@checkstack/pluginmanager-common 0.2.0

package/CHANGELOG.md

@@ -0,0 +1,106 @@
+# @checkstack/pluginmanager-common
+
+## 0.2.0
+
+### Minor Changes
+
+- 50e5f5f: Runtime plugin system: install + uninstall plugins from npm, GitHub releases
+  (including private GitHub Enterprise instances), or tarball uploads at
+  runtime, with multi-package bundles, dependency-derived compatibility checks,
+  multi-instance coordination via a Postgres artifact store, and
+  single-coordinator destructive cleanup.
+
+  Highlights:
+
+  - New `PluginSource` discriminated union and `PluginInstaller` /
+    `PluginInstallerRegistry` interfaces in `@checkstack/backend-api`. The
+    GitHub variant accepts an optional `apiBaseUrl` so deployments backed by
+    GitHub Enterprise can install from `https://ghe.example.com/api/v3`
+    instead of `api.github.com`.
+  - New `installPackageMetadataSchema` (Zod) in `@checkstack/common` validates
+    every plugin's `package.json` at install time. Required fields: `name`,
+    `version`, `description`, `author`, `license`, `checkstack.type`,
+    `checkstack.pluginId`. Optional: `checkstack.bundle`,
+    `checkstack.usageInstructions`, `checkstack.allowInstallScripts`.
+  - New `pluginManagerContract` in `@checkstack/pluginmanager-common` with
+    `list`, `previewInstall`, `install`, `previewUninstall`, `uninstall`, and
+    `events` procedures.
+  - New `@checkstack/pluginmanager-frontend` admin UI: installed-plugins list
+    with per-row uninstall (typed-confirmation modal, schema/configs/cascade
+    toggles), install page with NPM / Tarball Upload / GitHub Release tabs
+    (Catalog tab disabled — coming soon), and an events page surfacing the
+    install/uninstall audit log.
+  - New `bunx @checkstack/scripts plugin-pack` CLI for plugin authors —
+    per-package mode produces an npm-shaped tarball; `--bundle` mode produces
+    an outer tarball containing every sibling declared in
+    `package.json#checkstack.bundle`. Published to npm so external authors
+    can `bunx` it directly without a workspace checkout.
+  - Compatibility derived from `package.json#dependencies` ranges
+    (`semver.satisfies` against the platform's loaded `@checkstack/*`
+    versions) — no separate `compatibility` field.
+  - Multi-instance: originator persists artifacts + `plugins` rows + broadcasts
+    install/uninstall; receiving instances do in-process register/unregister
+    only. Destructive ops (drop schema, delete plugin_configs, delete
+    artifacts, delete `plugins` rows) run exactly once on the originator.
+  - Fresh-instance bootstrap: `loadPlugins()` hydrates any
+    `is_uninstallable=true` plugin missing from `node_modules` from the
+    artifact store before normal Phase 1 register.
+  - New schema: `plugin_artifacts` (tarball storage), `plugin_install_events`
+    (audit/error log). `plugins` extended with `version`, `metadata`,
+    `source`, `bundle_id`, `is_primary`. Local plugin sync now writes
+    `version` from each plugin's `package.json` so the admin UI shows real
+    versions instead of `—`.
+  - Tarball-upload endpoint (`POST /api/pluginmanager/upload-tarball`) for
+    the install UI; access-gated by `pluginmanager.plugin.manage`.
+  - Plugin Manager menu link added to the user menu (main grid, alongside
+    Profile / Notification Settings / etc.).
+
+  Cross-cutting changes:
+
+  - Backend request/response logging now flows through `rootLogger` (winston)
+    instead of `hono/logger`. 5xx responses include the response body inline
+    so swallowed early-return errors are visible in the log.
+  - The `/api/:pluginId/*` dispatcher now logs which core service is missing
+    or which `pluginId` had no metadata when it 500s.
+  - New `registerCorePluginMetadata` on `PluginManager` for core routers
+    (like the plugin manager itself) that need their metadata visible to the
+    RPC dispatcher without going through the full plugin lifecycle.
+  - ESLint: `unicorn/no-null` is now disabled globally. Drizzle distinguishes
+    between `null` (writes a real SQL NULL) and `undefined` (skip the column
+    on insert), so treating them as interchangeable produced latent bugs at
+    the persistence boundary. The bulk of the patch-bumped packages above
+    reflect lint-fix touches that landed when this rule was relaxed.
+  - Workspace-wide license normalization to `Elastic-2.0` (matches
+    `LICENSE.md`). Every `package.json` in the workspace now declares the
+    same SPDX identifier; the patch bumps capture this.
+
+  Plugin packages (every `plugins/*`): added a `pack` npm script
+  (`bunx @checkstack/scripts plugin-pack`), mirrored each plugin's
+  `pluginId` from `plugin-metadata.ts` into `package.json#checkstack.pluginId`
+  so install-time validation passes, stubbed any missing required metadata
+  fields (`description`, `author`, `license`), and added
+  `checkstack.bundle` to multi-package plugin primaries (telegram, rcon, ssh,
+  jira, queue-bullmq, queue-memory, cache-memory).
+
+  Breaking changes:
+
+  - The legacy single-method `PluginInstaller` interface (`install(packageName)`)
+    is removed. Callers must use `coreServices.pluginInstallerRegistry`.
+  - The old `pluginAdminContract` and `createPluginAdminRouter` are removed.
+    Replaced by `pluginManagerContract` in `@checkstack/pluginmanager-common`
+    and `createPluginManagerRouter` in `core/backend`.
+  - `@checkstack/test-utils-backend` no longer exports
+    `createMockPluginInstaller` / `MockPluginInstaller` (the legacy interface
+    it shimmed is gone).
+
+  Note: bumps are limited to `minor` (for packages with new public API
+  surface) and `patch` (for downstream consumers, license normalization,
+  and lint fixes). No `major` bumps despite the `PluginInstaller` removal —
+  the legacy interface had no third-party consumers in the wild before this
+  runtime plugin system landed, and the contract surface is the same shape
+  modulo the rename.
+
+### Patch Changes
+
+- Updated dependencies [50e5f5f]
+  - @checkstack/common@0.8.0

