@checkstack/healthcheck-backend 0.1.0 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,190 @@
 # @checkstack/healthcheck-backend
 
+## 0.3.0
+
+### Minor Changes
+
+- 9faec1f: # Unified AccessRule Terminology Refactoring
+
+  This release completes a comprehensive terminology refactoring from "permission" to "accessRule" across the entire codebase, establishing a consistent and modern access control vocabulary.
+
+  ## Changes
+
+  ### Core Infrastructure (`@checkstack/common`)
+
+  - Introduced `AccessRule` interface as the primary access control type
+  - Added `accessPair()` helper for creating read/manage access rule pairs
+  - Added `access()` builder for individual access rules
+  - Replaced `Permission` type with `AccessRule` throughout
+
+  ### API Changes
+
+  - `env.registerPermissions()` → `env.registerAccessRules()`
+  - `meta.permissions` → `meta.access` in RPC contracts
+  - `usePermission()` → `useAccess()` in frontend hooks
+  - Route `permission:` field → `accessRule:` field
+
+  ### UI Changes
+
+  - "Roles & Permissions" tab → "Roles & Access Rules"
+  - "You don't have permission..." → "You don't have access..."
+  - All permission-related UI text updated
+
+  ### Documentation & Templates
+
+  - Updated 18 documentation files with AccessRule terminology
+  - Updated 7 scaffolding templates with `accessPair()` pattern
+  - All code examples use new AccessRule API
+
+  ## Migration Guide
+
+  ### Backend Plugins
+
+  ```diff
+  - import { permissionList } from "./permissions";
+  - env.registerPermissions(permissionList);
+  + import { accessRules } from "./access";
+  + env.registerAccessRules(accessRules);
+  ```
+
+  ### RPC Contracts
+
+  ```diff
+  - .meta({ userType: "user", permissions: [permissions.read.id] })
+  + .meta({ userType: "user", access: [access.read] })
+  ```
+
+  ### Frontend Hooks
+
+  ```diff
+  - const canRead = accessApi.usePermission(permissions.read.id);
+  + const canRead = accessApi.useAccess(access.read);
+  ```
+
+  ### Routes
+
+  ```diff
+  - permission: permissions.entityRead.id,
+  + accessRule: access.read,
+  ```
+
+### Patch Changes
+
+- Updated dependencies [9faec1f]
+- Updated dependencies [827b286]
+- Updated dependencies [f533141]
+- Updated dependencies [aa4a8ab]
+  - @checkstack/backend-api@0.3.0
+  - @checkstack/catalog-backend@0.2.0
+  - @checkstack/catalog-common@1.1.0
+  - @checkstack/command-backend@0.1.0
+  - @checkstack/common@0.2.0
+  - @checkstack/healthcheck-common@0.3.0
+  - @checkstack/integration-backend@0.1.0
+  - @checkstack/signal-common@0.1.0
+  - @checkstack/queue-api@0.0.5
+
+## 0.2.0
+
+### Minor Changes
+
+- 8e43507: # Teams and Resource-Level Access Control
+
+  This release introduces a comprehensive Teams system for organizing users and controlling access to resources at a granular level.
+
+  ## Features
+
+  ### Team Management
+
+  - Create, update, and delete teams with name and description
+  - Add/remove users from teams
+  - Designate team managers with elevated privileges
+  - View team membership and manager status
+
+  ### Resource-Level Access Control
+
+  - Grant teams access to specific resources (systems, health checks, incidents, maintenances)
+  - Configure read-only or manage permissions per team
+  - Resource-level "Team Only" mode that restricts access exclusively to team members
+  - Separate `resourceAccessSettings` table for resource-level settings (not per-grant)
+  - Automatic cleanup of grants when teams are deleted (database cascade)
+
+  ### Middleware Integration
+
+  - Extended `autoAuthMiddleware` to support resource access checks
+  - Single-resource pre-handler validation for detail endpoints
+  - Automatic list filtering for collection endpoints
+  - S2S endpoints for access verification
+
+  ### Frontend Components
+
+  - `TeamsTab` component for managing teams in Auth Settings
+  - `TeamAccessEditor` component for assigning team access to resources
+  - Resource-level "Team Only" toggle in `TeamAccessEditor`
+  - Integration into System, Health Check, Incident, and Maintenance editors
+
+  ## Breaking Changes
+
+  ### API Response Format Changes
+
+  List endpoints now return objects with named keys instead of arrays directly:
+
+  ```typescript
+  // Before
+  const systems = await catalogApi.getSystems();
+
+  // After
+  const { systems } = await catalogApi.getSystems();
+  ```
+
+  Affected endpoints:
+
+  - `catalog.getSystems` → `{ systems: [...] }`
+  - `healthcheck.getConfigurations` → `{ configurations: [...] }`
+  - `incident.listIncidents` → `{ incidents: [...] }`
+  - `maintenance.listMaintenances` → `{ maintenances: [...] }`
+
+  ### User Identity Enrichment
+
+  `RealUser` and `ApplicationUser` types now include `teamIds: string[]` field with team memberships.
+
+  ## Documentation
+
+  See `docs/backend/teams.md` for complete API reference and integration guide.
+
+- 97c5a6b: Add UUID-based collector identification for better multiple collector support
+
+  **Breaking Change**: Existing health check configurations with collectors need to be recreated.
+
+  - Each collector instance now has a unique UUID assigned on creation
+  - Collector results are stored under the UUID key with `_collectorId` and `_assertionFailed` metadata
+  - Auto-charts correctly display separate charts for each collector instance
+  - Charts are now grouped by collector instance with clear headings
+  - Assertion status card shows pass/fail for each collector
+  - Renamed "Success" to "HTTP Success" to clarify it's about HTTP request success
+  - Fixed deletion of collectors not persisting to database
+  - Fixed duplicate React key warnings in auto-chart grid
+
+### Patch Changes
+
+- 97c5a6b: Fix collector lookup when health check is assigned to a system
+
+  Collectors are now stored in the registry with their fully-qualified ID format (ownerPluginId.collectorId) to match how they are referenced in health check configurations. Added `qualifiedId` field to `RegisteredCollector` interface to avoid re-constructing the ID at query time. This fixes the "Collector not found" warning that occurred when executing health checks with assigned systems.
+
+- Updated dependencies [97c5a6b]
+- Updated dependencies [8e43507]
+- Updated dependencies [8e43507]
+- Updated dependencies [97c5a6b]
+  - @checkstack/backend-api@0.2.0
+  - @checkstack/catalog-common@1.0.0
+  - @checkstack/catalog-backend@0.1.0
+  - @checkstack/common@0.1.0
+  - @checkstack/healthcheck-common@0.2.0
+  - @checkstack/command-backend@0.0.4
+  - @checkstack/integration-backend@0.0.4
+  - @checkstack/queue-api@0.0.4
+  - @checkstack/signal-common@0.0.4
+
 ## 0.1.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/healthcheck-backend",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "type": "module",
   "main": "src/index.ts",
   "scripts": {

