mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 4: AI-driven app/database/auth lifecycle

Browse Source 
Workspace-owned deploy infra so AI agents can create and destroy
Coolify resources without ever touching the root admin token.

  vibn_workspaces
    + coolify_server_uuid, coolify_destination_uuid
    + coolify_environment_name (default "production")
    + coolify_private_key_uuid, gitea_bot_ssh_key_id

  ensureWorkspaceProvisioned
    + generates an ed25519 keypair per workspace
    + pushes pubkey to the Gitea bot user (read/write scoped by team)
    + registers privkey in Coolify as a reusable deploy key

  New endpoints under /api/workspaces/[slug]/
    apps/                POST (private-deploy-key from Gitea repo)
    apps/[uuid]          PATCH, DELETE?confirm=<name>
    apps/[uuid]/domains  GET, PATCH (policy: *.{ws}.vibnai.com only)
    databases/           GET, POST (8 types incl. postgres, clickhouse, dragonfly)
    databases/[uuid]     GET, PATCH, DELETE?confirm=<name>
    auth/                GET, POST (Pocketbase, Authentik, Keycloak, Pocket-ID, Logto, Supertokens)
    auth/[uuid]          DELETE?confirm=<name>

  MCP (/api/mcp) gains 15 new tools that mirror the REST surface and
  enforce the same workspace tenancy + delete-confirm guard.

  Safety: destructive ops require ?confirm=<exact-resource-name>; volumes
  are kept by default (pass delete_volumes=true to drop).

Made-with: Cursor
This commit is contained in:
Mark Henderson
2026-04-21 12:04:59 -07:00
parent b51fb6da21
commit 0797717bc1
14 changed files with 2274 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
app/api/admin/migrate/route.ts
View File

@@ -198,6 +198,23 @@ export async function POST(req: NextRequest) {
`ALTER TABLE vibn_workspaces ADD COLUMN IF NOT EXISTS gitea_bot_username TEXT`,
`ALTER TABLE vibn_workspaces ADD COLUMN IF NOT EXISTS gitea_bot_user_id INT`,
`ALTER TABLE vibn_workspaces ADD COLUMN IF NOT EXISTS gitea_bot_token_encrypted TEXT`,
// ── Phase 4: workspace-owned deploy infra ────────────────────────
// Lets AI agents create Coolify applications/databases/services
// against a Gitea repo the bot can read, routed to the right
// server and Docker destination, and exposed under the workspace's
// own subdomain namespace.
//
// coolify_server_uuid — which Coolify server the workspace deploys to
// coolify_destination_uuid — Docker network / destination on that server
// coolify_environment_name — Coolify environment (default "production")
// coolify_private_key_uuid — workspace-wide SSH deploy key (Coolify-side UUID)
// gitea_bot_ssh_key_id — Gitea key id for the matching public key (for rotation)
`ALTER TABLE vibn_workspaces ADD COLUMN IF NOT EXISTS coolify_server_uuid TEXT`,
`ALTER TABLE vibn_workspaces ADD COLUMN IF NOT EXISTS coolify_destination_uuid TEXT`,
`ALTER TABLE vibn_workspaces ADD COLUMN IF NOT EXISTS coolify_environment_name TEXT NOT NULL DEFAULT 'production'`,
`ALTER TABLE vibn_workspaces ADD COLUMN IF NOT EXISTS coolify_private_key_uuid TEXT`,
`ALTER TABLE vibn_workspaces ADD COLUMN IF NOT EXISTS gitea_bot_ssh_key_id INT`,
];
for (const stmt of statements) {

