@checkstack/script-packages-frontend 0.2.0 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,120 @@
 # @checkstack/script-packages-frontend
 
+## 0.3.0
+
+### Minor Changes
+
+- 9dcc848: Cut initial-load JS: lazy plugin contributions, a hardened lazy-by-default contribution contract, on-demand Monaco, and a lighter icon/chart load.
+
+  - Lazy plugin route pages: each plugin's route `element` references a `React.lazy`-wrapped page rendered inside a shared `<Suspense>` boundary. Plugins still register synchronously, so nav, slots, commands, API factories, and `foreignSignals` are available on first paint. This moves ~37 route-page chunks (~600 KB) out of the entry; the entry chunk drops from ~2.4 MB to ~190 KB. Auth flow pages stay eager. The `@checkstack/scripts` scaffold template generates lazy route pages too.
+  - Hardened contribution contract (BREAKING, frontend plugin contract): plugins declare contributions lazily and let the framework own code-splitting, Suspense, and per-plugin error isolation. Routes use `load: () => import("./Page").then((m) => ({ default: m.Page }))` instead of `element: <Page />` (`element` is still accepted for the rare page that must paint without a chunk fetch; provide exactly one). Slot extensions accept either an eager `component` or a lazy `load`; new `getLazyContribution` + `ExtensionComponent` exports from `@checkstack/frontend-api` render either kind. This also fixes runtime-installed plugins: `ExtensionSlot` subscribes to the plugin registry, and the API registry rebuilds when the plugin set changes (`getPlugins()` returns an immutable snapshot via `useSyncExternalStore`). A per-plugin error boundary contains a bad contribution.
+  - On-demand Monaco: the `@checkstack/ui` barrel no longer pulls the `@codingame/*` / `monaco-languageclient` stack into the initial load. `CodeEditor` lazy-loads its Monaco-backed editor behind `React.lazy` + Suspense, `validateTypeScriptSources` imports the editor API via in-body `await import(...)`, and the "vscode services ready" signal moved to a Monaco-free module. The ~10 MB editor body loads only when a `CodeEditor` mounts. A `react-vendor` `manualChunks` split was added for stable vendor caching.
+  - lucide-react 1.x + lighter icons/charts (BREAKING for icon consumers): lucide-react unified from three drifting ranges to `^1.17.0`. lucide v1 removed brand icons, so the GitHub/GitLab marks are vendored in `@checkstack/ui` (`GithubIcon`, `GitlabIcon`, `brandIcons`); a new `IconName` type (`LucideIconName | BrandIconName`) in `@checkstack/common` is canonical, accepted by `AuthStrategy.icon` and the card components, so data-driven brand names keep working. `DynamicIcon` no longer eagerly imports lucide's ~1600-icon map (~1 MB) - it lives in a `React.lazy` `iconRegistry` chunk fetched on first data-driven render, while statically named-imported icons tree-shake normally. The recharts-backed health-check charts (~300 KB) and the `HealthCheckSystemOverview` drawer leave the initial load.
+
+  BREAKING CHANGES:
+
+  - Frontend plugin contract: routes/slot contributions are lazy-by-default (`load` instead of `element`/eager elements) as described above.
+  - Any external consumer importing a brand icon from `lucide-react` (e.g. `import { Github } from "lucide-react"`) must switch to the vendored `@checkstack/ui` brand icons or a custom SVG.
+
+  This is a beta minor.
+
+- 9dcc848: Add scheduled vulnerability auditing for Script Packages.
+
+  A daily recurring job runs `bun audit --json` against the installed script-packages tree, persists advisories to new plugin-owned Postgres tables (`script_package_audit_advisory` keyed by lockfile hash + advisory id, plus a `script_package_audit_state` singleton last-run summary), and notifies every holder of `script-packages.manage` when a new or severity-escalated advisory appears. All severities are recorded; notifications fire on medium/high/critical, with a stable per-advisory key + a durable `notified` flag suppressing repeat-notify on an unchanged set. The pass is single-flight across the cluster via the existing installer advisory lock (mutually exclusive with installs, storage migrations, and blob GC) and reuses the installer's scratch / `.npmrc` / registry setup, reporting purely from the lockfile. New `getAuditState` and `auditNow` RPCs (gated by `script-packages.manage`), a `SCRIPT_PACKAGES_AUDIT_COMPLETED` signal, and a "Vulnerability audit" section in the settings page with an "Audit now" button that live-refreshes on completion.
+
+  State and scale: audit results are the cluster-wide source of truth in Postgres (not the pod-local node_modules tree), so any pod returns the same advisories regardless of which pod ran the audit.
+
+  This is a beta minor.
+
+- 9dcc848: Layered OS-level script sandbox, secure and fail-closed by default (epic #247).
+
+  Script and shell health checks and the `run_shell` / `run_script` automation actions now run inside a layered OS-level sandbox by default. The sandbox lives in `core/backend-api/src/script-sandbox/` (the single source of truth) and is enforced inside the shared runners, so it applies wherever a job runs.
+
+  Layers:
+
+  - Resource caps (CPU / memory / PID / FD / file-size, via `prlimit` on capable Linux; ESM JS-heap cap via `--max-old-space-size`; portable wall-clock timeout) and an OOM-safe streaming output cap.
+  - Privilege drop via a NON-ROOT supervisor model: the shipped images run the supervisor as non-root uid `65532`, so every sandboxed script inherits non-root and can never be host-root; filesystem + network confinement is delivered by ROOTLESS `bwrap`/`nsjail` via unprivileged user namespaces. `enforced.privilege` is truthful (true only when the child cannot run as host-root). Runners no longer pass `uid`/`gid` to `Bun.spawn` (a silent no-op and a forward-compat hazard).
+  - Filesystem isolation (`scratch-only` / `scratch-plus-ro`) confining the child to its per-run scratch dir over a read-only base; the interpreter path is RO-bound so the runtime execs, and `TMPDIR` is pinned to the in-namespace tmpfs.
+  - Network egress control: `deny` (routeless loopback-only netns), `allowlist` (real plumbed egress via macvlan OR rootless slirp4netns + an in-kernel nftables filter), and an always-on metadata / link-local block (`169.254.0.0/16`, `fe80::/10`, `fc00::/7`). No-blackhole invariant: `enforced.network` is never true when egress is actually severed or unfiltered; unpluggable egress degrades to surfaced host net.
+  - Per-run fork-bomb containment via RLIMIT*NPROC inside the fresh per-run user+PID namespace; a centralized forbidden-env denylist (`LD_PRELOAD`, `LD_LIBRARY_PATH`, `DYLD*_`, `NODE*OPTIONS`, `BUN*_`, caller `PATH` overrides).
+  - A validated tuned seccomp profile (`deploy/seccomp/checkstack-userns.json`) and a live `clone(CLONE_NEWUSER|CLONE_NEWNET)` capability probe (not the static sysctl), shipped by default in both Dockerfiles, `docker-compose.yml`, and `deploy/k8s/checkstack-sandbox.yaml`.
+
+  Global policy and operator surface:
+
+  - The global sandbox policy lives in ONE durable row owned by `script-packages` (its `ConfigService` row in shared `plugin_configs`). A single process-wide provider serves every runner; the two script plugins no longer register competing providers. A dedicated admin-only `script-sandbox.manage` permission gates both reading and writing the policy. New `getSandboxPolicy` / `setSandboxPolicy` endpoints and a Settings -> Script Sandbox admin UI (`enabled`, `onUnavailable`, network/filesystem/privilege modes, allow list, metadata block, resource caps). The startup capability/readiness log is emitted in-process by `script-packages-backend` (no fragile init-order RPC self-loop), and on a host that cannot enforce a layer a one-time startup warning explains the two local-dev paths (Docker, or set the global policy to `degrade`).
+  - Satellite relay: the WS protocol carries the resolved policy in the `authenticated` message and a `sandbox_policy` push-on-change; a satellite caches the last relayed policy and resolves every run through it.
+
+  BREAKING CHANGES (platform in BETA, shipped as minor):
+
+  - Scripts run sandboxed by default. The shipped global default is FAIL-CLOSED (`onUnavailable: "fail"`): when a requested layer cannot be enforced the run is REFUSED (clean `exitCode: -1`, never an unsandboxed spawn) rather than silently degrading. Deployments on hosts that cannot enforce a layer (no bubblewrap, user namespaces blocked, no `/proc` unmask) must run the official images with the documented runtime flags (the bundled seccomp profile + `systempaths=unconfined`, or k8s `procMount: Unmasked`), or set the global policy to `degrade`. On macOS / restricted containers the strong layers degrade to the portable subset and are surfaced per run.
