@checkstack/incident-backend 1.1.4 → 1.1.5

package/CHANGELOG.md

@@ -1,5 +1,98 @@
 # @checkstack/incident-backend
 
+## 1.1.5
+
+### Patch Changes
+
+- f23f3c9: Phase 12 of the v1 polishing plan: three coordinated cleanup items that
+  close out half-finished features ahead of v1.0.
+
+  `@checkstack/incident-backend` adds focused unit-test coverage for
+  `IncidentService.hasActiveIncidentWithSuppression` in
+  `core/incident-backend/src/service.test.ts`. The new tests exercise the
+  real query-builder logic against a programmable mock data source and
+  pin down the active-only silencing contract: returns `true` only when
+  an unresolved incident with `suppressNotifications=true` is associated
+  with the queried `systemId`; returns `false` for resolved incidents,
+  incidents with `suppressNotifications=false`, systems with no incident
+  associations, and other systems' silenced incidents. No runtime
+  changes; the service code was already correct end-to-end (write path
+  through `IncidentEditor`, read path through the healthcheck queue
+  executor and dependency notifications). A companion docs page,
+  `docs/src/content/docs/architecture/alert-silencing.md`, documents the
+  contract, the two read sites, and the dispatch paths silencing does
+  NOT cover so users aren't surprised when an unaware channel keeps
+  firing.
+
+  `@checkstack/auth-frontend` surfaces inline role assignment inside the
+  user-creation dialog so admins can pick role(s) atomically with the
+  create call. `CreateUserDialog` now renders a checkbox list of
+  assignable roles (those with `isAssignable !== false`); on submit,
+  `UsersTab` awaits `createCredentialUser`, then immediately calls
+  `updateUserRoles` with the selected role IDs. On partial failure
+  (user created, role assignment failed) the UI surfaces a warning toast
+  naming the recovery path rather than silently misreporting success. No
+  new endpoints — reuses the existing `createCredentialUser` +
+  `updateUserRoles` contract pair. A companion docs page,
+  `docs/src/content/docs/architecture/users-and-teams.md`, documents the
+  identity / role / team model, the two S2S endpoints
+  (`checkResourceTeamAccess`, `getAccessibleResourceIds`) other plugins
+  should call to honour team grants, and explicitly defers audit
+  logging, CSV export, team-scoped resource-management UI, and deletion
+  side-effect handling to v1.1.
+
+  The third item — deleting the empty `core/status-frontend/` and
+  `core/status-page-backend/` shells — is tooling-only and intentionally
+  ships without a changeset; neither shell had a `package.json`, source
+  file, or downstream importer.
+
+- f23f3c9: Add `correlationMiddleware` to `@checkstack/backend-api` and apply it
+  to every plugin/core router so each request carries a stable
+  `x-correlation-id` (read from the inbound header, or freshly minted
+  via `crypto.randomUUID()` when absent) and an auto-injected child
+  logger bound with `{ correlationId, pluginId, userId? }`. The ID is
+  echoed back on the response header so the caller can correlate their
+  client-side trace to the server logs.
+
+  The `Logger` interface in `@checkstack/backend-api` now formally
+  documents the structured-metadata convention (`logger.info("msg",
