1.19.3 (#792)

* start. 1.19.3

* deploy 1.19.3-dev-1

* repo state from db includes BuildRepo success

* clean up version mismatch text

* feat(containers): debounced search input and added filter by server name (#796)

* Fix cleaning Alerter resource whitelist / blacklist on resource delete re #581

* fmt

* Fix signup button not working correctly (#801)

* Improve route protection and authentication flow (#798)

* Improve route protection and authentication flow

* Cleanup

* fix: inconsistent behaviour of new resource create button (#800)

* fix monaco crashing with absolute path config files

* deploy 1.19.3-dev-2

* proofread config

* Fix #427

* deploy 1.19.3-dev-3

* poll logs use println

* Sync: Only show commit / execute when viewing pending tab

* Improve sync UX

* deploy 1.19.3-dev-4

* bold link

* remove claims about database resource usage.

* 1.19.3

---------

Co-authored-by: mbecker20 <max@mogh.tech>
Co-authored-by: Antonio Sarro <tech@antoniosarro.dev>
Co-authored-by: jack <45038833+jackra1n@users.noreply.github.com>

.cargo/config.toml

@@ -0,0 +1,2 @@
+[build]
+rustflags = ["-Wunused-crate-dependencies"]

.devcontainer/dev.compose.yaml

@@ -0,0 +1,33 @@
+services:
+  dev:
+    image: mcr.microsoft.com/devcontainers/rust:1-1-bullseye
+    volumes:
+      # Mount the root folder that contains .git
+      - ../:/workspace:cached
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /proc:/proc
+      - repos:/etc/komodo/repos
+      - stacks:/etc/komodo/stacks
+    command: sleep infinity
+    ports:
+      - "9121:9121"
+    environment:
+      KOMODO_FIRST_SERVER: http://localhost:8120
+      KOMODO_DATABASE_ADDRESS: db
+      KOMODO_ENABLE_NEW_USERS: true
+      KOMODO_LOCAL_AUTH: true
+      KOMODO_JWT_SECRET: a_random_secret
+    links:
+      - db
+    # ...
+
+  db:
+    extends:
+      file: ../dev.compose.yaml
+      service: ferretdb
+
+volumes:
+  data:
+  repo-cache:
+  repos:
+  stacks:

.devcontainer/devcontainer.json

@@ -0,0 +1,46 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/rust
+{
+	"name": "Komodo",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	//"image": "mcr.microsoft.com/devcontainers/rust:1-1-bullseye",
+	"dockerComposeFile": ["dev.compose.yaml"],
+	"workspaceFolder": "/workspace",
+  	"service": "dev",
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	"features": {
+		"ghcr.io/devcontainers/features/node:1": {
+			"version": "20.12.2"
+		},
+		"ghcr.io/devcontainers-community/features/deno:1": {
+
+		}
+	},
+
+	// Use 'mounts' to make the cargo cache persistent in a Docker Volume.
+	"mounts": [
+		{
+			"source": "devcontainer-cargo-cache-${devcontainerId}",
+			"target": "/usr/local/cargo",
+			"type": "volume"
+		}
+	],
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	"forwardPorts": [
+		9121
+	],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	"postCreateCommand": "./.devcontainer/postCreate.sh",
+
+	"runServices": [
+		"db"
+	]
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	// "remoteUser": "root"
+}

.devcontainer/postCreate.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cargo install typeshare-cli

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+open_collective: komodo

.gitignore

@@ -1,7 +1,13 @@
-.DS_Store
+target
 node_modules
-build
-secrets
-bundle.*
-monitor_mount
-.env*
+dist
+deno.lock
+.env
+.env.development
+.DS_Store
+.idea
+
+/frontend/build
+/lib/ts_client/build
+
+.dev

.kminclude

@@ -0,0 +1 @@
+.dev

.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+    "recommendations": [
+        "rust-lang.rust-analyzer",
+        "tamasfe.even-better-toml",
+        "vadimcn.vscode-lldb",
+        "denoland.vscode-deno"
+    ]
+}

