Initial commit

routes/api/git/stacks/+server.ts

@@ -0,0 +1,144 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import {
+	getGitStacks,
+	createGitStack,
+	getGitCredentials,
+	getGitRepository,
+	createGitRepository,
+	upsertStackSource
+} from '$lib/server/db';
+import { deployGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+import { registerSchedule } from '$lib/server/scheduler';
+import crypto from 'node:crypto';
+
+export const GET: RequestHandler = async ({ url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('stacks', 'view', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+
+		const stacks = await getGitStacks(envIdNum);
+		return json(stacks);
+	} catch (error) {
+		console.error('Failed to get git stacks:', error);
+		return json({ error: 'Failed to get git stacks' }, { status: 500 });
+	}
+};
+
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const data = await request.json();
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'create', data.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		if (!data.stackName || typeof data.stackName !== 'string') {
+			return json({ error: 'Stack name is required' }, { status: 400 });
+		}
+
+		// Either repositoryId or new repo details (url, branch) must be provided
+		let repositoryId = data.repositoryId;
+
+		if (!repositoryId) {
+			// Create a new repository if URL is provided
+			if (!data.url || typeof data.url !== 'string') {
+				return json({ error: 'Repository URL or existing repository ID is required' }, { status: 400 });
+			}
+
+			// Validate credential if provided
+			if (data.credentialId) {
+				const credentials = await getGitCredentials();
+				const credential = credentials.find(c => c.id === data.credentialId);
+				if (!credential) {
+					return json({ error: 'Invalid credential ID' }, { status: 400 });
+				}
+			}
+
+			// Create the repository first
+			const repoName = data.repoName || data.stackName;
+			try {
+				const repo = await createGitRepository({
+					name: repoName,
+					url: data.url,
+					branch: data.branch || 'main',
+					credentialId: data.credentialId || null
+				});
+				repositoryId = repo.id;
+			} catch (error: any) {
+				if (error.message?.includes('UNIQUE constraint failed')) {
+					return json({ error: 'A repository with this name already exists' }, { status: 400 });
+				}
+				throw error;
+			}
+		} else {
+			// Verify repository exists
+			const repo = await getGitRepository(repositoryId);
+			if (!repo) {
+				return json({ error: 'Repository not found' }, { status: 400 });
+			}
+		}
+
+		// Generate webhook secret if webhook is enabled
+		let webhookSecret = data.webhookSecret;
+		if (data.webhookEnabled && !webhookSecret) {
+			webhookSecret = crypto.randomBytes(32).toString('hex');
+		}
+
+		const gitStack = await createGitStack({
+			stackName: data.stackName,
+			environmentId: data.environmentId || null,
+			repositoryId: repositoryId,
+			composePath: data.composePath || 'docker-compose.yml',
+			envFilePath: data.envFilePath || null,
+			autoUpdate: data.autoUpdate || false,
+			autoUpdateSchedule: data.autoUpdateSchedule || 'daily',
+			autoUpdateCron: data.autoUpdateCron || '0 3 * * *',
+			webhookEnabled: data.webhookEnabled || false,
+			webhookSecret: webhookSecret
+		});
+
+		// Create stack_sources entry so the stack appears in the list immediately
+		await upsertStackSource({
+			stackName: data.stackName,
+			environmentId: data.environmentId || null,
+			sourceType: 'git',
+			gitRepositoryId: repositoryId,
+			gitStackId: gitStack.id
+		});
+
+		// Register schedule with croner if auto-update is enabled
+		if (gitStack.autoUpdate && gitStack.autoUpdateCron) {
+			await registerSchedule(gitStack.id, 'git_stack_sync', gitStack.environmentId);
+		}
+
+		// If deployNow is set, deploy immediately
+		if (data.deployNow) {
+			const deployResult = await deployGitStack(gitStack.id);
+			return json({
+				...gitStack,
+				deployResult: deployResult
+			});
+		}
+
+		return json(gitStack);
+	} catch (error: any) {
+		console.error('Failed to create git stack:', error);
+		if (error.message?.includes('UNIQUE constraint failed')) {
+			return json({ error: 'A git stack with this name already exists for this environment' }, { status: 400 });
+		}
+		return json({ error: 'Failed to create git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/+server.ts

