@checkstack/satellite-common 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +58 -0
  2. package/package.json +3 -3
  3. package/src/protocol.test.ts +52 -0
  4. package/src/protocol.ts +26 -0
package/CHANGELOG.md CHANGED
@@ -1,5 +1,63 @@
1
1
  # @checkstack/satellite-common
2
2
 
3
+ ## 0.8.0
4
+
5
+ ### Minor Changes
6
+
7
+ - 9dcc848: Layered OS-level script sandbox, secure and fail-closed by default (epic #247).
8
+
9
+ Script and shell health checks and the `run_shell` / `run_script` automation actions now run inside a layered OS-level sandbox by default. The sandbox lives in `core/backend-api/src/script-sandbox/` (the single source of truth) and is enforced inside the shared runners, so it applies wherever a job runs.
10
+
11
+ Layers:
12
+
13
+ - Resource caps (CPU / memory / PID / FD / file-size, via `prlimit` on capable Linux; ESM JS-heap cap via `--max-old-space-size`; portable wall-clock timeout) and an OOM-safe streaming output cap.
14
+ - Privilege drop via a NON-ROOT supervisor model: the shipped images run the supervisor as non-root uid `65532`, so every sandboxed script inherits non-root and can never be host-root; filesystem + network confinement is delivered by ROOTLESS `bwrap`/`nsjail` via unprivileged user namespaces. `enforced.privilege` is truthful (true only when the child cannot run as host-root). Runners no longer pass `uid`/`gid` to `Bun.spawn` (a silent no-op and a forward-compat hazard).
15
+ - Filesystem isolation (`scratch-only` / `scratch-plus-ro`) confining the child to its per-run scratch dir over a read-only base; the interpreter path is RO-bound so the runtime execs, and `TMPDIR` is pinned to the in-namespace tmpfs.
16
+ - Network egress control: `deny` (routeless loopback-only netns), `allowlist` (real plumbed egress via macvlan OR rootless slirp4netns + an in-kernel nftables filter), and an always-on metadata / link-local block (`169.254.0.0/16`, `fe80::/10`, `fc00::/7`). No-blackhole invariant: `enforced.network` is never true when egress is actually severed or unfiltered; unpluggable egress degrades to surfaced host net.
17
+ - Per-run fork-bomb containment via RLIMIT*NPROC inside the fresh per-run user+PID namespace; a centralized forbidden-env denylist (`LD_PRELOAD`, `LD_LIBRARY_PATH`, `DYLD*_`, `NODE*OPTIONS`, `BUN*_`, caller `PATH` overrides).
18
+ - A validated tuned seccomp profile (`deploy/seccomp/checkstack-userns.json`) and a live `clone(CLONE_NEWUSER|CLONE_NEWNET)` capability probe (not the static sysctl), shipped by default in both Dockerfiles, `docker-compose.yml`, and `deploy/k8s/checkstack-sandbox.yaml`.
19
+
20
+ Global policy and operator surface:
21
+
22
+ - The global sandbox policy lives in ONE durable row owned by `script-packages` (its `ConfigService` row in shared `plugin_configs`). A single process-wide provider serves every runner; the two script plugins no longer register competing providers. A dedicated admin-only `script-sandbox.manage` permission gates both reading and writing the policy. New `getSandboxPolicy` / `setSandboxPolicy` endpoints and a Settings -> Script Sandbox admin UI (`enabled`, `onUnavailable`, network/filesystem/privilege modes, allow list, metadata block, resource caps). The startup capability/readiness log is emitted in-process by `script-packages-backend` (no fragile init-order RPC self-loop), and on a host that cannot enforce a layer a one-time startup warning explains the two local-dev paths (Docker, or set the global policy to `degrade`).
23
+ - Satellite relay: the WS protocol carries the resolved policy in the `authenticated` message and a `sandbox_policy` push-on-change; a satellite caches the last relayed policy and resolves every run through it.
24
+
25
+ BREAKING CHANGES (platform in BETA, shipped as minor):
26
+
27
+ - Scripts run sandboxed by default. The shipped global default is FAIL-CLOSED (`onUnavailable: "fail"`): when a requested layer cannot be enforced the run is REFUSED (clean `exitCode: -1`, never an unsandboxed spawn) rather than silently degrading. Deployments on hosts that cannot enforce a layer (no bubblewrap, user namespaces blocked, no `/proc` unmask) must run the official images with the documented runtime flags (the bundled seccomp profile + `systempaths=unconfined`, or k8s `procMount: Unmasked`), or set the global policy to `degrade`. On macOS / restricted containers the strong layers degrade to the portable subset and are surfaced per run.
28
+ - Default network posture is deny-egress (`allowlist` with an empty allow list, which resolves to the routeless `deny` path). Scripts calling external endpoints fail until those destinations are allowlisted in the global default. The always-on metadata / link-local block applies even under looser modes.
29
+ - The per-action / per-check `sandbox` config override and the transport `ScriptRequest.sandbox` field are removed; policy is global-only, so an automation/check author can no longer weaken the sandbox on their own item. Stored configs carrying a stray `sandbox` key are tolerated (stripped on parse).
30
+ - The shared runners' `run()` no longer accepts a `sandbox` option; callers rely on the global policy provider.
31
+ - A satellite fails closed (most restrictive profile) until it receives the first relayed policy; a relay-read failure or an older core keeps it fail-closed. A relay failure can never loosen a satellite's sandbox.
32
+
33
+ State and scale: the global policy is a single durable Postgres row read identically on every pod. Capability detection is per-process, deterministic from the host kernel, and surfaced per run via the `EffectiveSandbox` report (a Linux pod and a macOS satellite may legitimately differ). `CHECKSTACK_SANDBOX_UID/GID` and macvlan addressing are genuinely per-host infrastructure, surfaced per run, not the queryable policy. The satellite's policy cache is satellite-local transport state. No new pod-local current-state.
34
+
35
+ This is a beta minor.
36
+
37
+ - 9dcc848: Align workspace dependency versions and migrate React Router to v7.
38
+
39
+ BREAKING CHANGES (React Router v7): All frontend packages now depend on `react-router-dom@^7.16.0`. Previously the workspace declared four divergent ranges (`^6.20.0`, `^6.22.0`, `^7.1.1`, `^7.14.2`), which resolved both `react-router@6` and `react-router@7` into a single bundle. Everything is now unified on v7. The public imports the app uses (`BrowserRouter`, `Routes`, `Route`, `Link`, `NavLink`, `MemoryRouter`, `useNavigate`, `useParams`, `useSearchParams`, `useLocation`) are unchanged between v6 and v7, so no source rewrites were required - but any out-of-tree plugin still on react-router v6 should upgrade to v7 (see the React Router v6 -> v7 upgrade guide) to share the host's single router instance via the import map.
40
+
41
+ Other unified ranges (no API change): `react` -> `^18.3.1`, the `@orpc/*` family (`contract`, `server`, `client`, `tanstack-query`, `openapi`, `zod`) -> `^1.14.4`, and `better-auth` -> `^1.6.13`.
42
+
43
+ Removed the pre-rename `@orpc/react-query` leftover from `@checkstack/frontend-api`; its `createRouterUtils` / `RouterUtils` / `ProcedureUtils` now come from `@orpc/tanstack-query` (the package already in use).
44
+
45
+ Stale in-range runtime deps pulled up to current published versions: `hono` `^4.12.23`, `@tanstack/react-query` (+devtools) `^5.100.14`, `date-fns` `^4.4.0`, `jose` `^6.2.3`, `tar` `^7.5.16`, `semver` `^7.8.1`, `@xyflow/react` `^12.11.0`.
46
+
47
+ ### Patch Changes
48
+
49
+ - Updated dependencies [9dcc848]
50
+ - Updated dependencies [9dcc848]
51
+ - Updated dependencies [9dcc848]
52
+ - Updated dependencies [9dcc848]
53
+ - Updated dependencies [9dcc848]
54
+ - Updated dependencies [9dcc848]
55
+ - Updated dependencies [9dcc848]
56
+ - Updated dependencies [9dcc848]
57
+ - @checkstack/healthcheck-common@1.5.0
58
+ - @checkstack/common@0.13.0
59
+ - @checkstack/signal-common@0.2.6
60
+
3
61
  ## 0.7.0
4
62
 
