Switch database IDs from TEXT to native UUID

Consolidate 16 migrations into one with UUID columns for all entity IDs. TEXT is kept only for polymorphic fields (audit_logs.actor_id, resource_id) and template names. The id package now generates UUIDs via google/uuid, with Format*/Parse* helpers for the prefixed wire format (sb-{uuid}, usr-{uuid}, etc.). Auth context, services, and handlers pass pgtype.UUID internally; conversion to/from prefixed strings happens at API and RPC boundaries. Adds PlatformTeamID (all-zeros UUID) for shared resources.
2026-03-26 16:16:21 +06:00
parent cdd89a7cee
commit 4ddd494160
66 changed files with 1350 additions and 1127 deletions
--- a/internal/api/handlers_exec.go
+++ b/internal/api/handlers_exec.go
@ -14,6 +14,7 @@ import (

 	"git.omukk.dev/wrenn/sandbox/internal/auth"
 	"git.omukk.dev/wrenn/sandbox/internal/db"
+	"git.omukk.dev/wrenn/sandbox/internal/id"
 	"git.omukk.dev/wrenn/sandbox/internal/lifecycle"
 	pb "git.omukk.dev/wrenn/sandbox/proto/hostagent/gen"
 )
@ -46,10 +47,16 @@ type execResponse struct {

 // Exec handles POST /v1/sandboxes/{id}/exec.
 func (h *execHandler) Exec(w http.ResponseWriter, r *http.Request) {
-	sandboxID := chi.URLParam(r, "id")
+	sandboxIDStr := chi.URLParam(r, "id")
 	ctx := r.Context()
 	ac := auth.MustFromContext(ctx)

+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
 	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
 	if err != nil {
 		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
@ -80,7 +87,7 @@ func (h *execHandler) Exec(w http.ResponseWriter, r *http.Request) {
 	}

 	resp, err := agent.Exec(ctx, connect.NewRequest(&pb.ExecRequest{
-		SandboxId:  sandboxID,
+		SandboxId:  sandboxIDStr,
 		Cmd:        req.Cmd,
 		Args:       req.Args,
 		TimeoutSec: req.TimeoutSec,
@ -101,7 +108,7 @@ func (h *execHandler) Exec(w http.ResponseWriter, r *http.Request) {
 			Valid: true,
 		},
 	}); err != nil {
-		slog.Warn("failed to update last_active_at", "id", sandboxID, "error", err)
+		slog.Warn("failed to update last_active_at", "id", sandboxIDStr, "error", err)
 	}

 	// Use base64 encoding if output contains non-UTF-8 bytes.
@ -112,7 +119,7 @@ func (h *execHandler) Exec(w http.ResponseWriter, r *http.Request) {
 	if !utf8.Valid(stdout) || !utf8.Valid(stderr) {
 		encoding = "base64"
 		writeJSON(w, http.StatusOK, execResponse{
-			SandboxID:  sandboxID,
+			SandboxID:  sandboxIDStr,
 			Cmd:        req.Cmd,
 			Stdout:     base64.StdEncoding.EncodeToString(stdout),
 			Stderr:     base64.StdEncoding.EncodeToString(stderr),
@ -124,7 +131,7 @@ func (h *execHandler) Exec(w http.ResponseWriter, r *http.Request) {
 	}

 	writeJSON(w, http.StatusOK, execResponse{
-		SandboxID:  sandboxID,
+		SandboxID:  sandboxIDStr,
 		Cmd:        req.Cmd,
 		Stdout:     string(stdout),
 		Stderr:     string(stderr),