@checkstack/status-page-backend 0.1.0

package/src/service.test.ts

@@ -0,0 +1,276 @@
+import { describe, test, expect } from "bun:test";
+import { z } from "zod";
+import type { Logger, RpcClient, SafeDatabase } from "@checkstack/backend-api";
+import { StatusPageService } from "./service";
+import type {
+  RegisteredWidgetType,
+  WidgetTypeRegistry,
+} from "./widget-registry";
+import type { StatusPageRow } from "./schema";
+import * as schema from "./schema";
+
+/** Minimal chainable fake of the drizzle query used by resolvePublished. */
+function fakeDb(row: StatusPageRow | undefined): SafeDatabase<typeof schema> {
+  const result = row ? [row] : [];
+  const chain = {
+    from: () => chain,
+    where: () => chain,
+    limit: () => Promise.resolve(result),
+  };
+  // Cast: a hand-rolled stub of the SafeDatabase surface the service touches.
+  return { select: () => chain } as unknown as SafeDatabase<typeof schema>;
+}
+
+const noopLogger: Logger = {
+  debug: () => {},
+  info: () => {},
+  warn: () => {},
+  error: () => {},
+} as unknown as Logger;
+
+const noRpc: RpcClient = {
+  forPlugin: () => ({}) as never,
+};
+
+function widget(
+  over: Partial<RegisteredWidgetType> & { id: string },
+): RegisteredWidgetType {
+  return {
+    id: over.id,
+    qualifiedId: over.qualifiedId ?? `test.${over.id}`,
+    ownerPluginId: "test",
+    displayName: over.id,
+    description: "",
+    category: "Test",
+    binding: "none",
+    configSchema: z.unknown(),
+    dtoSchema: over.dtoSchema ?? z.object({ value: z.string() }),
+    boundResources: over.boundResources ?? (() => []),
+    resolvePublic:
+      over.resolvePublic ?? (async () => ({ value: "ok" })),
+    assertBindingsReadable: over.assertBindingsReadable,
+  };
+}
+
+function registryOf(widgets: RegisteredWidgetType[]): WidgetTypeRegistry {
+  const map = new Map(widgets.map((w) => [w.qualifiedId, w]));
+  return {
+    register: () => {},
+    get: (id) => map.get(id),
+    list: () => [...map.values()],
+  };
+}
+
+function row(over: Partial<StatusPageRow>): StatusPageRow {
+  return {
+    id: "p1",
+    slug: "acme",
+    title: "Acme",
+    visibility: "public",
+    theme: { mode: "auto" },
+    draftLayout: [],
+    publishedLayout: null,
+    publishedAt: null,
+    createdAt: new Date("2026-06-01T00:00:00Z"),
+    updatedAt: new Date("2026-06-01T00:00:00Z"),
+    ...over,
+  } as StatusPageRow;
+}
+
+function service(args: {
+  row?: StatusPageRow;
+  widgets?: RegisteredWidgetType[];
+}): StatusPageService {
+  return new StatusPageService({
+    db: fakeDb(args.row),
+    registry: registryOf(args.widgets ?? []),
+    rpcClient: noRpc,
+    logger: noopLogger,
+  });
+}
+
+describe("resolvePublished — isolation + visibility", () => {
+  test("returns null for a page that is not published", async () => {
+    const svc = service({ row: row({ publishedLayout: null }) });
+    expect(
+      await svc.resolvePublished({ slug: "acme", isAuthenticated: false }),
+    ).toBeNull();
+  });
+
+  test("an authenticated-only page is hidden from anonymous callers", async () => {
+    const svc = service({
+      row: row({ visibility: "authenticated", publishedLayout: [] }),
+    });
+    expect(
+      await svc.resolvePublished({ slug: "acme", isAuthenticated: false }),
+    ).toBeNull();
+    expect(
+      await svc.resolvePublished({ slug: "acme", isAuthenticated: true }),
+    ).not.toBeNull();
+  });
+
+  test("only blocks in the PUBLISHED layout are resolved", async () => {
+    const svc = service({
+      row: row({
+        publishedLayout: [{ id: "b1", type: "test.ok", config: {} }],
+        // Draft has an extra block that must NEVER appear publicly.
