feat(workspaces): per-account tenancy + AI access keys + Cursor integration
Adds logical multi-tenancy on top of Coolify + Gitea so every Vibn
account gets its own isolated tenant boundary, and exposes that
boundary to AI agents (Cursor, Claude Code, scripts) through
per-workspace bearer tokens.
Schema (additive, idempotent — run /api/admin/migrate once after deploy)
- vibn_workspaces: slug, name, owner, coolify_project_uuid,
coolify_team_id (reserved for when Coolify ships POST /teams),
gitea_org, provision_status
- vibn_workspace_members: room for multi-user workspaces later
- vibn_workspace_api_keys: sha256-hashed bearer tokens
- fs_projects.vibn_workspace_id: nullable FK linking projects
to their workspace
Provisioning
- On first sign-in, ensureWorkspaceForUser() inserts the row
(no network calls — keeps signin fast).
- On first project create, ensureWorkspaceProvisioned() lazily
creates a Coolify Project (vibn-ws-{slug}) and a Gitea org
(vibn-{slug}). Failures are recorded on the row, not thrown,
and POST /api/workspaces/{slug}/provision retries.
Auth surface
- lib/auth/workspace-auth.ts: requireWorkspacePrincipal() accepts
either a NextAuth session or "Authorization: Bearer vibn_sk_...".
The bearer key is hard-pinned to one workspace — it cannot
reach any other tenant.
- mintWorkspaceApiKey / listWorkspaceApiKeys / revokeWorkspaceApiKey
Routes
- GET /api/workspaces list
- GET /api/workspaces/[slug] details
- POST /api/workspaces/[slug]/provision retry provisioning
- GET /api/workspaces/[slug]/keys list keys
- POST /api/workspaces/[slug]/keys mint key (token shown once)
- DELETE /api/workspaces/[slug]/keys/[keyId] revoke
UI
- components/workspace/WorkspaceKeysPanel.tsx: identity card,
keys CRUD with one-time secret reveal, and a "Connect Cursor"
block with copy/download for:
.cursor/rules/vibn-workspace.mdc — rule telling the agent
about the API + workspace IDs + house rules
~/.cursor/mcp.json — MCP server registration with key
embedded (server URL is /api/mcp; HTTP MCP route lands next)
.env.local — VIBN_API_KEY + smoke-test curl
- Slotted into existing /[workspace]/settings between Workspace
and Notifications cards (no other layout changes).
projects/create
- Resolves the user's workspace (creating + provisioning lazily).
- Repos go under workspace.gitea_org (falls back to GITEA_ADMIN_USER
for backwards compat).
- Coolify services are created inside workspace.coolify_project_uuid
(renamed {slug}-{appName} to stay unique within the namespace) —
no more per-Vibn-project Coolify Project sprawl.
- Stamps vibn_workspace_id on fs_projects.
lib/gitea
- createOrg, getOrg, addOrgOwner, getUser
- createRepo now routes /orgs/{owner}/repos when owner != admin
Also includes prior-turn auth hardening that was already in
authOptions.ts (CredentialsProvider for dev-local, isLocalNextAuth
cookie config) bundled in to keep the auth layer in one consistent
state.
.env.example
- Documents GITEA_API_URL / GITEA_API_TOKEN / GITEA_ADMIN_USER /
GITEA_WEBHOOK_SECRET and COOLIFY_URL / COOLIFY_API_TOKEN /
COOLIFY_SERVER_UUID, with the canonical hostnames
(git.vibnai.com, coolify.vibnai.com).
Post-deploy
- Run once: curl -X POST https://vibnai.com/api/admin/migrate \\
-H "x-admin-secret: \$ADMIN_MIGRATE_SECRET"
- Existing users get a workspace row on next sign-in.
- Existing fs_projects keep working (legacy gitea owner + their
own per-project Coolify Projects); new projects use the
workspace-scoped path.
