@checkstack/script-packages-backend 0.2.0 → 0.3.0

package/src/sdk-types-route.ts

@@ -0,0 +1,137 @@
+import type { AuthService, Logger } from "@checkstack/backend-api";
+import {
+  parseSdkTypesPath,
+  scriptPackagesAccess,
+  SDK_TYPES_PATH_PREFIX,
+} from "@checkstack/script-packages-common";
+import { extractErrorMessage } from "@checkstack/common";
+
+/**
+ * Raw, HTTP-cacheable route serving the running platform release's generated
+ * `@checkstack/sdk` editor bundle (`core/sdk/generated/editor-bundle.d.ts`)
+ * for the in-app TypeScript script editor. Mounted (via
+ * `rpc.registerHttpHandler`) at `/api/script-packages/sdk-types/:releaseVersion`.
+ *
+ * Why a raw route and not an oRPC procedure: identical to the type-acquisition
+ * route - oRPC responses here can't set custom HTTP headers, and we want
+ * HTTP-level caching keyed to the running release. So we serve a raw handler
+ * and set `Cache-Control` directly.
+ *
+ * Caching: the path carries the running release version, and the response sets
+ * `Cache-Control: private, max-age=<1y>, immutable`. The SDK bundle is
+ * immutable for the life of a deployed release; a deployment upgrade changes
+ * the version, so the editor requests a fresh URL and never reuses the old
+ * cache entry. `private` because the surface (contract names) may be sensitive.
+ *
+ * Staleness: if the client requests a version != the running version (e.g. a
+ * tab open across a deployment upgrade), we return `409` so the client refetches
+ * the current version and remounts the fresh types - never serving stale SDK
+ * declarations.
+ *
+ * Auth: a raw route bypasses oRPC auto-auth, so we authenticate and enforce the
+ * same global `script-packages.read` access the editor's ATA route uses.
+ */
+
+/** One year. The bundle is immutable for the life of a deployed release. */
+const CACHE_MAX_AGE_SECONDS = 60 * 60 * 24 * 365;
+
+/** The virtual path the editor mounts the bundle at (a `node_modules` path so
+ * `@checkstack/sdk` + subpath resolution finds it). */
+export const SDK_BUNDLE_VIRTUAL_PATH =
+  "node_modules/@checkstack/sdk/editor-bundle.d.ts";
+
+interface CreateSdkTypesHttpHandlerDeps {
+  auth: AuthService;
+  /** The running platform release version (e.g. `@checkstack/release`). */
+  getReleaseVersion: () => string;
+  /** The generated SDK editor bundle (`editor-bundle.d.ts`) content. */
+  getSdkBundle: () => string;
+  logger: Logger;
+}
+
+/** One acquired file, mirroring the type-acquisition response shape so the
+ * frontend reuses the same `registerAcquiredFiles` mount path. */
+interface SdkTypesFile {
+  path: string;
+  content: string;
+}
+
+/** Whether the authenticated user holds global `script-packages.read`. */
+function hasReadAccess(
+  user: Awaited<ReturnType<AuthService["authenticate"]>>,
+): boolean {
+  if (!user) return false;
+  if (user.type === "service") return true;
+  const rules = user.accessRules ?? [];
+  return rules.includes("*") || rules.includes(scriptPackagesAccess.read.id);
+}
+
+function jsonResponse(body: unknown, status: number): Response {
+  return Response.json(body, { status });
+}
+
+export function createSdkTypesHttpHandler({
+  auth,
+  getReleaseVersion,
+  getSdkBundle,
+  logger,
+}: CreateSdkTypesHttpHandlerDeps): (req: Request) => Promise<Response> {
+  return async (req: Request): Promise<Response> => {
+    if (req.method !== "GET") {
+      return jsonResponse({ error: "Method not allowed" }, 405);
+    }
+
+    // ─── Auth ─────────────────────────────────────────────────────────────
+    let user: Awaited<ReturnType<AuthService["authenticate"]>>;
+    try {
+      user = await auth.authenticate(req);
+    } catch (error) {
+      logger.error(`SDK-types auth failed: ${extractErrorMessage(error)}`);
+      return jsonResponse({ error: "Unauthorized" }, 401);
+    }
+    if (!user) return jsonResponse({ error: "Unauthorized" }, 401);
+    if (!hasReadAccess(user)) {
+      return jsonResponse({ error: "Forbidden" }, 403);
+    }
+
+    // ─── Parse path ───────────────────────────────────────────────────────
+    const pathname = new URL(req.url).pathname;
+    const prefixIndex = pathname.indexOf(SDK_TYPES_PATH_PREFIX);
+    if (prefixIndex === -1) {
+      return jsonResponse({ error: "Not found" }, 404);
+    }
+    const afterPrefix = pathname.slice(
+      prefixIndex + SDK_TYPES_PATH_PREFIX.length,
+    );
+    const parsed = parseSdkTypesPath(afterPrefix);
+    if (!parsed) {
+      return jsonResponse({ error: "Bad request" }, 400);
+    }
+
+    // ─── Version must match the running release ───────────────────────────
+    const runningVersion = getReleaseVersion();
+    if (parsed.releaseVersion !== runningVersion) {
+      // Stale (e.g. a tab open across a deployment upgrade). Don't cache a
+      // mismatch; tell the client to refetch the current version.
+      return jsonResponse(
+        { error: "Stale release version; refetch SDK types." },
+        409,
+      );
+    }
+
+    const files: SdkTypesFile[] = [
+      { path: SDK_BUNDLE_VIRTUAL_PATH, content: getSdkBundle() },
+    ];
+    return Response.json(
+      { files },
+      {
+        status: 200,
+        headers: {
+          // Immutable for the life of this release; the version-keyed path
+          // changes on upgrade so the old URL is never reused.
+          "Cache-Control": `private, max-age=${CACHE_MAX_AGE_SECONDS}, immutable`,
+        },
+      },
+    );
+  };
+}