+        draftLayout: [
+          { id: "b1", type: "test.ok", config: {} },
+          { id: "secret", type: "test.ok", config: {} },
+        ],
+      }),
+      widgets: [widget({ id: "ok" })],
+    });
+    const result = await svc.resolvePublished({
+      slug: "acme",
+      isAuthenticated: false,
+    });
+    expect(result?.blocks.map((b) => b.id)).toEqual(["b1"]);
+  });
+
+  test("the DTO schema is the allow-list — extra resolver fields are stripped", async () => {
+    const svc = service({
+      row: row({ publishedLayout: [{ id: "b1", type: "test.ok", config: {} }] }),
+      widgets: [
+        widget({
+          id: "ok",
+          dtoSchema: z.object({ value: z.string() }),
+          resolvePublic: async () => ({ value: "shown", secret: "LEAK" }),
+        }),
+      ],
+    });
+    const result = await svc.resolvePublished({
+      slug: "acme",
+      isAuthenticated: false,
+    });
+    expect(result?.blocks[0].data).toEqual({ value: "shown" });
+    expect(JSON.stringify(result)).not.toContain("LEAK");
+  });
+
+  test("a failing widget degrades to data:null, never crashing the page", async () => {
+    const svc = service({
+      row: row({
+        publishedLayout: [
+          { id: "bad", type: "test.boom", config: {} },
+          { id: "good", type: "test.ok", config: {} },
+        ],
+      }),
+      widgets: [
+        widget({
+          id: "boom",
+          qualifiedId: "test.boom",
+          resolvePublic: async () => {
+            throw new Error("resolver blew up");
+          },
+        }),
+        widget({ id: "ok" }),
+      ],
+    });
+    const result = await svc.resolvePublished({
+      slug: "acme",
+      isAuthenticated: false,
+    });
+    expect(result?.blocks.find((b) => b.id === "bad")?.data).toBeNull();
+    expect(result?.blocks.find((b) => b.id === "good")?.data).toEqual({
+      value: "ok",
+    });
+  });
+
+  test("unknown widget types are skipped, not rendered", async () => {
+    const svc = service({
+      row: row({
+        publishedLayout: [{ id: "x", type: "ghost.widget", config: {} }],
+      }),
+      widgets: [],
+    });
+    const result = await svc.resolvePublished({
+      slug: "acme",
+      isAuthenticated: false,
+    });
+    expect(result?.blocks).toEqual([]);
+  });
+});
+
+describe("publish gate — delegates to the widget, fails closed", () => {
+  test("propagates a widget's access-check failure as FORBIDDEN", async () => {
+    const sysWidget = widget({
+      id: "sys",
+      qualifiedId: "test.sys",
+      boundResources: () => [
+        { resourceType: "catalog.system", resourceId: "s1" },
+      ],
+      assertBindingsReadable: async () => {
+        throw new Error("System s1 is not accessible");
+      },
+    });
+    const svc = service({
+      row: row({ draftLayout: [{ id: "b", type: "test.sys", config: {} }] }),
+      widgets: [sysWidget],
+    });
+    await expect(
+      svc.publish({ id: "p1", userClient: noRpc }),
+    ).rejects.toThrow(/not accessible/i);
+  });
+
+  test("FAILS CLOSED when a binding widget provides no access check", async () => {
+    const noCheck = widget({
+      id: "nocheck",
+      qualifiedId: "test.nocheck",
+      boundResources: () => [
+        { resourceType: "catalog.system", resourceId: "s1" },
+      ],
+      // no assertBindingsReadable
+    });
+    const svc = service({
+      row: row({ draftLayout: [{ id: "b", type: "test.nocheck", config: {} }] }),
+      widgets: [noCheck],
+    });
+    await expect(
+      svc.publish({ id: "p1", userClient: noRpc }),
+    ).rejects.toThrow(/cannot be published/i);
+  });
+
+  test("allows publish when the widget's access check passes", async () => {
+    let checked = false;
+    const okWidget = widget({
+      id: "ok",
+      qualifiedId: "test.okbind",
+      boundResources: () => [
+        { resourceType: "catalog.system", resourceId: "s1" },
+      ],
+      assertBindingsReadable: async () => {
+        checked = true;
+      },
+    });
+    const svc = service({
+      row: row({ draftLayout: [{ id: "b", type: "test.okbind", config: {} }] }),
+      widgets: [okWidget],
+    });
+    // The select-only fake DB can't service the post-gate UPDATE, so we only
+    // assert the gate ran + passed (the update path is covered elsewhere).
