@checkstack/incident-common 1.4.2 → 1.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/CHANGELOG.md +65 -0
  2. package/package.json +7 -7
  3. package/src/access.ts +2 -0
package/CHANGELOG.md CHANGED
@@ -1,5 +1,70 @@
1
1
  # @checkstack/incident-common
2
2
 
3
+ ## 1.4.4
4
+
5
+ ### Patch Changes
6
+
7
+ - 56e7c75: Fix frontend access checks to use FULLY-QUALIFIED access-rule ids, and resolve
8
+ the anonymous role on the frontend.
9
+
10
+ Granted access-rule ids are stored fully-qualified as `{pluginId}.{ruleId}` (e.g.
11
+ `incident.incident.read`) so two plugins defining the same short rule id never
12
+ collide. The frontend, however, was checking the UNqualified id (`incident.read`)
13
+ via `isAccessRuleSatisfied`, so every check failed for any user without the `*`
14
+ (admin) grant - masked in development because dev-auth grants `*`. This silently
15
+ broke ALL non-admin frontend gating (route guards, sidebar entries, and
16
+ `useAccess`-based button/link gating).
17
+
18
+ - **`@checkstack/common`**: `AccessRule` now carries a REQUIRED owning `pluginId`;
19
+ `access()` / `accessPair()` require and stamp it; `isAccessRuleSatisfied`
20
+ qualifies the rule (`{pluginId}.{id}`, plus the manage->read escalation) and
21
+ matches ONLY the qualified form. There is intentionally NO unqualified fallback
22
+ - matching a bare id would let one plugin's grant satisfy another plugin's
23
+ identically-named rule (a cross-plugin privilege-escalation flaw). Every plugin
24
+ that defines access rules now passes its own `pluginId`.
25
+ - **`@checkstack/backend`**: `pluginManager.getAllAccessRules()` no longer strips
26
+ the `pluginId` field (the rule `id` is already fully-qualified for the DB sync).
27
+ - **Route guard** (`@checkstack/frontend` / `@checkstack/frontend-api`) now
28
+ checks the FULL rule object (so it qualifies and escalates), not a bare id.
29
+ - **Anonymous role on the frontend**: the `accessRules` procedure is now
30
+ `public`, returning the configurable anonymous role's grants to unauthenticated
31
+ callers; `useAccessRules` fetches them for guests instead of returning an empty
32
+ set. So anonymous UI now reflects exactly what the anonymous role is allowed -
33
+ which an admin can change (`isPublic` is only the seeded default).
34
+ - Incident / maintenance / SLO detail routes are now read-gated (their read rule
35
+ is an `isPublic` default, so the anonymous role holds it unless an admin
36
+ revokes it); their dashboard status signals carry that rule and render as a
37
+ link only when the viewer may open it.
38
+
39
+ **BREAKING (`@checkstack/common`):** `AccessRule.pluginId` is now REQUIRED, and
40
+ `access()` / `accessPair()` require a `pluginId` option. `isAccessRuleSatisfied`
41
+ matches ONLY the fully-qualified `{pluginId}.{ruleId}` form - the previous
42
+ unqualified fallback is removed, because it was a cross-plugin
43
+ privilege-escalation flaw. Any code constructing an `AccessRule` or calling
44
+ `access()`/`accessPair()` must supply the owning `pluginId`.
45
+
46
+ Verified live against an anonymous caller: read pages resolve (qualified match),
47
+ manage actions are denied, manage->read escalation and `*` still work.
48
+
49
+ - Updated dependencies [56e7c75]
50
+ - Updated dependencies [56e7c75]
51
+ - @checkstack/frontend-api@0.9.0
52
+ - @checkstack/catalog-common@2.3.4
53
+ - @checkstack/common@0.15.0
54
+ - @checkstack/notification-common@1.3.3
55
+ - @checkstack/signal-common@0.2.9
56
+
57
+ ## 1.4.3
58
+
59
+ ### Patch Changes
60
+
61
+ - Updated dependencies [fb705df]
62
+ - @checkstack/frontend-api@0.8.0
63
+ - @checkstack/catalog-common@2.3.3
64
+ - @checkstack/common@0.14.1
65
+ - @checkstack/notification-common@1.3.2
66
+ - @checkstack/signal-common@0.2.8
67
+
3
68
  ## 1.4.2
4
69
 
5
70
  ### Patch Changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@checkstack/incident-common",
3
- "version": "1.4.2",
3
+ "version": "1.4.4",
4
4
  "license": "Elastic-2.0",
5
5
  "type": "module",
6
6
  "exports": {
@@ -9,18 +9,18 @@
9
9
  }
10
10
  },
11
11
  "dependencies": {
12
- "@checkstack/common": "0.14.1",
13
- "@checkstack/catalog-common": "2.3.2",
14
- "@checkstack/frontend-api": "0.7.2",
15
- "@checkstack/notification-common": "1.3.2",
16
- "@checkstack/signal-common": "0.2.8",
12
+ "@checkstack/common": "0.15.0",
13
+ "@checkstack/catalog-common": "2.3.4",
14
+ "@checkstack/frontend-api": "0.9.0",
15
+ "@checkstack/notification-common": "1.3.3",
16
+ "@checkstack/signal-common": "0.2.9",
17
17
  "@orpc/contract": "^1.14.4",
18
18
  "zod": "^4.2.1"
19
19
  },
20
20
  "devDependencies": {
21
21
  "typescript": "^5.7.2",
22
22
  "@checkstack/tsconfig": "0.0.7",
23
- "@checkstack/scripts": "0.4.2"
23
+ "@checkstack/scripts": "0.6.1"
24
24
  },
25
25
  "scripts": {
26
26
  "typecheck": "tsgo -b",
package/src/access.ts CHANGED
@@ -1,4 +1,5 @@
1
1
  import { accessPair } from "@checkstack/common";
2
+ import { pluginMetadata } from "./plugin-metadata";
2
3
 
3
4
  /**
4
5
  * Access rules for the Incident plugin.
@@ -26,6 +27,7 @@ export const incidentAccess = {
26
27
  },
27
28
  {
28
29
  idParam: "systemId",
30
+ pluginId: pluginMetadata.pluginId,
29
31
  },
30
32
  ),
31
33
  };