npm - @checkstack/healthcheck-frontend - Versions diffs - 0.20.0 → 0.22.0 - Mend

@checkstack/healthcheck-frontend 0.20.0 → 0.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md +244 -0
package/package.json +16 -14
package/src/components/assignments/NotificationsPanel.tsx +8 -237
package/src/components/editor/CollectorScriptTestRenderer.tsx +115 -0
package/src/components/editor/CollectorSection.tsx +35 -8
package/tsconfig.json +6 -0

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,249 @@
 # @checkstack/healthcheck-frontend
+## 0.22.0
+### Minor Changes
+- b995afb: Move health-check flapping configuration from the per-assignment notification policy onto the `healthcheck.flapping_detected` automation trigger.
+  Flapping thresholds (`transitions`, `windowMinutes`) are now configured on the trigger itself, next to the automation that reacts to them, instead of on each check assignment. The health-check executor still owns the windowed transition counting (it writes `health_check_unhealthy_transitions` and runs the window query), but it now SOURCES the thresholds from the subscribed automations' trigger config:
+  - On a transition-to-unhealthy it records the transition unconditionally (keeping history warm), then looks up the enabled automations subscribed to `healthcheck.flapping_detected`, collects the distinct set of configured windows, counts transitions once per distinct window, and emits one `healthcheck.flapping_detected` per window. The trigger's exact-window `evaluateConfig` gate then fires each automation only for its own window and transition threshold.
+  - A missing or partial flapping trigger config defaults to `{ transitions: 3, windowMinutes: 60 }`, so automations created before the trigger carried config keep working unchanged.
+  - `automation-backend` exposes a new backend-only, read-only `automationSubscriptionsRef` service ref (`findEnabledByTriggerEvent`) so a plugin that owns a trigger's underlying event can discover its subscribers' trigger config. It is never browser-exposed.
+  **BREAKING CHANGES**
+  - The per-assignment `notificationPolicy.flappingTrigger` field is removed. `NotificationPolicy` is now `{ suppressDeEscalations }` only. Stored rows that still carry a `flappingTrigger` key parse cleanly - the key is stripped on read - so no data migration is required, but the per-check flapping toggle/threshold in the assignment Notifications tab is gone; configure flapping on the trigger instead.
+  - The GitOps `System.healthcheck[].notificationPolicy.flappingTrigger` field is removed. A `flappingTrigger` block in a manifest is ignored. Move the thresholds to the `transitions` / `windowMinutes` config of your `healthcheck.flapping_detected` automation trigger.
+  - The standalone `enabled` flag for flapping is gone: flapping is "enabled" precisely when at least one enabled automation subscribes to `healthcheck.flapping_detected`. With no subscriber, the transition is still recorded but nothing is counted or emitted.
+- b995afb: Remove the legacy per-assignment auto-incident system. Auto-incidents are now built entirely by user-authored automations; nothing is seeded or hardcoded.
+  What was removed:
+  - The one-time migration that auto-seeded "sustained unhealthy" and "flapping" default automations from each assignment's notification policy, plus the `listAutoIncidentPolicies` RPC it consumed.
+  - The seeder-only notification-policy settings and their UI: `autoOpenIncidentOnUnhealthy`, `useNotificationSuppression`, `skipDuringMaintenance`, `sustainedUnhealthyTrigger`, and `autoCloseAfterMinutes`. The assignment **Notifications** tab now exposes only the two live settings: **Suppress de-escalation notifications** and the **flapping-detection** thresholds.
+  - The dead `health_check_auto_incidents` table (no longer written or read; dropped via migration).
+  What is preserved: flapping detection (`healthcheck.flapping_detected`) and de-escalation suppression are unchanged. The `flappingTrigger` and `suppressDeEscalations` policy fields stay exactly as before.
+  > [!NOTE]
+  > One-time cleanup: an automation-backend migration deletes the historically auto-seeded incident automations (`managed_by LIKE 'auto-incident:%'`) from existing databases. This is intentional and destructive - those automations were no longer managed by anything. If you had edited a seeded automation and want to keep it, re-create it as a normal automation before upgrading. See the "Build auto-incident automations" guide for templates.
+  > [!IMPORTANT]
+  > NARROWING: `NotificationPolicySchema` is narrowed to `{ suppressDeEscalations, flappingTrigger }`. Stored rows that still carry the removed legacy keys parse cleanly - zod strips the unknown keys on read - so no data migration is required for the `system_health_checks.notification_policy` column. GitOps `notificationPolicy` specs that set the removed fields are no longer accepted for those keys.
+- 270ef29: Extend in-UI script testing to health-check collectors, and add
+  load-from-run replay for automation script tests.
