Mark Henderson
3192e0f7b9
Coolify v4's POST/PATCH /applications/{uuid}/envs only accepts key,
value, is_preview, is_literal, is_multiline, is_shown_once. Sending
is_build_time triggers a 422 "This field is not allowed." — it's now
a derived read-only flag (is_buildtime) computed from Dockerfile ARG
usage. Breaks agents trying to upsert env vars.
Three-layer fix so this can't regress:
- lib/coolify.ts: COOLIFY_ENV_WRITE_FIELDS whitelist enforced at the
network boundary, regardless of caller shape
- app/api/workspaces/[slug]/apps/[uuid]/envs: stops forwarding the
field; returns a deprecation warning when callers send it; GET
reads both is_buildtime and is_build_time for version parity
- app/api/mcp/route.ts: same treatment in the MCP dispatcher;
AI_CAPABILITIES.md doc corrected
Also bundles (not related to the above):
- Workspace API keys are now revealable from settings. New
key_encrypted column stores AES-256-GCM(VIBN_SECRETS_KEY, token).
POST /api/workspaces/[slug]/keys/[keyId]/reveal returns plaintext
for session principals only; API-key principals cannot reveal
siblings. Legacy keys stay valid for auth but can't reveal.
- P5.3 Object storage: lib/gcp/storage.ts + lib/workspace-gcs.ts
idempotently provision a per-workspace GCS bucket, service
account, IAM binding and HMAC key. New POST /api/workspaces/
[slug]/storage/buckets endpoint. Migration script + smoke test
included. Proven end-to-end against prod master-ai-484822.
Made-with: Cursor
26 lines
1.2 KiB
SQL
26 lines
1.2 KiB
SQL
-- =============================================================================
|
|
-- Make workspace API keys revealable.
|
|
--
|
|
-- Adds `key_encrypted` — base64 of secret-box(VIBN_SECRETS_KEY, plaintext token).
|
|
-- Existing rows keep `key_encrypted = NULL` and are therefore NOT revealable;
|
|
-- only the hash was stored at mint time and the plaintext is unrecoverable by
|
|
-- design. Those keys still work for auth (hash lookup is unchanged); they just
|
|
-- can't surface the plaintext again — the UI will flag them as legacy.
|
|
--
|
|
-- New keys minted after this migration will populate `key_encrypted` and can
|
|
-- be revealed on demand by session-authenticated users (never by API-key
|
|
-- principals — prevents lateral movement).
|
|
--
|
|
-- Safe to re-run.
|
|
-- =============================================================================
|
|
|
|
ALTER TABLE vibn_workspace_api_keys
|
|
ADD COLUMN IF NOT EXISTS key_encrypted TEXT;
|
|
|
|
COMMENT ON COLUMN vibn_workspace_api_keys.key_encrypted IS
|
|
'base64( AES-256-GCM encrypt(VIBN_SECRETS_KEY, plaintext vibn_sk_...) ). '
|
|
'NULL for legacy rows minted before this column existed — those keys '
|
|
'remain valid for auth but cannot be revealed.';
|
|
|
|
SELECT 'API-key revealability migration complete' AS status;
|