tiny-forge

alexei.dolgolyov/tiny-forge

Fork 0

Commit Graph

Author	SHA1	Message	Date
alexei.dolgolyov	ea55d31177	feat(discovery+runtime): restore static-site wizard discovery + close /sites/[id] feature parity Build / build (push) Successful in 10m43s Details Two-stage feature arc closing the gaps left by the hard legacy cutover. The static-site creation wizard regains its auto-discovery + connection-test flow; /apps/[id] grows the runtime/storage/lifecycle surface the legacy /sites/[id] page used to expose. Backend (Go) - internal/api/discovery.go: six admin-gated endpoints wrapping staticsite.GitProvider — POST /api/discovery/git/{detect-provider, test-connection,repos,branches,tree} + GET /api/discovery/image/conflicts. Identifier validation (validateGitIdent / validateGitBranch) at the boundary so provider URL interpolation cannot be hijacked via `..`. Upstream errors scrubbed: detailed slog on the server, generic 502 to the client (mitigates token-reflection-in-error-page). - internal/api/workload_runtime.go: four endpoints — GET /api/workloads/{id}/runtime-state decodes containers.extra_json for static workloads; GET /api/workloads/{id}/storage execs `du -sb /app/data` with a 30s in-process cache (storageProbeCache) so polling can't turn into per-request execs; POST /api/workloads/{id}/{stop,start} iterate ListContainersByWorkload and call docker.StopContainer / StartContainer, returning 200 / 409 (nothing to act on) / 502 (all failed). - internal/staticsite/safehttp.go: NewSafeHTTPClient + ValidateBaseURL + blockReason. DialContext re-resolves hostnames and refuses loopback / link-local / multicast / unspecified addresses. RFC1918 + ULA explicitly allowed (self-hosted Gitea on LAN is the dominant deployment). Replaced four raw &http.Client{} constructions in the provider files. - internal/staticsite/gitlab_provider.go: url.PathEscape each segment in the raw-file URL builder for parity with projectPath(). - Test coverage: 26 cases in discovery_test.go (image-tag stripping, source-config decoding, conflict scenarios, validator boundaries, scheme rejection), 14 in workload_runtime_test.go (404 / 409 / nil-docker / probe-cache), 16 in safehttp_test.go (URL validation + block-reason policy matrix + live dial against loopback + AWS metadata literals). Frontend (Svelte 5 + runes) - web/src/lib/api.ts: typed wrappers for every endpoint, AbortSignal threaded through post(); ApiError exported so callers can narrow on e.status; new DetectedGitProvider narrow union. - web/src/routes/apps/new/+page.svelte: static-form discovery controls (auto-detect provider, test connection, repo / branch / folder EntityPickers, Deno auto-detect); image-form conflict panel with debounced lookup + double-click submit guard ("Forge anyway") + Inspect button that pre-fills port/healthcheck; English error fallbacks routed through apps.new.errors.* (en + ru). - web/src/routes/apps/[id]/+page.svelte: runtime-state panel + storage panel + Stop / Start / Open-site toolbar; universal live-state badge in the hero lede for image/compose/static (RUNNING / TRANSITIONING / STOPPED / NOT DEPLOYED / MIXED · n/m RUNNING); ContainerStats panel per row (auto-collapsing native <details> when N > 2); read-only webhook bindings summary card; responsive toolbar overflow with native <details> at <640px (z-index 100 above sticky nav). - web/src/app.css: project-wide .forge-btn-ghost:focus-visible outline. Hardening from go-reviewer + security-reviewer + typescript-reviewer + frontend-design UI/UX subagents (0 CRITICAL, all HIGH/BLOCKER addressed inline, IMPORTANT applied before commit): - AbortController + per-call sequence tokens on every long-running fetch (loadRuntimeState / loadStorage / loadTriggerMeta / inspectImage / listImageConflicts) plus onDestroy cleanup so late resolves cannot mutate dead component state. - doStop / doStart snapshot and restore `error` across the finally-block reload so a load()-cleared message doesn't hide a real failure. - triggersById refreshed after inline trigger creation so the webhook card doesn't silently exclude the just-created trigger. - Live-state badge wraps in role=status / aria-live=polite (no redundant aria-label). - Webhook row has a single click target (was two pointing at the same URL). - Empty webhook section hides entirely. - Dropped role=menu / role=menuitem from the overflow menu (they would promise arrow-key nav we don't wire; native Tab + ESC carry it). Doc - docs/CODEMAPS/INDEX.md + new docs/CODEMAPS/discovery-and-runtime.md map the endpoint surface, security posture, frontend integration patterns, and an "add a new probe" recipe. Verification - svelte-check: 0 errors, 3 pre-existing a11y warnings. - go build + go vet + go test ./...: all green. - i18n parity: en + ru at 1413 keys each. - Live smoke against :8090: 404 / 409 / 502 envelopes correct, discovery sanity passes, ProbeError surfaces on no-container path.	2026-05-16 21:35:51 +03:00
