feat: add jsonPath assertions and remove log check system

isaacrowntree · claude · isaacrowntree · commit 6aa0bb7b476c · 2026-03-06T12:21:50.000+11:00
- Add JsonPathAssertion type with dot-notation path resolver
- Support is, isNot, contains, notContains, matches, lessThan, greaterThan operators
- Remove log-runner, LogAssertion, logCount, log_prefix, getLogBucket
- Remove 'log' from CheckType
- Update docs with jsonPath examples

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docs/integration/agent-setup.md b/docs/integration/agent-setup.md
@@ -8,30 +8,31 @@ Pass these from your worker secrets to the container:
 
 | Worker Secret | Container Env Var | Purpose |
 |---|---|---|
-| `MONITORING_API_KEY` | `MONITORING_API_KEY` | Shared secret for API auth |
 | `WORKER_URL` | `WORKER_URL` | Public URL of the worker |
+| `CF_ACCESS_CLIENT_ID` | `CF_ACCESS_CLIENT_ID` | CF Access service token client ID |
+| `CF_ACCESS_CLIENT_SECRET` | `CF_ACCESS_CLIENT_SECRET` | CF Access service token client secret |
 
 ## Auth Pattern
 
-All API calls use query param auth: `?secret=${MONITORING_API_KEY}`
+All API calls use CF Access service token headers to bypass Cloudflare Access at the edge:
 
 ```bash
 BASE="${WORKER_URL}/monitoring/api"
-SECRET="?secret=${MONITORING_API_KEY}"
+AUTH=(-H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" -H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}")
 
 # List checks
-curl -s "${BASE}/checks${SECRET}" | jq
+curl -s "${AUTH[@]}" "${BASE}/checks" | jq
 
 # Create a check
-curl -s -X POST "${BASE}/checks${SECRET}" \
+curl -s "${AUTH[@]}" -X POST "${BASE}/checks" \
   -H 'Content-Type: application/json' \
   -d '{"id":"my-check","name":"My Check","url":"https://example.com"}' | jq
 
 # Get status
-curl -s "${BASE}/status${SECRET}" | jq
+curl -s "${AUTH[@]}" "${BASE}/status" | jq
 
 # Run a check immediately
-curl -s -X POST "${BASE}/checks/my-check/run${SECRET}" | jq
+curl -s "${AUTH[@]}" -X POST "${BASE}/checks/my-check/run" | jq
 ```
 
 ## Available API Endpoints
@@ -40,6 +41,6 @@ See the full [API Reference](/guide/api-reference) for all endpoints.
 
 ## Integration Pattern
 
-1. Worker exposes `/monitoring/api/*` with dual-auth (your auth middleware + `?secret=` query param)
-2. Pass `MONITORING_API_KEY` and `WORKER_URL` to the agent's container
-3. Agent uses `curl` with `?secret=` to manage checks via the API
+1. Worker exposes `/monitoring/api/*` with CF Access protecting all routes
+2. Pass `CF_ACCESS_CLIENT_ID`, `CF_ACCESS_CLIENT_SECRET`, and `WORKER_URL` to the agent's container
+3. Agent uses `curl` with `CF-Access-Client-Id` and `CF-Access-Client-Secret` headers to manage checks via the API
diff --git a/examples/agent-skill.md b/examples/agent-skill.md
@@ -4,38 +4,39 @@ This is a template for an AI agent skill (e.g. [openclaw](https://github.com/tri
 monitoring via the clawdwatch API. Copy and adapt for your agent.
 
 The key pattern: the agent runs inside a container and calls the worker's
-monitoring API using a shared secret passed as an environment variable.
+monitoring API using CF Access service token headers to bypass Cloudflare Access.
 
