@checkstack/satellite-backend 0.2.20 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,160 @@
 # @checkstack/satellite-backend
 
+## 0.3.0
+
+### Minor Changes
+
+- f6f9a5c: Add a GitOps `Satellite` kind plus a UI affordance for resetting tokens.
+
+  GitOps owns satellite **metadata only** — `metadata.name`,
+  `spec.region`, and `metadata.labels` (used as the satellite's runtime
+  tags). The bcrypt token is intentionally never expressed in YAML; on
+  first reconcile a satellite is created with a random token that is
+  discarded, and operators must use the Satellites page to retrieve a
+  working credential.
+
+  To support that flow:
+
+  - New service methods: `updateSatelliteMetadata`, `rotateSatelliteToken`,
+    `getSatelliteByName`.
+  - New RPC procs: `updateSatellite`, `rotateSatelliteToken`.
+  - New `RotateSatelliteTokenDialog` and a "Reset token" key icon on the
+    Satellites list. The dialog reuses the one-time-reveal layout from
+    `CreateSatelliteDialog`.
+  - The Satellites list shows a `GitOpsSourceBadge` next to managed
+    satellites and disables the delete button while leaving the
+    token-reset button enabled (so operators can always re-issue a
+    credential without touching YAML).
+
+  The satellite kind reconciler adopts pre-existing satellites by name on
+  first sync, so this is safe to roll out against installations that
+  already have manually-created satellites.
+
+### Patch Changes
+
+- Updated dependencies [42abfff]
+- Updated dependencies [f6f9a5c]
+- Updated dependencies [f6f9a5c]
+- Updated dependencies [aa89bc5]
+  - @checkstack/common@0.9.0
+  - @checkstack/satellite-common@0.4.0
+  - @checkstack/gitops-common@0.3.0
+  - @checkstack/gitops-backend@0.3.0
+  - @checkstack/queue-api@0.3.0
+  - @checkstack/backend-api@0.15.1
+  - @checkstack/healthcheck-backend@1.0.4
+  - @checkstack/healthcheck-common@1.0.2
+  - @checkstack/signal-common@0.2.2
+
+## 0.2.21
+
+### Patch Changes
+
+- 50e5f5f: Runtime plugin system: install + uninstall plugins from npm, GitHub releases
+  (including private GitHub Enterprise instances), or tarball uploads at
+  runtime, with multi-package bundles, dependency-derived compatibility checks,
+  multi-instance coordination via a Postgres artifact store, and
+  single-coordinator destructive cleanup.
+
+  Highlights:
+
+  - New `PluginSource` discriminated union and `PluginInstaller` /
+    `PluginInstallerRegistry` interfaces in `@checkstack/backend-api`. The
+    GitHub variant accepts an optional `apiBaseUrl` so deployments backed by
+    GitHub Enterprise can install from `https://ghe.example.com/api/v3`
+    instead of `api.github.com`.
+  - New `installPackageMetadataSchema` (Zod) in `@checkstack/common` validates
+    every plugin's `package.json` at install time. Required fields: `name`,
+    `version`, `description`, `author`, `license`, `checkstack.type`,
+    `checkstack.pluginId`. Optional: `checkstack.bundle`,
+    `checkstack.usageInstructions`, `checkstack.allowInstallScripts`.
+  - New `pluginManagerContract` in `@checkstack/pluginmanager-common` with
+    `list`, `previewInstall`, `install`, `previewUninstall`, `uninstall`, and
+    `events` procedures.
+  - New `@checkstack/pluginmanager-frontend` admin UI: installed-plugins list
+    with per-row uninstall (typed-confirmation modal, schema/configs/cascade
+    toggles), install page with NPM / Tarball Upload / GitHub Release tabs
+    (Catalog tab disabled — coming soon), and an events page surfacing the
+    install/uninstall audit log.
+  - New `bunx @checkstack/scripts plugin-pack` CLI for plugin authors —
+    per-package mode produces an npm-shaped tarball; `--bundle` mode produces
+    an outer tarball containing every sibling declared in
+    `package.json#checkstack.bundle`. Published to npm so external authors
+    can `bunx` it directly without a workspace checkout.
+  - Compatibility derived from `package.json#dependencies` ranges
+    (`semver.satisfies` against the platform's loaded `@checkstack/*`
+    versions) — no separate `compatibility` field.
+  - Multi-instance: originator persists artifacts + `plugins` rows + broadcasts
+    install/uninstall; receiving instances do in-process register/unregister
+    only. Destructive ops (drop schema, delete plugin_configs, delete
+    artifacts, delete `plugins` rows) run exactly once on the originator.
+  - Fresh-instance bootstrap: `loadPlugins()` hydrates any
+    `is_uninstallable=true` plugin missing from `node_modules` from the
+    artifact store before normal Phase 1 register.
+  - New schema: `plugin_artifacts` (tarball storage), `plugin_install_events`
+    (audit/error log). `plugins` extended with `version`, `metadata`,
+    `source`, `bundle_id`, `is_primary`. Local plugin sync now writes