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@checkstack/pluginmanager-common",
+  "version": "0.2.0",
+  "license": "Elastic-2.0",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./src/index.ts",
+      "import": "./src/index.ts"
+    }
+  },
+  "dependencies": {
+    "@checkstack/common": "0.7.0",
+    "zod": "^4.0.0"
+  },
+  "devDependencies": {
+    "@checkstack/tsconfig": "0.0.6",
+    "@checkstack/scripts": "0.1.2",
+    "typescript": "^5.7.2"
+  },
+  "scripts": {
+    "typecheck": "tsgo -b",
+    "lint": "bun run lint:code",
+    "lint:code": "eslint . --max-warnings 0"
+  },
+  "checkstack": {
+    "type": "common"
+  }
+}

package/src/access.ts

@@ -0,0 +1,19 @@
+import { access } from "@checkstack/common";
+
+/**
+ * Access rules for the Plugin Manager.
+ *
+ * The plugin system runs arbitrary code with full platform access — only
+ * trusted operators should hold the `manage` rule.
+ */
+export const pluginManagerAccess = {
+  view: access("plugin", "read", "View installed plugins and install events"),
+  install: access("plugin", "manage", "Install plugins from any source"),
+  uninstall: access("plugin", "manage", "Uninstall plugins"),
+};
+
+export const pluginManagerAccessRules = [
+  pluginManagerAccess.view,
+  pluginManagerAccess.install,
+  pluginManagerAccess.uninstall,
+];

package/src/index.ts

@@ -0,0 +1,37 @@
+export { pluginMetadata } from "./plugin-metadata";
+export { pluginManagerRoutes } from "./routes";
+export { pluginManagerAccess, pluginManagerAccessRules } from "./access";
+export {
+  pluginManagerContract,
+  PluginManagerApi,
+  type PluginManagerContract,
+} from "./rpc-contract";
+// Re-export source types from `@checkstack/common` so consumers only need
+// one import for the contract + its inputs/outputs.
+export {
+  pluginSourceSchema,
+  type PluginSource,
+  type NpmPluginSource,
+  type TarballPluginSource,
+  type GithubPluginSource,
+  type CatalogPluginSource,
+} from "@checkstack/common";
+
+export {
+  compatibilityIssueSchema,
+  installPreviewSchema,
+  uninstallPreviewSchema,
+  installedPluginSchema,
+  installEventSchema,
+  installEventActionEnum,
+  installEventPhaseEnum,
+  installEventStatusEnum,
+  type CompatibilityIssue,
+  type InstallPreview,
+  type UninstallPreview,
+  type InstalledPlugin,
+  type InstallEvent,
+  type InstallEventAction,
+  type InstallEventPhase,
+  type InstallEventStatus,
+} from "./schemas";

package/src/plugin-metadata.ts

@@ -0,0 +1,5 @@
+import { definePluginMetadata } from "@checkstack/common";
+
+export const pluginMetadata = definePluginMetadata({
+  pluginId: "pluginmanager",
+});

