feat(M35): dynamic target configuration with encrypted config, test connection, and GUI updates

Mirror M34's dynamic issuer config pattern for deployment targets: AES-256-GCM encrypted config storage, sensitive field redaction in API responses, agent heartbeat-based test connection endpoint, and full frontend updates including test status indicators, source badges, and removal of stale hostname/status fields from the Target interface. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-07 16:31:33 +00:00 · 2026-04-04 01:09:53 -04:00
parent e19b8c95fe
commit e6088c79a3
23 changed files with 849 additions and 151 deletions
@@ -19,10 +19,40 @@ func NewTargetRepository(db *sql.DB) *TargetRepository {
 	return &TargetRepository{db: db}
 }

+// scanTarget scans a target row including optional M35 columns (encrypted_config, last_tested_at, test_status, source).
+func scanTarget(scanner interface {
+	Scan(dest ...interface{}) error
+}, target *domain.DeploymentTarget) error {
+	var lastTestedAt sql.NullTime
+	var testStatus sql.NullString
+	var source sql.NullString
+	if err := scanner.Scan(
+		&target.ID, &target.Name, &target.Type, &target.AgentID,
+		&target.Config, &target.EncryptedConfig, &target.Enabled,
+		&lastTestedAt, &testStatus, &source,
+		&target.CreatedAt, &target.UpdatedAt,
+	); err != nil {
+		return err
+	}
+	if lastTestedAt.Valid {
+		target.LastTestedAt = &lastTestedAt.Time
+	}
+	if testStatus.Valid {
+		target.TestStatus = testStatus.String
+	}
+	if source.Valid {
+		target.Source = source.String
+	}
+	return nil
+}
+
+// targetSelectColumns is the standard column list for target queries.
+const targetSelectColumns = `id, name, type, agent_id, config, COALESCE(encrypted_config, ''::bytea), enabled, last_tested_at, COALESCE(test_status, 'untested'), COALESCE(source, 'database'), created_at, updated_at`
+
 // List returns all targets
 func (r *TargetRepository) List(ctx context.Context) ([]*domain.DeploymentTarget, error) {
 	rows, err := r.db.QueryContext(ctx, `
-		SELECT id, name, type, agent_id, config, enabled, created_at, updated_at
+		SELECT `+targetSelectColumns+`
 		FROM deployment_targets
 		ORDER BY created_at DESC
 	`)
@@ -35,8 +65,7 @@ func (r *TargetRepository) List(ctx context.Context) ([]*domain.DeploymentTarget
 	var targets []*domain.DeploymentTarget
 	for rows.Next() {
 		var target domain.DeploymentTarget
-		if err := rows.Scan(&target.ID, &target.Name, &target.Type, &target.AgentID,
-			&target.Config, &target.Enabled, &target.CreatedAt, &target.UpdatedAt); err != nil {
+		if err := scanTarget(rows, &target); err != nil {
 			return nil, fmt.Errorf("failed to scan target: %w", err)
 		}
 		targets = append(targets, &target)
@@ -52,12 +81,11 @@ func (r *TargetRepository) List(ctx context.Context) ([]*domain.DeploymentTarget
 // Get retrieves a target by ID
 func (r *TargetRepository) Get(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
 	var target domain.DeploymentTarget
-	err := r.db.QueryRowContext(ctx, `
-		SELECT id, name, type, agent_id, config, enabled, created_at, updated_at
+	err := scanTarget(r.db.QueryRowContext(ctx, `
+		SELECT `+targetSelectColumns+`
 		FROM deployment_targets
 		WHERE id = $1
-	`, id).Scan(&target.ID, &target.Name, &target.Type, &target.AgentID,
-		&target.Config, &target.Enabled, &target.CreatedAt, &target.UpdatedAt)
+	`, id), &target)

 	if err != nil {
 		if err == sql.ErrNoRows {
@@ -76,10 +104,11 @@ func (r *TargetRepository) Create(ctx context.Context, target *domain.Deployment
 	}

 	err := r.db.QueryRowContext(ctx, `
-		INSERT INTO deployment_targets (id, name, type, agent_id, config, enabled, created_at, updated_at)
-		VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+		INSERT INTO deployment_targets (id, name, type, agent_id, config, encrypted_config, enabled, last_tested_at, test_status, source, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
 		RETURNING id
-	`, target.ID, target.Name, target.Type, target.AgentID, target.Config, target.Enabled,
+	`, target.ID, target.Name, target.Type, target.AgentID, target.Config, target.EncryptedConfig,
+		target.Enabled, target.LastTestedAt, target.TestStatus, target.Source,
 		target.CreatedAt, target.UpdatedAt).Scan(&target.ID)

 	if err != nil {
@@ -89,6 +118,33 @@ func (r *TargetRepository) Create(ctx context.Context, target *domain.Deployment
 	return nil
 }