+    await svc.publish({ id: "p1", userClient: noRpc }).catch(() => undefined);
+    expect(checked).toBe(true);
+  });
+});
+
+describe("collectBoundResources", () => {
+  test("dedupes bound resources across blocks", () => {
+    const svc = service({
+      widgets: [
+        widget({
+          id: "w",
+          boundResources: () => [
+            { resourceType: "catalog.system", resourceId: "s1" },
+          ],
+        }),
+      ],
+    });
+    const bound = svc.collectBoundResources([
+      { id: "a", type: "test.w", config: {} },
+      { id: "b", type: "test.w", config: {} },
+    ]);
+    expect(bound).toEqual([
+      { resourceType: "catalog.system", resourceId: "s1" },
+    ]);
+  });
+});

package/src/service.ts

@@ -0,0 +1,337 @@
+import { eq } from "drizzle-orm";
+import { ORPCError } from "@orpc/server";
+import { extractErrorMessage } from "@checkstack/common";
+import type { SafeDatabase, RpcClient, Logger } from "@checkstack/backend-api";
+import {
+  StatusPageVisibilitySchema,
+  StatusPageThemeSchema,
+  type StatusPage,
+  type StatusPageSummary,
+  type StatusPageLayout,
+  type StatusPageTheme,
+  type StatusPageVisibility,
+  type PublishedStatusPage,
+  type ResolvedBlock,
+  type WidgetTypeDescriptor,
+} from "@checkstack/status-page-common";
+import * as schema from "./schema";
+import { statusPages, type StatusPageRow } from "./schema";
+import type {
+  BoundResource,
+  WidgetResolveContext,
+  WidgetTypeRegistry,
+} from "./widget-registry";
+
+type Db = SafeDatabase<typeof schema>;
+
+function iso(value: Date | null): string | null {
+  return value ? value.toISOString() : null;
+}
+
+function rowVisibility(row: StatusPageRow): StatusPageVisibility {
+  const parsed = StatusPageVisibilitySchema.safeParse(row.visibility);
+  return parsed.success ? parsed.data : "public";
+}
+
+function rowTheme(row: StatusPageRow): StatusPageTheme {
+  const parsed = StatusPageThemeSchema.safeParse(row.theme);
+  return parsed.success ? parsed.data : { mode: "auto" };
+}
+
+function rowToPage(row: StatusPageRow): StatusPage {
+  return {
+    id: row.id,
+    slug: row.slug,
+    title: row.title,
+    visibility: rowVisibility(row),
+    theme: rowTheme(row),
+    draftLayout: row.draftLayout,
+    publishedLayout: row.publishedLayout ?? null,
+    published: row.publishedLayout !== null,
+    publishedAt: iso(row.publishedAt),
+    createdAt: row.createdAt.toISOString(),
+    updatedAt: row.updatedAt.toISOString(),
+  };
+}
+
+function rowToSummary(row: StatusPageRow): StatusPageSummary {
+  return {
+    id: row.id,
+    slug: row.slug,
+    title: row.title,
+    visibility: rowVisibility(row),
+    published: row.publishedLayout !== null,
+    publishedAt: iso(row.publishedAt),
+    updatedAt: row.updatedAt.toISOString(),
+  };
+}
+
+
+export interface StatusPageServiceDeps {
+  db: Db;
+  registry: WidgetTypeRegistry;
+  /** Trusted service client for the public resolver (reads bound resources). */
+  rpcClient: RpcClient;
+  logger: Logger;
+}
+
+export class StatusPageService {
+  constructor(private readonly deps: StatusPageServiceDeps) {}
+
+  async list(): Promise<StatusPageSummary[]> {
+    const rows = await this.deps.db.select().from(statusPages);
+    return rows.map((row) => rowToSummary(row));
+  }
+
+  async get(id: string): Promise<StatusPage | null> {
+    const [row] = await this.deps.db
+      .select()
+      .from(statusPages)
+      .where(eq(statusPages.id, id))
+      .limit(1);
+    return row ? rowToPage(row) : null;
+  }
+
+  private async requireRow(id: string): Promise<StatusPageRow> {
+    const [row] = await this.deps.db
+      .select()
+      .from(statusPages)
+      .where(eq(statusPages.id, id))
+      .limit(1);
+    if (!row) throw new ORPCError("NOT_FOUND", { message: "Status page not found." });
+    return row;
+  }
+
+  private async assertSlugFree(slug: string, exceptId?: string): Promise<void> {
+    const [row] = await this.deps.db
+      .select({ id: statusPages.id })
+      .from(statusPages)
+      .where(eq(statusPages.slug, slug))
+      .limit(1);
+    if (row && row.id !== exceptId) {
+      throw new ORPCError("CONFLICT", {
+        message: `The slug "${slug}" is already in use.`,
