+      nav.isVisible !== undefined &&
+      !nav.isVisible({ accessRules, isAuthenticated })
+    ) {
+      return false;
+    }
+    return true;
+  });
+
+  const byGroup = new Map<string, Array<R & { nav: NavLike }>>();
+  for (const route of visible) {
+    const list = byGroup.get(route.nav.group);
+    if (list) list.push(route);
+    else byGroup.set(route.nav.group, [route]);
+  }
+
+  const orderOf = (group: string): number => {
+    const index = groupOrder.indexOf(group);
+    return index === -1 ? groupOrder.length : index;
+  };
+
+  return [...byGroup.entries()]
+    .toSorted(([a], [b]) => orderOf(a) - orderOf(b) || a.localeCompare(b))
+    .map(([group, items]) => ({
+      group,
+      items: items.toSorted(
+        (a, b) =>
+          a.nav.order - b.nav.order || a.nav.label.localeCompare(b.nav.label),
+      ),
+    }));
+}

package/src/components/Sidebar.tsx

@@ -2,11 +2,8 @@ import React, { useMemo, useState } from "react";
 import { NavLink, useLocation } from "react-router-dom";
 import { pluginRegistry } from "@checkstack/frontend-api";
 import { useAccessRules } from "@checkstack/auth-frontend";
-import {
-  isAccessRuleSatisfied,
-  APP_DOC_SLUGS,
-  docsPath,
-} from "@checkstack/common";
+import { APP_DOC_SLUGS, docsPath } from "@checkstack/common";
+import { selectNavGroups } from "./Sidebar.logic";
 import {
   Sheet,
   SheetContent,
@@ -43,42 +40,24 @@ interface NavGroup {
 
 /** Build the access-filtered, grouped, ordered nav model from the route registry. */
 function useNavGroups(): NavGroup[] {
-  const { accessRules } = useAccessRules();
+  const { accessRules, isAuthenticated } = useAccessRules();
 
   // getAllRoutes() is recomputed from the registry; plugin load/unload triggers
   // an App re-render so this stays current. Cheap O(routes) work.
   const routes = pluginRegistry.getAllRoutes();
 
-  return useMemo(() => {
-    const visible = routes.filter(
-      (route): route is NavRoute =>
-        route.nav !== undefined &&
-        (route.nav.accessRule === undefined ||
-          isAccessRuleSatisfied(accessRules, route.nav.accessRule)),
-    );
-
-    const byGroup = new Map<string, NavRoute[]>();
-    for (const route of visible) {
-      const list = byGroup.get(route.nav.group);
-      if (list) list.push(route);
-      else byGroup.set(route.nav.group, [route]);
-    }
-
-    const orderOf = (group: string): number => {
-      const index = GROUP_ORDER.indexOf(group as (typeof GROUP_ORDER)[number]);
-      return index === -1 ? GROUP_ORDER.length : index;
-    };
-
-    return [...byGroup.entries()]
-      .toSorted(([a], [b]) => orderOf(a) - orderOf(b) || a.localeCompare(b))
-      .map(([group, items]) => ({
-        group,
-        items: items.toSorted(
-          (a, b) =>
-            a.nav.order - b.nav.order || a.nav.label.localeCompare(b.nav.label),
-        ),
-      }));
-  }, [routes, accessRules]);
+  // Pure filtering/grouping (unit-tested in Sidebar.logic.test.ts): access +
+  // isVisible gating, with empty groups dropped.
+  return useMemo(
+    () =>
+      selectNavGroups({
+        routes,
+        accessRules,
+        isAuthenticated,
+        groupOrder: GROUP_ORDER,
+      }) as NavGroup[],
+    [routes, accessRules, isAuthenticated],
+  );
 }
 
 function loadCollapsedGroups(): Set<string> {

package/vite.config.ts

@@ -11,6 +11,21 @@ import { monacoViteConfig } from "../ui/src/vite-monaco";
 // Monorepo root is 2 levels up from core/frontend
 const monorepoRoot = path.resolve(__dirname, "../..");
 
