Commit Graph

104 Commits

Author SHA1 Message Date
vasyansk 5662334799 fix(api): distinguish domain-not-found (404) from provider failure (502) on zone endpoints
Introduce service.ErrProviderUnavailable, wrapped only around the
provider GetRecords call in ZoneRecords. handleZoneRecords and
handleTemplateFromZone now use errors.Is against it to tell a real
provider outage (502) apart from local resolution failures such as an
unknown domain (404), instead of collapsing every ZoneRecords error
into a blanket 502. Also fixes handleTemplateFromZone's GetDomain
error branch to return 404 "domain not found" instead of 500, for
consistency with handleSetDomainTemplate/handleDomainHistory.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-05 12:14:46 +07:00
vasyansk 9ccb304d2e feat(api): read zone records without template + snapshot-to-template
LoadDomain requires a template, so a zone without one could never be
viewed or snapshotted. Adds a template-free path: store.LoadZone /
service.ZoneRef / DomainService.ZoneRecords read a zone's live records
straight from the provider (no diff, no template). GET
/domains/{did}/records exposes read-only viewing; POST
/domains/{did}/template-from-zone snapshots only managed record types
(NS/SOA excluded) into a new template and auto-attaches it to the domain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-05 12:00:27 +07:00
vasyansk 1540140542 docs: plan for zone view without template + snapshot
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-05 11:48:21 +07:00
vasyansk b4e34f5b9b Merge feature/selectel-iam-auth: фикс 401 — project IAM-токен для Cloud DNS v2
Приложение получает 24ч IAM-токен из учётки сервисного пользователя (Identity API),
кэширует и обновляет; учётка = зашифрованный JSON {username,password,account_id,project_name};
валидация кредов пробным логином при добавлении; форма из 4 полей.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 21:25:39 +07:00
vasyansk e8e7371f09 fix: drain Identity error body (keep-alive); reject whitespace-only credential fields in form
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-04 20:36:50 +07:00
vasyansk be408a216c feat(web): Selectel service-user account form (IAM credentials)
Replace the single API-key field with 4 IAM service-user fields
(username, password, account_id, project_name) matching the new
backend contract; map 400 "invalid provider credentials" to a
user-facing message.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 20:23:34 +07:00
vasyansk 568452846a feat(api): structured provider credentials + trial-auth validation on account create
POST /accounts now accepts secret as a provider-specific JSON object
instead of an opaque string, and validates credentials via
provider.Provider.Validate before persisting — invalid credentials get
a generic 400 without ever reaching Store.CreateAccount or echoing the
secret back.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 20:12:41 +07:00
vasyansk 32107571d1 feat(selectel): project-scoped IAM auth with token cache; provider Validate
Selectel Cloud DNS v2 requires a project IAM token in X-Auth-Token, not the
raw service-user secret; the previous client sent the static secret directly
and got 401. The client now parses Credentials.Secret as a Creds JSON blob
(username/password/account_id/project_name), exchanges it for a token via
the Identity API (POST /identity/v3/auth/tokens), and caches the token in
memory per-account until 5 minutes before expiry. ListZones/GetRecords/
ApplyChanges send the cached IAM token instead of the raw secret.

provider.Provider gains a Validate(ctx, Credentials) method so a bad account
can be rejected via trial login at creation time; all Provider fakes across
provider/registry/api/service test packages implement it as a no-op stub for
now (Task 2 will make api's mock configurable).