+  - Default network posture is deny-egress (`allowlist` with an empty allow list, which resolves to the routeless `deny` path). Scripts calling external endpoints fail until those destinations are allowlisted in the global default. The always-on metadata / link-local block applies even under looser modes.
+  - The per-action / per-check `sandbox` config override and the transport `ScriptRequest.sandbox` field are removed; policy is global-only, so an automation/check author can no longer weaken the sandbox on their own item. Stored configs carrying a stray `sandbox` key are tolerated (stripped on parse).
+  - The shared runners' `run()` no longer accepts a `sandbox` option; callers rely on the global policy provider.
+  - A satellite fails closed (most restrictive profile) until it receives the first relayed policy; a relay-read failure or an older core keeps it fail-closed. A relay failure can never loosen a satellite's sandbox.
+
+  State and scale: the global policy is a single durable Postgres row read identically on every pod. Capability detection is per-process, deterministic from the host kernel, and surfaced per run via the `EffectiveSandbox` report (a Linux pod and a macOS satellite may legitimately differ). `CHECKSTACK_SANDBOX_UID/GID` and macvlan addressing are genuinely per-host infrastructure, surfaced per run, not the queryable policy. The satellite's policy cache is satellite-local transport state. No new pod-local current-state.
+
+  This is a beta minor.
+
+- 9dcc848: Add the auto-generated, version-pinned `@checkstack/sdk` package + codegen, and serve its types live to the in-app editor.
+
+  - A new committed workspace package `@checkstack/sdk`, generated from the platform's source of truth by `scripts/generate-sdk.ts` (`generate:sdk` / `generate:sdk:check`): a fully-typed oRPC client (`createCheckstackClient`) over the REST surface with one `InferClient` per plugin contract, real script-authoring helpers (`@checkstack/sdk/healthcheck`, `@checkstack/sdk/integration`) whose runtime body is the same identity function the in-app runner injects, per-subpath `.d.ts` under the package `exports` map, and an editor-only ambient bundle. A `generate:sdk:check` CI guard fails when the committed SDK files drift from a fresh generation. The `@checkstack/sdk` version is stamped from `@checkstack/release` and MUST NOT appear in a changeset (a guard enforces this); the `@checkstack/release` bump here advances the release version so the generated SDK can be published later. The generated client also normalizes its base URL without a backtracking-prone regex, closing a CodeQL `js/polynomial-redos` finding.
+  - Live editor type injection: a new version-keyed route `GET /api/script-packages/sdk-types/:releaseVersion` (raw handler in `@checkstack/script-packages-backend`) serves the generated SDK editor bundle with `Cache-Control: private, max-age=1y, immutable`; the pure path-build/parse module lives in `@checkstack/script-packages-common`, shared by backend and frontend. A mismatched version returns `409` so the editor refetches and never serves stale types after an upgrade. The frontend `useSdkTypeInjection` hook fetches the bundle once per session and mounts it into Monaco via `addExtraLib`. Schema-narrowed `context.config` / `context.event.payload` editor types stay local; the package-resolving module declarations come from the one published `@checkstack/sdk` source.
+
+  BREAKING CHANGES: the script-authoring import surface moves from the bare `@checkstack/healthcheck` / `@checkstack/integration` virtual modules to the `@checkstack/sdk/healthcheck` / `@checkstack/sdk/integration` subpaths of the published `@checkstack/sdk` package. The old bare-name imports no longer resolve (an old import now errors in the editor, surfacing the migration). Existing scripts must update the module specifier:
+
+      - import { defineHealthCheck } from "@checkstack/healthcheck";
+      + import { defineHealthCheck } from "@checkstack/sdk/healthcheck";
+
+      - import { defineIntegration } from "@checkstack/integration";
+      + import { defineIntegration } from "@checkstack/sdk/integration";
+
+  The helper names and their runtime behaviour are unchanged - only the module specifier moves. The global (no-import) helper form continues to work unchanged.
+
+  This is a beta minor.
+
+- 9dcc848: Align workspace dependency versions and migrate React Router to v7.
+
+  BREAKING CHANGES (React Router v7): All frontend packages now depend on `react-router-dom@^7.16.0`. Previously the workspace declared four divergent ranges (`^6.20.0`, `^6.22.0`, `^7.1.1`, `^7.14.2`), which resolved both `react-router@6` and `react-router@7` into a single bundle. Everything is now unified on v7. The public imports the app uses (`BrowserRouter`, `Routes`, `Route`, `Link`, `NavLink`, `MemoryRouter`, `useNavigate`, `useParams`, `useSearchParams`, `useLocation`) are unchanged between v6 and v7, so no source rewrites were required - but any out-of-tree plugin still on react-router v6 should upgrade to v7 (see the React Router v6 -> v7 upgrade guide) to share the host's single router instance via the import map.
+
+  Other unified ranges (no API change): `react` -> `^18.3.1`, the `@orpc/*` family (`contract`, `server`, `client`, `tanstack-query`, `openapi`, `zod`) -> `^1.14.4`, and `better-auth` -> `^1.6.13`.
+
+  Removed the pre-rename `@orpc/react-query` leftover from `@checkstack/frontend-api`; its `createRouterUtils` / `RouterUtils` / `ProcedureUtils` now come from `@orpc/tanstack-query` (the package already in use).
+
+  Stale in-range runtime deps pulled up to current published versions: `hono` `^4.12.23`, `@tanstack/react-query` (+devtools) `^5.100.14`, `date-fns` `^4.4.0`, `jose` `^6.2.3`, `tar` `^7.5.16`, `semver` `^7.8.1`, `@xyflow/react` `^12.11.0`.
+
+### Patch Changes
+
+- 9dcc848: Move primary navigation into a left sidebar, and serve the user guide in-app.
+
+  Feature navigation (a ~20-item user-menu dropdown) now lives in a persistent left sidebar (a slide-over drawer on mobile), grouped by section with the active route highlighted; the user menu keeps only account actions. A route opts into the sidebar with new `nav` metadata (`{ group, icon, label?, order?, accessRule? }`) on its registration, co-located with path + access + title. The sidebar filters entries with the same access check as page guards. `@checkstack/common` gains `isAccessRuleSatisfied` and a centralized set of in-app doc slugs (`APP_DOC_SLUGS` + `docsPath`, with a test asserting each resolves to a real docs page); `@checkstack/auth-frontend` exports `useAccessRules`.
+
+  The backend now serves the Astro Starlight docs build same-origin at `/checkstack/*` (the same artifact deployed to GitHub Pages), so the user guide is available inside the app including for self-hosted / air-gapped installs (served verbatim, no rebuild, no link rewriting; from `CHECKSTACK_DOCS_DIST`, before the SPA catch-all, degrading gracefully when absent; the Docker image builds and ships `docs/dist`; Vite proxies `/checkstack` in dev). The "Docs" link is a shell-owned external sidebar entry under the Documentation group (book icon), opening `/checkstack/user-guide/` in a new tab; the group renders even when no plugin route contributes to it.
+
+  BREAKING (plugin authors): `UserMenuItemsSlot` is no longer the way to add navigation - registering a top user-menu item no longer surfaces it anywhere. Add `nav` to the page's route instead. `UserMenuItemsBottomSlot` (account items) is unchanged. All bundled plugins have been migrated.
+
+  This is a beta minor.
+
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+- Updated dependencies [9dcc848]
+  - @checkstack/ui@1.13.0
+  - @checkstack/common@0.13.0
+  - @checkstack/script-packages-common@0.3.0
+  - @checkstack/frontend-api@0.7.0
+  - @checkstack/signal-frontend@0.2.0
+  - @checkstack/sdk@0.93.1
+
 ## 0.2.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/script-packages-frontend",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "./dist/index.js",
@@ -24,11 +24,13 @@
   "dependencies": {
     "@checkstack/common": "0.12.0",
     "@checkstack/frontend-api": "0.6.0",
-    "@checkstack/script-packages-common": "0.1.0",
-    "@checkstack/ui": "1.11.0",
-    "lucide-react": "0.562.0",
+    "@checkstack/sdk": "0.93.0",
+    "@checkstack/script-packages-common": "0.2.0",
+    "@checkstack/signal-frontend": "0.1.5",
+    "@checkstack/ui": "1.12.0",
+    "lucide-react": "^1.17.0",
     "react": "^18.3.1",
-    "react-router-dom": "^6.20.0"
+    "react-router-dom": "^7.16.0"
   },
   "devDependencies": {
     "@types/react": "^18.3.18",