+  - Health-check collectors: a new `testCollectorScript` RPC runs the
+    inline-script (TypeScript) collector and the shell `script` collector
+    against an editable, auto-seeded sample context using the same
+    sandboxed runner the real collector uses. Surfaces beneath the
+    collector script fields in the collector editor (both marked
+    `x-script-testable`). Gated by `healthcheck.configuration.manage`.
+  - Automation replay: a new `getRunScopeForReplay` RPC reconstructs an
+    editable test context from a real run (trigger + persisted artifacts,
+    plus the durable scope snapshot when the run is still in-flight), and
+    the script-test panel gains a "Load from run" picker that seeds the
+    sample context from a past run.
+  Note: health-check executions do not persist the script / config /
+  check / system that produced a result, so there is no health-check
+  replay - auto-seed is the only context source for collector tests. This
+  is by design; see the feature plan.
+- b995afb: Autocomplete the import specifier itself in script editors.
+  Lazy type acquisition only loads a package's types once its name is already in the buffer, so while you were still typing the import specifier (`import {} from "lod"`) there were no suggestions - the lazy-ATA catch-22. Script editors now suggest installed package names directly in import-specifier position; selecting one (e.g. `lodash`) inserts the name, and the existing ATA loop then loads its `@types/lodash` closure so members complete.
+  - `@checkstack/ui`: `CodeEditor`/`TypefoxEditor` gained an injected `importablePackages?: string[]` prop and a dedicated Monaco completion provider (registered once per `typescript`/`javascript` language, scoped to the editor's model, disposed on unmount). It fires ONLY when the cursor is inside an import/require module-specifier string - detected by a new pure, unit-tested helper `importSpecifierCompletionContext(lineUpToCursor)` that handles `from "…"`, bare `import "…"`, `require("…")`, and dynamic `import("…")`, returns the partial specifier + the replace range, and returns null once the string is closed or outside an import. Items are `kind: Module`, insert the bare name without touching the quotes, and coexist with (do not replace) the TS worker's own completions. Trigger characters: `"`, `'`, and `/` (for scoped subpaths); manual invoke (Ctrl+Space) also works. A new pure helper `importablePackageNames` filters a raw manifest name list (excludes `@types/*`, dedupes, sorts).
+  - `@checkstack/script-packages-frontend`: `useScriptPackageTypeAcquisition()` now also returns `importablePackages`, derived from the installed manifest (what is actually resolvable at runtime) with `@types/*` companions excluded - you import `lodash`, never `@types/lodash` (the `@types` package still backs the closure types).
+  - `@checkstack/automation-frontend` / `@checkstack/healthcheck-frontend`: pass `importablePackages` into `DynamicForm` alongside the existing `acquireTypes` wiring, so both the Run Script action editor and healthcheck collector editors get import-name completion.
+  The completion list is plugin-agnostic in `@checkstack/ui` (the names are injected); it never fires outside import-string positions, so normal completions are unaffected.
+- b995afb: Fix package IntelliSense in script editors: lazy Automatic Type Acquisition (ATA) with proper `@types/*` resolution.
+  Script editors (automation "Run Script (TypeScript)" and healthcheck collectors) now provide real autocomplete for installed npm packages. Importing a package whose types live in DefinitelyTyped - e.g. `import { debounce } from "lodash"` (lodash ships no own types; `@types/lodash` does) - now yields member completions. Previously no package completions appeared at all.
+  Root cause: the old rollup wrapped each package's raw, multi-file `.d.ts` (with `export =`, `export as namespace`, and triple-slash `/// <reference path>` chains) inside a single `declare module "<name>" { ... }`, which the TypeScript worker silently rejected, and it truncated large type sets (lodash is ~866 KB across ~700 files) at a 256 KB cap.
+  The fix registers the REAL declaration files at their `node_modules/...` virtual paths and lets TypeScript's own NodeJs + `@types` resolution do the work:
+  - `@checkstack/script-packages-backend`: replaced `rollupPackageTypes` with a tree-driven closure extractor (`resolvePackageTypeClosure`). Given a bare specifier, it resolves against the materialized tree - own types via `package.json` `types`/`typings`/`exports` (bundled-types packages like `zod`/`dayjs`), the `@types/<mangled>` companion when it exists (`lodash` -> `@types/lodash`, scoped `@babel/core` -> `@types/babel__core`), or both, or neither (graceful empty, never a throw). It follows `/// <reference path|types>` and relative imports, includes each package's `package.json`, leaves every file UNWRAPPED, and surfaces a `truncated` flag instead of silently capping. Served from a new raw, HTTP-cacheable route `GET /api/script-packages/types/:lockfileHash/:specifier` (`Cache-Control: private, max-age=1y, immutable`), auth-gated by `script-packages.read`.
+  - `@checkstack/script-packages-common`: **BREAKING** - replaced the `listPackageTypes` RPC procedure and `PackageTypesSchema { name, version, dts }` with `PackageTypeClosureSchema` (a `{ path, content }` file-map plus `hasOwnTypes`/`hasAtTypes`/`notFound`/`truncated`) served over the cacheable HTTP route. Added a shared `buildTypeAcquisitionPath`/`parseTypeAcquisitionPath` path contract.
