…to general-improvements
…eneral-improvements
…p' into general-improvements
…ance' into general-improvements
…mplified redacted debugData
Removes [esbuild](https://github.com/evanw/esbuild). It's no longer used after updating ancestor dependencies [esbuild](https://github.com/evanw/esbuild), [laravel-vite-plugin](https://github.com/laravel/vite-plugin) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). These dependencies need to be updated together.

Removes `esbuild`

Updates `laravel-vite-plugin` from 1.3.0 to 3.1.0
- [Release notes](https://github.com/laravel/vite-plugin/releases)
- [Changelog](https://github.com/laravel/vite-plugin/blob/3.x/CHANGELOG.md)
- [Upgrade guide](https://github.com/laravel/vite-plugin/blob/3.x/UPGRADE.md)
- [Commits](laravel/vite-plugin@v1.3.0...v3.1.0)

Updates `vite` from 6.4.2 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version:
  dependency-type: indirect
- dependency-name: laravel-vite-plugin
  dependency-version: 3.1.0
  dependency-type: direct:development
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
…t database truncation errors
…_strcut to prevent multibyte truncation database errors
…t database truncation errors (#161)
Changes in this release:
beb8427 chore: bump connect timeout
2dabe9d chore: fix whoami check
da21b13 chore: fix for remove empty
806c647 chore: fix remove empty projects
f0ba77e refactor(security): dynamic health token generation on instance creation
034bea6 chore: improve timeouts
d15971c feat: reduce status_message truncation limit to 2000 bytes and use mb_strcut to prevent multibyte truncation database errors
14dbd2e feat: change status_message to text and truncate in mutator to prevent database truncation errors
0e87449 chore(deps): bump esbuild, laravel-vite-plugin and vite
f3b6884 chore: update claw base class
2d0b773 chore: add claw tests
dcba205 chore: update deps
b416c8c sec(security): harden health check with timing-safe comparison and simplified redacted debugData
4b09696 sec(security): redact plaintext health check token from application log context
02680b4 refactor(jobs): dry up boilerplate in sequential lifecycle jobs
dc954d2 perf(filament): eager load relations in app instance resource query
132727b perf(filament): eager load counts for store app resource table
b73f812 sec(security): secure public one-time login redirect route with signed URLs
00697da sec(security): authenticate public health check route using a shared token
7d44fde sec(security): hide lagoon_deploy_private_key from serialization
Greptile Summary
This is a release PR bundling multiple security hardening, performance, and feature improvements. The primary changes add token-authenticated health checks with timing-safe comparison, dynamic health token injection at read time rather than storage time, signed URLs for one-time login redirects, and `lagoon_deploy_private_key` serialization hiding. Several performance improvements are included: eager loading for Filament resources and a DRY refactor of all lifecycle job `handle()` methods into a shared `executeTransition` helper.

- `POLYDOCK_HEALTH_TOKEN` query parameter with timing-safe comparison; the token is stripped from stored URLs and re-injected at read time via `getKeyValue`. The one-time login redirect route is protected with Laravel signed URLs.
- `handle()` methods are collapsed into a single `executeTransition()` on `BaseJob`, removing ~200 lines of near-identical boilerplate.
- `status_message` column widened to `TEXT` with a PHP-side 2000-byte mutator; UUID column gets a unique index; new `polydock_product_types` table with FK on `polydock_store_apps`.

Confidence Score: 5/5
Safe to merge; all changes are net improvements to security posture, correctness, and performance with no regressions found.
The security additions (token auth on health endpoint, signed redirect URLs, private key hiding) are correctly implemented with timing-safe comparison and proper token stripping at storage time. The job DRY refactor is a straightforward extraction with equivalent logic. Database migrations are well-formed with SQLite guards. No data-loss or runtime error paths were found in the changed code.
No files require special attention beyond the minor enum-value escaping note in the purge statuses migration.
Important Files Changed
Sequence Diagram
```mermaid
sequenceDiagram
    participant Email as Email Template
    participant Web as routes/web.php
    participant HC as HealthController
    participant AI as PolydockAppInstance
    Email->>Web: "GET /app-instances/{id}?signature=..."
    Web->>Web: validate signed URL (middleware)
    Web->>AI: getKeyValue('app_one_time_login_url')
    Web-->>Email: 302 redirect to OTL URL
    Note over HC, AI: Health webhook flow
    HC->>HC: config('polydock.health_token')
    HC->>HC: hash_equals(expected, supplied)
    alt token valid
        HC->>AI: find instance by uuid
        HC->>AI: update status / log
        HC-->>HC: 200 OK
    else token missing or invalid
        HC-->>HC: 401 Unauthorized
    end
    Note over AI: Dynamic token injection
    AI->>AI: storeKeyValue('health-webhook-url', url)
    AI->>AI: stripTokenFromUrl(url) store clean URL
    AI->>AI: "getKeyValue append ?token=... at read time"
```

Reviews (2): Last reviewed commit: "chore: add metadata to projects (#168)"
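
The health-token handling described in the summary above (strip the token before the webhook URL is stored, append it again at read time, compare with `hash_equals`), as an added example that is not taken from this pull request or the Polydock code base. The function bodies, the `withToken` and `checkHealthToken` names, the `token` parameter name and the sample URL and token value are assumptions.

```php
<?php
// Added example, not Polydock's code: function bodies, the `token` parameter
// name and all sample values are assumptions constructed for illustration.

/** Remove the `token` query parameter so the secret is never persisted. */
function stripTokenFromUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Not an absolute URL');
    }
    parse_str($parts['query'] ?? '', $query);
    unset($query['token']);

    $clean = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '');
    return $query ? $clean . '?' . http_build_query($query) : $clean;
}

/** Append the current token when the stored (clean) URL is read back. */
function withToken(string $cleanUrl, string $token): string
{
    $sep = str_contains($cleanUrl, '?') ? '&' : '?';
    return $cleanUrl . $sep . http_build_query(['token' => $token]);
}

/** Return the HTTP status the health endpoint should answer with. */
function checkHealthToken(?string $expected, mixed $supplied): int
{
    // Fail closed: an unset server-side token, or a missing, empty or
    // non-string input (e.g. ?token[]=x parses to an array), is a 401.
    if (!is_string($expected) || $expected === '' || !is_string($supplied) || $supplied === '') {
        return 401;
    }
    return hash_equals($expected, $supplied) ? 200 : 401;
}

$token  = 'constructed-example-token';
$stored = stripTokenFromUrl('https://polydock.example/health/abc?token=old-secret&status=ok');
echo $stored, PHP_EOL;
echo withToken($stored, $token), PHP_EOL;
echo checkHealthToken($token, $token), PHP_EOL;
echo checkHealthToken($token, ['x']), PHP_EOL;
echo checkHealthToken(null, ''), PHP_EOL;
```

Because only the clean URL is stored, rotating the configured token takes effect on the next read without rewriting stored rows.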