package/src/stores.ts

@@ -1,6 +1,8 @@
-import { eq, ne, desc, sql } from "drizzle-orm";
+import { and, eq, ne, desc, sql } from "drizzle-orm";
 import type { SafeDatabase } from "@checkstack/backend-api";
 import type {
+  AuditAdvisory,
+  AuditState,
   BlobGcState,
   ManifestEntry,
   PackageSpec,
@@ -23,6 +25,8 @@ import {
   scriptPackageBlobGcState,
   scriptPackageLockfileHistory,
   scriptPackageSatelliteState,
+  scriptPackageAuditAdvisory,
+  scriptPackageAuditState,
 } from "./schema";
 
 const SINGLETON = "singleton";
@@ -531,3 +535,214 @@ export function createSatelliteStateStore(db: SafeDatabase<SatelliteSchema>) {
     },
   };
 }
+
+// ─── Vulnerability-audit store ─────────────────────────────────────────────
+
+type AuditSchema = {
+  scriptPackageAuditAdvisory: typeof scriptPackageAuditAdvisory;
+  scriptPackageAuditState: typeof scriptPackageAuditState;
+};
+
+const DEFAULT_AUDIT_STATE: AuditState = {
+  lastRunAt: null,
+  lockfileHash: null,
+  total: 0,
+  counts: { low: 0, moderate: 0, high: 0, critical: 0 },
+  errorMessage: null,
+};
+
+function auditRowToAdvisory(r: {
+  packageName: string;
+  advisoryId: string;
+  title: string;
+  severity: AuditAdvisory["severity"];
+  vulnerableVersions: string;
+  url: string | null;
+  cvssScore: number | null;
+}): AuditAdvisory {
+  return {
+    packageName: r.packageName,
+    advisoryId: r.advisoryId,
+    title: r.title,
+    severity: r.severity,
+    vulnerableVersions: r.vulnerableVersions,
+    url: r.url,
+    cvssScore: r.cvssScore,
+  };
+}
+
+/**
+ * Persists the audit findings (cluster-wide source of truth) + the singleton
+ * last-run summary. The on-disk node_modules tree is pod-local; advisories
+ * live here so any pod returns the same answer (state-and-scale rule).
+ */
+export function createAuditStore(db: SafeDatabase<AuditSchema>) {
+  return {
+    /** Advisories stored for a given lockfile hash (sorted for stable diffing). */
+    async advisoriesForHash(lockfileHash: string): Promise<AuditAdvisory[]> {
+      const rows = await db
+        .select()
+        .from(scriptPackageAuditAdvisory)
+        .where(eq(scriptPackageAuditAdvisory.lockfileHash, lockfileHash));
+      return rows
+        .map((r) => auditRowToAdvisory(r))
+        .toSorted((a, b) =>
+          a.packageName === b.packageName
+            ? a.advisoryId.localeCompare(b.advisoryId)
+            : a.packageName.localeCompare(b.packageName),
+        );
+    },
+
+    /**
+     * Advisory keys (`<package> <advisoryId>`) already marked notified at
+     * (at least) the given severity, so a redeploy doesn't re-notify an
+     * unchanged set. Returns a map of key -> the severity last notified at.
+     */
+    async notifiedSeverities(
+      lockfileHash: string,
+    ): Promise<Map<string, AuditAdvisory["severity"]>> {
+      const rows = await db
+        .select({
+          packageName: scriptPackageAuditAdvisory.packageName,
+          advisoryId: scriptPackageAuditAdvisory.advisoryId,
+          severity: scriptPackageAuditAdvisory.severity,
+          notified: scriptPackageAuditAdvisory.notified,
+        })
+        .from(scriptPackageAuditAdvisory)
+        .where(eq(scriptPackageAuditAdvisory.lockfileHash, lockfileHash));
+      const map = new Map<string, AuditAdvisory["severity"]>();
+      for (const r of rows) {
+        if (r.notified) map.set(`${r.packageName} ${r.advisoryId}`, r.severity);
+      }
+      return map;
+    },
+
+    /**
+     * Replace the entire advisory set for a hash with `advisories`. `notified`
+     * is carried from `notifiedKeys` so already-notified advisories don't
+     * re-notify on the next pass. Done in one transaction so a reader never
+     * sees a half-written set.
+     */
+    async replaceForHash(input: {
+      lockfileHash: string;
+      advisories: AuditAdvisory[];
+      notifiedKeys: Set<string>;
+    }): Promise<void> {
+      const { lockfileHash, advisories, notifiedKeys } = input;
+      await db.transaction(async (tx) => {
+        await tx
+          .delete(scriptPackageAuditAdvisory)
+          .where(eq(scriptPackageAuditAdvisory.lockfileHash, lockfileHash));
+        if (advisories.length > 0) {