+  - `@checkstack/ui`: `CodeEditor`/`TypefoxEditor` gained an injected `acquireTypes` resolver + `acquireResetKey`. On debounced buffer change it parses bare `import`/`require` specifiers (pure, unit-tested) and lazily fetches + registers each NEW package's closure via `addExtraLib` at `file:///node_modules/...`, deduped by a shared acquired-set that resets when the install hash changes. Compiler options set `moduleResolution: NodeJs`, `baseUrl: "file:///"`, and `typeRoots` so a bare import resolves to its `@types` companion. The `context` ambient global keeps working unchanged.
+  - `@checkstack/script-packages-frontend`: replaced the old `useScriptPackageTypes` (which concatenated the broken `dts`) with `useScriptPackageTypeAcquisition()`, returning the `acquireTypes` resolver (targets the cacheable route, zod-validates the response) and the current `lockfileHash` as `acquireResetKey`.
+  - `@checkstack/automation-frontend` / `@checkstack/healthcheck-frontend`: wired the resolver into the Run Script and collector editors.
+  State & scale: the type closure is derived on read from the materialized package tree (no new durable state). The editor's acquired-set is pod-local UI bookkeeping; the route is keyed by the cluster-wide `lockfileHash`, so the browser HTTP cache is correct across pods and only refetches after a new install changes the hash.
+- 270ef29: Wire up the script-packages RPC router, admin UI, and editor IntelliSense.
+  - `script-packages-backend`: the oRPC router implementing the full
+    contract (allowlist CRUD, registry config with encrypted write-only auth
+    token, `installNow` via the elected installer, size cap, storage backend
+    selection, install state, `getManifest` / `downloadBlob` for reconcilers,
+    and `listPackageTypes`), the `installNow` controller (election, size-cap
+    enforcement, `script-packages.changed` emit, blocked during migration),
+    the `.d.ts` rollup, the singleton config stores, and the full plugin
+    wiring (broadcast-hook reconcile + startup backstop).
+  - `script-packages-common`: admin route for the settings page.
+  - `script-packages-frontend`: the Settings -> Script Packages admin page
+    (allowlist, install state + size, registry/storage summary, satellite
+    sync) and the `useScriptPackageTypes()` hook.
+  - `automation-frontend` / `healthcheck-frontend`: merge installed-package
+    `.d.ts` into the script-editor `typeDefinitions` so `import` from an
+    allowlisted package autocompletes in every script field.
+- b995afb: Fix the automation Run Script action's `secretEnv` (secret → env mapping) test wiring and tolerate bare secret names.
+  - `@checkstack/ui` `ScriptTestPanel` now accepts the script field's declared `secretEnv` and renders an optional per-secret test-override input. The `ScriptTestRenderer` callback (DynamicForm) receives the SIBLING `x-secret-env` mapping value, located by annotation (not by field name), so a testable script field forwards it to the panel. Previously the test path never sent `secretEnv`, so `buildTestSecretEnv` got `undefined` and `process.env.<env>` was undefined in an in-UI test. Now an override-less test injects `__SECRET_<NAME>__` placeholders, and any operator override is masked from the output. Real secret values are still NEVER resolved in the test path.
+  - `@checkstack/automation-frontend` forwards the action's `secretEnv` and the collected overrides to `testScript`.
+  - `@checkstack/secrets-common`: the `secretEnv` mapping VALUE now accepts EITHER a `${{ secrets.NAME }}` template OR a bare secret name, normalizing a bare name to the canonical `${{ secrets.NAME }}` template on parse. This is a forgiving / NARROWING input change (more inputs accepted; stored/output form is unchanged and still the template), not a breaking change. Existing data and YAML shorthand like `secretEnv: { secret: SECRET }` now pass config validation instead of failing with "Must contain a ${{ secrets.NAME }} reference". Partial inline interpolation (e.g. `u:${{ secrets.pw }}@host`) keeps working unchanged; values that are neither a secret reference nor a valid secret name are still rejected.
+  - `@checkstack/ui` `parseSecretName` tolerates a legacy bare secret name for display so the picker shows the same name for both the template and the bare form.
+  The healthcheck collector test panel was checked: its config has no `x-secret-env` field, so it needed no secret wiring (only the `onRun` signature change, which is backward compatible).
+- 270ef29: Secrets platform Phase 2: secret -> env-var mapping with central resolve, inject, and mask.
