feat(workspaces): per-account tenancy + AI access keys + Cursor integration
Adds logical multi-tenancy on top of Coolify + Gitea so every Vibn
account gets its own isolated tenant boundary, and exposes that
boundary to AI agents (Cursor, Claude Code, scripts) through
per-workspace bearer tokens.
Schema (additive, idempotent — run /api/admin/migrate once after deploy)
- vibn_workspaces: slug, name, owner, coolify_project_uuid,
coolify_team_id (reserved for when Coolify ships POST /teams),
gitea_org, provision_status
- vibn_workspace_members: room for multi-user workspaces later
- vibn_workspace_api_keys: sha256-hashed bearer tokens
- fs_projects.vibn_workspace_id: nullable FK linking projects
to their workspace
Provisioning
- On first sign-in, ensureWorkspaceForUser() inserts the row
(no network calls — keeps signin fast).
- On first project create, ensureWorkspaceProvisioned() lazily
creates a Coolify Project (vibn-ws-{slug}) and a Gitea org
(vibn-{slug}). Failures are recorded on the row, not thrown,
and POST /api/workspaces/{slug}/provision retries.
Auth surface
- lib/auth/workspace-auth.ts: requireWorkspacePrincipal() accepts
either a NextAuth session or "Authorization: Bearer vibn_sk_...".
The bearer key is hard-pinned to one workspace — it cannot
reach any other tenant.
- mintWorkspaceApiKey / listWorkspaceApiKeys / revokeWorkspaceApiKey
Routes
- GET /api/workspaces list
- GET /api/workspaces/[slug] details
- POST /api/workspaces/[slug]/provision retry provisioning
- GET /api/workspaces/[slug]/keys list keys
- POST /api/workspaces/[slug]/keys mint key (token shown once)
- DELETE /api/workspaces/[slug]/keys/[keyId] revoke
UI
- components/workspace/WorkspaceKeysPanel.tsx: identity card,
keys CRUD with one-time secret reveal, and a "Connect Cursor"
block with copy/download for:
.cursor/rules/vibn-workspace.mdc — rule telling the agent
about the API + workspace IDs + house rules
~/.cursor/mcp.json — MCP server registration with key
embedded (server URL is /api/mcp; HTTP MCP route lands next)
.env.local — VIBN_API_KEY + smoke-test curl
- Slotted into existing /[workspace]/settings between Workspace
and Notifications cards (no other layout changes).
projects/create
- Resolves the user's workspace (creating + provisioning lazily).
- Repos go under workspace.gitea_org (falls back to GITEA_ADMIN_USER
for backwards compat).
- Coolify services are created inside workspace.coolify_project_uuid
(renamed {slug}-{appName} to stay unique within the namespace) —
no more per-Vibn-project Coolify Project sprawl.
- Stamps vibn_workspace_id on fs_projects.
lib/gitea
- createOrg, getOrg, addOrgOwner, getUser
- createRepo now routes /orgs/{owner}/repos when owner != admin
Also includes prior-turn auth hardening that was already in
authOptions.ts (CredentialsProvider for dev-local, isLocalNextAuth
cookie config) bundled in to keep the auth layer in one consistent
state.
.env.example
- Documents GITEA_API_URL / GITEA_API_TOKEN / GITEA_ADMIN_USER /
GITEA_WEBHOOK_SECRET and COOLIFY_URL / COOLIFY_API_TOKEN /
COOLIFY_SERVER_UUID, with the canonical hostnames
(git.vibnai.com, coolify.vibnai.com).
Post-deploy
- Run once: curl -X POST https://vibnai.com/api/admin/migrate \\
-H "x-admin-secret: \$ADMIN_MIGRATE_SECRET"
- Existing users get a workspace row on next sign-in.
- Existing fs_projects keep working (legacy gitea owner + their
own per-project Coolify Projects); new projects use the
workspace-scoped path.