alexei.dolgolyov	234c3c711e	feat(static): inline static-source plugin; drop phantom-row adapter Build / build (push) Successful in 10m43s Details Lift the static-site deploy pipeline from internal/staticsite/manager.go into internal/workload/plugin/source/static/ so plugin-native static workloads operate directly on plugin.Workload + the containers table + workload_env. The cmd/server/static_backend.go phantom-row adapter is gone; the legacy static_sites table is no longer touched on plugin deploys. Backend - new state.go: runtimeState (last_commit_sha, last_sync_at, last_error, status) persisted in containers.extra_json under the deterministic row id <workloadID>:site - per-workload sync.Mutex serializes saveState read-modify-write so parallel deploys for the same workload can't race container_id / proxy_route_id writes - extra_json round-trips through map[string]json.RawMessage so unknown keys survive — typed runtimeStateKeys are stripped before merge so clearing a typed field actually drops the key - new env.go reads workload_env (replaces static_site_secrets for plugin-native sites); decrypt-failure logs and skips one entry rather than failing the whole deploy - new build.go ports prepareDenoBuild + prepareStaticBuild + copyDir; copyDir uses filepath.WalkDir + Lstat to refuse symlinks and non-regular files - new deploy.go is the ~300-line core; intent.Reason gates force vs skip-if-no-changes; success-path saveState failure rolls back container + proxy route and writes "failed" state (no orphans) - new teardown.go combines Remove + Stop; idempotent on never-deployed workloads - new reconcile.go refreshes container state from Docker; flips runtimeState.Status to failed when the container is missing/crashed Hardening (from go-reviewer + security-reviewer subagent passes; 1 CRITICAL + 5 HIGH + 3 MEDIUM addressed before merge) - path-traversal defense in all 3 providers (gitea_content, github_provider, gitlab_provider): reject tree entries whose resolved local path escapes destDir - verifyDownloadInsideRoot walks the build dir post-download as a second line of defense - sanitizeError redacts the access token, collapses to one line, and clamps to 240 bytes before persisting to extra_json or fanning out to the notification webhook - container/image/volume names suffixed with workload-id short prefix (workload name is not UNIQUE in schema) - primaryDomain reads settings.Domain to complete a bare subdomain face into a full FQDN (matches legacy Manager behavior) - ctx-aware health-check sleep - json.Marshal for event metadata (was fmt.Sprintf JSON template) - strings.HasPrefix for failed-status detection (was brittle slice expression) Wire-up - cmd/server/main.go: removed wireStaticBackend(...) call; existing blank import on _ ".../source/static" drives init() registration - cmd/server/static_backend.go deleted Doc - WORKLOAD_REFACTOR_TODO: static port marked DONE; next focus is the hard legacy cutover (drop /api/projects, /api/stacks, /api/sites, /api/stages + their tables, internal/stack + internal/staticsite packages, frontend /projects /stacks /sites) Behavior notes for operators - plugin-native static workloads no longer write to static_sites; legacy /api/sites/* still serves original rows unchanged - legacy tinyforge.static-site / .static-site-name container labels dropped on plugin deploys; canonical tinyforge.workload.id / .kind cover ownership - container/image/volume names gained an 8-char ID suffix (e.g. dw-site-mysite-a1b2c3d4); legacy-deployed sites keep the old shape until redeployed through the plugin path	2026-05-16 02:56:23 +03:00
alexei.dolgolyov	8d2c5a063b	feat: static sites feature with Gitea/GitHub/GitLab support and Deno backend Deploy static content from Git repository folders with optional server-side API endpoints. Supports Gitea/Forgejo/Gogs, GitHub, and GitLab with provider autodetection. - New Sites entity with CRUD, encrypted secrets, and manual/push/tag sync triggers - Pluggable GitProvider interface with three implementations - Deno container mode: auto-generates router from API_{method}_{name} exports - Static container mode: nginx serving files with optional markdown rendering - Wizard UI with provider selector, repo picker, branch/folder tree pickers - Deploy pipeline builds fresh image, starts container, configures NPM proxy - Stop/Start buttons, force redeploy on manual trigger - Periodic health checker detects crashed containers - Proxy route existence check during auto-sync	2026-04-11 03:35:57 +03:00