5
63
  ### Minor Changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@checkstack/satellite-common",
3
- "version": "0.7.0",
3
+ "version": "0.8.0",
4
4
  "license": "Elastic-2.0",
5
5
  "type": "module",
6
6
  "exports": {
@@ -10,9 +10,9 @@
10
10
  },
11
11
  "dependencies": {
12
12
  "@checkstack/common": "0.12.0",
13
- "@checkstack/healthcheck-common": "1.3.0",
13
+ "@checkstack/healthcheck-common": "1.4.0",
14
14
  "@checkstack/signal-common": "0.2.5",
15
- "@orpc/contract": "^1.13.14",
15
+ "@orpc/contract": "^1.14.4",
16
16
  "zod": "^4.2.1"
17
17
  },
18
18
  "devDependencies": {
package/src/protocol.test.ts CHANGED
@@ -148,3 +148,55 @@ describe("run-secrets request/reply (Phase 3 JIT delivery)", () => {
148
148
  }
149
149
  });
150
150
  });
151
+
152
+ describe("sandbox-policy protocol extensions", () => {
153
+ const policy = {
154
+ enabled: true,
155
+ onUnavailable: "degrade" as const,
156
+ resources: { cpuSeconds: 30 },
157
+ filesystem: { mode: "scratch-plus-ro" as const },
158
+ network: {
159
+ mode: "allowlist" as const,
160
+ allow: ["10.0.0.1"],
161
+ denyLinkLocalAndMetadata: true,
162
+ },
163
+ privilege: { mode: "drop-to-uid" as const },
164
+ };
165
+
166
+ test("authenticated carries an optional sandboxPolicy that round-trips", () => {
167
+ const parsed = CoreToSatelliteMessageSchema.parse({
168
+ type: "authenticated",
169
+ satelliteId: "sat-1",
170
+ assignments: [],
171
+ sandboxPolicy: policy,
172
+ });
173
+ if (parsed.type === "authenticated") {
174
+ expect(parsed.sandboxPolicy?.network.mode).toBe("allowlist");
175
+ expect(parsed.sandboxPolicy?.network.allow).toEqual(["10.0.0.1"]);
176
+ expect(parsed.sandboxPolicy?.resources.cpuSeconds).toBe(30);
177
+ }
178
+ });
179
+
180
+ test("authenticated WITHOUT sandboxPolicy parses (version-skew safety)", () => {
181
+ const parsed = CoreToSatelliteMessageSchema.parse({
182
+ type: "authenticated",
183
+ satelliteId: "sat-1",
184
+ assignments: [],
185
+ });
186
+ if (parsed.type === "authenticated") {
187
+ expect(parsed.sandboxPolicy).toBeUndefined();
188
+ }
189
+ });
190
+
191
+ test("sandbox_policy push message round-trips the full policy", () => {
192
+ const parsed = CoreToSatelliteMessageSchema.parse({
193
+ type: "sandbox_policy",
194
+ policy,
195
+ });
196
+ expect(parsed.type).toBe("sandbox_policy");
197
+ if (parsed.type === "sandbox_policy") {
198
+ expect(parsed.policy.network.mode).toBe("allowlist");
199
+ expect(parsed.policy.privilege.mode).toBe("drop-to-uid");
200
+ }
201
+ });
202
+ });
package/src/protocol.ts CHANGED
@@ -3,6 +3,7 @@ import {
3
3
  HealthCheckStatusSchema,
4
4
  HealthCheckRunResultSchema,
5
5
  } from "@checkstack/healthcheck-common";
6
+ import { sandboxPolicySchema } from "@checkstack/common";
6
7
 
