mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 4: AI-driven app/database/auth lifecycle

Browse Source 
Workspace-owned deploy infra so AI agents can create and destroy
Coolify resources without ever touching the root admin token.

  vibn_workspaces
    + coolify_server_uuid, coolify_destination_uuid
    + coolify_environment_name (default "production")
    + coolify_private_key_uuid, gitea_bot_ssh_key_id

  ensureWorkspaceProvisioned
    + generates an ed25519 keypair per workspace
    + pushes pubkey to the Gitea bot user (read/write scoped by team)
    + registers privkey in Coolify as a reusable deploy key

  New endpoints under /api/workspaces/[slug]/
    apps/                POST (private-deploy-key from Gitea repo)
    apps/[uuid]          PATCH, DELETE?confirm=<name>
    apps/[uuid]/domains  GET, PATCH (policy: *.{ws}.vibnai.com only)
    databases/           GET, POST (8 types incl. postgres, clickhouse, dragonfly)
    databases/[uuid]     GET, PATCH, DELETE?confirm=<name>
    auth/                GET, POST (Pocketbase, Authentik, Keycloak, Pocket-ID, Logto, Supertokens)
    auth/[uuid]          DELETE?confirm=<name>

  MCP (/api/mcp) gains 15 new tools that mirror the REST surface and
  enforce the same workspace tenancy + delete-confirm guard.

  Safety: destructive ops require ?confirm=<exact-resource-name>; volumes
  are kept by default (pass delete_volumes=true to drop).

Made-with: Cursor
This commit is contained in:
Mark Henderson
2026-04-21 12:04:59 -07:00
parent b51fb6da21
commit 0797717bc1
14 changed files with 2274 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

