refactor(PLATENG-800): replace platform-sdk-fetch with integration-sdk-http-client

.github/workflows/build.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Install dependencies
         run: npm ci --include=optional
         env:
-          NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
 
       - name: Run tests
         run: npm run test:ci
@@ -59,7 +59,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: 18.x
+          node-version: 20.x
           cache: npm
           registry-url: https://registry.npmjs.org
 
@@ -83,5 +83,6 @@ jobs:
           NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
         run: |
           echo "//registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}" > .npmrc
-          npm ci
-          npm exec -c "lerna publish from-package --no-verify-access --yes"
+          npm ci --include=optional
+          npx nx run-many -t build:dist
+          npx nx release publish

.github/workflows/canary.yaml

@@ -96,6 +96,10 @@ jobs:
           node-version: '20'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Configure npm authentication
+        run: |
+          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" >> .npmrc
+
       - name: Install dependencies
         run: npm ci --include=optional
         env:
@@ -106,72 +110,109 @@ jobs:
           git config --global user.email "automation@jupiterone.com"
           git config --global user.name "Automation"
 
-      - name: Get changed packages
+      - name: Detect affected packages
         id: changed
         run: |
-          # Get list of packages changed since main (compact JSON for single-line output)
-          CHANGED=$(npx lerna changed --json 2>/dev/null | jq -c '.' || echo "[]")
-          echo "Changed packages: $CHANGED"
-
-          # Output as single line (no heredoc needed for compact JSON)
-          echo "packages=$CHANGED" >> $GITHUB_OUTPUT
+          AFFECTED=$(npx nx show projects --affected --base=origin/main --json 2>/dev/null || echo "[]")
+          echo "Affected packages: $AFFECTED"
+          echo "packages=$AFFECTED" >> $GITHUB_OUTPUT
 
-          # Check if there are any changed packages
-          if [ "$CHANGED" = "[]" ]; then
+          if [ "$AFFECTED" = "[]" ] || [ -z "$AFFECTED" ]; then
             echo "has_changes=false" >> $GITHUB_OUTPUT
           else
             echo "has_changes=true" >> $GITHUB_OUTPUT
           fi
 
-      - name: Build packages
-        if: steps.changed.outputs.has_changes == 'true'
-        run: npm run build:dist
-
-      - name: Publish canary versions
-        id: publish
+      - name: Bump canary versions
         if: steps.changed.outputs.has_changes == 'true'
         run: |
-          PRERELEASE_ID="canary-${{ github.event.issue.number }}-${{ github.run_attempt }}"
+          node <<'SCRIPT'
+          const fs = require('fs');
+          const path = require('path');
+
+          const preid = process.env.PRERELEASE_ID;
+          const packagesDir = 'packages';
+          const dirs = fs.readdirSync(packagesDir).filter(d =>
+            fs.existsSync(path.join(packagesDir, d, 'package.json'))
+          );
+
+          // Load all packages
+          const packages = new Map();
+          for (const dir of dirs) {
+            const pkgPath = path.join(packagesDir, dir, 'package.json');
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+            packages.set(pkg.name, { dir, pkg, pkgPath });
+          }
 
-          # Version bump with canary prerelease
-          npx lerna version prerelease --preid "$PRERELEASE_ID" --no-git-tag-version --no-push --yes
+          // Bump non-private packages to canary version
+          const bumped = new Map();
+          for (const [name, entry] of packages) {
+            if (entry.pkg.private) {
+              console.log(`Skipping private: ${name}`);
+              continue;
+            }
+            const canaryVersion = `${entry.pkg.version}-${preid}.0`;
+            entry.pkg.version = canaryVersion;
+            bumped.set(name, canaryVersion);
+            console.log(`${name} -> ${canaryVersion}`);
+          }
 
-          # Commit version changes locally to satisfy lerna publish
-          # These changes won't be pushed back to the PR
-          # Only stage lerna-modified files (package.json, lerna.json, package-lock.json)
-          git add lerna.json package-lock.json packages/*/package.json
-          git commit -m "chore: canary version bump [skip ci]" --no-verify
+          // Update internal cross-references
+          for (const [, entry] of packages) {
+            let changed = false;
+            for (const depType of ['dependencies', 'devDependencies', 'peerDependencies']) {
+              if (!entry.pkg[depType]) continue;
+              for (const depName of Object.keys(entry.pkg[depType])) {
+                if (bumped.has(depName)) {
+                  entry.pkg[depType][depName] = bumped.get(depName);
+                  changed = true;
+                }
+              }
+            }
+            if (changed || bumped.has(entry.pkg.name)) {
+              fs.writeFileSync(entry.pkgPath, JSON.stringify(entry.pkg, null, 2) + '\n');
+            }
+          }
+          SCRIPT
+        env:
+          PRERELEASE_ID: canary-${{ github.event.issue.number }}-${{ github.run_id }}
 
