tiny-forge

Author	SHA1	Message	Date
alexei.dolgolyov	410a131cec	feat(apps): stepped creation wizard, branch previews, and app-creation fixes This session (frontend focus): - Rebuild /apps/new as a 4-step wizard (Basics → Configure → Trigger → Review): WizardRail, SourceKindPicker card grid, AppManifest review, per-step validation, ConfirmDialog-based unsaved-changes guard. - Extract lib/workload/sourceForms.ts (single source of truth for source_config) + {Image,Compose,Static,Dockerfile}SourceForm + StaticDiscoveryWizard; fold the /apps/[id] edit form onto the same components (removes the duplication). Add vitest + sourceForms unit tests. - Branch preview environments UI: /chain is_preview/preview_branch + a Preview environments panel on /apps/[id] (per-branch URLs, ConfirmDialog teardown, armed state); RegistryImagePicker on the registry trigger and the image source. - Fixes: image-inspect 404 -> admin-gated POST /api/discovery/image/inspect; conflict-panel blur flicker; friendly localized discovery errors; CPU/Memory label hints; dashboard + /apps "Total workloads" count only source_kind workloads (drop stale trigger_kind gate); NPM cert/access-list name cache; EntityPicker empty-list guard. - Update CLAUDE.md frontend conventions + add a Build & Test section. Also captures pre-existing in-progress platform work (not from this session): workload notifications, Prometheus metrics export, store lockfile, health probes, backup hardening, and related store/webhook/scheduler changes.	2026-05-29 02:09:54 +03:00
alexei.dolgolyov	739b67856a	feat(cutover): hard legacy cutover — drop projects/stacks/sites/deploys Build / build (push) Successful in 10m39s Details The clean-break delete that closes the workload-first refactor arc. Net diff: ~30 backend files deleted, ~20 modified, ~12k LOC removed on the Go side; entire /projects /stacks /sites /deploy frontend trees gone; ~6.7k LOC removed on the Svelte/TypeScript side. Backend - API handlers gone: internal/api/{projects,stages,stage_env,stacks, static_sites,deploys,instances,volume_browser}.go - Store CRUD + tests gone: internal/store/{projects,stages,stage_env, stacks,static_sites,static_site_secrets,deploys,poll_state,volumes, workload_sync}.go (+ _test.go siblings) - Legacy deployer pipeline gone: internal/deployer/{bluegreen,promote, rollback,subdomain,resolver_test}.go; deployer.go trimmed to just the dispatch surface used by the plugin pipeline - internal/staticsite/{manager,healthcheck}.go and internal/stack/manager.go gone (the rest of those packages stay as helpers imported by the static + compose plugins) - internal/registry/poller.go gone (legacy registry poller) - internal/volume.ResolvePath gone; ResolveWorkloadPath stays - internal/webhook: handleWebhook (project) + handleSiteWebhook (site) gone; only POST /api/webhook/triggers/{secret} remains - workload-side webhook URL handlers (getWorkloadWebhook + regenerateWorkloadWebhook + EnsureWorkloadWebhookSecret + SetWorkloadWebhookSecret + GetWorkloadByWebhookSecret) gone — they minted URLs that would 404 against the new trigger-only ingress - cmd/server/main.go: dropped staticsite.Manager, stack.Manager, staticsite.HealthChecker, registry poller, SetSiteSyncTriggerer, SetStaticSiteManager, SetStackManager, wireStaticBackend - store/store.go: idempotent DROP TABLE IF EXISTS for every legacy table (projects, stages, stage_env, volumes, deploys, deploy_logs, poll_states, stacks, stack_revisions, stack_deploys, static_sites, static_site_secrets); FK order children-then-parents - store/models.go: dropped Project, Stage, Deploy, DeployLog, StageEnv, Volume, StaticSite, StaticSiteSecret, Stack, StackRevision, StackDeploy types; kept WorkloadKind constants as documented strings - internal/store/helpers.go (new): BoolToInt, rowScanner, GenerateWebhookSecret extracted from deleted CRUD files - internal/api/secrets.go (new): forwards to store.GenerateWebhookSecret so api + store paths share one secret-generation impl (no panic-vs-UUID-fallback divergence) - internal/reconciler/reconciler.go: dropped legacy stack-by-compose + static-site label paths; only canonical tinyforge.workload.id dispatch remains - providers (gitea_content/github_provider/gitlab_provider) gained path-traversal rejection on every tree entry - internal/webhook ParsedImage / ParseImageRef demoted to package- private (no external callers) Frontend - /projects /stacks /sites /deploy routes deleted (entire trees) - ProjectCard / InstanceCard / StaleContainerCard components deleted - api.ts: dropped every project/stage/stack/site/deploy/instance helper + types (Project, Stage, Stack, StaticSite, Deploy, Instance, Volume, etc.); kept Workload, Container, App, Settings, Registry, EventTrigger, LogScanRule, webhook envelopes - WorkloadWebhook type + getWorkloadWebhook/regenerateWorkloadWebhook api functions gone (mirror of the backend deletion above) - web/src/routes/+layout.svelte: dropped /projects /sites /stacks /deploy nav entries, trimmed quick-nav keymap - web/src/routes/+page.svelte: dashboard rewrite — reads listWorkloads + listContainers only; 4-card stat grid (workloads/running/failed/stale) + recent workloads strip - navCounts.ts, SystemHealthCard.svelte, ContainerLogs.svelte, ContainerStats.svelte, StatusBadge.svelte, TagCombobox.svelte, proxies/+page.svelte, containers/+page.svelte all rewired to the workload-first surface - AbortController plumbing on dashboard, nav-counts, stale page, SystemHealthCard so navigation doesn't leave dangling fetches - i18n: dropped projects., projectDetail., envEditor., volumeEditor., volumeBrowser., quickDeploy., sites., stacks., instance., confirm. namespaces; en/ru parity preserved (1042 keys each) Hardening from go-reviewer + security-reviewer + typescript-reviewer subagent passes (0 CRITICAL across all three; 1 HIGH + ~12 MEDIUM addressed inline before commit): - Sec H1: dead-end workload webhook URL handlers (would mint URLs that 404 the new trigger-only ingress) deleted across backend + frontend - Go M1: IsTerminalDeployStatus dropped (no production callers) - Go M2: ParsedImage/ParseImageRef lowercased (in-package only) - Go M6: generateWebhookSecret unified — api shim forwards to store.GenerateWebhookSecret - Doc/comment freshness: stage_id (no longer FK), ProxyRoute legacy field names, workloadIDRow rationale, webhook_deliveries.target_type enum, WebhookDeliveryLog component header Doc - WORKLOAD_REFACTOR_TODO: cutover marked DONE; all three Priority 1 items are now shipped. Next focus is Priority 3 polish (apps.* i18n + codemap entries) and Priority 4 tests. Behavioral notes for operators upgrading from a pre-cutover build - Existing rows in the dropped tables disappear on first boot. - Legacy webhook URLs at /api/webhook/{secret} and /api/webhook/sites/{secret} return 404; CI configs must repoint to /api/webhook/triggers/{secret} (the trigger-split boot backfill lifted any embedded workload secret onto a Trigger row, so the secret value itself carries over). - Frontend routes /projects /stacks /sites /deploy are gone; nav links replaced with /apps and /triggers.	2026-05-16 06:00:21 +03:00
alexei.dolgolyov	2aff22f565	feat(triggers): first-class triggers + bindings with fan-out webhook Build / build (push) Successful in 10m39s Details Promote triggers from embedded workload fields to standalone records joined to workloads via workload_trigger_bindings. One trigger (webhook, registry watcher, git push, manual) now fans out to many workloads with per-binding config overrides (top-level JSON merge, binding wins). Backend - new triggers + workload_trigger_bindings tables with ON DELETE CASCADE - boot-time backfill of embedded trigger config inside per-workload tx - store.ErrUnique sentinel translates SQLite UNIQUE at store boundary - /api/triggers CRUD + /api/triggers/{id}/{webhook,bindings} - /api/bindings/{id} update/delete; /api/workloads/{id}/triggers list+bind - bindTriggerToWorkload accepts trigger_id or inline {kind,name,config} - inline-create uses CreateTriggerWithBindingTx (no orphan triggers) - validateBindingConfig enforces 8 KiB cap + plugin Validate on merged - ListTriggersWithBindingCount + ListBindingsWithNames remove N+1 - POST /api/webhook/triggers/{secret} resolves trigger then fans out - bounded worker pool (4) per request; per-binding error isolation - outcome accounting: deployed / skipped / no-match / errored - legacy /api/webhook/workloads/{secret} route removed (clean break; backfill keeps secrets resolvable at the new /triggers/{secret} path) - reconciler gate dropped from (Source && Trigger) to Source only - MergeJSONConfig returns freshly allocated slices (no fan-out aliasing) - WithEffectiveTrigger lets existing Trigger.Match contract stay unchanged Frontend - /triggers list, new wizard, [id] detail (bindings, webhook rotate) - workload create wizard: NEW / PICK / SKIP trigger modes - workload detail: bindings panel + Add-trigger modal (inline / pick) - per-binding override editor with merged-preview + 8 KiB guard - "OVERRIDES n FIELDS" row badge when binding_config is non-empty - shared TriggerKindForm component (registry / git / manual + JSON) - 3 raw <input type=checkbox> replaced with <ToggleSwitch> - full EN + RU i18n: redeployTriggers., apps.detail.bindings., apps.new.triggers., nav.triggers; event-triggers nav disambiguated Doc - WORKLOAD_REFACTOR_TODO: trigger-split marked DONE; next focus is the static-source inline port + hard legacy cutover (Priority 1)	2026-05-16 02:24:31 +03:00
alexei.dolgolyov	82d32181ba	feat(webhook): vendor-specific event parsing (Gitea / GitHub / GitLab) The /api/webhook/workloads/{secret} ingress now short-circuits on a recognized X-*-Event header before falling back to the generic simple-body parser. Vendor parsers populate fields the generic parser cannot (image digest, GitEvent.Vendor, registry host). internal/webhook/vendor_parsers.go covers: - Gitea package events (X-Gitea-Event: package, container type) - GitHub registry_package + package events (CONTAINER package_type) - GitHub / Gitea push events with vendor stamping - GitLab Push Hook + Tag Push Hook with path_with_namespace mapping When a vendor parser claims a request (ok=true), it's authoritative — a malformed Gitea package payload surfaces as an error rather than silently re-parsing as generic. The generic {image} / {ref + repository.full_name} fallback stays in place for legacy CIs that send those shapes. Coverage: internal/webhook/vendor_parsers_test.go + inbound_event_test.go (round-trip through buildInboundEvent). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-11 22:17:53 +03:00
alexei.dolgolyov	cba2149aa9	refactor(workload): finalize containers index + post-review hardening Wraps up the workload refactor with the fixes that came out of the multi-agent code review (see docs/plans/workload-refactor.md "What actually shipped"). Backend: - store.ReconcileContainer: separate write path so the 30s reconciler tick no longer overwrites deployer-owned fields (subdomain, proxy_route_id, npm_proxy_id, image_tag). - Container.stage_id column + index; ListProxyRoutes / ListContainersByStageID join via stage_id (survives stage rename), with legacy fallback to (project_id, role=stage_name). - Reconciler: workload-existence check (rejects forged tinyforge.workload.id labels), skips inventing project-kind rows, child-context cancel before wg.Wait() on shutdown. - Transactional CRUD across projects / stacks / static_sites: parent UPDATE and workload sync land in one transaction so secret rotations are durable. - Webhook routing reads exclusively through workloads.webhook_secret; legacy GetProjectByWebhookSecret / GetStaticSiteByWebhookSecret fallback removed. - store.GetStackByComposeProjectName + indexed lookup (no more full-table stack scan per compose container per tick). - store.ListMissingSweepRows: filtered query for the missing-sweep. - /api/instances/* handlers verify (workload_id, role) match URL (project_id, stage_name) before mutating — closes the cross-project hijack the security review flagged. - extra_json no longer referenced from Go (column kept on disk for now). Frontend: - WorkloadContainers.svelte: generic detail-page panel reusable by stack and site detail pages. - Containers page polish: client-side kind/state filters over an unfiltered fetch, URL-synced filters, race-safe loads via sequence number, EN+RU i18n, sidebar counter via navCounts.containers. Misc: - scripts/dev-server.sh: tolerate empty netstat grep result. - .gitignore: ignore docker-watcher binaries, .claude/worktrees/, .facts-sync.json.	2026-05-09 15:44:41 +03:00