package/src/index.tsx

@@ -1,22 +1,21 @@
-import {
-  createFrontendPlugin,
-  createSlotExtension,
-  UserMenuItemsSlot,
-} from "@checkstack/frontend-api";
+import { createFrontendPlugin } from "@checkstack/frontend-api";
 import {
   scriptPackagesRoutes,
   scriptPackagesAccess,
+  scriptSandboxAccess,
   pluginMetadata,
 } from "@checkstack/script-packages-common";
-import { ScriptPackagesSettingsPage } from "./pages/ScriptPackagesSettingsPage";
-import { ScriptPackagesMenuItems } from "./components/ScriptPackagesMenuItems";
+import { Package, ShieldCheck } from "lucide-react";
 
 /**
  * Frontend plugin for script-package management.
  *
- * Route: `/script-packages/` -> the admin settings page (allowlist,
- * registry/storage summary, install state + size, satellite sync). Gated
- * on `script-packages.manage`.
+ * Routes:
+ *  - `/script-packages/` -> the admin settings page (allowlist,
+ *    registry/storage summary, install state + size, satellite sync). Gated
+ *    on `script-packages.manage`.
+ *  - `/script-packages/sandbox` -> the global script-sandbox policy editor,
+ *    gated on the dedicated admin `script-sandbox.manage` permission.
  *
  * The `useScriptPackageTypeAcquisition()` hook (exported below) gives editor
  * pages a lazy ATA resolver + install reset-key to pass to `DynamicForm`'s
@@ -28,18 +27,34 @@ export default createFrontendPlugin({
   routes: [
     {
       route: scriptPackagesRoutes.routes.settings,
-      element: <ScriptPackagesSettingsPage />,
+      load: () =>
+        import("./pages/ScriptPackagesSettingsPage").then((m) => ({
+          default: m.ScriptPackagesSettingsPage,
+        })),
       title: "Script packages",
       accessRule: scriptPackagesAccess.manage,
+      nav: {
+        group: "Configuration",
+        icon: Package,
+        label: "Script Packages",
+      },
+    },
+    {
+      route: scriptPackagesRoutes.routes.sandbox,
+      load: () =>
+        import("./pages/SandboxSettingsPage").then((m) => ({
+          default: m.SandboxSettingsPage,
+        })),
+      title: "Script sandbox",
+      accessRule: scriptSandboxAccess.manage,
+      nav: {
+        group: "Configuration",
+        icon: ShieldCheck,
+        label: "Script Sandbox",
+      },
     },
-  ],
-  extensions: [
-    createSlotExtension(UserMenuItemsSlot, {
-      id: "script-packages.user-menu.items",
-      component: ScriptPackagesMenuItems,
-      metadata: { group: "Configuration" },
-    }),
   ],
 });
 
 export { useScriptPackageTypeAcquisition } from "./useScriptPackageTypeAcquisition";
+export { useSdkTypeInjection } from "./useSdkTypeInjection";

