@checkstack/healthcheck-backend 1.5.0 → 1.6.0

package/src/ai/assertion-validation.test.ts

@@ -0,0 +1,117 @@
+import { describe, expect, test } from "bun:test";
+import { validateCollectorAssertions } from "./assertion-validation";
+import type { CollectorConfigEntry } from "@checkstack/healthcheck-common";
+
+const httpResultSchema: Record<string, unknown> = {
+  type: "object",
+  properties: {
+    statusCode: { type: "number" },
+    body: { type: "string" },
+    ok: { type: "boolean" },
+  },
+};
+
+const schemas = new Map([["healthcheck-http.request", httpResultSchema]]);
+
+function collector(
+  assertions: CollectorConfigEntry["assertions"],
+): CollectorConfigEntry[] {
+  return [
+    {
+      id: "c1",
+      collectorId: "healthcheck-http.request",
+      config: {},
+      assertions,
+    },
+  ];
+}
+
+describe("validateCollectorAssertions", () => {
+  test("accepts a valid field + operator", () => {
+    const issues = validateCollectorAssertions({
+      collectors: collector([
+        { field: "statusCode", operator: "equals", value: 200 },
+      ]),
+      resultSchemasById: schemas,
+    });
+    expect(issues).toEqual([]);
+  });
+
+  test("rejects an unknown operator (the reported 'eq' bug)", () => {
+    const issues = validateCollectorAssertions({
+      collectors: collector([
+        { field: "statusCode", operator: "eq", value: 200 },
+      ]),
+      resultSchemasById: schemas,
+    });
+    expect(issues).toHaveLength(1);
+    expect(issues[0].path).toEqual(["collectors", 0, "assertions", 0, "operator"]);
+    expect(issues[0].message).toContain("Unknown operator");
+    expect(issues[0].message).toContain("equals");
+  });
+
+  test("rejects an unknown field (the reported 'status' bug)", () => {
+    const issues = validateCollectorAssertions({
+      collectors: collector([
+        { field: "status", operator: "equals", value: 200 },
+      ]),
+      resultSchemasById: schemas,
+    });
+    expect(issues).toHaveLength(1);
+    expect(issues[0].path).toEqual(["collectors", 0, "assertions", 0, "field"]);
+    expect(issues[0].message).toContain("statusCode");
+  });
+
+  test("rejects an operator not valid for the field's type", () => {
+    const issues = validateCollectorAssertions({
+      // contains is a string operator; statusCode is a number field.
+      collectors: collector([
+        { field: "statusCode", operator: "contains", value: "2" },
+      ]),
+      resultSchemasById: schemas,
+    });
+    expect(issues).toHaveLength(1);
+    expect(issues[0].message).toContain("not valid for number field");
+  });
+
+  test("validates a JSONPath assertion against the dynamic operator set only", () => {
+    const ok = validateCollectorAssertions({
+      collectors: collector([
+        { field: "body", jsonPath: "$.data.id", operator: "exists" },
+      ]),
+      resultSchemasById: schemas,
+    });
+    expect(ok).toEqual([]);
+
+    const bad = validateCollectorAssertions({
+      collectors: collector([
+        { field: "body", jsonPath: "$.items", operator: "lengthEquals", value: 3 },
+      ]),
+      resultSchemasById: schemas,
+    });
+    expect(bad).toHaveLength(1);
+    expect(bad[0].message).toContain("JSONPath");
+  });
+
+  test("skips validation when the collector's result schema is unknown", () => {
+    const issues = validateCollectorAssertions({
+      collectors: collector([
+        { field: "anything", operator: "equals", value: 1 },
+      ]),
+      resultSchemasById: new Map(),
+    });
+    expect(issues).toEqual([]);
+  });
+
+  test("no collectors or no assertions yields no issues", () => {
+    expect(
+      validateCollectorAssertions({ collectors: undefined, resultSchemasById: schemas }),
+    ).toEqual([]);
+    expect(
+      validateCollectorAssertions({
+        collectors: collector(undefined),
+        resultSchemasById: schemas,
+      }),
+    ).toEqual([]);
+  });
+});

package/src/ai/assertion-validation.ts

@@ -0,0 +1,147 @@
+import {
+  NumericOperators,
+  StringOperators,
+  BooleanOperators,
+  ArrayOperators,
+  DynamicOperators,
+} from "@checkstack/backend-api";
+import type { CollectorConfigEntry } from "@checkstack/healthcheck-common";
+
+/**
+ * Validate the `field`/`operator` of every collector assertion against the
+ * collector's RESULT schema and the canonical operator vocabulary.