Security: the service-user password is folded into the token cache key via
SHA-256 (never stored in the clear) so a password change invalidates the
cached token; identity errors are generic and never echo the request body.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 20:02:36 +07:00
vasyansk 617b02dbfb docs: plan for Selectel IAM auth (Cloud DNS v2)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 19:52:42 +07:00
vasyansk 774b480677 Merge feature/tech-debt-docker: техдолг Фаз 1-3 + docker compose
T1 graceful scheduler shutdown + /healthz + healthcheck-режим;
T2 per-channel notification metrics; T3 frontend code-splitting + allowlist;
T4 multi-stage Dockerfile (distroless nonroot); T5 docker compose (app+postgres).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 16:38:45 +07:00
vasyansk 77ca0200ae build: docker compose (app + postgres) with healthchecks and .env
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 16:27:16 +07:00
vasyansk 675136e488 build: mirror .gitignore dist rules in .dockerignore for hermetic builds
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 16:23:20 +07:00
vasyansk 7d875ea19a build: multi-stage Dockerfile (node build -> go embed -> distroless)
Three-stage image: node:22-alpine builds the Vite SPA, golang:1.26.4-alpine
compiles the server with the built SPA copied into the //go:embed path
before build, distroless/static-debian12:nonroot runs the static binary
as non-root on :8080. .dockerignore keeps node_modules/dist/docs/git out
of the build context while preserving the internal/web/dist/index.html
placeholder needed for a valid embed target pre-COPY.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 16:15:55 +07:00
vasyansk 7256adf637 fix(web): scope Suspense to page body; guard formatConfig against null config
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-04 16:12:21 +07:00
vasyansk 8c35aed8f2 perf(web): route-level code-splitting; harden channel config rendering
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 16:04:17 +07:00
vasyansk 41844d49a0 test(notify): assert per-channel results on decrypt-fail and unknown-type
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-04 16:01:14 +07:00
vasyansk f14916396c feat(notify): per-channel delivery results + accurate notification metrics
Dispatcher.Send now returns []ChannelResult{Type, Err} alongside the
aggregated error, and scheduler.checkDomain increments
NotificationsTotal per channel type/status instead of a single
unconditional IncNotification("dispatch", newStatus) placeholder that
ignored per-channel delivery outcome.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 15:56:15 +07:00
vasyansk e9a100ab4a fix(server): drain scheduler on unexpected serve error before exit
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-04 15:52:40 +07:00
vasyansk a27ddc79e8 feat(server): graceful scheduler shutdown, /healthz, healthcheck mode
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 15:46:56 +07:00
vasyansk c265d36bdb docs: plan for tech-debt cleanup + docker compose
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 15:43:00 +07:00
vasyansk f80d700a83 Merge feature/phase-3: scheduler, notifications (Telegram/Webhook), Prometheus metrics
Планировщик периодических проверок (read-only), уведомления по смене статуса
(bot_token шифруется, SSRF-guard с пиннингом IP + CGNAT), Prometheus /metrics.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 15:16:58 +07:00
vasyansk 504c4c081f fix(phase3): skip templateless domains in scheduler; block CGNAT range in webhook SSRF guard
Domains imported without a template (TemplateID == nil) are a valid,
unconfigured state, not a failure — RunOnce now skips them before
calling checkDomain instead of letting LoadDomain's "no template" error
turn into StatusError and a spammy unknown->error notification.

isBlockedIP now also rejects 100.64.0.0/10 (RFC 6598 carrier-grade
NAT), which net.IP.IsPrivate() does not cover, closing an SSRF gap in
the webhook destination guard (both the pre-request check and the
per-dial check use isBlockedIP).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 14:58:09 +07:00
vasyansk 34422420ca feat(web): расписание, каналы уведомлений, история проверок, drift-badge 2026-07-04 14:40:29 +07:00
vasyansk 45259b9720 feat(web,api): клиент/хуки расписания/каналов/истории + lastCheckStatus в domainResponse
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-04 14:24:02 +07:00
vasyansk b31f886ae2 feat(server): запуск планировщика, /metrics, graceful shutdown 2026-07-04 14:14:00 +07:00
vasyansk 9475af441e fix(scheduler): убрать двойной SaveCheckRun (Checker персистит), SetDrift через CountDriftDomains, resolved после error 2026-07-04 14:03:49 +07:00
vasyansk 23e02d6804 feat(scheduler): in-process планировщик проверок + смена статуса + уведомления + метрики 2026-07-04 13:53:06 +07:00
vasyansk 070a32717f fix(sec): webhook SSRF-guard через Dialer.Control (закрытие DNS-rebinding TOCTOU) 2026-07-04 13:48:22 +07:00
vasyansk 29f448d4b5 fix(sec): санитизация Telegram-ошибок, SSRF-guard Webhook, чистка логов test-канала, go mod tidy, histogram-бакеты 2026-07-04 13:40:29 +07:00
vasyansk 5a2903ca1e merge 3 wave: worktree-agent-ab476f3616a493a88 2026-07-04 13:32:02 +07:00
vasyansk d3e83ee81f merge 3 wave: worktree-agent-abf50211e004f196f 2026-07-04 13:32:02 +07:00
vasyansk d184b12b29 merge 3 wave: worktree-agent-a23ea3cfa26561e67 2026-07-04 13:32:02 +07:00
vasyansk 7d4bf153d7 feat(api): CRUD расписания/каналов + тест-отправка + история проверок
Task 5 Фазы 3: GET/PUT /schedule (дефолт при отсутствии строки, валидация
interval>=60), POST/GET/DELETE /channels (секрет шифруется Cipher, никогда
не возвращается в ответах), POST /channels/{cid}/test через узкий
TestSender-интерфейс (200/502 без утечки секрета), GET /domains/{did}/history
(сначала GetDomain для project-scoping, затем ListCheckRuns — иначе IDOR
через check_runs, который сам по себе не scoped по project).

