@checkstack/healthcheck-common 0.2.0 → 0.4.0

package/CHANGELOG.md

@@ -1,5 +1,149 @@
 # @checkstack/healthcheck-common
 
+## 0.4.0
+
+### Minor Changes
+
+- 7a23261: ## TanStack Query Integration
+
+  Migrated all frontend components to use `usePluginClient` hook with TanStack Query integration, replacing the legacy `forPlugin()` pattern.
+
+  ### New Features
+
+  - **`usePluginClient` hook**: Provides type-safe access to plugin APIs with `.useQuery()` and `.useMutation()` methods
+  - **Automatic request deduplication**: Multiple components requesting the same data share a single network request
+  - **Built-in caching**: Configurable stale time and cache duration per query
+  - **Loading/error states**: TanStack Query provides `isLoading`, `error`, `isRefetching` states automatically
+  - **Background refetching**: Stale data is automatically refreshed when components mount
+
+  ### Contract Changes
+
+  All RPC contracts now require `operationType: "query"` or `operationType: "mutation"` metadata:
+
+  ```typescript
+  const getItems = proc()
+    .meta({ operationType: "query", access: [access.read] })
+    .output(z.array(itemSchema))
+    .query();
+
+  const createItem = proc()
+    .meta({ operationType: "mutation", access: [access.manage] })
+    .input(createItemSchema)
+    .output(itemSchema)
+    .mutation();
+  ```
+
+  ### Migration
+
+  ```typescript
+  // Before (forPlugin pattern)
+  const api = useApi(myPluginApiRef);
+  const [items, setItems] = useState<Item[]>([]);
+  useEffect(() => {
+    api.getItems().then(setItems);
+  }, [api]);
+
+  // After (usePluginClient pattern)
+  const client = usePluginClient(MyPluginApi);
+  const { data: items, isLoading } = client.getItems.useQuery({});
+  ```
+
+  ### Bug Fixes
+
+  - Fixed `rpc.test.ts` test setup for middleware type inference
+  - Fixed `SearchDialog` to use `setQuery` instead of deprecated `search` method
+  - Fixed null→undefined warnings in notification and queue frontends
+
+### Patch Changes
+
+- Updated dependencies [7a23261]
+  - @checkstack/common@0.3.0
+  - @checkstack/signal-common@0.1.1
+
+## 0.3.0
+
+### Minor Changes
+
+- 9faec1f: # Unified AccessRule Terminology Refactoring
+
+  This release completes a comprehensive terminology refactoring from "permission" to "accessRule" across the entire codebase, establishing a consistent and modern access control vocabulary.
+
+  ## Changes
+
+  ### Core Infrastructure (`@checkstack/common`)
+
+  - Introduced `AccessRule` interface as the primary access control type
+  - Added `accessPair()` helper for creating read/manage access rule pairs
+  - Added `access()` builder for individual access rules
+  - Replaced `Permission` type with `AccessRule` throughout
+
+  ### API Changes
+
+  - `env.registerPermissions()` → `env.registerAccessRules()`
+  - `meta.permissions` → `meta.access` in RPC contracts
+  - `usePermission()` → `useAccess()` in frontend hooks
+  - Route `permission:` field → `accessRule:` field
+
+  ### UI Changes
+
+  - "Roles & Permissions" tab → "Roles & Access Rules"
+  - "You don't have permission..." → "You don't have access..."
+  - All permission-related UI text updated
+
+  ### Documentation & Templates
+
+  - Updated 18 documentation files with AccessRule terminology
+  - Updated 7 scaffolding templates with `accessPair()` pattern
+  - All code examples use new AccessRule API
+
+  ## Migration Guide
+
+  ### Backend Plugins
+
+  ```diff
+  - import { permissionList } from "./permissions";
+  - env.registerPermissions(permissionList);
+  + import { accessRules } from "./access";
+  + env.registerAccessRules(accessRules);
+  ```
+
+  ### RPC Contracts
+
+  ```diff
+  - .meta({ userType: "user", permissions: [permissions.read.id] })
+  + .meta({ userType: "user", access: [access.read] })
+  ```
+
+  ### Frontend Hooks
+
+  ```diff
+  - const canRead = accessApi.usePermission(permissions.read.id);
+  + const canRead = accessApi.useAccess(access.read);
+  ```
+
+  ### Routes
+
+  ```diff
+  - permission: permissions.entityRead.id,
+  + accessRule: access.read,
+  ```
+
+- f533141: Enforce health result factory function usage via branded types
+
+  - Added `healthResultSchema()` builder that enforces the use of factory functions at compile-time
+  - Added `healthResultArray()` factory for array fields (e.g., DNS resolved values)
+  - Added branded `HealthResultField<T>` type to mark schemas created by factory functions
+  - Consolidated `ChartType` and `HealthResultMeta` into `@checkstack/common` as single source of truth
+  - Updated all 12 health check strategies and 11 collectors to use `healthResultSchema()`
+  - Using raw `z.number()` etc. inside `healthResultSchema()` now causes a TypeScript error
+
+### Patch Changes
+
+- Updated dependencies [9faec1f]
+- Updated dependencies [f533141]
+  - @checkstack/common@0.2.0
+  - @checkstack/signal-common@0.1.0
+
 ## 0.2.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/healthcheck-common",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "type": "module",
   "exports": {
     ".": {

