@checkstack/gitops-backend 0.2.7 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,148 @@
 # @checkstack/gitops-backend
 
+## 0.3.0
+
+### Minor Changes
+
+- f6f9a5c: Surface the source repository for GitOps-managed entities and gate the
+  system→group remove button on the system's lock state.
+
+  - `provenanceSchema` now carries a `sourceUrl` field, derived on the
+    backend from the provider type, baseUrl, repository and filePath. URLs
+    are constructed for github.com / gitlab.com and self-hosted
+    GitHub/GitLab where the API base ends in `/api/v3` or `/api/v4`. Other
+    baseUrls fall back to `null` so the UI keeps showing the raw path.
+  - New `useProvenanceLocks` hook (bulk variant of `useProvenanceLock`)
+    for views that render many entities and need to look up locks
+    client-side.
+  - New `<GitOpsSourceBadge>` popover component that replaces the bare
+    GitBranch icon on system and group catalog cards. The popover
+    surfaces the repository, file path, and a "View in source provider"
+    deep link.
+  - `<GitOpsLockBanner>` repo line is now a real link when a sourceUrl is
+    available.
+  - The system→group remove button in the catalog now disables itself
+    when the system is GitOps-managed, matching the backend lock that was
+    already in place.
+
+### Patch Changes
+
+- Updated dependencies [42abfff]
+- Updated dependencies [f6f9a5c]
+- Updated dependencies [aa89bc5]
+  - @checkstack/common@0.9.0
+  - @checkstack/gitops-common@0.3.0
+  - @checkstack/queue-api@0.3.0
+  - @checkstack/backend-api@0.15.1
+  - @checkstack/command-backend@0.1.25
+
+## 0.2.8
+
+### Patch Changes
+
+- 50e5f5f: Runtime plugin system: install + uninstall plugins from npm, GitHub releases
+  (including private GitHub Enterprise instances), or tarball uploads at
+  runtime, with multi-package bundles, dependency-derived compatibility checks,
+  multi-instance coordination via a Postgres artifact store, and
+  single-coordinator destructive cleanup.
+
+  Highlights:
+
+  - New `PluginSource` discriminated union and `PluginInstaller` /
+    `PluginInstallerRegistry` interfaces in `@checkstack/backend-api`. The
+    GitHub variant accepts an optional `apiBaseUrl` so deployments backed by
+    GitHub Enterprise can install from `https://ghe.example.com/api/v3`
+    instead of `api.github.com`.
+  - New `installPackageMetadataSchema` (Zod) in `@checkstack/common` validates
+    every plugin's `package.json` at install time. Required fields: `name`,
+    `version`, `description`, `author`, `license`, `checkstack.type`,
+    `checkstack.pluginId`. Optional: `checkstack.bundle`,
+    `checkstack.usageInstructions`, `checkstack.allowInstallScripts`.
+  - New `pluginManagerContract` in `@checkstack/pluginmanager-common` with
+    `list`, `previewInstall`, `install`, `previewUninstall`, `uninstall`, and
+    `events` procedures.
+  - New `@checkstack/pluginmanager-frontend` admin UI: installed-plugins list
+    with per-row uninstall (typed-confirmation modal, schema/configs/cascade
+    toggles), install page with NPM / Tarball Upload / GitHub Release tabs
+    (Catalog tab disabled — coming soon), and an events page surfacing the
+    install/uninstall audit log.
+  - New `bunx @checkstack/scripts plugin-pack` CLI for plugin authors —
+    per-package mode produces an npm-shaped tarball; `--bundle` mode produces
+    an outer tarball containing every sibling declared in
+    `package.json#checkstack.bundle`. Published to npm so external authors
+    can `bunx` it directly without a workspace checkout.
+  - Compatibility derived from `package.json#dependencies` ranges
+    (`semver.satisfies` against the platform's loaded `@checkstack/*`
+    versions) — no separate `compatibility` field.
+  - Multi-instance: originator persists artifacts + `plugins` rows + broadcasts
+    install/uninstall; receiving instances do in-process register/unregister
+    only. Destructive ops (drop schema, delete plugin_configs, delete
+    artifacts, delete `plugins` rows) run exactly once on the originator.
+  - Fresh-instance bootstrap: `loadPlugins()` hydrates any
+    `is_uninstallable=true` plugin missing from `node_modules` from the
+    artifact store before normal Phase 1 register.
+  - New schema: `plugin_artifacts` (tarball storage), `plugin_install_events`
+    (audit/error log). `plugins` extended with `version`, `metadata`,