.vscode/fastify.code-snippets

@@ -1,60 +0,0 @@
-{
-	"service": {
-		"scope": "typescript",
-		"prefix": "plugin",
-		"body": [
-			"import { FastifyInstance } from \"fastify\";",
-			"import fp from \"fastify-plugin\";",
-			"",
-			"const ${1:$TM_FILENAME_BASE} = fp((app: FastifyInstance, _: {}, done: () => void) => {",
-			"\t${0}",
-			"\tdone();",
-			"});",
-			"",
-			"export default ${1:$TM_FILENAME_BASE};"
-		]
-	},
-
-	"schema": {
-		"scope": "typescript",
-		"prefix": "schema",
-		"body": [
-			"import { FastifyInstance } from \"fastify\";",
-			"import fp from \"fastify-plugin\";",
-			"import { Schema } from \"mongoose\";",
-			"import model from \"../../util/model\";",
-			"",
-			"const ${2:$TM_FILENAME_BASE} = fp((app: FastifyInstance, _: {}, done: () => void) => {",
-			"\tconst schema = new Schema({",
-			"\t\t${0}",
-			"\t});",
-			"\t",
-			"\tapp.decorate(\"${2:$TM_FILENAME_BASE}\", model(app, \"${1}\", schema));",
-			"\t",
-			"\tdone();",
-			"});",
-			"",
-			"export default ${2:$TM_FILENAME_BASE};"
-		]
-	},
-
-	"get-auth": {
-		"scope": "typescript",
-		"prefix": "get-auth",
-		"body": [
-			"app.get(\"/${1}\", { onRequest: [app.auth, app.userEnabled] }, async (req, res) => {",
-			"\t${0}",
-			"});"
-		]
-	},
-
-	"post-auth": {
-		"scope": "typescript",
-		"prefix": "post-auth",
-		"body": [
-			"app.post(\"/${1}\", { onRequest: [app.auth, app.userEnabled] }, async (req, res) => {",
-			"\t${0}",
-			"});"
-		]
-	}
-}

.vscode/ink.code-snippets

@@ -1,21 +0,0 @@
-{
-	"ink-comp": {
-		"scope": "typescriptreact,javascriptreact",
-		"prefix": "ink-comp",
-		"body": [
-			"import React from \"react\";",
-			"import { Box } from \"ink\";",
-			
-			"",
-			"const ${1:$TM_FILENAME_BASE} = ({}: {}) => {",
-			"\treturn (",
-			"\t\t<Box>",
-			"\t\t\t${0}",
-			"\t\t</Box>",
-			"\t);",
-			"}",
-			"",
-			"export default ${1:$TM_FILENAME_BASE};"
-		]
-	},
-}

.vscode/resolver.code-snippets

@@ -0,0 +1,25 @@
+{
+	"resolve": {
+		"scope": "rust",
+		"prefix": "resolve",
+		"body": [
+			"impl Resolve<${1}, User> for State {",
+			"\tasync fn resolve(&self, ${1} { ${0} }: ${1}, _: User) -> anyhow::Result<${2}> {",
+			"\t\ttodo!()",
+			"\t}",
+			"}"
+		]
+	},
+	"static": {
+		"scope": "rust",
+		"prefix": "static",
+		"body": [
+			"fn ${1}() -> &'static ${2} {",
+			"\tstatic ${3}: OnceLock<${2}> = OnceLock::new();",
+			"\t${3}.get_or_init(|| {",
+			"\t\t${0}",
+			"\t})",
+			"}"
+		]
+	}
+}