+ *
+ * WHY this exists: `CollectorAssertionSchema` types `field` and `operator` as
+ * free-form `z.string()`, and `validateConfiguration` does not check them, so a
+ * model that guesses (e.g. `field: "status", operator: "eq"` instead of
+ * `field: "statusCode", operator: "equals"`) produces a config that saves but
+ * renders as EMPTY dropdowns in the editor (the values are not in the options
+ * derived from the result schema + operator set). This validator rejects such
+ * assertions at propose/update time with a precise, self-correcting error that
+ * lists the assertable fields and valid operators, so the model fixes it.
+ *
+ * The operator vocabulary is the SAME canonical set the runtime evaluator and
+ * the editor's AssertionBuilder use (`@checkstack/backend-api` assertion enums).
+ */
+
+/** A structured validation issue, mirroring `validateConfiguration` errors. */
+export interface AssertionIssue {
+  path: Array<string | number>;
+  message: string;
+}
+
+/** Every valid operator across all field types (for the "unknown operator" check). */
+const ALL_OPERATORS: ReadonlySet<string> = new Set<string>([
+  ...NumericOperators.options,
+  ...StringOperators.options,
+  ...BooleanOperators.options,
+  ...ArrayOperators.options,
+  ...DynamicOperators.options,
+]);
+
+/** Operators valid for a given JSON Schema `type` (boolean is value-less). */
+const OPERATORS_BY_JSON_TYPE: Record<string, readonly string[]> = {
+  number: NumericOperators.options,
+  integer: NumericOperators.options,
+  string: StringOperators.options,
+  boolean: BooleanOperators.options,
+  array: ArrayOperators.options,
+};
+
+const DYNAMIC_OPERATORS: ReadonlySet<string> = new Set<string>(
+  DynamicOperators.options,
+);
+
+/** Extract the top-level `properties` record from a JSON-Schema-ish object. */
+function extractProperties(
+  resultSchema: Record<string, unknown> | undefined,
+): Record<string, { type?: unknown }> {
+  if (!resultSchema) return {};
+  const properties = resultSchema.properties;
+  if (typeof properties !== "object" || properties === null) return {};
+  return properties as Record<string, { type?: unknown }>;
+}
+
+/** Sorted, comma-joined operator list for an error message. */
+function listOperators(operators: ReadonlySet<string> | readonly string[]): string {
+  return [...operators].toSorted().join(", ");
+}
+
+/**
+ * Validate every assertion on every collector. `resultSchemasById` maps a
+ * collector id to its result JSON Schema (from the collector DTO registry).
+ * Returns one issue per problem; an empty array means all assertions are valid.
+ */
+export function validateCollectorAssertions({
+  collectors,
+  resultSchemasById,
+}: {
+  collectors: CollectorConfigEntry[] | undefined;
+  resultSchemasById: ReadonlyMap<string, Record<string, unknown>>;
+}): AssertionIssue[] {
+  const issues: AssertionIssue[] = [];
+  if (!collectors) return issues;
+
+  for (const [collectorIndex, entry] of collectors.entries()) {
+    const assertions = entry.assertions;
+    if (!assertions?.length) continue;
+
+    const properties = extractProperties(resultSchemasById.get(entry.collectorId));
+    const fieldNames = Object.keys(properties);
+
+    for (const [assertionIndex, assertion] of assertions.entries()) {
+      const at: Array<string | number> = [
+        "collectors",
+        collectorIndex,
+        "assertions",
+        assertionIndex,
+      ];
+      const isJsonPath =
+        typeof assertion.jsonPath === "string" && assertion.jsonPath.length > 0;
+
+      // Every assertion's operator must be a known operator.
+      if (!ALL_OPERATORS.has(assertion.operator)) {
+        issues.push({
+          path: [...at, "operator"],
+          message: `Unknown operator "${assertion.operator}". Valid operators: ${listOperators(ALL_OPERATORS)}.`,
+        });
+        continue;
+      }
+
+      // JSONPath assertions assert against an arbitrary path, not a result-schema
+      // field, so only the operator vocabulary applies (the dynamic set).
