wu-sheng opened a new pull request, #84:
URL: https://github.com/apache/skywalking-horizon-ui/pull/84
## Why
A pre-1.0 audit flagged several items; this PR lands the three that are
clear, no-decision fixes. The remaining audit items (dependency-override
strategy, login throttling, CI audit gating, the version line itself) are
deferred by maintainer decision.
## What
**Changelog (docs).** 1.0.0 isn't released yet (latest tag v0.7.0;
package.json `1.0.0-dev`), but the changelog had a populated `## 1.1.0` section
stacked above `## 1.0.0` — wrong, since all of it ships in 1.0.0. Merged into a
single unreleased `## 1.0.0` (the duplicated `### Logs` subsection merged;
every bullet preserved). This also stops `release.sh` from duplicating the
`1.1.0` heading on the next-dev bump after a 1.0.0 cut.
**RBAC UI matcher parity (fix).** The UI auth store's verb matcher diverged
from the BFF's `rbac/matchOne` — it ignored the `admin` sentinel and truncated
verbs to two segments. So a custom `admin` grant was hidden in the UI, and a
`*:write` grant displayed `rule:write:structural` controls the BFF then denies.
The UI matcher now mirrors `matchOne` exactly (admin sentinel, `split(':', 3)`,
sub-action equality). The UI gate is advisory — the BFF still enforces — so
this is a UX-correctness fix.
**500 error-leak (fix).** The global Fastify error handler returned raw
`err.message` to the client for every non-`HttpError` 500 (which can carry
upstream response snippets / endpoint details). It now logs server-side and
returns a generic body + `requestId` for correlation; `err.message` is kept
only in `NODE_ENV=development`. `HttpError` messages (intentionally
client-facing) are unchanged.
## Validation
Green: type-check (both workspaces), build-ui, build-bff, lint +
source-budget, 116 UI + 162 BFF unit tests (the RBAC verb suite among them —
the UI matcher now mirrors it), license 0-invalid.
Coverage note: the 500 path and the `admin` / `structural` verb cases aren't
exercisable on the demo's simple roles, so those are covered by type-check +
the BFF verb suite rather than a live click-through; the changelog change is
content-only. No OAP wire shape is touched.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
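To make the 500 error-leak fix described in the PR concrete, here is an added example (not code from the PR or the skywalking-horizon-ui project) that models the pre-fix and post-fix handler as plain functions so it runs under Node without Fastify; `HttpError`, the option names and the sample upstream error are assumptions labelled in the comments.

```javascript
// Added illustration, not project code. `HttpError` is an assumed shape for
// errors the BFF intentionally raises for the client; Fastify's reply/log
// objects are replaced by return values and a `log` callback.
class HttpError extends Error {
  constructor(statusCode, message) {
    super(message);
    this.statusCode = statusCode;
  }
}

// Pre-fix behaviour: every error's raw message reached the client.
function leakyHandler(err, requestId) {
  return { statusCode: err.statusCode || 500, body: { error: err.message, requestId } };
}

// Post-fix behaviour: HttpError messages are client-facing and pass through;
// any other error is logged server-side (keyed by requestId) and replaced by
// a generic body. err.message is echoed only when env === 'development'.
function hardenedHandler(err, requestId, { env = 'production', log = () => {} } = {}) {
  if (err instanceof HttpError) {
    return { statusCode: err.statusCode, body: { error: err.message, requestId } };
  }
  log({ level: 'error', requestId, message: err.message, stack: err.stack });
  const body = { error: 'Internal Server Error', requestId };
  if (env === 'development') body.detail = err.message;
  return { statusCode: 500, body };
}

// Constructed sample inputs: an upstream failure whose message embeds an
// endpoint and a response snippet, and an intentional client-facing error.
const upstreamErr = new Error(
  'GET http://upstream.example/graphql failed: 502 <html>bad gateway</html>'
);
const notFound = new HttpError(404, 'dashboard not found');

// How the hardened function would be wired into Fastify (sketch, not run):
// app.setErrorHandler((err, req, reply) => {
//   const { statusCode, body } = hardenedHandler(err, req.id, {
//     env: process.env.NODE_ENV, log: (e) => req.log.error(e) });
//   reply.code(statusCode).send(body);
// });
```

Run the handler over a non-HttpError in production and check that the upstream hostname appears in the log entry but not in the serialized body; only the requestId links the two.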