+  - Script consumers declare a least-privilege `secretEnv` allowlist
+    (`{ ENV_NAME: "${{ secrets.NAME }}" }`). The automation `run_script` /
+    `run_shell` actions resolve ONLY the declared secrets via
+    `secretResolverRef.resolveForRun`, inject them into the runner env for
+    that run (memory-only; the ESM runner gained a per-run `env` option), and
+    mask their values out of stdout/stderr/result/error via the run-scoped
+    masking context. A missing required secret fails the run clearly. No
+    ambient secret access.
+  - Test panel: `testScript` / `testCollectorScript` inject named
+    `__SECRET_<NAME>__` placeholders by default, or user-supplied per-secret
+    overrides; real production values are never resolved in the test path,
+    and overrides are masked out of the result.
+  - Healthcheck collectors carry the `secretEnv` field for authoring +
+    the test panel; runtime injection on satellites lands in Phase 3.
+  - Editor UX: a new `@checkstack/ui` `SecretEnvEditor` renders `x-secret-env`
+    record fields with `${{ secrets.* }}` name autocomplete (from
+    `listSecretNames`), wired into the automation action editor and the
+    healthcheck collector editor. New `withConfigMeta` helper +
+    `x-secret-env` config-meta key in `@checkstack/backend-api`.
+### Patch Changes
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+  - @checkstack/ui@1.12.0
+  - @checkstack/healthcheck-common@1.4.0
+  - @checkstack/script-packages-frontend@0.2.0
+  - @checkstack/satellite-common@0.7.0
+  - @checkstack/secrets-frontend@0.1.0
+  - @checkstack/auth-frontend@0.6.7
+  - @checkstack/dashboard-frontend@0.7.8
+  - @checkstack/gitops-frontend@0.4.7
+  - @checkstack/tips-frontend@0.2.7
+## 0.21.0
+### Minor Changes
+- 35bc682: feat(healthcheck): expose check + system run-context to script collectors
+  Script health checks can now read which check and system a run is for.
+  Previously shell scripts got only a curated env whitelist and inline
+  scripts only `context.config`, so a script had no built-in way to know
+  its own check name or the system it was checking.
+  - `@checkstack/backend-api`: new `CollectorRunContext` type
+    (`{ check: { id, name, intervalSeconds }, system: { id, name } }`) and
+    an optional `runContext` param on `CollectorStrategy.execute`. Optional,
+    so existing collector implementations are unaffected.
+  - Shell-script collector: injects reserved `CHECKSTACK_CHECK_ID`,
+    `CHECKSTACK_CHECK_NAME`, `CHECKSTACK_CHECK_INTERVAL_SECONDS`,
+    `CHECKSTACK_SYSTEM_ID`, `CHECKSTACK_SYSTEM_NAME` env vars (user-supplied
+    `env` still wins on collision).
+  - Inline-script collector: exposes `context.check` and `context.system`
+    alongside `context.config`; the inline-script editor now types them for
+    autocomplete.
+  - Shell editors (health-check collectors and automation shell actions) now
+    also suggest the user's own `env` (JSON) keys as `$NAME` completions, via
+    the new exported `customShellEnvVars` helper. Keys that aren't valid shell
+    identifiers are omitted.
+  - Fix: the Typefox `CodeEditor` captured a stale `onChange` at editor start,
+    so editing one `DynamicForm` field reverted sibling fields changed since
+    mount (e.g. typing in a shell `script` field wiped an unsaved `env` value,
+    or deleted a sibling automation action added after mount). The change
+    handler now routes through a ref to the current `onChange`.
+  - Fix: focusing a JSON editor threw "LanguageStatusService.addStatus is not
+    supported" because the standalone service set omitted `ILanguageStatusService`.
+    That one service is now registered via `serviceOverrides`.
+  - Fix: the automation trigger card nested a `<Badge>` (a `<div>`) inside a
+    `<p>`, producing a `validateDOMNesting` warning. Switched the wrapper to a
+    `<div>`.
+  - Local runs (`queue-executor`) and satellite runs both populate the
+    context. `SatelliteAssignment` (and the `getAssignmentsForSatellite`
+    RPC output) gained optional `configName` / `systemName` so the metadata
+    reaches satellite-side execution; `HealthCheckService` resolves the
+    system name via the catalog client.
+  BREAKING CHANGE: `createHealthCheckRouter` now requires a `catalogClient`
+  option (used to resolve system names for satellite assignments). Update
+  call sites to pass the catalog RPC client.