Not in this commit (follow-ups)
- Wiring requireWorkspacePrincipal into the rest of /api/projects/*
so API keys can drive existing routes
- HTTP MCP server at /api/mcp (the mcp.json snippet already
points at the right URL — no client re-setup when it lands)
- Backfill script to assign legacy fs_projects to a workspace
Made-with: Cursor
This commit is contained in:
@@ -1,12 +1,12 @@
|
||||
import { NextResponse } from 'next/server';
|
||||
import { getServerSession } from 'next-auth';
|
||||
import { authOptions } from '@/lib/auth/authOptions';
|
||||
import { authSession } from "@/lib/auth/session-server";
|
||||
import { query } from '@/lib/db-postgres';
|
||||
import { randomUUID } from 'crypto';
|
||||
import { createRepo, createWebhook, getRepo, listWebhooks, GITEA_ADMIN_USER_EXPORT } from '@/lib/gitea';
|
||||
import { pushTurborepoScaffold } from '@/lib/scaffold';
|
||||
import { createProject as createCoolifyProject, createMonorepoAppService } from '@/lib/coolify';
|
||||
import { createMonorepoAppService } from '@/lib/coolify';
|
||||
import { provisionTheiaWorkspace } from '@/lib/cloud-run-workspace';
|
||||
import { getOrCreateProvisionedWorkspace } from '@/lib/workspaces';
|
||||
import type { ProjectPhaseData, ProjectPhaseScores } from '@/lib/types/project-artifacts';
|
||||
|
||||
const GITEA_ADMIN_USER = GITEA_ADMIN_USER_EXPORT;
|
||||
@@ -15,7 +15,7 @@ const GITEA_WEBHOOK_SECRET = process.env.GITEA_WEBHOOK_SECRET ?? 'vibn-webhook-s
|
||||
|
||||
export async function POST(request: Request) {
|
||||
try {
|
||||
const session = await getServerSession(authOptions);
|
||||
const session = await authSession();
|
||||
if (!session?.user?.email) {
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
|
||||
}
|
||||
@@ -53,6 +53,19 @@ export async function POST(request: Request) {
|
||||
|
||||
const firebaseUserId = users[0]!.id;
|
||||
|
||||
// Resolve (and lazily provision) the user's workspace. Provides:
|
||||
// - vibnWorkspace.coolify_project_uuid → namespace for Coolify apps/DBs
|
||||
// - vibnWorkspace.gitea_org → owner for Gitea repos
|
||||
// If provisioning failed for either, we fall back to legacy admin
|
||||
// identifiers so the project create still succeeds (with degraded isolation).
|
||||
let vibnWorkspace = await getOrCreateProvisionedWorkspace({
|
||||
userId: firebaseUserId,
|
||||
email,
|
||||
displayName: session.user.name ?? null,
|
||||
});
|
||||
|
||||
const repoOwner = vibnWorkspace.gitea_org ?? GITEA_ADMIN_USER;
|
||||
|
||||
const body = await request.json();
|
||||
const {
|
||||
projectName,
|
||||
@@ -97,14 +110,15 @@ export async function POST(request: Request) {
|
||||
description: `${projectName} — managed by Vibn`,
|
||||
private: true,
|
||||
auto_init: false,
|
||||
owner: repoOwner,
|
||||
});
|
||||
console.log(`[API] Gitea repo created: ${GITEA_ADMIN_USER}/${repoName}`);
|
||||
console.log(`[API] Gitea repo created: ${repoOwner}/${repoName}`);
|
||||
} catch (createErr) {
|
||||
const msg = createErr instanceof Error ? createErr.message : String(createErr);
|
||||
// 409 = repo already exists — link to it instead of failing
|
||||
if (msg.includes('409')) {
|
||||
console.log(`[API] Gitea repo already exists, linking to ${GITEA_ADMIN_USER}/${repoName}`);
|
||||
repo = await getRepo(GITEA_ADMIN_USER, repoName);
|
||||
console.log(`[API] Gitea repo already exists, linking to ${repoOwner}/${repoName}`);
|
||||
repo = await getRepo(repoOwner, repoName);
|
||||
if (!repo) throw new Error(`Repo ${repoName} exists but could not be fetched`);
|
||||
} else {
|
||||
throw createErr;
|
||||
@@ -125,7 +139,7 @@ export async function POST(request: Request) {
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({
|
||||
github_url: githubRepoUrl,
|
||||
gitea_repo: `${GITEA_ADMIN_USER}/${repoName}`,
|
||||
gitea_repo: `${repoOwner}/${repoName}`,
|
||||
project_name: projectName,
|
||||
github_token: githubToken || undefined,
|
||||
}),
|
||||
@@ -136,17 +150,17 @@ export async function POST(request: Request) {
|
||||
}
|
||||
console.log(`[API] GitHub repo mirrored to ${giteaRepo}`);
|
||||
} else {
|
||||
await pushTurborepoScaffold(GITEA_ADMIN_USER, repoName, slug, projectName);
|
||||
await pushTurborepoScaffold(repoOwner, repoName, slug, projectName);
|
||||
console.log(`[API] Turborepo scaffold pushed to ${giteaRepo}`);
|
||||
}
|
||||
|
||||