+    `source`, `bundle_id`, `is_primary`. Local plugin sync now writes
+    `version` from each plugin's `package.json` so the admin UI shows real
+    versions instead of `—`.
+  - Tarball-upload endpoint (`POST /api/pluginmanager/upload-tarball`) for
+    the install UI; access-gated by `pluginmanager.plugin.manage`.
+  - Plugin Manager menu link added to the user menu (main grid, alongside
+    Profile / Notification Settings / etc.).
+
+  Cross-cutting changes:
+
+  - Backend request/response logging now flows through `rootLogger` (winston)
+    instead of `hono/logger`. 5xx responses include the response body inline
+    so swallowed early-return errors are visible in the log.
+  - The `/api/:pluginId/*` dispatcher now logs which core service is missing
+    or which `pluginId` had no metadata when it 500s.
+  - New `registerCorePluginMetadata` on `PluginManager` for core routers
+    (like the plugin manager itself) that need their metadata visible to the
+    RPC dispatcher without going through the full plugin lifecycle.
+  - ESLint: `unicorn/no-null` is now disabled globally. Drizzle distinguishes
+    between `null` (writes a real SQL NULL) and `undefined` (skip the column
+    on insert), so treating them as interchangeable produced latent bugs at
+    the persistence boundary. The bulk of the patch-bumped packages above
+    reflect lint-fix touches that landed when this rule was relaxed.
+  - Workspace-wide license normalization to `Elastic-2.0` (matches
+    `LICENSE.md`). Every `package.json` in the workspace now declares the
+    same SPDX identifier; the patch bumps capture this.
+
+  Plugin packages (every `plugins/*`): added a `pack` npm script
+  (`bunx @checkstack/scripts plugin-pack`), mirrored each plugin's
+  `pluginId` from `plugin-metadata.ts` into `package.json#checkstack.pluginId`
+  so install-time validation passes, stubbed any missing required metadata
+  fields (`description`, `author`, `license`), and added
+  `checkstack.bundle` to multi-package plugin primaries (telegram, rcon, ssh,
+  jira, queue-bullmq, queue-memory, cache-memory).
+
+  Breaking changes:
+
+  - The legacy single-method `PluginInstaller` interface (`install(packageName)`)
+    is removed. Callers must use `coreServices.pluginInstallerRegistry`.
+  - The old `pluginAdminContract` and `createPluginAdminRouter` are removed.
+    Replaced by `pluginManagerContract` in `@checkstack/pluginmanager-common`
+    and `createPluginManagerRouter` in `core/backend`.
+  - `@checkstack/test-utils-backend` no longer exports
+    `createMockPluginInstaller` / `MockPluginInstaller` (the legacy interface
+    it shimmed is gone).
+
+  Note: bumps are limited to `minor` (for packages with new public API
+  surface) and `patch` (for downstream consumers, license normalization,
+  and lint fixes). No `major` bumps despite the `PluginInstaller` removal —
+  the legacy interface had no third-party consumers in the wild before this
+  runtime plugin system landed, and the contract surface is the same shape
+  modulo the rename.
+
+- Updated dependencies [50e5f5f]
+  - @checkstack/backend-api@0.15.0
+  - @checkstack/common@0.8.0
+  - @checkstack/gitops-common@0.2.2
+  - @checkstack/queue-api@0.2.18
+  - @checkstack/command-backend@0.1.24
+
 ## 0.2.7
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@checkstack/gitops-backend",
-  "version": "0.2.7",
+  "version": "0.3.0",
+  "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
   "checkstack": {
@@ -13,11 +14,11 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/backend-api": "0.14.0",
-    "@checkstack/gitops-common": "0.2.1",
-    "@checkstack/common": "0.7.0",
-    "@checkstack/command-backend": "0.1.22",
-    "@checkstack/queue-api": "0.2.16",
+    "@checkstack/backend-api": "0.15.0",
+    "@checkstack/gitops-common": "0.2.2",
+    "@checkstack/common": "0.8.0",
+    "@checkstack/command-backend": "0.1.24",
+    "@checkstack/queue-api": "0.2.18",
     "@orpc/server": "^1.13.2",
     "drizzle-orm": "^0.45.0",
     "minimatch": "^10.0.0",
@@ -26,9 +27,9 @@
     "yaml": "^2.7.0"
   },
   "devDependencies": {
-    "@checkstack/drizzle-helper": "0.0.4",
-    "@checkstack/scripts": "0.1.2",
-    "@checkstack/tsconfig": "0.0.5",
+    "@checkstack/drizzle-helper": "0.0.5",
+    "@checkstack/scripts": "0.3.0",
+    "@checkstack/tsconfig": "0.0.7",
     "@types/bun": "^1.3.5",
     "@types/node": "^20.0.0",
     "@types/uuid": "^11.0.0",

