@checkstack/gitops-common 0.2.1 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,138 @@
 # @checkstack/gitops-common
 
+## 0.3.0
+
+### Minor Changes
+
+- f6f9a5c: Surface the source repository for GitOps-managed entities and gate the
+  system→group remove button on the system's lock state.
+
+  - `provenanceSchema` now carries a `sourceUrl` field, derived on the
+    backend from the provider type, baseUrl, repository and filePath. URLs
+    are constructed for github.com / gitlab.com and self-hosted
+    GitHub/GitLab where the API base ends in `/api/v3` or `/api/v4`. Other
+    baseUrls fall back to `null` so the UI keeps showing the raw path.
+  - New `useProvenanceLocks` hook (bulk variant of `useProvenanceLock`)
+    for views that render many entities and need to look up locks
+    client-side.
+  - New `<GitOpsSourceBadge>` popover component that replaces the bare
+    GitBranch icon on system and group catalog cards. The popover
+    surfaces the repository, file path, and a "View in source provider"
+    deep link.
+  - `<GitOpsLockBanner>` repo line is now a real link when a sourceUrl is
+    available.
+  - The system→group remove button in the catalog now disables itself
+    when the system is GitOps-managed, matching the backend lock that was
+    already in place.
+
+### Patch Changes
+
+- Updated dependencies [42abfff]
+  - @checkstack/common@0.9.0
+
+## 0.2.2
+
+### Patch Changes
+
+- 50e5f5f: Runtime plugin system: install + uninstall plugins from npm, GitHub releases
+  (including private GitHub Enterprise instances), or tarball uploads at
+  runtime, with multi-package bundles, dependency-derived compatibility checks,
+  multi-instance coordination via a Postgres artifact store, and
+  single-coordinator destructive cleanup.
+
+  Highlights:
+
+  - New `PluginSource` discriminated union and `PluginInstaller` /
+    `PluginInstallerRegistry` interfaces in `@checkstack/backend-api`. The
+    GitHub variant accepts an optional `apiBaseUrl` so deployments backed by
+    GitHub Enterprise can install from `https://ghe.example.com/api/v3`
+    instead of `api.github.com`.
+  - New `installPackageMetadataSchema` (Zod) in `@checkstack/common` validates
+    every plugin's `package.json` at install time. Required fields: `name`,
+    `version`, `description`, `author`, `license`, `checkstack.type`,
+    `checkstack.pluginId`. Optional: `checkstack.bundle`,
+    `checkstack.usageInstructions`, `checkstack.allowInstallScripts`.
+  - New `pluginManagerContract` in `@checkstack/pluginmanager-common` with
+    `list`, `previewInstall`, `install`, `previewUninstall`, `uninstall`, and
+    `events` procedures.
+  - New `@checkstack/pluginmanager-frontend` admin UI: installed-plugins list
+    with per-row uninstall (typed-confirmation modal, schema/configs/cascade
+    toggles), install page with NPM / Tarball Upload / GitHub Release tabs
+    (Catalog tab disabled — coming soon), and an events page surfacing the
+    install/uninstall audit log.
+  - New `bunx @checkstack/scripts plugin-pack` CLI for plugin authors —
+    per-package mode produces an npm-shaped tarball; `--bundle` mode produces
+    an outer tarball containing every sibling declared in
+    `package.json#checkstack.bundle`. Published to npm so external authors
+    can `bunx` it directly without a workspace checkout.
+  - Compatibility derived from `package.json#dependencies` ranges
+    (`semver.satisfies` against the platform's loaded `@checkstack/*`
+    versions) — no separate `compatibility` field.
+  - Multi-instance: originator persists artifacts + `plugins` rows + broadcasts
+    install/uninstall; receiving instances do in-process register/unregister
+    only. Destructive ops (drop schema, delete plugin_configs, delete
+    artifacts, delete `plugins` rows) run exactly once on the originator.
+  - Fresh-instance bootstrap: `loadPlugins()` hydrates any
+    `is_uninstallable=true` plugin missing from `node_modules` from the
+    artifact store before normal Phase 1 register.
