wu-sheng opened a new pull request, #84:
URL: https://github.com/apache/skywalking-horizon-ui/pull/84

## Why

A pre-1.0 audit flagged several items; this PR lands the three that are
clear, no-decision fixes. The remaining audit items (dependency-override
strategy, login throttling, CI audit gating, the version line itself) are
deferred by maintainer decision.

## What

**Changelog (docs).** 1.0.0 isn't released yet (latest tag v0.7.0;
package.json `1.0.0-dev`), but the changelog had a populated `## 1.1.0` section
stacked above `## 1.0.0` — wrong, since all of it ships in 1.0.0. Merged into a
single unreleased `## 1.0.0` (the duplicated `### Logs` subsection merged;
every bullet preserved). This also stops `release.sh` from duplicating the
`1.1.0` heading on the next-dev bump after a 1.0.0 cut.

**RBAC UI matcher parity (fix).** The UI auth store's verb matcher diverged
from the BFF's `rbac/matchOne` — it ignored the `admin` sentinel and truncated
verbs to two segments. So a custom `admin` grant was hidden in the UI, and a
`*:write` grant displayed `rule:write:structural` controls the BFF then denies.
The UI matcher now mirrors `matchOne` exactly (admin sentinel, `split(':', 3)`,
sub-action equality). The UI gate is advisory — the BFF still enforces — so
this is a UX-correctness fix.

**500 error-leak (fix).** The global Fastify error handler returned raw
`err.message` to the client for every non-`HttpError` 500 (which can carry
upstream response snippets / endpoint details). It now logs server-side and
returns a generic body + `requestId` for correlation; `err.message` is kept
only in `NODE_ENV=development`. `HttpError` messages (intentionally
client-facing) are unchanged.

## Validation

Green: type-check (both workspaces), build-ui, build-bff, lint +
source-budget, 116 UI + 162 BFF unit tests (the RBAC verb suite among them —
the UI matcher now mirrors it), license 0-invalid.

Coverage note: the 500 path and the `admin` / `structural` verb cases aren't
exercisable on the demo's simple roles, so those are covered by type-check +
the BFF verb suite rather than a live click-through; the changelog change is
content-only. No OAP wire shape is touched.