package/src/routes.ts

@@ -0,0 +1,21 @@
+import { createRoutes } from "@checkstack/common";
+
+/**
+ * Route definitions for the plugin manager admin UI.
+ *
+ * @example
+ * ```tsx
+ * import { pluginManagerRoutes } from "@checkstack/pluginmanager-common";
+ *
+ * createFrontendPlugin({
+ *   routes: [
+ *     { route: pluginManagerRoutes.routes.installed, element: <InstalledPluginsPage /> },
+ *   ],
+ * });
+ * ```
+ */
+export const pluginManagerRoutes = createRoutes("pluginmanager", {
+  installed: "/",
+  install: "/install",
+  events: "/events",
+});

package/src/rpc-contract.ts

@@ -0,0 +1,136 @@
+import { z } from "zod";
+import {
+  createClientDefinition,
+  proc,
+  pluginSourceSchema,
+} from "@checkstack/common";
+import { pluginManagerAccess } from "./access";
+import { pluginMetadata } from "./plugin-metadata";
+import {
+  installPreviewSchema,
+  uninstallPreviewSchema,
+  installedPluginSchema,
+  installEventSchema,
+} from "./schemas";
+
+// Confirmation tokens: the UI must echo back a typed phrase before destructive
+// or potentially-malicious mutations are accepted. Mirrors the strong typed
+// confirmation modal pattern used in the install/uninstall UI.
+const installConfirmTokenSchema = z
+  .string()
+  .min(1, "Typed confirmation is required");
+const uninstallConfirmTokenSchema = z
+  .string()
+  .min(1, "Typed confirmation is required");
+
+export const pluginManagerContract = {
+  /**
+   * List all installed plugins (local monorepo + runtime-installed).
+   */
+  list: proc({
+    operationType: "query",
+    userType: "user",
+    access: [pluginManagerAccess.view],
+  })
+    .input(z.void())
+    .output(z.object({ plugins: z.array(installedPluginSchema) })),
+
+  /**
+   * Resolve a `PluginSource` to its full bundle metadata + compatibility
+   * issues. Performs no destructive ops — pure preview for the UI's
+   * typed-confirmation modal.
+   */
+  previewInstall: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [pluginManagerAccess.install],
+  })
+    .input(z.object({ source: pluginSourceSchema }))
+    .output(installPreviewSchema),
+
+  /**
+   * Install a plugin (or bundle) from a source. Re-runs validation and
+   * compatibility — the preview is non-binding. Persists the artifact to
+   * `plugin_artifacts` and broadcasts to all instances.
+   */
+  install: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [pluginManagerAccess.install],
+  })
+    .input(
+      z.object({
+        source: pluginSourceSchema,
+        confirm: installConfirmTokenSchema,
+      }),
+    )
+    .output(
+      z.object({
+        success: z.boolean(),
+        bundleId: z.string().nullable(),
+        installedPackages: z.array(z.string()),
+      }),
+    ),
+
+  /**
+   * Resolve a plugin id to the cleanup picture: siblings, dependents, what
+   * data will be deleted. Used by the uninstall typed-confirmation modal.
+   */
+  previewUninstall: proc({
+    operationType: "query",
+    userType: "user",
+    access: [pluginManagerAccess.uninstall],
+  })
+    .input(z.object({ pluginName: z.string().min(1) }))
+    .output(uninstallPreviewSchema),
+
+  /**
+   * Uninstall a plugin (and its bundle siblings). Originator owns destructive
+   * cleanup; receiving instances do in-process teardown only.
+   */
+  uninstall: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [pluginManagerAccess.uninstall],
+  })
+    .input(
+      z.object({
+        pluginName: z.string().min(1),
+        deleteSchema: z.boolean(),
+        deleteConfigs: z.boolean(),
+        cascade: z.boolean(),
+        confirm: uninstallConfirmTokenSchema,
+      }),
+    )
+    .output(
+      z.object({
+        success: z.boolean(),
+        uninstalledPackages: z.array(z.string()),
+      }),
+    ),
+
+  /**
+   * Audit/error event log. Used by the admin Events page to surface partial
+   * failures (originator died mid-install, instance failed in-process load,
+   * etc.) for manual remediation.
+   */
+  events: proc({
+    operationType: "query",
+    userType: "user",
+    access: [pluginManagerAccess.view],
+  })
+    .input(
+      z.object({
+        pluginName: z.string().optional(),
+        limit: z.number().int().positive().max(500).default(100),
+      }),
+    )
+    .output(z.object({ events: z.array(installEventSchema) })),
+};
+
+export type PluginManagerContract = typeof pluginManagerContract;
+
+export const PluginManagerApi = createClientDefinition(
+  pluginManagerContract,
+  pluginMetadata,
+);