package/src/pages/SandboxSettingsPage.tsx

@@ -0,0 +1,393 @@
+import React from "react";
+import { ShieldCheck } from "lucide-react";
+import {
+  usePluginClient,
+  accessApiRef,
+  useApi,
+  wrapInSuspense,
+} from "@checkstack/frontend-api";
+import {
+  ScriptPackagesApi,
+  scriptSandboxAccess,
+} from "@checkstack/script-packages-common";
+import {
+  PageLayout,
+  Card,
+  CardHeader,
+  CardTitle,
+  CardContent,
+  Button,
+  Input,
+  Label,
+  Textarea,
+  Toggle,
+  Alert,
+  AlertTitle,
+  AlertDescription,
+  AccessDenied,
+  LoadingSpinner,
+  Select,
+  SelectTrigger,
+  SelectValue,
+  SelectContent,
+  SelectItem,
+  useInitOnceForKey,
+} from "@checkstack/ui";
+import { extractErrorMessage } from "@checkstack/common";
+import {
+  policyToForm,
+  formToPolicyInput,
+  validateForm,
+  DEFAULT_SANDBOX_FORM,
+  type SandboxFormState,
+} from "./sandbox-settings.logic";
+
+// Fail-closed seed default for a fresh global policy: the editor opens on the
+// secure default (`onUnavailable: "fail"`) until the loader query resolves the
+// durable policy and re-seeds the form. The backend resolves the SAME secure
+// default for an empty settings table, so on a fresh install there is no flash.
+const SEED_FORM = DEFAULT_SANDBOX_FORM;
+
+const SettingsContent: React.FC = () => {
+  const client = usePluginClient(ScriptPackagesApi);
+  const accessApi = useApi(accessApiRef);
+  const { allowed, loading: accessLoading } = accessApi.useAccess(
+    scriptSandboxAccess.manage,
+  );
+
+  // gcTime: 0 so stale-while-revalidate never races the one-shot init below.
+  const policyQuery = client.getSandboxPolicy.useQuery(undefined, {
+    gcTime: 0,
+  });
+  const setMutation = client.setSandboxPolicy.useMutation();
+
+  const [form, setForm] = React.useState<SandboxFormState>(SEED_FORM);
+  const [error, setError] = React.useState<string | null>(null);
+  const [saved, setSaved] = React.useState(false);
+
+  // Seed the editable form once per persisted version. The mutation invalidates
+  // the query on success → a fresh object identity re-seeds the form.
+  useInitOnceForKey(
+    policyQuery.data,
+    policyQuery.dataUpdatedAt,
+    (policy) => {
+      setForm(policyToForm(policy));
+    },
+  );
+
+  if (accessLoading) return <LoadingSpinner />;
+  if (!allowed) {
+    return (
+      <PageLayout title="Script sandbox" icon={ShieldCheck}>
+        <AccessDenied />
+      </PageLayout>
+    );
+  }
+
+  // Wait for the durable policy before showing the editor so a stored custom
+  // policy never flashes the fail-closed SEED_FORM. `form` itself is never null
+  // (it opens on the secure SEED_FORM and is re-seeded once the query resolves).
+  if (policyQuery.isLoading) return <LoadingSpinner />;
+
+  const patch = (next: Partial<SandboxFormState>) => {
+    setSaved(false);
+    setForm((cur) => ({ ...cur, ...next }));
+  };
+
+  const validationError = validateForm(form);
+
+  const handleSave = async () => {
+    setError(null);
+    setSaved(false);
+    const problem = validateForm(form);
+    if (problem) {
+      setError(problem);
+      return;
+    }
+    try {
+      await setMutation.mutateAsync(formToPolicyInput(form));
+      setSaved(true);
+    } catch (error_) {
+      setError(extractErrorMessage(error_));
+    }
+  };
+
+  return (
+    <PageLayout title="Script sandbox" icon={ShieldCheck}>
+      <div className="space-y-6">
+        {error && (
+          <Alert variant="error">
+            <AlertTitle>Something went wrong</AlertTitle>
+            <AlertDescription>{error}</AlertDescription>
+          </Alert>
+        )}
+        {saved && (
+          <Alert variant="success">
+            <AlertTitle>Saved</AlertTitle>
+            <AlertDescription>
+              The global script-sandbox policy was updated. It applies to every
+              script run cluster-wide, and connected satellites receive it
+              immediately.
+            </AlertDescription>
+          </Alert>
+        )}
+
+        <Card>
+          <CardHeader>
+            <CardTitle className="text-base">Global policy</CardTitle>
+          </CardHeader>
+          <CardContent className="space-y-4 text-sm">
+            <p className="text-xs text-muted-foreground">
+              This single policy hardens every user-authored script and shell
+              run (health checks and automation actions) across all pods and
+              satellites. It is secure by default: egress is denied until you
+              add allow-list entries.
+            </p>
+            <div className="flex items-center gap-2">
+              <Toggle
+                checked={form.enabled}
+                onCheckedChange={(enabled) => patch({ enabled })}
+                aria-label="Sandbox enabled"
+              />
+              <span className="text-muted-foreground">
+                Sandbox enabled (turn off to run scripts unsandboxed - not
+                recommended)
+              </span>
+            </div>
+            <div className="w-64">
+              <Label htmlFor="on-unavailable">
+                When a layer can&apos;t be enforced
+              </Label>
+              <Select
+                value={form.onUnavailable}
+                onValueChange={(v) =>
+                  patch({ onUnavailable: v as SandboxFormState["onUnavailable"] })
+                }
+              >
+                <SelectTrigger id="on-unavailable">
+                  <SelectValue />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectItem value="degrade">
+                    Degrade (drop to portable subset, surface it)
+                  </SelectItem>
+                  <SelectItem value="fail">
+                    Fail (refuse to run the script)
+                  </SelectItem>
+                </SelectContent>
+              </Select>
+              <p className="mt-1 text-xs text-muted-foreground">
+                Fail is the secure default: a script never runs with a layer
+                missing. Choose Degrade only for hosts that cannot enforce a
+                layer (then runs proceed under the portable subset, with the gap
+                surfaced per run).
+              </p>
+            </div>
+          </CardContent>
+        </Card>
+
+        <Card>
+          <CardHeader>
+            <CardTitle className="text-base">Network egress</CardTitle>
+          </CardHeader>
+          <CardContent className="space-y-4 text-sm">
+            <div className="w-64">
+              <Label htmlFor="network-mode">Mode</Label>
+              <Select
+                value={form.networkMode}
+                onValueChange={(v) =>
+                  patch({ networkMode: v as SandboxFormState["networkMode"] })
+                }
+              >
+                <SelectTrigger id="network-mode">
+                  <SelectValue />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectItem value="deny">Deny (no egress)</SelectItem>
+                  <SelectItem value="allowlist">
+                    Allowlist (only listed destinations)
+                  </SelectItem>
+                  <SelectItem value="unrestricted">Unrestricted</SelectItem>
+                </SelectContent>
+              </Select>
+            </div>
+            {form.networkMode === "allowlist" && (
+              <div>
+                <Label htmlFor="allow-list">
+                  Allowed destinations (one IP / CIDR per line)
+                </Label>
+                <Textarea
+                  id="allow-list"
+                  value={form.allowText}
+                  onChange={(e) => patch({ allowText: e.target.value })}
+                  placeholder={"203.0.113.0/24\n10.0.0.5"}
+                  className="font-mono min-h-24"
+                />
+              </div>
+            )}
+            <div className="flex items-center gap-2">
+              <Toggle
+                checked={form.denyLinkLocalAndMetadata}
+                onCheckedChange={(denyLinkLocalAndMetadata) =>
+                  patch({ denyLinkLocalAndMetadata })
+                }
+                aria-label="Block link-local and metadata IPs"
+              />
+              <span className="text-muted-foreground">
+                Always block link-local (169.254/16, fc00::/7) and cloud
+                metadata IPs
+              </span>
+            </div>
+          </CardContent>
+        </Card>
+
+        <Card>
+          <CardHeader>
+            <CardTitle className="text-base">Filesystem &amp; privilege</CardTitle>
+          </CardHeader>
+          <CardContent className="space-y-4 text-sm">
+            <div className="w-72">
+              <Label htmlFor="fs-mode">Filesystem confinement</Label>
+              <Select
+                value={form.filesystemMode}
+                onValueChange={(v) =>
+                  patch({
+                    filesystemMode: v as SandboxFormState["filesystemMode"],
+                  })
+                }
+              >
+                <SelectTrigger id="fs-mode">
+                  <SelectValue />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectItem value="off">Off (full host filesystem)</SelectItem>
+                  <SelectItem value="scratch-only">
+                    Scratch only (per-run dir + minimal read-only base)
+                  </SelectItem>
+                  <SelectItem value="scratch-plus-ro">
+                    Scratch + read-only managed packages
+                  </SelectItem>
+                </SelectContent>
+              </Select>
+            </div>
+            <div className="w-72">
+              <Label htmlFor="priv-mode">Privilege</Label>
+              <Select
+                value={form.privilegeMode}
+                onValueChange={(v) =>
+                  patch({
+                    privilegeMode: v as SandboxFormState["privilegeMode"],
+                  })
+                }
+              >
+                <SelectTrigger id="priv-mode">
+                  <SelectValue />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectItem value="inherit">
+                    Inherit (run as host process UID)
+                  </SelectItem>
+                  <SelectItem value="drop-to-uid">
+                    Drop to dedicated low-privilege UID/GID
+                  </SelectItem>
+                </SelectContent>
+              </Select>
+            </div>
+          </CardContent>
+        </Card>
+
+        <Card>
+          <CardHeader>
+            <CardTitle className="text-base">Resource caps</CardTitle>
+          </CardHeader>
+          <CardContent className="space-y-3 text-sm">
+            <p className="text-xs text-muted-foreground">
+              Leave a field blank to not cap that dimension. Memory / output /
+              file-size are in MB.
+            </p>
+            <div className="grid grid-cols-2 gap-3 sm:grid-cols-3">
+              <div>
+                <Label htmlFor="cpu">CPU seconds</Label>
+                <Input
+                  id="cpu"
+                  type="number"
+                  min={1}
+                  value={form.cpuSeconds}
+                  onChange={(e) => patch({ cpuSeconds: e.target.value })}
+                />
+              </div>
+              <div>
+                <Label htmlFor="mem">Memory (MB)</Label>
+                <Input
+                  id="mem"
+                  type="number"
+                  min={1}
+                  value={form.memoryMb}
+                  onChange={(e) => patch({ memoryMb: e.target.value })}
+                />
+              </div>
+              <div>
+                <Label htmlFor="nofile">Max open files</Label>
+                <Input
+                  id="nofile"
+                  type="number"
+                  min={1}
+                  value={form.maxOpenFiles}
+                  onChange={(e) => patch({ maxOpenFiles: e.target.value })}
+                />
+              </div>
+              <div>
+                <Label htmlFor="nproc">Max processes</Label>
+                <Input
+                  id="nproc"
+                  type="number"
+                  min={1}
+                  value={form.maxProcesses}
+                  onChange={(e) => patch({ maxProcesses: e.target.value })}
+                />
+              </div>
+              <div>
+                <Label htmlFor="out">Max output (MB)</Label>
+                <Input
+                  id="out"
+                  type="number"
+                  min={1}
+                  value={form.maxOutputMb}
+                  onChange={(e) => patch({ maxOutputMb: e.target.value })}
+                />
+              </div>
+              <div>
+                <Label htmlFor="fsize">Max file size (MB)</Label>
+                <Input
+                  id="fsize"
+                  type="number"
+                  min={1}
+                  value={form.maxFileSizeMb}
+                  onChange={(e) => patch({ maxFileSizeMb: e.target.value })}
+                />
+              </div>
+            </div>
+          </CardContent>
+        </Card>
+
+        {validationError && (
+          <p className="text-xs text-destructive">{validationError}</p>
+        )}
+        <Button
+          type="button"
+          onClick={handleSave}
+          disabled={setMutation.isPending || validationError !== null}
+        >
+          {setMutation.isPending ? "Saving…" : "Save policy"}
+        </Button>
+      </div>
+    </PageLayout>
+  );
+};
+
+/**
+ * Admin Settings -> Script Sandbox page. Edits the single, cluster-wide global
+ * script-sandbox policy. Gated by the dedicated `script-sandbox.manage`
+ * permission (distinct from `script-packages.manage`).
+ */
+export const SandboxSettingsPage = wrapInSuspense(SettingsContent);