package/src/index.ts

@@ -5,11 +5,11 @@ import {
 import * as schema from "./schema";
 import { NodePgDatabase } from "drizzle-orm/node-postgres";
 import {
-  permissionList,
+  healthCheckAccessRules,
+  healthCheckAccess,
   pluginMetadata,
   healthCheckContract,
   healthcheckRoutes,
-  permissions,
 } from "@checkstack/healthcheck-common";
 import {
   createBackendPlugin,
@@ -55,7 +55,7 @@ let storedEmitHook: EmitHookFn | undefined;
 export default createBackendPlugin({
   metadata: pluginMetadata,
   register(env) {
-    env.registerPermissions(permissionList);
+    env.registerAccessRules(healthCheckAccessRules);
 
     // Register hooks as integration events
     const integrationEvents = env.getExtensionPoint(
@@ -142,7 +142,7 @@ export default createBackendPlugin({
               route:
                 resolveRoute(healthcheckRoutes.routes.config) +
                 "?action=create",
-              requiredPermissions: [permissions.healthCheckManage],
+              requiredAccessRules: [healthCheckAccess.configuration.manage],
             },
             {
               id: "manage",
@@ -151,7 +151,7 @@ export default createBackendPlugin({
               iconName: "HeartPulse",
               shortcuts: ["meta+shift+h", "ctrl+shift+h"],
               route: resolveRoute(healthcheckRoutes.routes.config),
-              requiredPermissions: [permissions.healthCheckManage],
+              requiredAccessRules: [healthCheckAccess.configuration.manage],
             },
           ],
         });

package/src/queue-executor.test.ts

@@ -61,7 +61,7 @@ const createMockCatalogClient = () => ({
   notifySystemSubscribers: mock(async () => ({ notifiedCount: 0 })),
   // Other methods not used in queue-executor
   getEntities: mock(async () => ({ systems: [], groups: [] })),
-  getSystems: mock(async () => []),
+  getSystems: mock(async () => ({ systems: [] })),
   getGroups: mock(async () => []),
   createSystem: mock(async () => ({})),
   updateSystem: mock(async () => ({})),

package/src/queue-executor.ts

@@ -316,6 +316,9 @@ async function executeHealthCheckJob(props: {
           continue;
         }
 
+        // Use the collector's UUID as the storage key
+        const storageKey = collectorEntry.id;
+
         try {
           const collectorResult = await registered.collector.execute({
             config: collectorEntry.config,
@@ -323,9 +326,6 @@ async function executeHealthCheckJob(props: {
             pluginId: configRow.strategyId,
           });
 
