refactor(workload): finalize containers index + post-review hardening

Wraps up the workload refactor with the fixes that came out of the multi-agent code review (see docs/plans/workload-refactor.md "What actually shipped"). Backend: - store.ReconcileContainer: separate write path so the 30s reconciler tick no longer overwrites deployer-owned fields (subdomain, proxy_route_id, npm_proxy_id, image_tag). - Container.stage_id column + index; ListProxyRoutes / ListContainersByStageID join via stage_id (survives stage rename), with legacy fallback to (project_id, role=stage_name). - Reconciler: workload-existence check (rejects forged tinyforge.workload.id labels), skips inventing project-kind rows, child-context cancel before wg.Wait() on shutdown. - Transactional CRUD across projects / stacks / static_sites: parent UPDATE and workload sync land in one transaction so secret rotations are durable. - Webhook routing reads exclusively through workloads.webhook_secret; legacy GetProjectByWebhookSecret / GetStaticSiteByWebhookSecret fallback removed. - store.GetStackByComposeProjectName + indexed lookup (no more full-table stack scan per compose container per tick). - store.ListMissingSweepRows: filtered query for the missing-sweep. - /api/instances/* handlers verify (workload_id, role) match URL (project_id, stage_name) before mutating — closes the cross-project hijack the security review flagged. - extra_json no longer referenced from Go (column kept on disk for now). Frontend: - WorkloadContainers.svelte: generic detail-page panel reusable by stack and site detail pages. - Containers page polish: client-side kind/state filters over an unfiltered fetch, URL-synced filters, race-safe loads via sequence number, EN+RU i18n, sidebar counter via navCounts.containers. Misc: - scripts/dev-server.sh: tolerate empty netstat grep result. - .gitignore: ignore docker-watcher binaries, .claude/worktrees/, .facts-sync.json.
2026-05-09 15:44:41 +03:00
parent d8ab22876f
commit cba2149aa9
30 changed files with 1227 additions and 509 deletions
@@ -54,7 +54,8 @@ func scanProject(r rowScanner) (Project, error) {
 }

 // CreateProject inserts a new project and returns it. A webhook secret is
-// generated automatically if one is not already set on the input.
+// generated automatically if one is not already set on the input. Project
+// row + matching workload row are written in a single transaction.
 func (s *Store) CreateProject(p Project) (Project, error) {
 	p.ID = uuid.New().String()
 	p.CreatedAt = Now()
@@ -69,18 +70,27 @@ func (s *Store) CreateProject(p Project) (Project, error) {
 	if p.WebhookRequireSignature {
 		requireSig = 1
 	}
-	_, err := s.db.Exec(
+
+	tx, err := s.db.Begin()
+	if err != nil {
+		return Project{}, fmt.Errorf("begin: %w", err)
+	}
+	defer tx.Rollback()
+
+	if _, err := tx.Exec(
 		`INSERT INTO projects (`+projectCols+`)
 		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
 		p.ID, p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes,
 		p.NpmAccessListID, p.WebhookSecret, p.WebhookSigningSecret, requireSig,
 		p.NotificationURL, p.NotificationSecret, p.CreatedAt, p.UpdatedAt,
-	)
-	if err != nil {
+	); err != nil {
 		return Project{}, fmt.Errorf("insert project: %w", err)
 	}
-	if err := s.SyncProjectWorkload(p); err != nil {
-		return Project{}, fmt.Errorf("sync project workload: %w", err)
+	if err := SyncProjectWorkloadTx(tx, p); err != nil {
+		return Project{}, err
+	}
+	if err := tx.Commit(); err != nil {
+		return Project{}, fmt.Errorf("commit: %w", err)
 	}
 	return p, nil
 }
@@ -157,78 +167,74 @@ func (s *Store) GetProjectsByImage(image string) ([]Project, error) {
 	return projects, rows.Err()
 }