package/src/pages/ScriptPackagesSettingsPage.tsx

@@ -1,15 +1,26 @@
 import React from "react";
-import { Package, Trash2, Download, RefreshCw, Recycle } from "lucide-react";
+import {
+  Package,
+  Trash2,
+  Download,
+  RefreshCw,
+  Recycle,
+  ShieldCheck,
+  ShieldAlert,
+} from "lucide-react";
 import {
   usePluginClient,
   accessApiRef,
   useApi,
   wrapInSuspense,
 } from "@checkstack/frontend-api";
+import { useSignal } from "@checkstack/signal-frontend";
 import {
   ScriptPackagesApi,
   scriptPackagesAccess,
   PackageVersionSchema,
+  SCRIPT_PACKAGES_AUDIT_COMPLETED_SIGNAL,
+  type AuditSeverity,
 } from "@checkstack/script-packages-common";
 import { PackageNameCombobox } from "../components/PackageNameCombobox";
 import { PackageVersionCombobox } from "../components/PackageVersionCombobox";
@@ -58,6 +69,15 @@ function mbToBytes(value: number): number {
   return Math.round(value * 1024 * 1024);
 }
 
+/** Badge variant for an advisory severity. */
+function severityVariant(
+  severity: AuditSeverity,
+): "destructive" | "secondary" {
+  return severity === "critical" || severity === "high"
+    ? "destructive"
+    : "secondary";
+}
+
 const SettingsContent: React.FC = () => {
   const client = usePluginClient(ScriptPackagesApi);
   const accessApi = useApi(accessApiRef);
@@ -85,6 +105,13 @@ const SettingsContent: React.FC = () => {
   const backendsQuery = client.listStorageBackends.useQuery();
   const satellitesQuery = client.listSatelliteSyncState.useQuery();
   const blobGcQuery = client.getBlobGcState.useQuery();
+  const auditQuery = client.getAuditState.useQuery();
+
+  // Live-refresh the audit findings when a scheduled or on-demand pass
+  // completes (the runner broadcasts on completion).
+  useSignal(SCRIPT_PACKAGES_AUDIT_COMPLETED_SIGNAL, () => {
+    void auditQuery.refetch();
+  });
 
   const addMutation = client.addPackage.useMutation();
   const removeMutation = client.removePackage.useMutation();
@@ -95,6 +122,7 @@ const SettingsContent: React.FC = () => {
   const setRegistryMutation = client.setRegistryConfig.useMutation();
   const setSizeCapMutation = client.setSizeCapConfig.useMutation();
   const setStorageBackendMutation = client.setStorageBackend.useMutation();
+  const auditMutation = client.auditNow.useMutation();
 
   const { isLowPower } = usePerformance();
   const [name, setName] = React.useState("");
@@ -198,6 +226,16 @@ const SettingsContent: React.FC = () => {
     }
   };
 