+### Patch Changes
+- Updated dependencies [e2d6f25]
+- Updated dependencies [41c77f4]
+- Updated dependencies [41c77f4]
+- Updated dependencies [41c77f4]
+- Updated dependencies [41c77f4]
+- Updated dependencies [4832e33]
+- Updated dependencies [6d52276]
+- Updated dependencies [35bc682]
+- Updated dependencies [c39ee69]
+  - @checkstack/frontend-api@0.6.0
+  - @checkstack/ui@1.11.0
+  - @checkstack/common@0.12.0
+  - @checkstack/healthcheck-common@1.3.0
+  - @checkstack/satellite-common@0.6.0
+  - @checkstack/auth-frontend@0.6.6
+  - @checkstack/catalog-common@2.2.3
+  - @checkstack/dashboard-frontend@0.7.7
+  - @checkstack/gitops-frontend@0.4.6
+  - @checkstack/tips-frontend@0.2.6
+  - @checkstack/anomaly-common@1.2.3
+  - @checkstack/signal-frontend@0.1.5
 ## 0.20.0
 ### Minor Changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/healthcheck-frontend",
-  "version": "0.20.0",
+  "version": "0.22.0",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.tsx",
@@ -13,18 +13,20 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/anomaly-common": "1.2.2",
-    "@checkstack/auth-frontend": "0.6.5",
-    "@checkstack/catalog-common": "2.2.2",
-    "@checkstack/common": "0.11.0",
-    "@checkstack/dashboard-frontend": "0.7.5",
-    "@checkstack/frontend-api": "0.5.2",
-    "@checkstack/gitops-frontend": "0.4.5",
-    "@checkstack/healthcheck-common": "1.1.2",
-    "@checkstack/satellite-common": "0.5.2",
-    "@checkstack/signal-frontend": "0.1.4",
-    "@checkstack/tips-frontend": "0.2.5",
-    "@checkstack/ui": "1.10.0",
+    "@checkstack/anomaly-common": "1.2.3",
+    "@checkstack/auth-frontend": "0.6.6",
+    "@checkstack/catalog-common": "2.2.3",
+    "@checkstack/common": "0.12.0",
+    "@checkstack/dashboard-frontend": "0.7.7",
+    "@checkstack/frontend-api": "0.6.0",
+    "@checkstack/gitops-frontend": "0.4.6",
+    "@checkstack/healthcheck-common": "1.3.0",
+    "@checkstack/satellite-common": "0.6.0",
+    "@checkstack/script-packages-frontend": "0.1.0",
+    "@checkstack/secrets-frontend": "0.0.1",
+    "@checkstack/signal-frontend": "0.1.5",
+    "@checkstack/tips-frontend": "0.2.6",
+    "@checkstack/ui": "1.11.0",
     "ajv": "^8.18.0",
     "ajv-formats": "^3.0.1",
     "date-fns": "^4.1.0",
@@ -36,7 +38,7 @@
     "zod": "^4.2.1"
   },
   "devDependencies": {
-    "@checkstack/scripts": "0.3.3",
+    "@checkstack/scripts": "0.3.4",
     "@checkstack/tsconfig": "0.0.7",
     "@types/react": "^18.2.0",
     "typescript": "^5.0.0"

package/src/components/assignments/NotificationsPanel.tsx CHANGED Viewed

@@ -1,6 +1,6 @@
 import React from "react";
 import type { NotificationPolicy } from "@checkstack/healthcheck-common";
-import { Button, Input, Label, Toggle, Tooltip } from "@checkstack/ui";
+import { Button, Label, Toggle, Tooltip } from "@checkstack/ui";
 interface NotificationsPanelProps {
   policy: NotificationPolicy;
@@ -25,6 +25,12 @@ interface NotificationsPanelProps {
  * Panel for configuring per-association notification behaviour. All
  * settings are scoped to a single (system, configuration) assignment
  * — different checks on the same system are independent.
+ *
+ * Auto-incident opening/closing is no longer configured here: it ships
+ * as ordinary user automations. Flapping thresholds likewise moved onto
+ * the automation engine's windowed-count gate (the
+ * `healthcheck.system_health_changed` trigger's `window` block). What
+ * remains is the de-escalation notification preference.
  */
 export const NotificationsPanel: React.FC<NotificationsPanelProps> = ({
   policy,
@@ -56,7 +62,7 @@ export const NotificationsPanel: React.FC<NotificationsPanelProps> = ({
         <h3 className="text-sm font-semibold">Notifications</h3>
         <p className="text-xs text-muted-foreground mt-1">
           Control which health state transitions notify subscribers for this
-          check, and when an incident is auto-opened for the system.
+          check.
         </p>
       </div>
@@ -135,241 +141,6 @@ export const NotificationsPanel: React.FC<NotificationsPanelProps> = ({
         </div>
       </div>
-      {/* Auto-open incident */}
-      <div className="p-4 bg-muted/50 rounded-lg border space-y-4">
-        <div className="flex items-start justify-between gap-4">
-          <div className="flex-1 min-w-0">
-            <div className="flex items-center gap-2">
-              <Label className="text-sm font-medium">
-                Auto-open incident when this check is critical
-              </Label>
-              <Tooltip content="When either trigger below fires, an incident is auto-opened on the system. Different checks on the same system are independent — disabling here only affects this check." />
-            </div>
-            <p className="text-xs text-muted-foreground mt-1">
-              One incident per outage instead of one ping per state change.