470
app/api/mcp/route.ts
View File

@@ -30,8 +30,31 @@ import {
TenantError,
upsertApplicationEnv,
deleteApplicationEnv,
// Phase 4 ── create/update/delete + domains + databases + services
createPrivateDeployKeyApp,
updateApplication,
deleteApplication,
setApplicationDomains,
listDatabasesInProject,
createDatabase,
getDatabaseInProject,
updateDatabase,
deleteDatabase,
listServicesInProject,
createService,
getServiceInProject,
deleteService,
type CoolifyDatabaseType,
} from '@/lib/coolify';
import { query } from '@/lib/db-postgres';
import { getRepo } from '@/lib/gitea';
import {
giteaSshUrl,
isDomainUnderWorkspace,
slugify,
toDomainsString,
workspaceAppFqdn,
} from '@/lib/naming';
const GITEA_API_URL = process.env.GITEA_API_URL ?? 'https://git.vibnai.com';
@@ -42,7 +65,7 @@ const GITEA_API_URL = process.env.GITEA_API_URL ?? 'https://git.vibnai.com';
export async function GET() {
return NextResponse.json({
name: 'vibn-mcp',
version: '2.0.0',
version: '2.1.0',
authentication: {
scheme: 'Bearer',
tokenPrefix: 'vibn_sk_',
@@ -60,11 +83,24 @@ export async function GET() {
'projects.get',
'apps.list',
'apps.get',
'apps.create',
'apps.update',
'apps.delete',
'apps.deploy',
'apps.deployments',
'apps.domains.list',
'apps.domains.set',
'apps.envs.list',
'apps.envs.upsert',
'apps.envs.delete',
'databases.list',
'databases.create',
'databases.get',
'databases.update',
'databases.delete',
'auth.list',
'auth.create',
'auth.delete',
],
},
},
@@ -126,6 +162,35 @@ export async function POST(request: Request) {
case 'apps.envs.delete':
return await toolAppsEnvsDelete(principal, params);
case 'apps.create':
return await toolAppsCreate(principal, params);
case 'apps.update':
return await toolAppsUpdate(principal, params);
case 'apps.delete':
return await toolAppsDelete(principal, params);
case 'apps.domains.list':
return await toolAppsDomainsList(principal, params);
case 'apps.domains.set':
return await toolAppsDomainsSet(principal, params);
case 'databases.list':
return await toolDatabasesList(principal);
case 'databases.create':
return await toolDatabasesCreate(principal, params);
case 'databases.get':
return await toolDatabasesGet(principal, params);
case 'databases.update':
return await toolDatabasesUpdate(principal, params);
case 'databases.delete':
return await toolDatabasesDelete(principal, params);
case 'auth.list':
return await toolAuthList(principal);
case 'auth.create':
return await toolAuthCreate(principal, params);
case 'auth.delete':
return await toolAuthDelete(principal, params);
default:
return NextResponse.json(
{ error: `Unknown tool "${action}"` },
@@ -351,3 +416,406 @@ async function toolAppsEnvsDelete(principal: Principal, params: Record<string, a
await deleteApplicationEnv(appUuid, key);
return NextResponse.json({ result: { ok: true, key } });
}
// ──────────────────────────────────────────────────
// Phase 4: apps create/update/delete + domains
// ──────────────────────────────────────────────────
async function toolAppsCreate(principal: Principal, params: Record<string, any>) {
const ws = principal.workspace;
if (!ws.coolify_project_uuid || !ws.coolify_private_key_uuid || !ws.gitea_org) {
return NextResponse.json(
{ error: 'Workspace not fully provisioned (need Coolify project + deploy key + Gitea org)' },
{ status: 503 }
);
}
const repoIn = String(params.repo ?? '').trim();
if (!repoIn) return NextResponse.json({ error: 'Param "repo" is required' }, { status: 400 });
const parts = repoIn.replace(/\.git$/, '').split('/');
const repoOrg = parts.length === 2 ? parts[0] : ws.gitea_org;
const repoName = parts.length === 2 ? parts[1] : parts[0];
if (repoOrg !== ws.gitea_org) {
return NextResponse.json(
{ error: `Repo owner ${repoOrg} is not this workspace's org ${ws.gitea_org}` },
{ status: 403 }
);
}
const repo = await getRepo(repoOrg, repoName);
if (!repo) {
return NextResponse.json({ error: `Repo ${repoOrg}/${repoName} not found in Gitea` }, { status: 404 });
}
const appName = slugify(String(params.name ?? repoName));
const fqdn = String(params.domain ?? '').trim()
? String(params.domain).replace(/^https?:\/\//, '')
: workspaceAppFqdn(ws.slug, appName);
if (!isDomainUnderWorkspace(fqdn, ws.slug)) {
return NextResponse.json(
{ error: `Domain ${fqdn} must end with .${ws.slug}.vibnai.com` },
{ status: 403 }
);
}
const created = await createPrivateDeployKeyApp({
projectUuid: ws.coolify_project_uuid,
serverUuid: ws.coolify_server_uuid ?? undefined,
environmentName: ws.coolify_environment_name,
destinationUuid: ws.coolify_destination_uuid ?? undefined,
privateKeyUuid: ws.coolify_private_key_uuid,
gitRepository: giteaSshUrl(repoOrg, repoName),
gitBranch: String(params.branch ?? repo.default_branch ?? 'main'),
portsExposes: String(params.ports ?? '3000'),
buildPack: (params.buildPack as any) ?? 'nixpacks',
name: appName,
domains: toDomainsString([fqdn]),
isAutoDeployEnabled: true,
isForceHttpsEnabled: true,
instantDeploy: false,
});
// Attach envs
if (params.envs && typeof params.envs === 'object') {
for (const [k, v] of Object.entries(params.envs as Record<string, unknown>)) {
if (!/^[A-Z_][A-Z0-9_]*$/i.test(k)) continue;
try {
await upsertApplicationEnv(created.uuid, { key: k, value: String(v) });
} catch (e) {
console.warn('[mcp apps.create] upsert env failed', k, e);
}
}
}
let deploymentUuid: string | null = null;
if (params.instantDeploy !== false) {
try {
const dep = await deployApplication(created.uuid);
deploymentUuid = dep.deployment_uuid ?? null;
} catch (e) {
console.warn('[mcp apps.create] first deploy failed', e);
}
}
return NextResponse.json({
result: {
uuid: created.uuid,
name: appName,
domain: fqdn,
url: `https://${fqdn}`,
deploymentUuid,
},
});
}
async function toolAppsUpdate(principal: Principal, params: Record<string, any>) {
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const appUuid = String(params.uuid ?? params.appUuid ?? '').trim();
if (!appUuid) return NextResponse.json({ error: 'Param "uuid" is required' }, { status: 400 });
await getApplicationInProject(appUuid, projectUuid);
const allowed = new Set([
'name', 'description', 'git_branch', 'build_pack', 'ports_exposes',
'install_command', 'build_command', 'start_command',
'base_directory', 'dockerfile_location',
'is_auto_deploy_enabled', 'is_force_https_enabled', 'static_image',
]);
const patch: Record<string, unknown> = {};
for (const [k, v] of Object.entries(params)) {
if (allowed.has(k) && v !== undefined) patch[k] = v;
}
if (Object.keys(patch).length === 0) {
return NextResponse.json({ error: 'No updatable fields in params' }, { status: 400 });
}
await updateApplication(appUuid, patch);
return NextResponse.json({ result: { ok: true, uuid: appUuid } });
}
async function toolAppsDelete(principal: Principal, params: Record<string, any>) {
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const appUuid = String(params.uuid ?? params.appUuid ?? '').trim();
if (!appUuid) return NextResponse.json({ error: 'Param "uuid" is required' }, { status: 400 });
const app = await getApplicationInProject(appUuid, projectUuid);
const confirm = String(params.confirm ?? '');
if (confirm !== app.name) {
return NextResponse.json(
{ error: 'Confirmation required', hint: `Pass confirm=${app.name} to delete` },
{ status: 409 }
);
}
const deleteVolumes = params.deleteVolumes === true;
await deleteApplication(appUuid, {
deleteConfigurations: true,
deleteVolumes,
deleteConnectedNetworks: true,
dockerCleanup: true,
});
return NextResponse.json({
result: { ok: true, deleted: { uuid: appUuid, name: app.name, volumesKept: !deleteVolumes } },
});
}
async function toolAppsDomainsList(principal: Principal, params: Record<string, any>) {
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const appUuid = String(params.uuid ?? params.appUuid ?? '').trim();
if (!appUuid) return NextResponse.json({ error: 'Param "uuid" is required' }, { status: 400 });
const app = await getApplicationInProject(appUuid, projectUuid);
const raw = (app.domains ?? app.fqdn ?? '') as string;
const list = raw
.split(/[,\s]+/)
.map(s => s.trim())
.filter(Boolean)
.map(s => s.replace(/^https?:\/\//, '').replace(/\/+$/, ''));
return NextResponse.json({ result: { uuid: appUuid, domains: list } });
}
async function toolAppsDomainsSet(principal: Principal, params: Record<string, any>) {