+      });
+    }
+  }
+
+  async create(input: { title: string; slug: string }): Promise<StatusPage> {
+    await this.assertSlugFree(input.slug);
+    const [row] = await this.deps.db
+      .insert(statusPages)
+      .values({ title: input.title, slug: input.slug })
+      .returning();
+    return rowToPage(row);
+  }
+
+  async update(input: {
+    id: string;
+    title?: string;
+    slug?: string;
+    visibility?: StatusPageVisibility;
+    theme?: StatusPageTheme;
+    draftLayout?: StatusPageLayout;
+  }): Promise<StatusPage> {
+    await this.requireRow(input.id);
+    if (input.slug !== undefined) await this.assertSlugFree(input.slug, input.id);
+    const set: Partial<StatusPageRow> = { updatedAt: new Date() };
+    if (input.title !== undefined) set.title = input.title;
+    if (input.slug !== undefined) set.slug = input.slug;
+    if (input.visibility !== undefined) set.visibility = input.visibility;
+    if (input.theme !== undefined) set.theme = input.theme;
+    if (input.draftLayout !== undefined) set.draftLayout = input.draftLayout;
+    const [row] = await this.deps.db
+      .update(statusPages)
+      .set(set)
+      .where(eq(statusPages.id, input.id))
+      .returning();
+    return rowToPage(row);
+  }
+
+  /** Every resource bound by the widgets in a layout (deduped per type+id). */
+  collectBoundResources(layout: StatusPageLayout): BoundResource[] {
+    const seen = new Set<string>();
+    const out: BoundResource[] = [];
+    for (const block of layout) {
+      const widget = this.deps.registry.get(block.type);
+      if (!widget) continue;
+      let bound: BoundResource[] = [];
+      try {
+        bound = widget.boundResources(block.config);
+      } catch {
+        // A malformed stored config can't bind anything; ignore for collection.
+        bound = [];
+      }
+      for (const b of bound) {
+        const key = `${b.resourceType}:${b.resourceId}`;
+        if (!seen.has(key)) {
+          seen.add(key);
+          out.push(b);
+        }
+      }
+    }
+    return out;
+  }
+
+  /**
+   * Publish the draft. The middleware already verified `manage` on the page;
+   * this additionally enforces the editor can READ every bound resource (you
+   * cannot publish what you cannot see) using the USER-scoped client, then
+   * snapshots draft -> published. Returns the exposed resources for the audit.
+   */
+  async publish(input: {
+    id: string;
+    userClient: RpcClient;
+  }): Promise<{ page: StatusPage; exposed: BoundResource[] }> {
+    const row = await this.requireRow(input.id);
+    await this.assertEditorCanAccess(input.userClient, row.draftLayout);
+    const bound = this.collectBoundResources(row.draftLayout);
+    const now = new Date();
+    const [updated] = await this.deps.db
+      .update(statusPages)
+      .set({ publishedLayout: row.draftLayout, publishedAt: now, updatedAt: now })
+      .where(eq(statusPages.id, input.id))
+      .returning();
+    return { page: rowToPage(updated), exposed: bound };
+  }
+
+  async unpublish(id: string): Promise<StatusPage> {
+    await this.requireRow(id);
+    const [row] = await this.deps.db
+      .update(statusPages)
+      .set({ publishedLayout: null, publishedAt: null, updatedAt: new Date() })
+      .where(eq(statusPages.id, id))
+      .returning();
+    return rowToPage(row);
+  }
+
+  async remove(id: string): Promise<boolean> {
+    const deleted = await this.deps.db
+      .delete(statusPages)
+      .where(eq(statusPages.id, id))
+      .returning({ id: statusPages.id });
+    return deleted.length > 0;
+  }
+
+  listWidgetTypes(): WidgetTypeDescriptor[] {
+    return this.deps.registry.list().map((w) => ({
+      id: w.qualifiedId,
+      displayName: w.displayName,
+      description: w.description,
+      category: w.category,
+      binding: w.binding,
+    }));
+  }
+
+  /**
+   * "Cannot publish what you cannot see." For each widget that binds resources,
+   * delegate the access check to the widget's own `assertBindingsReadable` (the
+   * OWNING plugin knows how to verify its resource types). FAILS CLOSED: a
+   * binding widget that provides no such check rejects the publish — the
+   * platform never silently passes an unverifiable binding.