+    `version` from each plugin's `package.json` so the admin UI shows real
+    versions instead of `—`.
+  - Tarball-upload endpoint (`POST /api/pluginmanager/upload-tarball`) for
+    the install UI; access-gated by `pluginmanager.plugin.manage`.
+  - Plugin Manager menu link added to the user menu (main grid, alongside
+    Profile / Notification Settings / etc.).
+
+  Cross-cutting changes:
+
+  - Backend request/response logging now flows through `rootLogger` (winston)
+    instead of `hono/logger`. 5xx responses include the response body inline
+    so swallowed early-return errors are visible in the log.
+  - The `/api/:pluginId/*` dispatcher now logs which core service is missing
+    or which `pluginId` had no metadata when it 500s.
+  - New `registerCorePluginMetadata` on `PluginManager` for core routers
+    (like the plugin manager itself) that need their metadata visible to the
+    RPC dispatcher without going through the full plugin lifecycle.
+  - ESLint: `unicorn/no-null` is now disabled globally. Drizzle distinguishes
+    between `null` (writes a real SQL NULL) and `undefined` (skip the column
+    on insert), so treating them as interchangeable produced latent bugs at
+    the persistence boundary. The bulk of the patch-bumped packages above
+    reflect lint-fix touches that landed when this rule was relaxed.
+  - Workspace-wide license normalization to `Elastic-2.0` (matches
+    `LICENSE.md`). Every `package.json` in the workspace now declares the
+    same SPDX identifier; the patch bumps capture this.
+
+  Plugin packages (every `plugins/*`): added a `pack` npm script
+  (`bunx @checkstack/scripts plugin-pack`), mirrored each plugin's
+  `pluginId` from `plugin-metadata.ts` into `package.json#checkstack.pluginId`
+  so install-time validation passes, stubbed any missing required metadata
+  fields (`description`, `author`, `license`), and added
+  `checkstack.bundle` to multi-package plugin primaries (telegram, rcon, ssh,
+  jira, queue-bullmq, queue-memory, cache-memory).
+
+  Breaking changes:
+
+  - The legacy single-method `PluginInstaller` interface (`install(packageName)`)
+    is removed. Callers must use `coreServices.pluginInstallerRegistry`.
+  - The old `pluginAdminContract` and `createPluginAdminRouter` are removed.
+    Replaced by `pluginManagerContract` in `@checkstack/pluginmanager-common`
+    and `createPluginManagerRouter` in `core/backend`.
+  - `@checkstack/test-utils-backend` no longer exports
+    `createMockPluginInstaller` / `MockPluginInstaller` (the legacy interface
+    it shimmed is gone).
+
+  Note: bumps are limited to `minor` (for packages with new public API
+  surface) and `patch` (for downstream consumers, license normalization,
+  and lint fixes). No `major` bumps despite the `PluginInstaller` removal —
+  the legacy interface had no third-party consumers in the wild before this
+  runtime plugin system landed, and the contract surface is the same shape
+  modulo the rename.
+
+- Updated dependencies [50e5f5f]
+  - @checkstack/backend-api@0.15.0
+  - @checkstack/common@0.8.0
+  - @checkstack/healthcheck-backend@1.0.3
+  - @checkstack/queue-api@0.2.18
+  - @checkstack/healthcheck-common@1.0.1
+  - @checkstack/satellite-common@0.3.2
+  - @checkstack/signal-common@0.2.1
+
 ## 0.2.20
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@checkstack/satellite-backend",
-  "version": "0.2.20",
+  "version": "0.3.0",
+  "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
   "checkstack": {
@@ -13,22 +14,24 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/backend-api": "0.14.0",
-    "@checkstack/satellite-common": "0.3.1",
-    "@checkstack/healthcheck-common": "1.0.0",
-    "@checkstack/signal-common": "0.2.0",
-    "@checkstack/healthcheck-backend": "1.0.1",
-    "@checkstack/common": "0.7.0",
-    "@checkstack/queue-api": "0.2.16",
+    "@checkstack/backend-api": "0.15.0",
+    "@checkstack/satellite-common": "0.3.2",
+    "@checkstack/healthcheck-common": "1.0.1",
+    "@checkstack/signal-common": "0.2.1",
+    "@checkstack/healthcheck-backend": "1.0.3",
+    "@checkstack/gitops-backend": "0.2.8",
+    "@checkstack/gitops-common": "0.2.2",
+    "@checkstack/common": "0.8.0",
+    "@checkstack/queue-api": "0.2.18",
     "drizzle-orm": "^0.45.0",
     "zod": "^4.2.1",
     "@orpc/server": "^1.13.2"
   },
   "devDependencies": {
-    "@checkstack/drizzle-helper": "0.0.4",
-    "@checkstack/scripts": "0.1.2",
-    "@checkstack/test-utils-backend": "0.1.22",
-    "@checkstack/tsconfig": "0.0.5",
+    "@checkstack/drizzle-helper": "0.0.5",
+    "@checkstack/scripts": "0.3.0",
+    "@checkstack/test-utils-backend": "0.1.24",
+    "@checkstack/tsconfig": "0.0.7",
     "@types/bun": "^1.0.0",
     "drizzle-kit": "^0.31.10",
     "typescript": "^5.0.0"