const ws = principal.workspace;
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const appUuid = String(params.uuid ?? params.appUuid ?? '').trim();
const domainsIn = Array.isArray(params.domains) ? params.domains : [];
if (!appUuid || domainsIn.length === 0) {
return NextResponse.json({ error: 'Params "uuid" and "domains[]" are required' }, { status: 400 });
}
await getApplicationInProject(appUuid, projectUuid);
const normalized: string[] = [];
for (const d of domainsIn) {
if (typeof d !== 'string' || !d.trim()) continue;
const clean = d.replace(/^https?:\/\//, '').replace(/\/+$/, '').toLowerCase();
if (!isDomainUnderWorkspace(clean, ws.slug)) {
return NextResponse.json(
{ error: `Domain ${clean} must end with .${ws.slug}.vibnai.com` },
{ status: 403 }
);
}
normalized.push(clean);
}
await setApplicationDomains(appUuid, normalized, { forceOverride: true });
return NextResponse.json({ result: { uuid: appUuid, domains: normalized } });
}
// ──────────────────────────────────────────────────
// Phase 4: databases
// ──────────────────────────────────────────────────
const DB_TYPES: readonly CoolifyDatabaseType[] = [
'postgresql', 'mysql', 'mariadb', 'mongodb',
'redis', 'keydb', 'dragonfly', 'clickhouse',
];
async function toolDatabasesList(principal: Principal) {
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const dbs = await listDatabasesInProject(projectUuid);
return NextResponse.json({
result: dbs.map(d => ({
uuid: d.uuid,
name: d.name,
type: d.type ?? null,
status: d.status,
isPublic: d.is_public ?? false,
publicPort: d.public_port ?? null,
})),
});
}
async function toolDatabasesCreate(principal: Principal, params: Record<string, any>) {
const ws = principal.workspace;
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const type = String(params.type ?? '').toLowerCase() as CoolifyDatabaseType;
if (!DB_TYPES.includes(type)) {
return NextResponse.json(
{ error: `Param "type" must be one of: ${DB_TYPES.join(', ')}` },
{ status: 400 }
);
}
const name = slugify(String(params.name ?? `${type}-${Date.now().toString(36)}`));
const { uuid } = await createDatabase({
type,
name,
description: params.description ? String(params.description) : undefined,
projectUuid,
serverUuid: ws.coolify_server_uuid ?? undefined,
environmentName: ws.coolify_environment_name,
destinationUuid: ws.coolify_destination_uuid ?? undefined,
isPublic: params.isPublic === true,
publicPort: typeof params.publicPort === 'number' ? params.publicPort : undefined,
image: params.image ? String(params.image) : undefined,
credentials: params.credentials && typeof params.credentials === 'object' ? params.credentials : {},
limits: params.limits && typeof params.limits === 'object' ? params.limits : undefined,
instantDeploy: params.instantDeploy !== false,
});
const db = await getDatabaseInProject(uuid, projectUuid);
return NextResponse.json({
result: {
uuid: db.uuid,
name: db.name,
type: db.type ?? type,
status: db.status,
internalUrl: db.internal_db_url ?? null,
externalUrl: db.external_db_url ?? null,
},
});
}
async function toolDatabasesGet(principal: Principal, params: Record<string, any>) {
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const uuid = String(params.uuid ?? '').trim();
if (!uuid) return NextResponse.json({ error: 'Param "uuid" is required' }, { status: 400 });
const db = await getDatabaseInProject(uuid, projectUuid);
return NextResponse.json({
result: {
uuid: db.uuid,
name: db.name,
type: db.type ?? null,
status: db.status,
isPublic: db.is_public ?? false,
publicPort: db.public_port ?? null,
internalUrl: db.internal_db_url ?? null,
externalUrl: db.external_db_url ?? null,
},
});
}
async function toolDatabasesUpdate(principal: Principal, params: Record<string, any>) {
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const uuid = String(params.uuid ?? '').trim();
if (!uuid) return NextResponse.json({ error: 'Param "uuid" is required' }, { status: 400 });
await getDatabaseInProject(uuid, projectUuid);
const allowed = new Set(['name', 'description', 'is_public', 'public_port', 'image', 'limits_memory', 'limits_cpus']);
const patch: Record<string, unknown> = {};
for (const [k, v] of Object.entries(params)) {
if (allowed.has(k) && v !== undefined) patch[k] = v;
}
if (Object.keys(patch).length === 0) {
return NextResponse.json({ error: 'No updatable fields in params' }, { status: 400 });
}
await updateDatabase(uuid, patch);
return NextResponse.json({ result: { ok: true, uuid } });
}
async function toolDatabasesDelete(principal: Principal, params: Record<string, any>) {
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const uuid = String(params.uuid ?? '').trim();
if (!uuid) return NextResponse.json({ error: 'Param "uuid" is required' }, { status: 400 });
const db = await getDatabaseInProject(uuid, projectUuid);
const confirm = String(params.confirm ?? '');
if (confirm !== db.name) {
return NextResponse.json(
{ error: 'Confirmation required', hint: `Pass confirm=${db.name} to delete` },
{ status: 409 }
);
}
const deleteVolumes = params.deleteVolumes === true;
await deleteDatabase(uuid, {
deleteConfigurations: true,
deleteVolumes,
deleteConnectedNetworks: true,
dockerCleanup: true,
});
return NextResponse.json({
result: { ok: true, deleted: { uuid, name: db.name, volumesKept: !deleteVolumes } },
});
}
// ──────────────────────────────────────────────────
// Phase 4: auth providers (Coolify services, curated allowlist)
// ──────────────────────────────────────────────────
const AUTH_PROVIDERS_MCP: Record<string, string> = {
pocketbase: 'pocketbase',
authentik: 'authentik',
keycloak: 'keycloak',
'keycloak-with-postgres': 'keycloak-with-postgres',
'pocket-id': 'pocket-id',
'pocket-id-with-postgresql': 'pocket-id-with-postgresql',
logto: 'logto',
'supertokens-with-postgresql': 'supertokens-with-postgresql',
};
async function toolAuthList(principal: Principal) {
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const all = await listServicesInProject(projectUuid);
const slugs = new Set(Object.values(AUTH_PROVIDERS_MCP));
return NextResponse.json({
result: {
providers: all
.filter(s => {
for (const slug of slugs) {
if (s.name === slug || s.name.startsWith(`${slug}-`)) return true;
}
return false;
})
.map(s => ({ uuid: s.uuid, name: s.name, status: s.status ?? null })),
allowedProviders: Object.keys(AUTH_PROVIDERS_MCP),
},
});
}
async function toolAuthCreate(principal: Principal, params: Record<string, any>) {
const ws = principal.workspace;
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const key = String(params.provider ?? '').toLowerCase().trim();
const coolifyType = AUTH_PROVIDERS_MCP[key];
if (!coolifyType) {
return NextResponse.json(
{
error: `Unsupported provider "${key}"`,
allowed: Object.keys(AUTH_PROVIDERS_MCP),
},
{ status: 400 }
);
}
const name = slugify(String(params.name ?? key));
const { uuid } = await createService({
projectUuid,
type: coolifyType,
name,
description: params.description ? String(params.description) : undefined,
serverUuid: ws.coolify_server_uuid ?? undefined,
environmentName: ws.coolify_environment_name,
destinationUuid: ws.coolify_destination_uuid ?? undefined,
instantDeploy: params.instantDeploy !== false,
});
const svc = await getServiceInProject(uuid, projectUuid);
return NextResponse.json({
result: { uuid: svc.uuid, name: svc.name, provider: key, status: svc.status ?? null },
});
}
async function toolAuthDelete(principal: Principal, params: Record<string, any>) {
const projectUuid = requireCoolifyProject(principal);
if (projectUuid instanceof NextResponse) return projectUuid;
const uuid = String(params.uuid ?? '').trim();
if (!uuid) return NextResponse.json({ error: 'Param "uuid" is required' }, { status: 400 });
const svc = await getServiceInProject(uuid, projectUuid);
const confirm = String(params.confirm ?? '');
if (confirm !== svc.name) {
return NextResponse.json(
{ error: 'Confirmation required', hint: `Pass confirm=${svc.name} to delete` },
{ status: 409 }
);
}
const deleteVolumes = params.deleteVolumes === true;
await deleteService(uuid, {
deleteConfigurations: true,
deleteVolumes,
deleteConnectedNetworks: true,
dockerCleanup: true,
});
return NextResponse.json({
result: { ok: true, deleted: { uuid, name: svc.name, volumesKept: !deleteVolumes } },
});
}