+  - New schema: `plugin_artifacts` (tarball storage), `plugin_install_events`
+    (audit/error log). `plugins` extended with `version`, `metadata`,
+    `source`, `bundle_id`, `is_primary`. Local plugin sync now writes
+    `version` from each plugin's `package.json` so the admin UI shows real
+    versions instead of `—`.
+  - Tarball-upload endpoint (`POST /api/pluginmanager/upload-tarball`) for
+    the install UI; access-gated by `pluginmanager.plugin.manage`.
+  - Plugin Manager menu link added to the user menu (main grid, alongside
+    Profile / Notification Settings / etc.).
+
+  Cross-cutting changes:
+
+  - Backend request/response logging now flows through `rootLogger` (winston)
+    instead of `hono/logger`. 5xx responses include the response body inline
+    so swallowed early-return errors are visible in the log.
+  - The `/api/:pluginId/*` dispatcher now logs which core service is missing
+    or which `pluginId` had no metadata when it 500s.
+  - New `registerCorePluginMetadata` on `PluginManager` for core routers
+    (like the plugin manager itself) that need their metadata visible to the
+    RPC dispatcher without going through the full plugin lifecycle.
+  - ESLint: `unicorn/no-null` is now disabled globally. Drizzle distinguishes
+    between `null` (writes a real SQL NULL) and `undefined` (skip the column
+    on insert), so treating them as interchangeable produced latent bugs at
+    the persistence boundary. The bulk of the patch-bumped packages above
+    reflect lint-fix touches that landed when this rule was relaxed.
+  - Workspace-wide license normalization to `Elastic-2.0` (matches
+    `LICENSE.md`). Every `package.json` in the workspace now declares the
+    same SPDX identifier; the patch bumps capture this.
+
+  Plugin packages (every `plugins/*`): added a `pack` npm script
+  (`bunx @checkstack/scripts plugin-pack`), mirrored each plugin's
+  `pluginId` from `plugin-metadata.ts` into `package.json#checkstack.pluginId`
+  so install-time validation passes, stubbed any missing required metadata
+  fields (`description`, `author`, `license`), and added
+  `checkstack.bundle` to multi-package plugin primaries (telegram, rcon, ssh,
+  jira, queue-bullmq, queue-memory, cache-memory).
+
+  Breaking changes:
+
+  - The legacy single-method `PluginInstaller` interface (`install(packageName)`)
+    is removed. Callers must use `coreServices.pluginInstallerRegistry`.
+  - The old `pluginAdminContract` and `createPluginAdminRouter` are removed.
+    Replaced by `pluginManagerContract` in `@checkstack/pluginmanager-common`
+    and `createPluginManagerRouter` in `core/backend`.
+  - `@checkstack/test-utils-backend` no longer exports
+    `createMockPluginInstaller` / `MockPluginInstaller` (the legacy interface
+    it shimmed is gone).
+
+  Note: bumps are limited to `minor` (for packages with new public API
+  surface) and `patch` (for downstream consumers, license normalization,
+  and lint fixes). No `major` bumps despite the `PluginInstaller` removal —
+  the legacy interface had no third-party consumers in the wild before this
+  runtime plugin system landed, and the contract surface is the same shape
+  modulo the rename.
+
+- Updated dependencies [50e5f5f]
+  - @checkstack/common@0.8.0
+
 ## 0.2.1
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@checkstack/gitops-common",
-  "version": "0.2.1",
+  "version": "0.3.0",
+  "license": "Elastic-2.0",
   "type": "module",
   "exports": {
     ".": {
@@ -8,17 +9,17 @@
     }
   },
   "dependencies": {
-    "@checkstack/common": "0.6.5",
+    "@checkstack/common": "0.8.0",
     "@orpc/contract": "^1.13.14",
     "zod": "^4.2.1"
   },
   "devDependencies": {
     "typescript": "^5.7.2",
-    "@checkstack/tsconfig": "0.0.5",
-    "@checkstack/scripts": "0.1.2"
+    "@checkstack/tsconfig": "0.0.7",
+    "@checkstack/scripts": "0.3.0"
   },
   "scripts": {
-    "typecheck": "tsc --noEmit",
+    "typecheck": "tsgo -b",
     "lint": "bun run lint:code",
     "lint:code": "eslint . --max-warnings 0"
   },