-              Especially useful for Jira / Slack / email — the incident's
-              suppression silences downstream channels for the lifetime of
-              the incident.
-            </p>
-          </div>
-          <Toggle
-            checked={policy.autoOpenIncidentOnUnhealthy}
-            onCheckedChange={(checked: boolean) =>
-              onChange({ ...policy, autoOpenIncidentOnUnhealthy: checked })
-            }
-            disabled={disabled}
-            aria-label="Auto-open incident when this check is critical"
-          />
-        </div>
-        {policy.autoOpenIncidentOnUnhealthy && (
-          <div className="pl-4 border-l-2 border-border space-y-4">
-            {/* Suppress further notifications */}
-            <div className="flex items-start justify-between gap-4">
-              <div className="flex-1 min-w-0">
-                <Label className="text-sm">
-                  Suppress further notifications while open
-                </Label>
-                <p className="text-xs text-muted-foreground mt-1">
-                  Email, Jira, Slack all silenced for this system until the
-                  incident is resolved.
-                </p>
-              </div>
-              <Toggle
-                checked={policy.useNotificationSuppression}
-                onCheckedChange={(checked: boolean) =>
-                  onChange({
-                    ...policy,
-                    useNotificationSuppression: checked,
-                  })
-                }
-                disabled={disabled}
-                aria-label="Suppress further notifications while open"
-              />
-            </div>
-            {/* Skip during maintenance */}
-            <div className="flex items-start justify-between gap-4">
-              <div className="flex-1 min-w-0">
-                <Label className="text-sm">
-                  Skip during active maintenance
-                </Label>
-                <p className="text-xs text-muted-foreground mt-1">
-                  No auto-incident is opened while the system has an active
-                  maintenance window with suppression.
-                </p>
-              </div>
-              <Toggle
-                checked={policy.skipDuringMaintenance}
-                onCheckedChange={(checked: boolean) =>
-                  onChange({ ...policy, skipDuringMaintenance: checked })
-                }
-                disabled={disabled}
-                aria-label="Skip auto-incident during active maintenance"
-              />
-            </div>
-            {/* Sustained-duration trigger */}
-            <div className="space-y-2 pt-2 border-t border-border">
-              <div className="flex items-center justify-between gap-4">
-                <div className="flex items-center gap-2">
-                  <Label className="text-sm">
-                    Open when unhealthy continuously
-                  </Label>
-                  <Tooltip content="Catches real outages: the check has stayed unhealthy for at least this long without recovering." />
-                </div>
-                <Toggle
-                  checked={policy.sustainedUnhealthyTrigger.enabled}
-                  onCheckedChange={(checked: boolean) =>
-                    onChange({
-                      ...policy,
-                      sustainedUnhealthyTrigger: {
-                        ...policy.sustainedUnhealthyTrigger,
-                        enabled: checked,
-                      },
-                    })
-                  }
-                  disabled={disabled}
-                  aria-label="Enable sustained-unhealthy trigger"
-                />
-              </div>
-              {policy.sustainedUnhealthyTrigger.enabled && (
-                <div className="flex items-center gap-2 text-xs text-muted-foreground">
-                  <span>Open after</span>
-                  <Input
-                    type="number"
-                    min={1}
-                    className="h-8 w-16 text-center"
-                    value={policy.sustainedUnhealthyTrigger.durationMinutes}
-                    onChange={(e) =>
-                      onChange({
-                        ...policy,
-                        sustainedUnhealthyTrigger: {
-                          ...policy.sustainedUnhealthyTrigger,
-                          durationMinutes:
-                            Number.parseInt(e.target.value, 10) || 1,
-                        },
-                      })
-                    }
-                    disabled={disabled}
-                  />
-                  <span>minutes of continuous unhealthy state</span>
-                </div>
-              )}
-            </div>
-            {/* Flapping trigger */}
-            <div className="space-y-2 pt-2 border-t border-border">
-              <div className="flex items-center justify-between gap-4">
-                <div className="flex items-center gap-2">
-                  <Label className="text-sm">Open on flapping</Label>
-                  <Tooltip content="Catches checks that flip in and out of unhealthy too quickly for the sustained trigger to fire." />
-                </div>
-                <Toggle
-                  checked={policy.flappingTrigger.enabled}
-                  onCheckedChange={(checked: boolean) =>
-                    onChange({
-                      ...policy,
-                      flappingTrigger: {
-                        ...policy.flappingTrigger,
-                        enabled: checked,
-                      },
-                    })
-                  }
-                  disabled={disabled}
-                  aria-label="Enable flapping trigger"
-                />
-              </div>
-              {policy.flappingTrigger.enabled && (
-                <div className="flex flex-wrap items-center gap-2 text-xs text-muted-foreground">
