mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(workspaces): per-account tenancy + AI access keys + Cursor integration

Browse Source 
Adds logical multi-tenancy on top of Coolify + Gitea so every Vibn
account gets its own isolated tenant boundary, and exposes that
boundary to AI agents (Cursor, Claude Code, scripts) through
per-workspace bearer tokens.

Schema (additive, idempotent — run /api/admin/migrate once after deploy)
  - vibn_workspaces: slug, name, owner, coolify_project_uuid,
    coolify_team_id (reserved for when Coolify ships POST /teams),
    gitea_org, provision_status
  - vibn_workspace_members: room for multi-user workspaces later
  - vibn_workspace_api_keys: sha256-hashed bearer tokens
  - fs_projects.vibn_workspace_id: nullable FK linking projects
    to their workspace

Provisioning
  - On first sign-in, ensureWorkspaceForUser() inserts the row
    (no network calls — keeps signin fast).
  - On first project create, ensureWorkspaceProvisioned() lazily
    creates a Coolify Project (vibn-ws-{slug}) and a Gitea org
    (vibn-{slug}). Failures are recorded on the row, not thrown,
    and POST /api/workspaces/{slug}/provision retries.

Auth surface
  - lib/auth/workspace-auth.ts: requireWorkspacePrincipal() accepts
    either a NextAuth session or "Authorization: Bearer vibn_sk_...".
    The bearer key is hard-pinned to one workspace — it cannot
    reach any other tenant.
  - mintWorkspaceApiKey / listWorkspaceApiKeys / revokeWorkspaceApiKey

Routes
  - GET    /api/workspaces                         list
  - GET    /api/workspaces/[slug]                  details
  - POST   /api/workspaces/[slug]/provision        retry provisioning
  - GET    /api/workspaces/[slug]/keys             list keys
  - POST   /api/workspaces/[slug]/keys             mint key (token shown once)
  - DELETE /api/workspaces/[slug]/keys/[keyId]     revoke

UI
  - components/workspace/WorkspaceKeysPanel.tsx: identity card,
    keys CRUD with one-time secret reveal, and a "Connect Cursor"
    block with copy/download for:
      .cursor/rules/vibn-workspace.mdc — rule telling the agent
        about the API + workspace IDs + house rules
      ~/.cursor/mcp.json — MCP server registration with key
        embedded (server URL is /api/mcp; HTTP MCP route lands next)
      .env.local — VIBN_API_KEY + smoke-test curl
  - Slotted into existing /[workspace]/settings between Workspace
    and Notifications cards (no other layout changes).

projects/create
  - Resolves the user's workspace (creating + provisioning lazily).
  - Repos go under workspace.gitea_org (falls back to GITEA_ADMIN_USER
    for backwards compat).
  - Coolify services are created inside workspace.coolify_project_uuid
    (renamed {slug}-{appName} to stay unique within the namespace) —
    no more per-Vibn-project Coolify Project sprawl.
  - Stamps vibn_workspace_id on fs_projects.

lib/gitea
  - createOrg, getOrg, addOrgOwner, getUser
  - createRepo now routes /orgs/{owner}/repos when owner != admin

Also includes prior-turn auth hardening that was already in
authOptions.ts (CredentialsProvider for dev-local, isLocalNextAuth
cookie config) bundled in to keep the auth layer in one consistent
state.

.env.example
  - Documents GITEA_API_URL / GITEA_API_TOKEN / GITEA_ADMIN_USER /
    GITEA_WEBHOOK_SECRET and COOLIFY_URL / COOLIFY_API_TOKEN /
    COOLIFY_SERVER_UUID, with the canonical hostnames
    (git.vibnai.com, coolify.vibnai.com).

Post-deploy
  - Run once: curl -X POST https://vibnai.com/api/admin/migrate \\
      -H "x-admin-secret: \$ADMIN_MIGRATE_SECRET"
  - Existing users get a workspace row on next sign-in.
  - Existing fs_projects keep working (legacy gitea owner + their
    own per-project Coolify Projects); new projects use the
    workspace-scoped path.