+// updateProjectAndSyncWorkloadTx performs the parent UPDATE + workload sync in
+// a single transaction. Used by every Set*Secret / UpdateProject path so the
+// project row and the workload row never desync after a partial failure.
+// updateSQL must be a parameterized UPDATE on `projects` ending with `WHERE id=?`;
+// args are the parameter values in order, with the project ID last.
+func (s *Store) updateProjectAndSyncWorkloadTx(id string, updateSQL string, args ...any) error {
+	tx, err := s.db.Begin()
+	if err != nil {
+		return fmt.Errorf("begin: %w", err)
+	}
+	defer tx.Rollback()
+
+	result, err := tx.Exec(updateSQL, args...)
+	if err != nil {
+		return fmt.Errorf("update project: %w", err)
+	}
+	n, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("rows affected: %w", err)
+	}
+	if n == 0 {
+		return fmt.Errorf("project %s: %w", id, ErrNotFound)
+	}
+
+	// Re-read the row inside the transaction so the workload sync sees the
+	// canonical values (the caller may have only updated one column).
+	row := tx.QueryRow(`SELECT `+projectCols+` FROM projects WHERE id = ?`, id)
+	p, err := scanProject(row)
+	if err != nil {
+		return fmt.Errorf("reread project for workload sync: %w", err)
+	}
+	if err := SyncProjectWorkloadTx(tx, p); err != nil {
+		return err
+	}
+	return tx.Commit()
+}
+
 // UpdateProject updates an existing project's mutable fields. Webhook secret
 // and notification_secret are intentionally not updated here — use the
 // dedicated SetProjectWebhookSecret / SetProjectNotificationSecret helpers.
 func (s *Store) UpdateProject(p Project) error {
 	p.UpdatedAt = Now()
-	result, err := s.db.Exec(
+	return s.updateProjectAndSyncWorkloadTx(p.ID,
 		`UPDATE projects SET name=?, registry=?, image=?, port=?, healthcheck=?, env=?, volumes=?,
 		   npm_access_list_id=?, notification_url=?, updated_at=?
 		 WHERE id=?`,
 		p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes,
 		p.NpmAccessListID, p.NotificationURL, p.UpdatedAt, p.ID,
 	)
-	if err != nil {
-		return fmt.Errorf("update project: %w", err)
-	}
-	n, _ := result.RowsAffected()
-	if n == 0 {
-		return fmt.Errorf("project %s: %w", p.ID, ErrNotFound)
-	}
-	// Re-read so the workload sync sees the canonical row (e.g. webhook
-	// secrets that UpdateProject does not write but other call sites do).
-	current, err := s.GetProjectByID(p.ID)
-	if err != nil {
-		return fmt.Errorf("reread project for workload sync: %w", err)
-	}
-	if err := s.SyncProjectWorkload(current); err != nil {
-		return fmt.Errorf("sync project workload: %w", err)
-	}
-	return nil
 }

 // SetProjectWebhookSecret assigns a webhook secret to a project.
 // Pass an empty string to disable webhook access for the project.
 func (s *Store) SetProjectWebhookSecret(id, secret string) error {
-	result, err := s.db.Exec(
+	return s.updateProjectAndSyncWorkloadTx(id,
 		`UPDATE projects SET webhook_secret=?, updated_at=? WHERE id=?`,
 		secret, Now(), id,
 	)
-	if err != nil {
-		return fmt.Errorf("set project webhook secret: %w", err)
-	}
-	n, _ := result.RowsAffected()
-	if n == 0 {
-		return fmt.Errorf("project %s: %w", id, ErrNotFound)
-	}
-	current, err := s.GetProjectByID(id)
-	if err != nil {
-		return fmt.Errorf("reread project for workload sync: %w", err)
-	}
-	return s.SyncProjectWorkload(current)
 }

 // SetProjectWebhookSigningSecret assigns the HMAC signing secret used to
 // verify inbound webhook payloads. Pass an empty string to clear it (which
 // also implicitly disables signature enforcement on the next request).
 func (s *Store) SetProjectWebhookSigningSecret(id, secret string) error {
-	result, err := s.db.Exec(
+	return s.updateProjectAndSyncWorkloadTx(id,
 		`UPDATE projects SET webhook_signing_secret=?, updated_at=? WHERE id=?`,
 		secret, Now(), id,
 	)
-	if err != nil {
-		return fmt.Errorf("set project webhook signing secret: %w", err)
-	}
-	n, _ := result.RowsAffected()
-	if n == 0 {
-		return fmt.Errorf("project %s: %w", id, ErrNotFound)
-	}
-	current, err := s.GetProjectByID(id)
-	if err != nil {
-		return fmt.Errorf("reread project for workload sync: %w", err)
-	}
-	return s.SyncProjectWorkload(current)
 }

