Phase 4: AI-driven app/database/auth lifecycle

Workspace-owned deploy infra so AI agents can create and destroy Coolify resources without ever touching the root admin token. vibn_workspaces + coolify_server_uuid, coolify_destination_uuid + coolify_environment_name (default "production") + coolify_private_key_uuid, gitea_bot_ssh_key_id ensureWorkspaceProvisioned + generates an ed25519 keypair per workspace + pushes pubkey to the Gitea bot user (read/write scoped by team) + registers privkey in Coolify as a reusable deploy key New endpoints under /api/workspaces/[slug]/ apps/ POST (private-deploy-key from Gitea repo) apps/[uuid] PATCH, DELETE?confirm=<name> apps/[uuid]/domains GET, PATCH (policy: *.{ws}.vibnai.com only) databases/ GET, POST (8 types incl. postgres, clickhouse, dragonfly) databases/[uuid] GET, PATCH, DELETE?confirm=<name> auth/ GET, POST (Pocketbase, Authentik, Keycloak, Pocket-ID, Logto, Supertokens) auth/[uuid] DELETE?confirm=<name> MCP (/api/mcp) gains 15 new tools that mirror the REST surface and enforce the same workspace tenancy + delete-confirm guard. Safety: destructive ops require ?confirm=<exact-resource-name>; volumes are kept by default (pass delete_volumes=true to drop). Made-with: Cursor
2026-04-21 12:04:59 -07:00
parent b51fb6da21
commit 0797717bc1
14 changed files with 2274 additions and 118 deletions
--- a/app/api/workspaces/[slug]/apps/[uuid]/domains/route.ts
+++ b/app/api/workspaces/[slug]/apps/[uuid]/domains/route.ts
@@ -0,0 +1,114 @@
+/**
+ * GET   /api/workspaces/[slug]/apps/[uuid]/domains  — list current domains
+ * PATCH /api/workspaces/[slug]/apps/[uuid]/domains  — replace domain set
+ *
+ * Body: { domains: string[] } — each must end with .{workspace}.vibnai.com.
+ * We enforce workspace-subdomain policy here to prevent AI-driven
+ * hijacking of other workspaces' subdomains.
+ */
+
+import { NextResponse } from 'next/server';
+import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
+import {
+  getApplicationInProject,
+  setApplicationDomains,
+  TenantError,
+} from '@/lib/coolify';
+import {
+  isDomainUnderWorkspace,
+  parseDomainsString,
+  workspaceAppFqdn,
+  slugify,
+} from '@/lib/naming';
+
+export async function GET(
+  request: Request,
+  { params }: { params: Promise<{ slug: string; uuid: string }> }
+) {
+  const { slug, uuid } = await params;
+  const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
+  if (principal instanceof NextResponse) return principal;
+
+  const ws = principal.workspace;
+  if (!ws.coolify_project_uuid) {
+    return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
+  }
+
+  try {
+    const app = await getApplicationInProject(uuid, ws.coolify_project_uuid);
+    return NextResponse.json({
+      uuid: app.uuid,
+      name: app.name,
+      domains: parseDomainsString(app.domains ?? app.fqdn ?? ''),
+      workspaceDomainSuffix: `${ws.slug}.vibnai.com`,
+    });
+  } catch (err) {
+    if (err instanceof TenantError) {
+      return NextResponse.json({ error: err.message }, { status: 403 });
+    }
+    return NextResponse.json({ error: 'App not found' }, { status: 404 });
+  }
+}
+
+export async function PATCH(
+  request: Request,
+  { params }: { params: Promise<{ slug: string; uuid: string }> }
+) {
+  const { slug, uuid } = await params;
+  const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
+  if (principal instanceof NextResponse) return principal;
+
+  const ws = principal.workspace;
+  if (!ws.coolify_project_uuid) {
+    return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
+  }
+
+  let app;
+  try {
+    app = await getApplicationInProject(uuid, ws.coolify_project_uuid);
+  } catch (err) {
+    if (err instanceof TenantError) {
+      return NextResponse.json({ error: err.message }, { status: 403 });
+    }
+    return NextResponse.json({ error: 'App not found' }, { status: 404 });
+  }
+
+  let body: { domains?: string[] } = {};
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
+  }
+
+  const raw = Array.isArray(body.domains) ? body.domains : [];
+  if (raw.length === 0) {
+    return NextResponse.json({ error: '`domains` must be a non-empty array' }, { status: 400 });
+  }
+
+  // Normalize + policy-check.