alexei.dolgolyov	d8ab22876f	refactor(workload): extract Instance entirely; Container is canonical Build / build (push) Successful in 10m41s Details End-to-end extraction of the Instance concept. After this commit: * internal/store/instances.go — DELETED * internal/store/models.go — Instance struct gone, ProxyRoute moved here * containers table is the single source of truth for project/stack/site container state. instances table is dropped via DROP TABLE migration (idempotent; re-runnable on every boot). * Legacy tinyforge.project / tinyforge.stage / tinyforge.instance-id Docker labels are no longer emitted; only tinyforge.workload.{id,kind}, tinyforge.role, and tinyforge.managed are stamped on new containers. Backend rewrites: - internal/deployer: executeDeploy + blueGreenDeploy + rollback + promote use store.Container natively. New removeContainer() replaces removeInstance(). enforceMaxInstances reads via ListContainersByStageID. - internal/reconciler: legacy tinyforge.instance-id dispatch removed; upsertByWorkloadLabel now finds existing rows by docker container ID first and falls back to the deterministic workloadID:role key. - internal/stale/scanner: Scan + new FindStaleContainers walk the containers table; emit StaleContainer JSON. - internal/stats/collector: ListContainers replaces ListAllInstances. - internal/webhook/handler: workload-secret lookup tried first; falls back to project / static_site secret column. - internal/api: instances.go, stale.go, stats.go, stats_history.go, projects.go, settings.go, docker.go, dns.go all read / write through Container. Docker layer: - ManagedContainer exposes WorkloadID/Kind/Role from the canonical labels. - ListContainers filters by tinyforge.managed=true. - Network creation uses LabelManaged instead of LabelProject. Frontend: - Instance type is now a Container alias; .status → .state, .last_alive_at → .last_seen_at. - InstanceCard takes stageId as a prop (no longer derived from Instance). - StaleContainer JSON shape rewritten: { container, workload_name, role, days_stale }. StaleContainerCard + /containers/stale page updated. - ProjectCard / homepage / SystemHealthCard filter by .state. The migration loop now tolerates "no such table" alongside "duplicate column" / "already exists" so obsolete ALTER TABLE entries targeting the dropped instances table no-op cleanly on first boot. Tests: store + deployer + reconciler + webhook + staticsite + notify all still pass. Frontend svelte-check: zero errors.	2026-05-09 14:43:12 +03:00
alexei.dolgolyov	0f60a7a5db	feat(webhook): inbound delivery audit log Build / build (push) Successful in 10m35s Details Persists every inbound webhook hit (project + site) so users can debug "why didn't my deploy fire?" without grepping daemon logs. Surfaces a 14-day rolling history under the WebhookPanel on each project + site detail page; refreshes every 30s while open. Daily cron prunes records older than 14 days alongside the existing event log prune. Schema: - webhook_deliveries(id, target_type, target_id, target_name, received_at, source_ip, signature_state, status_code, outcome, detail, body_size) - indexes on (target_type,target_id,received_at) and (received_at) Backend: - store: WebhookDelivery model + Insert/List/Prune helpers - webhook/handler: deferred recordDelivery() captures the final outcome on every return path including HMAC rejects, image mismatch, no-stage, auto_deploy=false, and successful deploys; signatureStateFor() classifies "unconfigured" vs "missing" vs "invalid" vs "valid" - api: GET /api/{projects,sites}/{id}/webhook/deliveries with parseLimit() helper (default 50, max 200) - main: daily prune cron retains the last 14 days Frontend: - WebhookDeliveryLog.svelte: panel with refresh button, status code + outcome + signature badges, relative time tooltip-on-hover for absolute time, source IP column - Mounted below WebhookPanel on project + site detail pages - en/ru i18n strings for outcome/signature enums and column labels	2026-05-07 02:40:39 +03:00
