feat: validate required SSH permissions before creating server
- New server_permissions table (migration 007) stores required SSH permissions per server - PermissionValidator service connects via SSH and validates each permission before save - ServerPermission model for CRUD on server_permissions table - Web flow: create/edit forms include dynamic permission rows with quick-add presets - API flow: serverAdd/serverUpdate accept permissions array, return 400 on failure - Show view displays required permissions on server detail page - Form input preserved on validation failure (credentials excluded) - AGENTS.md updated with new conventions
This commit is contained in:
11
AGENTS.md
11
AGENTS.md
@@ -39,11 +39,20 @@ Repo-specific guidance for OpenCode sessions. Verified against code.
|
||||
- Rate limiting on `POST /login` only (via `RateLimitMiddleware`)
|
||||
- Every credential access must be logged at `warning` level via `AuditService`
|
||||
|
||||
## Permission validation on server create/edit
|
||||
- When creating or editing a server, required SSH permissions can be specified and are validated via SSH before saving.
|
||||
- `PermissionValidator::validate(array $serverConfig, array $permissions)` connects to the remote server and runs check commands for each permission.
|
||||
- Permission types: `sudo` (checks passwordless sudo), `command` (checks `command -v`), `file_read` (`test -r`), `file_write` (`test -w`), `custom` (arbitrary command, exit code 0 = pass).
|
||||
- `ServerPermission` model handles CRUD for the `server_permissions` table.
|
||||
- Both web (`ServerController::store/update`) and API (`ApiController::serverAdd/serverUpdate`) flows include permission validation.
|
||||
- On validation failure, the web flow preserves form input via `$_SESSION['_form_input']` and redirects back with error details.
|
||||
|
||||
## Database
|
||||
- Migrations run manually: `mysql servermanager < database/migrations/NNN_name.sql`
|
||||
- 5 migrations: `001_initial_schema`, `002_server_access`, `003_teams`, `004_soft_deletes`, `005_app_config_and_notifications`
|
||||
- 7 migrations: `001_initial_schema`, `002_server_access`, `003_teams`, `004_soft_deletes`, `005_app_config_and_notifications`, `006_agent_tokens`, `007_server_permission_checks`
|
||||
- Users table has `role` ENUM: `super_admin`, `admin`, `operator`
|
||||
- `api_token` column on users for Bearer token auth
|
||||
- `server_permissions` table stores required SSH permissions per server (FK to `servers.id` CASCADE)
|
||||
|
||||
## Testing / CI
|
||||
- **No tests, no CI, no linter, no formatter, no typechecker** exist in this repo
|
||||
|
||||
Reference in New Issue
Block a user