+      if (isJsonPath) {
+        if (!DYNAMIC_OPERATORS.has(assertion.operator)) {
+          issues.push({
+            path: [...at, "operator"],
+            message: `Operator "${assertion.operator}" is not valid for a JSONPath assertion. Valid: ${listOperators(DYNAMIC_OPERATORS)}.`,
+          });
+        }
+        continue;
+      }
+
+      // Field-based assertion: the field must exist in the collector's result
+      // schema (when we know the schema). Empty schema -> skip (cannot validate).
+      if (fieldNames.length > 0 && !fieldNames.includes(assertion.field)) {
+        issues.push({
+          path: [...at, "field"],
+          message: `Unknown assertable field "${assertion.field}" for collector "${entry.collectorId}". Assertable fields: ${fieldNames.join(", ") || "(none)"}. For an arbitrary path, set jsonPath instead.`,
+        });
+        continue;
+      }
+
+      // The operator must be valid for the field's JSON type.
+      const prop = properties[assertion.field];
+      const jsonType = prop && typeof prop.type === "string" ? prop.type : undefined;
+      const allowed = jsonType ? OPERATORS_BY_JSON_TYPE[jsonType] : undefined;
+      if (allowed && !allowed.includes(assertion.operator)) {
+        issues.push({
+          path: [...at, "operator"],
+          message: `Operator "${assertion.operator}" is not valid for ${jsonType} field "${assertion.field}". Valid: ${allowed.join(", ")}.`,
+        });
+      }
+    }
+  }
+
+  return issues;
+}

package/src/ai/healthcheck-capabilities.test.ts

@@ -0,0 +1,158 @@
+import { describe, expect, test, mock } from "bun:test";
+import type { AuthUser, RpcClient } from "@checkstack/backend-api";
+import {
+  ListCapabilitiesOutputSchema,
+  GetCapabilitySchemaOutputSchema,
+} from "@checkstack/ai-common";
+import {
+  createHealthcheckListCapabilitiesTool,
+  createHealthcheckGetCapabilitySchemaTool,
+} from "./healthcheck-capabilities";
+
+const principal: AuthUser = {
+  type: "user",
+  id: "u1",
+  accessRules: ["healthcheck.healthcheck.read"],
+};
+
+/** A real-shaped collector config schema; the round-trip must preserve it byte-for-byte. */
+const HTTP_COLLECTOR_SCHEMA = {
+  type: "object",
+  properties: {
+    url: { type: "string", format: "uri", description: "Endpoint to probe" },
+    method: { type: "string", enum: ["GET", "HEAD", "POST"], default: "GET" },
+    timeoutMs: { type: "integer", minimum: 100, maximum: 30000 },
+    expectedStatus: {
+      type: "array",
+      items: { type: "integer" },
+      default: [200],
+    },
+  },
+  required: ["url"],
+  additionalProperties: false,
+};
+
+const HTTP_STRATEGY = {
+  id: "healthcheck-http",
+  displayName: "HTTP",
+  description: "Probe HTTP endpoints",
+  category: "network",
+  configSchema: { type: "object", properties: {} },
+};
+
+const HTTP_RESULT_SCHEMA = {
+  type: "object",
+  properties: { statusCode: { type: "number" }, body: { type: "string" } },
+};
+
+const HTTP_COLLECTOR = {
+  id: "healthcheck-http.http",
+  displayName: "HTTP request",
+  description: "Issue an HTTP request and assert on the response",
+  configSchema: HTTP_COLLECTOR_SCHEMA,
+  resultSchema: HTTP_RESULT_SCHEMA,
+  allowMultiple: true,
+};
+
+function fakeHealthcheckRpcClient(): RpcClient {
+  return {
+    forPlugin: () => ({
+      getStrategies: mock(() => Promise.resolve([HTTP_STRATEGY])),
+      getCollectors: mock(() => Promise.resolve([HTTP_COLLECTOR])),
+    }),
+  } as unknown as RpcClient;
+}
+
+describe("healthcheck.listCapabilities tool", () => {
+  test("declares read effect + healthcheck config read gate, no dryRun", () => {
+    const tool = createHealthcheckListCapabilitiesTool();
+    expect(tool.name).toBe("healthcheck.listCapabilities");
+    expect(tool.effect).toBe("read");
+    expect(tool.requiredAccessRules).toEqual(["healthcheck.healthcheck.read"]);
+    expect(tool.dryRun).toBeUndefined();
+  });
+
+  test("maps strategies + collectors to roles with compact summaries", async () => {
+    const tool = createHealthcheckListCapabilitiesTool();
+    const out = await tool.execute({
+      input: {},
+      principal,
+      rpcClient: fakeHealthcheckRpcClient(),
+    });
+    expect(ListCapabilitiesOutputSchema.safeParse(out).success).toBe(true);
+    expect(out.context).toBe("healthcheck");
+    expect(out.truncated).toBe(false);
+
+    const strategy = out.entries.find((e) => e.id === "healthcheck-http");
+    const collector = out.entries.find((e) => e.id === "healthcheck-http.http");
+    expect(strategy?.role).toBe("strategy");
+    expect(collector?.role).toBe("collector");
+    // Compact summary only - never the full schema.
