@checkstack/gitops-backend 0.1.0 → 0.1.1

package/CHANGELOG.md

@@ -1,5 +1,30 @@
 # @checkstack/gitops-backend
 
+## 0.1.1
+
+### Patch Changes
+
+- 86bab6a: ### GitOps: Fix authentication token handling
+
+  - Made `authToken` optional in `ReconcileProviderParams` and `ScraperOptions` to support unauthenticated access to public repositories
+  - GitHub and GitLab scrapers now conditionally set authentication headers only when a token is provided
+  - Sync worker now decrypts the encrypted `authToken` from the database before passing it to scrapers, fixing authentication failures caused by sending encrypted values in HTTP headers
+
+  ### SLO: Fix premature Nines Club achievement unlock
+
+  - The "Nines Club" achievement now requires both ≥99.99% availability **and** a 365-day compliance streak, preventing immediate unlock on newly created SLOs with 100% default availability
+
+  ### SLO: Align frontend achievement descriptions with backend criteria
+
+  - Fixed mismatched descriptions for Iron Uptime (7-day, not 30), Diamond Uptime (30-day, not 90), Clean Sheet (rolling window, not quarter), Full Coverage (3+ SLOs, not all systems in group), and Nines Club (99.99%)
+
+  ### SLO: Enrich milestones with system names
+
+  - The `getRecentMilestones` endpoint now resolves human-readable system names via the Catalog API instead of returning raw system IDs
+
+- Updated dependencies [86bab6a]
+  - @checkstack/gitops-common@0.1.1
+
 ## 0.1.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/gitops-backend",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "type": "module",
   "main": "src/index.ts",
   "checkstack": {
@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@checkstack/backend-api": "0.12.0",
-    "@checkstack/gitops-common": "0.0.1",
+    "@checkstack/gitops-common": "0.1.0",
     "@checkstack/common": "0.6.5",
     "@checkstack/command-backend": "0.1.19",
     "@checkstack/queue-api": "0.2.13",

package/src/router.ts

@@ -112,8 +112,11 @@ export const createGitOpsRouter = ({
     if (input.data.pathPattern !== undefined)
       updates.pathPattern = input.data.pathPattern;
     if (input.data.baseUrl !== undefined) updates.baseUrl = input.data.baseUrl;
-    if (input.data.authToken !== undefined)
-      updates.authToken = encrypt(input.data.authToken);
+    if (input.data.authToken !== undefined) {
+      // null = explicitly clear token, string = encrypt and store
+      // eslint-disable-next-line unicorn/no-null
+      updates.authToken = input.data.authToken ? encrypt(input.data.authToken) : null;
+    }
     if (input.data.syncInterval !== undefined)
       updates.syncInterval = input.data.syncInterval;
     if (input.data.deletionPolicy !== undefined)

package/src/scrapers/github-scraper.test.ts

@@ -352,4 +352,55 @@ describe("githubScraper", () => {
       expect(url).toStartWith(enterpriseUrl);
     }
   });
+  it("works without auth token and does not send Authorization header", async () => {
+    const capturedHeaders: Record<string, string>[] = [];
+
+    const mockFetch: FetchFn = async (input, init) => {
+      const url = typeof input === "string" ? input : input.toString();
+      const headers = init?.headers as Record<string, string> | undefined;
+      if (headers) {
+        capturedHeaders.push(headers);
+      }
+
+      if (url.includes("git/trees")) {
+        return new Response(
+          JSON.stringify({
+            sha: "abc",
+            tree: [{ path: ".checkstack/sys.yaml", type: "blob" }],
+            truncated: false,
+          }),
+          { headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      if (url.includes("contents/")) {
+        return new Response(
+          JSON.stringify({ content: btoa("yaml"), encoding: "base64" }),
+          { headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      if (url.includes("repos/public-org/repo")) {
+        return new Response(
+          JSON.stringify({ full_name: "public-org/repo", default_branch: "main" }),
+          { headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      return new Response("Not Found", { status: 404 });
+    };
+
+    const files = await githubScraper.discoverFiles({
+      target: "public-org/repo",
+      pathPattern: ".checkstack/**/*.yaml",
+      logger: mockLogger,
+      fetch: mockFetch,
+    });
+
+    expect(files).toHaveLength(1);
+    // Verify no Authorization header was sent
+    for (const headers of capturedHeaders) {
+      expect(headers.Authorization).toBeUndefined();
+    }
+  });
 });