+// The Module Federation share options we actually use. `@module-federation/vite`
+// publishes a `shared` type that is NARROWER than the MF runtime it drives: it
+// omits `eager` and types `requiredVersion` as `string` only. The runtime (and
+// `@module-federation/sdk`'s own `SharedConfig`) supports both `eager: true` and
+// `requiredVersion: false`, which we rely on. We author against this accurate
+// shape and bridge the plugin's outdated param type with a single cast below.
+interface HostShare {
+  singleton?: boolean;
+  eager?: boolean;
+  requiredVersion?: string | false;
+}
+type FederationSharedOption = NonNullable<
+  Parameters<typeof federation>[0]["shared"]
+>;
+
 // The Monaco / VS Code editor stack (`@checkstack/ui`'s CodeEditor) needs
 // `worker.format: "es"` and a `vscode` resolve alias. Both are produced by this
 // shared helper - also consumed by @checkstack/dev-server - so the app's config
@@ -34,7 +49,7 @@ export default defineConfig(({ command }) => {
   // below), which fails dep optimization with UNLOADABLE_DEPENDENCY. In dev the
   // host just bundles @checkstack/ui's editor normally (worker config + vscode
   // alias are applied unconditionally below), exactly as before this change.
-  const editorShare =
+  const editorShare: Record<string, HostShare> =
     command === "build"
       ? {
           // The Monaco / VS Code editor (the only shared piece of
@@ -58,6 +73,33 @@ export default defineConfig(({ command }) => {
         }
       : {};
 
+  // Authored against the accurate `HostShare` shape (eager + requiredVersion:
+  // false). Extracted to a const so it is passed as a VARIABLE (not a fresh
+  // object literal), letting the single cast below bridge the plugin's narrower
+  // published `shared` type without tripping excess-property checks.
+  const shared: Record<string, HostShare> = {
+    react: { singleton: true, eager: true, requiredVersion: "^19.0.0" },
+    "react-dom": { singleton: true, eager: true, requiredVersion: "^19.0.0" },
+    "react-router-dom": {
+      singleton: true,
+      eager: true,
+      requiredVersion: "^7.0.0",
+    },
+    "@tanstack/react-query": {
+      singleton: true,
+      eager: true,
+      requiredVersion: "^5.0.0",
+    },
+    // First-party, version-locked to the host: skip version negotiation
+    // (its dep range is `workspace:*`, not a semver range).
+    "@checkstack/frontend-api": {
+      singleton: true,
+      eager: true,
+      requiredVersion: false,
+    },
+    ...editorShare,
+  };
+
   return {
     // Tell Vite to look for .env files in monorepo root
     envDir: monorepoRoot,
@@ -81,32 +123,8 @@ export default defineConfig(({ command }) => {
       federation({
         name: "checkstack_host",
         remotes: {},
-        shared: {
-          react: { singleton: true, eager: true, requiredVersion: "^18.0.0" },
-          "react-dom": {
-            singleton: true,
-            eager: true,
-            requiredVersion: "^18.0.0",
-          },
-          "react-router-dom": {
-            singleton: true,
-            eager: true,
-            requiredVersion: "^7.0.0",
-          },
-          "@tanstack/react-query": {
-            singleton: true,
-            eager: true,
-            requiredVersion: "^5.0.0",
-          },
-          // First-party, version-locked to the host: skip version negotiation
-          // (its dep range is `workspace:*`, not a semver range).
-          "@checkstack/frontend-api": {
-            singleton: true,
-            eager: true,
-            requiredVersion: false,
-          },
-          ...editorShare,
-        },
+        // Cast bridges the plugin's outdated `shared` type (see HostShare).
+        shared: shared as FederationSharedOption,
       }),
     ],
     // The @typefox/monaco-editor-react + @codingame/monaco-vscode-* stack
@@ -165,8 +183,12 @@ export default defineConfig(({ command }) => {
     build: {
       // Use esnext to support top-level await and modern ES features
       target: "esnext",
-      // Generate sourcemaps for production debugging
-      sourcemap: true,
+      // Source maps over the Monaco / VS Code (`@codingame/*`) stack roughly
+      // DOUBLE the build's time and peak memory and ship ~MBs of `.js.map` into
+      // the image - enough to OOM-thrash a CI runner (the Docker build hung
+      // here). Off by default; opt in locally with `VITE_SOURCEMAP=true` when
+      // you need to debug the production bundle.
+      sourcemap: process.env.VITE_SOURCEMAP === "true",
       // Monaco stays off the initial load via the `React.lazy(CodeEditor)`
       // boundary (see CodeEditor.tsx) — verified preserved under Module
       // Federation's automatic code-splitting. We do NOT hand-group chunks: