4c41374db4
Apps become the isolation boundary for scripts, routes, domains, and
later data. Doing this now — while the surface is small — avoids
several migrations on populated tables once v1.1 data-plane services
ship.
Schema (migration 0005_apps.sql):
- New tables: apps, app_domains (with shape_key UNIQUE for collision
detection), app_slug_history (for permanent slug-rename redirects).
- app_id added to scripts, routes, execution_logs (non-null, cascading
rules per row).
- Script-name uniqueness becomes per-app; the route unique index is
swapped for an app-scoped version.
- The "default" app is seeded unconditionally with a localhost claim;
existing scripts/routes backfill into it. Fresh installs additionally
get the Hello World seed via seed_hello_world_if_fresh after
migrations run (idempotent — only fires when the default app has no
scripts).
Orchestrator dispatch is two-phase: AppDomainTable resolves Host →
app_id (most-specific match wins, exact beats wildcard), then the
existing route matcher runs against that app's partitioned slice via
RouteTable. Unknown hosts return 404 at the app layer with a clear
message; /api/v1/execute/{id} still works as the implicit
__internal__ claim, decoupled from any public domain.
Manager API: full CRUD for /api/v1/admin/apps/* and
/api/v1/admin/apps/{id_or_slug}/domains/*, with slug:check + force
takeover semantics implementing the rename-history flow (two-step
check → confirm, never a single endpoint). Script create requires
app_id; list accepts ?app= filter. Route create validates host
against the parent app's claims; conflict detection stays strictly
intra-app.
Dashboard: /admin/apps and /admin/apps/{slug} (overview + scripts +
domains + settings tabs, with slug-history-aware redirects). Root
path redirects to the apps list. Script detail page gains an app
breadcrumb and threads app_id into the route preview.
Deferred per design: per-app admin roles. The require_admin middleware
remains the seam where role checks will slot in later.
Blueprint §11.5 and roadmap updated to reflect what shipped; docs/
versioning.md notes the schema 3 → 5 bump.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
39 lines
1.4 KiB
Rust
39 lines
1.4 KiB
Rust
use chrono::{DateTime, Utc};
|
|
use serde::{Deserialize, Serialize};
|
|
|
|
use crate::{AppId, ScriptId, ScriptSandbox};
|
|
|
|
/// A user-uploaded Rhai script and its execution configuration.
|
|
///
|
|
/// This is the canonical representation that flows between manager (storage),
|
|
/// orchestrator (dispatch), and executor (run). It must stay serializable
|
|
/// because in cluster mode it crosses process boundaries on every invocation.
|
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
pub struct Script {
|
|
pub id: ScriptId,
|
|
/// Owning app. Set on create, immutable thereafter — a "move to
|
|
/// another app" is a copy+delete, not an in-place edit (snapshot
|
|
/// semantics — see blueprint §11.5).
|
|
pub app_id: AppId,
|
|
pub name: String,
|
|
pub description: Option<String>,
|
|
pub version: i32,
|
|
pub source: String,
|
|
|
|
pub timeout_seconds: u32,
|
|
|
|
/// Per-script overrides for Rhai sandbox limits. Empty = platform
|
|
/// defaults. Values are admin-ceiling-clamped at write time.
|
|
#[serde(default)]
|
|
pub sandbox: ScriptSandbox,
|
|
|
|
/// **v1.3+ advisory only.** Real heap limits require OS-level
|
|
/// isolation (cgroups, process limits) which lands with cluster-mode
|
|
/// executor sandboxing. The field stays in the schema so we don't
|
|
/// have to add it back when that's built.
|
|
pub memory_limit_mb: u32,
|
|
|
|
pub created_at: DateTime<Utc>,
|
|
pub updated_at: DateTime<Utc>,
|
|
}
|