package/src/scrapers/github-scraper.ts

@@ -43,17 +43,18 @@ function parseNextPageUrl(linkHeader: string | null): string | undefined {
  */
 async function githubFetch(params: {
   url: string;
-  authToken: string;
+  authToken?: string;
   fetchFn: FetchFn;
 }): Promise<Response> {
   const { url, authToken, fetchFn } = params;
-  return fetchFn(url, {
-    headers: {
-      Authorization: `Bearer ${authToken}`,
-      Accept: "application/vnd.github+json",
-      "X-GitHub-Api-Version": "2022-11-28",
-    },
-  });
+  const headers: Record<string, string> = {
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+  };
+  if (authToken) {
+    headers.Authorization = `Bearer ${authToken}`;
+  }
+  return fetchFn(url, { headers });
 }
 
 // ─── Core Logic ────────────────────────────────────────────────────────────
@@ -64,7 +65,7 @@ async function githubFetch(params: {
  */
 async function enumerateRepos(params: {
   target: string;
-  authToken: string;
+  authToken?: string;
   fetchFn: FetchFn;
   apiUrl: string;
 }): Promise<GitHubRepo[]> {
@@ -113,7 +114,7 @@ async function enumerateRepos(params: {
 async function getMatchingFiles(params: {
   repo: GitHubRepo;
   pathPattern: string;
-  authToken: string;
+  authToken?: string;
   fetchFn: FetchFn;
   apiUrl: string;
 }): Promise<string[]> {
@@ -143,7 +144,7 @@ async function fetchFileContent(params: {
   repoFullName: string;
   filePath: string;
   branch: string;
-  authToken: string;
+  authToken?: string;
   fetchFn: FetchFn;
   apiUrl: string;
 }): Promise<string> {

package/src/scrapers/gitlab-scraper.test.ts

@@ -293,4 +293,56 @@ describe("gitlabScraper", () => {
       expect(url).toStartWith(selfHostedUrl);
     }
   });
+  it("works without auth token and does not send PRIVATE-TOKEN header", async () => {
+    const capturedHeaders: Record<string, string>[] = [];
+
+    const mockFetch: FetchFn = async (input, init) => {
+      const url = typeof input === "string" ? input : input.toString();
+      const headers = init?.headers as Record<string, string> | undefined;
+      if (headers) {
+        capturedHeaders.push(headers);
+      }
+
+      if (url.includes("/repository/tree")) {
+        return new Response(
+          JSON.stringify([
+            { id: "a1", name: "sys.yaml", type: "blob", path: ".checkstack/sys.yaml" },
+          ]),
+          { headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      if (url.includes("/repository/files/") && url.includes("/raw")) {
+        return new Response("yaml-content", {
+          headers: { "Content-Type": "text/plain" },
+        });
+      }
+
+      if (url.includes("/projects/")) {
+        return new Response(
+          JSON.stringify({
+            id: 99,
+            path_with_namespace: "public/repo",
+            default_branch: "main",
+          }),
+          { headers: { "Content-Type": "application/json" } },
+        );
+      }
+
+      return new Response("Not Found", { status: 404 });
+    };
+
+    const files = await gitlabScraper.discoverFiles({
+      target: "public/repo",
+      pathPattern: ".checkstack/**/*.yaml",
+      logger: mockLogger,
+      fetch: mockFetch,
+    });
+
+    expect(files).toHaveLength(1);
+    // Verify no PRIVATE-TOKEN header was sent
+    for (const headers of capturedHeaders) {
+      expect(headers["PRIVATE-TOKEN"]).toBeUndefined();
+    }
+  });
 });

package/src/scrapers/gitlab-scraper.ts

@@ -25,15 +25,15 @@ interface GitLabTreeItem {
  */
 async function gitlabFetch(params: {
   url: string;
-  authToken: string;
+  authToken?: string;
   fetchFn: FetchFn;
 }): Promise<Response> {
   const { url, authToken, fetchFn } = params;
-  return fetchFn(url, {
-    headers: {
-      "PRIVATE-TOKEN": authToken,
-    },
-  });
+  const headers: Record<string, string> = {};
+  if (authToken) {
+    headers["PRIVATE-TOKEN"] = authToken;
+  }
+  return fetchFn(url, { headers });
 }
 
