Mark Henderson
acb63a2a5a
Adds logical multi-tenancy on top of Coolify + Gitea so every Vibn
account gets its own isolated tenant boundary, and exposes that
boundary to AI agents (Cursor, Claude Code, scripts) through
per-workspace bearer tokens.
Schema (additive, idempotent — run /api/admin/migrate once after deploy)
- vibn_workspaces: slug, name, owner, coolify_project_uuid,
coolify_team_id (reserved for when Coolify ships POST /teams),
gitea_org, provision_status
- vibn_workspace_members: room for multi-user workspaces later
- vibn_workspace_api_keys: sha256-hashed bearer tokens
- fs_projects.vibn_workspace_id: nullable FK linking projects
to their workspace
Provisioning
- On first sign-in, ensureWorkspaceForUser() inserts the row
(no network calls — keeps signin fast).
- On first project create, ensureWorkspaceProvisioned() lazily
creates a Coolify Project (vibn-ws-{slug}) and a Gitea org
(vibn-{slug}). Failures are recorded on the row, not thrown,
and POST /api/workspaces/{slug}/provision retries.
Auth surface
- lib/auth/workspace-auth.ts: requireWorkspacePrincipal() accepts
either a NextAuth session or "Authorization: Bearer vibn_sk_...".
The bearer key is hard-pinned to one workspace — it cannot
reach any other tenant.
- mintWorkspaceApiKey / listWorkspaceApiKeys / revokeWorkspaceApiKey
Routes
- GET /api/workspaces list
- GET /api/workspaces/[slug] details
- POST /api/workspaces/[slug]/provision retry provisioning
- GET /api/workspaces/[slug]/keys list keys
- POST /api/workspaces/[slug]/keys mint key (token shown once)
- DELETE /api/workspaces/[slug]/keys/[keyId] revoke
UI
- components/workspace/WorkspaceKeysPanel.tsx: identity card,
keys CRUD with one-time secret reveal, and a "Connect Cursor"
block with copy/download for:
.cursor/rules/vibn-workspace.mdc — rule telling the agent
about the API + workspace IDs + house rules
~/.cursor/mcp.json — MCP server registration with key
embedded (server URL is /api/mcp; HTTP MCP route lands next)
.env.local — VIBN_API_KEY + smoke-test curl
- Slotted into existing /[workspace]/settings between Workspace
and Notifications cards (no other layout changes).
projects/create
- Resolves the user's workspace (creating + provisioning lazily).
- Repos go under workspace.gitea_org (falls back to GITEA_ADMIN_USER
for backwards compat).
- Coolify services are created inside workspace.coolify_project_uuid
(renamed {slug}-{appName} to stay unique within the namespace) —
no more per-Vibn-project Coolify Project sprawl.
- Stamps vibn_workspace_id on fs_projects.
lib/gitea
- createOrg, getOrg, addOrgOwner, getUser
- createRepo now routes /orgs/{owner}/repos when owner != admin
Also includes prior-turn auth hardening that was already in
authOptions.ts (CredentialsProvider for dev-local, isLocalNextAuth
cookie config) bundled in to keep the auth layer in one consistent
state.
.env.example
- Documents GITEA_API_URL / GITEA_API_TOKEN / GITEA_ADMIN_USER /
GITEA_WEBHOOK_SECRET and COOLIFY_URL / COOLIFY_API_TOKEN /
COOLIFY_SERVER_UUID, with the canonical hostnames
(git.vibnai.com, coolify.vibnai.com).
Post-deploy
- Run once: curl -X POST https://vibnai.com/api/admin/migrate \\
-H "x-admin-secret: \$ADMIN_MIGRATE_SECRET"
- Existing users get a workspace row on next sign-in.
- Existing fs_projects keep working (legacy gitea owner + their
own per-project Coolify Projects); new projects use the
workspace-scoped path.
