@checkstack/integration-webex-backend 0.2.14 → 0.2.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +69 -0
- package/package.json +6 -6
- package/src/provider.ts +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,74 @@
|
|
|
1
1
|
# @checkstack/integration-webex-backend
|
|
2
2
|
|
|
3
|
+
## 0.2.15
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- faf98f5: Security: config secrets (health-check strategy/collector credentials such as
|
|
8
|
+
SSH passwords, DB credentials, HTTP auth, and integration connection
|
|
9
|
+
credentials) ride ONE shared, domain-agnostic extraction channel instead of
|
|
10
|
+
being stored as plaintext or re-implemented per plugin.
|
|
11
|
+
|
|
12
|
+
New primitive and shared service:
|
|
13
|
+
|
|
14
|
+
- `configSecret({ id })` (in `@checkstack/backend-api`) declares an
|
|
15
|
+
extraction-channel secret keyed by a STABLE `id`, independent of field name or
|
|
16
|
+
position, so renaming or reordering a field never orphans its value. Use it
|
|
17
|
+
(not `configString({ "x-secret": true })`) for any credential whose config is
|
|
18
|
+
relayed to a satellite, projected to AI, or diffed by GitOps. `validateSecretIds`
|
|
19
|
+
rejects, at plugin registration, an `x-secret` field with no `id`, a duplicate
|
|
20
|
+
`id`, or a secret nested in an un-keyable container (array / record / tuple /
|
|
21
|
+
map) - so a mis-keyable schema fails boot rather than at run time.
|
|
22
|
+
- `ConfigSecretChannel` (in `@checkstack/secrets-backend`) is the single
|
|
23
|
+
extract / inflate / collect / redact / merge / delete / prune implementation.
|
|
24
|
+
Health-checks and integration connections both BIND it to their own scope
|
|
25
|
+
(marker prefix + internal-secret key layout); neither re-implements the walk.
|
|
26
|
+
|
|
27
|
+
Lifecycle (both bindings):
|
|
28
|
+
|
|
29
|
+
- **Write**: an inline value is extracted into the encrypted internal secret
|
|
30
|
+
store; the stored config keeps only an opaque marker. `${{ secrets.NAME }}`
|
|
31
|
+
references are stored verbatim and resolve through the active backend (local
|
|
32
|
+
or Vault) at run time.
|
|
33
|
+
- **Read**: configuration and connection reads strip `x-secret` values and
|
|
34
|
+
internal markers while keeping `${{ secrets.NAME }}` references visible; the
|
|
35
|
+
AI `getConfigurations` tool and create/update responses are redacted too. A
|
|
36
|
+
value never reaches a browser or an AI model context.
|
|
37
|
+
- **Run**: the core executor inflates markers/references in memory just before
|
|
38
|
+
the client is built. Satellites receive markers only and fetch values
|
|
39
|
+
just-in-time over the authenticated WS channel, per run, never persisted, then
|
|
40
|
+
fail CLOSED if any marker/reference survives resolution.
|
|
41
|
+
- **No orphan**: clearing a secret, removing a field/collector, swapping an
|
|
42
|
+
inline value for a reference, updating a connection, or deleting a
|
|
43
|
+
configuration/connection deletes the now-unreferenced internal secret. Cleanup
|
|
44
|
+
is schema-free (scans markers by prefix) and best-effort on delete, so it works
|
|
45
|
+
even when the owning plugin is uninstalled and never blocks a delete.
|
|
46
|
+
- **Forged-marker safe**: extract/inflate key each internal secret by the
|
|
47
|
+
SCHEMA leaf's stable `id`, never by an id parsed out of a stored marker string,
|
|
48
|
+
so a crafted marker can never resolve or delete another scope's secret.
|
|
49
|
+
|
|
50
|
+
Health-checks additionally get an idempotent, advisory-locked backfill that
|
|
51
|
+
moves pre-existing plaintext values into the internal store, and per-config-id
|
|
52
|
+
locking so concurrent writers across pods can never leave a dangling marker.
|
|
53
|
+
Integration connection credentials keep their released `__connref__:` marker
|
|
54
|
+
prefix and key layout (id equals the flat field name), so existing stored
|
|
55
|
+
connections are byte-compatible.
|
|
56
|
+
|
|
57
|
+
BREAKING CHANGES:
|
|
58
|
+
|
|
59
|
+
- Configuration and connection reads no longer include `x-secret` field values
|
|
60
|
+
(clients must treat blank-on-save as keep-existing; the bundled editors
|
|
61
|
+
already do).
|
|
62
|
+
- Satellites must be upgraded together with the core: an old satellite cannot
|
|
63
|
+
resolve the markers a new core stores, so its credentialed checks fail until
|
|
64
|
+
upgraded.
|
|
65
|
+
|
|
66
|
+
- Updated dependencies [faf98f5]
|
|
67
|
+
- @checkstack/backend-api@0.29.0
|
|
68
|
+
- @checkstack/common@0.20.0
|
|
69
|
+
- @checkstack/integration-backend@0.7.0
|
|
70
|
+
- @checkstack/automation-backend@0.10.8
|
|
71
|
+
|
|
3
72
|
## 0.2.14
|
|
4
73
|
|
|
5
74
|
### Patch Changes
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@checkstack/integration-webex-backend",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.15",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"main": "src/index.ts",
|
|
6
6
|
"checkstack": {
|
|
@@ -15,17 +15,17 @@
|
|
|
15
15
|
"pack": "bunx @checkstack/scripts plugin-pack"
|
|
16
16
|
},
|
|
17
17
|
"dependencies": {
|
|
18
|
-
"@checkstack/backend-api": "0.
|
|
19
|
-
"@checkstack/integration-backend": "0.
|
|
20
|
-
"@checkstack/automation-backend": "0.10.
|
|
21
|
-
"@checkstack/common": "0.
|
|
18
|
+
"@checkstack/backend-api": "0.29.0",
|
|
19
|
+
"@checkstack/integration-backend": "0.7.0",
|
|
20
|
+
"@checkstack/automation-backend": "0.10.8",
|
|
21
|
+
"@checkstack/common": "0.20.0",
|
|
22
22
|
"zod": "^4.2.1"
|
|
23
23
|
},
|
|
24
24
|
"devDependencies": {
|
|
25
25
|
"@types/bun": "^1.0.0",
|
|
26
26
|
"typescript": "^5.0.0",
|
|
27
27
|
"@checkstack/tsconfig": "0.0.7",
|
|
28
|
-
"@checkstack/test-utils-backend": "0.1.
|
|
28
|
+
"@checkstack/test-utils-backend": "0.1.52"
|
|
29
29
|
},
|
|
30
30
|
"description": "Checkstack integration-webex-backend plugin",
|
|
31
31
|
"author": {
|
package/src/provider.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { z } from "zod";
|
|
2
|
-
import {
|
|
2
|
+
import { configSecret, Versioned } from "@checkstack/backend-api";
|
|
3
3
|
import type {
|
|
4
4
|
IntegrationProvider,
|
|
5
5
|
GetConnectionOptionsParams,
|
|
@@ -38,7 +38,7 @@ export const WEBEX_RESOLVERS = {
|
|
|
38
38
|
// ─── Connection schema ──────────────────────────────────────────────────
|
|
39
39
|
|
|
40
40
|
export const WebexConnectionSchema = z.object({
|
|
41
|
-
botToken:
|
|
41
|
+
botToken: configSecret({ id: "botToken" }).describe(
|
|
42
42
|
"Webex Bot Access Token from developer.webex.com",
|
|
43
43
|
),
|
|
44
44
|
});
|