package/src/index.ts

@@ -14,6 +14,8 @@ import { createSatelliteRouter } from "./router";
 import { HeartbeatMonitor } from "./heartbeat-monitor";
 import { SatelliteWsHandler } from "./satellite-ws-handler";
 import { ConfigRelay } from "./config-relay";
+import { entityKindExtensionPoint } from "@checkstack/gitops-backend";
+import { registerSatelliteGitOpsKinds } from "./satellite-gitops-kinds";
 
 // Queue and job constants
 const HEARTBEAT_QUEUE = "satellite-heartbeat";
@@ -25,6 +27,17 @@ export default createBackendPlugin({
   register(env) {
     env.registerAccessRules(satelliteAccessRules);
 
+    // ─── GitOps Entity Kind Registration ─────────────────────────────
+    let gitopsService: SatelliteService | undefined;
+    const kindRegistry = env.getExtensionPoint(entityKindExtensionPoint);
+    registerSatelliteGitOpsKinds({
+      kindRegistry,
+      getService: () => {
+        if (!gitopsService) throw new Error("SatelliteService not initialized");
+        return gitopsService;
+      },
+    });
+
     env.registerInit({
       schema,
       deps: {
@@ -41,6 +54,7 @@ export default createBackendPlugin({
         const service = new SatelliteService(
           database as SafeDatabase<typeof schema>,
         );
+        gitopsService = service;
 
         const router = createSatelliteRouter({
           service,

package/src/router.ts

@@ -1,4 +1,4 @@
-import { implement } from "@orpc/server";
+import { implement, ORPCError } from "@orpc/server";
 import {
   satelliteContract,
   SATELLITE_STATUS_CHANGED,
@@ -36,7 +36,7 @@ export function createSatelliteRouter(props: {
 
     getSatellite: os.getSatellite.handler(async ({ input }) => {
       const satellite = await service.getSatellite(input.id);
-      // eslint-disable-next-line unicorn/no-null -- oRPC contract uses nullable()
+       
       return satellite ?? null;
     }),
 