package/src/index.ts

@@ -36,3 +36,7 @@ export {
   type DeletionPolicy,
 } from "./provenance-types";
 export { gitopsContract, GitOpsApi, type GitOpsContract } from "./rpc-contract";
+export {
+  deriveSourceUrl,
+  type DeriveSourceUrlInput,
+} from "./source-url";

package/src/provenance-types.ts

@@ -16,6 +16,12 @@ export const provenanceSchema = z.object({
   providerId: z.string(),
   repository: z.string(),
   filePath: z.string(),
+  /**
+   * Browsable web URL pointing to the entity's defining file in its source
+   * provider, derived from the provider type, baseUrl, repository and filePath.
+   * Null when the URL cannot be safely derived (unknown baseUrl shape, etc.).
+   */
+  sourceUrl: z.string().nullable(),
   lastSyncHash: z.string(),
   status: provenanceStatusSchema,
   errorMessage: z.string().nullable(),

package/src/source-url.test.ts

@@ -0,0 +1,152 @@
+import { describe, expect, test } from "bun:test";
+import { deriveSourceUrl } from "./source-url";
+
+describe("deriveSourceUrl", () => {
+  test("public github.com", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: null,
+        repository: "acme/checkstack",
+        filePath: "catalog/system.yaml",
+      }),
+    ).toBe("https://github.com/acme/checkstack/blob/HEAD/catalog/system.yaml");
+  });
+
+  test("public gitlab.com", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "gitlab",
+        baseUrl: null,
+        repository: "acme/checkstack",
+        filePath: "catalog/system.yaml",
+      }),
+    ).toBe(
+      "https://gitlab.com/acme/checkstack/-/blob/HEAD/catalog/system.yaml",
+    );
+  });
+
+  test("api.github.com baseUrl maps to public host", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: "https://api.github.com",
+        repository: "acme/checkstack",
+        filePath: "catalog/system.yaml",
+      }),
+    ).toBe("https://github.com/acme/checkstack/blob/HEAD/catalog/system.yaml");
+  });
+
+  test("github enterprise baseUrl strips /api/v3", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: "https://github.example.com/api/v3",
+        repository: "acme/checkstack",
+        filePath: "catalog/system.yaml",
+      }),
+    ).toBe(
+      "https://github.example.com/acme/checkstack/blob/HEAD/catalog/system.yaml",
+    );
+  });
+
+  test("self-hosted gitlab baseUrl strips /api/v4", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "gitlab",
+        baseUrl: "https://gitlab.example.com/api/v4",
+        repository: "team/sub/checkstack",
+        filePath: "catalog/system.yaml",
+      }),
+    ).toBe(
+      "https://gitlab.example.com/team/sub/checkstack/-/blob/HEAD/catalog/system.yaml",
+    );
+  });
+
+  test("nested gitlab namespaces preserved", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "gitlab",
+        baseUrl: null,
+        repository: "group/sub/project",
+        filePath: "a/b.yaml",
+      }),
+    ).toBe("https://gitlab.com/group/sub/project/-/blob/HEAD/a/b.yaml");
+  });
+
+  test("encodes spaces and special characters in path segments", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: null,
+        repository: "acme/checkstack",
+        filePath: "catalog/my system.yaml",
+      }),
+    ).toBe(
+      "https://github.com/acme/checkstack/blob/HEAD/catalog/my%20system.yaml",
+    );
+  });
+
+  test("strips leading slashes from filePath", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: null,
+        repository: "acme/checkstack",
+        filePath: "/catalog/system.yaml",
+      }),
+    ).toBe("https://github.com/acme/checkstack/blob/HEAD/catalog/system.yaml");
+  });
+
+  test("returns null for unknown self-hosted baseUrl", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: "https://github.example.com/some/weird/path",
+        repository: "acme/checkstack",
+        filePath: "catalog/system.yaml",
+      }),
+    ).toBeNull();
+  });
+
+  test("returns null for traversal attempts", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: null,
+        repository: "acme/checkstack",
+        filePath: "../etc/passwd",
+      }),
+    ).toBeNull();
+  });
+
+  test("returns null for empty inputs", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: null,
+        repository: "",
+        filePath: "x.yaml",
+      }),
+    ).toBeNull();
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: null,
+        repository: "a/b",
+        filePath: "",
+      }),
+    ).toBeNull();
+  });
+
+  test("returns null for malformed baseUrl", () => {
+    expect(
+      deriveSourceUrl({
+        providerType: "github",
+        baseUrl: "not a url",
+        repository: "acme/checkstack",
+        filePath: "x.yaml",
+      }),
+    ).toBeNull();
+  });
+});