Not in this commit (follow-ups)
- Wiring requireWorkspacePrincipal into the rest of /api/projects/*
so API keys can drive existing routes
- HTTP MCP server at /api/mcp (the mcp.json snippet already
points at the right URL — no client re-setup when it lands)
- Backfill script to assign legacy fs_projects to a workspace
Made-with: Cursor
271 lines
10 KiB
TypeScript
271 lines
10 KiB
TypeScript
/**
|
|
* Vibn workspaces — logical multi-tenancy on top of Coolify + Gitea.
|
|
*
|
|
* Each Vibn user gets one workspace. The workspace owns:
|
|
* - a Coolify Project UUID (the team/namespace boundary inside Coolify)
|
|
* - a Gitea org (which contains all repos for the workspace)
|
|
*
|
|
* All Vibn projects, apps, deployments, and AI access keys are
|
|
* scoped to a single workspace. Code that touches Coolify or Gitea
|
|
* MUST resolve a workspace first and use its IDs (never the legacy
|
|
* hardcoded admin user / project UUID).
|
|
*
|
|
* Coolify cannot create real Teams via its public API today — see
|
|
* Coolify changelog notes about scoping queries to current team and
|
|
* the lack of POST /teams. We treat one Coolify *Project* as our
|
|
* tenant boundary instead, and stamp `coolify_team_id` later if/when
|
|
* Coolify exposes team creation.
|
|
*/
|
|
|
|
import { query, queryOne } from '@/lib/db-postgres';
|
|
import { createProject as createCoolifyProject } from '@/lib/coolify';
|
|
import { createOrg, getOrg, getUser, addOrgOwner } from '@/lib/gitea';
|
|
|
|
export interface VibnWorkspace {
|
|
id: string;
|
|
slug: string;
|
|
name: string;
|
|
owner_user_id: string;
|
|
coolify_project_uuid: string | null;
|
|
coolify_team_id: number | null;
|
|
gitea_org: string | null;
|
|
provision_status: 'pending' | 'partial' | 'ready' | 'error';
|
|
provision_error: string | null;
|
|
created_at: Date;
|
|
updated_at: Date;
|
|
}
|
|
|
|
export interface VibnWorkspaceMember {
|
|
id: string;
|
|
workspace_id: string;
|
|
user_id: string;
|
|
role: 'owner' | 'admin' | 'member';
|
|
created_at: Date;
|
|
}
|
|
|
|
// ──────────────────────────────────────────────────
|
|
// Slug helpers
|
|
// ──────────────────────────────────────────────────
|
|
|
|
const SAFE_SLUG = /[^a-z0-9]+/g;
|
|
|
|
export function workspaceSlugFromEmail(email: string): string {
|
|
const local = email.split('@')[0]?.toLowerCase() ?? 'user';
|
|
return local.replace(SAFE_SLUG, '-').replace(/^-+|-+$/g, '') || 'user';
|
|
}
|
|
|
|
/** Coolify Project name we use for a workspace. Prefixed to avoid collisions. */
|
|
export function coolifyProjectNameFor(slug: string): string {
|
|
return `vibn-ws-${slug}`;
|
|
}
|
|
|
|
/** Gitea org name we use for a workspace. Same prefix for consistency. */
|
|
export function giteaOrgNameFor(slug: string): string {
|
|
return `vibn-${slug}`;
|
|
}
|
|
|
|
// ──────────────────────────────────────────────────
|
|
// CRUD
|
|
// ──────────────────────────────────────────────────
|
|
|
|
export async function getWorkspaceById(id: string): Promise<VibnWorkspace | null> {
|
|
return queryOne<VibnWorkspace>(`SELECT * FROM vibn_workspaces WHERE id = $1`, [id]);
|
|
}
|
|
|
|
export async function getWorkspaceBySlug(slug: string): Promise<VibnWorkspace | null> {
|
|
return queryOne<VibnWorkspace>(`SELECT * FROM vibn_workspaces WHERE slug = $1`, [slug]);
|
|
}
|
|
|
|