114
app/api/workspaces/[slug]/apps/[uuid]/domains/route.ts Normal file
View File

@@ -0,0 +1,114 @@
/**
* GET /api/workspaces/[slug]/apps/[uuid]/domains — list current domains
* PATCH /api/workspaces/[slug]/apps/[uuid]/domains — replace domain set
*
* Body: { domains: string[] } — each must end with .{workspace}.vibnai.com.
* We enforce workspace-subdomain policy here to prevent AI-driven
* hijacking of other workspaces' subdomains.
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import {
getApplicationInProject,
setApplicationDomains,
TenantError,
} from '@/lib/coolify';
import {
isDomainUnderWorkspace,
parseDomainsString,
workspaceAppFqdn,
slugify,
} from '@/lib/naming';
export async function GET(
request: Request,
{ params }: { params: Promise<{ slug: string; uuid: string }> }
) {
const { slug, uuid } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
try {
const app = await getApplicationInProject(uuid, ws.coolify_project_uuid);
return NextResponse.json({
uuid: app.uuid,
name: app.name,
domains: parseDomainsString(app.domains ?? app.fqdn ?? ''),
workspaceDomainSuffix: `${ws.slug}.vibnai.com`,
});
} catch (err) {
if (err instanceof TenantError) {
return NextResponse.json({ error: err.message }, { status: 403 });
}
return NextResponse.json({ error: 'App not found' }, { status: 404 });
}
}
export async function PATCH(
request: Request,
{ params }: { params: Promise<{ slug: string; uuid: string }> }
) {
const { slug, uuid } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
let app;
try {
app = await getApplicationInProject(uuid, ws.coolify_project_uuid);
} catch (err) {
if (err instanceof TenantError) {
return NextResponse.json({ error: err.message }, { status: 403 });
}
return NextResponse.json({ error: 'App not found' }, { status: 404 });
}
let body: { domains?: string[] } = {};
try {
body = await request.json();
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
}
const raw = Array.isArray(body.domains) ? body.domains : [];
if (raw.length === 0) {
return NextResponse.json({ error: '`domains` must be a non-empty array' }, { status: 400 });
}
// Normalize + policy-check.
const normalized: string[] = [];
for (const d of raw) {
if (typeof d !== 'string' || !d.trim()) continue;
const clean = d.replace(/^https?:\/\//, '').replace(/\/+$/, '').toLowerCase();
if (!isDomainUnderWorkspace(clean, ws.slug)) {
return NextResponse.json(
{
error: `Domain ${clean} is not allowed; must end with .${ws.slug}.vibnai.com`,
hint: `Use ${workspaceAppFqdn(ws.slug, slugify(app.name))}`,
},
{ status: 403 }
);
}
normalized.push(clean);
}
try {
await setApplicationDomains(uuid, normalized, { forceOverride: true });
return NextResponse.json({ ok: true, uuid, domains: normalized });
} catch (err) {
return NextResponse.json(
{ error: 'Coolify domain update failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}

144
app/api/workspaces/[slug]/apps/[uuid]/route.ts
View File

@@ -1,13 +1,23 @@
/**
* GET /api/workspaces/[slug]/apps/[uuid]
* GET /api/workspaces/[slug]/apps/[uuid] — app details
* PATCH /api/workspaces/[slug]/apps/[uuid] — update fields (name/branch/build config)
* DELETE /api/workspaces/[slug]/apps/[uuid]?confirm=<name>
* — destroy app. Volumes kept by default.
*
* Single Coolify app details. Verifies the app's project uuid matches
* the workspace's before returning anything.
* All verify the app's project uuid matches the workspace's before
* acting. DELETE additionally requires `?confirm=<exact-resource-name>`
* to prevent AI-driven accidents.
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import { getApplicationInProject, projectUuidOf, TenantError } from '@/lib/coolify';
import {
getApplicationInProject,
projectUuidOf,
TenantError,
updateApplication,
deleteApplication,
} from '@/lib/coolify';
export async function GET(
request: Request,
@@ -29,6 +39,7 @@ export async function GET(
name: app.name,
status: app.status,
fqdn: app.fqdn ?? null,
domains: app.domains ?? null,
gitRepository: app.git_repository ?? null,
gitBranch: app.git_branch ?? null,
projectUuid: projectUuidOf(app),
@@ -43,3 +54,128 @@ export async function GET(
);
}
}
export async function PATCH(
request: Request,
{ params }: { params: Promise<{ slug: string; uuid: string }> }
) {
const { slug, uuid } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
// Verify tenancy first (400-style fail fast on cross-tenant access).
try {
await getApplicationInProject(uuid, ws.coolify_project_uuid);
} catch (err) {
if (err instanceof TenantError) {
return NextResponse.json({ error: err.message }, { status: 403 });
}
return NextResponse.json({ error: 'App not found' }, { status: 404 });
}
let body: Record<string, unknown> = {};
try {
body = await request.json();
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
}
// Whitelist which Coolify fields we expose to AI-level callers.
// Domains are managed via the dedicated /domains subroute.
const allowed = new Set([
'name',
'description',
'git_branch',
'build_pack',
'ports_exposes',
'install_command',
'build_command',
'start_command',
'base_directory',
'dockerfile_location',
'is_auto_deploy_enabled',
'is_force_https_enabled',
'static_image',
]);
const patch: Record<string, unknown> = {};
for (const [k, v] of Object.entries(body)) {
if (allowed.has(k) && v !== undefined) patch[k] = v;
}
if (Object.keys(patch).length === 0) {
return NextResponse.json({ error: 'No updatable fields in body' }, { status: 400 });
}
try {
await updateApplication(uuid, patch);
return NextResponse.json({ ok: true, uuid });
} catch (err) {
return NextResponse.json(
{ error: 'Coolify update failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}
export async function DELETE(
request: Request,
{ params }: { params: Promise<{ slug: string; uuid: string }> }
) {
const { slug, uuid } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
// Resolve the app and verify tenancy.
let app;
try {
app = await getApplicationInProject(uuid, ws.coolify_project_uuid);
} catch (err) {
if (err instanceof TenantError) {
return NextResponse.json({ error: err.message }, { status: 403 });
}
return NextResponse.json({ error: 'App not found' }, { status: 404 });
}
// Require `?confirm=<exact app name>` to prevent accidental destroys.
const url = new URL(request.url);
const confirm = url.searchParams.get('confirm');
if (confirm !== app.name) {
return NextResponse.json(
{
error: 'Confirmation required',
hint: `Pass ?confirm=${app.name} to delete this app`,
},
{ status: 409 }
);
}
// Default: preserve volumes (user data). Caller can opt in.
const deleteVolumes = url.searchParams.get('delete_volumes') === 'true';
const deleteConfigurations = url.searchParams.get('delete_configurations') !== 'false';
const deleteConnectedNetworks = url.searchParams.get('delete_connected_networks') !== 'false';
const dockerCleanup = url.searchParams.get('docker_cleanup') !== 'false';
try {
await deleteApplication(uuid, {
deleteConfigurations,
deleteVolumes,
deleteConnectedNetworks,
dockerCleanup,
});
return NextResponse.json({ ok: true, deleted: { uuid, name: app.name, volumesKept: !deleteVolumes } });
} catch (err) {
return NextResponse.json(
{ error: 'Coolify delete failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}

