Phase 4: AI-driven app/database/auth lifecycle
Workspace-owned deploy infra so AI agents can create and destroy
Coolify resources without ever touching the root admin token.
vibn_workspaces
+ coolify_server_uuid, coolify_destination_uuid
+ coolify_environment_name (default "production")
+ coolify_private_key_uuid, gitea_bot_ssh_key_id
ensureWorkspaceProvisioned
+ generates an ed25519 keypair per workspace
+ pushes pubkey to the Gitea bot user (read/write scoped by team)
+ registers privkey in Coolify as a reusable deploy key
New endpoints under /api/workspaces/[slug]/
apps/ POST (private-deploy-key from Gitea repo)
apps/[uuid] PATCH, DELETE?confirm=<name>
apps/[uuid]/domains GET, PATCH (policy: *.{ws}.vibnai.com only)
databases/ GET, POST (8 types incl. postgres, clickhouse, dragonfly)
databases/[uuid] GET, PATCH, DELETE?confirm=<name>
auth/ GET, POST (Pocketbase, Authentik, Keycloak, Pocket-ID, Logto, Supertokens)
auth/[uuid] DELETE?confirm=<name>
MCP (/api/mcp) gains 15 new tools that mirror the REST surface and
enforce the same workspace tenancy + delete-confirm guard.
Safety: destructive ops require ?confirm=<exact-resource-name>; volumes
are kept by default (pass delete_volumes=true to drop).
Made-with: Cursor
This commit is contained in:
114
app/api/workspaces/[slug]/apps/[uuid]/domains/route.ts
Normal file
114
app/api/workspaces/[slug]/apps/[uuid]/domains/route.ts
Normal file
@@ -0,0 +1,114 @@
|
||||
/**
|
||||
* GET /api/workspaces/[slug]/apps/[uuid]/domains — list current domains
|
||||
* PATCH /api/workspaces/[slug]/apps/[uuid]/domains — replace domain set
|
||||
*
|
||||
* Body: { domains: string[] } — each must end with .{workspace}.vibnai.com.
|
||||
* We enforce workspace-subdomain policy here to prevent AI-driven
|
||||
* hijacking of other workspaces' subdomains.
|
||||
*/
|
||||
|
||||
import { NextResponse } from 'next/server';
|
||||
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
|
||||
import {
|
||||
getApplicationInProject,
|
||||
setApplicationDomains,
|
||||
TenantError,
|
||||
} from '@/lib/coolify';
|
||||
import {
|
||||
isDomainUnderWorkspace,
|
||||
parseDomainsString,
|
||||
workspaceAppFqdn,
|
||||
slugify,
|
||||
} from '@/lib/naming';
|
||||
|
||||
export async function GET(
|
||||
request: Request,
|
||||
{ params }: { params: Promise<{ slug: string; uuid: string }> }
|
||||
) {
|
||||
const { slug, uuid } = await params;
|
||||
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
|
||||
if (principal instanceof NextResponse) return principal;
|
||||
|
||||
const ws = principal.workspace;
|
||||
if (!ws.coolify_project_uuid) {
|
||||
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
|
||||
}
|
||||
|
||||
try {
|
||||
const app = await getApplicationInProject(uuid, ws.coolify_project_uuid);
|
||||
return NextResponse.json({
|
||||
uuid: app.uuid,
|
||||
name: app.name,
|
||||
domains: parseDomainsString(app.domains ?? app.fqdn ?? ''),
|
||||
workspaceDomainSuffix: `${ws.slug}.vibnai.com`,
|
||||
});
|
||||
} catch (err) {
|
||||
if (err instanceof TenantError) {
|
||||
return NextResponse.json({ error: err.message }, { status: 403 });
|
||||
}
|
||||
return NextResponse.json({ error: 'App not found' }, { status: 404 });
|
||||
}
|
||||
}
|
||||
|
||||
export async function PATCH(
|
||||
request: Request,
|
||||
{ params }: { params: Promise<{ slug: string; uuid: string }> }
|
||||
) {
|
||||
const { slug, uuid } = await params;
|
||||
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
|
||||
if (principal instanceof NextResponse) return principal;
|
||||
|
||||
const ws = principal.workspace;
|
||||
if (!ws.coolify_project_uuid) {
|
||||
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
|
||||
}
|
||||
|
||||
let app;
|
||||
try {
|
||||
app = await getApplicationInProject(uuid, ws.coolify_project_uuid);
|
||||
} catch (err) {
|
||||
if (err instanceof TenantError) {
|
||||
return NextResponse.json({ error: err.message }, { status: 403 });
|
||||
}
|
||||
return NextResponse.json({ error: 'App not found' }, { status: 404 });
|
||||
}
|
||||
|
||||
let body: { domains?: string[] } = {};
|
||||
try {
|
||||
body = await request.json();
|
||||
} catch {
|
||||
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
|
||||
}
|
||||
|
||||
const raw = Array.isArray(body.domains) ? body.domains : [];
|
||||
if (raw.length === 0) {
|
||||
return NextResponse.json({ error: '`domains` must be a non-empty array' }, { status: 400 });
|
||||
}
|
||||
|
||||
// Normalize + policy-check.
|
||||
const normalized: string[] = [];
|
||||
for (const d of raw) {
|
||||
if (typeof d !== 'string' || !d.trim()) continue;
|
||||
const clean = d.replace(/^https?:\/\//, '').replace(/\/+$/, '').toLowerCase();
|
||||
if (!isDomainUnderWorkspace(clean, ws.slug)) {
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: `Domain ${clean} is not allowed; must end with .${ws.slug}.vibnai.com`,
|
||||
hint: `Use ${workspaceAppFqdn(ws.slug, slugify(app.name))}`,
|
||||
},
|
||||
{ status: 403 }
|
||||
);
|
||||
}
|
||||
normalized.push(clean);
|
||||
}
|
||||
|
||||
try {
|
||||
await setApplicationDomains(uuid, normalized, { forceOverride: true });
|
||||
return NextResponse.json({ ok: true, uuid, domains: normalized });
|
||||
} catch (err) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Coolify domain update failed', details: err instanceof Error ? err.message : String(err) },
|
||||
{ status: 502 }
|
||||
);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user