PiCloud

fabi/PiCloud

Fork 0

Commit Graph

Author	SHA1	Message	Date
MechaCat02	2d11090d1a	feat(v1.1.7-secrets): secrets SDK + table + admin API + dashboard Encrypted per-app secrets, reachable from scripts as secrets::{get,set,delete,list}(name) and managed from the dashboard Secrets tab. Values are AES-256-GCM-sealed with the process master key (picloud_shared::crypto) before they touch Postgres; the repo only ever sees ciphertext + nonce. JSON round-trip preserves Rhai types. - migration 0023_secrets.sql (PRIMARY KEY (app_id, name)). - SecretsService trait (picloud-shared) + SecretsServiceImpl + repo (manager-core), wired into the Services bundle and Rhai engine. - Capability::AppSecretsRead/Write (→ script:read / script:write); no new Scope variants (seven-scope commitment). - Admin API GET/POST/DELETE /apps/{id}/secrets (list returns names + updated_at, never values). - build_app now takes a MasterKey, sourced from PICLOUD_SECRET_KEY in main.rs; test callers pass a fixed test key. - 64 KB value cap (PICLOUD_SECRET_MAX_VALUE_BYTES); no ServiceEvent emission (secret writes don't fire triggers, by design). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-04 21:37:17 +02:00
MechaCat02	fcbcc576a2	feat(v1.1.6): realtime channels + v1.1.5 follow-ups + version bumps Server-side realtime SSE on per-app pub/sub topics, plus the three v1.1.5 follow-ups and the version bumps. Realtime: - topics registry (0021) + admin endpoints + Capability::AppTopicManage (-> app:admin; no new scope). - GET /realtime/topics/{topic} SSE endpoint (orchestrator-core data plane): Host -> app, RealtimeAuthority gate (404 missing/internal, 401 bad/absent token), broadcast::Receiver stream + heartbeat. - RealtimeBroadcaster / RealtimeEvent / RealtimeAuthority traits (picloud-shared); InProcessBroadcaster + GC (orchestrator-core); DB-backed RealtimeAuthorityImpl (manager-core). Publish path fans out to in-process subscribers after the durable outbox commit (best-effort, panic-isolated). - HMAC subscriber tokens (subscriber_token.rs) + app_secrets table (0022) + pubsub::subscriber_token SDK (schema 1.6 -> 1.7). TTL clamp + env overrides. - Dashboard Topics tab (register/list/edit/delete, prominent external badge, flip confirmation). v1.1.5 follow-ups: - Empty blobs accepted (NewFile/FileUpdate::validate) + round-trip test. - Orphan .tmp. sweeper (spawn_files_orphan_sweep). - Dispatcher e2e tests, one per trigger kind (DATABASE_URL-gated). Versions: workspace 1.1.6, SDK 1.7, dashboard 0.12.0. Schema-snapshot golden re-blessed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-04 20:18:50 +02:00

Author

SHA1

Message

Date

MechaCat02

2d11090d1a

feat(v1.1.7-secrets): secrets SDK + table + admin API + dashboard

Encrypted per-app secrets, reachable from scripts as
secrets::{get,set,delete,list}(name) and managed from the dashboard
Secrets tab. Values are AES-256-GCM-sealed with the process master key
(picloud_shared::crypto) before they touch Postgres; the repo only ever
sees ciphertext + nonce. JSON round-trip preserves Rhai types.

- migration 0023_secrets.sql (PRIMARY KEY (app_id, name)).
- SecretsService trait (picloud-shared) + SecretsServiceImpl + repo
  (manager-core), wired into the Services bundle and Rhai engine.
- Capability::AppSecretsRead/Write (→ script:read / script:write); no
  new Scope variants (seven-scope commitment).
- Admin API GET/POST/DELETE /apps/{id}/secrets (list returns names +
  updated_at, never values).
- build_app now takes a MasterKey, sourced from PICLOUD_SECRET_KEY in
  main.rs; test callers pass a fixed test key.
- 64 KB value cap (PICLOUD_SECRET_MAX_VALUE_BYTES); no ServiceEvent
  emission (secret writes don't fire triggers, by design).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-04 21:37:17 +02:00

MechaCat02

fcbcc576a2

feat(v1.1.6): realtime channels + v1.1.5 follow-ups + version bumps

Server-side realtime SSE on per-app pub/sub topics, plus the three
v1.1.5 follow-ups and the version bumps.

Realtime:
- topics registry (0021) + admin endpoints + Capability::AppTopicManage
  (-> app:admin; no new scope).
- GET /realtime/topics/{topic} SSE endpoint (orchestrator-core data
  plane): Host -> app, RealtimeAuthority gate (404 missing/internal,
  401 bad/absent token), broadcast::Receiver stream + heartbeat.
- RealtimeBroadcaster / RealtimeEvent / RealtimeAuthority traits
  (picloud-shared); InProcessBroadcaster + GC (orchestrator-core);
  DB-backed RealtimeAuthorityImpl (manager-core). Publish path fans out
  to in-process subscribers after the durable outbox commit (best-effort,
  panic-isolated).
- HMAC subscriber tokens (subscriber_token.rs) + app_secrets table (0022)
  + pubsub::subscriber_token SDK (schema 1.6 -> 1.7). TTL clamp + env
  overrides.
- Dashboard Topics tab (register/list/edit/delete, prominent external
  badge, flip confirmation).

v1.1.5 follow-ups:
- Empty blobs accepted (NewFile/FileUpdate::validate) + round-trip test.
- Orphan *.tmp.* sweeper (spawn_files_orphan_sweep).
- Dispatcher e2e tests, one per trigger kind (DATABASE_URL-gated).

Versions: workspace 1.1.6, SDK 1.7, dashboard 0.12.0. Schema-snapshot
golden re-blessed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-04 20:18:50 +02:00

2 Commits