package/src/access.ts

@@ -0,0 +1,55 @@
+import { access, accessPair } from "@checkstack/common";
+
+/**
+ * Access rules for the Health Check plugin.
+ */
+export const healthCheckAccess = {
+  /**
+   * Status-only access for viewing health check status.
+   * Enabled by default for anonymous and authenticated users.
+   * Uses system-level instance access for team-based filtering.
+   */
+  status: access("healthcheck.status", "read", "View Health Check Status", {
+    idParam: "systemId",
+    isDefault: true,
+    isPublic: true,
+  }),
+
+  /**
+   * Bulk status access for viewing health check status for multiple systems.
+   * Uses recordKey for filtering the output record by accessible system IDs.
+   */
+  bulkStatus: access("healthcheck.status", "read", "View Health Check Status", {
+    recordKey: "statuses",
+    isDefault: true,
+    isPublic: true,
+  }),
+
+  /**
+   * Configuration access for viewing and managing health check configurations.
+   */
+  configuration: accessPair("healthcheck", {
+    read: "Read Health Check Configurations",
+    manage: "Full management of Health Check Configurations",
+  }),
+
+  /**
+   * Access for viewing detailed health check run data including metadata.
+   * Allows access to extended visualizations without full management access.
+   */
+  details: access(
+    "healthcheck.details",
+    "read",
+    "View Detailed Health Check Run Data (Warning: This may expose sensitive data, depending on the health check strategy)"
+  ),
+};
+
+/**
+ * All access rules for registration with the plugin system.
+ */
+export const healthCheckAccessRules = [
+  healthCheckAccess.status,
+  healthCheckAccess.configuration.read,
+  healthCheckAccess.configuration.manage,
+  healthCheckAccess.details,
+];

package/src/index.ts

@@ -1,4 +1,4 @@
-export * from "./permissions";
+export * from "./access";
 export * from "./schemas";
 export * from "./zod-health-result";
 

package/src/rpc-contract.ts

@@ -1,12 +1,7 @@
-import { oc } from "@orpc/contract";
-import {
-  createClientDefinition,
-  createResourceAccessList,
-  type ProcedureMetadata,
-} from "@checkstack/common";
+import { createClientDefinition, proc } from "@checkstack/common";
 import { pluginMetadata } from "./plugin-metadata";
 import { z } from "zod";
-import { permissions } from "./permissions";
+import { healthCheckAccess } from "./access";
 import {
   HealthCheckStrategyDtoSchema,
   CollectorDtoSchema,
@@ -23,15 +18,6 @@ import {
   AggregatedBucketSchema,
 } from "./schemas";
 
-// Base builder with full metadata support
-const _base = oc.$meta<ProcedureMetadata>({});
-
-// Resource access configurations for team-based access control
-const configListAccess = createResourceAccessList(
-  "configuration",
-  "configurations"
-);
-
 // --- Response Schemas for Evaluated Status ---
 
 const SystemCheckStatusSchema = z.object({
@@ -48,28 +34,27 @@ const SystemHealthStatusResponseSchema = z.object({
   checkStatuses: z.array(SystemCheckStatusSchema),
 });
 
+export type SystemHealthStatusResponse = z.infer<
+  typeof SystemHealthStatusResponseSchema
+>;
+
 // Health Check RPC Contract using oRPC's contract-first pattern
 export const healthCheckContract = {
   // ==========================================================================
-  // STRATEGY MANAGEMENT (userType: "authenticated" with read permission)
+  // STRATEGY MANAGEMENT (userType: "authenticated" with read access)
   // ==========================================================================
 