-          # Publish with canary tag
-          npx lerna publish from-package --dist-tag canary --yes 2>&1 | tee publish-output.txt
+      - name: Build packages
+        if: steps.changed.outputs.has_changes == 'true'
+        run: npx nx run-many -t build:dist
 
-          # Extract published versions
-          PUBLISHED=$(grep -E "Successfully published" publish-output.txt || echo "")
-          echo "published<<EOF" >> $GITHUB_OUTPUT
-          echo "$PUBLISHED" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
+      - name: Publish canary versions
+        id: publish
+        if: steps.changed.outputs.has_changes == 'true'
+        run: npx nx release publish --tag canary
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
-          GH_TOKEN: ${{ secrets.AUTO_GITHUB_PAT_TOKEN }}
+          NPM_CONFIG_REGISTRY: https://registry.npmjs.org
 
       - name: Comment with published versions
         if: steps.changed.outputs.has_changes == 'true'
         uses: actions/github-script@v7
         with:
           script: |
-            const packages = JSON.parse('${{ steps.changed.outputs.packages }}');
+            const fs = require('fs');
+            const path = require('path');
 
-            // Build versions list and install commands from package.json files
+            // Read all non-private package versions
             let versionsList = [];
             let installCommands = [];
 
-            for (const pkg of packages) {
-              const pkgPath = pkg.location.startsWith(process.env.GITHUB_WORKSPACE)
-                ? pkg.location
-                : `${process.env.GITHUB_WORKSPACE}/${pkg.location}`;
-              const pkgJson = require(`${pkgPath}/package.json`);
-              versionsList.push(`- \`${pkg.name}@${pkgJson.version}\``);
-              installCommands.push(`npm install ${pkg.name}@${pkgJson.version}`);
+            const packagesDir = path.join(process.env.GITHUB_WORKSPACE, 'packages');
+            const dirs = fs.readdirSync(packagesDir);
+
+            for (const dir of dirs) {
+              const pkgPath = path.join(packagesDir, dir, 'package.json');
+              if (fs.existsSync(pkgPath)) {
+                const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+                if (!pkg.private && pkg.version.includes('canary')) {
+                  versionsList.push(`- \`${pkg.name}@${pkg.version}\``);
+                  installCommands.push(`npm install ${pkg.name}@${pkg.version}`);
+                }
+              }
             }
 
             const versionsText = versionsList.join('\n');

.gitignore

@@ -16,3 +16,7 @@ yarn-error.log
 *.bak.*
 
 tsconfig.tsbuildinfo
+*.tsbuildinfo
+
+# NX
+.nx/

CHANGELOG.md

@@ -1037,7 +1037,6 @@ Skipped step "Fetch Issues". Beta feature, please contact support to enable.
 ### Changed
 
