Add BYOC page, admin section, and is_byoc team visibility gating

- Frontend: BYOC hosts page (/dashboard/byoc) with register/delete flows, shimmer loading, pulsing online status, animated token reveal checkmark - Frontend: Admin section (/admin/hosts) with platform + BYOC tabs, stat pills, skeleton loading, slide-in animations for new rows - Frontend: AdminSidebar component with accent top bar and admin pill badge - Frontend: BYOC nav item shown only when team.is_byoc is true (derived from teams store, not JWT); disabled for members - Frontend: Admin shield button in Sidebar, visible only to platform admins - Backend: is_admin in JWT claims + requireAdmin middleware (DB-validated) - Backend: is_byoc added to teamResponse so frontend derives visibility from fresh team data rather than stale JWT fields - Backend: SetBYOC admin endpoint (PUT /v1/admin/teams/{id}/byoc) - Backend: Admin hosts list enriches BYOC entries with team_name - Host agent: load .env file via godotenv on startup
2026-03-25 03:10:41 +06:00
parent 9bf67aa7f7
commit e069b3e679
36 changed files with 2200 additions and 163 deletions
--- a/internal/api/handlers_auth.go
+++ b/internal/api/handlers_auth.go
@ -168,7 +168,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, req.Email, req.Name, "owner")
+	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, req.Email, req.Name, "owner", false)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@ -228,7 +228,7 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role)
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, user.IsAdmin)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@ -298,7 +298,7 @@ func (h *authHandler) SwitchTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	token, err := auth.SignJWT(h.jwtSecret, ac.UserID, req.TeamID, ac.Email, user.Name, membership.Role)
+	token, err := auth.SignJWT(h.jwtSecret, ac.UserID, req.TeamID, ac.Email, user.Name, membership.Role, user.IsAdmin)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
--- a/internal/api/handlers_hosts.go
+++ b/internal/api/handlers_hosts.go
@ -77,6 +77,7 @@ type hostResponse struct {
 	ID               string  `json:"id"`
 	Type             string  `json:"type"`
 	TeamID           *string `json:"team_id,omitempty"`
+	TeamName         *string `json:"team_name,omitempty"`
 	Provider         *string `json:"provider,omitempty"`
 	AvailabilityZone *string `json:"availability_zone,omitempty"`
 	Arch             *string `json:"arch,omitempty"`
@ -174,16 +175,41 @@ func (h *hostHandler) Create(w http.ResponseWriter, r *http.Request) {
 // List handles GET /v1/hosts.
 func (h *hostHandler) List(w http.ResponseWriter, r *http.Request) {
 	ac := auth.MustFromContext(r.Context())
+	admin := h.isAdmin(r, ac.UserID)

-	hosts, err := h.svc.List(r.Context(), ac.TeamID, h.isAdmin(r, ac.UserID))
+	hosts, err := h.svc.List(r.Context(), ac.TeamID, admin)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to list hosts")
 		return
 	}

+	// Collect unique team IDs so we can fetch team names in one pass.
+	var teamNames map[string]string
+	if admin {
+		seen := make(map[string]struct{})
+		for _, host := range hosts {
+			if host.TeamID.Valid {
+				seen[host.TeamID.String] = struct{}{}
+			}
+		}
+		if len(seen) > 0 {
+			teamNames = make(map[string]string, len(seen))
+			for id := range seen {
+				if team, err := h.queries.GetTeam(r.Context(), id); err == nil {
+					teamNames[id] = team.Name
+				}
+			}
+		}
+	}
+
 	resp := make([]hostResponse, len(hosts))
 	for i, host := range hosts {
 		resp[i] = hostToResponse(host)
+		if host.TeamID.Valid {
+			if name, ok := teamNames[host.TeamID.String]; ok {
+				resp[i].TeamName = &name
+			}
+		}
 	}

 	writeJSON(w, http.StatusOK, resp)
@ -322,7 +348,8 @@ func (h *hostHandler) Heartbeat(w http.ResponseWriter, r *http.Request) {
 	}

 	if err := h.svc.Heartbeat(r.Context(), hc.HostID); err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to update heartbeat")
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
 		return
 	}

