@checkstack/slo-frontend 0.5.4 → 0.5.6

package/CHANGELOG.md

@@ -1,5 +1,81 @@
 # @checkstack/slo-frontend
 
+## 0.5.6
+
+### Patch Changes
+
+- dbe89ae: fix(slo): stop SLO overview cards stretching to the sidebar height
+
+  On the SLO Dashboard the card grid sits next to a taller sidebar in an
+  `items-stretch` layout, so the card grid was stretched to the sidebar's
+  height and the default `align-content` then stretched the card rows to fill
+  it, leaving large empty space inside each card. The card grid now uses
+  `content-start` so rows stay content-sized, while `h-full` on the card/anchor
+  still makes cards within the same row match each other.
+
+- Updated dependencies [f9cfdae]
+  - @checkstack/dependency-common@1.2.5
+
+## 0.5.5
+
+### Patch Changes
+
+- 56e7c75: Fix frontend access checks to use FULLY-QUALIFIED access-rule ids, and resolve
+  the anonymous role on the frontend.
+
+  Granted access-rule ids are stored fully-qualified as `{pluginId}.{ruleId}` (e.g.
+  `incident.incident.read`) so two plugins defining the same short rule id never
+  collide. The frontend, however, was checking the UNqualified id (`incident.read`)
+  via `isAccessRuleSatisfied`, so every check failed for any user without the `*`
+  (admin) grant - masked in development because dev-auth grants `*`. This silently
+  broke ALL non-admin frontend gating (route guards, sidebar entries, and
+  `useAccess`-based button/link gating).
+
+  - **`@checkstack/common`**: `AccessRule` now carries a REQUIRED owning `pluginId`;
+    `access()` / `accessPair()` require and stamp it; `isAccessRuleSatisfied`
+    qualifies the rule (`{pluginId}.{id}`, plus the manage->read escalation) and
+    matches ONLY the qualified form. There is intentionally NO unqualified fallback
+    - matching a bare id would let one plugin's grant satisfy another plugin's
+      identically-named rule (a cross-plugin privilege-escalation flaw). Every plugin
+      that defines access rules now passes its own `pluginId`.
+  - **`@checkstack/backend`**: `pluginManager.getAllAccessRules()` no longer strips
+    the `pluginId` field (the rule `id` is already fully-qualified for the DB sync).
+  - **Route guard** (`@checkstack/frontend` / `@checkstack/frontend-api`) now
+    checks the FULL rule object (so it qualifies and escalates), not a bare id.
+  - **Anonymous role on the frontend**: the `accessRules` procedure is now
+    `public`, returning the configurable anonymous role's grants to unauthenticated
+    callers; `useAccessRules` fetches them for guests instead of returning an empty
+    set. So anonymous UI now reflects exactly what the anonymous role is allowed -
+    which an admin can change (`isPublic` is only the seeded default).
+  - Incident / maintenance / SLO detail routes are now read-gated (their read rule
+    is an `isPublic` default, so the anonymous role holds it unless an admin
+    revokes it); their dashboard status signals carry that rule and render as a
+    link only when the viewer may open it.
+
+  **BREAKING (`@checkstack/common`):** `AccessRule.pluginId` is now REQUIRED, and
+  `access()` / `accessPair()` require a `pluginId` option. `isAccessRuleSatisfied`
+  matches ONLY the fully-qualified `{pluginId}.{ruleId}` form - the previous
+  unqualified fallback is removed, because it was a cross-plugin
+  privilege-escalation flaw. Any code constructing an `AccessRule` or calling
+  `access()`/`accessPair()` must supply the owning `pluginId`.
+
+  Verified live against an anonymous caller: read pages resolve (qualified match),
+  manage actions are denied, manage->read escalation and `*` still work.
+
+- Updated dependencies [460ffd6]
+- Updated dependencies [56e7c75]
+- Updated dependencies [56e7c75]
+  - @checkstack/dashboard-frontend@0.8.5
+  - @checkstack/frontend-api@0.9.0
+  - @checkstack/catalog-common@2.3.4
+  - @checkstack/ui@1.15.1
+  - @checkstack/common@0.15.0
+  - @checkstack/dependency-common@1.2.4
+  - @checkstack/healthcheck-common@1.5.4
+  - @checkstack/slo-common@0.5.4
+  - @checkstack/tips-frontend@0.3.5
+  - @checkstack/signal-frontend@0.2.4
+
 ## 0.5.4
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/slo-frontend",
-  "version": "0.5.4",
+  "version": "0.5.6",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.tsx",
@@ -13,16 +13,16 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/catalog-common": "2.3.3",
-    "@checkstack/common": "0.14.1",
-    "@checkstack/dashboard-frontend": "0.8.4",
-    "@checkstack/dependency-common": "1.2.3",
-    "@checkstack/frontend-api": "0.8.0",
-    "@checkstack/healthcheck-common": "1.5.3",
-    "@checkstack/signal-frontend": "0.2.3",
-    "@checkstack/slo-common": "0.5.3",
-    "@checkstack/tips-frontend": "0.3.4",
-    "@checkstack/ui": "1.15.0",
+    "@checkstack/catalog-common": "2.3.4",
+    "@checkstack/common": "0.15.0",
+    "@checkstack/dashboard-frontend": "0.8.5",
+    "@checkstack/dependency-common": "1.2.5",
+    "@checkstack/frontend-api": "0.9.0",
+    "@checkstack/healthcheck-common": "1.5.4",
+    "@checkstack/signal-frontend": "0.2.4",
+    "@checkstack/slo-common": "0.5.4",
+    "@checkstack/tips-frontend": "0.3.5",
+    "@checkstack/ui": "1.15.1",
     "date-fns": "^4.4.0",
     "lucide-react": "^1.17.0",
     "react": "19.2.7",
@@ -33,6 +33,6 @@
     "typescript": "^5.0.0",
     "@types/react": "^19.0.0",
     "@checkstack/tsconfig": "0.0.7",
-    "@checkstack/scripts": "0.6.0"
+    "@checkstack/scripts": "0.6.1"
   }
 }