Not in this commit (follow-ups)
  - Wiring requireWorkspacePrincipal into the rest of /api/projects/*
    so API keys can drive existing routes
  - HTTP MCP server at /api/mcp (the mcp.json snippet already
    points at the right URL — no client re-setup when it lands)
  - Backfill script to assign legacy fs_projects to a workspace

Made-with: Cursor
This commit is contained in:
Mark Henderson
2026-04-20 17:17:12 -07:00
parent ccc6cc1da5
commit acb63a2a5a
14 changed files with 1824 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/[workspace]/settings/page.tsx
View File

@@ -9,6 +9,7 @@ import { auth } from '@/lib/firebase/config';
import { toast } from 'sonner';
import { Settings, User, Bell, Shield, Trash2 } from 'lucide-react';
import { useParams, useRouter } from 'next/navigation';
import { WorkspaceKeysPanel } from '@/components/workspace/WorkspaceKeysPanel';
import {
AlertDialog,
AlertDialogAction,
@@ -177,6 +178,9 @@ export default function SettingsPage() {
</CardContent>
</Card>
{/* Workspace tenancy + AI access keys */}
<WorkspaceKeysPanel workspaceSlug={workspace} />
{/* Notifications */}
<Card>
<CardHeader>

48
app/api/admin/migrate/route.ts
View File

@@ -139,6 +139,54 @@ export async function POST(req: NextRequest) {
expires TIMESTAMPTZ NOT NULL,
UNIQUE (identifier, token)
)`,
// ── Vibn workspaces (logical tenancy on top of Coolify) ──────────
// One workspace per Vibn account. Holds a Coolify Project UUID
// (the team boundary inside Coolify) and a Gitea org name.
`CREATE TABLE IF NOT EXISTS vibn_workspaces (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
slug TEXT NOT NULL UNIQUE,
name TEXT NOT NULL,
owner_user_id TEXT NOT NULL,
coolify_project_uuid TEXT,
coolify_team_id INT,
gitea_org TEXT,
provision_status TEXT NOT NULL DEFAULT 'pending',
provision_error TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
)`,
`CREATE INDEX IF NOT EXISTS vibn_workspaces_owner_idx ON vibn_workspaces (owner_user_id)`,
`CREATE TABLE IF NOT EXISTS vibn_workspace_members (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
workspace_id UUID NOT NULL REFERENCES vibn_workspaces(id) ON DELETE CASCADE,
user_id TEXT NOT NULL,
role TEXT NOT NULL DEFAULT 'member',
created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
UNIQUE (workspace_id, user_id)
)`,
`CREATE INDEX IF NOT EXISTS vibn_workspace_members_user_idx ON vibn_workspace_members (user_id)`,
`CREATE TABLE IF NOT EXISTS vibn_workspace_api_keys (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
workspace_id UUID NOT NULL REFERENCES vibn_workspaces(id) ON DELETE CASCADE,
name TEXT NOT NULL,
key_prefix TEXT NOT NULL,
key_hash TEXT NOT NULL UNIQUE,
scopes JSONB NOT NULL DEFAULT '["workspace:*"]'::jsonb,
created_by TEXT NOT NULL,
last_used_at TIMESTAMPTZ,
revoked_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT now()
)`,
`CREATE INDEX IF NOT EXISTS vibn_workspace_api_keys_workspace_idx ON vibn_workspace_api_keys (workspace_id)`,
// Tag projects with the workspace they belong to (nullable until backfill).
// The pre-existing fs_projects.workspace TEXT column stays for the legacy slug;
// this new UUID FK is the canonical link.
`ALTER TABLE fs_projects ADD COLUMN IF NOT EXISTS vibn_workspace_id UUID REFERENCES vibn_workspaces(id) ON DELETE SET NULL`,
`CREATE INDEX IF NOT EXISTS fs_projects_vibn_workspace_idx ON fs_projects (vibn_workspace_id)`,
];
for (const stmt of statements) {