+  const normalized: string[] = [];
+  for (const d of raw) {
+    if (typeof d !== 'string' || !d.trim()) continue;
+    const clean = d.replace(/^https?:\/\//, '').replace(/\/+$/, '').toLowerCase();
+    if (!isDomainUnderWorkspace(clean, ws.slug)) {
+      return NextResponse.json(
+        {
+          error: `Domain ${clean} is not allowed; must end with .${ws.slug}.vibnai.com`,
+          hint: `Use ${workspaceAppFqdn(ws.slug, slugify(app.name))}`,
+        },
+        { status: 403 }
+      );
+    }
+    normalized.push(clean);
+  }
+
+  try {
+    await setApplicationDomains(uuid, normalized, { forceOverride: true });
+    return NextResponse.json({ ok: true, uuid, domains: normalized });
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Coolify domain update failed', details: err instanceof Error ? err.message : String(err) },
+      { status: 502 }
+    );
+  }
+}
--- a/app/api/workspaces/[slug]/apps/[uuid]/route.ts
+++ b/app/api/workspaces/[slug]/apps/[uuid]/route.ts
@@ -1,13 +1,23 @@
 /**
- * GET /api/workspaces/[slug]/apps/[uuid]
+ * GET    /api/workspaces/[slug]/apps/[uuid]  — app details
+ * PATCH  /api/workspaces/[slug]/apps/[uuid]  — update fields (name/branch/build config)
+ * DELETE /api/workspaces/[slug]/apps/[uuid]?confirm=<name>
+ *                                             — destroy app. Volumes kept by default.
 *
- * Single Coolify app details. Verifies the app's project uuid matches
- * the workspace's before returning anything.
+ * All verify the app's project uuid matches the workspace's before
+ * acting. DELETE additionally requires `?confirm=<exact-resource-name>`
+ * to prevent AI-driven accidents.
 */

 import { NextResponse } from 'next/server';
 import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
-import { getApplicationInProject, projectUuidOf, TenantError } from '@/lib/coolify';
+import {
+  getApplicationInProject,
+  projectUuidOf,
+  TenantError,
+  updateApplication,
+  deleteApplication,
+} from '@/lib/coolify';

 export async function GET(
  request: Request,
@@ -29,6 +39,7 @@ export async function GET(
      name: app.name,
      status: app.status,
      fqdn: app.fqdn ?? null,
+      domains: app.domains ?? null,
      gitRepository: app.git_repository ?? null,
      gitBranch: app.git_branch ?? null,
      projectUuid: projectUuidOf(app),
@@ -43,3 +54,128 @@ export async function GET(
    );
  }
 }
+
+export async function PATCH(
+  request: Request,
+  { params }: { params: Promise<{ slug: string; uuid: string }> }
+) {
+  const { slug, uuid } = await params;
+  const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
+  if (principal instanceof NextResponse) return principal;
+
+  const ws = principal.workspace;
+  if (!ws.coolify_project_uuid) {
+    return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
+  }
+
+  // Verify tenancy first (400-style fail fast on cross-tenant access).
+  try {
+    await getApplicationInProject(uuid, ws.coolify_project_uuid);
+  } catch (err) {
+    if (err instanceof TenantError) {
+      return NextResponse.json({ error: err.message }, { status: 403 });
+    }
+    return NextResponse.json({ error: 'App not found' }, { status: 404 });
+  }
+
+  let body: Record<string, unknown> = {};
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
+  }
+
+  // Whitelist which Coolify fields we expose to AI-level callers.
+  // Domains are managed via the dedicated /domains subroute.
+  const allowed = new Set([
+    'name',
+    'description',
+    'git_branch',
+    'build_pack',
+    'ports_exposes',
+    'install_command',
+    'build_command',
+    'start_command',
+    'base_directory',
+    'dockerfile_location',
+    'is_auto_deploy_enabled',
+    'is_force_https_enabled',
+    'static_image',
+  ]);
+  const patch: Record<string, unknown> = {};
+  for (const [k, v] of Object.entries(body)) {
+    if (allowed.has(k) && v !== undefined) patch[k] = v;
+  }
+  if (Object.keys(patch).length === 0) {
+    return NextResponse.json({ error: 'No updatable fields in body' }, { status: 400 });
+  }
+
+  try {
+    await updateApplication(uuid, patch);
+    return NextResponse.json({ ok: true, uuid });
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Coolify update failed', details: err instanceof Error ? err.message : String(err) },
+      { status: 502 }
+    );
+  }
+}
+
+export async function DELETE(
+  request: Request,
+  { params }: { params: Promise<{ slug: string; uuid: string }> }
+) {
+  const { slug, uuid } = await params;
+  const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
+  if (principal instanceof NextResponse) return principal;
+
+  const ws = principal.workspace;
+  if (!ws.coolify_project_uuid) {
+    return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
+  }
+
+  // Resolve the app and verify tenancy.