package/src/source-url.ts

@@ -0,0 +1,89 @@
+/**
+ * Derive a human-browsable source URL for a GitOps-managed entity.
+ *
+ * Returns null when we don't have enough information to construct a stable URL
+ * (e.g., unknown provider type or a malformed `repository` value). Callers
+ * should fall back to displaying the raw `repository`/`filePath` text.
+ *
+ * The URL points at the file on the default branch via the `HEAD` ref so we
+ * don't need to know the branch name. Both GitHub and GitLab resolve `HEAD`
+ * server-side for blob URLs.
+ */
+export interface DeriveSourceUrlInput {
+  providerType: "github" | "gitlab";
+  /** The provider's `baseUrl` (API base) — null for public github.com/gitlab.com. */
+  baseUrl: string | null;
+  /** GitHub: `owner/repo`. GitLab: `group/project` (or nested `group/sub/project`). */
+  repository: string;
+  filePath: string;
+}
+
+const GITHUB_PUBLIC_HOST = "https://github.com";
+const GITLAB_PUBLIC_HOST = "https://gitlab.com";
+
+const stripApiSuffix = ({
+  providerType,
+  baseUrl,
+}: {
+  providerType: "github" | "gitlab";
+  baseUrl: string;
+}): string | null => {
+  // We only know how to strip the well-known API path suffixes. Anything else
+  // we treat as untrusted and bail out — better to fall back to text than to
+  // construct a broken link.
+  try {
+    const url = new URL(baseUrl);
+    if (providerType === "github") {
+      // api.github.com → github.com (public host has no API path component)
+      if (url.host === "api.github.com") return GITHUB_PUBLIC_HOST;
+      // GitHub Enterprise: https://github.example.com/api/v3
+      if (url.pathname.replace(/\/$/, "") === "/api/v3") {
+        return `${url.protocol}//${url.host}`;
+      }
+      return null;
+    }
+    // GitLab: https://gitlab.example.com/api/v4
+    if (url.pathname.replace(/\/$/, "") === "/api/v4") {
+      return `${url.protocol}//${url.host}`;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+};
+
+const encodeFilePath = (filePath: string) =>
+  filePath
+    .replace(/^\/+/, "")
+    .split("/")
+    .map((segment) => encodeURIComponent(segment))
+    .join("/");
+
+export const deriveSourceUrl = ({
+  providerType,
+  baseUrl,
+  repository,
+  filePath,
+}: DeriveSourceUrlInput): string | null => {
+  if (!repository || !filePath) return null;
+  // Reject backslashes and absolute-looking paths to keep things tidy.
+  if (repository.includes("..") || filePath.includes("..")) return null;
+
+  const host = baseUrl
+    ? stripApiSuffix({ providerType, baseUrl })
+    : providerType === "github"
+      ? GITHUB_PUBLIC_HOST
+      : GITLAB_PUBLIC_HOST;
+  if (!host) return null;
+
+  const repoPath = repository
+    .split("/")
+    .map((segment) => encodeURIComponent(segment))
+    .join("/");
+  const encodedFile = encodeFilePath(filePath);
+
+  if (providerType === "github") {
+    return `${host}/${repoPath}/blob/HEAD/${encodedFile}`;
+  }
+  return `${host}/${repoPath}/-/blob/HEAD/${encodedFile}`;
+};

package/tsconfig.json

@@ -1,4 +1,11 @@
 {
   "extends": "@checkstack/tsconfig/common.json",
-  "include": ["src"]
+  "include": [
+    "src"
+  ],
+  "references": [
+    {
+      "path": "../common"
+    }
+  ]
 }