+          await tx.insert(scriptPackageAuditAdvisory).values(
+            advisories.map((a) => ({
+              lockfileHash,
+              advisoryId: a.advisoryId,
+              packageName: a.packageName,
+              title: a.title,
+              severity: a.severity,
+              vulnerableVersions: a.vulnerableVersions,
+              url: a.url,
+              cvssScore: a.cvssScore,
+              notified: notifiedKeys.has(`${a.packageName} ${a.advisoryId}`),
+            })),
+          );
+        }
+      });
+    },
+
+    /** Mark the given advisory keys notified for a hash (post-send). */
+    async markNotified(input: {
+      lockfileHash: string;
+      keys: { packageName: string; advisoryId: string }[];
+    }): Promise<void> {
+      const { lockfileHash, keys } = input;
+      if (keys.length === 0) return;
+      // Each key is (package, advisory); update them in one statement per
+      // package-grouped set is awkward, so update by advisory id within hash
+      // and re-confirm the package in the WHERE.
+      for (const k of keys) {
+        await db
+          .update(scriptPackageAuditAdvisory)
+          .set({ notified: true })
+          .where(
+            and(
+              eq(scriptPackageAuditAdvisory.lockfileHash, lockfileHash),
+              eq(scriptPackageAuditAdvisory.advisoryId, k.advisoryId),
+              eq(scriptPackageAuditAdvisory.packageName, k.packageName),
+            ),
+          );
+      }
+    },
+
+    /** Drop advisories for hashes no longer relevant (housekeeping). */
+    async pruneHashesNotIn(keepHashes: string[]): Promise<void> {
+      if (keepHashes.length === 0) {
+        await db.delete(scriptPackageAuditAdvisory);
+        return;
+      }
+      await db
+        .delete(scriptPackageAuditAdvisory)
+        .where(
+          sql`${scriptPackageAuditAdvisory.lockfileHash} NOT IN (${sql.join(
+            keepHashes.map((h) => sql`${h}`),
+            sql`, `,
+          )})`,
+        );
+    },
+
+    async getState(): Promise<AuditState> {
+      const [row] = await db
+        .select()
+        .from(scriptPackageAuditState)
+        .where(eq(scriptPackageAuditState.id, SINGLETON))
+        .limit(1);
+      if (!row) return DEFAULT_AUDIT_STATE;
+      return {
+        lastRunAt: row.lastRunAt,
+        lockfileHash: row.lockfileHash,
+        total: row.total,
+        counts: {
+          low: row.countLow,
+          moderate: row.countModerate,
+          high: row.countHigh,
+          critical: row.countCritical,
+        },
+        errorMessage: row.errorMessage,
+      };
+    },
+
+    /** Record a successful run summary. */
+    async recordRun(input: {
+      lockfileHash: string | null;
+      total: number;
+      counts: AuditState["counts"];
+    }): Promise<void> {
+      const set = {
+        lastRunAt: new Date(),
+        lockfileHash: input.lockfileHash,
+        total: input.total,
+        countLow: input.counts.low,
+        countModerate: input.counts.moderate,
+        countHigh: input.counts.high,
+        countCritical: input.counts.critical,
+        errorMessage: null,
+      };
+      await db
+        .insert(scriptPackageAuditState)
+        .values({ id: SINGLETON, ...set })
+        .onConflictDoUpdate({ target: scriptPackageAuditState.id, set });
+    },
+
+    /** Record a failed run (keeps prior counts; surfaces the error). */
+    async recordError(message: string): Promise<void> {
+      const set = { lastRunAt: new Date(), errorMessage: message };
+      await db
+        .insert(scriptPackageAuditState)
+        .values({ id: SINGLETON, ...set })
+        .onConflictDoUpdate({ target: scriptPackageAuditState.id, set });
+    },
+  };
+}
+
+export type AuditStore = ReturnType<typeof createAuditStore>;

package/tsconfig.json

@@ -4,15 +4,24 @@
     "src"
   ],
   "references": [
+    {
+      "path": "../auth-common"
+    },
     {
       "path": "../backend-api"
     },
     {
       "path": "../common"
     },
+    {
+      "path": "../notification-common"
+    },
     {
       "path": "../script-packages-common"
     },
+    {
+      "path": "../sdk"
+    },
     {
       "path": "../secrets-backend"
     },