@@ -75,6 +75,34 @@ export function createSatelliteRouter(props: {
       });
     }),
 
+    updateSatellite: os.updateSatellite.handler(async ({ input }) => {
+      const updated = await service.updateSatelliteMetadata(input);
+      if (!updated) {
+        throw new ORPCError("NOT_FOUND", {
+          message: `Satellite not found: ${input.id}`,
+        });
+      }
+      logger.info(`Satellite metadata updated: ${updated.name}`);
+      await signalService.broadcast(SATELLITE_CONFIG_CHANGED, {
+        satelliteId: updated.id,
+      });
+      return updated;
+    }),
+
+    rotateSatelliteToken: os.rotateSatelliteToken.handler(async ({ input }) => {
+      const result = await service.rotateSatelliteToken(input.id);
+      if (!result) {
+        throw new ORPCError("NOT_FOUND", {
+          message: `Satellite not found: ${input.id}`,
+        });
+      }
+      logger.info(`Satellite token rotated: ${result.satellite.name}`);
+      await signalService.broadcast(SATELLITE_CONFIG_CHANGED, {
+        satelliteId: result.satellite.id,
+      });
+      return { satellite: result.satellite, token: result.plaintextToken };
+    }),
+
     getOnlineSatelliteIds: os.getOnlineSatelliteIds.handler(async () => {
       const satelliteIds = await service.getOnlineSatelliteIds();
       return { satelliteIds };