 /**
@@ -41,7 +41,7 @@ async function gitlabFetch(params: {
  */
 async function paginateGitLab<T>(params: {
   initialUrl: string;
-  authToken: string;
+  authToken?: string;
   fetchFn: FetchFn;
 }): Promise<T[]> {
   const { initialUrl, authToken, fetchFn } = params;
@@ -80,7 +80,7 @@ async function paginateGitLab<T>(params: {
  */
 async function enumerateProjects(params: {
   target: string;
-  authToken: string;
+  authToken?: string;
   fetchFn: FetchFn;
   apiUrl: string;
 }): Promise<GitLabProject[]> {
@@ -96,7 +96,7 @@ async function enumerateProjects(params: {
 async function getMatchingFiles(params: {
   project: GitLabProject;
   pathPattern: string;
-  authToken: string;
+  authToken?: string;
   fetchFn: FetchFn;
   apiUrl: string;
 }): Promise<string[]> {
@@ -122,7 +122,7 @@ async function fetchFileContent(params: {
   projectId: number;
   filePath: string;
   branch: string;
-  authToken: string;
+  authToken?: string;
   fetchFn: FetchFn;
   apiUrl: string;
 }): Promise<string> {

package/src/scrapers/types.ts

@@ -32,8 +32,8 @@ export interface ScraperOptions {
   target: string;
   /** Glob pattern for matching file paths (e.g., ".checkstack/**\/*.yaml"). */
   pathPattern: string;
-  /** Decrypted auth token for the Git provider API. */
-  authToken: string;
+  /** Decrypted auth token for the Git provider API. Optional for public repos. */
+  authToken?: string;
   /** Custom API base URL for enterprise/on-prem installations. */
   baseUrl?: string;
   /** Logger for diagnostic output. */

package/src/sync/reconciler.ts

@@ -19,7 +19,7 @@ interface ReconcileProviderParams {
   providerType: "github" | "gitlab";
   target: string;
   pathPattern: string;
-  authToken: string;
+  authToken?: string;
   baseUrl?: string;
   deletionPolicy: "orphan" | "auto";
   db: Db;

package/src/sync/sync-worker.ts

@@ -1,4 +1,5 @@
 import type { Logger, SafeDatabase } from "@checkstack/backend-api";
+import { decrypt } from "@checkstack/backend-api";
 import type { QueueManager } from "@checkstack/queue-api";
 import type { InternalEntityKindRegistry } from "../kind-registry";
 import type { SecretStore } from "../secret-resolver";
@@ -104,12 +105,25 @@ async function runSyncForProvider(params: {
   const scraper =
     provider.type === "github" ? githubScraper : gitlabScraper;
 
+  // Decrypt authToken from database (stored encrypted via DynamicForm secret field)
+  let authToken: string | undefined;
+  if (provider.authToken) {
+    try {
+      authToken = decrypt(provider.authToken);
+    } catch (error) {
+      logger.error(
+        `GitOps sync: failed to decrypt authToken for provider ${providerId}: ${error}`,
+      );
+      throw new Error(`Failed to decrypt auth token for provider ${providerId}`);
+    }
+  }
+
   return reconcileProvider({
     providerId: provider.id,
     providerType: provider.type,
     target: provider.target,
     pathPattern: provider.pathPattern,
-    authToken: provider.authToken ?? "",
+    authToken,
     baseUrl: provider.baseUrl ?? undefined,
     deletionPolicy: provider.deletionPolicy,
     db,