90
app/api/projects/create/route.ts
View File

@@ -1,12 +1,12 @@
import { NextResponse } from 'next/server';
import { getServerSession } from 'next-auth';
import { authOptions } from '@/lib/auth/authOptions';
import { authSession } from "@/lib/auth/session-server";
import { query } from '@/lib/db-postgres';
import { randomUUID } from 'crypto';
import { createRepo, createWebhook, getRepo, listWebhooks, GITEA_ADMIN_USER_EXPORT } from '@/lib/gitea';
import { pushTurborepoScaffold } from '@/lib/scaffold';
import { createProject as createCoolifyProject, createMonorepoAppService } from '@/lib/coolify';
import { createMonorepoAppService } from '@/lib/coolify';
import { provisionTheiaWorkspace } from '@/lib/cloud-run-workspace';
import { getOrCreateProvisionedWorkspace } from '@/lib/workspaces';
import type { ProjectPhaseData, ProjectPhaseScores } from '@/lib/types/project-artifacts';
const GITEA_ADMIN_USER = GITEA_ADMIN_USER_EXPORT;
@@ -15,7 +15,7 @@ const GITEA_WEBHOOK_SECRET = process.env.GITEA_WEBHOOK_SECRET ?? 'vibn-webhook-s
export async function POST(request: Request) {
try {
const session = await getServerSession(authOptions);
const session = await authSession();
if (!session?.user?.email) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
@@ -53,6 +53,19 @@ export async function POST(request: Request) {
const firebaseUserId = users[0]!.id;
// Resolve (and lazily provision) the user's workspace. Provides:
// - vibnWorkspace.coolify_project_uuid → namespace for Coolify apps/DBs
// - vibnWorkspace.gitea_org → owner for Gitea repos
// If provisioning failed for either, we fall back to legacy admin
// identifiers so the project create still succeeds (with degraded isolation).
let vibnWorkspace = await getOrCreateProvisionedWorkspace({
userId: firebaseUserId,
email,
displayName: session.user.name ?? null,
});
const repoOwner = vibnWorkspace.gitea_org ?? GITEA_ADMIN_USER;
const body = await request.json();
const {
projectName,
@@ -97,14 +110,15 @@ export async function POST(request: Request) {
description: `${projectName} — managed by Vibn`,
private: true,
auto_init: false,
owner: repoOwner,
});
console.log(`[API] Gitea repo created: ${GITEA_ADMIN_USER}/${repoName}`);
console.log(`[API] Gitea repo created: ${repoOwner}/${repoName}`);
} catch (createErr) {
const msg = createErr instanceof Error ? createErr.message : String(createErr);
// 409 = repo already exists — link to it instead of failing
if (msg.includes('409')) {
console.log(`[API] Gitea repo already exists, linking to ${GITEA_ADMIN_USER}/${repoName}`);
repo = await getRepo(GITEA_ADMIN_USER, repoName);
console.log(`[API] Gitea repo already exists, linking to ${repoOwner}/${repoName}`);
repo = await getRepo(repoOwner, repoName);
if (!repo) throw new Error(`Repo ${repoName} exists but could not be fetched`);
} else {
throw createErr;
@@ -125,7 +139,7 @@ export async function POST(request: Request) {
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
github_url: githubRepoUrl,
gitea_repo: `${GITEA_ADMIN_USER}/${repoName}`,
gitea_repo: `${repoOwner}/${repoName}`,
project_name: projectName,
github_token: githubToken || undefined,
}),
@@ -136,17 +150,17 @@ export async function POST(request: Request) {
}
console.log(`[API] GitHub repo mirrored to ${giteaRepo}`);
} else {
await pushTurborepoScaffold(GITEA_ADMIN_USER, repoName, slug, projectName);
await pushTurborepoScaffold(repoOwner, repoName, slug, projectName);
console.log(`[API] Turborepo scaffold pushed to ${giteaRepo}`);
}
// Register webhook — skip if one already points to this project
const webhookUrl = `${APP_URL}/api/webhooks/gitea?projectId=${projectId}`;