186
app/api/workspaces/[slug]/apps/route.ts
View File

@@ -1,15 +1,43 @@
/**
* GET /api/workspaces/[slug]/apps — list Coolify apps in this workspace
* GET /api/workspaces/[slug]/apps — list Coolify apps in this workspace
* POST /api/workspaces/[slug]/apps — create a new app from a Gitea repo
*
* Auth: session OR `Bearer vibn_sk_...`. The workspace's
* `coolify_project_uuid` acts as the tenant boundary — any app whose
* Coolify project uuid doesn't match is filtered out even if the
* token issuer accidentally had wider reach.
*
* POST body:
* {
* repo: string, // "my-api" or "{org}/my-api"
* branch?: string, // default: "main"
* name?: string, // default: derived from repo
* ports?: string, // default: "3000"
* buildPack?: "nixpacks"|"static"|"dockerfile"|"dockercompose"
* domain?: string, // default: {app}.{workspace}.vibnai.com
* envs?: Record<string,string>
* instantDeploy?: boolean, // default: true
* }
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import { listApplicationsInProject, projectUuidOf } from '@/lib/coolify';
import {
listApplicationsInProject,
projectUuidOf,
createPrivateDeployKeyApp,
upsertApplicationEnv,
getApplication,
deployApplication,
} from '@/lib/coolify';
import {
slugify,
workspaceAppFqdn,
toDomainsString,
isDomainUnderWorkspace,
giteaSshUrl,
} from '@/lib/naming';
import { getRepo } from '@/lib/gitea';
export async function GET(
request: Request,
@@ -36,6 +64,7 @@ export async function GET(
name: a.name,
status: a.status,
fqdn: a.fqdn ?? null,
domains: a.domains ?? null,
gitRepository: a.git_repository ?? null,
gitBranch: a.git_branch ?? null,
projectUuid: projectUuidOf(a),
@@ -48,3 +77,156 @@ export async function GET(
);
}
}
export async function POST(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (
!ws.coolify_project_uuid ||
!ws.coolify_private_key_uuid ||
!ws.gitea_org
) {
return NextResponse.json(
{ error: 'Workspace not fully provisioned (need Coolify project + deploy key + Gitea org)' },
{ status: 503 }
);
}
type Body = {
repo?: string;
branch?: string;
name?: string;
ports?: string;
buildPack?: 'nixpacks' | 'static' | 'dockerfile' | 'dockercompose';
domain?: string;
envs?: Record<string, string>;
instantDeploy?: boolean;
description?: string;
baseDirectory?: string;
installCommand?: string;
buildCommand?: string;
startCommand?: string;
dockerfileLocation?: string;
};
let body: Body = {};
try {
body = (await request.json()) as Body;
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
}
if (!body.repo || typeof body.repo !== 'string') {
return NextResponse.json({ error: 'Missing "repo" field' }, { status: 400 });
}
// Accept either "repo-name" (assumed in workspace org) or "org/repo".
const parts = body.repo.replace(/\.git$/, '').split('/');
const repoOrg = parts.length === 2 ? parts[0] : ws.gitea_org;
const repoName = parts.length === 2 ? parts[1] : parts[0];
if (repoOrg !== ws.gitea_org) {
return NextResponse.json(
{ error: `Repo owner ${repoOrg} is not this workspace's org ${ws.gitea_org}` },
{ status: 403 }
);
}
if (!/^[a-zA-Z0-9._-]+$/.test(repoName)) {
return NextResponse.json({ error: 'Invalid repo name' }, { status: 400 });
}
// Verify the repo actually exists in Gitea (fail fast).
const repo = await getRepo(repoOrg, repoName);
if (!repo) {
return NextResponse.json(
{ error: `Repo ${repoOrg}/${repoName} not found in Gitea` },
{ status: 404 }
);
}
const appName = slugify(body.name ?? repoName);
const fqdn = body.domain
? body.domain.replace(/^https?:\/\//, '')
: workspaceAppFqdn(ws.slug, appName);
if (!isDomainUnderWorkspace(fqdn, ws.slug)) {
return NextResponse.json(
{ error: `Domain ${fqdn} must end with .${ws.slug}.vibnai.com` },
{ status: 403 }
);
}
try {
const created = await createPrivateDeployKeyApp({
projectUuid: ws.coolify_project_uuid,
serverUuid: ws.coolify_server_uuid ?? undefined,
environmentName: ws.coolify_environment_name,
destinationUuid: ws.coolify_destination_uuid ?? undefined,
privateKeyUuid: ws.coolify_private_key_uuid,
gitRepository: giteaSshUrl(repoOrg, repoName),
gitBranch: body.branch ?? repo.default_branch ?? 'main',
portsExposes: body.ports ?? '3000',
buildPack: body.buildPack ?? 'nixpacks',
name: appName,
description: body.description ?? `AI-created from ${repoOrg}/${repoName}`,
domains: toDomainsString([fqdn]),
isAutoDeployEnabled: true,
isForceHttpsEnabled: true,
// We defer the first deploy until envs are attached so they
// show up in the initial build.
instantDeploy: false,
baseDirectory: body.baseDirectory,
installCommand: body.installCommand,
buildCommand: body.buildCommand,
startCommand: body.startCommand,
dockerfileLocation: body.dockerfileLocation,
});
// Attach env vars (best-effort — don't fail the whole create on one bad key).
if (body.envs && typeof body.envs === 'object') {
for (const [key, value] of Object.entries(body.envs)) {
if (!/^[A-Z_][A-Z0-9_]*$/i.test(key)) continue;
try {
await upsertApplicationEnv(created.uuid, { key, value });
} catch (e) {
console.warn('[apps.POST] upsert env failed', key, e);
}
}
}
// Now kick off the first deploy (unless the caller opted out).
let deploymentUuid: string | null = null;
if (body.instantDeploy !== false) {
try {
const dep = await deployApplication(created.uuid);
deploymentUuid = dep.deployment_uuid ?? null;
} catch (e) {
console.warn('[apps.POST] initial deploy failed', e);
}
}
// Return a hydrated object (status / urls) for the UI.
const app = await getApplication(created.uuid);
return NextResponse.json(
{
uuid: app.uuid,
name: app.name,
status: app.status,
domain: fqdn,
url: `https://${fqdn}`,
gitRepository: app.git_repository ?? null,
gitBranch: app.git_branch ?? null,
deploymentUuid,
},
{ status: 201 }
);
} catch (err) {
return NextResponse.json(
{ error: 'Coolify create failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}

92
app/api/workspaces/[slug]/auth/[uuid]/route.ts Normal file
View File

@@ -0,0 +1,92 @@
/**
* GET /api/workspaces/[slug]/auth/[uuid] — provider details
* DELETE /api/workspaces/[slug]/auth/[uuid]?confirm=<name>
* Volumes KEPT by default (don't blow away user accounts).
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import {
getServiceInProject,
deleteService,
projectUuidOf,
TenantError,
} from '@/lib/coolify';
export async function GET(
request: Request,
{ params }: { params: Promise<{ slug: string; uuid: string }> }
) {
const { slug, uuid } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
try {
const svc = await getServiceInProject(uuid, ws.coolify_project_uuid);
return NextResponse.json({
uuid: svc.uuid,
name: svc.name,
status: svc.status ?? null,
projectUuid: projectUuidOf(svc),
});
} catch (err) {
if (err instanceof TenantError) return NextResponse.json({ error: err.message }, { status: 403 });
return NextResponse.json({ error: 'Provider not found' }, { status: 404 });
}
}
export async function DELETE(
request: Request,
{ params }: { params: Promise<{ slug: string; uuid: string }> }
) {
const { slug, uuid } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
let svc;
try {
svc = await getServiceInProject(uuid, ws.coolify_project_uuid);
} catch (err) {
if (err instanceof TenantError) return NextResponse.json({ error: err.message }, { status: 403 });
return NextResponse.json({ error: 'Provider not found' }, { status: 404 });
}
const url = new URL(request.url);
const confirm = url.searchParams.get('confirm');
if (confirm !== svc.name) {
return NextResponse.json(
{ error: 'Confirmation required', hint: `Pass ?confirm=${svc.name}` },
{ status: 409 }
);
}
const deleteVolumes = url.searchParams.get('delete_volumes') === 'true';
try {
await deleteService(uuid, {
deleteConfigurations: true,
deleteVolumes,
deleteConnectedNetworks: true,
dockerCleanup: true,
});
return NextResponse.json({
ok: true,
deleted: { uuid, name: svc.name, volumesKept: !deleteVolumes },
});
} catch (err) {
return NextResponse.json(
{ error: 'Coolify delete failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}

