@checkstack/integration-webex-backend 0.1.11 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,69 @@
1
1
  # @checkstack/integration-webex-backend
2
2
 
3
+ ## 0.2.0
4
+
5
+ ### Minor Changes
6
+
7
+ - ebef442: feat(automation): gate integration actions on the runAs service account's permissions
8
+
9
+ **BREAKING.** Integration automation actions resolve credentials through a
10
+ trusted service rather than the bounded `runAs` client, so they previously
11
+ bypassed the runAs least-privilege model entirely: anyone able to author an
12
+ automation could create Jira tickets, send Teams/Webex messages, etc. on any
13
+ configured connection, with a zero-permission service account. This closes that
14
+ gap.
15
+
16
+ - **Actions declare `requiredAccessRules`** and the dispatch engine enforces
17
+ them against the resolved `runAs` principal BEFORE the action runs (failing
18
+ the step if missing) - the authorization point integration actions lacked.
19
+ - **Each integration plugin defines per-action access rules**, e.g.
20
+ `integration-jira.create_issue.manage` / `search_issues.read` /
21
+ `transition_issue.manage` / `add_comment.manage`,
22
+ `integration-teams.post_message.manage`,
23
+ `integration-webex.post_message.manage`.
24
+ - **`automation.propose` checks the same up front**, surfacing a per-action
25
+ missing-permission error on the review card; `listActions` now exposes each
26
+ action's `requiredAccessRules`, and `getBindableApplications` now returns each
27
+ app's effective `accessRules`.
28
+ - **New `integration.read` rule** gates `listConnectionSummaries` /
29
+ `resolveConnectionOptions` (previously open to any authenticated user), so
30
+ discovering connections and resolving their field options requires a grant.
31
+ - **The AI assistant picks a capable runAs up front.**
32
+ `automation.listServiceAccounts` now returns each account's `accessRules` and
33
+ `automation.getCapabilitySchema` returns each action's `requiredAccessRules`,
34
+ so the model selects a service account whose permissions cover the actions it
35
+ uses instead of proposing and being rejected. When the operator did not name a
36
+ runAs and more than one account qualifies, it ASKS which to use rather than
37
+ choosing the automation's identity itself; when none has the needed rules it
38
+ says which rule(s) to grant.
39
+
40
+ **Migration:** existing automations whose service account does not hold the new
41
+ rules will fail at the gated action until an admin grants the matching rule(s)
42
+ to the service account's role (e.g. add `integration-jira.create_issue.manage`).
43
+ Admin (`*`) service accounts are unaffected. Grant `integration.read` to roles
44
+ that author integration-using automations so the editor's connection pickers and
45
+ dropdowns keep working for non-admins.
46
+
47
+ ### Patch Changes
48
+
49
+ - Updated dependencies [ebef442]
50
+ - Updated dependencies [ebef442]
51
+ - @checkstack/integration-backend@0.6.0
52
+ - @checkstack/automation-backend@0.7.0
53
+ - @checkstack/backend-api@0.21.7
54
+
55
+ ## 0.1.12
56
+
57
+ ### Patch Changes
58
+
59
+ - Updated dependencies [c4bebbb]
60
+ - Updated dependencies [c4bebbb]
61
+ - Updated dependencies [c4bebbb]
62
+ - Updated dependencies [c4bebbb]
63
+ - Updated dependencies [c4bebbb]
64
+ - @checkstack/automation-backend@0.6.0
65
+ - @checkstack/integration-backend@0.5.0
66
+
3
67
  ## 0.1.11
4
68
 
5
69
  ### Patch Changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@checkstack/integration-webex-backend",
3
- "version": "0.1.11",
3
+ "version": "0.2.0",
4
4
  "type": "module",
5
5
  "main": "src/index.ts",
6
6
  "checkstack": {
@@ -15,9 +15,9 @@
15
15
  "pack": "bunx @checkstack/scripts plugin-pack"
16
16
  },
17
17
  "dependencies": {
18
- "@checkstack/backend-api": "0.21.6",
19
- "@checkstack/integration-backend": "0.4.6",
20
- "@checkstack/automation-backend": "0.5.8",
18
+ "@checkstack/backend-api": "0.21.7",
19
+ "@checkstack/integration-backend": "0.6.0",
20
+ "@checkstack/automation-backend": "0.7.0",
21
21
  "@checkstack/common": "0.15.0",
22
22
  "zod": "^4.2.1"
23
23
  },
@@ -25,7 +25,7 @@
25
25
  "@types/bun": "^1.0.0",
26
26
  "typescript": "^5.0.0",
27
27
  "@checkstack/tsconfig": "0.0.7",
28
- "@checkstack/test-utils-backend": "0.1.40"
28
+ "@checkstack/test-utils-backend": "0.1.41"
29
29
  },
30
30
  "description": "Checkstack integration-webex-backend plugin",
31
31
  "author": {
@@ -13,7 +13,12 @@ import {
13
13
  } from "@checkstack/backend-api";
14
14
  import type { ActionDefinition } from "@checkstack/automation-backend";
15
15
  import { connectionStoreRef } from "@checkstack/integration-backend";
16
- import { extractErrorMessage } from "@checkstack/common";
16
+ import {
17
+ access,
18
+ extractErrorMessage,
19
+ qualifyAccessRuleId,
20
+ } from "@checkstack/common";
21
+ import { pluginMetadata } from "./plugin-metadata";
17
22
 
18
23
  import {
19
24
  WEBEX_RESOLVERS,
@@ -21,6 +26,20 @@ import {
21
26
  type WebexConnectionConfig,
22
27
  } from "./provider";
23
28
 
29
+ /**
30
+ * Access rule a runAs service account must hold to post Webex messages from an
31
+ * automation. Enforced by the dispatch engine before the action runs.
32
+ */
33
+ export const webexAccess = {
34
+ postMessage: access(
35
+ "post_message",
36
+ "manage",
37
+ "Post Webex messages from an automation",
38
+ { pluginId: pluginMetadata.pluginId },
39
+ ),
40
+ };
41
+ export const webexAccessRules = Object.values(webexAccess);
42
+
24
43
  const WEBEX_API_BASE = "https://webexapis.com/v1";
25
44
 
26
45
  const webexMessageDataSchema = z.object({
@@ -96,6 +115,9 @@ export function createWebexActions(): ActionDefinition<unknown, unknown>[] {
96
115
  category: "Webex",
97
116
  icon: "MessageSquare",
98
117
  connectionProviderId: WEBEX_PROVIDER_QUALIFIED_ID,
118
+ requiredAccessRules: [
119
+ qualifyAccessRuleId(pluginMetadata, webexAccess.postMessage),
120
+ ],
99
121
  config: new Versioned({
100
122
  version: 1,
101
123
  schema: webexPostMessageConfigSchema,
package/src/index.ts CHANGED
@@ -8,12 +8,15 @@ import { pluginMetadata } from "./plugin-metadata";
8
8
  import { webexProvider } from "./provider";
9
9
  import {
10
10
  createWebexActions,
11
+ webexAccessRules,
11
12
  webexMessageArtifactType,
12
13
  } from "./automations";
13
14
 
14
15
  export default createBackendPlugin({
15
16
  metadata: pluginMetadata,
16
17
  register(env) {
18
+ // A runAs service account must hold this rule to post Webex messages.
19
+ env.registerAccessRules(webexAccessRules);
17
20
  env
18
21
  .getExtensionPoint(providerExtensionPoint)
19
22
  .addProvider(webexProvider, pluginMetadata);