Author

SHA1

Message

Date

alexei.dolgolyov

ea55d31177

feat(discovery+runtime): restore static-site wizard discovery + close /sites/[id] feature parity

Build / build (push) Successful in 10m43s

Details

Two-stage feature arc closing the gaps left by the hard legacy cutover.
The static-site creation wizard regains its auto-discovery + connection-test
flow; /apps/[id] grows the runtime/storage/lifecycle surface the legacy
/sites/[id] page used to expose.

Backend (Go)
- internal/api/discovery.go: six admin-gated endpoints wrapping
  staticsite.GitProvider — POST /api/discovery/git/{detect-provider,
  test-connection,repos,branches,tree} + GET /api/discovery/image/conflicts.
  Identifier validation (validateGitIdent / validateGitBranch) at the
  boundary so provider URL interpolation cannot be hijacked via `..`.
  Upstream errors scrubbed: detailed slog on the server, generic 502 to
  the client (mitigates token-reflection-in-error-page).
- internal/api/workload_runtime.go: four endpoints —
  GET /api/workloads/{id}/runtime-state decodes containers.extra_json for
  static workloads; GET /api/workloads/{id}/storage execs `du -sb /app/data`
  with a 30s in-process cache (storageProbeCache) so polling can't turn
  into per-request execs; POST /api/workloads/{id}/{stop,start} iterate
  ListContainersByWorkload and call docker.StopContainer / StartContainer,
  returning 200 / 409 (nothing to act on) / 502 (all failed).
- internal/staticsite/safehttp.go: NewSafeHTTPClient + ValidateBaseURL +
  blockReason. DialContext re-resolves hostnames and refuses loopback /
  link-local / multicast / unspecified addresses. RFC1918 + ULA explicitly
  allowed (self-hosted Gitea on LAN is the dominant deployment).
  Replaced four raw &http.Client{} constructions in the provider files.
- internal/staticsite/gitlab_provider.go: url.PathEscape each segment in
  the raw-file URL builder for parity with projectPath().
- Test coverage: 26 cases in discovery_test.go (image-tag stripping,
  source-config decoding, conflict scenarios, validator boundaries,
  scheme rejection), 14 in workload_runtime_test.go (404 / 409 / nil-docker
  / probe-cache), 16 in safehttp_test.go (URL validation + block-reason
  policy matrix + live dial against loopback + AWS metadata literals).

Frontend (Svelte 5 + runes)
- web/src/lib/api.ts: typed wrappers for every endpoint, AbortSignal
  threaded through post(); ApiError exported so callers can narrow on
  e.status; new DetectedGitProvider narrow union.
- web/src/routes/apps/new/+page.svelte: static-form discovery controls
  (auto-detect provider, test connection, repo / branch / folder
  EntityPickers, Deno auto-detect); image-form conflict panel with
  debounced lookup + double-click submit guard ("Forge anyway") + Inspect
  button that pre-fills port/healthcheck; English error fallbacks routed
  through apps.new.errors.* (en + ru).
- web/src/routes/apps/[id]/+page.svelte: runtime-state panel + storage
  panel + Stop / Start / Open-site toolbar; universal live-state badge
  in the hero lede for image/compose/static (RUNNING / TRANSITIONING /
  STOPPED / NOT DEPLOYED / MIXED · n/m RUNNING); ContainerStats panel
  per row (auto-collapsing native <details> when N > 2); read-only
  webhook bindings summary card; responsive toolbar overflow with native
  <details> at <640px (z-index 100 above sticky nav).
- web/src/app.css: project-wide .forge-btn-ghost:focus-visible outline.

Hardening from go-reviewer + security-reviewer + typescript-reviewer +
frontend-design UI/UX subagents (0 CRITICAL, all HIGH/BLOCKER addressed
inline, IMPORTANT applied before commit):
- AbortController + per-call sequence tokens on every long-running
  fetch (loadRuntimeState / loadStorage / loadTriggerMeta / inspectImage /
  listImageConflicts) plus onDestroy cleanup so late resolves cannot
  mutate dead component state.
- doStop / doStart snapshot and restore `error` across the finally-block
  reload so a load()-cleared message doesn't hide a real failure.
- triggersById refreshed after inline trigger creation so the webhook
  card doesn't silently exclude the just-created trigger.
- Live-state badge wraps in role=status / aria-live=polite (no redundant
  aria-label).
- Webhook row has a single click target (was two pointing at the same URL).
- Empty webhook section hides entirely.
- Dropped role=menu / role=menuitem from the overflow menu (they would
  promise arrow-key nav we don't wire; native Tab + ESC carry it).

Doc
- docs/CODEMAPS/INDEX.md + new docs/CODEMAPS/discovery-and-runtime.md
  map the endpoint surface, security posture, frontend integration
  patterns, and an "add a new probe" recipe.