174
app/api/workspaces/[slug]/auth/route.ts Normal file
View File

@@ -0,0 +1,174 @@
/**
* Workspace authentication providers.
*
* GET /api/workspaces/[slug]/auth — list auth-provider services
* POST /api/workspaces/[slug]/auth — provision one of the vetted providers
*
* AI-callers can only create providers from an allowlist — we deliberately
* skip the rest of Coolify's ~300 one-click templates so this endpoint
* stays focused on "auth for my app". The allowlist:
*
* pocketbase — lightweight (SQLite-backed) auth + data
* authentik — feature-rich self-hosted IDP
* keycloak — industry-standard OIDC/SAML
* keycloak-with-postgres
* pocket-id — passkey-first OIDC
* pocket-id-with-postgresql
* logto — dev-first IDP
* supertokens-with-postgresql — session/auth backend
*
* (Zitadel is not on Coolify's service catalog — callers that ask for
* it get a descriptive 400 so the AI knows to pick a supported one.)
*
* POST body:
* { provider: "pocketbase", name?: "auth" }
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import {
listServicesInProject,
createService,
getService,
projectUuidOf,
} from '@/lib/coolify';
import { slugify } from '@/lib/naming';
/**
* Vetted auth-provider service ids. Keys are what callers pass as
* `provider`; values are the Coolify service-template slugs.
*/
const AUTH_PROVIDERS: Record<string, string> = {
pocketbase: 'pocketbase',
authentik: 'authentik',
keycloak: 'keycloak',
'keycloak-with-postgres': 'keycloak-with-postgres',
'pocket-id': 'pocket-id',
'pocket-id-with-postgresql': 'pocket-id-with-postgresql',
logto: 'logto',
'supertokens-with-postgresql': 'supertokens-with-postgresql',
};
/** Anything in this set is Coolify-supported but not an auth provider (used for filtering the list view). */
const AUTH_PROVIDER_SLUGS = new Set(Object.values(AUTH_PROVIDERS));
export async function GET(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json(
{ error: 'Workspace has no Coolify project yet', providers: [] },
{ status: 503 }
);
}
try {
const all = await listServicesInProject(ws.coolify_project_uuid);
// Coolify returns all services — we narrow to ones whose name
// contains an auth-provider slug. We also return the full list so
// callers can see non-auth services without a separate endpoint.
return NextResponse.json({
workspace: { slug: ws.slug, coolifyProjectUuid: ws.coolify_project_uuid },
providers: all
.filter(s => AUTH_PROVIDER_SLUGS.has(deriveTypeFromName(s.name)))
.map(s => ({
uuid: s.uuid,
name: s.name,
status: s.status ?? null,
provider: deriveTypeFromName(s.name),
projectUuid: projectUuidOf(s),
})),
allowedProviders: Object.keys(AUTH_PROVIDERS),
});
} catch (err) {
return NextResponse.json(
{ error: 'Coolify request failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}
export async function POST(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
let body: { provider?: string; name?: string; description?: string; instantDeploy?: boolean } = {};
try {
body = await request.json();
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
}
const providerKey = (body.provider ?? '').toLowerCase().trim();
const coolifyType = AUTH_PROVIDERS[providerKey];
if (!coolifyType) {
return NextResponse.json(
{
error: `Unsupported provider "${providerKey}". Allowed: ${Object.keys(AUTH_PROVIDERS).join(', ')}`,
hint: 'Zitadel is not on Coolify v4 service catalog — use keycloak or authentik instead.',
},
{ status: 400 }
);
}
const name = slugify(body.name ?? providerKey);
try {
const created = await createService({
projectUuid: ws.coolify_project_uuid,
type: coolifyType,
name,
description: body.description ?? `AI-provisioned ${providerKey} for ${ws.slug}`,
serverUuid: ws.coolify_server_uuid ?? undefined,
environmentName: ws.coolify_environment_name,
destinationUuid: ws.coolify_destination_uuid ?? undefined,
instantDeploy: body.instantDeploy ?? true,
});
const svc = await getService(created.uuid);
return NextResponse.json(
{
uuid: svc.uuid,
name: svc.name,
provider: providerKey,
status: svc.status ?? null,
},
{ status: 201 }
);
} catch (err) {
return NextResponse.json(
{ error: 'Coolify create failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}
/**
* Coolify names services "{type}-{random-suffix}" when auto-named. We
* recover the provider slug by stripping the trailing `-\w+` if any
* and matching against our allowlist. Falls back to empty string.
*/
function deriveTypeFromName(name: string): string {
const candidates = Object.values(AUTH_PROVIDERS).sort((a, b) => b.length - a.length);
for (const slug of candidates) {
if (name === slug || name.startsWith(`${slug}-`) || name.startsWith(`${slug}_`)) {
return slug;
}
}
return '';
}