--- a/internal/api/handlers_oauth.go
+++ b/internal/api/handlers_oauth.go
@ -156,7 +156,7 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
-		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role)
+		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, user.IsAdmin)
 		if err != nil {
 			slog.Error("oauth login: failed to sign jwt", "error", err)
 			redirectWithError(w, r, redirectBase, "internal_error")
@ -255,7 +255,7 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, email, profile.Name, "owner")
+	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, email, profile.Name, "owner", false)
 	if err != nil {
 		slog.Error("oauth: failed to sign jwt", "error", err)
 		redirectWithError(w, r, redirectBase, "internal_error")
@ -290,7 +290,7 @@ func (h *oauthHandler) retryAsLogin(w http.ResponseWriter, r *http.Request, prov
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
-	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role)
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, user.IsAdmin)
 	if err != nil {
 		slog.Error("oauth: retry login: failed to sign jwt", "error", err)
 		redirectWithError(w, r, redirectBase, "internal_error")
--- a/internal/api/handlers_team.go
+++ b/internal/api/handlers_team.go
@ -25,6 +25,7 @@ type teamResponse struct {
 	ID        string `json:"id"`
 	Name      string `json:"name"`
 	Slug      string `json:"slug"`
+	IsByoc    bool   `json:"is_byoc"`
 	CreatedAt string `json:"created_at"`
 }

@ -44,9 +45,10 @@ type memberResponse struct {

 func teamToResponse(t db.Team) teamResponse {
 	resp := teamResponse{
-		ID:   t.ID,
-		Name: t.Name,
-		Slug: t.Slug,
+		ID:     t.ID,
+		Name:   t.Name,
+		Slug:   t.Slug,
+		IsByoc: t.IsByoc,
 	}
 	if t.CreatedAt.Valid {
 		resp.CreatedAt = t.CreatedAt.Time.Format(time.RFC3339)
@ -321,3 +323,25 @@ func (h *teamHandler) Leave(w http.ResponseWriter, r *http.Request) {

 	w.WriteHeader(http.StatusNoContent)
 }
+
+// SetBYOC handles PUT /v1/admin/teams/{id}/byoc (admin only).
+// Enables or disables the BYOC feature flag for a team.
+func (h *teamHandler) SetBYOC(w http.ResponseWriter, r *http.Request) {
+	teamID := chi.URLParam(r, "id")
+
+	var req struct {
+		Enabled bool `json:"enabled"`
+	}
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	if err := h.svc.SetBYOC(r.Context(), teamID, req.Enabled); err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
--- a/internal/api/host_monitor.go
+++ b/internal/api/host_monitor.go
@ -45,6 +45,10 @@ func (m *HostMonitor) Start(ctx context.Context) {
 		ticker := time.NewTicker(m.interval)
 		defer ticker.Stop()

+		// Run immediately on startup so the CP doesn't wait one full interval
+		// before reconciling host and sandbox state.
+		m.run(ctx)
+
 		for {
 			select {
 			case <-ctx.Done():
--- a/internal/api/middleware_admin.go
+++ b/internal/api/middleware_admin.go
@ -0,0 +1,30 @@
+package api
+
+import (
+	"net/http"
+
+	"git.omukk.dev/wrenn/sandbox/internal/auth"
+	"git.omukk.dev/wrenn/sandbox/internal/db"
+)
+
+// requireAdmin validates that the authenticated user is a platform admin.
+// Must run after requireJWT (depends on AuthContext being present).
+// Re-validates against the DB — the JWT is_admin claim is for UI only;
+// the DB is the source of truth for admin access.
+func requireAdmin(queries *db.Queries) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ac, ok := auth.FromContext(r.Context())
+			if !ok {
+				writeError(w, http.StatusUnauthorized, "unauthorized", "authentication required")
+				return
+			}
+			user, err := queries.GetUserByID(r.Context(), ac.UserID)
+			if err != nil || !user.IsAdmin {
+				writeError(w, http.StatusForbidden, "forbidden", "admin access required")
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@ -26,12 +26,14 @@ func requireJWT(secret []byte) func(http.Handler) http.Handler {
 			}

 			ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
-				TeamID: claims.TeamID,
-				UserID: claims.Subject,
-				Email:  claims.Email,
-				Name:   claims.Name,
-				Role:   claims.Role,
+				TeamID:  claims.TeamID,
+				UserID:  claims.Subject,
+				Email:   claims.Email,
+				Name:    claims.Name,
+				Role:    claims.Role,
+				IsAdmin: claims.IsAdmin,
 			})
+
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
--- a/internal/api/server.go
+++ b/internal/api/server.go
@ -156,6 +156,13 @@ func New(
 		})
 	})

+	// Platform admin routes — require JWT + DB-validated admin status.
+	r.Route("/v1/admin", func(r chi.Router) {
+		r.Use(requireJWT(jwtSecret))
+		r.Use(requireAdmin(queries))
+		r.Put("/teams/{id}/byoc", teamH.SetBYOC)
+	})
+
 	return &Server{router: r}
 }