package/src/components/SloSignalsFiller.tsx

@@ -6,7 +6,7 @@ import {
   type SystemSignal,
   type SystemSignalsMap,
 } from "@checkstack/catalog-common";
-import { SloApi, sloRoutes } from "@checkstack/slo-common";
+import { SloApi, sloRoutes, sloAccess } from "@checkstack/slo-common";
 
 type Props = SlotContext<typeof SystemSignalsSlot>;
 
@@ -61,6 +61,8 @@ export const SloSignalsFiller: React.FC<Props> = ({ systemIds, onSignals }) => {
           href: resolveRoute(sloRoutes.routes.detail, {
             sloId: objective.id,
           }),
+          // Detail page is read-gated; render as text for users without it.
+          accessRule: sloAccess.slo.read,
           iconName: "Target",
         });
       }

package/src/index.tsx

@@ -47,6 +47,8 @@ export default createFrontendPlugin({
           default: m.SloDetailPage,
         })),
       title: "SLO Detail",
+      // Read-gated; anonymous holds this by default (isPublic), admin-revocable.
+      accessRule: sloAccess.slo.read,
     },
   ],
   apis: [],

package/src/pages/SloOverviewPage.tsx

@@ -82,16 +82,20 @@ const SloOverviewPageContent: React.FC = () => {
         />
       ) : (
         <div className="grid grid-cols-1 lg:grid-cols-[1fr_300px] gap-6">
-          <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+          {/* content-start: this grid is stretched to the sidebar's height by
+              the outer items-stretch grid; without it, the default align-content
+              stretches the card rows to fill that height. Keep cards content-sized
+              while h-full still makes cards within a row match each other. */}
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-4 content-start">
             {objectives.map((item) => (
               <Link
                 key={item.objective.id}
                 to={resolveRoute(sloRoutes.routes.detail, {
                   sloId: item.objective.id,
                 })}
-                className="block no-underline"
+                className="block no-underline h-full"
               >
-                <Card className="transition-colors hover:border-primary/50">
+                <Card className="h-full transition-colors hover:border-primary/50">
                   <CardHeader className="pb-3">
                     <div className="flex items-center justify-between">
                       <CardTitle className="text-sm font-medium">