[APPS][Connections Part 6] Discover action calls in reachable modules

[sdkennedy2]

Motivation

Backend connection ID extraction previously only scanned the .backend.* entry module. That missed action-catalog calls hidden in local helper modules imported by a backend function, so the generated app manifest could omit required connection allowlists.

This PR now sits on top of build-plugins#357, which contains the behavior-neutral getVitePlugin ownership refactor. This diff is intended to focus on reachable module graph call-site discovery.

Changes

Adds an entry-scoped reachable local module graph pass for backend connection ID extraction. The transform hook now runs connection ID extraction asynchronously and passes a narrow graph context over Vite/Rollup resolution, loading, watch-file registration, and a TypeScript/JSX transform fallback.

The graph pass loads each local module reachable from the backend entry through static imports, named re-exports, and export *, then reuses the existing action-catalog call-site and same-module value resolver for each parsed module. This keeps the current value boundary intact: inline strings, same-module constants, and same-module object reads in reachable helpers work, while imported connection ID values still fail closed for the next PR.

Unsupported local graph shapes continue to fail closed when they could hide action-catalog calls, including unresolved local imports, local require, and local dynamic imports. Package imports, type-only imports/re-exports, virtual/generated files, and files outside the app root are skipped.

QA Instructions

Added tests.

Manual test app from the earlier combined branch:

• Linked /Users/scott.kennedy/dd/test-action-catalog-app to this local @datadog/vite-plugin.
• Verified dry production builds collect connection IDs from reachable helper modules with inline, same-module const, same-module object member, and export * re-export action calls.
• Verified a reachable helper using an imported CONNECTIONS.HTTP value fails closed with imported connectionId object binding CONNECTIONS.
• Verified staging upload with: NODE_TLS_REJECT_UNAUTHORIZED=0 DD_APPS_UPLOAD_ASSETS=1 dd-auth --domain="dd.datad0g.com" --actions-api -- npm run build
• Verified dev-server execution through /__dd/executeAction returned {"success":true,"result":{"data":{"ok":true}}} for moduleGraphHttpProbe.

Staging app: https://app.datad0g.com/app-builder/apps/0e17a356-3929-4bf0-8ae9-e67955c6dc55
Uploaded version: 00741f10cdd6718d

Blast Radius

Affects the @dd/apps-plugin backend transform path for .backend.ts / .backend.js files. The change is limited to connection ID manifest analysis and dev/build watch dependencies; backend proxy generation and runtime execution contracts are unchanged.

Risk is primarily false positive fail-closed behavior for unsupported local graph patterns. Dynamic local imports, local require, and unresolved local static imports now intentionally fail when they could hide action-catalog calls.

Documentation

• How to reliably make frontend production changes
• PR Description Guidelines
• Deploy steps

[sdkennedy2]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• [APPS][Connections Part 6] Discover action calls in reachable modules #353 👈 (View in Graphite)
• [APPS][Connections Part 5] Move apps Vite behavior into getVitePlugin #357
• [APPS][Connections Part 4] Resolve same-module connection ID object values #354
• [APPS][Connections Part 3] Resolve same-module connection ID constants #351
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[sdkennedy2]

@codex review
@cursor review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e118c97bcd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Resolve aliased local imports before skipping dependencies

For backend files that import local helpers through a Vite/TS path alias such as @/backend/helpers/http, this guard treats the bare specifier as a package and skips it before calling context.resolve. Vite supports aliases for import/require specifiers (https://vite.dev/config/shared-options/#resolve-alias), so an aliased helper can resolve back under buildRoot; skipping it means any action-catalog calls in that helper are never scanned and the generated manifest silently omits their allowedConnectionIds.

Useful? React with 👍 / 👎.