+    expect(collector?.configSummary).toEqual([
+      { name: "url", type: "string", required: true },
+      { name: "method", type: "enum", required: false },
+      { name: "timeoutMs", type: "number", required: false },
+      { name: "expectedStatus", type: "array", required: false },
+    ]);
+    expect(
+      (collector as unknown as Record<string, unknown>).configSchema,
+    ).toBeUndefined();
+    expect(
+      (collector as unknown as Record<string, unknown>).resultSchema,
+    ).toBeUndefined();
+  });
+});
+
+describe("healthcheck.getCapabilitySchema tool", () => {
+  test("declares read effect + healthcheck config read gate, no dryRun", () => {
+    const tool = createHealthcheckGetCapabilitySchemaTool();
+    expect(tool.name).toBe("healthcheck.getCapabilitySchema");
+    expect(tool.effect).toBe("read");
+    expect(tool.requiredAccessRules).toEqual(["healthcheck.healthcheck.read"]);
+    expect(tool.dryRun).toBeUndefined();
+  });
+
+  test("returns ONE collector's FULL config schema + result schema + operators", async () => {
+    const tool = createHealthcheckGetCapabilitySchemaTool();
+    const out = await tool.execute({
+      input: { kind: "healthcheck-http.http" },
+      principal,
+      rpcClient: fakeHealthcheckRpcClient(),
+    });
+    expect(GetCapabilitySchemaOutputSchema.safeParse(out).success).toBe(true);
+    expect(out.context).toBe("healthcheck");
+    expect(out.id).toBe("healthcheck-http.http");
+    expect(out.role).toBe("collector");
+    // The crux: the FULL schema is returned unchanged - same object the UI form uses.
+    expect(out.configSchema).toEqual(HTTP_COLLECTOR_SCHEMA);
+    // A collector ALSO exposes the assertable result fields + operator vocabulary
+    // so the model authors assertions correctly instead of guessing field/operator.
+    expect(out.resultSchema).toEqual(HTTP_RESULT_SCHEMA);
+    expect(out.assertionOperators?.number).toContain("equals");
+    expect(out.assertionOperators?.number).toContain("greaterThanOrEqual");
+    expect(out.assertionOperators?.string).toContain("contains");
+  });
+
+  test("a non-collector kind (strategy) omits resultSchema + assertionOperators", async () => {
+    const tool = createHealthcheckGetCapabilitySchemaTool();
+    const out = await tool.execute({
+      input: { kind: "healthcheck-http" },
+      principal,
+      rpcClient: fakeHealthcheckRpcClient(),
+    });
+    expect(out.role).toBe("strategy");
+    expect(out.resultSchema).toBeUndefined();
+    expect(out.assertionOperators).toBeUndefined();
+  });
+
+  test("throws a clear error for an unknown kind", async () => {
+    const tool = createHealthcheckGetCapabilitySchemaTool();
+    await expect(
+      tool.execute({
+        input: { kind: "does-not-exist" },
+        principal,
+        rpcClient: fakeHealthcheckRpcClient(),
+      }),
+    ).rejects.toThrow(/unknown.*does-not-exist/i);
+  });
+});

package/src/ai/healthcheck-capabilities.ts

@@ -0,0 +1,217 @@
+import { qualifyAccessRuleId } from "@checkstack/common";
+import type { RpcClient } from "@checkstack/backend-api";
+import {
+  NumericOperators,
+  StringOperators,
+  BooleanOperators,
+  ArrayOperators,
+  DynamicOperators,
+} from "@checkstack/backend-api";
+import {
+  HealthCheckApi,
+  healthCheckAccess,
+  pluginMetadata as healthcheckPluginMetadata,
+} from "@checkstack/healthcheck-common";
+import {
+  type GetCapabilitySchemaOutput,
+  type ListCapabilitiesOutput,
+  GetCapabilitySchemaOutputSchema,
+  ListCapabilitiesOutputSchema,
+  applyCapabilitySizeGate,
+  summarizeConfigSchema,
+  type RawCapabilityEntry,
+} from "@checkstack/ai-common";
+import { z } from "zod";
+import type { RegisteredAiTool } from "@checkstack/ai-backend";
+
+/**
+ * A fully-derived health-check catalog entry that ALSO carries its full config
+ * JSON Schema. `listCapabilities` size-gates the summary out of
+ * `RawCapabilityEntry`; `getCapabilitySchema` reads `configSchema` from the same
+ * source to return one kind's full schema intact. Keeping both on one row means
+ * a single fan-out powers both tools.