+  let app;
+  try {
+    app = await getApplicationInProject(uuid, ws.coolify_project_uuid);
+  } catch (err) {
+    if (err instanceof TenantError) {
+      return NextResponse.json({ error: err.message }, { status: 403 });
+    }
+    return NextResponse.json({ error: 'App not found' }, { status: 404 });
+  }
+
+  // Require `?confirm=<exact app name>` to prevent accidental destroys.
+  const url = new URL(request.url);
+  const confirm = url.searchParams.get('confirm');
+  if (confirm !== app.name) {
+    return NextResponse.json(
+      {
+        error: 'Confirmation required',
+        hint: `Pass ?confirm=${app.name} to delete this app`,
+      },
+      { status: 409 }
+    );
+  }
+
+  // Default: preserve volumes (user data). Caller can opt in.
+  const deleteVolumes = url.searchParams.get('delete_volumes') === 'true';
+  const deleteConfigurations = url.searchParams.get('delete_configurations') !== 'false';
+  const deleteConnectedNetworks = url.searchParams.get('delete_connected_networks') !== 'false';
+  const dockerCleanup = url.searchParams.get('docker_cleanup') !== 'false';
+
+  try {
+    await deleteApplication(uuid, {
+      deleteConfigurations,
+      deleteVolumes,
+      deleteConnectedNetworks,
+      dockerCleanup,
+    });
+    return NextResponse.json({ ok: true, deleted: { uuid, name: app.name, volumesKept: !deleteVolumes } });
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Coolify delete failed', details: err instanceof Error ? err.message : String(err) },
+      { status: 502 }
+    );
+  }
+}
--- a/app/api/workspaces/[slug]/apps/route.ts
+++ b/app/api/workspaces/[slug]/apps/route.ts
@@ -1,15 +1,43 @@
 /**
- * GET /api/workspaces/[slug]/apps — list Coolify apps in this workspace
+ * GET  /api/workspaces/[slug]/apps — list Coolify apps in this workspace
+ * POST /api/workspaces/[slug]/apps — create a new app from a Gitea repo
 *
 * Auth: session OR `Bearer vibn_sk_...`. The workspace's
 * `coolify_project_uuid` acts as the tenant boundary — any app whose
 * Coolify project uuid doesn't match is filtered out even if the
 * token issuer accidentally had wider reach.
+ *
+ * POST body:
+ *   {
+ *     repo:       string,              // "my-api" or "{org}/my-api"
+ *     branch?:    string,              // default: "main"
+ *     name?:      string,              // default: derived from repo
+ *     ports?:     string,              // default: "3000"
+ *     buildPack?: "nixpacks"|"static"|"dockerfile"|"dockercompose"
+ *     domain?:    string,              // default: {app}.{workspace}.vibnai.com
+ *     envs?:      Record<string,string>
+ *     instantDeploy?: boolean,         // default: true
+ *   }
 */

 import { NextResponse } from 'next/server';
 import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
-import { listApplicationsInProject, projectUuidOf } from '@/lib/coolify';
+import {
+  listApplicationsInProject,
+  projectUuidOf,
+  createPrivateDeployKeyApp,
+  upsertApplicationEnv,
+  getApplication,
+  deployApplication,
+} from '@/lib/coolify';
+import {
+  slugify,
+  workspaceAppFqdn,
+  toDomainsString,
+  isDomainUnderWorkspace,
+  giteaSshUrl,
+} from '@/lib/naming';
+import { getRepo } from '@/lib/gitea';

 export async function GET(
  request: Request,
@@ -36,6 +64,7 @@ export async function GET(
        name: a.name,
        status: a.status,
        fqdn: a.fqdn ?? null,
+        domains: a.domains ?? null,
        gitRepository: a.git_repository ?? null,
        gitBranch: a.git_branch ?? null,
        projectUuid: projectUuidOf(a),
@@ -48,3 +77,156 @@ export async function GET(
    );
  }
 }
+
+export async function POST(
+  request: Request,
+  { params }: { params: Promise<{ slug: string }> }
+) {
+  const { slug } = await params;
+  const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
+  if (principal instanceof NextResponse) return principal;
+
+  const ws = principal.workspace;
+  if (
+    !ws.coolify_project_uuid ||
+    !ws.coolify_private_key_uuid ||
+    !ws.gitea_org
+  ) {
+    return NextResponse.json(
+      { error: 'Workspace not fully provisioned (need Coolify project + deploy key + Gitea org)' },
+      { status: 503 }
+    );
+  }
+
+  type Body = {
+    repo?: string;
+    branch?: string;
+    name?: string;
+    ports?: string;
+    buildPack?: 'nixpacks' | 'static' | 'dockerfile' | 'dockercompose';
+    domain?: string;
+    envs?: Record<string, string>;
+    instantDeploy?: boolean;
+    description?: string;
+    baseDirectory?: string;
+    installCommand?: string;
+    buildCommand?: string;
+    startCommand?: string;
+    dockerfileLocation?: string;
+  };
+  let body: Body = {};
+  try {
+    body = (await request.json()) as Body;
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
+  }
+
+  if (!body.repo || typeof body.repo !== 'string') {
+    return NextResponse.json({ error: 'Missing "repo" field' }, { status: 400 });
+  }
+
+  // Accept either "repo-name" (assumed in workspace org) or "org/repo".
