Initial commit

routes/api/volumes/[name]/+server.ts

@@ -0,0 +1,63 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { removeVolume, inspectVolume } from '$lib/server/docker';
+import { authorize } from '$lib/server/authorize';
+import { auditVolume } from '$lib/server/audit';
+
+export const GET: RequestHandler = async ({ params, url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('volumes', 'inspect', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	// Environment access check (enterprise only)
+	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
+		return json({ error: 'Access denied to this environment' }, { status: 403 });
+	}
+
+	try {
+
+		const volume = await inspectVolume(params.name, envIdNum);
+		return json(volume);
+	} catch (error) {
+		console.error('Failed to inspect volume:', error);
+		return json({ error: 'Failed to inspect volume' }, { status: 500 });
+	}
+};
+
+export const DELETE: RequestHandler = async (event) => {
+	const { params, url, cookies } = event;
+	const auth = await authorize(cookies);
+
+	const force = url.searchParams.get('force') === 'true';
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('volumes', 'remove', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	// Environment access check (enterprise only)
+	if (envIdNum && auth.isEnterprise && !await auth.canAccessEnvironment(envIdNum)) {
+		return json({ error: 'Access denied to this environment' }, { status: 403 });
+	}
+
+	try {
+
+		await removeVolume(params.name, force, envIdNum);
+
+		// Audit log
+		await auditVolume(event, 'delete', params.name, params.name, envIdNum, { force });
+
+		return json({ success: true });
+	} catch (error: any) {
+		console.error('Failed to remove volume:', error);
+		return json({ error: 'Failed to remove volume', details: error.message }, { status: 500 });
+	}
+};

routes/api/volumes/[name]/browse/+server.ts

@@ -0,0 +1,52 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { listVolumeDirectory, getVolumeUsage } from '$lib/server/docker';
+import { authorize } from '$lib/server/authorize';
+
+export const GET: RequestHandler = async ({ params, url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+	const path = url.searchParams.get('path') || '/';
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('volumes', 'inspect', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		// Check if volume is in use by any containers
+		const usage = await getVolumeUsage(params.name, envIdNum);
+		const isInUse = usage.length > 0;
+
+		// Mount read-only if in use, otherwise writable
+		const result = await listVolumeDirectory(params.name, path, envIdNum, isInUse);
+
+		// Note: Helper container is cached and reused for subsequent requests.
+		// Cache TTL handles cleanup automatically.
+
+		return json({
+			path: result.path,
+			entries: result.entries,
+			usage,
+			isInUse,
+			// Expose helper container ID so frontend can use container file endpoints
+			helperId: result.containerId
+		});
+	} catch (error: any) {
+		console.error('Failed to browse volume:', error);
+
+		if (error.message?.includes('No such file or directory')) {
+			return json({ error: 'Directory not found', path: url.searchParams.get('path') || '/' }, { status: 404 });
+		}
+		if (error.message?.includes('Permission denied')) {
+			return json({ error: 'Permission denied to access this path' }, { status: 403 });
+		}
+
+		return json({
+			error: 'Failed to browse volume',
+			details: error.message || String(error)
+		}, { status: 500 });
+	}
+};

routes/api/volumes/[name]/browse/content/+server.ts

@@ -0,0 +1,53 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { readVolumeFile } from '$lib/server/docker';
+import { authorize } from '$lib/server/authorize';
+
+// Max file size for reading (1MB)
+const MAX_FILE_SIZE = 1024 * 1024;
+
+export const GET: RequestHandler = async ({ params, url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const path = url.searchParams.get('path');
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('volumes', 'inspect', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		if (!path) {
+			return json({ error: 'Path is required' }, { status: 400 });
+		}
+
+		const content = await readVolumeFile(
+			params.name,
+			path,
+			envIdNum
+		);
+
+		// Check if content is too large
+		if (content.length > MAX_FILE_SIZE) {
+			return json({ error: 'File is too large to view (max 1MB)' }, { status: 413 });
+		}
+
+		return json({ content, path });
+	} catch (error: any) {
+		console.error('Error reading volume file:', error);
+
+		if (error.message?.includes('No such file or directory')) {
+			return json({ error: 'File not found' }, { status: 404 });
+		}
+		if (error.message?.includes('Permission denied')) {
+			return json({ error: 'Permission denied to read this file' }, { status: 403 });
+		}
+		if (error.message?.includes('Is a directory')) {
+			return json({ error: 'Cannot read a directory' }, { status: 400 });
+		}
+
+		return json({ error: 'Failed to read file' }, { status: 500 });
+	}
+};

routes/api/volumes/[name]/browse/release/+server.ts

@@ -0,0 +1,33 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { releaseVolumeHelperContainer } from '$lib/server/docker';
+import { authorize } from '$lib/server/authorize';
+
+/**
+ * Release the cached volume helper container when done browsing.
+ * This is called when the volume browser modal is closed.
+ */
+export const POST: RequestHandler = async ({ params, url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('volumes', 'inspect', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+
+		await releaseVolumeHelperContainer(params.name, envIdNum);
+
+		return json({ success: true });
+	} catch (error: any) {
+		console.error('Failed to release volume helper:', error);
+		return json({
+			error: 'Failed to release volume helper',
+			details: error.message || String(error)
+		}, { status: 500 });
+	}
+};