-                  <span>Open after</span>
-                  <Input
-                    type="number"
-                    min={1}
-                    className="h-8 w-16 text-center"
-                    value={policy.flappingTrigger.transitions}
-                    onChange={(e) =>
-                      onChange({
-                        ...policy,
-                        flappingTrigger: {
-                          ...policy.flappingTrigger,
-                          transitions:
-                            Number.parseInt(e.target.value, 10) || 1,
-                        },
-                      })
-                    }
-                    disabled={disabled}
-                  />
-                  <span>transitions to unhealthy within</span>
-                  <Input
-                    type="number"
-                    min={1}
-                    className="h-8 w-16 text-center"
-                    value={policy.flappingTrigger.windowMinutes}
-                    onChange={(e) =>
-                      onChange({
-                        ...policy,
-                        flappingTrigger: {
-                          ...policy.flappingTrigger,
-                          windowMinutes:
-                            Number.parseInt(e.target.value, 10) || 1,
-                        },
-                      })
-                    }
-                    disabled={disabled}
-                  />
-                  <span>minutes</span>
-                </div>
-              )}
-            </div>
-            {/* Auto-close cooldown */}
-            <div className="space-y-2 pt-2 border-t border-border">
-              <div className="flex items-center gap-2">
-                <Label className="text-sm">Auto-close cooldown</Label>
-                <Tooltip content="Resolve the auto-incident once the system has stayed healthy for this long. Snapshotted per-incident at open time — later policy edits don't change in-flight incidents." />
-              </div>
-              <div className="flex flex-wrap items-center gap-3 text-xs text-muted-foreground">
-                <label className="inline-flex items-center gap-2 cursor-pointer">
-                  <input
-                    type="checkbox"
-                    checked={policy.autoCloseAfterMinutes === null}
-                    onChange={(e) =>
-                      onChange({
-                        ...policy,
-                        autoCloseAfterMinutes: e.target.checked ? null : 30,
-                      })
-                    }
-                    disabled={disabled}
-                  />
-                  <span>Never auto-close (manual resolve only)</span>
-                </label>
-                {policy.autoCloseAfterMinutes !== null && (
-                  <div className="flex items-center gap-2">
-                    <span>After</span>
-                    <Input
-                      type="number"
-                      min={1}
-                      className="h-8 w-16 text-center"
-                      value={policy.autoCloseAfterMinutes}
-                      onChange={(e) =>
-                        onChange({
-                          ...policy,
-                          autoCloseAfterMinutes:
-                            Number.parseInt(e.target.value, 10) || 1,
-                        })
-                      }
-                      disabled={disabled}
-                    />
-                    <span>minutes of sustained healthy</span>
-                  </div>
-                )}
-              </div>
-            </div>
-          </div>
-        )}
-      </div>
       {/* Save button hides when the assignment is inheriting — there
           is nothing to save. The Override button drives the transition
           into edit mode. */}

package/src/components/editor/CollectorScriptTestRenderer.tsx ADDED Viewed

@@ -0,0 +1,115 @@
+import React from "react";
+import { usePluginClient } from "@checkstack/frontend-api";
+import {
+  ScriptTestPanel,
+  ContextSampleEditor,
+  type ScriptTestRenderer,
+  type ScriptTestPanelResult,
+} from "@checkstack/ui";
+import { HealthCheckApi } from "@checkstack/healthcheck-common";
+import { extractErrorMessage } from "@checkstack/common";
+const TIMEOUT_MS = 30_000;
+/**
+ * Placeholder check/system metadata for the auto-seeded sample. A test run
+ * has no real check assignment, so we surface stable example values for
+ * `context.check` / `context.system` (and the `$CHECKSTACK_*` shell vars).
+ */
+const SAMPLE_RUN_CONTEXT = {
+  check: { id: "test-check", name: "Test Check", intervalSeconds: 60 },
+  system: { id: "test-system", name: "Test System" },
+};
+/**
+ * Build the auto-seeded sample context JSON for a collector script. There
+ * is no healthcheck replay (executions don't persist the script/config),
+ * so the seed is the collector's live config plus placeholder check/system.
+ */
+function seedSample(config: Record<string, unknown>): string {
+  return JSON.stringify(
+    { config, ...SAMPLE_RUN_CONTEXT },
+    null,
+    2,
+  );
+}
+interface CollectorScriptTestPanelProps {
+  kind: "typescript" | "shell";
+  script: string;
+  /** Live collector config, used to auto-seed `context.config`. */
+  config: Record<string, unknown>;
+}
+const CollectorScriptTestPanel: React.FC<CollectorScriptTestPanelProps> = ({
+  kind,
+  script,
+  config,
+}) => {
+  const client = usePluginClient(HealthCheckApi);
+  const testMutation = client.testCollectorScript.useMutation();
+  const [sampleContext, setSampleContext] = React.useState(() =>
+    seedSample(config),
+  );
+  const handleRun = React.useCallback(async (): Promise<ScriptTestPanelResult> => {
+    // Collector config has no `x-secret-env` field, so there are no secret
+    // overrides to forward; the panel passes none.
