@checkstack/satellite-backend 0.2.21 → 0.3.1

package/CHANGELOG.md

@@ -1,5 +1,67 @@
 # @checkstack/satellite-backend
 
+## 0.3.1
+
+### Patch Changes
+
+- Updated dependencies [7c97b43]
+- Updated dependencies [9016526]
+  - @checkstack/healthcheck-backend@1.1.0
+  - @checkstack/common@0.10.0
+  - @checkstack/healthcheck-common@1.1.0
+  - @checkstack/gitops-common@0.4.0
+  - @checkstack/satellite-common@0.5.0
+  - @checkstack/backend-api@0.15.2
+  - @checkstack/gitops-backend@0.3.1
+  - @checkstack/signal-common@0.2.3
+  - @checkstack/queue-api@0.3.1
+
+## 0.3.0
+
+### Minor Changes
+
+- f6f9a5c: Add a GitOps `Satellite` kind plus a UI affordance for resetting tokens.
+
+  GitOps owns satellite **metadata only** — `metadata.name`,
+  `spec.region`, and `metadata.labels` (used as the satellite's runtime
+  tags). The bcrypt token is intentionally never expressed in YAML; on
+  first reconcile a satellite is created with a random token that is
+  discarded, and operators must use the Satellites page to retrieve a
+  working credential.
+
+  To support that flow:
+
+  - New service methods: `updateSatelliteMetadata`, `rotateSatelliteToken`,
+    `getSatelliteByName`.
+  - New RPC procs: `updateSatellite`, `rotateSatelliteToken`.
+  - New `RotateSatelliteTokenDialog` and a "Reset token" key icon on the
+    Satellites list. The dialog reuses the one-time-reveal layout from
+    `CreateSatelliteDialog`.
+  - The Satellites list shows a `GitOpsSourceBadge` next to managed
+    satellites and disables the delete button while leaving the
+    token-reset button enabled (so operators can always re-issue a
+    credential without touching YAML).
+
+  The satellite kind reconciler adopts pre-existing satellites by name on
+  first sync, so this is safe to roll out against installations that
+  already have manually-created satellites.
+
+### Patch Changes
+
+- Updated dependencies [42abfff]
+- Updated dependencies [f6f9a5c]
+- Updated dependencies [f6f9a5c]
+- Updated dependencies [aa89bc5]
+  - @checkstack/common@0.9.0
+  - @checkstack/satellite-common@0.4.0
+  - @checkstack/gitops-common@0.3.0
+  - @checkstack/gitops-backend@0.3.0
+  - @checkstack/queue-api@0.3.0
+  - @checkstack/backend-api@0.15.1
+  - @checkstack/healthcheck-backend@1.0.4
+  - @checkstack/healthcheck-common@1.0.2
+  - @checkstack/signal-common@0.2.2
+
 ## 0.2.21
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/satellite-backend",
-  "version": "0.2.21",
+  "version": "0.3.1",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
@@ -14,22 +14,24 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/backend-api": "0.14.1",
-    "@checkstack/satellite-common": "0.3.1",
-    "@checkstack/healthcheck-common": "1.0.0",
-    "@checkstack/signal-common": "0.2.0",
-    "@checkstack/healthcheck-backend": "1.0.2",
-    "@checkstack/common": "0.7.0",
-    "@checkstack/queue-api": "0.2.17",
+    "@checkstack/backend-api": "0.15.1",
+    "@checkstack/satellite-common": "0.4.0",
+    "@checkstack/healthcheck-common": "1.0.2",
+    "@checkstack/signal-common": "0.2.2",
+    "@checkstack/healthcheck-backend": "1.0.4",
+    "@checkstack/gitops-backend": "0.3.0",
+    "@checkstack/gitops-common": "0.3.0",
+    "@checkstack/common": "0.9.0",
+    "@checkstack/queue-api": "0.3.0",
     "drizzle-orm": "^0.45.0",
     "zod": "^4.2.1",
     "@orpc/server": "^1.13.2"
   },
   "devDependencies": {
-    "@checkstack/drizzle-helper": "0.0.4",
-    "@checkstack/scripts": "0.1.2",
-    "@checkstack/test-utils-backend": "0.1.23",
-    "@checkstack/tsconfig": "0.0.6",
+    "@checkstack/drizzle-helper": "0.0.5",
+    "@checkstack/scripts": "0.3.1",
+    "@checkstack/test-utils-backend": "0.1.25",
+    "@checkstack/tsconfig": "0.0.7",
     "@types/bun": "^1.0.0",
     "drizzle-kit": "^0.31.10",
     "typescript": "^5.0.0"

package/src/index.ts

@@ -14,6 +14,8 @@ import { createSatelliteRouter } from "./router";
 import { HeartbeatMonitor } from "./heartbeat-monitor";
 import { SatelliteWsHandler } from "./satellite-ws-handler";
 import { ConfigRelay } from "./config-relay";
+import { entityKindExtensionPoint } from "@checkstack/gitops-backend";
+import { registerSatelliteGitOpsKinds } from "./satellite-gitops-kinds";
 
