Release (2026-06-16) #165

Merged: dan2k3k4 merged 39 commits into prod from dev on Jun 16, 2026

Conversation

github-actions bot commented Jun 13, 2026

Changes in this release:

beb8427 chore: bump connect timeout
2dabe9d chore: fix whoami check
da21b13 chore: fix for remove empty
806c647 chore: fix remove empty projects
f0ba77e refactor(security): dynamic health token generation on instance creation
034bea6 chore: improve timeouts
d15971c feat: reduce status_message truncation limit to 2000 bytes and use mb_strcut to prevent multibyte truncation database errors
14dbd2e feat: change status_message to text and truncate in mutator to prevent database truncation errors
0e87449 chore(deps): bump esbuild, laravel-vite-plugin and vite
f3b6884 chore: update claw base class
2d0b773 chore: add claw tests
dcba205 chore: update deps
b416c8c sec(security): harden health check with timing-safe comparison and simplified redacted debugData
4b09696 sec(security): redact plaintext health check token from application log context
02680b4 refactor(jobs): dry up boilerplate in sequential lifecycle jobs
dc954d2 perf(filament): eager load relations in app instance resource query
132727b perf(filament): eager load counts for store app resource table
b73f812 sec(security): secure public one-time login redirect route with signed URLs
00697da sec(security): authenticate public health check route using a shared token
7d44fde sec(security): hide lagoon_deploy_private_key from serialization

Greptile Summary

This is a release PR bundling multiple security hardening, performance, and feature improvements. The primary changes add token-authenticated health checks with timing-safe comparison, dynamic health token injection at read time rather than storage time, signed URLs for one-time login redirects, and lagoon_deploy_private_key serialization hiding. Several performance improvements are included: eager loading for Filament resources and a DRY refactor of all lifecycle job handle() methods into a shared executeTransition helper.

  • Security: Health check endpoint now requires a POLYDOCK_HEALTH_TOKEN query parameter with timing-safe comparison; the token is stripped from stored URLs and re-injected at read time via getKeyValue. The one-time login redirect route is protected with Laravel signed URLs.
  • DRY job refactor: All ten lifecycle job handle() methods are collapsed into a single executeTransition() on BaseJob, removing ~200 lines of near-identical boilerplate.
  • DB/schema changes: status_message column widened to TEXT with a PHP-side 2000-byte mutator; UUID column gets a unique index; new polydock_product_types table with FK on polydock_store_apps.

Confidence Score: 5/5

Safe to merge; all changes are net improvements to security posture, correctness, and performance with no regressions found.

The security additions (token auth on health endpoint, signed redirect URLs, private key hiding) are correctly implemented with timing-safe comparison and proper token stripping at storage time. The job DRY refactor is a straightforward extraction with equivalent logic. Database migrations are well-formed with SQLite guards. No data-loss or runtime error paths were found in the changed code.

No files require special attention beyond the minor enum-value escaping note in the purge statuses migration.

Important Files Changed

| Filename | Overview |
| --- | --- |
| app/Jobs/ProcessPolydockAppInstanceJobs/BaseJob.php | Adds executeTransition() template method to eliminate per-job boilerplate; fixes soft-deleted instance lookup with withTrashed(); increases overlap lock to 200s and job timeout to 180s. |
| app/Http/Controllers/Api/PolydockInstanceHealthController.php | Adds token-based auth with timing-safe hash_equals; redacts token from all log contexts; simplifies debugData assignment. |
| app/Models/PolydockAppInstance.php | Adds Eloquent mutator for 2000-byte truncation of status_message; adds getKeyValue override that dynamically appends health token; extracts stripTokenFromUrl helper. |
| app/Models/PolydockStoreApp.php | Hides lagoon_deploy_private_key from serialization; adds productType relation; getUnallocatedInstancesCountAttribute short-circuits on withCount result. |
| app/Filament/Admin/Resources/PolydockStoreAppResource.php | Adds getEloquentQuery with withCount for allocated/unallocated instances; replaces N+1 allocatedInstances count call with eager-loaded aggregate; adds product type column and create form. |
| app/Services/LagoonProjectPurgeService.php | Filters out already-deleted Lagoon environments before counting/iterating; adds isActiveEnvironment static helper; unwraps projectByName GraphQL wrapper. |
| database/migrations/2026_06_13_000001_add_purge_statuses_to_polydock_app_instances_table.php | Modifies the status ENUM column via raw DB::statement with string-interpolated enum values; skips on SQLite for test compatibility. |
| app/Models/PolydockProductType.php | New model for product types with auto-slug generation on save, activity logging, and HasMany relation to PolydockStoreApp. |
| routes/web.php | Adds signed middleware to the app-instances.show route; email templates updated to emit signed URLs. |
| app/Console/Commands/RemoveEmptyProjectsCommand.php | Fixes missing-project detection by adding instance to candidates list; unwraps projectByName key; filters active environments before counting. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Email as Email Template
    participant Web as routes/web.php
    participant HC as HealthController
    participant AI as PolydockAppInstance

    Email->>Web: "GET /app-instances/{id}?signature=..."
    Web->>Web: validate signed URL (middleware)
    Web->>AI: getKeyValue('app_one_time_login_url')
    Web-->>Email: 302 redirect to OTL URL

    Note over HC, AI: Health webhook flow
    HC->>HC: config('polydock.health_token')
    HC->>HC: hash_equals(expected, supplied)
    alt token valid
        HC->>AI: find instance by uuid
        HC->>AI: update status / log
        HC-->>HC: 200 OK
    else token missing or invalid
        HC-->>HC: 401 Unauthorized
    end

    Note over AI: Dynamic token injection
    AI->>AI: storeKeyValue('health-webhook-url', url)
    AI->>AI: stripTokenFromUrl(url) store clean URL
    AI->>AI: "getKeyValue append ?token=... at read time"
```

Reviews (2): Last reviewed commit: "chore: add metadata to projects (#168)" | Re-trigger Greptile
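
The storage-time stripping, read-time injection and timing-safe check described in the summary above, sketched in plain PHP 8 as an added example (not the project's code and not part of the Greptile comment). The parameter name `token`, the sample URL and the helpers `withHealthToken` and `healthTokenIsValid` are assumptions; `stripTokenFromUrl` borrows its name from the summary, but the body is written here.

```php
<?php
declare(strict_types=1);

// Added illustration, not the project's code. Plain PHP 8, no Laravel.
const TOKEN_PARAM = 'token'; // assumed query parameter name

/** Drop the token parameter so the secret is never persisted with the URL. */
function stripTokenFromUrl(string $url): string
{
    $url = explode('#', $url, 2)[0]; // a fragment is never sent to the server
    [$base, $queryString] = array_pad(explode('?', $url, 2), 2, '');
    parse_str($queryString, $query);
    unset($query[TOKEN_PARAM]);
    return $query ? $base . '?' . http_build_query($query) : $base;
}

/** Hypothetical read-side helper: append the current token to a clean URL. */
function withHealthToken(string $cleanUrl, string $token): string
{
    $separator = str_contains($cleanUrl, '?') ? '&' : '?';
    return $cleanUrl . $separator . TOKEN_PARAM . '=' . rawurlencode($token);
}

/** Hypothetical check: fail closed, then compare with timing-safe hash_equals(). */
function healthTokenIsValid(?string $expected, mixed $supplied): bool
{
    // An unset secret must not match an absent parameter, and ?token[]=x
    // arrives as an array, which hash_equals() would reject with a TypeError.
    if ($expected === null || $expected === '' || !is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Constructed sample values.
$secret = bin2hex(random_bytes(32));
$stored = stripTokenFromUrl('https://polydock.example/health/abc?token=old-secret&src=app#x');
$served = withHealthToken($stored, $secret);
parse_str((string) parse_url($served, PHP_URL_QUERY), $request);

var_dump($stored);                                                     // what is persisted and logged
var_dump(healthTokenIsValid($secret, $request[TOKEN_PARAM] ?? null));  // freshly injected token
var_dump(healthTokenIsValid($secret, 'old-secret'));                   // stale token from the old URL
var_dump(healthTokenIsValid($secret, ['x']));                          // array-valued parameter
var_dump(healthTokenIsValid(null, null));                              // secret not configured
```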

dan2k3k4 and others added 30 commits June 12, 2026 12:46
Removes [esbuild](https://github.com/evanw/esbuild). It's no longer used after updating ancestor dependencies [esbuild](https://github.com/evanw/esbuild), [laravel-vite-plugin](https://github.com/laravel/vite-plugin) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). These dependencies need to be updated together.


Removes `esbuild`

Updates `laravel-vite-plugin` from 1.3.0 to 3.1.0
- [Release notes](https://github.com/laravel/vite-plugin/releases)
- [Changelog](https://github.com/laravel/vite-plugin/blob/3.x/CHANGELOG.md)
- [Upgrade guide](https://github.com/laravel/vite-plugin/blob/3.x/UPGRADE.md)
- [Commits](laravel/vite-plugin@v1.3.0...v3.1.0)

Updates `vite` from 6.4.2 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version:
  dependency-type: indirect
- dependency-name: laravel-vite-plugin
  dependency-version: 3.1.0
  dependency-type: direct:development
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
…_strcut to prevent multibyte truncation database errors
Comment thread routes/web.php
Comment thread app/Jobs/ProcessPolydockAppInstanceJobs/BaseJob.php
Comment thread app/Http/Controllers/Api/PolydockInstanceHealthController.php
Comment thread app/Models/PolydockAppInstance.php
dan2k3k4 changed the title from "Release (2026-06-13)" to "Release (2026-06-16)" on Jun 15, 2026
dan2k3k4 merged commit 1481e79 into prod on Jun 16, 2026
5 checks passed