const existingHooks = await listWebhooks(GITEA_ADMIN_USER, repoName).catch(() => []);
const existingHooks = await listWebhooks(repoOwner, repoName).catch(() => []);
const alreadyHooked = existingHooks.some(h => h.config.url.includes(projectId));
if (!alreadyHooked) {
const hook = await createWebhook(GITEA_ADMIN_USER, repoName, webhookUrl, GITEA_WEBHOOK_SECRET);
const hook = await createWebhook(repoOwner, repoName, webhookUrl, GITEA_WEBHOOK_SECRET);
giteaWebhookId = hook.id;
console.log(`[API] Webhook registered: ${giteaRepo}, id: ${giteaWebhookId}`);
} else {
@@ -160,7 +174,7 @@ export async function POST(request: Request) {
}
// ──────────────────────────────────────────────
// 2. Provision Coolify project + per-app services
// 2. Provision per-app services under the workspace's Coolify Project
// ──────────────────────────────────────────────
const APP_BASE_DOMAIN = process.env.APP_BASE_DOMAIN ?? 'vibnai.com';
const appNames = ['product', 'website', 'admin', 'storybook'] as const;
@@ -168,35 +182,29 @@ export async function POST(request: Request) {
name: string; path: string; coolifyServiceUuid: string | null; domain: string | null;
}> = appNames.map(name => ({ name, path: `apps/${name}`, coolifyServiceUuid: null, domain: null }));
let coolifyProjectUuid: string | null = null;
// The workspace's Coolify Project IS our team boundary. All Vibn
// projects for a workspace share one Coolify Project namespace.
const coolifyProjectUuid: string | null = vibnWorkspace.coolify_project_uuid;
if (giteaCloneUrl) {
try {
const coolifyProject = await createCoolifyProject(
projectName,
`Vibn project for ${projectName}`
);
coolifyProjectUuid = coolifyProject.uuid;
for (const app of provisionedApps) {
try {
const domain = `${app.name}-${slug}.${APP_BASE_DOMAIN}`;
const service = await createMonorepoAppService({
projectUuid: coolifyProject.uuid,
appName: app.name,
gitRepo: giteaCloneUrl,
domain,
});
app.coolifyServiceUuid = service.uuid;
app.domain = domain;
console.log(`[API] Coolify service created: ${app.name}${domain}`);
} catch (appErr) {
console.error(`[API] Coolify service failed for ${app.name}:`, appErr);
}
if (giteaCloneUrl && coolifyProjectUuid) {
for (const app of provisionedApps) {
try {
const domain = `${app.name}-${slug}.${APP_BASE_DOMAIN}`;
const service = await createMonorepoAppService({
projectUuid: coolifyProjectUuid,
appName: `${slug}-${app.name}`, // unique within the workspace's Coolify Project
gitRepo: giteaCloneUrl,
domain,
});
app.coolifyServiceUuid = service.uuid;
app.domain = domain;
console.log(`[API] Coolify service created: ${app.name}${domain}`);
} catch (appErr) {
console.error(`[API] Coolify service failed for ${app.name}:`, appErr);
}
} catch (coolifyErr) {
console.error('[API] Coolify project provisioning failed (non-fatal):', coolifyErr);
}
} else if (!coolifyProjectUuid) {
console.warn('[API] Workspace has no Coolify Project UUID — skipped app provisioning. Run /api/workspaces/{slug}/provision to retry.');
}
// ──────────────────────────────────────────────
@@ -274,9 +282,9 @@ export async function POST(request: Request) {
};
await query(`
INSERT INTO fs_projects (id, data, user_id, workspace, slug)
VALUES ($1, $2::jsonb, $3, $4, $5)
`, [projectId, JSON.stringify(projectData), firebaseUserId, workspace, slug]);
INSERT INTO fs_projects (id, data, user_id, workspace, slug, vibn_workspace_id)
VALUES ($1, $2::jsonb, $3, $4, $5, $6)
`, [projectId, JSON.stringify(projectData), firebaseUserId, workspace, slug, vibnWorkspace.id]);
// Associate any unlinked sessions for this workspace path
if (workspacePath) {

