mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5fbba46a3dd1f9279f1cebe3dc8636e4a1afb8b2
vibn-frontend/lib/gitea.ts
Mark Henderson acb63a2a5a feat(workspaces): per-account tenancy + AI access keys + Cursor integration 
Adds logical multi-tenancy on top of Coolify + Gitea so every Vibn
account gets its own isolated tenant boundary, and exposes that
boundary to AI agents (Cursor, Claude Code, scripts) through
per-workspace bearer tokens.

Schema (additive, idempotent — run /api/admin/migrate once after deploy)
  - vibn_workspaces: slug, name, owner, coolify_project_uuid,
    coolify_team_id (reserved for when Coolify ships POST /teams),
    gitea_org, provision_status
  - vibn_workspace_members: room for multi-user workspaces later
  - vibn_workspace_api_keys: sha256-hashed bearer tokens
  - fs_projects.vibn_workspace_id: nullable FK linking projects
    to their workspace

Provisioning
  - On first sign-in, ensureWorkspaceForUser() inserts the row
    (no network calls — keeps signin fast).
  - On first project create, ensureWorkspaceProvisioned() lazily
    creates a Coolify Project (vibn-ws-{slug}) and a Gitea org
    (vibn-{slug}). Failures are recorded on the row, not thrown,
    and POST /api/workspaces/{slug}/provision retries.

Auth surface
  - lib/auth/workspace-auth.ts: requireWorkspacePrincipal() accepts
    either a NextAuth session or "Authorization: Bearer vibn_sk_...".
    The bearer key is hard-pinned to one workspace — it cannot
    reach any other tenant.
  - mintWorkspaceApiKey / listWorkspaceApiKeys / revokeWorkspaceApiKey

Routes
  - GET    /api/workspaces                         list
  - GET    /api/workspaces/[slug]                  details
  - POST   /api/workspaces/[slug]/provision        retry provisioning
  - GET    /api/workspaces/[slug]/keys             list keys
  - POST   /api/workspaces/[slug]/keys             mint key (token shown once)
  - DELETE /api/workspaces/[slug]/keys/[keyId]     revoke

UI
  - components/workspace/WorkspaceKeysPanel.tsx: identity card,
    keys CRUD with one-time secret reveal, and a "Connect Cursor"
    block with copy/download for:
      .cursor/rules/vibn-workspace.mdc — rule telling the agent
        about the API + workspace IDs + house rules
      ~/.cursor/mcp.json — MCP server registration with key
        embedded (server URL is /api/mcp; HTTP MCP route lands next)
      .env.local — VIBN_API_KEY + smoke-test curl
  - Slotted into existing /[workspace]/settings between Workspace
    and Notifications cards (no other layout changes).

projects/create
  - Resolves the user's workspace (creating + provisioning lazily).
  - Repos go under workspace.gitea_org (falls back to GITEA_ADMIN_USER
    for backwards compat).
  - Coolify services are created inside workspace.coolify_project_uuid
    (renamed {slug}-{appName} to stay unique within the namespace) —
    no more per-Vibn-project Coolify Project sprawl.
  - Stamps vibn_workspace_id on fs_projects.

lib/gitea
  - createOrg, getOrg, addOrgOwner, getUser
  - createRepo now routes /orgs/{owner}/repos when owner != admin

Also includes prior-turn auth hardening that was already in
authOptions.ts (CredentialsProvider for dev-local, isLocalNextAuth
cookie config) bundled in to keep the auth layer in one consistent
state.

.env.example
  - Documents GITEA_API_URL / GITEA_API_TOKEN / GITEA_ADMIN_USER /
    GITEA_WEBHOOK_SECRET and COOLIFY_URL / COOLIFY_API_TOKEN /
    COOLIFY_SERVER_UUID, with the canonical hostnames
    (git.vibnai.com, coolify.vibnai.com).

Post-deploy
  - Run once: curl -X POST https://vibnai.com/api/admin/migrate \\
      -H "x-admin-secret: \$ADMIN_MIGRATE_SECRET"
  - Existing users get a workspace row on next sign-in.
  - Existing fs_projects keep working (legacy gitea owner + their
    own per-project Coolify Projects); new projects use the
    workspace-scoped path.