158
app/api/workspaces/[slug]/databases/[uuid]/route.ts Normal file
View File

@@ -0,0 +1,158 @@
/**
* GET /api/workspaces/[slug]/databases/[uuid] — database details (incl. URLs)
* PATCH /api/workspaces/[slug]/databases/[uuid] — update fields
* DELETE /api/workspaces/[slug]/databases/[uuid]?confirm=<name>
* Volumes KEPT by default (data). Pass &delete_volumes=true to drop.
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import {
getDatabaseInProject,
updateDatabase,
deleteDatabase,
projectUuidOf,
TenantError,
} from '@/lib/coolify';
export async function GET(
request: Request,
{ params }: { params: Promise<{ slug: string; uuid: string }> }
) {
const { slug, uuid } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
try {
const db = await getDatabaseInProject(uuid, ws.coolify_project_uuid);
return NextResponse.json({
uuid: db.uuid,
name: db.name,
type: db.type ?? null,
status: db.status,
isPublic: db.is_public ?? false,
publicPort: db.public_port ?? null,
internalUrl: db.internal_db_url ?? null,
externalUrl: db.external_db_url ?? null,
projectUuid: projectUuidOf(db),
});
} catch (err) {
if (err instanceof TenantError) return NextResponse.json({ error: err.message }, { status: 403 });
return NextResponse.json({ error: 'Database not found' }, { status: 404 });
}
}
export async function PATCH(
request: Request,
{ params }: { params: Promise<{ slug: string; uuid: string }> }
) {
const { slug, uuid } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
try {
await getDatabaseInProject(uuid, ws.coolify_project_uuid);
} catch (err) {
if (err instanceof TenantError) return NextResponse.json({ error: err.message }, { status: 403 });
return NextResponse.json({ error: 'Database not found' }, { status: 404 });
}
let body: Record<string, unknown> = {};
try {
body = await request.json();
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
}
const allowed = new Set([
'name',
'description',
'is_public',
'public_port',
'image',
'limits_memory',
'limits_cpus',
]);
const patch: Record<string, unknown> = {};
for (const [k, v] of Object.entries(body)) {
if (allowed.has(k) && v !== undefined) patch[k] = v;
}
if (Object.keys(patch).length === 0) {
return NextResponse.json({ error: 'No updatable fields in body' }, { status: 400 });
}
try {
await updateDatabase(uuid, patch);
return NextResponse.json({ ok: true, uuid });
} catch (err) {
return NextResponse.json(
{ error: 'Coolify update failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}
export async function DELETE(
request: Request,
{ params }: { params: Promise<{ slug: string; uuid: string }> }
) {
const { slug, uuid } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
let db;
try {
db = await getDatabaseInProject(uuid, ws.coolify_project_uuid);
} catch (err) {
if (err instanceof TenantError) return NextResponse.json({ error: err.message }, { status: 403 });
return NextResponse.json({ error: 'Database not found' }, { status: 404 });
}
const url = new URL(request.url);
const confirm = url.searchParams.get('confirm');
if (confirm !== db.name) {
return NextResponse.json(
{ error: 'Confirmation required', hint: `Pass ?confirm=${db.name}` },
{ status: 409 }
);
}
// Default: preserve volumes (it's a database — user data lives there).
const deleteVolumes = url.searchParams.get('delete_volumes') === 'true';
const deleteConfigurations = url.searchParams.get('delete_configurations') !== 'false';
const deleteConnectedNetworks = url.searchParams.get('delete_connected_networks') !== 'false';
const dockerCleanup = url.searchParams.get('docker_cleanup') !== 'false';
try {
await deleteDatabase(uuid, {
deleteConfigurations,
deleteVolumes,
deleteConnectedNetworks,
dockerCleanup,
});
return NextResponse.json({
ok: true,
deleted: { uuid, name: db.name, volumesKept: !deleteVolumes },
});
} catch (err) {
return NextResponse.json(
{ error: 'Coolify delete failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}

161
app/api/workspaces/[slug]/databases/route.ts Normal file
View File

@@ -0,0 +1,161 @@
/**
* GET /api/workspaces/[slug]/databases — list databases in this workspace
* POST /api/workspaces/[slug]/databases — provision a new database
*
* Supported `type` values (all that Coolify v4 can deploy):
* postgresql | mysql | mariadb | mongodb | redis | keydb | dragonfly | clickhouse
*
* POST body:
* {
* type: "postgresql",
* name?: "my-db",
* isPublic?: true, // expose a host port for remote clients
* publicPort?: 5433,
* image?: "postgres:16",
* credentials?: { ... } // type-specific (e.g. postgres_user)
* limits?: { memory?: "1G", cpus?: "1" },
* }
*
* Tenancy: every returned record is filtered to the workspace's own
* Coolify project UUID.
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import {
listDatabasesInProject,
createDatabase,
getDatabase,
projectUuidOf,
type CoolifyDatabaseType,
} from '@/lib/coolify';
import { slugify } from '@/lib/naming';
const SUPPORTED_TYPES: readonly CoolifyDatabaseType[] = [
'postgresql',
'mysql',
'mariadb',
'mongodb',
'redis',
'keydb',
'dragonfly',
'clickhouse',
];
export async function GET(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json(
{ error: 'Workspace has no Coolify project yet', databases: [] },
{ status: 503 }
);
}
try {
const dbs = await listDatabasesInProject(ws.coolify_project_uuid);
return NextResponse.json({
workspace: { slug: ws.slug, coolifyProjectUuid: ws.coolify_project_uuid },
databases: dbs.map(d => ({
uuid: d.uuid,
name: d.name,
type: d.type ?? null,
status: d.status,
isPublic: d.is_public ?? false,
publicPort: d.public_port ?? null,
projectUuid: projectUuidOf(d),
})),
});
} catch (err) {
return NextResponse.json(
{ error: 'Coolify request failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}
export async function POST(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (!ws.coolify_project_uuid) {
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
}
type Body = {
type?: string;
name?: string;
description?: string;
isPublic?: boolean;
publicPort?: number;
image?: string;
credentials?: Record<string, unknown>;
limits?: { memory?: string; cpus?: string };
instantDeploy?: boolean;
};
let body: Body = {};
try {
body = (await request.json()) as Body;
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
}
const type = body.type as CoolifyDatabaseType | undefined;
if (!type || !SUPPORTED_TYPES.includes(type)) {
return NextResponse.json(
{ error: `\`type\` must be one of: ${SUPPORTED_TYPES.join(', ')}` },
{ status: 400 }
);
}
const name = slugify(body.name ?? `${type}-${Date.now().toString(36)}`);
try {
const created = await createDatabase({
type,
name,
description: body.description,
projectUuid: ws.coolify_project_uuid,
serverUuid: ws.coolify_server_uuid ?? undefined,
environmentName: ws.coolify_environment_name,
destinationUuid: ws.coolify_destination_uuid ?? undefined,
isPublic: body.isPublic,
publicPort: body.publicPort,
image: body.image,
credentials: body.credentials,
limits: body.limits,
instantDeploy: body.instantDeploy ?? true,
});
const db = await getDatabase(created.uuid);
return NextResponse.json(
{
uuid: db.uuid,
name: db.name,
type: db.type ?? type,
status: db.status,
isPublic: db.is_public ?? false,
publicPort: db.public_port ?? null,
internalUrl: db.internal_db_url ?? null,
externalUrl: db.external_db_url ?? null,
},
{ status: 201 }
);
} catch (err) {
return NextResponse.json(
{ error: 'Coolify create failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}