+  const handleAudit = async () => {
+    setError(null);
+    try {
+      const res = await auditMutation.mutateAsync({});
+      if (!res.ran && res.reason) setError(res.reason);
+    } catch (error_) {
+      setError(extractErrorMessage(error_));
+    }
+  };
+
   const handleSaveRegistry = async () => {
     setError(null);
     try {
@@ -278,6 +316,9 @@ const SettingsContent: React.FC = () => {
       : false;
 
   const blobGc = blobGcQuery.data;
+  const audit = auditQuery.data;
+  const auditAdvisories = audit?.advisories ?? [];
+  const auditState = audit?.state;
   const availableBackends = backendsQuery.data?.backends ?? [];
   const migrating = storage?.migrationStatus === "migrating";
   const migrationTargets = availableBackends.filter(
@@ -331,6 +372,122 @@ const SettingsContent: React.FC = () => {
         </CardContent>
       </Card>
 
+      {/* Vulnerability audit */}
+      <Card>
+        <CardHeader className="flex flex-row items-center justify-between">
+          <CardTitle className="text-base flex items-center gap-2">
+            {auditAdvisories.length > 0 ? (
+              <ShieldAlert className="h-4 w-4 text-destructive" />
+            ) : (
+              <ShieldCheck className="h-4 w-4 text-emerald-600" />
+            )}
+            Vulnerability audit
+            {auditAdvisories.length > 0 && (
+              <Badge variant="destructive">{auditAdvisories.length}</Badge>
+            )}
+          </CardTitle>
+          <Button
+            type="button"
+            size="sm"
+            variant="outline"
+            onClick={handleAudit}
+            disabled={auditMutation.isPending || migrating}
+          >
+            <RefreshCw
+              className={cn(
+                "h-4 w-4",
+                auditMutation.isPending && !isLowPower && "animate-spin",
+              )}
+            />
+            {auditMutation.isPending ? "Auditing…" : "Audit now"}
+          </Button>
+        </CardHeader>
+        <CardContent className="space-y-3 text-sm">
+          <p className="text-xs text-muted-foreground">
+            Runs <code>bun audit</code> against the installed package tree once
+            a day and notifies managers when a new vulnerability appears.
+            Findings below cover every severity.
+          </p>
+          <div className="flex flex-wrap items-center gap-2">
+            <span className="text-muted-foreground">Last run:</span>
+            <Badge variant="secondary">
+              {auditState?.lastRunAt
+                ? new Date(auditState.lastRunAt).toLocaleString()
+                : "never"}
+            </Badge>
+            {auditState && auditState.total > 0 && (
+              <>
+                {auditState.counts.critical > 0 && (
+                  <Badge variant="destructive">
+                    {auditState.counts.critical} critical
+                  </Badge>
+                )}
+                {auditState.counts.high > 0 && (
+                  <Badge variant="destructive">
+                    {auditState.counts.high} high
+                  </Badge>
+                )}
+                {auditState.counts.moderate > 0 && (
+                  <Badge variant="secondary">
+                    {auditState.counts.moderate} moderate
+                  </Badge>
+                )}
+                {auditState.counts.low > 0 && (
+                  <Badge variant="secondary">
+                    {auditState.counts.low} low
+                  </Badge>
+                )}
+              </>
+            )}
+          </div>
+          {auditState?.errorMessage && (
+            <p className="text-destructive text-xs">
+              Last audit failed: {auditState.errorMessage}
+            </p>
+          )}
+          {auditAdvisories.length === 0 ? (
+            <p className="text-sm text-muted-foreground italic">
+              No known vulnerabilities in the installed tree.
+            </p>
+          ) : (
+            <ul className="divide-y divide-border rounded-md border border-border">
+              {auditAdvisories.map((a) => (
+                <li
+                  key={`${a.packageName} ${a.advisoryId}`}
+                  className="flex items-center justify-between gap-3 px-3 py-2"
+                >
+                  <span className="flex flex-col gap-0.5 min-w-0">
+                    <span className="font-mono text-sm truncate">
+                      {a.packageName}{" "}
+                      <span className="text-muted-foreground">
+                        {a.vulnerableVersions}
+                      </span>
+                    </span>
+                    <span className="text-xs text-muted-foreground truncate">
+                      {a.url ? (
+                        <a
+                          href={a.url}
+                          target="_blank"
+                          rel="noreferrer"
+                          className="hover:underline"
+                        >
+                          {a.title || a.advisoryId}
+                        </a>
+                      ) : (
+                        (a.title || a.advisoryId)
+                      )}
+                    </span>
+                  </span>
+                  <Badge variant={severityVariant(a.severity)}>
+                    {a.severity}
+                  </Badge>
+                </li>
+              ))}
+            </ul>
+          )}
+        </CardContent>
+      </Card>
+
       {/* Allowlist */}
       <Card>
         <CardHeader>

package/src/pages/sandbox-settings.logic.test.ts

@@ -0,0 +1,120 @@
+import { describe, expect, it } from "bun:test";
+import { sandboxPolicySchema } from "@checkstack/common";
+import {
+  policyToForm,
+  formToPolicyInput,
+  parseAllowList,
+  validateForm,
+  DEFAULT_SANDBOX_FORM,
+  type SandboxFormState,
+} from "./sandbox-settings.logic";
+
+const SAFE_DEFAULT = sandboxPolicySchema.parse({
+  enabled: true,
+  onUnavailable: "degrade",
+  resources: {
+    cpuSeconds: 60,
+    memoryBytes: 512 * 1024 * 1024,
+    maxOpenFiles: 1024,
+    maxProcesses: 256,
+    maxOutputBytes: 5 * 1024 * 1024,
+    maxFileSizeBytes: 256 * 1024 * 1024,
+  },
+  filesystem: { mode: "scratch-plus-ro" },
+  network: { mode: "allowlist", allow: [], denyLinkLocalAndMetadata: true },
+  privilege: { mode: "drop-to-uid" },
+});
+
+describe("DEFAULT_SANDBOX_FORM (UI seed default)", () => {
+  it("is FAIL-CLOSED by default (onUnavailable=fail, never silent degrade)", () => {
+    // The editor opens on this seed for a fresh global policy; it must default
+    // to refusing the run when a layer can't be enforced, matching the shipped
+    // backend secure default.
+    expect(DEFAULT_SANDBOX_FORM.onUnavailable).toBe("fail");
+  });
+
+  it("is a valid, secure-by-default policy input", () => {
+    const input = formToPolicyInput(DEFAULT_SANDBOX_FORM);
+    const parsed = sandboxPolicySchema.safeParse(input);
+    expect(parsed.success).toBe(true);
+    // Secure-by-default: egress denied (empty allowlist), FS confined,
+    // privilege dropped.
+    expect(input.enabled).toBe(true);
+    expect(input.onUnavailable).toBe("fail");
+    expect(input.network?.mode).toBe("allowlist");
+    expect(input.network?.allow).toEqual([]);
+    expect(input.filesystem?.mode).toBe("scratch-plus-ro");
+    expect(input.privilege?.mode).toBe("drop-to-uid");
+  });
+});
+
+describe("policyToForm / formToPolicyInput round-trip", () => {
+  it("round-trips the safe default without drift", () => {
+    const form = policyToForm(SAFE_DEFAULT);
+    const back = sandboxPolicySchema.parse(formToPolicyInput(form));
+    expect(back).toEqual(SAFE_DEFAULT);
+  });
+
+  it("MB fields convert to bytes correctly", () => {
+    const form = policyToForm(SAFE_DEFAULT);
+    expect(form.memoryMb).toBe("512");
+    const input = formToPolicyInput(form);
+    expect(input.resources?.memoryBytes).toBe(512 * 1024 * 1024);
+  });
+
+  it("blank resource caps are omitted (unset, not zero)", () => {
+    const form: SandboxFormState = {
+      ...policyToForm(SAFE_DEFAULT),
+      cpuSeconds: "",
+      memoryMb: "",
+    };
+    const input = formToPolicyInput(form);
+    expect(input.resources?.cpuSeconds).toBeUndefined();
+    expect(input.resources?.memoryBytes).toBeUndefined();
+    // Still valid (unset caps allowed).
+    expect(sandboxPolicySchema.safeParse(input).success).toBe(true);
+  });
+});
+
+describe("parseAllowList", () => {
+  it("trims, drops blanks, keeps order", () => {
+    expect(parseAllowList(" 10.0.0.1 \n\n 192.168.0.0/24\n")).toEqual([
+      "10.0.0.1",
+      "192.168.0.0/24",
+    ]);
+  });
+
+  it("network mode + allow list survive form round-trip", () => {
+    const form: SandboxFormState = {
+      ...policyToForm(SAFE_DEFAULT),
+      networkMode: "allowlist",
+      allowText: "10.0.0.1\n203.0.113.0/24",
+    };
+    const input = formToPolicyInput(form);
+    expect(input.network?.mode).toBe("allowlist");
+    expect(input.network?.allow).toEqual(["10.0.0.1", "203.0.113.0/24"]);
+  });
+});
+
+describe("validateForm", () => {
+  it("returns null for a valid form", () => {
+    expect(validateForm(policyToForm(SAFE_DEFAULT))).toBeNull();
+  });
+
+  it("flags a non-positive resource cap before submit", () => {
+    const form: SandboxFormState = {
+      ...policyToForm(SAFE_DEFAULT),
+      cpuSeconds: "-5",
+    };
+    expect(validateForm(form)).not.toBeNull();
+  });
+
+  it("a global disable still produces a valid input", () => {
+    const form: SandboxFormState = {
+      ...policyToForm(SAFE_DEFAULT),
+      enabled: false,
+    };
+    expect(validateForm(form)).toBeNull();
+    expect(formToPolicyInput(form).enabled).toBe(false);
+  });
+});