@@ -0,0 +1,112 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack, updateGitStack, deleteGitStack } from '$lib/server/db';
+import { deleteGitStackFiles, deployGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+import { registerSchedule, unregisterSchedule } from '$lib/server/scheduler';
+
+export const GET: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'view', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		return json(gitStack);
+	} catch (error) {
+		console.error('Failed to get git stack:', error);
+		return json({ error: 'Failed to get git stack' }, { status: 500 });
+	}
+};
+
+export const PUT: RequestHandler = async ({ params, request, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const existing = await getGitStack(id);
+		if (!existing) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'edit', existing.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const data = await request.json();
+		const updated = await updateGitStack(id, {
+			stackName: data.stackName,
+			composePath: data.composePath,
+			envFilePath: data.envFilePath,
+			autoUpdate: data.autoUpdate,
+			autoUpdateSchedule: data.autoUpdateSchedule,
+			autoUpdateCron: data.autoUpdateCron,
+			webhookEnabled: data.webhookEnabled,
+			webhookSecret: data.webhookSecret
+		});
+
+		// Register or unregister schedule with croner
+		if (updated.autoUpdate && updated.autoUpdateCron) {
+			await registerSchedule(id, 'git_stack_sync', updated.environmentId);
+		} else {
+			unregisterSchedule(id, 'git_stack_sync');
+		}
+
+		// If deployNow is set, deploy after saving
+		if (data.deployNow) {
+			const deployResult = await deployGitStack(id);
+			return json({
+				...updated,
+				deployResult
+			});
+		}
+
+		return json(updated);
+	} catch (error: any) {
+		console.error('Failed to update git stack:', error);
+		if (error.message?.includes('UNIQUE constraint failed')) {
+			return json({ error: 'A git stack with this name already exists for this environment' }, { status: 400 });
+		}
+		return json({ error: 'Failed to update git stack' }, { status: 500 });
+	}
+};
+
+export const DELETE: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const existing = await getGitStack(id);
+		if (!existing) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'remove', existing.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		// Unregister schedule from croner
+		unregisterSchedule(id, 'git_stack_sync');
+
+		// Delete git files first
+		deleteGitStackFiles(id);
+
+		// Delete from database
+		await deleteGitStack(id);
+
+		return json({ success: true });
+	} catch (error) {
+		console.error('Failed to delete git stack:', error);
+		return json({ error: 'Failed to delete git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/deploy-stream/+server.ts

@@ -0,0 +1,54 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { deployGitStackWithProgress } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+export const POST: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const id = parseInt(params.id);
+	const gitStack = await getGitStack(id);
+
+	if (!gitStack) {
+		return new Response(JSON.stringify({ error: 'Git stack not found' }), {
+			status: 404,
+			headers: { 'Content-Type': 'application/json' }
+		});
+	}
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('stacks', 'start', gitStack.environmentId || undefined)) {
+		return new Response(JSON.stringify({ error: 'Permission denied' }), {
+			status: 403,
+			headers: { 'Content-Type': 'application/json' }
+		});
+	}
+
+	// Create a readable stream for SSE
+	const stream = new ReadableStream({
+		async start(controller) {
+			const encoder = new TextEncoder();
+
+			const sendEvent = (data: any) => {
+				controller.enqueue(encoder.encode(`data: ${JSON.stringify(data)}\n\n`));
+			};
+
+			try {
+				await deployGitStackWithProgress(id, sendEvent);
+			} catch (error: any) {
+				sendEvent({ status: 'error', error: error.message || 'Unknown error' });
+			} finally {
+				controller.close();
+			}
+		}
+	});
+
+	return new Response(stream, {
+		headers: {
+			'Content-Type': 'text/event-stream',
+			'Cache-Control': 'no-cache',
+			'Connection': 'keep-alive'
+		}
+	});
+};

routes/api/git/stacks/[id]/deploy/+server.ts

@@ -0,0 +1,28 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { deployGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+export const POST: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'start', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const result = await deployGitStack(id);
+		return json(result);
+	} catch (error) {
+		console.error('Failed to deploy git stack:', error);
+		return json({ error: 'Failed to deploy git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/env-files/+server.ts

@@ -0,0 +1,75 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { listGitStackEnvFiles, readGitStackEnvFile } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+/**
+ * GET /api/git/stacks/[id]/env-files
+ * List all .env files in the git stack's repository.
+ * Returns: { files: string[] }
+ */
+export const GET: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'view', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const result = await listGitStackEnvFiles(id);
+		if (result.error) {
+			return json({ files: [], error: result.error }, { status: 400 });
+		}
+
+		return json({ files: result.files });
+	} catch (error) {
+		console.error('Failed to list env files:', error);
+		return json({ error: 'Failed to list env files' }, { status: 500 });
+	}
+};
+
+/**
+ * POST /api/git/stacks/[id]/env-files
+ * Read and parse a specific .env file from the git stack's repository.
+ * Body: { path: string }
+ * Returns: { vars: Record<string, string> }
+ */
+export const POST: RequestHandler = async ({ params, cookies, request }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'view', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const body = await request.json();
+		if (!body.path || typeof body.path !== 'string') {
+			return json({ error: 'File path is required' }, { status: 400 });
+		}
+
+		const result = await readGitStackEnvFile(id, body.path);
+		if (result.error) {
+			return json({ vars: {}, error: result.error }, { status: 400 });
+		}
+
+		return json({ vars: result.vars });
+	} catch (error) {
+		console.error('Failed to read env file:', error);
+		return json({ error: 'Failed to read env file' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/sync/+server.ts