Not in this commit (follow-ups)
  - Wiring requireWorkspacePrincipal into the rest of /api/projects/*
    so API keys can drive existing routes
  - HTTP MCP server at /api/mcp (the mcp.json snippet already
    points at the right URL — no client re-setup when it lands)
  - Backfill script to assign legacy fs_projects to a workspace

Made-with: Cursor
2026-04-20 17:17:12 -07:00

267 lines
7.6 KiB
TypeScript
Raw Blame History

/**
* Gitea API client for Vibn project provisioning.
*
* Used server-side only. Credentials come from env vars:
* GITEA_API_URL — e.g. https://git.vibnai.com
* GITEA_API_TOKEN — admin token
* GITEA_ADMIN_USER — default owner for repos (e.g. "mark")
*/
const GITEA_API_URL = process.env.GITEA_API_URL ?? 'https://git.vibnai.com';
const GITEA_API_TOKEN = process.env.GITEA_API_TOKEN ?? '';
const GITEA_ADMIN_USER = process.env.GITEA_ADMIN_USER ?? 'mark';
export interface GiteaRepo {
id: number;
name: string;
full_name: string;
html_url: string;
clone_url: string;
ssh_url: string;
private: boolean;
default_branch: string;
}
export interface GiteaWebhook {
id: number;
type: string;
active: boolean;
config: {
url: string;
content_type: string;
secret?: string;
};
}
async function giteaFetch(path: string, options: RequestInit = {}) {
const url = `${GITEA_API_URL}/api/v1${path}`;
const res = await fetch(url, {
...options,
headers: {
'Content-Type': 'application/json',
Authorization: `token ${GITEA_API_TOKEN}`,
...(options.headers ?? {}),
},
});
if (!res.ok) {
const text = await res.text();
throw new Error(`Gitea API error ${res.status} on ${path}: ${text}`);
}
if (res.status === 204) return null;
return res.json();
}
/**
* Create a new repo. By default creates under the admin user.
* Pass `owner` to create under a specific user OR org — when the owner
* is an org (or any user other than the token holder), Gitea requires
* the org-scoped endpoint `/orgs/{owner}/repos`.
*/
export async function createRepo(
name: string,
opts: { description?: string; private?: boolean; owner?: string; auto_init?: boolean } = {}
): Promise<GiteaRepo> {
const { description = '', private: isPrivate = true, owner = GITEA_ADMIN_USER, auto_init = true } = opts;
const body = JSON.stringify({
name,
description,
private: isPrivate,
auto_init,
default_branch: 'main',
});
// Token-owner repos use /user/repos; everything else (orgs, other users)
// must go through /orgs/{owner}/repos.
const path = owner === GITEA_ADMIN_USER ? `/user/repos` : `/orgs/${owner}/repos`;
return giteaFetch(path, { method: 'POST', body });
}
// ──────────────────────────────────────────────────
// Organizations (per-workspace tenancy)
// ──────────────────────────────────────────────────
export interface GiteaOrg {
id: number;
username: string; // org name (Gitea uses "username" for orgs too)
full_name: string;
description?: string;
visibility: 'public' | 'private' | 'limited';
}
/**
* Create a Gitea organization. Requires the admin token to have
* permission to create orgs.
*/
export async function createOrg(opts: {
name: string;
fullName?: string;
description?: string;
visibility?: 'public' | 'private' | 'limited';
}): Promise<GiteaOrg> {
const { name, fullName = name, description = '', visibility = 'private' } = opts;
return giteaFetch(`/orgs`, {
method: 'POST',
body: JSON.stringify({
username: name,
full_name: fullName,
description,
visibility,
repo_admin_change_team_access: true,
}),
});
}
export async function getOrg(name: string): Promise<GiteaOrg | null> {
try {
return await giteaFetch(`/orgs/${name}`);
} catch (err) {
const msg = err instanceof Error ? err.message : String(err);
if (msg.includes('404')) return null;
throw err;
}
}
/**
* Add a Gitea user to an org's "Owners" team (full access to the org).
* Falls back to the org's default team when "Owners" cannot be located.