.vscode/settings.json

@@ -1,3 +0,0 @@
-{
-	"npm.exclude": "**/monitor/**"
-}

.vscode/solid.code-snippets

@@ -1,64 +0,0 @@
-{
-	"component": {
-		"scope": "typescriptreact,javascriptreact",
-		"prefix": "comp",
-		"body": [
-			"import { Component } from \"solid-js\";",
-			"",
-			"const ${1:$TM_FILENAME_BASE}: Component<{}> = (p) => {",
-			"\treturn (",
-			"\t\t<div>",
-			"\t\t\t${0}",
-			"\t\t</div>",
-			"\t);",
-			"}",
-			"",
-			"export default ${1:$TM_FILENAME_BASE};"
-		]
-	},
-	"component-with-css": {
-		"scope": "typescriptreact,javascriptreact",
-		"prefix": "css-comp",
-		"body": [
-			"import { Component } from \"solid-js\";",
-			"import s from \"./${1:$TM_FILENAME_BASE}.module.scss\";",
-			"",
-			"const ${2:$TM_FILENAME_BASE}: Component<{}> = (p) => {",
-			"\treturn (",
-			"\t\t<div class={s.${2:$TM_FILENAME_BASE}} >",
-			"\t\t\t${0}",
-			"\t\t</div>",
-			"\t);",
-			"}",
-			"",
-			"export default ${2:$TM_FILENAME_BASE};"
-		]
-	},
-	"context": {
-		"scope": "typescriptreact,javascriptreact",
-		"prefix": "provider",
-		"body": [
-			"import { Component, createContext, useContext } from \"solid-js\";",
-			"",
-			"const value = () => {",
-			"\treturn {};",
-			"}",
-			"",
-			"export type Value = ReturnType<typeof value>;",
-			"",
-			"const context = createContext<Value>();",
-			"",
-			"export const Provider: Component<{}> = (p) => {",
-			"\treturn (",
-			"\t\t<context.Provider value={value()}>",
-			"\t\t\t{p.children}",
-			"\t\t</context.Provider>",
-			"\t);",
-			"}",
-			"",
-			"export function useValue() {",
-			"\treturn useContext(context) as Value;",
-			"}"
-		]
-	}
-}

.vscode/tasks.json

@@ -0,0 +1,179 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Run Core",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Core",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Periphery",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Periphery",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Backend",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery"
+            ],
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build TS Client Types",
+            "type": "process",
+            "command": "node",
+            "args": [
+                "./client/core/ts/generate_types.mjs"
+            ],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init TS Client",
+            "type": "shell",
+            "command": "yarn && yarn build && yarn link",
+            "options": {
+                "cwd": "${workspaceFolder}/client/core/ts",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend Client",
+            "type": "shell",
+            "command": "yarn link komodo_client && yarn install",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend",
+            "dependsOn": [
+                "Build TS Client Types",
+                "Init TS Client",
+                "Init Frontend Client"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Build Frontend",
+            "type": "shell",
+            "command": "yarn build",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Prepare Frontend For Run",
+            "type": "shell",
+            "command": "cp -r ./client/core/ts/dist/. frontend/public/client/.",
+            "options": {
+                "cwd": "${workspaceFolder}",
+            },
+            "dependsOn": [
+                "Build TS Client Types",
+                "Build Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Frontend",
+            "type": "shell",
+            "command": "yarn dev",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "dependsOn": ["Prepare Frontend For Run"],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init",
+            "dependsOn": [
+                "Build Backend",
+                "Init Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Komodo",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery",
+                "Run Frontend"
+            ],
+            "problemMatcher": []
+        },
+    ]
+  }