-  getStrategies: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckRead.id],
-    })
-    .output(z.array(HealthCheckStrategyDtoSchema)),
+  getStrategies: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.read],
+  }).output(z.array(HealthCheckStrategyDtoSchema)),
 
-  /**
-   * Get available collectors for a specific strategy.
-   * Returns collectors that support the given strategy's transport.
-   */
-  getCollectors: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckRead.id],
-    })
+  getCollectors: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.read],
+  })
     .input(z.object({ strategyId: z.string() }))
     .output(z.array(CollectorDtoSchema)),
 
@@ -77,29 +62,27 @@ export const healthCheckContract = {
   // CONFIGURATION MANAGEMENT (userType: "authenticated")
   // ==========================================================================
 
-  getConfigurations: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckRead.id],
-      resourceAccess: [configListAccess],
-    })
-    .output(
-      z.object({ configurations: z.array(HealthCheckConfigurationSchema) })
-    ),
+  getConfigurations: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.read],
+  }).output(
+    z.object({ configurations: z.array(HealthCheckConfigurationSchema) })
+  ),
 
-  createConfiguration: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckManage.id],
-    })
+  createConfiguration: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.manage],
+  })
     .input(CreateHealthCheckConfigurationSchema)
     .output(HealthCheckConfigurationSchema),
 
-  updateConfiguration: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckManage.id],
-    })
+  updateConfiguration: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.manage],
+  })
     .input(
       z.object({
         id: z.string(),
@@ -108,11 +91,11 @@ export const healthCheckContract = {
     )
     .output(HealthCheckConfigurationSchema),
 
-  deleteConfiguration: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckManage.id],
-    })
+  deleteConfiguration: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.manage],
+  })
     .input(z.string())
     .output(z.void()),
 
@@ -120,23 +103,19 @@ export const healthCheckContract = {
   // SYSTEM ASSOCIATION (userType: "authenticated")
   // ==========================================================================
 
-  getSystemConfigurations: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckRead.id],
-    })
+  getSystemConfigurations: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.read],
+  })
     .input(z.string())
     .output(z.array(HealthCheckConfigurationSchema)),
 
-  /**
-   * Get system associations with their threshold configurations.
-   * Returns full association data including enabled state and thresholds.
-   */
-  getSystemAssociations: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckRead.id],
-    })
+  getSystemAssociations: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.read],
+  })
     .input(z.object({ systemId: z.string() }))
     .output(
       z.array(
@@ -149,11 +128,11 @@ export const healthCheckContract = {
       )
     ),
 
-  associateSystem: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckManage.id],
-    })
+  associateSystem: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.manage],
+  })
     .input(
       z.object({
         systemId: z.string(),
@@ -162,11 +141,11 @@ export const healthCheckContract = {
     )
     .output(z.void()),
 
-  disassociateSystem: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckManage.id],
-    })
+  disassociateSystem: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.manage],
+  })
     .input(
       z.object({
         systemId: z.string(),
@@ -176,14 +155,14 @@ export const healthCheckContract = {
     .output(z.void()),
 
   // ==========================================================================
-  // RETENTION CONFIGURATION (userType: "authenticated" with manage permission)
+  // RETENTION CONFIGURATION (userType: "authenticated" with manage access)
   // ==========================================================================
 
-  getRetentionConfig: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckRead.id],
-    })
+  getRetentionConfig: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.read],
+  })
     .input(
       z.object({
         systemId: z.string(),
@@ -196,11 +175,11 @@ export const healthCheckContract = {
       })
     ),
 
-  updateRetentionConfig: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckManage.id],
-    })
+  updateRetentionConfig: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [healthCheckAccess.configuration.manage],
+  })
     .input(
       z.object({
         systemId: z.string(),
@@ -211,14 +190,14 @@ export const healthCheckContract = {
     .output(z.void()),
 
   // ==========================================================================
-  // HISTORY & STATUS (userType: "user" with read permission)
+  // HISTORY & STATUS (userType: "public" with read access)
   // ==========================================================================
 