7
8
  // =============================================================================
8
9
  // SATELLITE ASSIGNMENT (Core → Satellite configuration payload)
@@ -187,6 +188,16 @@ const AuthenticatedMessageSchema = z.object({
187
188
  * Optional for version-skew safety; null means "no packages installed".
188
189
  */
189
190
  scriptPackagesLockfileHash: z.string().nullable().optional(),
191
+ /**
192
+ * The resolved GLOBAL script-sandbox policy, pushed at auth time so the
193
+ * satellite enforces the operator's cluster-wide policy from its very first
194
+ * script run. The satellite caches it and resolves every run through it;
195
+ * until this arrives it FAILS CLOSED (denies egress) rather than using the
196
+ * permissive shipped default. Optional for version-skew safety: an older
197
+ * core omits it, and the satellite then stays fail-closed until a
198
+ * `sandbox_policy` push or a reconnect against a newer core delivers it.
199
+ */
200
+ sandboxPolicy: sandboxPolicySchema.optional(),
190
201
  });
191
202
 
192
203
  const AuthFailedMessageSchema = z.object({
@@ -218,6 +229,19 @@ const RefreshScriptPackagesMessageSchema = z.object({
218
229
  lockfileHash: z.string(),
219
230
  });
220
231
 
232
+ /**
233
+ * Push the new GLOBAL script-sandbox policy to a connected satellite when an
234
+ * admin changes it (the push-on-change relay). Sent by each core instance's
235
+ * `script-sandbox.policy-changed` broadcast handler to its currently-connected
236
+ * satellites. The satellite replaces its cached policy so subsequent runs
237
+ * enforce it immediately. Best-effort liveness; the policy carried in the
238
+ * `authenticated` message on (re)connect is the durable backstop.
239
+ */
240
+ const SandboxPolicyMessageSchema = z.object({
241
+ type: z.literal("sandbox_policy"),
242
+ policy: sandboxPolicySchema,
243
+ });
244
+
221
245
  /** One resolved package in a manifest reply. */
222
246
  const ManifestEntryWireSchema = z.object({
223
247
  name: z.string(),
@@ -269,6 +293,7 @@ export const CoreToSatelliteMessageSchema = z.discriminatedUnion("type", [
269
293
  ConfigUpdatedMessageSchema,
270
294
  ShutdownMessageSchema,
271
295
  RefreshScriptPackagesMessageSchema,
296
+ SandboxPolicyMessageSchema,
272
297
  ScriptPackageManifestMessageSchema,
273
298
  ScriptPackageBlobMessageSchema,
274
299
  RunSecretsMessageSchema,
@@ -286,6 +311,7 @@ export type ShutdownMessage = z.infer<typeof ShutdownMessageSchema>;
286
311
  export type RefreshScriptPackagesMessage = z.infer<
287
312
  typeof RefreshScriptPackagesMessageSchema
288
313
  >;
314
+ export type SandboxPolicyMessage = z.infer<typeof SandboxPolicyMessageSchema>;
289
315
  export type ScriptPackageManifestMessage = z.infer<
290
316
  typeof ScriptPackageManifestMessageSchema
291
317
  >;