Cargo.toml

@@ -0,0 +1,136 @@
+[workspace]
+resolver = "2"
+members = [
+	"bin/*",
+	"lib/*",
+	"client/core/rs",
+	"client/periphery/rs",
+]
+
+[workspace.package]
+version = "1.19.3"
+edition = "2024"
+authors = ["mbecker20 <becker.maxh@gmail.com>"]
+license = "GPL-3.0-or-later"
+repository = "https://github.com/moghtech/komodo"
+homepage = "https://komo.do"
+
+[workspace.dependencies]
+# LOCAL
+komodo_client = { path = "client/core/rs" }
+periphery_client = { path = "client/periphery/rs" }
+environment_file = { path = "lib/environment_file" }
+environment = { path = "lib/environment" }
+interpolate = { path = "lib/interpolate" }
+formatting = { path = "lib/formatting" }
+database = { path = "lib/database" }
+response = { path = "lib/response" }
+command = { path = "lib/command" }
+config = { path = "lib/config" }
+logger = { path = "lib/logger" }
+cache = { path = "lib/cache" }
+git = { path = "lib/git" }
+
+# MOGH
+run_command = { version = "0.0.6", features = ["async_tokio"] }
+serror = { version = "0.5.0", default-features = false }
+slack = { version = "0.4.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
+derive_default_builder = "0.1.8"
+derive_empty_traits = "0.1.0"
+async_timing_util = "1.0.0"
+partial_derive2 = "0.4.3"
+derive_variants = "1.0.0"
+mongo_indexed = "2.0.2"
+resolver_api = "3.0.0"
+toml_pretty = "1.2.0"
+mungos = "3.2.2"
+svi = "1.2.0"
+
+# ASYNC
+reqwest = { version = "0.12.23", default-features = false, features = ["json", "stream", "rustls-tls-native-roots"] }
+tokio = { version = "1.47.1", features = ["full"] }
+tokio-util = { version = "0.7.16", features = ["io", "codec"] }
+tokio-stream = { version = "0.1.17", features = ["sync"] }
+pin-project-lite = "0.2.16"
+futures = "0.3.31"
+futures-util = "0.3.31"
+arc-swap = "1.7.1"
+
+# SERVER
+tokio-tungstenite = { version = "0.27.0", features = ["rustls-tls-native-roots"] }
+axum-extra = { version = "0.10.1", features = ["typed-header"] }
+tower-http = { version = "0.6.6", features = ["fs", "cors"] }
+axum-server = { version = "0.7.2", features = ["tls-rustls"] }
+axum = { version = "0.8.4", features = ["ws", "json", "macros"] }
+
+# SER/DE
+ipnetwork = { version = "0.21.1", features = ["serde"] }
+indexmap = { version = "2.11.0", features = ["serde"] }
+serde = { version = "1.0.219", features = ["derive"] }
+strum = { version = "0.27.2", features = ["derive"] }
+bson = { version = "2.15.0" } # must keep in sync with mongodb version
+serde_yaml_ng = "0.10.0"
+serde_json = "1.0.143"
+serde_qs = "0.15.0"
+toml = "0.9.5"
+
+# ERROR
+anyhow = "1.0.99"
+thiserror = "2.0.16"
+
+# LOGGING
+opentelemetry-otlp = { version = "0.30.0", features = ["tls-roots", "reqwest-rustls"] }
+opentelemetry_sdk = { version = "0.30.0", features = ["rt-tokio"] }
+tracing-subscriber = { version = "0.3.19", features = ["json"] }
+opentelemetry-semantic-conventions = "0.30.0"
+tracing-opentelemetry = "0.31.0"
+opentelemetry = "0.30.0"
+tracing = "0.1.41"
+
+# CONFIG
+clap = { version = "4.5.45", features = ["derive"] }
+dotenvy = "0.15.7"
+envy = "0.4.2"
+
+# CRYPTO / AUTH
+uuid = { version = "1.18.0", features = ["v4", "fast-rng", "serde"] }
+jsonwebtoken = { version = "9.3.1", default-features = false }
+openidconnect = "4.0.1"
+urlencoding = "2.1.3"
+nom_pem = "4.0.0"
+bcrypt = "0.17.1"
+base64 = "0.22.1"
+rustls = "0.23.31"
+hmac = "0.12.1"
+sha2 = "0.10.9"
+rand = "0.9.2"
+hex = "0.4.3"
+
+# SYSTEM
+portable-pty = "0.9.0"
+bollard = "0.19.2"
+sysinfo = "0.37.0"
+
+# CLOUD
+aws-config = "1.8.5"
+aws-sdk-ec2 = "1.161.0"
+aws-credential-types = "1.2.5"
+
+## CRON
+english-to-cron = "0.1.6"
+chrono-tz = "0.10.4"
+chrono = "0.4.41"
+croner = "3.0.0"
+
+# MISC
+async-compression = { version = "0.4.28", features = ["tokio", "gzip"] }
+derive_builder = "0.20.2"
+comfy-table = "7.1.4"
+typeshare = "1.0.4"
+octorust = "0.10.0"
+dashmap = "6.1.0"
+wildcard = "0.3.0"
+colored = "3.0.0"
+regex = "1.11.2"
+bytes = "1.10.1"
+shell-escape = "0.1.5"