 // SetProjectWebhookRequireSignature toggles whether unsigned (or
@@ -238,22 +244,10 @@ func (s *Store) SetProjectWebhookRequireSignature(id string, require bool) error
 	if require {
 		v = 1
 	}
-	result, err := s.db.Exec(
+	return s.updateProjectAndSyncWorkloadTx(id,
 		`UPDATE projects SET webhook_require_signature=?, updated_at=? WHERE id=?`,
 		v, Now(), id,
 	)
-	if err != nil {
-		return fmt.Errorf("set project webhook require_signature: %w", err)
-	}
-	n, _ := result.RowsAffected()
-	if n == 0 {
-		return fmt.Errorf("project %s: %w", id, ErrNotFound)
-	}
-	current, err := s.GetProjectByID(id)
-	if err != nil {
-		return fmt.Errorf("reread project for workload sync: %w", err)
-	}
-	return s.SyncProjectWorkload(current)
 }

 // EnsureProjectWebhookSecret returns the current webhook secret for a project,
@@ -278,22 +272,10 @@ func (s *Store) EnsureProjectWebhookSecret(id string) (string, error) {
 // secret. Empty string disables HMAC signing for this project (notifications
 // still send unsigned, falling through to the parent tier's secret if any).
 func (s *Store) SetProjectNotificationSecret(id, secret string) error {
-	result, err := s.db.Exec(
+	return s.updateProjectAndSyncWorkloadTx(id,
 		`UPDATE projects SET notification_secret=?, updated_at=? WHERE id=?`,
 		secret, Now(), id,
 	)
-	if err != nil {
-		return fmt.Errorf("set project notification secret: %w", err)
-	}
-	n, _ := result.RowsAffected()
-	if n == 0 {
-		return fmt.Errorf("project %s: %w", id, ErrNotFound)
-	}
-	current, err := s.GetProjectByID(id)
-	if err != nil {
-		return fmt.Errorf("reread project for workload sync: %w", err)
-	}
-	return s.SyncProjectWorkload(current)
 }

 // EnsureProjectNotificationSecret returns the current outgoing-webhook signing
@@ -316,23 +298,45 @@ func (s *Store) EnsureProjectNotificationSecret(id string) (string, error) {

 // DeleteProject removes a project by ID. Cascading deletes handle stages, instances, and deploys.
 // Workload row + container index entries are removed too so the global views
-// don't show ghost rows after a project is gone.
+// don't show ghost rows after a project is gone. Atomic: the project, its
+// container index entries, and its workload row all live or die together.
 func (s *Store) DeleteProject(id string) error {
-	result, err := s.db.Exec(`DELETE FROM projects WHERE id = ?`, id)
+	tx, err := s.db.Begin()
+	if err != nil {
+		return fmt.Errorf("begin: %w", err)
+	}
+	defer tx.Rollback()
+
+	// Resolve the workload before deleting the project so we have the
+	// workload ID for the cascade.
+	var workloadID string
+	if err := tx.QueryRow(
+		`SELECT id FROM workloads WHERE kind = ? AND ref_id = ?`,
+		string(WorkloadKindProject), id,
+	).Scan(&workloadID); err != nil && !errors.Is(err, sql.ErrNoRows) {
+		return fmt.Errorf("lookup project workload: %w", err)
+	}
+
+	result, err := tx.Exec(`DELETE FROM projects WHERE id = ?`, id)
 	if err != nil {
 		return fmt.Errorf("delete project: %w", err)
 	}
-	n, _ := result.RowsAffected()
+	n, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("rows affected: %w", err)
+	}
 	if n == 0 {
 		return fmt.Errorf("project %s: %w", id, ErrNotFound)
 	}
-	if w, err := s.GetWorkloadByRef(WorkloadKindProject, id); err == nil {
-		if err := s.DeleteContainersByWorkload(w.ID); err != nil {
+
+	if workloadID != "" {
+		if _, err := tx.Exec(`DELETE FROM containers WHERE workload_id = ?`, workloadID); err != nil {
 			return fmt.Errorf("delete project containers: %w", err)
 		}
-		if err := s.DeleteWorkload(w.ID); err != nil {
+		if _, err := tx.Exec(`DELETE FROM workloads WHERE id = ?`, workloadID); err != nil {
 			return fmt.Errorf("delete project workload: %w", err)
 		}
 	}
-	return nil
+
+	return tx.Commit()
 }