export async function getWorkspaceByOwner(userId: string): Promise<VibnWorkspace | null> {
|
|
return queryOne<VibnWorkspace>(
|
|
`SELECT * FROM vibn_workspaces WHERE owner_user_id = $1 ORDER BY created_at ASC LIMIT 1`,
|
|
[userId]
|
|
);
|
|
}
|
|
|
|
export async function listWorkspacesForUser(userId: string): Promise<VibnWorkspace[]> {
|
|
return query<VibnWorkspace>(
|
|
`SELECT w.* FROM vibn_workspaces w
|
|
LEFT JOIN vibn_workspace_members m ON m.workspace_id = w.id
|
|
WHERE w.owner_user_id = $1 OR m.user_id = $1
|
|
GROUP BY w.id
|
|
ORDER BY w.created_at ASC`,
|
|
[userId]
|
|
);
|
|
}
|
|
|
|
export async function userHasWorkspaceAccess(userId: string, workspaceId: string): Promise<boolean> {
|
|
const row = await queryOne<{ id: string }>(
|
|
`SELECT w.id FROM vibn_workspaces w
|
|
LEFT JOIN vibn_workspace_members m ON m.workspace_id = w.id AND m.user_id = $1
|
|
WHERE w.id = $2 AND (w.owner_user_id = $1 OR m.user_id = $1)
|
|
LIMIT 1`,
|
|
[userId, workspaceId]
|
|
);
|
|
return !!row;
|
|
}
|
|
|
|
// ──────────────────────────────────────────────────
|
|
// Get-or-create + provision
|
|
// ──────────────────────────────────────────────────
|
|
|
|
/**
|
|
* Idempotently ensures a workspace row exists for the user. Does NOT
|
|
* provision Coolify/Gitea — call ensureWorkspaceProvisioned() for that.
|
|
*
|
|
* Suitable to call from the NextAuth signIn callback (cheap, single insert).
|
|
*/
|
|
export async function ensureWorkspaceForUser(opts: {
|
|
userId: string;
|
|
email: string;
|
|
displayName?: string | null;
|
|
}): Promise<VibnWorkspace> {
|
|
const existing = await getWorkspaceByOwner(opts.userId);
|
|
if (existing) return existing;
|
|
|
|
const slug = await pickAvailableSlug(workspaceSlugFromEmail(opts.email));
|
|
const name = opts.displayName?.trim() || opts.email.split('@')[0];
|
|
|
|
const inserted = await query<VibnWorkspace>(
|
|
`INSERT INTO vibn_workspaces (slug, name, owner_user_id)
|
|
VALUES ($1, $2, $3)
|
|
RETURNING *`,
|
|
[slug, name, opts.userId]
|
|
);
|
|
const workspace = inserted[0];
|
|
|
|
await query(
|
|
`INSERT INTO vibn_workspace_members (workspace_id, user_id, role)
|
|
VALUES ($1, $2, 'owner')
|
|
ON CONFLICT (workspace_id, user_id) DO NOTHING`,
|
|
[workspace.id, opts.userId]
|
|
);
|
|
|
|
return workspace;
|
|
}
|
|
|
|
/**
|
|
* Provisions Coolify Project + Gitea org for a workspace if not yet done.
|
|
* Idempotent. Failures are recorded on the row but do not throw — callers
|
|
* can retry by calling again. Returns the up-to-date workspace row.
|
|
*/
|
|
export async function ensureWorkspaceProvisioned(workspace: VibnWorkspace): Promise<VibnWorkspace> {
|
|
if (workspace.provision_status === 'ready') return workspace;
|
|
|
|
let coolifyUuid = workspace.coolify_project_uuid;
|
|
let giteaOrg = workspace.gitea_org;
|
|
const errors: string[] = [];
|
|
|
|
// ── Coolify Project ────────────────────────────────────────────────
|
|
if (!coolifyUuid) {
|
|
try {
|
|
const project = await createCoolifyProject(
|
|
coolifyProjectNameFor(workspace.slug),
|
|
`Vibn workspace ${workspace.slug}`
|
|
);
|
|
coolifyUuid = project.uuid;
|
|
} catch (err) {
|
|
const msg = err instanceof Error ? err.message : String(err);
|
|
// Coolify returns 400/409 if the name collides — fall through; the
|
|
// workspace can still be patched manually with the right UUID.