 // Queue and job constants
 const HEARTBEAT_QUEUE = "satellite-heartbeat";
@@ -25,6 +27,17 @@ export default createBackendPlugin({
   register(env) {
     env.registerAccessRules(satelliteAccessRules);
 
+    // ─── GitOps Entity Kind Registration ─────────────────────────────
+    let gitopsService: SatelliteService | undefined;
+    const kindRegistry = env.getExtensionPoint(entityKindExtensionPoint);
+    registerSatelliteGitOpsKinds({
+      kindRegistry,
+      getService: () => {
+        if (!gitopsService) throw new Error("SatelliteService not initialized");
+        return gitopsService;
+      },
+    });
+
     env.registerInit({
       schema,
       deps: {
@@ -41,6 +54,7 @@ export default createBackendPlugin({
         const service = new SatelliteService(
           database as SafeDatabase<typeof schema>,
         );
+        gitopsService = service;
 
         const router = createSatelliteRouter({
           service,

package/src/router.ts

@@ -1,4 +1,4 @@
-import { implement } from "@orpc/server";
+import { implement, ORPCError } from "@orpc/server";
 import {
   satelliteContract,
   SATELLITE_STATUS_CHANGED,
@@ -75,6 +75,34 @@ export function createSatelliteRouter(props: {
       });
     }),
 
+    updateSatellite: os.updateSatellite.handler(async ({ input }) => {
+      const updated = await service.updateSatelliteMetadata(input);
+      if (!updated) {
+        throw new ORPCError("NOT_FOUND", {
+          message: `Satellite not found: ${input.id}`,
+        });
+      }
+      logger.info(`Satellite metadata updated: ${updated.name}`);
+      await signalService.broadcast(SATELLITE_CONFIG_CHANGED, {
+        satelliteId: updated.id,
+      });
+      return updated;
+    }),
+
+    rotateSatelliteToken: os.rotateSatelliteToken.handler(async ({ input }) => {
+      const result = await service.rotateSatelliteToken(input.id);
+      if (!result) {
+        throw new ORPCError("NOT_FOUND", {
+          message: `Satellite not found: ${input.id}`,
+        });
+      }
+      logger.info(`Satellite token rotated: ${result.satellite.name}`);
+      await signalService.broadcast(SATELLITE_CONFIG_CHANGED, {
+        satelliteId: result.satellite.id,
+      });
+      return { satellite: result.satellite, token: result.plaintextToken };
+    }),
+
     getOnlineSatelliteIds: os.getOnlineSatelliteIds.handler(async () => {
       const satelliteIds = await service.getOnlineSatelliteIds();
       return { satelliteIds };