// Register webhook — skip if one already points to this project
|
||||
const webhookUrl = `${APP_URL}/api/webhooks/gitea?projectId=${projectId}`;
|
||||
const existingHooks = await listWebhooks(GITEA_ADMIN_USER, repoName).catch(() => []);
|
||||
const existingHooks = await listWebhooks(repoOwner, repoName).catch(() => []);
|
||||
const alreadyHooked = existingHooks.some(h => h.config.url.includes(projectId));
|
||||
|
||||
if (!alreadyHooked) {
|
||||
const hook = await createWebhook(GITEA_ADMIN_USER, repoName, webhookUrl, GITEA_WEBHOOK_SECRET);
|
||||
const hook = await createWebhook(repoOwner, repoName, webhookUrl, GITEA_WEBHOOK_SECRET);
|
||||
giteaWebhookId = hook.id;
|
||||
console.log(`[API] Webhook registered: ${giteaRepo}, id: ${giteaWebhookId}`);
|
||||
} else {
|
||||
@@ -160,7 +174,7 @@ export async function POST(request: Request) {
|
||||
}
|
||||
|
||||
// ──────────────────────────────────────────────
|
||||
// 2. Provision Coolify project + per-app services
|
||||
// 2. Provision per-app services under the workspace's Coolify Project
|
||||
// ──────────────────────────────────────────────
|
||||
const APP_BASE_DOMAIN = process.env.APP_BASE_DOMAIN ?? 'vibnai.com';
|
||||
const appNames = ['product', 'website', 'admin', 'storybook'] as const;
|
||||
@@ -168,35 +182,29 @@ export async function POST(request: Request) {
|
||||
name: string; path: string; coolifyServiceUuid: string | null; domain: string | null;
|
||||
}> = appNames.map(name => ({ name, path: `apps/${name}`, coolifyServiceUuid: null, domain: null }));
|
||||
|
||||
let coolifyProjectUuid: string | null = null;
|
||||
// The workspace's Coolify Project IS our team boundary. All Vibn
|
||||
// projects for a workspace share one Coolify Project namespace.
|
||||
const coolifyProjectUuid: string | null = vibnWorkspace.coolify_project_uuid;
|
||||
|
||||
if (giteaCloneUrl) {
|
||||
try {
|
||||
const coolifyProject = await createCoolifyProject(
|
||||
projectName,
|
||||
`Vibn project for ${projectName}`
|
||||
);
|
||||
coolifyProjectUuid = coolifyProject.uuid;
|
||||
|
||||
for (const app of provisionedApps) {
|
||||
try {
|
||||
const domain = `${app.name}-${slug}.${APP_BASE_DOMAIN}`;
|
||||
const service = await createMonorepoAppService({
|
||||
projectUuid: coolifyProject.uuid,
|
||||
appName: app.name,
|
||||
gitRepo: giteaCloneUrl,
|
||||
domain,
|
||||
});
|
||||
app.coolifyServiceUuid = service.uuid;
|
||||
app.domain = domain;
|
||||
console.log(`[API] Coolify service created: ${app.name} → ${domain}`);
|
||||
} catch (appErr) {
|
||||
console.error(`[API] Coolify service failed for ${app.name}:`, appErr);
|
||||
}
|
||||
if (giteaCloneUrl && coolifyProjectUuid) {
|
||||
for (const app of provisionedApps) {
|
||||
try {
|
||||
const domain = `${app.name}-${slug}.${APP_BASE_DOMAIN}`;
|
||||
const service = await createMonorepoAppService({
|
||||
projectUuid: coolifyProjectUuid,
|
||||
appName: `${slug}-${app.name}`, // unique within the workspace's Coolify Project
|
||||
gitRepo: giteaCloneUrl,
|
||||
domain,
|
||||
});
|
||||
app.coolifyServiceUuid = service.uuid;
|
||||
app.domain = domain;
|
||||
console.log(`[API] Coolify service created: ${app.name} → ${domain}`);
|
||||
} catch (appErr) {
|
||||
console.error(`[API] Coolify service failed for ${app.name}:`, appErr);
|
||||
}
|
||||
} catch (coolifyErr) {
|
||||
console.error('[API] Coolify project provisioning failed (non-fatal):', coolifyErr);
|
||||
}
|
||||
} else if (!coolifyProjectUuid) {
|
||||
console.warn('[API] Workspace has no Coolify Project UUID — skipped app provisioning. Run /api/workspaces/{slug}/provision to retry.');
|
||||
}
|
||||
|
||||
// ──────────────────────────────────────────────
|
||||
@@ -274,9 +282,9 @@ export async function POST(request: Request) {
|
||||
};
|
||||
|
||||
await query(`
|
||||
INSERT INTO fs_projects (id, data, user_id, workspace, slug)
|
||||
VALUES ($1, $2::jsonb, $3, $4, $5)
|
||||
`, [projectId, JSON.stringify(projectData), firebaseUserId, workspace, slug]);
|
||||
INSERT INTO fs_projects (id, data, user_id, workspace, slug, vibn_workspace_id)
|
||||
VALUES ($1, $2::jsonb, $3, $4, $5, $6)
|
||||
`, [projectId, JSON.stringify(projectData), firebaseUserId, workspace, slug, vibnWorkspace.id]);
|
||||
|
||||
// Associate any unlinked sessions for this workspace path
|
||||
if (workspacePath) {
|
||||
|
||||
Reference in New Issue
Block a user