+    let parsed: {
+      config?: Record<string, unknown>;
+      check?: { id: string; name: string; intervalSeconds: number };
+      system?: { id: string; name: string };
+    } = {};
+    if (sampleContext.trim().length > 0) {
+      try {
+        parsed = JSON.parse(sampleContext) as typeof parsed;
+      } catch (error) {
+        return {
+          stdout: "",
+          stderr: "",
+          durationMs: 0,
+          timedOut: false,
+          error: `Sample context is not valid JSON: ${extractErrorMessage(error)}`,
+        };
+      }
+    }
+    return testMutation.mutateAsync({
+      kind,
+      script,
+      config: parsed.config,
+      runContext: {
+        ...(parsed.check ? { check: parsed.check } : {}),
+        ...(parsed.system ? { system: parsed.system } : {}),
+      },
+      timeoutMs: TIMEOUT_MS,
+    });
+  }, [testMutation, kind, script, sampleContext]);
+  return (
+    <ScriptTestPanel
+      onRun={handleRun}
+      disabled={script.trim().length === 0}
+      contextEditor={
+        <ContextSampleEditor value={sampleContext} onChange={setSampleContext} />
+      }
+    />
+  );
+};
+/**
+ * Build the {@link ScriptTestRenderer} for the health-check collector
+ * editor. Captures the live collector `config` so the auto-seeded sample
+ * matches what the operator is editing.
+ */
+export function createCollectorScriptTestRenderer(
+  config: Record<string, unknown>,
+): ScriptTestRenderer {
+  return ({ fieldId, kind, script }) => (
+    <CollectorScriptTestPanel
+      key={`${fieldId}-test`}
+      kind={kind}
+      script={script}
+      config={config}
+    />
+  );
+}

package/src/components/editor/CollectorSection.tsx CHANGED Viewed

@@ -10,7 +10,10 @@ import {
   healthcheckScriptContext,
 } from "@checkstack/ui";
 import { Trash2 } from "lucide-react";
+import { useScriptPackageTypeAcquisition } from "@checkstack/script-packages-frontend";
+import { useSecretNames } from "@checkstack/secrets-frontend";
 import { AssertionBuilder, type Assertion } from "../AssertionBuilder";
+import { createCollectorScriptTestRenderer } from "./CollectorScriptTestRenderer";
 interface CollectorSectionProps {
   entry: CollectorConfigEntry;
@@ -29,6 +32,18 @@ export const CollectorSection: React.FC<CollectorSectionProps> = ({
   onValidChange,
   onRemove,
 }) => {
+  const scriptTestRenderer = React.useMemo(
+    () => createCollectorScriptTestRenderer(entry.config),
+    [entry.config],
+  );
+  // Lazy ATA: collector scripts get package IntelliSense (incl. `@types/*`)
+  // on demand for whatever npm packages they import. `importablePackages`
+  // drives import-specifier name completion before any module is registered.
+  const { acquireTypes, acquireResetKey, importablePackages } =
+    useScriptPackageTypeAcquisition();
+  // Secret names (never values) for the secret -> env mapping editor.
+  const { secretNames } = useSecretNames();
   return (
     <div className="space-y-6">
       {/* Header */}
@@ -63,15 +78,27 @@ export const CollectorSection: React.FC<CollectorSectionProps> = ({
               Configure how this check item behaves.
             </p>
           </div>
-          <DynamicForm
-            schema={collectorDef.configSchema}
-            value={entry.config}
-            onChange={onConfigChange}
-            onValidChange={onValidChange}
-            {...healthcheckScriptContext({
+          {(() => {
+            const ctx = healthcheckScriptContext({
               collectorConfigSchema: collectorDef.configSchema,
-            })}
-          />
+              // Surface the user's own `env` keys as `$`-completions.
+              customEnv: entry.config.env,
+            });
+            return (
+              <DynamicForm
+                schema={collectorDef.configSchema}
+                value={entry.config}
+                onChange={onConfigChange}
+                onValidChange={onValidChange}
+                {...ctx}
+                scriptTestRenderer={scriptTestRenderer}
+                secretNames={secretNames}
+                acquireTypes={acquireTypes}
+                acquireResetKey={acquireResetKey}
+                importablePackages={importablePackages}
+              />
+            );
+          })()}
         </div>
       )}

package/tsconfig.json CHANGED Viewed

@@ -31,6 +31,12 @@
     {
       "path": "../satellite-common"
     },
+    {
+      "path": "../script-packages-frontend"
+    },
+    {
+      "path": "../secrets-frontend"
+    },
     {
       "path": "../signal-frontend"
     },