Phase 4: AI-driven app/database/auth lifecycle

Workspace-owned deploy infra so AI agents can create and destroy
Coolify resources without ever touching the root admin token.

  vibn_workspaces
    + coolify_server_uuid, coolify_destination_uuid
    + coolify_environment_name (default "production")
    + coolify_private_key_uuid, gitea_bot_ssh_key_id

  ensureWorkspaceProvisioned
    + generates an ed25519 keypair per workspace
    + pushes pubkey to the Gitea bot user (read/write scoped by team)
    + registers privkey in Coolify as a reusable deploy key

  New endpoints under /api/workspaces/[slug]/
    apps/                POST (private-deploy-key from Gitea repo)
    apps/[uuid]          PATCH, DELETE?confirm=<name>
    apps/[uuid]/domains  GET, PATCH (policy: *.{ws}.vibnai.com only)
    databases/           GET, POST (8 types incl. postgres, clickhouse, dragonfly)
    databases/[uuid]     GET, PATCH, DELETE?confirm=<name>
    auth/                GET, POST (Pocketbase, Authentik, Keycloak, Pocket-ID, Logto, Supertokens)
    auth/[uuid]          DELETE?confirm=<name>

  MCP (/api/mcp) gains 15 new tools that mirror the REST surface and
  enforce the same workspace tenancy + delete-confirm guard.

  Safety: destructive ops require ?confirm=<exact-resource-name>; volumes
  are kept by default (pass delete_volumes=true to drop).

Made-with: Cursor

lib/workspaces.ts

@@ -19,7 +19,12 @@
 
 import { randomBytes } from 'crypto';
 import { query, queryOne } from '@/lib/db-postgres';
-import { createProject as createCoolifyProject } from '@/lib/coolify';
+import {
+  createProject as createCoolifyProject,
+  createPrivateKey as createCoolifyPrivateKey,
+  COOLIFY_DEFAULT_SERVER_UUID,
+  COOLIFY_DEFAULT_DESTINATION_UUID,
+} from '@/lib/coolify';
 import {
   createOrg,
   getOrg,
@@ -29,8 +34,11 @@ import {
   createAccessTokenFor,
   ensureOrgTeamMembership,
   adminEditUser,
+  adminAddUserSshKey,
+  adminListUserSshKeys,
 } from '@/lib/gitea';
 import { encryptSecret, decryptSecret } from '@/lib/auth/secret-box';
+import { generateEd25519Keypair } from '@/lib/ssh-keys';
 
 export interface VibnWorkspace {
   id: string;
@@ -39,10 +47,15 @@ export interface VibnWorkspace {
   owner_user_id: string;
   coolify_project_uuid: string | null;
   coolify_team_id: number | null;
+  coolify_server_uuid: string | null;
+  coolify_destination_uuid: string | null;
+  coolify_environment_name: string;
+  coolify_private_key_uuid: string | null;
   gitea_org: string | null;
   gitea_bot_username: string | null;
   gitea_bot_user_id: number | null;
   gitea_bot_token_encrypted: string | null;
+  gitea_bot_ssh_key_id: number | null;
   provision_status: 'pending' | 'partial' | 'ready' | 'error';
   provision_error: string | null;
   created_at: Date;
@@ -183,11 +196,18 @@ export async function ensureWorkspaceProvisioned(workspace: VibnWorkspace): Prom
     workspace.coolify_project_uuid &&
     workspace.gitea_org &&
     workspace.gitea_bot_username &&
-    workspace.gitea_bot_token_encrypted;
+    workspace.gitea_bot_token_encrypted &&
+    workspace.coolify_private_key_uuid &&
+    workspace.gitea_bot_ssh_key_id;
   if (fullyProvisioned) return workspace;
 
   let coolifyUuid = workspace.coolify_project_uuid;
   let giteaOrg = workspace.gitea_org;
+  let coolifyServerUuid = workspace.coolify_server_uuid ?? COOLIFY_DEFAULT_SERVER_UUID;
+  let coolifyDestinationUuid =
+    workspace.coolify_destination_uuid ?? COOLIFY_DEFAULT_DESTINATION_UUID;
+  let coolifyPrivateKeyUuid = workspace.coolify_private_key_uuid;
+  let giteaBotSshKeyId = workspace.gitea_bot_ssh_key_id;
   const errors: string[] = [];
 
   // ── Coolify Project ────────────────────────────────────────────────
@@ -323,20 +343,83 @@ export async function ensureWorkspaceProvisioned(workspace: VibnWorkspace): Prom
     }
   }
 
