@checkstack/integration-webex-backend 0.2.14 → 0.2.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,74 @@
1
1
  # @checkstack/integration-webex-backend
2
2
 
3
+ ## 0.2.15
4
+
5
+ ### Patch Changes
6
+
7
+ - faf98f5: Security: config secrets (health-check strategy/collector credentials such as
8
+ SSH passwords, DB credentials, HTTP auth, and integration connection
9
+ credentials) ride ONE shared, domain-agnostic extraction channel instead of
10
+ being stored as plaintext or re-implemented per plugin.
11
+
12
+ New primitive and shared service:
13
+
14
+ - `configSecret({ id })` (in `@checkstack/backend-api`) declares an
15
+ extraction-channel secret keyed by a STABLE `id`, independent of field name or
16
+ position, so renaming or reordering a field never orphans its value. Use it
17
+ (not `configString({ "x-secret": true })`) for any credential whose config is
18
+ relayed to a satellite, projected to AI, or diffed by GitOps. `validateSecretIds`
19
+ rejects, at plugin registration, an `x-secret` field with no `id`, a duplicate
20
+ `id`, or a secret nested in an un-keyable container (array / record / tuple /
21
+ map) - so a mis-keyable schema fails boot rather than at run time.
22
+ - `ConfigSecretChannel` (in `@checkstack/secrets-backend`) is the single
23
+ extract / inflate / collect / redact / merge / delete / prune implementation.
24
+ Health-checks and integration connections both BIND it to their own scope
25
+ (marker prefix + internal-secret key layout); neither re-implements the walk.
26
+
27
+ Lifecycle (both bindings):
28
+
29
+ - **Write**: an inline value is extracted into the encrypted internal secret
30
+ store; the stored config keeps only an opaque marker. `${{ secrets.NAME }}`
31
+ references are stored verbatim and resolve through the active backend (local
32
+ or Vault) at run time.
33
+ - **Read**: configuration and connection reads strip `x-secret` values and
34
+ internal markers while keeping `${{ secrets.NAME }}` references visible; the
35
+ AI `getConfigurations` tool and create/update responses are redacted too. A
36
+ value never reaches a browser or an AI model context.
37
+ - **Run**: the core executor inflates markers/references in memory just before
38
+ the client is built. Satellites receive markers only and fetch values
39
+ just-in-time over the authenticated WS channel, per run, never persisted, then
40
+ fail CLOSED if any marker/reference survives resolution.
41
+ - **No orphan**: clearing a secret, removing a field/collector, swapping an
42
+ inline value for a reference, updating a connection, or deleting a
43
+ configuration/connection deletes the now-unreferenced internal secret. Cleanup
44
+ is schema-free (scans markers by prefix) and best-effort on delete, so it works
45
+ even when the owning plugin is uninstalled and never blocks a delete.
46
+ - **Forged-marker safe**: extract/inflate key each internal secret by the
47
+ SCHEMA leaf's stable `id`, never by an id parsed out of a stored marker string,
48
+ so a crafted marker can never resolve or delete another scope's secret.
49
+
50
+ Health-checks additionally get an idempotent, advisory-locked backfill that
51
+ moves pre-existing plaintext values into the internal store, and per-config-id
52
+ locking so concurrent writers across pods can never leave a dangling marker.
53
+ Integration connection credentials keep their released `__connref__:` marker
54
+ prefix and key layout (id equals the flat field name), so existing stored
55
+ connections are byte-compatible.
56
+
57
+ BREAKING CHANGES:
58
+
59
+ - Configuration and connection reads no longer include `x-secret` field values
60
+ (clients must treat blank-on-save as keep-existing; the bundled editors
61
+ already do).
62
+ - Satellites must be upgraded together with the core: an old satellite cannot
63
+ resolve the markers a new core stores, so its credentialed checks fail until
64
+ upgraded.
65
+
66
+ - Updated dependencies [faf98f5]
67
+ - @checkstack/backend-api@0.29.0
68
+ - @checkstack/common@0.20.0
69
+ - @checkstack/integration-backend@0.7.0
70
+ - @checkstack/automation-backend@0.10.8
71
+
3
72
  ## 0.2.14
4
73
 
5
74
  ### Patch Changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@checkstack/integration-webex-backend",
3
- "version": "0.2.14",
3
+ "version": "0.2.15",
4
4
  "type": "module",
5
5
  "main": "src/index.ts",
6
6
  "checkstack": {
@@ -15,17 +15,17 @@
15
15
  "pack": "bunx @checkstack/scripts plugin-pack"
16
16
  },
17
17
  "dependencies": {
18
- "@checkstack/backend-api": "0.28.0",
19
- "@checkstack/integration-backend": "0.6.10",
20
- "@checkstack/automation-backend": "0.10.7",
21
- "@checkstack/common": "0.19.0",
18
+ "@checkstack/backend-api": "0.29.0",
19
+ "@checkstack/integration-backend": "0.7.0",
20
+ "@checkstack/automation-backend": "0.10.8",
21
+ "@checkstack/common": "0.20.0",
22
22
  "zod": "^4.2.1"
23
23
  },
24
24
  "devDependencies": {
25
25
  "@types/bun": "^1.0.0",
26
26
  "typescript": "^5.0.0",
27
27
  "@checkstack/tsconfig": "0.0.7",
28
- "@checkstack/test-utils-backend": "0.1.51"
28
+ "@checkstack/test-utils-backend": "0.1.52"
29
29
  },
30
30
  "description": "Checkstack integration-webex-backend plugin",
31
31
  "author": {
package/src/provider.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  import { z } from "zod";
2
- import { configString, Versioned } from "@checkstack/backend-api";
2
+ import { configSecret, Versioned } from "@checkstack/backend-api";
3
3
  import type {
4
4
  IntegrationProvider,
5
5
  GetConnectionOptionsParams,
@@ -38,7 +38,7 @@ export const WEBEX_RESOLVERS = {
38
38
  // ─── Connection schema ──────────────────────────────────────────────────
39
39
 
40
40
  export const WebexConnectionSchema = z.object({
41
- botToken: configString({ "x-secret": true }).describe(
41
+ botToken: configSecret({ id: "botToken" }).describe(
42
42
  "Webex Bot Access Token from developer.webex.com",
43
43
  ),
44
44
  });