package/src/satellite-gitops-kinds.test.ts

@@ -0,0 +1,239 @@
+import { describe, it, expect, mock, beforeEach } from "bun:test";
+import {
+  CHECKSTACK_API_VERSION,
+  type ReconcileContext,
+} from "@checkstack/gitops-common";
+import type { SatelliteWithStatus } from "@checkstack/satellite-common";
+import type { SatelliteService } from "./service";
+import { buildSatelliteKind } from "./satellite-gitops-kinds";
+
+const noopLogger = {
+  debug: () => {},
+  info: () => {},
+  warn: () => {},
+  error: () => {},
+};
+
+const buildContext = (
+  overrides: Partial<ReconcileContext> = {},
+): ReconcileContext =>
+  ({
+    logger: noopLogger,
+    resolveEntityRef: async () => undefined,
+    resolveSecretsBySchema: async ({ value }) => ({
+      resolved: value,
+      warnings: [],
+    }),
+    ...overrides,
+  }) as ReconcileContext;
+
+const stubService = (initial?: SatelliteWithStatus | undefined) => {
+  let stored = initial;
+  const getSatellite = mock(async (id: string) =>
+    stored && stored.id === id ? stored : undefined,
+  );
+  const getSatelliteByName = mock(async (name: string) =>
+    stored && stored.name === name ? stored : undefined,
+  );
+  const createSatellite = mock(
+    async (props: {
+      name: string;
+      region: string;
+      tags: Record<string, string>;
+    }) => {
+      const satellite: SatelliteWithStatus = {
+        id: "sat-new",
+        name: props.name,
+        region: props.region,
+        tags: props.tags,
+        createdAt: new Date(),
+        status: "offline",
+      };
+      stored = satellite;
+      return { satellite, plaintextToken: "csat_test-token" };
+    },
+  );
+  const updateSatelliteMetadata = mock(
+    async (props: {
+      id: string;
+      name?: string;
+      region?: string;
+      tags?: Record<string, string>;
+    }) => {
+      if (!stored || stored.id !== props.id) return undefined;
+      stored = {
+        ...stored,
+        name: props.name ?? stored.name,
+        region: props.region ?? stored.region,
+        tags: props.tags ?? stored.tags,
+      };
+      return stored;
+    },
+  );
+  const deleteSatellite = mock(async (id: string) => {
+    if (stored && stored.id === id) stored = undefined;
+  });
+  return {
+    getSatellite,
+    getSatelliteByName,
+    createSatellite,
+    updateSatelliteMetadata,
+    deleteSatellite,
+    service: {
+      getSatellite,
+      getSatelliteByName,
+      createSatellite,
+      updateSatelliteMetadata,
+      deleteSatellite,
+    } as unknown as SatelliteService,
+    get current() {
+      return stored;
+    },
+  };
+};
+
+const mkEntity = (
+  name: string,
+  spec: { region: string },
+  metadataExtras: { labels?: Record<string, string> } = {},
+) => ({
+  apiVersion: CHECKSTACK_API_VERSION,
+  kind: "Satellite",
+  metadata: { name, ...metadataExtras },
+  spec,
+});
+
+describe("buildSatelliteKind", () => {
+  let kind: ReturnType<typeof buildSatelliteKind>;
+  let stub: ReturnType<typeof stubService>;
+
+  beforeEach(() => {
+    stub = stubService();
+    kind = buildSatelliteKind({ getService: () => stub.service });
+  });
+
+  it("registers as Satellite kind", () => {
+    expect(kind.kind).toBe("Satellite");
+  });
+
+  it("creates a satellite when none exists, discarding the plaintext token", async () => {
+    const result = await kind.reconcile({
+      entity: mkEntity(
+        "eu-west-1",
+        { region: "eu-west-1" },
+        { labels: { tier: "prod" } },
+      ),
+      context: buildContext(),
+    });
+
+    expect(stub.createSatellite).toHaveBeenCalledTimes(1);
+    expect(stub.createSatellite).toHaveBeenCalledWith({
+      name: "eu-west-1",
+      region: "eu-west-1",
+      tags: { tier: "prod" },
+    });
+    expect(result.entityId).toBe("sat-new");
+  });
+
+  it("adopts an existing satellite by name on first sync", async () => {
+    const existing: SatelliteWithStatus = {
+      id: "sat-existing",
+      name: "eu-west-1",
+      region: "eu-west-1",
+      tags: {},
+      createdAt: new Date(),
+      status: "online",
+    };
+    stub = stubService(existing);
+    kind = buildSatelliteKind({ getService: () => stub.service });
+
+    const result = await kind.reconcile({
+      entity: mkEntity(
+        "eu-west-1",
+        { region: "eu-west-2" },
+        { labels: { tier: "prod" } },
+      ),
+      context: buildContext(),
+    });
+
+    expect(stub.createSatellite).not.toHaveBeenCalled();
+    expect(stub.updateSatelliteMetadata).toHaveBeenCalledWith({
+      id: "sat-existing",
+      name: "eu-west-1",
+      region: "eu-west-2",
+      tags: { tier: "prod" },
+    });
+    expect(result.entityId).toBe("sat-existing");
+  });
+
+  it("uses the provenance entityId hint when provided", async () => {
+    const existing: SatelliteWithStatus = {
+      id: "sat-known",
+      name: "renamed",
+      region: "eu-west-1",
+      tags: {},
+      createdAt: new Date(),
+      status: "online",
+    };
+    stub = stubService(existing);
+    kind = buildSatelliteKind({ getService: () => stub.service });
+
+    const result = await kind.reconcile({
+      entity: mkEntity("renamed", { region: "eu-west-1" }),
+      existingEntityId: "sat-known",
+      context: buildContext(),
+    });
+
+    expect(stub.getSatellite).toHaveBeenCalledWith("sat-known");
+    expect(stub.getSatelliteByName).not.toHaveBeenCalled();
+    expect(result.entityId).toBe("sat-known");
+  });
+
+  it("treats pending-* entityIds as fresh and falls back to name lookup", async () => {
+    const existing: SatelliteWithStatus = {
+      id: "sat-existing",
+      name: "eu-west-1",
+      region: "eu-west-1",
+      tags: {},
+      createdAt: new Date(),
+      status: "online",
+    };
+    stub = stubService(existing);
+    kind = buildSatelliteKind({ getService: () => stub.service });
+
+    await kind.reconcile({
+      entity: mkEntity("eu-west-1", { region: "eu-west-1" }),
+      existingEntityId: "pending-foo",
+      context: buildContext(),
+    });
+
+    expect(stub.getSatellite).not.toHaveBeenCalledWith("pending-foo");
+    expect(stub.getSatelliteByName).toHaveBeenCalledWith("eu-west-1");
+  });
+
+  it("normalizes missing metadata.labels to an empty tags object", async () => {
+    await kind.reconcile({
+      entity: mkEntity("eu-west-1", { region: "eu-west-1" }),
+      context: buildContext(),
+    });
+    expect(stub.createSatellite).toHaveBeenCalledWith({
+      name: "eu-west-1",
+      region: "eu-west-1",
+      tags: {},
+    });
+  });
+
+  it("delegates delete to the service", async () => {
+    await kind.delete!({
+      entityName: "eu-west-1",
+      entityId: "sat-1",
+      context: buildContext(),
+    });
+    expect(stub.deleteSatellite).toHaveBeenCalledWith("sat-1");
+  });
+
+  it("delete is a no-op without entityId", async () => {
+    await kind.delete!({ entityName: "x", context: buildContext() });
+    expect(stub.deleteSatellite).not.toHaveBeenCalled();
+  });
+});