alexei.dolgolyov	831b5c1a43	feat(webhook): HMAC-SHA256 signature verification on inbound webhooks Adds an opt-in inbound HMAC scheme so a leaked URL alone is not enough to forge deploy/sync requests — the caller must also know a separate signing secret. Header format is X-Hub-Signature-256, matching the Gitea/GitHub/GitLab convention so existing CI integrations work without custom code. Behaviour: - per-project / per-site signing_secret is independent of the URL secret - require_signature flag does a hard 401 on missing/invalid signatures - even when require_signature is off, an invalid submitted signature returns 401 — surfaces CI misconfiguration instead of silently passing - comparison uses subtle/hmac.Equal (constant time) Backend: - store: webhook_signing_secret + webhook_require_signature columns on projects + static_sites; scanProject helper, scan helpers updated; new Set* helpers for both fields - webhook/handler: verifyHMAC helper, body read once, integrated into both project and site handlers - api: per-entity signing-secret rotate / disable / require-toggle endpoints under /api/{projects,sites}/{id}/webhook/... Frontend: - WebhookPanel gains optional signing handlers (no breaking change for existing callers; signing UI hides when handlers aren't wired) - one-shot reveal of the issued secret with copy + dismiss - ToggleSwitch for require-signature, disabled until a secret is issued - en/ru i18n strings Tests: - HMACRequiredAndValid (200 + deploy fires) - HMACRequiredButMissing (401, no deploy) - HMACPresentButWrong (401 even when require_signature=false) - HMACOptionalUnsignedAccepted (200 when neither configured)	2026-05-07 02:34:40 +03:00
alexei.dolgolyov	a4362b842d	fix: harden security, fix concurrency bugs, and address review findings Build / build (push) Successful in 11m42s Details Security: - rate limit /api/webhook routes per-IP and cap concurrent site syncs - global SSE connection cap (256) with new sse_gate - validate ?tail= and cap JSON log responses at 4 MiB - strip ANSI/CSI/OSC and control bytes from streamed log lines - redact webhook secret from request log middleware - scrub host details from /api/health for non-admin viewers - drop container_id from /api/system/stats/top for non-admins - generate webhook secrets via crypto/rand; require >=32 chars on insert - verify iid path consistency in streamContainerLogs - LimitReader on site webhook body; reject malformed non-empty bodies Concurrency / correctness: - stats collector: Stop() no longer hangs without Start(), semaphore acquired in parent loop so ctx cancellation short-circuits the queue, in-flight tick cancellable via shared base context, zero-ts guard - webhook handler: replace fire-and-forget goroutine with WaitGroup-tracked workers + Drain() wired into graceful shutdown - $derived(() => ...) mis-idiom fixed in ContainerStats / InstanceCard / ProjectCard (returned function instead of value) - SystemResourcesCard: rename `window` and `t` locals to avoid shadowing globalThis.window and the i18n `t` import Quality / performance: - replace O(n^2) insertion sort with sort.Slice in stats top - runMigrations only swallows duplicate-column / already-exists errors - PruneStatsSamplesBefore wrapped in a transaction - collapse N+1 in unusedImageStats / pruneImages to one ListAllInstances pass; surface DB errors instead of silently treating them as inactive - run Docker Info + DiskUsage in parallel via errgroup - container log SSE emits `: ping` heartbeat every 20 s - imageMatches case-insensitive on registry host (RFC behaviour) - log warning on invalid stage tag pattern instead of silent skip - reject malformed non-empty site webhook payloads Frontend / i18n: - shared formatBytes utility replaces three local copies - statsInterval store drives dynamic "no samples / collection disabled" copy across ContainerStats and SystemResourcesCard - top consumers row now shows owner_name (project/stage or site name) - drop seven `as any` casts on the Settings type; add cloudflare_api_token write-only field - move "Service status", "Docker daemon", "Docker unreachable", "Proxy unreachable", "reachable", and "Docker daemon is not reachable." strings into en/ru i18n bundles	2026-05-07 00:56:14 +03:00