+{ ...meta })`) alongside the long-standing varargs shape. Winston's
+  splat handling already routes both shapes through the same vararg
+  slot, so existing call sites are unaffected. A new optional
+  `Logger.child(meta)` method captures the metadata-binding contract the
+  new middleware relies on; production loggers always implement it,
+  minimal test mocks may omit it (the middleware falls back gracefully).
+
+  `RpcContext` grew two optional `Headers` bags, `requestHeaders` and
+  `responseHeaders`, populated by the outer Hono `/api/*` and `/rest/*`
+  handlers in `@checkstack/backend`. They are write-through observation
+  points for middleware; an `RpcContext` constructed without them (S2S
+  clients, tests) keeps working — the echo is a silent no-op and the ID
+  is still bound onto the child logger for server-side correlation.
+
+  The scaffolding template in `@checkstack/scripts` was updated so any
+  new plugin generated via `bun run create` wires the middleware in the
+  expected `.use(correlationMiddleware).use(autoAuthMiddleware)` order
+  out of the box.
+
+- Updated dependencies [f23f3c9]
+- Updated dependencies [f23f3c9]
+- Updated dependencies [f23f3c9]
+- Updated dependencies [f23f3c9]
+  - @checkstack/common@0.11.0
+  - @checkstack/backend-api@0.17.0
+  - @checkstack/catalog-backend@1.1.5
+  - @checkstack/command-backend@0.1.29
+  - @checkstack/integration-backend@0.1.29
+  - @checkstack/notification-common@1.2.0
+  - @checkstack/integration-common@0.5.0
+  - @checkstack/auth-common@0.7.1
+  - @checkstack/catalog-common@2.2.2
+  - @checkstack/incident-common@1.2.2
+  - @checkstack/signal-common@0.2.4
+  - @checkstack/cache-api@0.3.4
+  - @checkstack/cache-utils@0.2.9
+
 ## 1.1.4
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/incident-backend",
-  "version": "1.1.4",
+  "version": "1.1.5",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
@@ -14,17 +14,17 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/backend-api": "0.15.3",
-    "@checkstack/cache-api": "0.3.2",
-    "@checkstack/cache-utils": "0.2.7",
-    "@checkstack/incident-common": "1.2.0",
-    "@checkstack/catalog-common": "2.2.0",
-    "@checkstack/catalog-backend": "1.1.3",
-    "@checkstack/notification-common": "1.1.0",
+    "@checkstack/backend-api": "0.16.0",
+    "@checkstack/cache-api": "0.3.3",
+    "@checkstack/cache-utils": "0.2.8",
+    "@checkstack/incident-common": "1.2.1",
+    "@checkstack/catalog-common": "2.2.1",
+    "@checkstack/catalog-backend": "1.1.4",
+    "@checkstack/notification-common": "1.1.1",
     "@checkstack/auth-common": "0.7.0",
-    "@checkstack/command-backend": "0.1.27",
+    "@checkstack/command-backend": "0.1.28",
     "@checkstack/signal-common": "0.2.3",
-    "@checkstack/integration-backend": "0.1.27",
+    "@checkstack/integration-backend": "0.1.28",
     "@checkstack/integration-common": "0.4.0",
     "@checkstack/common": "0.10.0",
     "drizzle-orm": "^0.45.0",
@@ -34,7 +34,7 @@
   "devDependencies": {
     "@checkstack/drizzle-helper": "0.0.5",
     "@checkstack/scripts": "0.3.2",
-    "@checkstack/test-utils-backend": "0.1.27",
+    "@checkstack/test-utils-backend": "0.1.28",
     "@checkstack/tsconfig": "0.0.7",
     "@types/bun": "^1.0.0",
     "drizzle-kit": "^0.31.10",