bin/binaries.Dockerfile

@@ -0,0 +1,30 @@
+## Builds the Komodo Core, Periphery, and Util binaries
+## for a specific architecture.
+
+FROM rust:1.89.0-bullseye AS builder
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/core ./bin/core
+COPY ./bin/periphery ./bin/periphery
+COPY ./bin/cli ./bin/cli
+
+# Compile bin
+RUN \
+  cargo build -p komodo_core --release && \
+  cargo build -p komodo_periphery --release && \
+  cargo build -p komodo_cli --release
+
+# Copy just the binaries to scratch image
+FROM scratch
+
+COPY --from=builder /builder/target/release/core /core
+COPY --from=builder /builder/target/release/periphery /periphery
+COPY --from=builder /builder/target/release/km /km
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Binaries"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/chef.binaries.Dockerfile

@@ -0,0 +1,34 @@
+## Builds the Komodo Core, Periphery, and Util binaries
+## for a specific architecture.
+
+## Uses chef for dependency caching to help speed up back-to-back builds.
+
+FROM lukemathwalker/cargo-chef:latest-rust-1.89.0-bullseye AS chef
+WORKDIR /builder
+
+# Plan just the RECIPE to see if things have changed
+FROM chef AS planner
+COPY . .
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM chef AS builder
+COPY --from=planner /builder/recipe.json recipe.json
+# Build JUST dependencies - cached layer
+RUN cargo chef cook --release --recipe-path recipe.json
+# NOW copy again (this time into builder) and build app
+COPY . .
+RUN \
+  cargo build --release --bin core && \
+  cargo build --release --bin periphery && \
+  cargo build --release --bin km
+
+# Copy just the binaries to scratch image
+FROM scratch
+
+COPY --from=builder /builder/target/release/core /core
+COPY --from=builder /builder/target/release/periphery /periphery
+COPY --from=builder /builder/target/release/km /km
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Binaries"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/Cargo.toml

@@ -0,0 +1,36 @@
+[package]
+name = "komodo_cli"
+description = "Command line tool for Komodo"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+repository.workspace = true
+homepage.workspace = true
+
+[[bin]]
+name = "km"
+path = "src/main.rs"
+
+[dependencies]
+# local
+environment_file.workspace = true
+komodo_client.workspace = true
+database.workspace = true
+config.workspace = true
+logger.workspace = true
+# external
+futures-util.workspace = true
+comfy-table.workspace = true
+serde_json.workspace = true
+serde_qs.workspace = true
+wildcard.workspace = true
+tracing.workspace = true
+colored.workspace = true
+dotenvy.workspace = true
+anyhow.workspace = true
+chrono.workspace = true
+tokio.workspace = true
+serde.workspace = true
+clap.workspace = true
+envy.workspace = true