|
|
errors.push(`coolify: ${msg}`);
|
|
console.error('[workspaces] Coolify provisioning failed', workspace.slug, msg);
|
|
}
|
|
}
|
|
|
|
// ── Gitea Org ──────────────────────────────────────────────────────
|
|
if (!giteaOrg) {
|
|
const wantOrg = giteaOrgNameFor(workspace.slug);
|
|
try {
|
|
const existingOrg = await getOrg(wantOrg);
|
|
if (existingOrg) {
|
|
giteaOrg = existingOrg.username;
|
|
} else {
|
|
const created = await createOrg({
|
|
name: wantOrg,
|
|
fullName: workspace.name,
|
|
description: `Vibn workspace for ${workspace.slug}`,
|
|
visibility: 'private',
|
|
});
|
|
giteaOrg = created.username;
|
|
}
|
|
} catch (err) {
|
|
const msg = err instanceof Error ? err.message : String(err);
|
|
errors.push(`gitea: ${msg}`);
|
|
console.error('[workspaces] Gitea org provisioning failed', workspace.slug, msg);
|
|
}
|
|
}
|
|
|
|
// ── Add the workspace owner to the Gitea org if they have a Gitea account.
|
|
// Best-effort: most Vibn users won't have a Gitea login, so a 404 is fine.
|
|
if (giteaOrg) {
|
|
try {
|
|
const ownerEmail = await queryOne<{ email: string }>(
|
|
`SELECT data->>'email' AS email FROM fs_users WHERE id = $1`,
|
|
[workspace.owner_user_id]
|
|
);
|
|
const candidateLogin = ownerEmail?.email
|
|
? workspaceSlugFromEmail(ownerEmail.email)
|
|
: null;
|
|
if (candidateLogin) {
|
|
const giteaUser = await getUser(candidateLogin);
|
|
if (giteaUser) {
|
|
await addOrgOwner(giteaOrg, giteaUser.login);
|
|
}
|
|
}
|
|
} catch (err) {
|
|
// Membership add is best-effort
|
|
console.warn('[workspaces] Skipping Gitea owner add', err);
|
|
}
|
|
}
|
|
|
|
const status: VibnWorkspace['provision_status'] =
|
|
coolifyUuid && giteaOrg ? 'ready' : errors.length > 0 ? 'partial' : 'pending';
|
|
|
|
const updated = await query<VibnWorkspace>(
|
|
`UPDATE vibn_workspaces
|
|
SET coolify_project_uuid = COALESCE($2, coolify_project_uuid),
|
|
gitea_org = COALESCE($3, gitea_org),
|
|
provision_status = $4,
|
|
provision_error = $5,
|
|
updated_at = now()
|
|
WHERE id = $1
|
|
RETURNING *`,
|
|
[workspace.id, coolifyUuid, giteaOrg, status, errors.length ? errors.join('; ') : null]
|
|
);
|
|
|
|
return updated[0];
|
|
}
|
|
|
|
/**
|
|
* Convenience: get-or-create + provision in one call. Used by the
|
|
* project-create flow so the first project in a fresh account always
|
|
* has somewhere to land.
|
|
*/
|
|
export async function getOrCreateProvisionedWorkspace(opts: {
|
|
userId: string;
|
|
email: string;
|
|
displayName?: string | null;
|
|
}): Promise<VibnWorkspace> {
|
|
const ws = await ensureWorkspaceForUser(opts);
|
|
return ensureWorkspaceProvisioned(ws);
|
|
}
|
|
|
|
// ──────────────────────────────────────────────────
|
|
// Slug uniqueness
|
|
// ──────────────────────────────────────────────────
|
|
|
|
async function pickAvailableSlug(base: string): Promise<string> {
|
|
// Try base, then base-2, base-3, … up to base-99.
|
|
for (let i = 0; i < 100; i++) {
|
|
const candidate = i === 0 ? base : `${base}-${i + 1}`;
|
|
const existing = await queryOne<{ id: string }>(
|
|
`SELECT id FROM vibn_workspaces WHERE slug = $1 LIMIT 1`,
|
|
[candidate]
|
|
);
|
|
if (!existing) return candidate;
|
|
}
|
|
// Extremely unlikely fallback
|
|
return `${base}-${Date.now().toString(36)}`;
|
|
}
|