package/src/pages/sandbox-settings.logic.ts

@@ -0,0 +1,165 @@
+import {
+  sandboxPolicySchema,
+  type SandboxPolicy,
+  type SandboxPolicyInput,
+} from "@checkstack/common";
+
+/**
+ * DOM-free logic for the global script-sandbox settings page. Kept separate
+ * from the `.tsx` so it is unit-testable under `bun test` (run from the repo
+ * root WITHOUT happy-dom). The page component is a thin React shell over these
+ * pure helpers.
+ */
+
+/** Editable, flattened form state mirroring the policy editor's controls. */
+export interface SandboxFormState {
+  enabled: boolean;
+  onUnavailable: "degrade" | "fail";
+  networkMode: "deny" | "allowlist" | "unrestricted";
+  /** Raw multiline textarea content; one IP / CIDR per line. */
+  allowText: string;
+  denyLinkLocalAndMetadata: boolean;
+  filesystemMode: "off" | "scratch-only" | "scratch-plus-ro";
+  privilegeMode: "inherit" | "drop-to-uid";
+  /** Resource caps as strings (text inputs); blank = leave unset. */
+  cpuSeconds: string;
+  memoryMb: string;
+  maxOpenFiles: string;
+  maxProcesses: string;
+  maxOutputMb: string;
+  maxFileSizeMb: string;
+}
+
+const BYTES_PER_MB = 1024 * 1024;
+
+/**
+ * The seed default the admin sees for a FRESH global policy, before any row is
+ * stored. It mirrors the shipped secure default profile and is FAIL-CLOSED
+ * (`onUnavailable: "fail"`): when a layer cannot be enforced the run is refused
+ * rather than silently degraded. The backend resolves the same secure default
+ * for an empty settings table, so this constant only seeds the editor's initial
+ * state (and keeps the UI deterministic before the loader query resolves); it
+ * never overrides a stored policy.
+ */
+export const DEFAULT_SANDBOX_FORM: SandboxFormState = {
+  enabled: true,
+  onUnavailable: "fail",
+  networkMode: "allowlist",
+  allowText: "",
+  denyLinkLocalAndMetadata: true,
+  filesystemMode: "scratch-plus-ro",
+  privilegeMode: "drop-to-uid",
+  cpuSeconds: "60",
+  memoryMb: "512",
+  maxOpenFiles: "1024",
+  maxProcesses: "256",
+  maxOutputMb: "5",
+  maxFileSizeMb: "256",
+};
+
+/** Bytes -> MB string for a text input, or "" when the cap is unset. */
+function bytesToMbText(bytes: number | undefined): string {
+  if (bytes === undefined) return "";
+  return String(bytes / BYTES_PER_MB);
+}
+
+/** Integer -> text, or "" when unset. */
+function numToText(value: number | undefined): string {
+  return value === undefined ? "" : String(value);
+}
+
+/**
+ * Seed the editable form state from a resolved policy (the loader query result).
+ */
+export function policyToForm(policy: SandboxPolicy): SandboxFormState {
+  return {
+    enabled: policy.enabled,
+    onUnavailable: policy.onUnavailable,
+    networkMode: policy.network.mode,
+    allowText: policy.network.allow.join("\n"),
+    denyLinkLocalAndMetadata: policy.network.denyLinkLocalAndMetadata,
+    filesystemMode: policy.filesystem.mode,
+    privilegeMode: policy.privilege.mode,
+    cpuSeconds: numToText(policy.resources.cpuSeconds),
+    memoryMb: bytesToMbText(policy.resources.memoryBytes),
+    maxOpenFiles: numToText(policy.resources.maxOpenFiles),
+    maxProcesses: numToText(policy.resources.maxProcesses),
+    maxOutputMb: bytesToMbText(policy.resources.maxOutputBytes),
+    maxFileSizeMb: bytesToMbText(policy.resources.maxFileSizeBytes),
+  };
+}
+
+/** Parse a multiline allow list into trimmed, non-empty entries. */
+export function parseAllowList(allowText: string): string[] {
+  return allowText
+    .split("\n")
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0);
+}
+
+/** A positive-int text field -> number, or undefined when blank/invalid-empty. */
+function parsePositiveInt(value: string): number | undefined {
+  const trimmed = value.trim();
+  if (trimmed.length === 0) return undefined;
+  const n = Number(trimmed);
+  if (!Number.isFinite(n)) return undefined;
+  return Math.round(n);
+}
+
+/** An MB text field -> bytes, or undefined when blank. */
+function parseMbToBytes(value: string): number | undefined {
+  const trimmed = value.trim();
+  if (trimmed.length === 0) return undefined;
+  const n = Number(trimmed);
+  if (!Number.isFinite(n)) return undefined;
+  return Math.round(n * BYTES_PER_MB);
+}
+
+/**
+ * Build the FULL policy input to send to `setSandboxPolicy` from form state.
+ *
+ * The write endpoint treats its input as a partial merged over the safe
+ * default, but the editor exposes every layer, so we send a complete object
+ * (each layer explicit) - that is still a valid `SandboxPolicyInput`. Unset
+ * resource caps are OMITTED (left out of the object) so the schema treats them
+ * as "not capped by this layer" rather than coercing a 0/NaN.
+ */
+export function formToPolicyInput(form: SandboxFormState): SandboxPolicyInput {
+  const resources: Record<string, number> = {};
+  const cpu = parsePositiveInt(form.cpuSeconds);
+  if (cpu !== undefined) resources.cpuSeconds = cpu;
+  const mem = parseMbToBytes(form.memoryMb);
+  if (mem !== undefined) resources.memoryBytes = mem;
+  const nofile = parsePositiveInt(form.maxOpenFiles);
+  if (nofile !== undefined) resources.maxOpenFiles = nofile;
+  const nproc = parsePositiveInt(form.maxProcesses);
+  if (nproc !== undefined) resources.maxProcesses = nproc;
+  const out = parseMbToBytes(form.maxOutputMb);
+  if (out !== undefined) resources.maxOutputBytes = out;
+  const fsize = parseMbToBytes(form.maxFileSizeMb);
+  if (fsize !== undefined) resources.maxFileSizeBytes = fsize;
+
+  return {
+    enabled: form.enabled,
+    onUnavailable: form.onUnavailable,
+    resources,
+    filesystem: { mode: form.filesystemMode },
+    network: {
+      mode: form.networkMode,
+      allow: parseAllowList(form.allowText),
+      denyLinkLocalAndMetadata: form.denyLinkLocalAndMetadata,
+    },
+    privilege: { mode: form.privilegeMode },
+  };
+}
+
+/**
+ * Validate the form's would-be policy input against the canonical schema.
+ * Returns the first error message, or `null` when valid. Used to surface a
+ * problem (e.g. a non-positive resource cap) before submit.
+ */
+export function validateForm(form: SandboxFormState): string | null {
+  const parsed = sandboxPolicySchema.safeParse(formToPolicyInput(form));
+  if (parsed.success) return null;
+  return parsed.error.issues[0]?.message ?? "Invalid sandbox policy";
+}