+  const parts = body.repo.replace(/\.git$/, '').split('/');
+  const repoOrg = parts.length === 2 ? parts[0] : ws.gitea_org;
+  const repoName = parts.length === 2 ? parts[1] : parts[0];
+  if (repoOrg !== ws.gitea_org) {
+    return NextResponse.json(
+      { error: `Repo owner ${repoOrg} is not this workspace's org ${ws.gitea_org}` },
+      { status: 403 }
+    );
+  }
+  if (!/^[a-zA-Z0-9._-]+$/.test(repoName)) {
+    return NextResponse.json({ error: 'Invalid repo name' }, { status: 400 });
+  }
+
+  // Verify the repo actually exists in Gitea (fail fast).
+  const repo = await getRepo(repoOrg, repoName);
+  if (!repo) {
+    return NextResponse.json(
+      { error: `Repo ${repoOrg}/${repoName} not found in Gitea` },
+      { status: 404 }
+    );
+  }
+
+  const appName = slugify(body.name ?? repoName);
+  const fqdn = body.domain
+    ? body.domain.replace(/^https?:\/\//, '')
+    : workspaceAppFqdn(ws.slug, appName);
+  if (!isDomainUnderWorkspace(fqdn, ws.slug)) {
+    return NextResponse.json(
+      { error: `Domain ${fqdn} must end with .${ws.slug}.vibnai.com` },
+      { status: 403 }
+    );
+  }
+
+  try {
+    const created = await createPrivateDeployKeyApp({
+      projectUuid: ws.coolify_project_uuid,
+      serverUuid: ws.coolify_server_uuid ?? undefined,
+      environmentName: ws.coolify_environment_name,
+      destinationUuid: ws.coolify_destination_uuid ?? undefined,
+      privateKeyUuid: ws.coolify_private_key_uuid,
+      gitRepository: giteaSshUrl(repoOrg, repoName),
+      gitBranch: body.branch ?? repo.default_branch ?? 'main',
+      portsExposes: body.ports ?? '3000',
+      buildPack: body.buildPack ?? 'nixpacks',
+      name: appName,
+      description: body.description ?? `AI-created from ${repoOrg}/${repoName}`,
+      domains: toDomainsString([fqdn]),
+      isAutoDeployEnabled: true,
+      isForceHttpsEnabled: true,
+      // We defer the first deploy until envs are attached so they
+      // show up in the initial build.
+      instantDeploy: false,
+      baseDirectory: body.baseDirectory,
+      installCommand: body.installCommand,
+      buildCommand: body.buildCommand,
+      startCommand: body.startCommand,
+      dockerfileLocation: body.dockerfileLocation,
+    });
+
+    // Attach env vars (best-effort — don't fail the whole create on one bad key).
+    if (body.envs && typeof body.envs === 'object') {
+      for (const [key, value] of Object.entries(body.envs)) {
+        if (!/^[A-Z_][A-Z0-9_]*$/i.test(key)) continue;
+        try {
+          await upsertApplicationEnv(created.uuid, { key, value });
+        } catch (e) {
+          console.warn('[apps.POST] upsert env failed', key, e);
+        }
+      }
+    }
+
+    // Now kick off the first deploy (unless the caller opted out).
+    let deploymentUuid: string | null = null;
+    if (body.instantDeploy !== false) {
+      try {
+        const dep = await deployApplication(created.uuid);
+        deploymentUuid = dep.deployment_uuid ?? null;
+      } catch (e) {
+        console.warn('[apps.POST] initial deploy failed', e);
+      }
+    }
+
+    // Return a hydrated object (status / urls) for the UI.
+    const app = await getApplication(created.uuid);
+    return NextResponse.json(
+      {
+        uuid: app.uuid,
+        name: app.name,
+        status: app.status,
+        domain: fqdn,
+        url: `https://${fqdn}`,
+        gitRepository: app.git_repository ?? null,
+        gitBranch: app.git_branch ?? null,
+        deploymentUuid,
+      },
+      { status: 201 }
+    );
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Coolify create failed', details: err instanceof Error ? err.message : String(err) },
+      { status: 502 }
+    );
+  }
+}