bin/cli/README.md

@@ -0,0 +1,118 @@
+# Komodo CLI
+
+Komodo CLI is a tool to execute actions on your Komodo instance from shell scripts.
+
+## Install
+
+```sh
+cargo install komodo_cli
+```
+
+Note: On Ubuntu, also requires `apt install build-essential pkg-config libssl-dev`.
+
+## Usage
+
+### Credentials
+
+Configure a file `~/.config/komodo/creds.toml` file with contents:
+```toml
+url = "https://your.komodo.address"
+key = "YOUR-API-KEY"
+secret = "YOUR-API-SECRET"
+```
+
+Note. You can specify a different creds file by using `--creds ./other/path.toml`.
+You can also bypass using any file and pass the information using `--url`, `--key`, `--secret`:
+
+```sh
+komodo --url "https://your.komodo.address" --key "YOUR-API-KEY" --secret "YOUR-API-SECRET" ...
+```
+
+### Run Executions
+
+```sh
+# Triggers an example build
+komodo execute run-build test_build
+```
+
+#### Manual
+`komodo --help`
+```md
+Command line tool to execute Komodo actions
+
+Usage: komodo [OPTIONS] <COMMAND>
+
+Commands:
+  execute  Runs an execution
+  help     Print this message or the help of the given subcommand(s)
+
+Options:
+      --creds <CREDS>    The path to a creds file [default: /Users/max/.config/komodo/creds.toml]
+      --url <URL>        Pass url in args instead of creds file
+      --key <KEY>        Pass api key in args instead of creds file
+      --secret <SECRET>  Pass api secret in args instead of creds file
+  -y, --yes              Always continue on user confirmation prompts
+  -h, --help             Print help (see more with '--help')
+  -V, --version          Print version
+```
+
+`komodo execute --help`
+```md
+Runs an execution
+
+Usage: komodo execute <COMMAND>
+
+Commands:
+  none                    The "null" execution. Does nothing
+  run-procedure           Runs the target procedure. Response: [Update]
+  run-build               Runs the target build. Response: [Update]
+  cancel-build            Cancels the target build. Only does anything if the build is `building` when called. Response: [Update]
+  deploy                  Deploys the container for the target deployment. Response: [Update]
+  start-deployment        Starts the container for the target deployment. Response: [Update]
+  restart-deployment      Restarts the container for the target deployment. Response: [Update]
+  pause-deployment        Pauses the container for the target deployment. Response: [Update]
+  unpause-deployment      Unpauses the container for the target deployment. Response: [Update]
+  stop-deployment         Stops the container for the target deployment. Response: [Update]
+  destroy-deployment      Stops and destroys the container for the target deployment. Reponse: [Update]
+  clone-repo              Clones the target repo. Response: [Update]
+  pull-repo               Pulls the target repo. Response: [Update]
+  build-repo              Builds the target repo, using the attached builder. Response: [Update]
+  cancel-repo-build       Cancels the target repo build. Only does anything if the repo build is `building` when called. Response: [Update]
+  start-container         Starts the container on the target server. Response: [Update]
+  restart-container       Restarts the container on the target server. Response: [Update]
+  pause-container         Pauses the container on the target server. Response: [Update]
+  unpause-container       Unpauses the container on the target server. Response: [Update]
+  stop-container          Stops the container on the target server. Response: [Update]
+  destroy-container       Stops and destroys the container on the target server. Reponse: [Update]
+  start-all-containers    Starts all containers on the target server. Response: [Update]
+  restart-all-containers  Restarts all containers on the target server. Response: [Update]
+  pause-all-containers    Pauses all containers on the target server. Response: [Update]
+  unpause-all-containers  Unpauses all containers on the target server. Response: [Update]
+  stop-all-containers     Stops all containers on the target server. Response: [Update]
+  prune-containers        Prunes the docker containers on the target server. Response: [Update]
+  delete-network          Delete a docker network. Response: [Update]
+  prune-networks          Prunes the docker networks on the target server. Response: [Update]
+  delete-image            Delete a docker image. Response: [Update]
+  prune-images            Prunes the docker images on the target server. Response: [Update]
+  delete-volume           Delete a docker volume. Response: [Update]
+  prune-volumes           Prunes the docker volumes on the target server. Response: [Update]
+  prune-system            Prunes the docker system on the target server, including volumes. Response: [Update]
+  run-sync                Runs the target resource sync. Response: [Update]
+  deploy-stack            Deploys the target stack. `docker compose up`. Response: [Update]
+  start-stack             Starts the target stack. `docker compose start`. Response: [Update]
+  restart-stack           Restarts the target stack. `docker compose restart`. Response: [Update]
+  pause-stack             Pauses the target stack. `docker compose pause`. Response: [Update]
+  unpause-stack           Unpauses the target stack. `docker compose unpause`. Response: [Update]
+  stop-stack              Starts the target stack. `docker compose stop`. Response: [Update]
+  destroy-stack           Destoys the target stack. `docker compose down`. Response: [Update]
+  sleep                   
+  help                    Print this message or the help of the given subcommand(s)
+
+Options:
+  -h, --help  Print help
+```
+
+### --yes
+
+You can use `--yes` to avoid any human prompt to continue, for use in automated environments.
+

bin/cli/aio.Dockerfile

@@ -0,0 +1,24 @@
+FROM rust:1.89.0-bullseye AS builder
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/cli ./bin/cli
+
+# Compile bin
+RUN cargo build -p komodo_cli --release
+
+# Copy binaries to distroless base
+FROM gcr.io/distroless/cc
+
+COPY --from=builder /builder/target/release/km /usr/local/bin/km
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/docs/copy-database.md