package/src/satellite-gitops-kinds.ts

@@ -0,0 +1,116 @@
+import { z } from "zod";
+import {
+  CHECKSTACK_API_VERSION,
+  type EntityKindDefinition,
+  type EntityKindRegistry,
+  type ReconcileContext,
+} from "@checkstack/gitops-common";
+import type { SatelliteService } from "./service";
+
+interface SatelliteGitOpsKindsDeps {
+  /** Lazy accessor — populated during init(), invoked at reconcile time. */
+  getService: () => SatelliteService;
+}
+
+// ─── Satellite Spec Schema ─────────────────────────────────────────────────
+//
+// GitOps owns metadata only — name, region, and the satellite's runtime
+// tags (sourced from the envelope's `metadata.labels`, since the envelope
+// already provides a `Record<string, string>` for that purpose). The bcrypt
+// token is never committed to YAML; operators retrieve and reset tokens via
+// the Satellites page in the UI.
+
+const satelliteSpecSchema = z.object({
+  region: z.string().min(1),
+});
+
+type SatelliteSpec = z.infer<typeof satelliteSpecSchema>;
+
+export function buildSatelliteKind(
+  deps: SatelliteGitOpsKindsDeps,
+): EntityKindDefinition<SatelliteSpec> {
+  return {
+    apiVersion: CHECKSTACK_API_VERSION,
+    kind: "Satellite",
+    specSchema: satelliteSpecSchema,
+
+    reconcile: async ({
+      entity,
+      existingEntityId,
+      context,
+    }: {
+      entity: {
+        metadata: {
+          name: string;
+          title?: string;
+          description?: string;
+          labels?: Record<string, string>;
+        };
+        spec: SatelliteSpec;
+      };
+      existingEntityId?: string;
+      context: ReconcileContext;
+    }) => {
+      const service = deps.getService();
+      const { spec, metadata } = entity;
+      const tags = metadata.labels ?? {};
+
+      // Try the provenance hint first; fall back to a name lookup so we
+      // adopt pre-existing satellites that match by name on first sync.
+      const existing =
+        existingEntityId && !existingEntityId.startsWith("pending-")
+          ? await service.getSatellite(existingEntityId)
+          : await service.getSatelliteByName(metadata.name);
+
+      if (existing) {
+        const updated = await service.updateSatelliteMetadata({
+          id: existing.id,
+          name: metadata.name,
+          region: spec.region,
+          tags,
+        });
+        const finalId = updated?.id ?? existing.id;
+        context.logger.info(
+          `GitOps: updated Satellite "${metadata.name}" (id: ${finalId})`,
+        );
+        return { entityId: finalId };
+      }
+
+      // First-time create. The plaintext token is intentionally discarded —
+      // an operator must use the UI's "Reset token" affordance to retrieve a
+      // working token. This keeps the secret out of YAML and out of logs.
+      const created = await service.createSatellite({
+        name: metadata.name,
+        region: spec.region,
+        tags,
+      });
+      context.logger.info(
+        `GitOps: created Satellite "${metadata.name}" (id: ${created.satellite.id}). ` +
+          `Reset the token via the Satellites page to obtain a working credential.`,
+      );
+      return { entityId: created.satellite.id };
+    },
+
+    delete: async ({
+      entityId,
+      context,
+    }: {
+      entityName: string;
+      entityId?: string;
+      context: ReconcileContext;
+    }) => {
+      if (!entityId) return;
+      await deps.getService().deleteSatellite(entityId);
+      context.logger.info(`GitOps: deleted Satellite (id: ${entityId})`);
+    },
+  };
+}
+
+export function registerSatelliteGitOpsKinds({
+  kindRegistry,
+  ...deps
+}: SatelliteGitOpsKindsDeps & {
+  kindRegistry: EntityKindRegistry;
+}): void {
+  kindRegistry.registerKind(buildSatelliteKind(deps));
+}