package/src/satellite-gitops-kinds.test.ts

@@ -0,0 +1,239 @@
+import { describe, it, expect, mock, beforeEach } from "bun:test";
+import {
+  CHECKSTACK_API_VERSION,
+  type ReconcileContext,
+} from "@checkstack/gitops-common";
+import type { SatelliteWithStatus } from "@checkstack/satellite-common";
+import type { SatelliteService } from "./service";
+import { buildSatelliteKind } from "./satellite-gitops-kinds";
+
+const noopLogger = {
+  debug: () => {},
+  info: () => {},
+  warn: () => {},
+  error: () => {},
+};
+
+const buildContext = (
+  overrides: Partial<ReconcileContext> = {},
+): ReconcileContext =>
+  ({
+    logger: noopLogger,
+    resolveEntityRef: async () => undefined,
+    resolveSecretsBySchema: async ({ value }) => ({
+      resolved: value,
+      warnings: [],
+    }),
+    ...overrides,
+  }) as ReconcileContext;
+
+const stubService = (initial?: SatelliteWithStatus | undefined) => {
+  let stored = initial;
+  const getSatellite = mock(async (id: string) =>
+    stored && stored.id === id ? stored : undefined,
+  );
+  const getSatelliteByName = mock(async (name: string) =>
+    stored && stored.name === name ? stored : undefined,
+  );
+  const createSatellite = mock(
+    async (props: {
+      name: string;
+      region: string;
+      tags: Record<string, string>;
+    }) => {
+      const satellite: SatelliteWithStatus = {
+        id: "sat-new",
+        name: props.name,
+        region: props.region,
+        tags: props.tags,
+        createdAt: new Date(),
+        status: "offline",
+      };
+      stored = satellite;
+      return { satellite, plaintextToken: "csat_test-token" };
+    },
+  );
+  const updateSatelliteMetadata = mock(
+    async (props: {
+      id: string;
+      name?: string;
+      region?: string;
+      tags?: Record<string, string>;
+    }) => {
+      if (!stored || stored.id !== props.id) return undefined;
+      stored = {
+        ...stored,
+        name: props.name ?? stored.name,
+        region: props.region ?? stored.region,
+        tags: props.tags ?? stored.tags,
+      };
+      return stored;
+    },
+  );
+  const deleteSatellite = mock(async (id: string) => {
+    if (stored && stored.id === id) stored = undefined;
+  });
+  return {
+    getSatellite,
+    getSatelliteByName,
+    createSatellite,
+    updateSatelliteMetadata,
+    deleteSatellite,
+    service: {
+      getSatellite,
+      getSatelliteByName,
+      createSatellite,
+      updateSatelliteMetadata,
+      deleteSatellite,
+    } as unknown as SatelliteService,
+    get current() {
+      return stored;
+    },
+  };
+};
+
+const mkEntity = (
+  name: string,
+  spec: { region: string },
+  metadataExtras: { labels?: Record<string, string> } = {},
+) => ({
+  apiVersion: CHECKSTACK_API_VERSION,
+  kind: "Satellite",
+  metadata: { name, ...metadataExtras },
+  spec,
+});
+
+describe("buildSatelliteKind", () => {
+  let kind: ReturnType<typeof buildSatelliteKind>;
+  let stub: ReturnType<typeof stubService>;
+
+  beforeEach(() => {
+    stub = stubService();
+    kind = buildSatelliteKind({ getService: () => stub.service });
+  });
+
+  it("registers as Satellite kind", () => {
+    expect(kind.kind).toBe("Satellite");
+  });
+
+  it("creates a satellite when none exists, discarding the plaintext token", async () => {
+    const result = await kind.reconcile({
+      entity: mkEntity(
+        "eu-west-1",
+        { region: "eu-west-1" },
+        { labels: { tier: "prod" } },
+      ),
+      context: buildContext(),
+    });
+
+    expect(stub.createSatellite).toHaveBeenCalledTimes(1);
+    expect(stub.createSatellite).toHaveBeenCalledWith({
+      name: "eu-west-1",
+      region: "eu-west-1",
+      tags: { tier: "prod" },
+    });
+    expect(result.entityId).toBe("sat-new");
+  });
+
+  it("adopts an existing satellite by name on first sync", async () => {
+    const existing: SatelliteWithStatus = {
+      id: "sat-existing",
+      name: "eu-west-1",
+      region: "eu-west-1",
+      tags: {},
+      createdAt: new Date(),
+      status: "online",
+    };
+    stub = stubService(existing);
+    kind = buildSatelliteKind({ getService: () => stub.service });
+
+    const result = await kind.reconcile({
+      entity: mkEntity(
+        "eu-west-1",
+        { region: "eu-west-2" },
+        { labels: { tier: "prod" } },
+      ),
+      context: buildContext(),
+    });
+
+    expect(stub.createSatellite).not.toHaveBeenCalled();
+    expect(stub.updateSatelliteMetadata).toHaveBeenCalledWith({
+      id: "sat-existing",
+      name: "eu-west-1",
+      region: "eu-west-2",
+      tags: { tier: "prod" },
+    });
+    expect(result.entityId).toBe("sat-existing");
+  });
+
+  it("uses the provenance entityId hint when provided", async () => {
+    const existing: SatelliteWithStatus = {
+      id: "sat-known",
+      name: "renamed",
+      region: "eu-west-1",
+      tags: {},
+      createdAt: new Date(),
+      status: "online",
+    };
+    stub = stubService(existing);
+    kind = buildSatelliteKind({ getService: () => stub.service });
+
+    const result = await kind.reconcile({
+      entity: mkEntity("renamed", { region: "eu-west-1" }),
+      existingEntityId: "sat-known",
+      context: buildContext(),
+    });
+
+    expect(stub.getSatellite).toHaveBeenCalledWith("sat-known");
+    expect(stub.getSatelliteByName).not.toHaveBeenCalled();
+    expect(result.entityId).toBe("sat-known");
+  });
+
+  it("treats pending-* entityIds as fresh and falls back to name lookup", async () => {
+    const existing: SatelliteWithStatus = {
+      id: "sat-existing",
+      name: "eu-west-1",
+      region: "eu-west-1",
+      tags: {},
+      createdAt: new Date(),
+      status: "online",
+    };
+    stub = stubService(existing);
+    kind = buildSatelliteKind({ getService: () => stub.service });
+
+    await kind.reconcile({
+      entity: mkEntity("eu-west-1", { region: "eu-west-1" }),
+      existingEntityId: "pending-foo",
+      context: buildContext(),
+    });
+
+    expect(stub.getSatellite).not.toHaveBeenCalledWith("pending-foo");
+    expect(stub.getSatelliteByName).toHaveBeenCalledWith("eu-west-1");
+  });
+
+  it("normalizes missing metadata.labels to an empty tags object", async () => {
+    await kind.reconcile({
+      entity: mkEntity("eu-west-1", { region: "eu-west-1" }),
+      context: buildContext(),
+    });
+    expect(stub.createSatellite).toHaveBeenCalledWith({
+      name: "eu-west-1",
+      region: "eu-west-1",
+      tags: {},
+    });
+  });
+
+  it("delegates delete to the service", async () => {
+    await kind.delete!({
+      entityName: "eu-west-1",
+      entityId: "sat-1",
+      context: buildContext(),
+    });
+    expect(stub.deleteSatellite).toHaveBeenCalledWith("sat-1");
+  });
+
+  it("delete is a no-op without entityId", async () => {
+    await kind.delete!({ entityName: "x", context: buildContext() });
+    expect(stub.deleteSatellite).not.toHaveBeenCalled();
+  });
+});