186
app/api/workspaces/[slug]/apps/route.ts
View File

@@ -1,15 +1,43 @@
/**
* GET /api/workspaces/[slug]/apps — list Coolify apps in this workspace
* GET /api/workspaces/[slug]/apps — list Coolify apps in this workspace
* POST /api/workspaces/[slug]/apps — create a new app from a Gitea repo
*
* Auth: session OR `Bearer vibn_sk_...`. The workspace's
* `coolify_project_uuid` acts as the tenant boundary — any app whose
* Coolify project uuid doesn't match is filtered out even if the
* token issuer accidentally had wider reach.
*
* POST body:
* {
* repo: string, // "my-api" or "{org}/my-api"
* branch?: string, // default: "main"
* name?: string, // default: derived from repo
* ports?: string, // default: "3000"
* buildPack?: "nixpacks"|"static"|"dockerfile"|"dockercompose"
* domain?: string, // default: {app}.{workspace}.vibnai.com
* envs?: Record<string,string>
* instantDeploy?: boolean, // default: true
* }
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import { listApplicationsInProject, projectUuidOf } from '@/lib/coolify';
import {
listApplicationsInProject,
projectUuidOf,
createPrivateDeployKeyApp,
upsertApplicationEnv,
getApplication,
deployApplication,
} from '@/lib/coolify';
import {
slugify,
workspaceAppFqdn,
toDomainsString,
isDomainUnderWorkspace,
giteaSshUrl,
} from '@/lib/naming';
import { getRepo } from '@/lib/gitea';
export async function GET(
request: Request,
@@ -36,6 +64,7 @@ export async function GET(
name: a.name,
status: a.status,
fqdn: a.fqdn ?? null,
domains: a.domains ?? null,
gitRepository: a.git_repository ?? null,
gitBranch: a.git_branch ?? null,
projectUuid: projectUuidOf(a),
@@ -48,3 +77,156 @@ export async function GET(
);
}
}
export async function POST(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const ws = principal.workspace;
if (
!ws.coolify_project_uuid ||
!ws.coolify_private_key_uuid ||
!ws.gitea_org
) {
return NextResponse.json(
{ error: 'Workspace not fully provisioned (need Coolify project + deploy key + Gitea org)' },
{ status: 503 }
);
}
type Body = {
repo?: string;
branch?: string;
name?: string;
ports?: string;
buildPack?: 'nixpacks' | 'static' | 'dockerfile' | 'dockercompose';
domain?: string;
envs?: Record<string, string>;
instantDeploy?: boolean;
description?: string;
baseDirectory?: string;
installCommand?: string;
buildCommand?: string;
startCommand?: string;
dockerfileLocation?: string;
};
let body: Body = {};
try {
body = (await request.json()) as Body;
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
}
if (!body.repo || typeof body.repo !== 'string') {
return NextResponse.json({ error: 'Missing "repo" field' }, { status: 400 });
}
// Accept either "repo-name" (assumed in workspace org) or "org/repo".
const parts = body.repo.replace(/\.git$/, '').split('/');
const repoOrg = parts.length === 2 ? parts[0] : ws.gitea_org;
const repoName = parts.length === 2 ? parts[1] : parts[0];
if (repoOrg !== ws.gitea_org) {
return NextResponse.json(
{ error: `Repo owner ${repoOrg} is not this workspace's org ${ws.gitea_org}` },
{ status: 403 }
);
}
if (!/^[a-zA-Z0-9._-]+$/.test(repoName)) {
return NextResponse.json({ error: 'Invalid repo name' }, { status: 400 });
}
// Verify the repo actually exists in Gitea (fail fast).
const repo = await getRepo(repoOrg, repoName);
if (!repo) {
return NextResponse.json(
{ error: `Repo ${repoOrg}/${repoName} not found in Gitea` },
{ status: 404 }
);
}
const appName = slugify(body.name ?? repoName);
const fqdn = body.domain
? body.domain.replace(/^https?:\/\//, '')
: workspaceAppFqdn(ws.slug, appName);
if (!isDomainUnderWorkspace(fqdn, ws.slug)) {
return NextResponse.json(
{ error: `Domain ${fqdn} must end with .${ws.slug}.vibnai.com` },
{ status: 403 }
);
}
try {
const created = await createPrivateDeployKeyApp({
projectUuid: ws.coolify_project_uuid,
serverUuid: ws.coolify_server_uuid ?? undefined,
environmentName: ws.coolify_environment_name,
destinationUuid: ws.coolify_destination_uuid ?? undefined,
privateKeyUuid: ws.coolify_private_key_uuid,
gitRepository: giteaSshUrl(repoOrg, repoName),
gitBranch: body.branch ?? repo.default_branch ?? 'main',
portsExposes: body.ports ?? '3000',
buildPack: body.buildPack ?? 'nixpacks',
name: appName,
description: body.description ?? `AI-created from ${repoOrg}/${repoName}`,
domains: toDomainsString([fqdn]),
isAutoDeployEnabled: true,
isForceHttpsEnabled: true,
// We defer the first deploy until envs are attached so they
// show up in the initial build.
instantDeploy: false,
baseDirectory: body.baseDirectory,
installCommand: body.installCommand,
buildCommand: body.buildCommand,
startCommand: body.startCommand,
dockerfileLocation: body.dockerfileLocation,
});
// Attach env vars (best-effort — don't fail the whole create on one bad key).
if (body.envs && typeof body.envs === 'object') {
for (const [key, value] of Object.entries(body.envs)) {
if (!/^[A-Z_][A-Z0-9_]*$/i.test(key)) continue;
try {
await upsertApplicationEnv(created.uuid, { key, value });
} catch (e) {
console.warn('[apps.POST] upsert env failed', key, e);
}
}
}
// Now kick off the first deploy (unless the caller opted out).
let deploymentUuid: string | null = null;
if (body.instantDeploy !== false) {
try {
const dep = await deployApplication(created.uuid);
deploymentUuid = dep.deployment_uuid ?? null;
} catch (e) {
console.warn('[apps.POST] initial deploy failed', e);
}
}
// Return a hydrated object (status / urls) for the UI.
const app = await getApplication(created.uuid);
return NextResponse.json(
{
uuid: app.uuid,
name: app.name,
status: app.status,
domain: fqdn,
url: `https://${fqdn}`,
gitRepository: app.git_repository ?? null,
gitBranch: app.git_branch ?? null,
deploymentUuid,
},
{ status: 201 }
);
} catch (err) {
return NextResponse.json(
{ error: 'Coolify create failed', details: err instanceof Error ? err.message : String(err) },
{ status: 502 }
);
}
}