-  getHistory: _base
-    .meta({
-      userType: "public",
-      permissions: [permissions.healthCheckStatusRead.id],
-    })
+  getHistory: proc({
+    operationType: "query",
+    userType: "public",
+    access: [healthCheckAccess.status],
+  })
     .input(
       z.object({
         systemId: z.string().optional(),
@@ -236,15 +215,11 @@ export const healthCheckContract = {
       })
     ),
 
-  /**
-   * Get detailed health check run history with full result data.
-   * Requires permission to view detailed run data including metadata.
-   */
-  getDetailedHistory: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.healthCheckDetailsRead.id],
-    })
+  getDetailedHistory: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [healthCheckAccess.details],
+  })
     .input(
       z.object({
         systemId: z.string().optional(),
@@ -262,16 +237,11 @@ export const healthCheckContract = {
       })
     ),
 
-  /**
-   * Get aggregated health check history for long-term analysis.
-   * Returns pre-computed buckets with core metrics only (no strategy-specific data).
-   * For strategy-specific aggregated results, use getDetailedAggregatedHistory.
-   */
-  getAggregatedHistory: _base
-    .meta({
-      userType: "public",
-      permissions: [permissions.healthCheckStatusRead.id],
-    })
+  getAggregatedHistory: proc({
+    operationType: "query",
+    userType: "public",
+    access: [healthCheckAccess.status],
+  })
     .input(
       z.object({
         systemId: z.string(),
@@ -287,16 +257,11 @@ export const healthCheckContract = {
       })
     ),
 
-  /**
-   * Get detailed aggregated health check history including strategy-specific data.
-   * Returns buckets with core metrics AND aggregatedResult from strategy.
-   * Requires healthCheckDetailsRead permission.
-   */
-  getDetailedAggregatedHistory: _base
-    .meta({
-      userType: "public",
-      permissions: [permissions.healthCheckDetailsRead.id],
-    })
+  getDetailedAggregatedHistory: proc({
+    operationType: "query",
+    userType: "public",
+    access: [healthCheckAccess.details],
+  })
     .input(
       z.object({
         systemId: z.string(),
@@ -312,27 +277,31 @@ export const healthCheckContract = {
       })
     ),
 
-  /**
-   * Get evaluateted health status for a system based on configured thresholds.
-   * Aggregates all health check statuses for the system.
-   */
-  getSystemHealthStatus: _base
-    .meta({
-      userType: "public",
-      permissions: [permissions.healthCheckStatusRead.id],
-    })
+  getSystemHealthStatus: proc({
+    operationType: "query",
+    userType: "public",
+    access: [healthCheckAccess.status],
+  })
     .input(z.object({ systemId: z.string() }))
     .output(SystemHealthStatusResponseSchema),
 
-  /**
-   * Get comprehensive health overview for a system.
-   * Returns all health checks with their last 25 runs for sparkline visualization.
-   */
-  getSystemHealthOverview: _base
-    .meta({
-      userType: "public",
-      permissions: [permissions.healthCheckStatusRead.id],
-    })
+  getBulkSystemHealthStatus: proc({
+    operationType: "query",
+    userType: "public",
+    access: [healthCheckAccess.bulkStatus],
+  })
+    .input(z.object({ systemIds: z.array(z.string()) }))
+    .output(
+      z.object({
+        statuses: z.record(z.string(), SystemHealthStatusResponseSchema),
+      })
+    ),
+
+  getSystemHealthOverview: proc({
+    operationType: "query",
+    userType: "public",
+    access: [healthCheckAccess.status],
+  })
     .input(z.object({ systemId: z.string() }))
     .output(
       z.object({

package/src/schemas.ts

@@ -272,7 +272,7 @@ export const DEFAULT_RETENTION_CONFIG: RetentionConfig = {
 /**
  * Base schema for aggregated health check data buckets.
  * Contains core metrics only (no strategy-specific data).
- * Used by getAggregatedHistory endpoint (healthCheckStatusRead permission).
+ * Used by getAggregatedHistory endpoint (healthCheckStatusRead access).
  */
 export const AggregatedBucketBaseSchema = z.object({
   bucketStart: z.date(),
@@ -292,7 +292,7 @@ export type AggregatedBucketBase = z.infer<typeof AggregatedBucketBaseSchema>;
 
 /**
  * Extended schema with strategy-specific aggregated result.
- * Used by getDetailedAggregatedHistory endpoint (healthCheckDetailsRead permission).
+ * Used by getDetailedAggregatedHistory endpoint (healthCheckDetailsRead access).
  */
 export const AggregatedBucketSchema = AggregatedBucketBaseSchema.extend({
   aggregatedResult: z.record(z.string(), z.unknown()).optional(),

package/src/zod-health-result.ts

@@ -1,54 +1,95 @@
 import { z } from "zod";
+import type { HealthResultMeta } from "@checkstack/common";
 