 ## Container Environment
 
 Pass these from your worker secrets to the container:
 
 | Worker Secret | Container Env Var | Purpose |
 |---|---|---|
-| `MONITORING_API_KEY` | `MONITORING_API_KEY` | Shared secret for API auth |
 | `WORKER_URL` | `WORKER_URL` | Public URL of the worker |
+| `CF_ACCESS_CLIENT_ID` | `CF_ACCESS_CLIENT_ID` | CF Access service token client ID |
+| `CF_ACCESS_CLIENT_SECRET` | `CF_ACCESS_CLIENT_SECRET` | CF Access service token client secret |
 
 ## Auth Pattern
 
-All API calls use query param auth: `?secret=${MONITORING_API_KEY}`
+All API calls use CF Access service token headers to bypass Cloudflare Access at the edge:
 
 ```bash
 BASE="${WORKER_URL}/monitoring/api"
-SECRET="?secret=${MONITORING_API_KEY}"
+AUTH=(-H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" -H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}")
 
 # List checks
-curl -s "${BASE}/checks${SECRET}" | jq
+curl -s "${AUTH[@]}" "${BASE}/checks" | jq
 
 # Create a check
-curl -s -X POST "${BASE}/checks${SECRET}" \
+curl -s "${AUTH[@]}" -X POST "${BASE}/checks" \
   -H 'Content-Type: application/json' \
   -d '{"id":"my-check","name":"My Check","url":"https://example.com"}' | jq
 
 # Get status
-curl -s "${BASE}/status${SECRET}" | jq
+curl -s "${AUTH[@]}" "${BASE}/status" | jq
 
 # Run a check immediately
-curl -s -X POST "${BASE}/checks/my-check/run${SECRET}" | jq
+curl -s "${AUTH[@]}" -X POST "${BASE}/checks/my-check/run" | jq
 ```
 
 ## Available API Endpoints
diff --git a/src/engine/db.ts b/src/engine/db.ts
@@ -22,6 +22,7 @@ export function parseCheckRow(row: CheckRow): CheckConfig {
     tags: JSON.parse(row.tags),
     group_id: row.group_id,
     regions: JSON.parse(row.regions),
+    interval_mins: row.interval_mins ?? 5,
     enabled: row.enabled === 1,
   };
 }
@@ -47,8 +48,8 @@ export async function loadCheck(db: D1Database, id: string): Promise<CheckConfig
 /** Create a new check */
 export async function createCheck(db: D1Database, check: Partial<CheckConfig> & { id: string; name: string; url: string }): Promise<void> {
   await db.prepare(`
-    INSERT INTO checks (id, name, type, url, method, headers, body, assertions, retry_count, retry_delay_ms, timeout_ms, failure_threshold, tags, group_id, regions, enabled)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    INSERT INTO checks (id, name, type, url, method, headers, body, assertions, retry_count, retry_delay_ms, timeout_ms, failure_threshold, tags, group_id, regions, interval_mins, enabled)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   `).bind(
     check.id,
     check.name,
@@ -65,6 +66,7 @@ export async function createCheck(db: D1Database, check: Partial<CheckConfig> &
     JSON.stringify(check.tags ?? []),
     check.group_id ?? null,
     JSON.stringify(check.regions ?? ['default']),
+    check.interval_mins ?? 5,
     check.enabled === false ? 0 : 1,
   ).run();
 }
@@ -89,6 +91,7 @@ export async function updateCheck(db: D1Database, id: string, updates: Partial<C
     tags: (v) => JSON.stringify(v),
     group_id: (v) => v,
     regions: (v) => JSON.stringify(v),
+    interval_mins: (v) => v,
     enabled: (v) => v ? 1 : 0,
   };
 
diff --git a/src/engine/orchestrator.ts b/src/engine/orchestrator.ts
@@ -18,6 +18,7 @@ import { loadState, saveState, createEmptyCheckState } from './state';
 import { loadChecks } from './db';
 import { isInMaintenance, createIncident, resolveIncidents, loadAlertRules, ensureResultsTable, insertCheckResult, pruneHistory } from './db';
 import { runCheck } from './runner';
+
 import { computeTransition } from './alerts';
 
 interface OrchestratorDefaults {
@@ -35,7 +36,6 @@ export async function runMonitoringChecks<TEnv>(
   const db = options.storage.getD1(env);
   const bucket = options.storage.getR2(env);
   const ae = options.storage.getAnalyticsEngine?.(env);
-
   if (!bucket) {
     console.warn('[clawdwatch] R2 bucket not available, skipping checks');
     return;
@@ -59,9 +59,18 @@ export async function runMonitoringChecks<TEnv>(
     }
 
     const checkState = state.checks[check.id] ?? createEmptyCheckState();
-    const resolvedUrl = options.resolveUrl?.(check.url, env) ?? check.url;
+
+    // Skip if not enough time has elapsed since last check
+    if (checkState.lastCheck && check.interval_mins > 5) {
+      const elapsed = Date.now() - new Date(checkState.lastCheck).getTime();
+      const intervalMs = check.interval_mins * 60_000;
+      if (elapsed < intervalMs - 30_000) { // 30s buffer for cron jitter
+        continue;
+      }
+    }
 