package/src/service.ts

@@ -80,6 +80,72 @@ export class SatelliteService {
     await this.db.delete(satellites).where(eq(satellites.id, id));
   }
 
+  /**
+   * Update a satellite's metadata (name, region, tags). Token is left intact —
+   * use `rotateSatelliteToken` to issue a new one.
+   */
+  async updateSatelliteMetadata(props: {
+    id: string;
+    name?: string;
+    region?: string;
+    tags?: Record<string, string>;
+  }): Promise<SatelliteWithStatus | undefined> {
+    const updates: Partial<typeof satellites.$inferInsert> = {};
+    if (props.name !== undefined) updates.name = props.name;
+    if (props.region !== undefined) updates.region = props.region;
+    if (props.tags !== undefined) updates.tags = props.tags;
+    if (Object.keys(updates).length === 0) return this.getSatellite(props.id);
+
+    const [row] = await this.db
+      .update(satellites)
+      .set(updates)
+      .where(eq(satellites.id, props.id))
+      .returning();
+    return row ? this.toSatelliteWithStatus(row) : undefined;
+  }
+
+  /**
+   * Rotate the token for an existing satellite. Generates a fresh plaintext
+   * token, stores its bcrypt hash, and returns the plaintext for one-time
+   * display. The previous token is invalidated immediately.
+   */
+  async rotateSatelliteToken(
+    id: string,
+  ): Promise<{ satellite: SatelliteWithStatus; plaintextToken: string } | undefined> {
+    const randomBytes = crypto.getRandomValues(new Uint8Array(32));
+    const tokenBody = Buffer.from(randomBytes).toString("base64url");
+    const plaintextToken = `csat_${tokenBody}`;
+
+    const tokenHash = await Bun.password.hash(plaintextToken, {
+      algorithm: "bcrypt",
+      cost: 10,
+    });
+
+    const [row] = await this.db
+      .update(satellites)
+      .set({ tokenHash })
+      .where(eq(satellites.id, id))
+      .returning();
+    if (!row) return undefined;
+
+    return {
+      satellite: this.toSatelliteWithStatus(row),
+      plaintextToken,
+    };
+  }
+
+  /**
+   * Lookup helper — returns a satellite by its `name`. Used by GitOps to
+   * resolve a YAML-declared satellite name to the persisted UUID.
+   */
+  async getSatelliteByName(name: string): Promise<SatelliteWithStatus | undefined> {
+    const [row] = await this.db
+      .select()
+      .from(satellites)
+      .where(eq(satellites.name, name));
+    return row ? this.toSatelliteWithStatus(row) : undefined;
+  }
+
   /**
    * List all satellites with computed online/offline status.
    */

package/tsconfig.json

@@ -13,6 +13,12 @@
     {
       "path": "../drizzle-helper"
     },
+    {
+      "path": "../gitops-backend"
+    },
+    {
+      "path": "../gitops-common"
+    },
     {
       "path": "../healthcheck-common"
     },