+ */
+interface CatalogEntryWithSchema extends RawCapabilityEntry {
+  configSchema: Record<string, unknown>;
+  /** Health-check collectors carry a result schema (its fields are assertable). */
+  resultSchema?: Record<string, unknown>;
+}
+
+/**
+ * Valid assertion operators per JSON type (and `jsonpath`), surfaced alongside a
+ * collector's result schema so the model authors assertions with the canonical
+ * operator words instead of guessing. Same vocabulary as the runtime evaluator
+ * and the editor's AssertionBuilder (`@checkstack/backend-api` assertion enums).
+ */
+const ASSERTION_OPERATORS: Record<string, string[]> = {
+  number: [...NumericOperators.options],
+  integer: [...NumericOperators.options],
+  string: [...StringOperators.options],
+  boolean: [...BooleanOperators.options],
+  array: [...ArrayOperators.options],
+  jsonpath: [...DynamicOperators.options],
+};
+
+/**
+ * The healthcheck config read rule that gates BOTH capability tools. This is a
+ * single-context reader (healthcheck only), so the resolver gate by the
+ * healthcheck config read rule is the authority - there is no cross-context
+ * surface, so no in-execute context assertion is needed: the tool only ever
+ * reads healthcheck data via the USER-SCOPED client passed at call time, so
+ * handler-side authorization is enforced exactly as a direct UI/RPC call.
+ */
+const HEALTHCHECK_READ_RULE = qualifyAccessRuleId(
+  healthcheckPluginMetadata,
+  healthCheckAccess.configuration.read,
+);
+
+/**
+ * Fetch + normalize every health-check capability into rows carrying both the
+ * compact summary and the full config schema. Pure mapping over the registry
+ * DTOs; the only I/O is the user-scoped-client fan-out
+ * (`getStrategies` + per-strategy `getCollectors`).
+ */
+async function fetchCatalog({
+  rpcClient,
+}: {
+  rpcClient: RpcClient;
+}): Promise<CatalogEntryWithSchema[]> {
+  const healthcheckClient = rpcClient.forPlugin(HealthCheckApi);
+  const strategies = await healthcheckClient.getStrategies();
+  const rows: CatalogEntryWithSchema[] = [];
+  for (const strategy of strategies) {
+    rows.push({
+      id: strategy.id,
+      displayName: strategy.displayName,
+      description: strategy.description,
+      role: "strategy",
+      category: strategy.category,
+      configSchema: strategy.configSchema,
+      configSummary: summarizeConfigSchema({
+        configSchema: strategy.configSchema,
+      }),
+    });
+    const collectors = await healthcheckClient.getCollectors({
+      strategyId: strategy.id,
+    });
+    for (const collector of collectors) {
+      rows.push({
+        id: collector.id,
+        displayName: collector.displayName,
+        description: collector.description,
+        role: "collector",
+        category: strategy.displayName,
+        configSchema: collector.configSchema,
+        // The collector's result schema: its top-level fields are the
+        // assertable fields the model authors assertions against.
+        resultSchema: collector.resultSchema,
+        configSummary: summarizeConfigSchema({
+          configSchema: collector.configSchema,
+        }),
+      });
+    }
+  }
+  return rows;
+}
+
+export const HealthcheckListCapabilitiesInputSchema = z.object({});
+export type HealthcheckListCapabilitiesInput = z.infer<
+  typeof HealthcheckListCapabilitiesInputSchema
+>;
+
+/**
+ * `healthcheck.listCapabilities` - the broad, size-gated catalog of health-check
+ * strategies + collectors. Sourced from the registry-introspection RPCs
+ * (`getStrategies`/`getCollectors`). Each entry returns id, displayName, a short
+ * description, and a COMPACT config summary (field names + types + required),
+ * gated so the broad catalog stays small. `effect: "read"`.