package/src/router.ts

@@ -5,6 +5,7 @@ import {
 } from "@checkstack/incident-common";
 import {
   autoAuthMiddleware,
+  correlationMiddleware,
   Logger,
   type RpcContext,
 } from "@checkstack/backend-api";
@@ -89,6 +90,7 @@ export function createRouter(
 
   const os = implement(incidentContract)
     .$context<RpcContext>()
+    .use(correlationMiddleware)
     .use(autoAuthMiddleware);
 
   return os.router({

package/src/service.test.ts

@@ -0,0 +1,126 @@
+import { describe, it, expect, mock, beforeEach } from "bun:test";
+import { IncidentService } from "./service";
+
+/**
+ * Programmable mock DB that records each `select(...).from(...).where(...)`
+ * (and optional `.limit(...)`) chain and returns a configurable row array
+ * per invocation. Tests exercise the real query-builder calls inside
+ * `IncidentService`, only swapping out the terminal data source.
+ */
+function createProgrammableSelectDb(resultsByCall: unknown[][]) {
+  let callIndex = 0;
+
+  const nextResult = (): unknown[] => {
+    const result = resultsByCall[callIndex] ?? [];
+    callIndex += 1;
+    return result;
+  };
+
+  const select = mock((projection?: Record<string, unknown>) => {
+    void projection;
+    const rows = nextResult();
+
+    const limit = mock(() => Promise.resolve(rows));
+    const whereResult = Object.assign(Promise.resolve(rows), { limit });
+    const where = mock(() => whereResult);
+    const fromResult = Object.assign(Promise.resolve(rows), { where });
+    const from = mock(() => fromResult);
+
+    return { from };
+  });
+
+  return {
+    db: { select } as unknown,
+    select,
+    getCallCount: () => callIndex,
+  };
+}
+
+describe("IncidentService.hasActiveIncidentWithSuppression", () => {
+  let dbHelper: ReturnType<typeof createProgrammableSelectDb>;
+  let service: IncidentService;
+
+  const setup = (resultsByCall: unknown[][]) => {
+    dbHelper = createProgrammableSelectDb(resultsByCall);
+    service = new IncidentService(dbHelper.db as never);
+  };
+
+  beforeEach(() => {
+    dbHelper = createProgrammableSelectDb([]);
+  });
+
+  it("returns true when an active incident with suppressNotifications=true exists for the system", async () => {
+    setup([
+      // 1st query: incidentSystems lookup for systemId="sys-1"
+      [{ incidentId: "inc-1" }],
+      // 2nd query: incidents lookup with .where(active AND suppression).limit(1)
+      [{ id: "inc-1" }],
+    ]);
+
+    const result = await service.hasActiveIncidentWithSuppression("sys-1");
+
+    expect(result).toBe(true);
+    expect(dbHelper.getCallCount()).toBe(2);
+  });
+
+  it("returns false when no incidents are associated with the system", async () => {
+    setup([
+      // 1st query: empty -> short-circuits before the 2nd query
+      [],
+    ]);
+
+    const result = await service.hasActiveIncidentWithSuppression("sys-1");
+
+    expect(result).toBe(false);
+    // Only one query should have run; the incidents lookup is skipped.
+    expect(dbHelper.getCallCount()).toBe(1);
+  });
+
+  it("returns false when the matching incident is resolved (silencing is scoped to active incidents)", async () => {
+    setup([
+      // 1st query: the system has an incident association.
+      [{ incidentId: "inc-resolved" }],
+      // 2nd query: the WHERE clause filters out resolved incidents, so the
+      // limit(1) projection finds nothing. The real query builder enforces
+      // this via `ne(incidents.status, "resolved")`.
+      [],
+    ]);
+
+    const result = await service.hasActiveIncidentWithSuppression("sys-1");
+
+    expect(result).toBe(false);
+    expect(dbHelper.getCallCount()).toBe(2);
+  });
+
+  it("returns false when the matching incident has suppressNotifications=false", async () => {
+    setup([
+      // 1st query: the system has an incident association.
+      [{ incidentId: "inc-no-suppress" }],
+      // 2nd query: the WHERE clause filters by suppressNotifications=true,
+      // so a row with suppressNotifications=false is excluded — the result
+      // set is empty.
+      [],
+    ]);
+
+    const result = await service.hasActiveIncidentWithSuppression("sys-1");
+
+    expect(result).toBe(false);
+    expect(dbHelper.getCallCount()).toBe(2);
+  });
+
+  it("filters by systemId — does not return true for another system's silenced incident", async () => {
+    // The systemId filter is enforced by the WHERE clause on the
+    // incidentSystems lookup. Querying "sys-other" returns an empty
+    // association set even though "sys-1" has a silenced incident, so the
+    // method short-circuits to false.
+    setup([
+      // 1st query for systemId="sys-other": no associations.
+      [],
+    ]);
+
+    const result = await service.hasActiveIncidentWithSuppression("sys-other");
+
+    expect(result).toBe(false);
+    expect(dbHelper.getCallCount()).toBe(1);
+  });
+});