Secrets defined once and applied to many workloads by scope (global or
per-app), encrypted at rest and resolved into container env as a
low-precedence default layer: global-shared < app-shared < image cfg.Env
< workload_env. A workload with no applicable shared secrets is
byte-identical to the prior workload_env-only behavior.
- store: shared_secrets table + CRUD + ListApplicableSharedSecrets
(enabled global + app, global-first), UNIQUE(scope,app_id,name).
- plugin.ResolveSharedSecrets + integration into BuildWorkloadEnv
(static/dockerfile) and image buildEnv; best-effort — a shared-secret
store/decrypt error never fails a deploy, and values are never logged.
- REST CRUD at /api/shared-secrets (reads authed, mutations AdminOnly);
values encrypted at the boundary via crypto.Encrypt and never returned
(only a has_value flag), mirroring workload_env. UNIQUE collisions 409.
Compose is out of scope (YAML-defined env). Frontend rule UI is Phase 2.
Reviewed: go + security APPROVE (0 CRITICAL/HIGH); two MEDIUMs fixed
(translateSQLError -> 409, no driver-message leak). Deferred defense-in-
depth: json:"-" on the model value + a description length cap.
Extract the verbatim-duplicated helpers into shared homes:
- buildEnv -> plugin.BuildWorkloadEnv (base plugin pkg; a sourceName param
preserves each plugin's slog prefix / log-scraper text)
- idShort -> plugin.IDShort
- commitStatusReporter -> staticsite.CommitStatusReporter, re-parameterized
on primitives (owner/repo/sha/targetURL/enabled) so staticsite needs no
dependency on the plugin package; reporter tests ported to staticsite
(plus a new nil-provider case)
containerNameFor/imageTagFor are intentionally left per-plugin: their
prefixes differ (dw-site- vs tf-build-) and name real Docker resources,
so merging them would risk mis-routing. Behavior-preserving; the
static/dockerfile test suites pass unchanged.
Reviewed: go APPROVE (0 CRITICAL/HIGH).
Every deploy across all four source kinds now writes a workload-scoped
event via a shared plugin.EmitDeployEvent helper (replacing the inline
emit duplicated in static/dockerfile, standardizing static's metadata
key site_id->workload_id, and adding emission to image+compose which
were silent). New indexed event_log.workload_id column, EventLogFilter
.WorkloadID, and GET /api/workloads/{id}/events (id pinned from path).
Frontend: a forge "Activity" panel on /apps/[id] reusing EventLogEntry,
live SSE prepend filtered by workload_id, load-more pagination, an
All/Errors severity filter, and a shared toEventLogEntry mapper. en/ru
i18n parity.
Security: compose's failure status emits a generic reason instead of raw
`docker compose up` output, which can echo app secrets and egresses to
operator webhooks (NotificationURL + event-trigger actions); full detail
stays only in the returned error. Rune-safe 256-rune status cap.
Reviewed: go + typescript APPROVE; security HIGH fixed.
Report deploy status back to the Git provider as a commit status
(pending/success/failure) for git-sourced workloads (static + dockerfile).
- GitProvider.SetCommitStatus on gitea/github/gitlab over the existing
SSRF-safe client; fixed "tinyforge" context so redeploys update one row.
postJSON returns status-code-only errors (never echoes the upstream body,
which a hostile provider could use to reflect the auth token into the
best-effort log line).
- Best-effort deploy hook: pending on deploy start, success/failure on
outcome, gated on a per-workload report_commit_status flag. Never fails or
blocks a deploy; emits nothing on the unchanged-SHA short-circuit.
- UI ToggleSwitch (create + edit) + reportCommitStatus in sourceForms.ts
+ en/ru i18n.
- Tests: per-provider state mapping + request shape; reporter gating
(enabled/disabled/empty-SHA/nil/error-swallow).
Reviewed via go-reviewer + security-reviewer (0 CRITICAL/HIGH; one MEDIUM
body-echo log-leak fixed).