routes/api/volumes/[name]/clone/+server.ts

@@ -0,0 +1,55 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { inspectVolume, createVolume, type CreateVolumeOptions } from '$lib/server/docker';
+import { authorize } from '$lib/server/authorize';
+import { auditVolume } from '$lib/server/audit';
+
+export const POST: RequestHandler = async (event) => {
+	const { params, url, request, cookies } = event;
+	const auth = await authorize(cookies);
+
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('volumes', 'create', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+
+		const body = await request.json();
+		const newName = body.name;
+
+		if (!newName) {
+			return json({ error: 'New volume name is required' }, { status: 400 });
+		}
+
+		// Get source volume info
+		const sourceVolume = await inspectVolume(params.name, envIdNum);
+
+		// Create new volume with same driver and options
+		const options: CreateVolumeOptions = {
+			name: newName,
+			driver: sourceVolume.Driver || 'local',
+			driverOpts: sourceVolume.Options || {},
+			labels: { ...sourceVolume.Labels, 'dockhand.cloned.from': params.name }
+		};
+
+		const newVolume = await createVolume(options, envIdNum);
+
+		// Audit log
+		await auditVolume(event, 'clone', newVolume.Name, `${params.name} → ${newName}`, envIdNum, {
+			source: params.name,
+			driver: options.driver
+		});
+
+		return json({ success: true, name: newVolume.Name });
+	} catch (error: any) {
+		console.error('Failed to clone volume:', error);
+		return json({
+			error: 'Failed to clone volume',
+			details: error.message || String(error)
+		}, { status: 500 });
+	}
+};

routes/api/volumes/[name]/export/+server.ts

@@ -0,0 +1,73 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { getVolumeArchive } from '$lib/server/docker';
+import { authorize } from '$lib/server/authorize';
+
+export const GET: RequestHandler = async ({ params, url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+	const path = url.searchParams.get('path') || '/';
+	const format = url.searchParams.get('format') || 'tar';
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('volumes', 'inspect', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+
+		const { response } = await getVolumeArchive(params.name, path, envIdNum);
+
+		// Determine filename
+		const volumeName = params.name.replace(/[:/]/g, '_');
+		const pathPart = path === '/' ? '' : `-${path.replace(/^\//, '').replace(/\//g, '-')}`;
+		let filename = `${volumeName}${pathPart}`;
+		let contentType = 'application/x-tar';
+		let extension = '.tar';
+
+		// Prepare response based on format
+		let body: ReadableStream<Uint8Array> | Uint8Array = response.body!;
+
+		if (format === 'tar.gz') {
+			// Compress with gzip using Bun's native implementation
+			const tarData = new Uint8Array(await response.arrayBuffer());
+			body = Bun.gzipSync(tarData);
+			contentType = 'application/gzip';
+			extension = '.tar.gz';
+		}
+
+		// Note: Helper container is cached and reused for subsequent requests.
+		// Cache TTL handles cleanup automatically.
+
+		const headers: Record<string, string> = {
+			'Content-Type': contentType,
+			'Content-Disposition': `attachment; filename="${filename}${extension}"`
+		};
+
+		// Set content length for compressed data
+		if (body instanceof Uint8Array) {
+			headers['Content-Length'] = body.length.toString();
+		} else {
+			// Pass through content length for streaming tar
+			const contentLength = response.headers.get('Content-Length');
+			if (contentLength) {
+				headers['Content-Length'] = contentLength;
+			}
+		}
+
+		return new Response(body, { headers });
+	} catch (error: any) {
+		console.error('Failed to export volume:', error);
+
+		if (error.message?.includes('No such file or directory')) {
+			return json({ error: 'Path not found' }, { status: 404 });
+		}
+
+		return json({
+			error: 'Failed to export volume',
+			details: error.message || String(error)
+		}, { status: 500 });
+	}
+};

routes/api/volumes/[name]/inspect/+server.ts

@@ -0,0 +1,24 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { inspectVolume } from '$lib/server/docker';
+import { authorize } from '$lib/server/authorize';
+
+export const GET: RequestHandler = async ({ params, url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	const envId = url.searchParams.get('env');
+	const envIdNum = envId ? parseInt(envId) : undefined;
+
+	// Permission check with environment context
+	if (auth.authEnabled && !await auth.can('volumes', 'inspect', envIdNum)) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const volumeData = await inspectVolume(params.name, envIdNum);
+		return json(volumeData);
+	} catch (error) {
+		console.error('Failed to inspect volume:', error);
+		return json({ error: 'Failed to inspect volume' }, { status: 500 });
+	}
+};