package/src/satellite-gitops-kinds.ts

@@ -0,0 +1,116 @@
+import { z } from "zod";
+import {
+  CHECKSTACK_API_VERSION,
+  type EntityKindDefinition,
+  type EntityKindRegistry,
+  type ReconcileContext,
+} from "@checkstack/gitops-common";
+import type { SatelliteService } from "./service";
+
+interface SatelliteGitOpsKindsDeps {
+  /** Lazy accessor — populated during init(), invoked at reconcile time. */
+  getService: () => SatelliteService;
+}
+
+// ─── Satellite Spec Schema ─────────────────────────────────────────────────
+//
+// GitOps owns metadata only — name, region, and the satellite's runtime
+// tags (sourced from the envelope's `metadata.labels`, since the envelope
+// already provides a `Record<string, string>` for that purpose). The bcrypt
+// token is never committed to YAML; operators retrieve and reset tokens via
+// the Satellites page in the UI.
+
+const satelliteSpecSchema = z.object({
+  region: z.string().min(1),
+});
+
+type SatelliteSpec = z.infer<typeof satelliteSpecSchema>;
+
+export function buildSatelliteKind(
+  deps: SatelliteGitOpsKindsDeps,
+): EntityKindDefinition<SatelliteSpec> {
+  return {
+    apiVersion: CHECKSTACK_API_VERSION,
+    kind: "Satellite",
+    specSchema: satelliteSpecSchema,
+
+    reconcile: async ({
+      entity,
+      existingEntityId,
+      context,
+    }: {
+      entity: {
+        metadata: {
+          name: string;
+          title?: string;
+          description?: string;
+          labels?: Record<string, string>;
+        };
+        spec: SatelliteSpec;
+      };
+      existingEntityId?: string;
+      context: ReconcileContext;
+    }) => {
+      const service = deps.getService();
+      const { spec, metadata } = entity;
+      const tags = metadata.labels ?? {};
+
+      // Try the provenance hint first; fall back to a name lookup so we
+      // adopt pre-existing satellites that match by name on first sync.
+      const existing =
+        existingEntityId && !existingEntityId.startsWith("pending-")
+          ? await service.getSatellite(existingEntityId)
+          : await service.getSatelliteByName(metadata.name);
+
+      if (existing) {
+        const updated = await service.updateSatelliteMetadata({
+          id: existing.id,
+          name: metadata.name,
+          region: spec.region,
+          tags,
+        });
+        const finalId = updated?.id ?? existing.id;
+        context.logger.info(
+          `GitOps: updated Satellite "${metadata.name}" (id: ${finalId})`,
+        );
+        return { entityId: finalId };
+      }
+
+      // First-time create. The plaintext token is intentionally discarded —
+      // an operator must use the UI's "Reset token" affordance to retrieve a
+      // working token. This keeps the secret out of YAML and out of logs.
+      const created = await service.createSatellite({
+        name: metadata.name,
+        region: spec.region,
+        tags,
+      });
+      context.logger.info(
+        `GitOps: created Satellite "${metadata.name}" (id: ${created.satellite.id}). ` +
+          `Reset the token via the Satellites page to obtain a working credential.`,
+      );
+      return { entityId: created.satellite.id };
+    },
+
+    delete: async ({
+      entityId,
+      context,
+    }: {
+      entityName: string;
+      entityId?: string;
+      context: ReconcileContext;
+    }) => {
+      if (!entityId) return;
+      await deps.getService().deleteSatellite(entityId);
+      context.logger.info(`GitOps: deleted Satellite (id: ${entityId})`);
+    },
+  };
+}
+
+export function registerSatelliteGitOpsKinds({
+  kindRegistry,
+  ...deps
+}: SatelliteGitOpsKindsDeps & {
+  kindRegistry: EntityKindRegistry;
+}): void {
+  kindRegistry.registerKind(buildSatelliteKind(deps));
+}