 - The following packages have been upgraded:
-
   - `@pollyjs/adapter-node-http`
   - `@pollyjs/core`
   - `@pollyjs/persister-fs`
@@ -1274,7 +1273,6 @@ RETURN account, repo, user
   ```
 
 - Updated jest matchers in the following way:
-
   - added optional `_type` argument to `.toMatchGraphObjectSchema` matcher
   - added optional `_type` and `_class` arguments to
     `.toMatchDirectRelationshipSchema` matcher

docs/integrations/development_guide.md

@@ -36,7 +36,6 @@ in this SDK project.
 You'll need:
 
 - Node.js
-
   - It's recommended to use a Node version manager. Both
     [fnm](https://github.com/Schniz/fnm) and
     [nvm](https://github.com/nvm-sh/nvm) are great choices.

docs/plans/2026-02-06-platform-sdk-public-publishing-design.md

@@ -0,0 +1,167 @@
+# Platform SDK Public Publishing Design
+
+**Date:** 2026-02-06 **Status:** Approved for implementation **Authors:** Toks
+Fawibe, Ryan McAfee (security analysis) **Context:** PLATENG-800 — PR #1188 adds
+`@jupiterone/platform-sdk-fetch` (private) as a dependency of `@jupiterone/sdk`
+(public). External consumers cannot install private transitive deps.
+
+---
+
+## Problem
+
+`@jupiterone/sdk` is public on npm. PR #1188 replaces `@lifeomic/alpha` with
+`@jupiterone/platform-sdk-fetch`, which has
+`publishConfig.access: "restricted"`. Five of its transitive `@jupiterone/*`
+dependencies are also restricted. External consumers cannot `npm install` the
+SDK after this change merges.
+
+## Decision
+
+Make 17 platform-sdk packages public with MPL-2.0 license. This was chosen over:
+
+- **Vendoring the RequestClient** (~400 lines) — Viable but creates maintenance
+  burden and divergence from upstream.
+- **Using `undici` directly** — Requires rewriting ~460 lines + tests.
+  Unnecessary complexity.
+- **Bundling with tsdown/tsup** — 8-15 days effort, fragile DTS inlining,
+  massive bundle from unused AWS SDK clients. Not recommended.
+- **Native `fetch`** — Experimental on Node 18-20 (SDK's target range). Not
+  viable until engine constraint is raised to >=21.
+
+## Security Assessment
+
+Ryan McAfee performed a full assessment of all 21 platform-sdk packages.
+Independent verification audit confirmed his findings across 107+ source files.
+
+### Classification
+
+| Tier                     | Count | Packages                                                                                                                                                                      |
+| ------------------------ | ----- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Safe to publish          | 14    | config-reader, errors, fetch, graphql, koa, logging, message-codec, service, service-plugin-errors, service-plugin-health, service-types, sqs-consumer, test-tools, framework |
+| Safe after minor cleanup | 3     | aws, headers, iam                                                                                                                                                             |
+| Keep restricted          | 2     | elasticsearch, observability                                                                                                                                                  |
+| Keep private             | 2     | benchmark, examples                                                                                                                                                           |
+
+### Findings Summary
+
+- Zero HIGH or CRITICAL issues across all 17 packages
+- All hardcoded credentials found are verified LocalStack mocks (`test`/`test`)
+- All URLs in source/tests are generic placeholders (`example.com`, `localhost`)
+- Common LOW finding: `development@jupiterone.com` team email in `package.json`
+  author fields (standard npm convention)
+- Common INFORMATIONAL: GitHub usernames and Jira ticket prefixes in CHANGELOGs
+
+## Implementation Plan
+
+### Execution Order
+
+Packages must be published bottom-up (dependencies before dependents):
+
+```
+Layer 1 (no @jupiterone deps):
+  config-reader, errors, service-types, test-tools, headers*, iam*
+
+Layer 1.5:
+  aws* (depends on config-reader)
+
+Layer 2 (depends on Layer 1):
+  logging (-> errors)
+
+Layer 3 (depends on Layer 2):
+  fetch (-> logging, errors, aws)
+  message-codec (-> logging, errors)
+  koa (-> logging, errors)
+  graphql (-> errors)
+  service-plugin-errors (-> errors)
+  service-plugin-health (-> errors)
+  sqs-consumer (-> logging)
+  service (-> logging, errors)
+
+Layer 4 (depends on Layer 3):
+  framework (-> config-reader, errors, iam, logging)
+
+* = caution packages requiring minor code fixes
+```
+
+Since platform-sdk uses NX with independent versioning in a single monorepo, all
+changes go in one PR and publish together.
+
+### Changes
+
+**All 17 packages** — `package.json`:
+
+```diff
+- "license": "UNLICENSED",
++ "license": "MPL-2.0",
+
+  "publishConfig": {
+-   "access": "restricted"
++   "access": "public"
+  }
+```
+
+**`platform-sdk-aws`** — `src/config.ts:44`:
+
+```diff
+- (awsProfile === 'jupiterone-dev' ? 'us-east-1' : undefined)
++ (process.env.AWS_DEFAULT_REGION || undefined)
+```
+
+**`platform-sdk-headers`** — `src/index.ts:120-121`:
+
+```diff
+- // The JupiterOne-Forwards-acirciapo header is set by our CF distribution and gateways
+- // based on how many additional forwards there are between the CF distribution and the lambda:
++ // The JupiterOne-Forwards-acirciapo header is set by the CDN distribution and gateways
++ // based on how many additional forwards there are between the CDN distribution and the handler:
+```
+
+**`platform-sdk-iam`** — No code change. The `lifeomic-*` header names are a
+runtime contract across all consumers. Renaming would be a breaking change. Not
+a security vulnerability.
+
+**Root** — Add `LICENSE` file with MPL-2.0 text. Update root `package.json`
+license to `MPL-2.0`.
+
+### PR Strategy
+
+Single PR to `platform-sdk` repo:
+
+- Title: `chore: publish 17 packages as public with MPL-2.0 license`
+- 17 `package.json` updates
+- 2 code fixes (aws, headers)
+- Root LICENSE file + root package.json license field
+
+### Validation
+
+**Before merge:**
+
+1. CI passes (all existing tests)
+2. Verify `platform-sdk-aws` config change doesn't break tests
+3. `npm pack` dry-run on a few packages to inspect tarball contents
+
+**After platform-sdk publishes:** 4. Verify public access from unauthenticated
+environment:
+
+```
+npm view @jupiterone/platform-sdk-fetch
+npm view @jupiterone/platform-sdk-errors
+npm view @jupiterone/platform-sdk-logging
+```
+
+5. Trigger new SDK canary on PR #1188, deploy to dev, check NR logs
+6. External consumer simulation:
+   `npm install @jupiterone/integration-sdk-runtime@canary` in a clean directory
+   without `.npmrc` auth
+
+### Rollback
+
+npm allows deprecating or unpublishing within 72 hours. Security audit confirmed
+no sensitive data, so rollback is unlikely to be needed.
+
+### Timeline
+
+1. Create platform-sdk PR — ~1 hour
+2. Review & merge — same day
+3. Publish completes — automated via CI
+4. Validate SDK canary — ~30 minutes