alexei.dolgolyov	0632f512e6	feat(webhook): per-project and per-site webhook URLs Build / build (push) Successful in 10m25s Details Replace the single global webhook secret with entity-scoped secrets stored on each project and static site. Webhook-driven project autocreate is removed — projects must exist before their URL can trigger deploys. Also wires static-site webhooks (sync_trigger=push\|tag), turning the previously inert "push" trigger into a functional one: POST the site's webhook URL from a Git provider and Tinyforge re-syncs on matching refs. - Adds webhook_secret columns + unique indexes to projects and static_sites - Per-entity GET/regenerate endpoints under /api/projects/{id}/webhook and /api/sites/{id}/webhook (admin-only) - Removes /api/settings/webhook-url and the global webhook panel - Reusable WebhookPanel Svelte component on both detail pages, i18n in en/ru - Tests for matcher (siteRefMatches, ParseImageRef) and handler (project match/mismatch/404 and site push/manual/branch-skip)	2026-04-23 15:18:19 +03:00
alexei.dolgolyov	791cd4d6af	feat: rename Docker Watcher to Tinyforge Build / build (push) Successful in 12m20s Details Rebrand the project as Tinyforge to reflect its evolution from a Docker container watcher into a self-hosted mini CI/deployment platform. Rename covers: Go module path, Docker labels, DB/config filenames, JWT issuer, Dockerfile binary, docker-compose, CI workflows, frontend i18n, README with static sites docs, and all code comments.	2026-04-12 21:30:39 +03:00
alexei.dolgolyov	be6ad15efc	fix: comprehensive security, performance, and quality hardening Security: apply AdminOnly middleware to mutating routes, require ENCRYPTION_KEY and ADMIN_PASSWORD (no insecure defaults), restrict CORS to same-origin, fix OIDC token delivery via cookie instead of URL query param, add rate limiting on login, add MaxBytesReader, validate volume paths against traversal, add security headers, validate user roles, add Secure flag to OIDC cookie. Performance: set SQLite MaxOpenConns(1) to prevent SQLITE_BUSY, add FK indexes on 8 columns, track notifier goroutines with WaitGroup for graceful shutdown, use GetRegistryByName instead of GetAllRegistries in deployer, pass basePath param to avoid redundant settings query, return empty slices from store to remove reflection. Quality: refactor TriggerDeploy to delegate to runDeploy (~100 lines removed), consolidate duplicated utilities (extractPort, boolToInt, now, isTerminalStatus) into shared exports, migrate all log.Printf to slog structured logging, use consistent webhook response envelope, remove dead code (parseEnvVars, duplicate auth types). UX: clean up NPM proxy on instance removal via API, add README with quickstart guide, add .env.example, require ADMIN_PASSWORD in docker-compose, document staging-net prerequisite.	2026-03-29 12:49:24 +03:00
alexei.dolgolyov	1f81ca9eb0	fix(docker-watcher): address final review findings Security: - Move config export behind auth middleware - Validate OIDC callback token before storing in localStorage - Use constant-time comparison for webhook secret - Encrypt OIDC client secret at rest (like registry tokens) Performance: - Make TriggerDeploy async from HTTP handlers (return deploy ID immediately, run pipeline in background goroutine) Robustness: - Wrap api.ts res.json() in try/catch for non-JSON responses i18n: - Replace ~20 hardcoded English validation messages with $t() calls - Localize ConfirmDialog cancel button, InstanceCard confirm titles, ProjectCard instance/instances pluralization - Add validation keys to both en.json and ru.json	2026-03-28 00:14:53 +03:00
alexei.dolgolyov	eef60a4302	feat(docker-watcher): phase 6 - webhook handler Secret UUID-based webhook endpoint for CI image push notifications. Project/stage matching via glob patterns, auto-creation of unknown projects from image inspection. Fix JSON response injection.	2026-03-27 21:56:18 +03:00
alexei.dolgolyov	90be636d66	feat(docker-watcher): phase 5 - registry client & poller Gitea registry client with tag listing and pattern matching, cron-based polling scheduler with first-poll safety, poll state persistence. DeployTriggerer interface for decoupled deploy triggering.	2026-03-27 21:34:09 +03:00

15 Commits