+ *
+ * This is a single-context (healthcheck-only) tool, so it is gated directly by
+ * the healthcheck config read rule - the resolver gate is the authority and no
+ * in-execute context check is needed (it only ever reads healthcheck data via
+ * the USER-SCOPED client passed at call time).
+ */
+export function createHealthcheckListCapabilitiesTool(): RegisteredAiTool<
+  HealthcheckListCapabilitiesInput,
+  ListCapabilitiesOutput
+> {
+  return {
+    name: "healthcheck.listCapabilities",
+    description:
+      "List the available health-check capability kinds: strategies + collectors. Returns each kind's id, name, short description, and a COMPACT config summary (field names + types + required). The summary is omitted for large catalogs (truncated=true) - pull one kind's full schema with healthcheck.getCapabilitySchema before configuring it.",
+    effect: "read",
+    input: HealthcheckListCapabilitiesInputSchema,
+    output: ListCapabilitiesOutputSchema,
+    requiredAccessRules: [HEALTHCHECK_READ_RULE],
+    async execute({ rpcClient }) {
+      const rows = await fetchCatalog({ rpcClient });
+      const stripped: RawCapabilityEntry[] = rows.map(
+        ({ configSchema: _schema, resultSchema: _result, ...rest }) => rest,
+      );
+      const { entries, truncated } = applyCapabilitySizeGate({
+        entries: stripped,
+      });
+      return { context: "healthcheck", entries, truncated };
+    },
+  };
+}
+
+export const HealthcheckGetCapabilitySchemaInputSchema = z.object({
+  /** The fully-qualified kind id from a `healthcheck.listCapabilities` entry. */
+  kind: z.string().min(1),
+});
+export type HealthcheckGetCapabilitySchemaInput = z.infer<
+  typeof HealthcheckGetCapabilitySchemaInputSchema
+>;
+
+/**
+ * `healthcheck.getCapabilitySchema` - the FULL config JSON Schema for ONE
+ * health-check kind, returned intact (the same schema that powers the UI config
+ * form). The two-level design keeps `listCapabilities` small while giving the
+ * model precise, complete detail only for the specific strategy/collector it is
+ * configuring. For collectors it ALSO returns the assertable `resultSchema` plus
+ * the valid `assertionOperators` vocabulary. `effect: "read"`; gated identically
+ * to `healthcheck.listCapabilities`.
+ */
+export function createHealthcheckGetCapabilitySchemaTool(): RegisteredAiTool<
+  HealthcheckGetCapabilitySchemaInput,
+  GetCapabilitySchemaOutput
+> {
+  return {
+    name: "healthcheck.getCapabilitySchema",
+    description:
+      "Return the FULL config JSON Schema for ONE health-check capability kind (a strategy or collector), identified by the id from healthcheck.listCapabilities. Use this to get exact field shapes, types, required fields, and enums before drafting a config. For collectors it also returns the assertable result fields (resultSchema) and the valid assertion operators per type.",
+    effect: "read",
+    input: HealthcheckGetCapabilitySchemaInputSchema,
+    output: GetCapabilitySchemaOutputSchema,
+    requiredAccessRules: [HEALTHCHECK_READ_RULE],
+    async execute({ input, rpcClient }) {
+      const rows = await fetchCatalog({ rpcClient });
+      const match = rows.find((row) => row.id === input.kind);
+      if (!match) {
+        const known = rows.map((row) => row.id).join(", ");
+        throw new Error(
+          `Unknown healthcheck capability kind "${input.kind}". Known kinds: ${known || "(none)"}.`,
+        );
+      }
+      const result: GetCapabilitySchemaOutput = {
+        context: "healthcheck",
+        id: match.id,
+        displayName: match.displayName,
+        description: match.description,
+        role: match.role,
+        configSchema: match.configSchema,
+        // For collectors, also expose the assertable result fields + the valid
+        // operator vocabulary so the model authors assertions correctly (field
+        // from resultSchema, operator a full word) instead of guessing.
+        ...(match.role === "collector" && match.resultSchema
+          ? {
+              resultSchema: match.resultSchema,
+              assertionOperators: ASSERTION_OPERATORS,
+            }
+          : {}),
+      };
+      return result;
+    },
+  };
+}