-          // Store result under collector ID
-          collectorResults[collectorEntry.collectorId] = collectorResult.result;
-
           // Check for collector-level error
           if (collectorResult.error) {
             hasCollectorError = true;
@@ -333,6 +333,7 @@ async function executeHealthCheckJob(props: {
           }
 
           // Evaluate per-collector assertions
+          let assertionFailed: string | undefined;
           if (
             collectorEntry.assertions &&
             collectorEntry.assertions.length > 0 &&
@@ -345,23 +346,31 @@ async function executeHealthCheckJob(props: {
             );
             if (failedAssertion) {
               hasCollectorError = true;
-              errorMessage = `Assertion failed: ${failedAssertion.field} ${
+              assertionFailed = `${failedAssertion.field} ${
                 failedAssertion.operator
               } ${failedAssertion.value ?? ""}`;
+              errorMessage = `Assertion failed: ${assertionFailed}`;
               logger.debug(
-                `Collector ${collectorEntry.collectorId} assertion failed: ${errorMessage}`
+                `Collector ${storageKey} assertion failed: ${errorMessage}`
               );
             }
           }
+
+          // Store result under the collector's UUID, with collector type and assertion metadata
+          collectorResults[storageKey] = {
+            _collectorId: collectorEntry.collectorId, // Store the type for frontend schema linking
+            _assertionFailed: assertionFailed, // null if no assertion failed
+            ...collectorResult.result,
+          };
         } catch (error) {
           hasCollectorError = true;
           errorMessage = error instanceof Error ? error.message : String(error);
-          collectorResults[collectorEntry.collectorId] = {
+          collectorResults[storageKey] = {
+            _collectorId: collectorEntry.collectorId,
+            _assertionFailed: undefined,
             error: errorMessage,
           };
-          logger.debug(
-            `Collector ${collectorEntry.collectorId} failed: ${errorMessage}`
-          );
+          logger.debug(`Collector ${storageKey} failed: ${errorMessage}`);
         }
       }
     } finally {

package/src/router.test.ts

@@ -8,7 +8,7 @@ describe("HealthCheck Router", () => {
   const mockUser = {
     type: "user" as const,
     id: "test-user",
-    permissions: ["*"],
+    accessRules: ["*"],
     roles: ["admin"],
   };
 
@@ -82,11 +82,13 @@ describe("HealthCheck Router", () => {
     });
 
     const result = await call(router.getConfigurations, undefined, { context });
-    expect(Array.isArray(result)).toBe(true);
+    expect(result).toHaveProperty("configurations");
+    expect(Array.isArray(result.configurations)).toBe(true);
   });
 
   it("getCollectors returns collectors for strategy", async () => {
     const mockCollector = {
+      qualifiedId: "collector-hardware.cpu",
       collector: {
         id: "cpu",
         displayName: "CPU Metrics",

package/src/router.ts

@@ -14,8 +14,8 @@ import { toJsonSchemaWithChartMeta } from "./schema-utils";
 /**
  * Creates the healthcheck router using contract-based implementation.
  *
- * Auth and permissions are automatically enforced via autoAuthMiddleware
- * based on the contract's meta.userType and meta.permissions.
+ * Auth and access rules are automatically enforced via autoAuthMiddleware
+ * based on the contract's meta.userType and meta.access.
  */
 export const createHealthCheckRouter = (
   database: NodePgDatabase<typeof schema>,
@@ -68,9 +68,8 @@ export const createHealthCheckRouter = (
           pluginId,
         });
 
-      return registeredCollectors.map(({ collector, ownerPlugin }) => ({
-        // Fully-qualified ID: ownerPluginId.collectorId
-        id: `${ownerPlugin.pluginId}.${collector.id}`,
+      return registeredCollectors.map(({ qualifiedId, collector }) => ({
+        id: qualifiedId,
         displayName: collector.displayName,
         description: collector.description,
         configSchema: toJsonSchema(collector.config.schema),
@@ -80,7 +79,7 @@ export const createHealthCheckRouter = (
     }),
 
     getConfigurations: os.getConfigurations.handler(async () => {
-      return service.getConfigurations();
+      return { configurations: await service.getConfigurations() };
     }),
 
     createConfiguration: os.createConfiguration.handler(async ({ input }) => {

package/src/service.ts

@@ -491,7 +491,7 @@ export class HealthCheckService {
 
   /**
    * Get detailed health check run history with full result data.
-   * Restricted to users with manage permission.
+   * Restricted to users with manage access.
    */
   async getDetailedHistory(props: {
     systemId?: string;
@@ -530,7 +530,7 @@ export class HealthCheckService {
       .limit(limit)
       .offset(offset);
 
-    // Return with full result data for manage permission
+    // Return with full result data for manage access
     return {
       runs: runs.map((run) => ({
         id: run.id,