Verification
- svelte-check: 0 errors, 3 pre-existing a11y warnings.
- go build + go vet + go test ./...: all green.
- i18n parity: en + ru at 1413 keys each.
- Live smoke against :8090: 404 / 409 / 502 envelopes correct, discovery
  sanity passes, ProbeError surfaces on no-container path.

2026-05-16 21:35:51 +03:00

alexei.dolgolyov

234c3c711e

feat(static): inline static-source plugin; drop phantom-row adapter

Build / build (push) Successful in 10m43s

Details

Lift the static-site deploy pipeline from internal/staticsite/manager.go
into internal/workload/plugin/source/static/ so plugin-native static
workloads operate directly on plugin.Workload + the containers table +
workload_env. The cmd/server/static_backend.go phantom-row adapter is
gone; the legacy static_sites table is no longer touched on plugin
deploys.

Backend
- new state.go: runtimeState (last_commit_sha, last_sync_at,
  last_error, status) persisted in containers.extra_json under the
  deterministic row id <workloadID>:site
- per-workload sync.Mutex serializes saveState read-modify-write so
  parallel deploys for the same workload can't race container_id /
  proxy_route_id writes
- extra_json round-trips through map[string]json.RawMessage so
  unknown keys survive — typed runtimeStateKeys are stripped before
  merge so clearing a typed field actually drops the key
- new env.go reads workload_env (replaces static_site_secrets for
  plugin-native sites); decrypt-failure logs and skips one entry
  rather than failing the whole deploy
- new build.go ports prepareDenoBuild + prepareStaticBuild + copyDir;
  copyDir uses filepath.WalkDir + Lstat to refuse symlinks and
  non-regular files
- new deploy.go is the ~300-line core; intent.Reason gates force vs
  skip-if-no-changes; success-path saveState failure rolls back
  container + proxy route and writes "failed" state (no orphans)
- new teardown.go combines Remove + Stop; idempotent on
  never-deployed workloads
- new reconcile.go refreshes container state from Docker; flips
  runtimeState.Status to failed when the container is missing/crashed

Hardening (from go-reviewer + security-reviewer subagent passes;
1 CRITICAL + 5 HIGH + 3 MEDIUM addressed before merge)
- path-traversal defense in all 3 providers (gitea_content,
  github_provider, gitlab_provider): reject tree entries whose
  resolved local path escapes destDir
- verifyDownloadInsideRoot walks the build dir post-download as a
  second line of defense
- sanitizeError redacts the access token, collapses to one line, and
  clamps to 240 bytes before persisting to extra_json or fanning out
  to the notification webhook
- container/image/volume names suffixed with workload-id short prefix
  (workload name is not UNIQUE in schema)
- primaryDomain reads settings.Domain to complete a bare subdomain
  face into a full FQDN (matches legacy Manager behavior)
- ctx-aware health-check sleep
- json.Marshal for event metadata (was fmt.Sprintf JSON template)
- strings.HasPrefix for failed-status detection (was brittle slice
  expression)

Wire-up
- cmd/server/main.go: removed wireStaticBackend(...) call; existing
  blank import on _ ".../source/static" drives init() registration
- cmd/server/static_backend.go deleted

Doc
- WORKLOAD_REFACTOR_TODO: static port marked DONE; next focus is
  the hard legacy cutover (drop /api/projects, /api/stacks,
  /api/sites, /api/stages + their tables, internal/stack +
  internal/staticsite packages, frontend /projects /stacks /sites)

Behavior notes for operators
- plugin-native static workloads no longer write to static_sites;
  legacy /api/sites/* still serves original rows unchanged
- legacy tinyforge.static-site / .static-site-name container labels
  dropped on plugin deploys; canonical tinyforge.workload.id / .kind
  cover ownership
- container/image/volume names gained an 8-char ID suffix
  (e.g. dw-site-mysite-a1b2c3d4); legacy-deployed sites keep the
  old shape until redeployed through the plugin path

2026-05-16 02:56:23 +03:00

alexei.dolgolyov

8d2c5a063b

feat: static sites feature with Gitea/GitHub/GitLab support and Deno backend

Deploy static content from Git repository folders with optional server-side
API endpoints. Supports Gitea/Forgejo/Gogs, GitHub, and GitLab with provider
autodetection.

- New Sites entity with CRUD, encrypted secrets, and manual/push/tag sync triggers
- Pluggable GitProvider interface with three implementations
- Deno container mode: auto-generates router from API_{method}_{name} exports
- Static container mode: nginx serving files with optional markdown rendering
- Wizard UI with provider selector, repo picker, branch/folder tree pickers
- Deploy pipeline builds fresh image, starts container, configures NPM proxy
- Stop/Start buttons, force redeploy on manual trigger
- Periodic health checker detects crashed containers
- Proxy route existence check during auto-sync

2026-04-11 03:35:57 +03:00

3 Commits