Not in this commit (follow-ups)
- Wiring requireWorkspacePrincipal into the rest of /api/projects/*
so API keys can drive existing routes
- HTTP MCP server at /api/mcp (the mcp.json snippet already
points at the right URL — no client re-setup when it lands)
- Backfill script to assign legacy fs_projects to a workspace
Made-with: Cursor
This commit is contained in:
83
lib/gitea.ts
83
lib/gitea.ts
@@ -54,7 +54,10 @@ async function giteaFetch(path: string, options: RequestInit = {}) {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a new repo under the admin user (or a specified owner).
|
||||
* Create a new repo. By default creates under the admin user.
|
||||
* Pass `owner` to create under a specific user OR org — when the owner
|
||||
* is an org (or any user other than the token holder), Gitea requires
|
||||
* the org-scoped endpoint `/orgs/{owner}/repos`.
|
||||
*/
|
||||
export async function createRepo(
|
||||
name: string,
|
||||
@@ -62,18 +65,86 @@ export async function createRepo(
|
||||
): Promise<GiteaRepo> {
|
||||
const { description = '', private: isPrivate = true, owner = GITEA_ADMIN_USER, auto_init = true } = opts;
|
||||
|
||||
return giteaFetch(`/user/repos`, {
|
||||
const body = JSON.stringify({
|
||||
name,
|
||||
description,
|
||||
private: isPrivate,
|
||||
auto_init,
|
||||
default_branch: 'main',
|
||||
});
|
||||
|
||||
// Token-owner repos use /user/repos; everything else (orgs, other users)
|
||||
// must go through /orgs/{owner}/repos.
|
||||
const path = owner === GITEA_ADMIN_USER ? `/user/repos` : `/orgs/${owner}/repos`;
|
||||
return giteaFetch(path, { method: 'POST', body });
|
||||
}
|
||||
|
||||
// ──────────────────────────────────────────────────
|
||||
// Organizations (per-workspace tenancy)
|
||||
// ──────────────────────────────────────────────────
|
||||
|
||||
export interface GiteaOrg {
|
||||
id: number;
|
||||
username: string; // org name (Gitea uses "username" for orgs too)
|
||||
full_name: string;
|
||||
description?: string;
|
||||
visibility: 'public' | 'private' | 'limited';
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a Gitea organization. Requires the admin token to have
|
||||
* permission to create orgs.
|
||||
*/
|
||||
export async function createOrg(opts: {
|
||||
name: string;
|
||||
fullName?: string;
|
||||
description?: string;
|
||||
visibility?: 'public' | 'private' | 'limited';
|
||||
}): Promise<GiteaOrg> {
|
||||
const { name, fullName = name, description = '', visibility = 'private' } = opts;
|
||||
return giteaFetch(`/orgs`, {
|
||||
method: 'POST',
|
||||
body: JSON.stringify({
|
||||
name,
|
||||
username: name,
|
||||
full_name: fullName,
|
||||
description,
|
||||
private: isPrivate,
|
||||
auto_init,
|
||||
default_branch: 'main',
|
||||
visibility,
|
||||
repo_admin_change_team_access: true,
|
||||
}),
|
||||
});
|
||||
}
|
||||
|
||||
export async function getOrg(name: string): Promise<GiteaOrg | null> {
|
||||
try {
|
||||
return await giteaFetch(`/orgs/${name}`);
|
||||
} catch (err) {
|
||||
const msg = err instanceof Error ? err.message : String(err);
|
||||
if (msg.includes('404')) return null;
|
||||
throw err;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Add a Gitea user to an org's "Owners" team (full access to the org).
|
||||
* Falls back to the org's default team when "Owners" cannot be located.
|
||||
*/
|
||||
export async function addOrgOwner(orgName: string, username: string): Promise<void> {
|
||||
const teams = (await giteaFetch(`/orgs/${orgName}/teams`)) as Array<{ id: number; name: string }>;
|
||||
const owners = teams.find(t => t.name.toLowerCase() === 'owners') ?? teams[0];
|
||||
if (!owners) throw new Error(`No teams found for org ${orgName}`);
|
||||
await giteaFetch(`/teams/${owners.id}/members/${username}`, { method: 'PUT' });
|
||||
}
|
||||
|
||||
export async function getUser(username: string): Promise<{ id: number; login: string } | null> {
|
||||
try {
|
||||
return await giteaFetch(`/users/${username}`);
|
||||
} catch (err) {
|
||||
const msg = err instanceof Error ? err.message : String(err);
|
||||
if (msg.includes('404')) return null;
|
||||
throw err;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get an existing repo.
|
||||
*/
|
||||
|
||||
Reference in New Issue
Block a user