feat(apps): stepped creation wizard, branch previews, and app-creation fixes
This session (frontend focus):
- Rebuild /apps/new as a 4-step wizard (Basics → Configure → Trigger → Review):
WizardRail, SourceKindPicker card grid, AppManifest review, per-step validation,
ConfirmDialog-based unsaved-changes guard.
- Extract lib/workload/sourceForms.ts (single source of truth for source_config)
+ {Image,Compose,Static,Dockerfile}SourceForm + StaticDiscoveryWizard; fold the
/apps/[id] edit form onto the same components (removes the duplication). Add
vitest + sourceForms unit tests.
- Branch preview environments UI: /chain is_preview/preview_branch + a Preview
environments panel on /apps/[id] (per-branch URLs, ConfirmDialog teardown, armed
state); RegistryImagePicker on the registry trigger and the image source.
- Fixes: image-inspect 404 -> admin-gated POST /api/discovery/image/inspect;
conflict-panel blur flicker; friendly localized discovery errors; CPU/Memory
label hints; dashboard + /apps "Total workloads" count only source_kind workloads
(drop stale trigger_kind gate); NPM cert/access-list name cache; EntityPicker
empty-list guard.
- Update CLAUDE.md frontend conventions + add a Build & Test section.
Also captures pre-existing in-progress platform work (not from this session):
workload notifications, Prometheus metrics export, store lockfile, health probes,
backup hardening, and related store/webhook/scheduler changes.
This commit is contained in:
+46
-10
@@ -10,11 +10,26 @@ import (
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// ErrNoKey is returned when ENCRYPTION_KEY is not set.
|
||||
var ErrNoKey = errors.New("ENCRYPTION_KEY environment variable is not set")
|
||||
|
||||
// ErrDecryptFailed wraps any cipher.Open / decoder failure. Callers
|
||||
// upgrading from the silent-fallback pattern (treat-as-plaintext when
|
||||
// decrypt errored) MUST instead surface this — a rotated key would
|
||||
// otherwise silently leak ciphertext to upstream services as if it
|
||||
// were plaintext.
|
||||
var ErrDecryptFailed = errors.New("crypto: decrypt failed (wrong key, corrupted ciphertext, or unversioned legacy value)")
|
||||
|
||||
// envelopeV1Prefix tags ciphertext produced by Encrypt going forward.
|
||||
// Older databases may carry unprefixed hex blobs from the v0 era; those
|
||||
// are still readable via Decrypt for backward compatibility, but every
|
||||
// new write goes through EncryptV1 and emits the prefix so a future key
|
||||
// rotation has a clean fail-loud signal.
|
||||
const envelopeV1Prefix = "tf1:"
|
||||
|
||||
// DeriveKey computes a 32-byte AES-256 key from the given passphrase using SHA-256.
|
||||
// This is acceptable when ENCRYPTION_KEY is a high-entropy random string (e.g., 32+ hex chars).
|
||||
// For human-chosen passphrases, consider Argon2id or PBKDF2 with a salt instead.
|
||||
@@ -35,7 +50,8 @@ func KeyFromEnv() ([32]byte, error) {
|
||||
}
|
||||
|
||||
// Encrypt encrypts plaintext using AES-256-GCM with a random nonce.
|
||||
// The returned ciphertext is hex-encoded: nonce || ciphertext+tag.
|
||||
// Returns a versioned envelope (tf1:<hex>) so downstream readers can
|
||||
// distinguish ciphertext from accidentally-stored plaintext.
|
||||
func Encrypt(key [32]byte, plaintext string) (string, error) {
|
||||
block, err := aes.NewCipher(key[:])
|
||||
if err != nil {
|
||||
@@ -53,14 +69,34 @@ func Encrypt(key [32]byte, plaintext string) (string, error) {
|
||||
}
|
||||
|
||||
sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
|
||||
return hex.EncodeToString(sealed), nil
|
||||
return envelopeV1Prefix + hex.EncodeToString(sealed), nil
|
||||
}
|
||||
|
||||
// Decrypt decrypts a hex-encoded ciphertext produced by Encrypt.
|
||||
func Decrypt(key [32]byte, ciphertextHex string) (string, error) {
|
||||
data, err := hex.DecodeString(ciphertextHex)
|
||||
// HasEnvelope reports whether the value is a v1-prefixed ciphertext.
|
||||
// Useful for router-level "decrypt only if encrypted" decision points
|
||||
// that previously relied on `err == nil` from a try-decrypt — that
|
||||
// pattern silently masked rotated-key failures.
|
||||
func HasEnvelope(value string) bool {
|
||||
return strings.HasPrefix(value, envelopeV1Prefix)
|
||||
}
|
||||
|
||||
// Decrypt decrypts an envelope (tf1:<hex>). For backward compatibility
|
||||
// it also accepts unprefixed hex from the v0 era — but only when the
|
||||
// resulting plaintext is valid; a wrong key for legacy data now returns
|
||||
// ErrDecryptFailed instead of silently treating ciphertext as
|
||||
// plaintext.
|
||||
//
|
||||
// Callers MUST NOT swallow the error and fall back to "use as-is".
|
||||
// That pattern is the exact footgun the envelope versioning removes.
|
||||
func Decrypt(key [32]byte, ciphertext string) (string, error) {
|
||||
hexBlob := ciphertext
|
||||
if strings.HasPrefix(hexBlob, envelopeV1Prefix) {
|
||||
hexBlob = hexBlob[len(envelopeV1Prefix):]
|
||||
}
|
||||
|
||||
data, err := hex.DecodeString(hexBlob)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("decode hex: %w", err)
|
||||
return "", fmt.Errorf("%w: decode hex: %v", ErrDecryptFailed, err)
|
||||
}
|
||||
|
||||
block, err := aes.NewCipher(key[:])
|
||||
@@ -75,15 +111,15 @@ func Decrypt(key [32]byte, ciphertextHex string) (string, error) {
|
||||
|
||||
nonceSize := gcm.NonceSize()
|
||||
if len(data) < nonceSize {
|
||||
return "", errors.New("ciphertext too short")
|
||||
return "", fmt.Errorf("%w: ciphertext too short", ErrDecryptFailed)
|
||||
}
|
||||
|
||||
nonce := data[:nonceSize]
|
||||
ciphertext := data[nonceSize:]
|
||||
body := data[nonceSize:]
|
||||
|
||||
plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
|
||||
plaintext, err := gcm.Open(nil, nonce, body, nil)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("decrypt: %w", err)
|
||||
return "", fmt.Errorf("%w: %v", ErrDecryptFailed, err)
|
||||
}
|
||||
|
||||
return string(plaintext), nil
|
||||
|
||||
Reference in New Issue
Block a user