package/src/useSdkTypeInjection.ts

@@ -0,0 +1,70 @@
+import React from "react";
+import { fetchApiRef, useApi } from "@checkstack/frontend-api";
+import type { AcquiredTypeFile } from "@checkstack/ui";
+import {
+  buildSdkTypesPath,
+  pluginMetadata,
+  SdkTypesResponseSchema,
+} from "@checkstack/script-packages-common";
+import { SDK_RELEASE_VERSION } from "@checkstack/sdk/version";
+
+/**
+ * Fetch the running release's `@checkstack/sdk` editor bundle (the ambient
+ * `.d.ts` for the script-authoring helpers + typed client) so the in-app
+ * editor resolves `import { defineHealthCheck } from "@checkstack/sdk/healthcheck"`
+ * with real types - never a hand-rolled ambient string that drifts from the
+ * published package.
+ *
+ * Version-keyed + cacheable (mirrors `useScriptPackageTypeAcquisition`): the
+ * route is `GET /api/script-packages/sdk-types/:releaseVersion`, served with
+ * `Cache-Control: private, max-age=..., immutable`. `SDK_RELEASE_VERSION` is
+ * stamped into the frontend bundle at build time and equals the release the
+ * backend serves (frontend + backend ship together). The version doubles as
+ * the `sdkTypesResetKey` so a deployment upgrade refreshes the SDK libs.
+ *
+ * If the backend's running version differs (e.g. a tab open across a rolling
+ * deploy) the route returns 409 and the hook yields no files that round; a
+ * frontend redeploy carries the new stamped version and the editor remounts.
+ *
+ * Returns `sdkTypes: undefined` until the fetch resolves so the editor simply
+ * doesn't mount the SDK libs before they're available.
+ */
+export function useSdkTypeInjection(): {
+  sdkTypes: AcquiredTypeFile[] | undefined;
+  sdkTypesResetKey: string;
+} {
+  const fetchApi = useApi(fetchApiRef);
+  const [sdkTypes, setSdkTypes] = React.useState<AcquiredTypeFile[]>();
+
+  const pluginFetch = React.useMemo(
+    () => fetchApi.forPlugin(pluginMetadata.pluginId),
+    [fetchApi],
+  );
+
+  React.useEffect(() => {
+    let cancelled = false;
+    const load = async (): Promise<void> => {
+      const path = buildSdkTypesPath({ releaseVersion: SDK_RELEASE_VERSION });
+      try {
+        const response = await pluginFetch.fetch(path);
+        if (!response.ok) {
+          // 409 stale-version or any error: no SDK types this round. A redeploy
+          // bumps the stamped version and re-runs this effect.
+          if (!cancelled) setSdkTypes([]);
+          return;
+        }
+        const json: unknown = await response.json();
+        const parsed = SdkTypesResponseSchema.safeParse(json);
+        if (!cancelled) setSdkTypes(parsed.success ? parsed.data.files : []);
+      } catch {
+        if (!cancelled) setSdkTypes([]);
+      }
+    };
+    void load();
+    return () => {
+      cancelled = true;
+    };
+  }, [pluginFetch]);
+
+  return { sdkTypes, sdkTypesResetKey: SDK_RELEASE_VERSION };
+}

package/tsconfig.json

@@ -13,6 +13,12 @@
     {
       "path": "../script-packages-common"
     },
+    {
+      "path": "../sdk"
+    },
+    {
+      "path": "../signal-frontend"
+    },
     {
       "path": "../ui"
     }

package/src/components/ScriptPackagesMenuItems.tsx

@@ -1,35 +0,0 @@
-import React from "react";
-import { Link } from "react-router-dom";
-import { Package } from "lucide-react";
-import type { UserMenuItemsContext } from "@checkstack/frontend-api";
-import { DropdownMenuItem } from "@checkstack/ui";
-import { resolveRoute } from "@checkstack/common";
-import {
-  scriptPackagesRoutes,
-  scriptPackagesAccess,
-  pluginMetadata,
-} from "@checkstack/script-packages-common";
-
-/**
- * "Script Packages" entry in the user/settings menu. Gated on
- * `script-packages.manage` (the page itself is also access-gated by the
- * route); hiding the link is the cleaner UX for unauthorised users.
- */
-export const ScriptPackagesMenuItems = ({
-  accessRules: userPerms,
-}: UserMenuItemsContext) => {
-  const qualifiedId = `${pluginMetadata.pluginId}.${scriptPackagesAccess.manage.id}`;
-  const canManage = userPerms.includes("*") || userPerms.includes(qualifiedId);
-
-  if (!canManage) {
-    return <React.Fragment />;
-  }
-
-  return (
-    <Link to={resolveRoute(scriptPackagesRoutes.routes.settings)}>
-      <DropdownMenuItem icon={<Package className="w-4 h-4" />}>
-        Script Packages
-      </DropdownMenuItem>
-    </Link>
-  );
-};