 // ============================================================================
 // HEALTH RESULT REGISTRY - Typed metadata for chart annotations
 // ============================================================================
 
 /**
- * Chart types for auto-generated health check visualizations.
- *
- * Numeric types:
- * - line: Time series line chart for numeric metrics over time
- * - bar: Bar chart for distributions (record of string to number)
- * - pie: Pie chart for category distributions (record of string to number)
- * - counter: Simple count display with trend indicator
- * - gauge: Percentage gauge for rates/percentages (0-100)
- *
- * Non-numeric types:
- * - boolean: Boolean indicator (success/failure, connected/disconnected)
- * - text: Text display for string values
- * - status: Status badge for error/warning states
+ * Registry for health result schema metadata.
+ * Used by auto-chart components for visualization inference.
  */
-export type ChartType =
-  | "line"
-  | "bar"
-  | "pie"
-  | "counter"
-  | "gauge"
-  | "boolean"
-  | "text"
-  | "status";
+export const healthResultRegistry = z.registry<HealthResultMeta>();
+
+// ============================================================================
+// BRANDED TYPES FOR COMPILE-TIME ENFORCEMENT
+// ============================================================================
 
 /**
- * Metadata type for health check result schemas.
- * Provides autocompletion for `.meta()` calls on result fields.
+ * Unique symbol for branding health result fields.
+ * This enables compile-time enforcement that developers use factory functions.
  */
-export interface HealthResultMeta {
-  /** The type of chart to render for this field */
-  "x-chart-type"?: ChartType;
-  /** Human-readable label for the chart (defaults to field name) */
-  "x-chart-label"?: string;
-  /** Unit suffix for values (e.g., 'ms', '%', 'req/s') */
-  "x-chart-unit"?: string;
-  /** Whether this field supports JSONPath assertions */
-  "x-jsonpath"?: boolean;
-}
+declare const HealthResultBrand: unique symbol;
 
 /**
- * Registry for health result schema metadata.
- * Used by auto-chart components for visualization inference.
+ * A branded Zod schema type that marks it as a health result field.
+ * Only schemas created via factory functions (healthResultNumber, healthResultString, etc.)
+ * carry this brand.
  */
-export const healthResultRegistry = z.registry<HealthResultMeta>();
+export type HealthResultField<T extends z.ZodTypeAny> = T & {
+  [HealthResultBrand]: true;
+};
+
+/**
+ * Allowed field types in a health result schema.
+ * Supports direct fields, optional fields, and fields with defaults.
+ */
+export type HealthResultFieldType =
+  | HealthResultField<z.ZodTypeAny>
+  | z.ZodOptional<HealthResultField<z.ZodTypeAny>>
+  | z.ZodDefault<HealthResultField<z.ZodTypeAny>>
+  | z.ZodNullable<HealthResultField<z.ZodTypeAny>>;
+
+/**
+ * Constraint for health result schema shapes.
+ * All fields must use factory functions (healthResultNumber, healthResultString, etc.)
+ *
+ * @example
+ * ```typescript
+ * // ✅ Valid - uses factory functions
+ * const validSchema = z.object({
+ *   value: healthResultNumber({ "x-chart-type": "line" }),
+ *   error: healthResultString({ "x-chart-type": "status" }).optional(),
+ * });
+ *
+ * // ❌ Invalid - uses raw z.number()
+ * const invalidSchema = z.object({
+ *   value: z.number(), // Type error!
+ * });
+ * ```
+ */
+export type HealthResultShape = Record<string, HealthResultFieldType>;
+
+// ============================================================================
+// HEALTH RESULT SCHEMA BUILDER
+// ============================================================================
+
+/**
+ * Create a health result schema that enforces the use of factory functions.
+ *
+ * This builder ensures all fields use healthResultNumber(), healthResultString(),
+ * healthResultBoolean(), or healthResultJSONPath() - raw Zod schemas like z.number()
+ * will cause a compile-time error.
+ *
+ * @example
+ * ```typescript
+ * // ✅ Valid - all fields use factory functions
+ * const schema = healthResultSchema({
+ *   responseTime: healthResultNumber({ "x-chart-type": "line", "x-chart-label": "Response Time" }),
+ *   error: healthResultString({ "x-chart-type": "status" }).optional(),
+ * });
+ *
+ * // ❌ Invalid - raw z.number() causes type error
+ * const schema = healthResultSchema({
+ *   value: z.number(), // Type error: not assignable to HealthResultFieldType
+ * });
+ * ```
+ */
+export function healthResultSchema<T extends HealthResultShape>(
+  shape: T
+): z.ZodObject<T> {
+  return z.object(shape);
+}
 