@@ -0,0 +1,28 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { syncGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+export const POST: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'edit', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const result = await syncGitStack(id);
+		return json(result);
+	} catch (error) {
+		console.error('Failed to sync git stack:', error);
+		return json({ error: 'Failed to sync git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/test/+server.ts

@@ -0,0 +1,28 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { testGitStack } from '$lib/server/git';
+import { authorize } from '$lib/server/authorize';
+
+export const POST: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	try {
+		const id = parseInt(params.id);
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		// Permission check with environment context
+		if (auth.authEnabled && !await auth.can('stacks', 'view', gitStack.environmentId || undefined)) {
+			return json({ error: 'Permission denied' }, { status: 403 });
+		}
+
+		const result = await testGitStack(id);
+		return json(result);
+	} catch (error) {
+		console.error('Failed to test git stack:', error);
+		return json({ error: 'Failed to test git stack' }, { status: 500 });
+	}
+};

routes/api/git/stacks/[id]/webhook/+server.ts

@@ -0,0 +1,97 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getGitStack } from '$lib/server/db';
+import { deployGitStack } from '$lib/server/git';
+import crypto from 'node:crypto';
+
+function verifySignature(payload: string, signature: string | null, secret: string): boolean {
+	if (!signature) return false;
+
+	// Support both GitHub and GitLab webhook signatures
+	// GitHub: sha256=<hash>
+	// GitLab: just the token value in X-Gitlab-Token header
+
+	if (signature.startsWith('sha256=')) {
+		const expectedSignature = 'sha256=' + crypto
+			.createHmac('sha256', secret)
+			.update(payload)
+			.digest('hex');
+		return crypto.timingSafeEqual(
+			Buffer.from(signature),
+			Buffer.from(expectedSignature)
+		);
+	}
+
+	// GitLab uses X-Gitlab-Token which should match exactly
+	return signature === secret;
+}
+
+export const POST: RequestHandler = async ({ params, request }) => {
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid stack ID' }, { status: 400 });
+		}
+
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		if (!gitStack.webhookEnabled) {
+			return json({ error: 'Webhook is not enabled for this stack' }, { status: 403 });
+		}
+
+		// Verify webhook secret if set
+		if (gitStack.webhookSecret) {
+			const payload = await request.text();
+			const githubSignature = request.headers.get('x-hub-signature-256');
+			const gitlabToken = request.headers.get('x-gitlab-token');
+
+			const signature = githubSignature || gitlabToken;
+
+			if (!verifySignature(payload, signature, gitStack.webhookSecret)) {
+				return json({ error: 'Invalid webhook signature' }, { status: 401 });
+			}
+		}
+
+		// Deploy the git stack (syncs and deploys only if there are changes)
+		const result = await deployGitStack(id, { force: false });
+		return json(result);
+	} catch (error: any) {
+		console.error('Webhook error:', error);
+		return json({ success: false, error: error.message }, { status: 500 });
+	}
+};
+
+// Also support GET for simple polling/manual triggers
+export const GET: RequestHandler = async ({ params, url }) => {
+	try {
+		const id = parseInt(params.id);
+		if (isNaN(id)) {
+			return json({ error: 'Invalid stack ID' }, { status: 400 });
+		}
+
+		const gitStack = await getGitStack(id);
+		if (!gitStack) {
+			return json({ error: 'Git stack not found' }, { status: 404 });
+		}
+
+		if (!gitStack.webhookEnabled) {
+			return json({ error: 'Webhook is not enabled for this stack' }, { status: 403 });
+		}
+
+		// Verify secret via query parameter for GET requests
+		const secret = url.searchParams.get('secret');
+		if (gitStack.webhookSecret && secret !== gitStack.webhookSecret) {
+			return json({ error: 'Invalid webhook secret' }, { status: 401 });
+		}
+
+		// Deploy the git stack (syncs and deploys only if there are changes)
+		const result = await deployGitStack(id, { force: false });
+		return json(result);
+	} catch (error: any) {
+		console.error('Webhook GET error:', error);
+		return json({ success: false, error: error.message }, { status: 500 });
+	}
+};