-  const allReady = !!(coolifyUuid && giteaOrg && botUsername && botTokenEncrypted);
+  // ── Per-workspace SSH deploy keypair ──────────────────────────────
+  // Used by Coolify to clone private Gitea repos this workspace owns.
+  // We generate the keypair in-process, push the public key to Gitea
+  // (under the bot user so its team memberships scope repo access),
+  // and register the private key in Coolify. Neither key is ever
+  // persisted directly by Vibn — we only keep their ids.
+  if (botUsername && (!coolifyPrivateKeyUuid || !giteaBotSshKeyId)) {
+    try {
+      const comment = `vibn-${workspace.slug}@${botUsername}`;
+      const kp = generateEd25519Keypair(comment);
+
+      // Register public key on Gitea bot if not already present.
+      if (!giteaBotSshKeyId) {
+        // Protect against double-adding on re-provisioning by looking
+        // for an existing key with our canonical title first.
+        const title = `vibn-${workspace.slug}-coolify`;
+        let existingId: number | null = null;
+        try {
+          const keys = await adminListUserSshKeys(botUsername);
+          existingId = keys.find(k => k.title === title)?.id ?? null;
+        } catch {
+          /* list failure is non-fatal */
+        }
+        if (existingId) {
+          giteaBotSshKeyId = existingId;
+        } else {
+          const added = await adminAddUserSshKey({
+            username: botUsername,
+            title,
+            key: kp.publicKeyOpenSsh,
+            readOnly: false,
+          });
+          giteaBotSshKeyId = added.id;
+        }
+      }
+
+      // Register private key in Coolify if not already present.
+      if (!coolifyPrivateKeyUuid) {
+        const created = await createCoolifyPrivateKey({
+          name: `vibn-${workspace.slug}-gitea`,
+          description: `Workspace ${workspace.slug} Gitea deploy key (${kp.fingerprint})`,
+          privateKeyPem: kp.privateKeyPem,
+        });
+        coolifyPrivateKeyUuid = created.uuid;
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      errors.push(`ssh-key: ${msg}`);
+      console.error('[workspaces] SSH deploy-key provisioning failed', workspace.slug, msg);
+    }
+  }
+
+  const allReady = !!(
+    coolifyUuid &&
+    giteaOrg &&
+    botUsername &&
+    botTokenEncrypted &&
+    coolifyPrivateKeyUuid &&
+    giteaBotSshKeyId
+  );
   const status: VibnWorkspace['provision_status'] =
     allReady ? 'ready' : errors.length > 0 ? 'partial' : 'pending';
 
   const updated = await query<VibnWorkspace>(
     `UPDATE vibn_workspaces
-     SET coolify_project_uuid     = COALESCE($2, coolify_project_uuid),
-         gitea_org                = COALESCE($3, gitea_org),
-         gitea_bot_username       = COALESCE($4, gitea_bot_username),
-         gitea_bot_user_id        = COALESCE($5, gitea_bot_user_id),
-         gitea_bot_token_encrypted= COALESCE($6, gitea_bot_token_encrypted),
-         provision_status         = $7,
-         provision_error          = $8,
-         updated_at               = now()
+     SET coolify_project_uuid      = COALESCE($2, coolify_project_uuid),
+         gitea_org                 = COALESCE($3, gitea_org),
+         gitea_bot_username        = COALESCE($4, gitea_bot_username),
+         gitea_bot_user_id         = COALESCE($5, gitea_bot_user_id),
+         gitea_bot_token_encrypted = COALESCE($6, gitea_bot_token_encrypted),
+         coolify_server_uuid       = COALESCE($7, coolify_server_uuid),
+         coolify_destination_uuid  = COALESCE($8, coolify_destination_uuid),
+         coolify_private_key_uuid  = COALESCE($9, coolify_private_key_uuid),
+         gitea_bot_ssh_key_id      = COALESCE($10, gitea_bot_ssh_key_id),
+         provision_status          = $11,
+         provision_error           = $12,
+         updated_at                = now()
      WHERE id = $1
      RETURNING *`,
     [
@@ -346,6 +429,10 @@ export async function ensureWorkspaceProvisioned(workspace: VibnWorkspace): Prom
       botUsername,
       botUserId,
       botTokenEncrypted,
+      coolifyServerUuid,
+      coolifyDestinationUuid,
+      coolifyPrivateKeyUuid,
+      giteaBotSshKeyId,
       status,
       errors.length ? errors.join('; ') : null,
     ]