 // ============================================================================
 // TYPED HEALTH RESULT FACTORIES
@@ -69,28 +110,53 @@ type ChartMeta = Omit<HealthResultMeta, "x-jsonpath">;
  * });
  * ```
  */
-export function healthResultString(meta: ChartMeta) {
+export function healthResultString(
+  meta: ChartMeta
+): HealthResultField<z.ZodString> {
   const schema = z.string();
   schema.register(healthResultRegistry, meta);
-  return schema;
+  return schema as HealthResultField<z.ZodString>;
 }
 
 /**
  * Create a health result number field with typed chart metadata.
  */
-export function healthResultNumber(meta: ChartMeta) {
+export function healthResultNumber(
+  meta: ChartMeta
+): HealthResultField<z.ZodNumber> {
   const schema = z.number();
   schema.register(healthResultRegistry, meta);
-  return schema;
+  return schema as HealthResultField<z.ZodNumber>;
 }
 
 /**
  * Create a health result boolean field with typed chart metadata.
  */
-export function healthResultBoolean(meta: ChartMeta) {
+export function healthResultBoolean(
+  meta: ChartMeta
+): HealthResultField<z.ZodBoolean> {
   const schema = z.boolean();
   schema.register(healthResultRegistry, meta);
-  return schema;
+  return schema as HealthResultField<z.ZodBoolean>;
+}
+
+/**
+ * Create a health result array field with typed chart metadata.
+ * For arrays of strings (e.g., DNS resolved values, list of hosts).
+ *
+ * @example
+ * ```typescript
+ * const resultSchema = healthResultSchema({
+ *   resolvedValues: healthResultArray({ "x-chart-type": "text", "x-chart-label": "Values" }),
+ * });
+ * ```
+ */
+export function healthResultArray(
+  meta: ChartMeta
+): HealthResultField<z.ZodArray<z.ZodString>> {
+  const schema = z.array(z.string());
+  schema.register(healthResultRegistry, meta);
+  return schema as HealthResultField<z.ZodArray<z.ZodString>>;
 }
 
 /**
@@ -106,10 +172,12 @@ export function healthResultBoolean(meta: ChartMeta) {
  * });
  * ```
  */
-export function healthResultJSONPath(meta: ChartMeta) {
+export function healthResultJSONPath(
+  meta: ChartMeta
+): HealthResultField<z.ZodString> {
   const schema = z.string();
   schema.register(healthResultRegistry, { ...meta, "x-jsonpath": true });
-  return schema;
+  return schema as HealthResultField<z.ZodString>;
 }
 
 // ============================================================================

package/src/permissions.ts

@@ -1,39 +0,0 @@
-import { createPermission } from "@checkstack/common";
-
-export const permissions = {
-  /**
-   * Status-only permission for viewing health check status.
-   * Enabled by default for anonymous and authenticated users.
-   */
-  healthCheckStatusRead: createPermission(
-    "healthcheck.status",
-    "read",
-    "View Health Check Status",
-    { isAuthenticatedDefault: true, isPublicDefault: true }
-  ),
-  /**
-   * Configuration read permission for viewing health check configurations.
-   * Restricted to users with explicit grant.
-   */
-  healthCheckRead: createPermission(
-    "healthcheck",
-    "read",
-    "Read Health Check Configurations"
-  ),
-  /**
-   * Permission for viewing detailed health check run data including metadata.
-   * Allows access to extended visualizations without full management access.
-   */
-  healthCheckDetailsRead: createPermission(
-    "healthcheck.details",
-    "read",
-    "View Detailed Health Check Run Data (Warning: This may expose sensitive data, depending on the health check strategy)"
-  ),
-  healthCheckManage: createPermission(
-    "healthcheck",
-    "manage",
-    "Full management of Health Check Configurations"
-  ),
-};
-
-export const permissionList = Object.values(permissions);