@@ -0,0 +1,135 @@
+# Copy Database Utility
+
+Copy the Komodo database contents between running, mongo-compatible databases.
+Can be used to move between MongoDB / FerretDB, or upgrade from FerretDB v1 to v2.
+
+```yaml
+services:
+
+  copy_database:
+    image: ghcr.io/moghtech/komodo-cli
+    command: km database copy -y
+    environment:
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@source:27017
+      KOMODO_DATABASE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_CLI_DATABASE_TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@target:27017
+      KOMODO_CLI_DATABASE_TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+
+```
+
+## FerretDB v2 Update Guide
+
+Up to Komodo 1.17.5, users who wanted to use Postgres / Sqlite were instructed to deploy FerretDB v1.
+Now that v2 is out however, v1 will go largely unsupported. Users are recommended to migrate to v2 for
+the best performance and ongoing support / updates, however the internal data structures
+have changed and this cannot be done in-place. 
+
+Also note that FerretDB v2 no longer supports Sqlite, and only supports 
+a [customized Postgres distribution](https://docs.ferretdb.io/installation/documentdb/docker/).
+Nonetheless, it remains a solid option for hosts which [do not support mongo](https://github.com/moghtech/komodo/issues/59).
+
+Also note, the same basic process outlined below can also be used to move between MongoDB and FerretDB, just replace FerretDB v2
+with the database you wish to move to.
+
+### **Step 1**: *Add* the new database to the top of your existing Komodo compose file.
+
+**Don't forget to also add the new volumes.**
+
+```yaml
+## In Komodo compose.yaml
+services:
+  postgres2:
+    # Recommended: Pin to a specific version
+    # https://github.com/FerretDB/documentdb/pkgs/container/postgres-documentdb
+    image: ghcr.io/ferretdb/postgres-documentdb
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    restart: unless-stopped
+    # ports:
+    #   - 5432:5432
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: ${KOMODO_DB_USERNAME}
+      POSTGRES_PASSWORD: ${KOMODO_DB_PASSWORD}
+      POSTGRES_DB: postgres # Do not change
+
+  ferretdb2:
+    # Recommended: Pin to a specific version
+    # https://github.com/FerretDB/FerretDB/pkgs/container/ferretdb
+    image: ghcr.io/ferretdb/ferretdb
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    restart: unless-stopped
+    depends_on:
+      - postgres2
+    # ports:
+    #   - 27017:27017
+    volumes:
+      - ferretdb-state:/state
+    environment:
+      FERRETDB_POSTGRESQL_URL: postgres://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@postgres2:5432/postgres
+
+  ...(unchanged)
+
+volumes:
+  ...(unchanged)
+  postgres-data:
+  ferretdb-state:
+```
+
+### **Step 2**: *Add* the database copy utility to Komodo compose file.
+
+The SOURCE_URI points to the existing database, ie the old FerretDB v1, and it depends
+on whether it was deployed using Postgres or Sqlite. The example below uses the Postgres one,
+but if you use Sqlite it should just be something like `mongodb://ferretdb:27017`.
+
+```yaml
+## In Komodo compose.yaml
+services:
+  ...(new database)
+
+  copy_database:
+    image: ghcr.io/moghtech/komodo-cli
+    command: km database copy -y
+    environment:
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN
+      KOMODO_DATABASE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_CLI_DATABASE_TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb2:27017
+      KOMODO_CLI_DATABASE_TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+
+  ...(unchanged)
+```
+
+### **Step 3**: *Compose Up* the new additions
+
+Run `docker compose -p komodo --env-file compose.env -f xxxxx.compose.yaml up -d`, filling in the name of your compose.yaml.
+This will start up both the old and new database, and copy the data to the new one.
+
+Wait a few moments for the `copy_database` service to finish. When it exits,
+confirm the logs show the data was moved successfully, and move on to the next step.
+
+### **Step 4**: Point Komodo Core to the new database
+
+In your Komodo compose.yaml, first *comment out* the `copy_database` service and old ferretdb v1 service/s.
+Then update the `core` service environment to point to `ferretdb2`.
+
+```yaml
+services:
+  ...
+
+  core:
+    ...(unchanged)
+    environment:
+      KOMODO_DATABASE_ADDRESS: ferretdb2:27017
+      KOMODO_DATABASE_USERNAME: ${KOMODO_DB_USERNAME}
+      KOMODO_DATABASE_PASSWORD: ${KOMODO_DB_PASSWORD}
+```
+
+### **Step 5**: Final *Compose Up*
+
+Repeat the same `docker compose` command as before to apply the changes, and then try navigating to your Komodo web page.
+If it works, congrats, **you are done**. You can clean up the compose file if you would like, removing the old volumes etc.
+
+If it does not work, check the logs for any obvious issues, and if necessary you can undo the previous steps
+to go back to using the previous database.