+   */
+  private async assertEditorCanAccess(
+    userClient: RpcClient,
+    layout: StatusPageLayout,
+  ): Promise<void> {
+    for (const block of layout) {
+      const widget = this.deps.registry.get(block.type);
+      if (!widget) continue;
+      let binds: BoundResource[] = [];
+      try {
+        binds = widget.boundResources(block.config);
+      } catch {
+        binds = [];
+      }
+      if (binds.length === 0) continue;
+      if (!widget.assertBindingsReadable) {
+        throw new ORPCError("FORBIDDEN", {
+          message:
+            `The "${widget.displayName}" widget binds resources but provides ` +
+            "no access check, so it cannot be published.",
+        });
+      }
+      try {
+        await widget.assertBindingsReadable({ userClient, config: block.config });
+      } catch (error) {
+        throw new ORPCError("FORBIDDEN", {
+          message: extractErrorMessage(
+            error,
+            "You can only publish widgets bound to resources you can access.",
+          ),
+        });
+      }
+    }
+  }
+
+  /**
+   * Resolve a PUBLISHED page for the public surface. Returns null when no page
+   * matches, the page is unpublished, or its visibility excludes the caller —
+   * never revealing that an unpublished/private page exists. Each block is
+   * resolved via its widget's `resolvePublic` (trusted reads) and re-validated
+   * against the widget's DTO schema, so only allow-listed fields are emitted; a
+   * resolver error degrades that one block to `data: null`, never the page.
+   */
+  async resolvePublished(input: {
+    slug: string;
+    isAuthenticated: boolean;
+  }): Promise<PublishedStatusPage | null> {
+    const [row] = await this.deps.db
+      .select()
+      .from(statusPages)
+      .where(eq(statusPages.slug, input.slug))
+      .limit(1);
+    if (!row || row.publishedLayout === null) return null;
+    const visibility = rowVisibility(row);
+    if (visibility === "authenticated" && !input.isAuthenticated) return null;
+
+    // Per-resolve memo so a page with many widgets shares expensive reads (e.g.
+    // the full catalog) instead of re-fetching per widget on every public hit.
+    const memo = new Map<string, Promise<unknown>>();
+    const ctx: WidgetResolveContext = {
+      rpcClient: this.deps.rpcClient,
+      cache: <T,>(key: string, loader: () => Promise<T>): Promise<T> => {
+        const existing = memo.get(key);
+        if (existing) return existing as Promise<T>;
+        const created = loader();
+        memo.set(key, created);
+        return created;
+      },
+    };
+
+    const blocks: ResolvedBlock[] = [];
+    for (const block of row.publishedLayout) {
+      const widget = this.deps.registry.get(block.type);
+      if (!widget) continue;
+      let data: unknown = null;
+      try {
+        const raw = await widget.resolvePublic({
+          config: block.config,
+          ctx,
+        });
+        data = widget.dtoSchema.parse(raw);
+      } catch (error) {
+        this.deps.logger.warn("Status page widget failed to resolve", {
+          slug: row.slug,
+          blockType: block.type,
+          error: extractErrorMessage(error),
+        });
+        data = null;
+      }
+      blocks.push({
+        id: block.id,
+        type: block.type,
+        ...(block.label === undefined ? {} : { label: block.label }),
+        data,
+      });
+    }
+
+    return {
+      slug: row.slug,
+      title: row.title,
+      theme: rowTheme(row),
+      blocks,
+      generatedAt: new Date().toISOString(),
+    };
+  }
+}

package/src/user-client.ts

@@ -0,0 +1,39 @@
+import { createORPCClient } from "@orpc/client";
+import { RPCLink } from "@orpc/client/fetch";
+import type { RpcClient } from "@checkstack/backend-api";
+
+/**
+ * Build a USER-SCOPED RpcClient that re-enters the live router AS the calling
+ * user (forwarding their cookie / bearer), never as a trusted service. Used by
+ * the publish-time gate to verify the editor can actually READ every resource a
+ * widget binds — "you cannot publish what you cannot see". Mirrors the AI
+ * chat read-invoker; only the user's own auth headers are forwarded.
+ */
+export function createUserScopedRpcClient({
+  internalUrl,
+  forwardHeaders,
+}: {
+  internalUrl: string;
+  forwardHeaders: Record<string, string>;
+}): RpcClient {
+  const link = new RPCLink({ url: `${internalUrl}/api`, headers: forwardHeaders });
+  const client = createORPCClient(link);
+  return {
+    forPlugin(def) {
+      return (client as Record<string, unknown>)[def.pluginId] as never;
+    },
+  };
+}
+
+/** Extract ONLY the forwardable auth headers (cookie + bearer) from a request. */
+export function forwardableAuthHeadersFrom(
+  headers: Headers | undefined,
+): Record<string, string> {
+  const out: Record<string, string> = {};
+  if (!headers) return out;
+  const cookie = headers.get("cookie");
+  if (cookie) out.cookie = cookie;
+  const auth = headers.get("authorization");
+  if (auth) out.authorization = auth;
+  return out;
+}