*/
export async function addOrgOwner(orgName: string, username: string): Promise<void> {
const teams = (await giteaFetch(`/orgs/${orgName}/teams`)) as Array<{ id: number; name: string }>;
const owners = teams.find(t => t.name.toLowerCase() === 'owners') ?? teams[0];
if (!owners) throw new Error(`No teams found for org ${orgName}`);
await giteaFetch(`/teams/${owners.id}/members/${username}`, { method: 'PUT' });
}
export async function getUser(username: string): Promise<{ id: number; login: string } | null> {
try {
return await giteaFetch(`/users/${username}`);
} catch (err) {
const msg = err instanceof Error ? err.message : String(err);
if (msg.includes('404')) return null;
throw err;
}
}
/**
* Get an existing repo.
*/
export async function getRepo(owner: string, repo: string): Promise<GiteaRepo | null> {
try {
return await giteaFetch(`/repos/${owner}/${repo}`);
} catch {
return null;
}
}
/**
* Delete a repo (used for project cleanup).
*/
export async function deleteRepo(owner: string, repo: string): Promise<void> {
await giteaFetch(`/repos/${owner}/${repo}`, { method: 'DELETE' });
}
/**
* Register a webhook on a repo that fires on push, PR, and issue events.
*
* @param owner Repo owner (user or org)
* @param repo Repo name
* @param webhookUrl Target URL — should include projectId as query param
* @param secret Shared secret for payload signature verification
*/
export async function createWebhook(
owner: string,
repo: string,
webhookUrl: string,
secret: string
): Promise<GiteaWebhook> {
return giteaFetch(`/repos/${owner}/${repo}/hooks`, {
method: 'POST',
body: JSON.stringify({
type: 'gitea',
active: true,
events: ['push', 'pull_request', 'issues', 'issue_comment'],
config: {
url: webhookUrl,
content_type: 'json',
secret,
},
}),
});
}
/**
* List webhooks on a repo.
*/
export async function listWebhooks(owner: string, repo: string): Promise<GiteaWebhook[]> {
return giteaFetch(`/repos/${owner}/${repo}/hooks`);
}
/**
* Delete a webhook.
*/
export async function deleteWebhook(owner: string, repo: string, hookId: number): Promise<void> {
await giteaFetch(`/repos/${owner}/${repo}/hooks/${hookId}`, { method: 'DELETE' });
}
/**
* Verify the X-Gitea-Signature-256 header on an incoming webhook payload.
* Returns true if the signature matches.
*/
export async function verifyWebhookSignature(
body: string,
signature: string,
secret: string
): Promise<boolean> {
if (!signature?.startsWith('sha256=')) return false;
const encoder = new TextEncoder();
const key = await crypto.subtle.importKey(
'raw',
encoder.encode(secret),
{ name: 'HMAC', hash: 'SHA-256' },
false,
['sign']
);
const sigBytes = await crypto.subtle.sign('HMAC', key, encoder.encode(body));
const expected = 'sha256=' + Array.from(new Uint8Array(sigBytes))
.map(b => b.toString(16).padStart(2, '0'))
.join('');
return expected === signature;
}
/**
* Push a single file to a repo via the Gitea contents API.
* Creates the file if it doesn't exist; updates it if it does.
*/
export async function giteaPushFile(
owner: string,
repo: string,
path: string,
content: string,
message: string,
branch = 'main',
): Promise<void> {
const encoded = Buffer.from(content).toString('base64');
// Check if file already exists to get its SHA (required for updates)
let sha: string | undefined;
try {
const existing = await giteaFetch(`/repos/${owner}/${repo}/contents/${path}?ref=${branch}`);
sha = (existing as any)?.sha;
} catch {
// File doesn't exist — create it
}
await giteaFetch(`/repos/${owner}/${repo}/contents/${path}`, {
method: sha ? 'PUT' : 'POST',
body: JSON.stringify({ message, content: encoded, branch, ...(sha ? { sha } : {}) }),
});
}
export const GITEA_ADMIN_USER_EXPORT = GITEA_ADMIN_USER;
Reference in New Issue View Git Blame Copy Permalink