package/src/schemas.ts

@@ -0,0 +1,123 @@
+import { z } from "zod";
+import {
+  pluginSourceSchema,
+  installPackageMetadataSchema,
+  pluginCheckstackBlockSchema,
+  pluginPackageTypeSchema,
+} from "@checkstack/common";
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Compatibility issue surfaced by `previewInstall` / re-validated on `install`.
+// ─────────────────────────────────────────────────────────────────────────────
+
+export const compatibilityIssueSchema = z.object({
+  pluginName: z.string(),
+  kind: z.enum([
+    "missing-dependency",
+    "version-mismatch",
+    "platform-version-mismatch",
+  ]),
+  dependency: z.string(),
+  declared: z.string(),
+  actual: z.string().optional(),
+  message: z.string(),
+});
+export type CompatibilityIssue = z.infer<typeof compatibilityIssueSchema>;
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Preview-install / preview-uninstall result shapes.
+// ─────────────────────────────────────────────────────────────────────────────
+
+export const installPreviewSchema = z.object({
+  /** Validated package.json of the primary package. */
+  primary: installPackageMetadataSchema,
+  /** Validated package.json for every package in the bundle (including primary). */
+  packages: z.array(installPackageMetadataSchema),
+  /** Compatibility issues — non-empty means install will be rejected. */
+  compatibilityIssues: z.array(compatibilityIssueSchema),
+  /** Aggregate tarball size in bytes (sum of all packages in the bundle). */
+  totalSizeBytes: z.number().int().nonnegative(),
+  /** True when at least one package has `checkstack.allowInstallScripts: true`. */
+  hasInstallScripts: z.boolean(),
+});
+export type InstallPreview = z.infer<typeof installPreviewSchema>;
+
+export const uninstallPreviewSchema = z.object({
+  pluginName: z.string(),
+  /** All sibling packages that share this plugin's bundleId. */
+  siblings: z.array(z.string()),
+  /** Other plugins (NOT in this bundle) that depend on this plugin. */
+  dependents: z.array(z.string()),
+  /** Will this drop the plugin's Postgres schema? */
+  schemasToDrop: z.array(z.string()),
+  /** How many plugin_configs rows will be deleted? */
+  pluginConfigCount: z.number().int().nonnegative(),
+});
+export type UninstallPreview = z.infer<typeof uninstallPreviewSchema>;
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Installed-plugin row returned from `list`.
+// ─────────────────────────────────────────────────────────────────────────────
+
+export const installedPluginSchema = z.object({
+  name: z.string(),
+  version: z.string(),
+  type: pluginPackageTypeSchema,
+  enabled: z.boolean(),
+  isUninstallable: z.boolean(),
+  isPrimary: z.boolean(),
+  bundleId: z.string().nullable(),
+  source: pluginSourceSchema.nullable(),
+  metadata: z
+    .object({
+      description: z.string().optional(),
+      author: z.unknown().optional(),
+      license: z.string().optional(),
+      homepage: z.string().optional(),
+      repository: z.unknown().optional(),
+      checkstack: pluginCheckstackBlockSchema.partial().optional(),
+    })
+    .partial()
+    .optional(),
+});
+export type InstalledPlugin = z.infer<typeof installedPluginSchema>;
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Audit/error event row.
+// ─────────────────────────────────────────────────────────────────────────────
+
+export const installEventActionEnum = z.enum(["install", "uninstall"]);
+export type InstallEventAction = z.infer<typeof installEventActionEnum>;
+
+export const installEventPhaseEnum = z.enum([
+  "validate",
+  "persist",
+  "broadcast",
+  "in-process-load",
+  "in-process-unload",
+  "destructive-cleanup",
+  "audit",
+]);
+export type InstallEventPhase = z.infer<typeof installEventPhaseEnum>;
+
+export const installEventStatusEnum = z.enum([
+  "started",
+  "succeeded",
+  "failed",
+]);
+export type InstallEventStatus = z.infer<typeof installEventStatusEnum>;
+
+export const installEventSchema = z.object({
+  id: z.string(),
+  pluginName: z.string().nullable(),
+  bundleId: z.string().nullable(),
+  action: installEventActionEnum,
+  phase: installEventPhaseEnum,
+  status: installEventStatusEnum,
+  source: pluginSourceSchema.nullable(),
+  error: z.string().nullable(),
+  instanceId: z.string(),
+  userId: z.string().nullable(),
+  createdAt: z.string(),
+});
+export type InstallEvent = z.infer<typeof installEventSchema>;

package/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "extends": "@checkstack/tsconfig/common.json",
+  "include": [
+    "src"
+  ],
+  "references": [
+    {
+      "path": "../common"
+    }
+  ]
+}