package/src/router.ts

@@ -2,7 +2,7 @@ import { implement, ORPCError } from "@orpc/server";
 import { z } from "zod";
 import { autoAuthMiddleware, type RpcContext } from "@checkstack/backend-api";
 import { encrypt, decrypt } from "@checkstack/backend-api";
-import { gitopsContract } from "@checkstack/gitops-common";
+import { gitopsContract, deriveSourceUrl } from "@checkstack/gitops-common";
 import type { SafeDatabase } from "@checkstack/backend-api";
 import type { QueueManager } from "@checkstack/queue-api";
 import type { InternalEntityKindRegistry } from "./kind-registry";
@@ -34,6 +34,36 @@ export const createGitOpsRouter = ({
 }: GitOpsRouterDeps) => {
   // ─── Provenance ──────────────────────────────────────────────────────
 
+  type ProviderMeta = {
+    type: "github" | "gitlab";
+    baseUrl: string | null;
+  };
+
+  const buildProviderLookup = async (): Promise<Map<string, ProviderMeta>> => {
+    const providers = await db.select().from(schema.providers);
+    const map = new Map<string, ProviderMeta>();
+    for (const p of providers) {
+      map.set(p.id, { type: p.type, baseUrl: p.baseUrl });
+    }
+    return map;
+  };
+
+  const decorateProvenance = (
+    row: typeof schema.provenance.$inferSelect,
+    providers: Map<string, ProviderMeta>,
+  ) => {
+    const provider = providers.get(row.providerId);
+    const sourceUrl = provider
+      ? deriveSourceUrl({
+          providerType: provider.type,
+          baseUrl: provider.baseUrl,
+          repository: row.repository,
+          filePath: row.filePath,
+        })
+      : null;
+    return { ...row, warnings: row.warnings ?? [], sourceUrl };
+  };
+
   const getProvenance = os.getProvenance.handler(async ({ input }) => {
     const conditions = [eq(schema.provenance.kind, input.kind)];
 
@@ -49,14 +79,15 @@ export const createGitOpsRouter = ({
       .from(schema.provenance)
       .where(and(...conditions));
     const row = result[0];
-    // eslint-disable-next-line unicorn/no-null
-    return row ? { ...row, warnings: row.warnings ?? [] } : null;
+    if (!row) return null;
+    const providers = await buildProviderLookup();
+    return decorateProvenance(row, providers);
   });
 
   const listProvenance = os.listProvenance.handler(async ({ input }) => {
     const rawRows = await db.select().from(schema.provenance);
-    // Normalize: ensure warnings is always a string[] (Drizzle may return null for pre-migration rows)
-    const rows = rawRows.map((row) => ({ ...row, warnings: row.warnings ?? [] }));
+    const providers = await buildProviderLookup();
+    const rows = rawRows.map((row) => decorateProvenance(row, providers));
     if (!input) return rows;
 
     return rows.filter((row) => {
@@ -92,8 +123,8 @@ export const createGitOpsRouter = ({
       type: input.type,
       target: input.target,
       pathPattern: input.pathPattern,
-      baseUrl: input.baseUrl ?? null, // eslint-disable-line unicorn/no-null
-      authToken: input.authToken ? encrypt(input.authToken) : null, // eslint-disable-line unicorn/no-null
+      baseUrl: input.baseUrl ?? null,  
+      authToken: input.authToken ? encrypt(input.authToken) : null,  
       syncInterval,
       deletionPolicy: input.deletionPolicy ?? "orphan",
     });
@@ -127,7 +158,7 @@ export const createGitOpsRouter = ({
     if (input.data.baseUrl !== undefined) updates.baseUrl = input.data.baseUrl;
     if (input.data.authToken !== undefined) {
       // null = explicitly clear token, string = encrypt and store
-      // eslint-disable-next-line unicorn/no-null
+       
       updates.authToken = input.data.authToken ? encrypt(input.data.authToken) : null;
     }
     if (input.data.syncInterval !== undefined)

package/src/sync/reconciler.ts

@@ -475,7 +475,7 @@ async function upsertProvenance(params: {
         // Preserve existing entityId on error retries; update on successful reconcile
         ...(entityId ? { entityId } : {}),
         status,
-        errorMessage: errorMessage ?? null, // eslint-disable-line unicorn/no-null
+        errorMessage: errorMessage ?? null,  
         warnings: warnings ?? [],
         repository: file.repository,
         filePath: file.filePath,
@@ -502,7 +502,7 @@ async function upsertProvenance(params: {
     lastSyncHash: contentHash,
     secretRefs,
     status,
-    errorMessage: errorMessage ?? null, // eslint-disable-line unicorn/no-null
+    errorMessage: errorMessage ?? null,  
     warnings: warnings ?? [],
   });
 }
@@ -518,7 +518,7 @@ async function updateProviderSyncStatus(params: {
     .update(schema.providers)
     .set({
       lastSyncAt: new Date(),
-      lastSyncError: error ?? null, // eslint-disable-line unicorn/no-null
+      lastSyncError: error ?? null,  
       updatedAt: new Date(),
     })
     .where(eq(schema.providers.id, providerId));