refactor(workload): finalize containers index + post-review hardening
Wraps up the workload refactor with the fixes that came out of the multi-agent code review (see docs/plans/workload-refactor.md "What actually shipped"). Backend: - store.ReconcileContainer: separate write path so the 30s reconciler tick no longer overwrites deployer-owned fields (subdomain, proxy_route_id, npm_proxy_id, image_tag). - Container.stage_id column + index; ListProxyRoutes / ListContainersByStageID join via stage_id (survives stage rename), with legacy fallback to (project_id, role=stage_name). - Reconciler: workload-existence check (rejects forged tinyforge.workload.id labels), skips inventing project-kind rows, child-context cancel before wg.Wait() on shutdown. - Transactional CRUD across projects / stacks / static_sites: parent UPDATE and workload sync land in one transaction so secret rotations are durable. - Webhook routing reads exclusively through workloads.webhook_secret; legacy GetProjectByWebhookSecret / GetStaticSiteByWebhookSecret fallback removed. - store.GetStackByComposeProjectName + indexed lookup (no more full-table stack scan per compose container per tick). - store.ListMissingSweepRows: filtered query for the missing-sweep. - /api/instances/* handlers verify (workload_id, role) match URL (project_id, stage_name) before mutating — closes the cross-project hijack the security review flagged. - extra_json no longer referenced from Go (column kept on disk for now). Frontend: - WorkloadContainers.svelte: generic detail-page panel reusable by stack and site detail pages. - Containers page polish: client-side kind/state filters over an unfiltered fetch, URL-synced filters, race-safe loads via sequence number, EN+RU i18n, sidebar counter via navCounts.containers. Misc: - scripts/dev-server.sh: tolerate empty netstat grep result. - .gitignore: ignore docker-watcher binaries, .claude/worktrees/, .facts-sync.json.
This commit is contained in:
+17
-10
@@ -319,18 +319,22 @@ func (h *Handler) handleWebhook(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
// Resolve the secret via the workload row first (canonical path —
|
||||
// workloads.webhook_secret is kept in sync by the project CRUD path).
|
||||
// Fall back to the project's own column for any pre-refactor row that
|
||||
// might not have its workload yet (defensive belt-and-suspenders).
|
||||
// Resolve the secret via the workload row only. The project's own
|
||||
// webhook_secret column is the source of truth, but lookups go through
|
||||
// workloads.webhook_secret which is kept in lock-step by the
|
||||
// transactional sync in the project CRUD path. Reading from workloads
|
||||
// alone closes the rotation-durability gap: any rotation that didn't
|
||||
// commit also didn't update the workload row, so an old secret
|
||||
// surfaces here as 404 rather than being silently accepted.
|
||||
var (
|
||||
project store.Project
|
||||
err error
|
||||
)
|
||||
if wl, wErr := h.store.GetWorkloadByWebhookSecret(secret); wErr == nil && wl.Kind == string(store.WorkloadKindProject) {
|
||||
wl, wErr := h.store.GetWorkloadByWebhookSecret(secret)
|
||||
if wErr == nil && wl.Kind == string(store.WorkloadKindProject) {
|
||||
project, err = h.store.GetProjectByID(wl.RefID)
|
||||
} else {
|
||||
project, err = h.store.GetProjectByWebhookSecret(secret)
|
||||
err = store.ErrNotFound
|
||||
}
|
||||
if err != nil {
|
||||
if errors.Is(err, store.ErrNotFound) {
|
||||
@@ -514,16 +518,19 @@ func (h *Handler) handleSiteWebhook(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
// Workload-first lookup, mirroring the project handler. Falls back to the
|
||||
// site's own webhook_secret column for pre-refactor rows.
|
||||
// Workload-only lookup, mirroring the project handler. Reading from
|
||||
// workloads.webhook_secret keeps rotation-durability honest — a
|
||||
// rotation that didn't commit doesn't update the workload row, so the
|
||||
// stale secret returns 404 instead of being silently accepted.
|
||||
var (
|
||||
site store.StaticSite
|
||||
err error
|
||||
)
|
||||
if wl, wErr := h.store.GetWorkloadByWebhookSecret(secret); wErr == nil && wl.Kind == string(store.WorkloadKindSite) {
|
||||
wl, wErr := h.store.GetWorkloadByWebhookSecret(secret)
|
||||
if wErr == nil && wl.Kind == string(store.WorkloadKindSite) {
|
||||
site, err = h.store.GetStaticSiteByID(wl.RefID)
|
||||
} else {
|
||||
site, err = h.store.GetStaticSiteByWebhookSecret(secret)
|
||||
err = store.ErrNotFound
|
||||
}
|
||||
if err != nil {
|
||||
if errors.Is(err, store.ErrNotFound) {
|
||||
|
||||
Reference in New Issue
Block a user