Bring the previously-untested internal/workload/plugin/source/static/
package from 0% to 23.6% coverage with three new test files:
helpers_test.go (20 cases) - idShort/containerNameFor/imageTagFor/
siteVolumeKey shape + same-name-workload collision avoidance;
sanitizeError newline collapse, empty-token no-op, 240-byte cap, and
multi-byte UTF-8 validity at the cap; containerRowID determinism;
lockFor map semantics (same lock for same workload, distinct locks
for different workloads, real serialization under contention, safe
concurrent insertion); runtimeStateKeys exactly equals the JSON-tag
key set.
build_test.go (8 cases) - copyDir copies files + subdirs and
preserves modes on Unix; verifyDownloadInsideRoot accepts clean
trees and surfaces ErrNotExist for missing roots; both functions
reject symlinks (skipped cleanly on Windows non-admin where the
SeCreateSymbolicLink privilege is absent); prepareStaticBuild
writes the Dockerfile even for an empty source.
state_integration_test.go (12 cases) - loadState/saveState round-
trip on an in-memory SQLite store, including: unknown extra_json
keys (future writers) survive a save; clearing a typed field drops
the key; malformed extra_json is recovered from rather than
panicked on; concurrent writers exercise the per-workload mutex by
accumulating into state.LastError - the test verified to fail
loudly (15+ lost markers) when the mutex is disabled. buildEnv
returns plain values, decrypts encrypted ones, skips rows that
fail to decrypt without leaking ciphertext, and returns empty on
store failure without panicking.
Review followups from go-reviewer pass applied inline: H1 rewrite
to exercise actual lost-update race (verified against disabled
mutex), H2 workload-ID scoping by t.Name() so the package-global
saveLocks map cannot bleed across tests or -count=N runs, set-
based env-assertions, JSON tag-set equality check, multi-byte
truncation case, valid-JSON-on-recovery assertion, unique-keys
in concurrent map test, double-close cleanup.
Lift the static-site deploy pipeline from internal/staticsite/manager.go
into internal/workload/plugin/source/static/ so plugin-native static
workloads operate directly on plugin.Workload + the containers table +
workload_env. The cmd/server/static_backend.go phantom-row adapter is
gone; the legacy static_sites table is no longer touched on plugin
deploys.
Backend
- new state.go: runtimeState (last_commit_sha, last_sync_at,
last_error, status) persisted in containers.extra_json under the
deterministic row id <workloadID>:site
- per-workload sync.Mutex serializes saveState read-modify-write so
parallel deploys for the same workload can't race container_id /
proxy_route_id writes
- extra_json round-trips through map[string]json.RawMessage so
unknown keys survive — typed runtimeStateKeys are stripped before
merge so clearing a typed field actually drops the key
- new env.go reads workload_env (replaces static_site_secrets for
plugin-native sites); decrypt-failure logs and skips one entry
rather than failing the whole deploy
- new build.go ports prepareDenoBuild + prepareStaticBuild + copyDir;
copyDir uses filepath.WalkDir + Lstat to refuse symlinks and
non-regular files
- new deploy.go is the ~300-line core; intent.Reason gates force vs
skip-if-no-changes; success-path saveState failure rolls back
container + proxy route and writes "failed" state (no orphans)
- new teardown.go combines Remove + Stop; idempotent on
never-deployed workloads
- new reconcile.go refreshes container state from Docker; flips
runtimeState.Status to failed when the container is missing/crashed
Hardening (from go-reviewer + security-reviewer subagent passes;
1 CRITICAL + 5 HIGH + 3 MEDIUM addressed before merge)
- path-traversal defense in all 3 providers (gitea_content,
github_provider, gitlab_provider): reject tree entries whose
resolved local path escapes destDir
- verifyDownloadInsideRoot walks the build dir post-download as a
second line of defense
- sanitizeError redacts the access token, collapses to one line, and
clamps to 240 bytes before persisting to extra_json or fanning out
to the notification webhook
- container/image/volume names suffixed with workload-id short prefix
(workload name is not UNIQUE in schema)
- primaryDomain reads settings.Domain to complete a bare subdomain
face into a full FQDN (matches legacy Manager behavior)
- ctx-aware health-check sleep
- json.Marshal for event metadata (was fmt.Sprintf JSON template)
- strings.HasPrefix for failed-status detection (was brittle slice
expression)
Wire-up
- cmd/server/main.go: removed wireStaticBackend(...) call; existing
blank import on _ ".../source/static" drives init() registration
- cmd/server/static_backend.go deleted
Doc
- WORKLOAD_REFACTOR_TODO: static port marked DONE; next focus is
the hard legacy cutover (drop /api/projects, /api/stacks,
/api/sites, /api/stages + their tables, internal/stack +
internal/staticsite packages, frontend /projects /stacks /sites)
Behavior notes for operators
- plugin-native static workloads no longer write to static_sites;
legacy /api/sites/* still serves original rows unchanged
- legacy tinyforge.static-site / .static-site-name container labels
dropped on plugin deploys; canonical tinyforge.workload.id / .kind
cover ownership
- container/image/volume names gained an 8-char ID suffix
(e.g. dw-site-mysite-a1b2c3d4); legacy-deployed sites keep the
old shape until redeployed through the plugin path
alexei.dolgolyov