+// CreateIfNotExists creates a target only if the ID doesn't already exist (ON CONFLICT DO NOTHING).
+// Returns true if created, false if already existed.
+func (r *TargetRepository) CreateIfNotExists(ctx context.Context, target *domain.DeploymentTarget) (bool, error) {
+	if target.ID == "" {
+		target.ID = uuid.New().String()
+	}
+
+	result, err := r.db.ExecContext(ctx, `
+		INSERT INTO deployment_targets (id, name, type, agent_id, config, encrypted_config, enabled, last_tested_at, test_status, source, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
+		ON CONFLICT (id) DO NOTHING
+	`, target.ID, target.Name, target.Type, target.AgentID, target.Config, target.EncryptedConfig,
+		target.Enabled, target.LastTestedAt, target.TestStatus, target.Source,
+		target.CreatedAt, target.UpdatedAt)
+
+	if err != nil {
+		return false, fmt.Errorf("failed to create target: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return false, fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	return rows > 0, nil
+}
+
 // Update modifies an existing target
 func (r *TargetRepository) Update(ctx context.Context, target *domain.DeploymentTarget) error {
 	result, err := r.db.ExecContext(ctx, `
@@ -97,10 +153,16 @@ func (r *TargetRepository) Update(ctx context.Context, target *domain.Deployment
 			type = $2,
 			agent_id = $3,
 			config = $4,
-			enabled = $5,
-			updated_at = $6
-		WHERE id = $7
-	`, target.Name, target.Type, target.AgentID, target.Config, target.Enabled, target.UpdatedAt, target.ID)
+			encrypted_config = $5,
+			enabled = $6,
+			last_tested_at = $7,
+			test_status = $8,
+			source = $9,
+			updated_at = $10
+		WHERE id = $11
+	`, target.Name, target.Type, target.AgentID, target.Config, target.EncryptedConfig,
+		target.Enabled, target.LastTestedAt, target.TestStatus, target.Source,
+		target.UpdatedAt, target.ID)

 	if err != nil {
 		return fmt.Errorf("failed to update target: %w", err)
@@ -141,7 +203,7 @@ func (r *TargetRepository) Delete(ctx context.Context, id string) error {
 // ListByCertificate returns all targets for a given certificate
 func (r *TargetRepository) ListByCertificate(ctx context.Context, certID string) ([]*domain.DeploymentTarget, error) {
 	rows, err := r.db.QueryContext(ctx, `
-		SELECT dt.id, dt.name, dt.type, dt.agent_id, dt.config, dt.enabled, dt.created_at, dt.updated_at
+		SELECT dt.id, dt.name, dt.type, dt.agent_id, dt.config, COALESCE(dt.encrypted_config, ''::bytea), dt.enabled, dt.last_tested_at, COALESCE(dt.test_status, 'untested'), COALESCE(dt.source, 'database'), dt.created_at, dt.updated_at
 		FROM deployment_targets dt
 		INNER JOIN certificate_target_mappings ctm ON dt.id = ctm.target_id
 		WHERE ctm.certificate_id = $1
@@ -156,8 +218,7 @@ func (r *TargetRepository) ListByCertificate(ctx context.Context, certID string)
 	var targets []*domain.DeploymentTarget
 	for rows.Next() {
 		var target domain.DeploymentTarget
-		if err := rows.Scan(&target.ID, &target.Name, &target.Type, &target.AgentID,
-			&target.Config, &target.Enabled, &target.CreatedAt, &target.UpdatedAt); err != nil {
+		if err := scanTarget(rows, &target); err != nil {
 			return nil, fmt.Errorf("failed to scan target: %w", err)
 		}
 		targets = append(targets, &target)