package/src/service.ts

@@ -80,6 +80,72 @@ export class SatelliteService {
     await this.db.delete(satellites).where(eq(satellites.id, id));
   }
 
+  /**
+   * Update a satellite's metadata (name, region, tags). Token is left intact —
+   * use `rotateSatelliteToken` to issue a new one.
+   */
+  async updateSatelliteMetadata(props: {
+    id: string;
+    name?: string;
+    region?: string;
+    tags?: Record<string, string>;
+  }): Promise<SatelliteWithStatus | undefined> {
+    const updates: Partial<typeof satellites.$inferInsert> = {};
+    if (props.name !== undefined) updates.name = props.name;
+    if (props.region !== undefined) updates.region = props.region;
+    if (props.tags !== undefined) updates.tags = props.tags;
+    if (Object.keys(updates).length === 0) return this.getSatellite(props.id);
+
+    const [row] = await this.db
+      .update(satellites)
+      .set(updates)
+      .where(eq(satellites.id, props.id))
+      .returning();
+    return row ? this.toSatelliteWithStatus(row) : undefined;
+  }
+
+  /**
+   * Rotate the token for an existing satellite. Generates a fresh plaintext
+   * token, stores its bcrypt hash, and returns the plaintext for one-time
+   * display. The previous token is invalidated immediately.
+   */
+  async rotateSatelliteToken(
+    id: string,
+  ): Promise<{ satellite: SatelliteWithStatus; plaintextToken: string } | undefined> {
+    const randomBytes = crypto.getRandomValues(new Uint8Array(32));
+    const tokenBody = Buffer.from(randomBytes).toString("base64url");
+    const plaintextToken = `csat_${tokenBody}`;
+
+    const tokenHash = await Bun.password.hash(plaintextToken, {
+      algorithm: "bcrypt",
+      cost: 10,
+    });
+
+    const [row] = await this.db
+      .update(satellites)
+      .set({ tokenHash })
+      .where(eq(satellites.id, id))
+      .returning();
+    if (!row) return undefined;
+
+    return {
+      satellite: this.toSatelliteWithStatus(row),
+      plaintextToken,
+    };
+  }
+
+  /**
+   * Lookup helper — returns a satellite by its `name`. Used by GitOps to
+   * resolve a YAML-declared satellite name to the persisted UUID.
+   */
+  async getSatelliteByName(name: string): Promise<SatelliteWithStatus | undefined> {
+    const [row] = await this.db
+      .select()
+      .from(satellites)
+      .where(eq(satellites.name, name));
+    return row ? this.toSatelliteWithStatus(row) : undefined;
+  }
+
   /**
    * List all satellites with computed online/offline status.
    */

package/tsconfig.json

@@ -13,6 +13,12 @@
     {
       "path": "../drizzle-helper"
     },
+    {
+      "path": "../gitops-backend"
+    },
+    {
+      "path": "../gitops-common"
+    },
     {
       "path": "../healthcheck-common"
     },