28
app/api/workspaces/[slug]/keys/[keyId]/route.ts Normal file
View File

@@ -0,0 +1,28 @@
/**
* DELETE /api/workspaces/[slug]/keys/[keyId] — revoke a workspace API key
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal, revokeWorkspaceApiKey } from '@/lib/auth/workspace-auth';
export async function DELETE(
request: Request,
{ params }: { params: Promise<{ slug: string; keyId: string }> }
) {
const { slug, keyId } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
if (principal.source !== 'session') {
return NextResponse.json(
{ error: 'API keys can only be revoked from a signed-in session' },
{ status: 403 }
);
}
const ok = await revokeWorkspaceApiKey(principal.workspace.id, keyId);
if (!ok) {
return NextResponse.json({ error: 'Key not found or already revoked' }, { status: 404 });
}
return NextResponse.json({ revoked: true });
}

72
app/api/workspaces/[slug]/keys/route.ts Normal file
View File

@@ -0,0 +1,72 @@
/**
* Per-workspace API keys for AI agents.
*
* GET /api/workspaces/[slug]/keys — list keys (no secrets)
* POST /api/workspaces/[slug]/keys — mint a new key
*
* The full plaintext key is returned ONCE in the POST response and never
* persisted; only its sha256 hash is stored.
*
* API-key principals can list their own workspace's keys but cannot mint
* new ones (use the session UI for that).
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import { listWorkspaceApiKeys, mintWorkspaceApiKey } from '@/lib/auth/workspace-auth';
export async function GET(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const keys = await listWorkspaceApiKeys(principal.workspace.id);
return NextResponse.json({ keys });
}
export async function POST(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
if (principal.source !== 'session') {
return NextResponse.json(
{ error: 'API keys can only be created from a signed-in session' },
{ status: 403 }
);
}
let body: { name?: string; scopes?: string[] };
try {
body = (await request.json()) as { name?: string; scopes?: string[] };
} catch {
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
}
const name = (body.name ?? '').trim();
if (!name) {
return NextResponse.json({ error: 'Field "name" is required' }, { status: 400 });
}
const minted = await mintWorkspaceApiKey({
workspaceId: principal.workspace.id,
name,
createdBy: principal.userId,
scopes: body.scopes,
});
return NextResponse.json({
id: minted.id,
name: minted.name,
prefix: minted.prefix,
createdAt: minted.created_at,
// ↓ Only returned ONCE. Client must store this — we never see it again.
token: minted.token,
});
}

29
app/api/workspaces/[slug]/provision/route.ts Normal file
View File

@@ -0,0 +1,29 @@
/**
* POST /api/workspaces/[slug]/provision — (re)run Coolify + Gitea provisioning
*
* Idempotent. Useful when initial provisioning during signin or first
* project create failed because Coolify or Gitea was unavailable.
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
import { ensureWorkspaceProvisioned } from '@/lib/workspaces';
export async function POST(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const updated = await ensureWorkspaceProvisioned(principal.workspace);
return NextResponse.json({
slug: updated.slug,
coolifyProjectUuid: updated.coolify_project_uuid,
giteaOrg: updated.gitea_org,
provisionStatus: updated.provision_status,
provisionError: updated.provision_error,
});
}

33
app/api/workspaces/[slug]/route.ts Normal file
View File

@@ -0,0 +1,33 @@
/**
* GET /api/workspaces/[slug] — workspace details
*/
import { NextResponse } from 'next/server';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
export async function GET(
request: Request,
{ params }: { params: Promise<{ slug: string }> }
) {
const { slug } = await params;
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
if (principal instanceof NextResponse) return principal;
const w = principal.workspace;
return NextResponse.json({
id: w.id,
slug: w.slug,
name: w.name,
coolifyProjectUuid: w.coolify_project_uuid,
coolifyTeamId: w.coolify_team_id,
giteaOrg: w.gitea_org,
provisionStatus: w.provision_status,
provisionError: w.provision_error,
createdAt: w.created_at,
updatedAt: w.updated_at,
principal: {
source: principal.source,
apiKeyId: principal.apiKeyId ?? null,
},
});
}

52
app/api/workspaces/route.ts Normal file
View File

@@ -0,0 +1,52 @@
/**
* GET /api/workspaces — list workspaces the caller can access
*
* Auth:
* - NextAuth session: returns the user's owned + member workspaces
* - vibn_sk_... API key: returns just the one workspace the key is bound to
*/
import { NextResponse } from 'next/server';
import { authSession } from '@/lib/auth/session-server';
import { queryOne } from '@/lib/db-postgres';
import { listWorkspacesForUser } from '@/lib/workspaces';
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
export async function GET(request: Request) {
// API-key clients are pinned to one workspace
if (request.headers.get('authorization')?.toLowerCase().startsWith('bearer vibn_sk_')) {
const principal = await requireWorkspacePrincipal(request);
if (principal instanceof NextResponse) return principal;
return NextResponse.json({ workspaces: [serializeWorkspace(principal.workspace)] });
}
const session = await authSession();
if (!session?.user?.email) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
const userRow = await queryOne<{ id: string }>(
`SELECT id FROM fs_users WHERE data->>'email' = $1 LIMIT 1`,
[session.user.email]
);
if (!userRow) {
return NextResponse.json({ workspaces: [] });
}
const list = await listWorkspacesForUser(userRow.id);
return NextResponse.json({ workspaces: list.map(serializeWorkspace) });
}
function serializeWorkspace(w: import('@/lib/workspaces').VibnWorkspace) {
return {
id: w.id,
slug: w.slug,
name: w.name,
coolifyProjectUuid: w.coolify_project_uuid,
giteaOrg: w.gitea_org,
provisionStatus: w.provision_status,
provisionError: w.provision_error,
createdAt: w.created_at,
updatedAt: w.updated_at,
};
}