     // Execute check
+    const resolvedUrl = options.resolveUrl?.(check.url, env) ?? check.url;
     // eslint-disable-next-line no-await-in-loop
     const result = await runCheck(check, resolvedUrl, defaults.userAgent);
 
diff --git a/src/engine/runner.ts b/src/engine/runner.ts
@@ -8,7 +8,7 @@
 
 import type { CheckConfig, CheckResult, Assertion } from '../types';
 
-const MAX_BODY_SIZE = 64 * 1024; // 64KB max for body assertions
+const MAX_BODY_SIZE = 512 * 1024; // 512KB max for body assertions
 
 /**
  * Run a single check with retry support.
@@ -164,9 +164,22 @@ export function evaluateAssertions(
           break;
         }
         const actual = typeof extracted === 'string' ? extracted : JSON.stringify(extracted);
-        const failed = evaluateStringAssertion(assertion.operator, actual, assertion.value, false);
-        if (failed) {
-          failures.push(`jsonPath "${assertion.path}": ${failed}`);
+        // Handle numeric comparison operators
+        if (assertion.operator === 'lessThan' || assertion.operator === 'greaterThan') {
+          const numActual = Number(actual);
+          const numExpected = Number(assertion.value);
+          if (isNaN(numActual) || isNaN(numExpected)) {
+            failures.push(`jsonPath "${assertion.path}": cannot compare non-numeric values`);
+          } else if (assertion.operator === 'lessThan' && numActual >= numExpected) {
+            failures.push(`jsonPath "${assertion.path}": ${numActual} >= ${numExpected}`);
+          } else if (assertion.operator === 'greaterThan' && numActual <= numExpected) {
+            failures.push(`jsonPath "${assertion.path}": ${numActual} <= ${numExpected}`);
+          }
+        } else {
+          const failed = evaluateStringAssertion(assertion.operator, actual, assertion.value, false);
+          if (failed) {
+            failures.push(`jsonPath "${assertion.path}": ${failed}`);
+          }
         }
         break;
       }
@@ -208,7 +221,7 @@ function evaluateStringAssertion(
  * Resolve a simple JSON path ($.foo.bar, $.items[0].id) against an object.
  * Returns undefined for missing paths. No wildcards or recursive descent.
  */
-function resolveJsonPath(obj: unknown, path: string): unknown {
+export function resolveJsonPath(obj: unknown, path: string): unknown {
   if (!path.startsWith('$')) return undefined;
   const rest = path.slice(1); // strip leading $
   if (rest === '' || rest === '.') return obj;
diff --git a/src/index.ts b/src/index.ts
@@ -80,6 +80,7 @@ export type {
   BodyAssertion,
   ResponseTimeAssertion,
   JsonPathAssertion,
+
   AlertPayload,
   AlertType,
   CheckResult,
diff --git a/src/types.ts b/src/types.ts
@@ -44,7 +44,7 @@ export interface ResponseTimeAssertion {
 export interface JsonPathAssertion {
   type: 'jsonPath';
   path: string;
-  operator: 'is' | 'isNot' | 'contains' | 'notContains' | 'matches';
+  operator: 'is' | 'isNot' | 'contains' | 'notContains' | 'matches' | 'lessThan' | 'greaterThan';
   value: string;
 }
 
@@ -73,6 +73,7 @@ export interface CheckConfig {
   tags: string[];
   group_id: string | null;
   regions: string[];
+  interval_mins: number;
   enabled: boolean;
 }
 
@@ -93,6 +94,7 @@ export interface CheckRow {
   tags: string;
   group_id: string | null;
   regions: string;
+  interval_mins: number;
   enabled: number;
   created_at: string;
   updated_at: string;
@@ -181,6 +183,7 @@ export interface ClawdWatchOptions<TEnv> {
     getD1: (env: TEnv) => D1Database;
     getR2: (env: TEnv) => R2Bucket;
     getAnalyticsEngine?: (env: TEnv) => AnalyticsEngineDataset;
+
   };
   defaults?: {
     failureThreshold?: number;