Добавлены store.GetDomain (обёртка над существующим sqlc-запросом) и
store.ListCheckRuns (новый запрос + sqlc regen) для поддержки истории.
2026-07-04 13:24:50 +07:00
vasyansk e82fb0b13d feat(notify): Telegram/Webhook нотификаторы + Dispatcher по каналам проекта 2026-07-04 13:19:21 +07:00
vasyansk 98d8dee413 feat(metrics): Prometheus registry (checks/drift/notifications) + /metrics handler 2026-07-04 13:18:58 +07:00
vasyansk 6fd847a909 feat(store): schedules, notification_channels, domain last_check_status + методы 2026-07-04 13:10:42 +07:00
vasyansk 1cdb32b747 docs: план реализации Фазы 3 (расписание, уведомления, метрики)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-04 13:02:44 +07:00
vasyansk 6125af4bab docs: детализация дизайна Фазы 3 (расписание, уведомления, метрики)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-04 12:58:59 +07:00
vasyansk 0c21694ec4 merge: Фаза 2 — авторизация
- internal/store: миграция sessions/password + методы users/sessions/projects
- internal/auth: argon2id пароли + session store (sha256 токена)
- internal/api: auth-хендлеры (register/login/logout/me) + cookie, RequireAuth+RequireProjectAccess middleware
- IDOR закрыт: все /projects/{pid}/* под middleware, LoadDomainFull scoped, projectID из контекста
- web: AuthContext + клиент под cookie, Login/Register, protected routes, logout, 401→/login
Финальный ревью: READY TO MERGE, IDOR закрыт end-to-end. Go 105+/15 пакетов, web 58 тестов.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 21:40:45 +07:00
vasyansk 901eb51e2a fix(auth): серверная проверка длины пароля, loading-guard и различение ошибок на auth-страницах 2026-07-03 21:33:03 +07:00
vasyansk 5a4d560e70 feat(web): Login/Register страницы, protected routes, logout
- ProtectedRoute: loading -> спиннер, !user -> /login, иначе children
- LoginPage/RegisterPage: field+react-hook-form/zod, ошибка через role=alert,
  редирект на /domains при успехе/уже авторизован
- main.tsx: AuthProvider + QueryCache/MutationCache onError -> notifyUnauthorized
  на UnauthorizedError (сброс сессии из кода вне React-дерева)
- AuthContext: logout и notifyUnauthorized чистят react-query кэш (qc.clear())
- Layout: email пользователя + кнопка Выйти
- App: /login и /register публичные (авторизованный -> /domains), остальное
  под ProtectedRoute

Починка page-тестов (Accounts/Domains/Templates/DomainDiff/App): AuthProvider
+ мок api.auth.me, спай-ассерты обновлены под projectId-первым-аргументом
сигнатур api.* (T5).
2026-07-03 21:21:29 +07:00
vasyansk 222d6c0453 fix(web): null-guard в мутациях (no active project), AuthContext различает 401 и ошибки сервера
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-03 21:07:48 +07:00
vasyansk b5d9e8f7ab feat(web): AuthContext + клиент под cookie-сессии, projectId из контекста 2026-07-03 21:00:18 +07:00
vasyansk 4533b0ca25 feat(api): RequireAuth+RequireProjectAccess middleware, IDOR-scope check/apply по projectID 2026-07-03 20:47:40 +07:00
vasyansk 35ffe73ae3 fix(auth): wiring Auth/Sessions, нормализация email, GetUserByID для /me, 409 на дубль, timing-guard логина 2026-07-03 20:29:05 +07:00
vasyansk aa0ef1c6a9 feat(api): auth-хендлеры register/login/logout/me + session cookie 2026-07-03 20:11:00 +07:00
vasyansk a584cf5c37 fix(auth): VerifyPassword валидирует параметры/версию, не паникует на битом хэше 2026-07-03 19:58:54 +07:00
vasyansk 12b7945efc feat(auth): argon2id пароли + session store (sha256 токена) 2026-07-03 19:50:11 +07:00
vasyansk 3bd237d562 feat(store): миграция sessions/password + методы users/sessions/projects
Фаза 2, Task 1: добавлена таблица sessions и nullable password_hash у
users, sqlc-запросы и *Store-обёртки (CreateUser, GetUserByEmail,
CreateProjectForUser, GetProjectOwned, GetUserProject, CreateSession,
GetSessionUser, DeleteSession, RegisterUser в транзакции), интеграционные
тесты на testcontainers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
2026-07-03 19:44:36 +07:00
vasyansk bd82fe5509 docs: план реализации Фазы 2 (авторизация)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-03 19:37:27 +07:00