@checkstack/integration-webex-backend 0.2.14 → 0.2.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,84 @@
1
1
  # @checkstack/integration-webex-backend
2
2
 
3
+ ## 0.2.16
4
+
5
+ ### Patch Changes
6
+
7
+ - Updated dependencies [c55d7c6]
8
+ - @checkstack/common@0.21.0
9
+ - @checkstack/automation-backend@0.10.9
10
+ - @checkstack/backend-api@0.29.1
11
+ - @checkstack/integration-backend@0.7.1
12
+
13
+ ## 0.2.15
14
+
15
+ ### Patch Changes
16
+
17
+ - faf98f5: Security: config secrets (health-check strategy/collector credentials such as
18
+ SSH passwords, DB credentials, HTTP auth, and integration connection
19
+ credentials) ride ONE shared, domain-agnostic extraction channel instead of
20
+ being stored as plaintext or re-implemented per plugin.
21
+
22
+ New primitive and shared service:
23
+
24
+ - `configSecret({ id })` (in `@checkstack/backend-api`) declares an
25
+ extraction-channel secret keyed by a STABLE `id`, independent of field name or
26
+ position, so renaming or reordering a field never orphans its value. Use it
27
+ (not `configString({ "x-secret": true })`) for any credential whose config is
28
+ relayed to a satellite, projected to AI, or diffed by GitOps. `validateSecretIds`
29
+ rejects, at plugin registration, an `x-secret` field with no `id`, a duplicate
30
+ `id`, or a secret nested in an un-keyable container (array / record / tuple /
31
+ map) - so a mis-keyable schema fails boot rather than at run time.
32
+ - `ConfigSecretChannel` (in `@checkstack/secrets-backend`) is the single
33
+ extract / inflate / collect / redact / merge / delete / prune implementation.
34
+ Health-checks and integration connections both BIND it to their own scope
35
+ (marker prefix + internal-secret key layout); neither re-implements the walk.
36
+
37
+ Lifecycle (both bindings):
38
+
39
+ - **Write**: an inline value is extracted into the encrypted internal secret
40
+ store; the stored config keeps only an opaque marker. `${{ secrets.NAME }}`
41
+ references are stored verbatim and resolve through the active backend (local
42
+ or Vault) at run time.
43
+ - **Read**: configuration and connection reads strip `x-secret` values and
44
+ internal markers while keeping `${{ secrets.NAME }}` references visible; the
45
+ AI `getConfigurations` tool and create/update responses are redacted too. A
46
+ value never reaches a browser or an AI model context.
47
+ - **Run**: the core executor inflates markers/references in memory just before
48
+ the client is built. Satellites receive markers only and fetch values
49
+ just-in-time over the authenticated WS channel, per run, never persisted, then
50
+ fail CLOSED if any marker/reference survives resolution.
51
+ - **No orphan**: clearing a secret, removing a field/collector, swapping an
52
+ inline value for a reference, updating a connection, or deleting a
53
+ configuration/connection deletes the now-unreferenced internal secret. Cleanup
54
+ is schema-free (scans markers by prefix) and best-effort on delete, so it works
55
+ even when the owning plugin is uninstalled and never blocks a delete.
56
+ - **Forged-marker safe**: extract/inflate key each internal secret by the
57
+ SCHEMA leaf's stable `id`, never by an id parsed out of a stored marker string,
58
+ so a crafted marker can never resolve or delete another scope's secret.
59
+
60
+ Health-checks additionally get an idempotent, advisory-locked backfill that
61
+ moves pre-existing plaintext values into the internal store, and per-config-id
62
+ locking so concurrent writers across pods can never leave a dangling marker.
63
+ Integration connection credentials keep their released `__connref__:` marker
64
+ prefix and key layout (id equals the flat field name), so existing stored
65
+ connections are byte-compatible.
66
+
67
+ BREAKING CHANGES:
68
+
69
+ - Configuration and connection reads no longer include `x-secret` field values
70
+ (clients must treat blank-on-save as keep-existing; the bundled editors
71
+ already do).
72
+ - Satellites must be upgraded together with the core: an old satellite cannot
73
+ resolve the markers a new core stores, so its credentialed checks fail until
74
+ upgraded.
75
+
76
+ - Updated dependencies [faf98f5]
77
+ - @checkstack/backend-api@0.29.0
78
+ - @checkstack/common@0.20.0
79
+ - @checkstack/integration-backend@0.7.0
80
+ - @checkstack/automation-backend@0.10.8
81
+
3
82
  ## 0.2.14
4
83
 
5
84
  ### Patch Changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@checkstack/integration-webex-backend",
3
- "version": "0.2.14",
3
+ "version": "0.2.16",
4
4
  "type": "module",
5
5
  "main": "src/index.ts",
6
6
  "checkstack": {
@@ -15,17 +15,17 @@
15
15
  "pack": "bunx @checkstack/scripts plugin-pack"
16
16
  },
17
17
  "dependencies": {
18
- "@checkstack/backend-api": "0.28.0",
19
- "@checkstack/integration-backend": "0.6.10",
20
- "@checkstack/automation-backend": "0.10.7",
21
- "@checkstack/common": "0.19.0",
18
+ "@checkstack/backend-api": "0.29.1",
19
+ "@checkstack/integration-backend": "0.7.1",
20
+ "@checkstack/automation-backend": "0.10.9",
21
+ "@checkstack/common": "0.21.0",
22
22
  "zod": "^4.2.1"
23
23
  },
24
24
  "devDependencies": {
25
25
  "@types/bun": "^1.0.0",
26
26
  "typescript": "^5.0.0",
27
27
  "@checkstack/tsconfig": "0.0.7",
28
- "@checkstack/test-utils-backend": "0.1.51"
28
+ "@checkstack/test-utils-backend": "0.1.53"
29
29
  },
30
30
  "description": "Checkstack integration-webex-backend plugin",
31
31
  "author": {
package/src/provider.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  import { z } from "zod";
2
- import { configString, Versioned } from "@checkstack/backend-api";
2
+ import { configSecret, Versioned } from "@checkstack/backend-api";
3
3
  import type {
4
4
  IntegrationProvider,
5
5
  GetConnectionOptionsParams,
@@ -38,7 +38,7 @@ export const WEBEX_RESOLVERS = {
38
38
  // ─── Connection schema ──────────────────────────────────────────────────
39
39
 
40
40
  export const WebexConnectionSchema = z.object({
41
- botToken: configString({ "x-secret": true }).describe(
41
+ botToken: configSecret({ id: "botToken" }).describe(
42
42
  "Webex Bot Access Token from developer.webex.com",
43
43
  ),
44
44
  });