bin/cli/multi-arch.Dockerfile

@@ -0,0 +1,29 @@
+## Assumes the latest binaries for x86_64 and aarch64 are already built (by binaries.Dockerfile).
+## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
+ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64
+
+# This is required to work with COPY --from
+FROM ${X86_64_BINARIES} AS x86_64
+FROM ${AARCH64_BINARIES} AS aarch64
+
+FROM debian:bullseye-slim
+
+WORKDIR /app
+
+## Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
+COPY --from=x86_64 /km /app/arch/linux/amd64
+COPY --from=aarch64 /km /app/arch/linux/arm64
+
+ARG TARGETPLATFORM
+RUN mv /app/arch/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/arch
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/runfile.toml

@@ -0,0 +1,4 @@
+[install-cli]
+alias = "ic"
+description = "installs the komodo-cli, available on the command line as 'km'"
+cmd = "cargo install --path ."

bin/cli/single-arch.Dockerfile

@@ -0,0 +1,18 @@
+## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+
+# This is required to work with COPY --from
+FROM ${BINARIES_IMAGE} AS binaries
+
+FROM gcr.io/distroless/cc
+
+COPY --from=binaries /km /usr/local/bin/km
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/src/command/container.rs

@@ -0,0 +1,312 @@
+use std::collections::{HashMap, HashSet};
+
+use anyhow::Context;
+use colored::Colorize;
+use comfy_table::{Attribute, Cell, Color};
+use futures_util::{
+  FutureExt, TryStreamExt, stream::FuturesUnordered,
+};
+use komodo_client::{
+  api::read::{
+    InspectDockerContainer, ListAllDockerContainers, ListServers,
+  },
+  entities::{
+    config::cli::args::container::{
+      Container, ContainerCommand, InspectContainer,
+    },
+    docker::{
+      self,
+      container::{ContainerListItem, ContainerStateStatusEnum},
+    },
+  },
+};
+
+use crate::{
+  command::{
+    PrintTable, clamp_sha, matches_wildcards, parse_wildcards,
+    print_items,
+  },
+  config::cli_config,
+};
+
+pub async fn handle(container: &Container) -> anyhow::Result<()> {
+  match &container.command {
+    None => list_containers(container).await,
+    Some(ContainerCommand::Inspect(inspect)) => {
+      inspect_container(inspect).await
+    }
+  }
+}
+
+async fn list_containers(
+  Container {
+    all,
+    down,
+    links,
+    reverse,
+    containers: names,
+    images,
+    networks,
+    servers,
+    format,
+    command: _,
+  }: &Container,
+) -> anyhow::Result<()> {
+  let client = super::komodo_client().await?;
+  let (server_map, containers) = tokio::try_join!(
+    client
+      .read(ListServers::default())
+      .map(|res| res.map(|res| res
+        .into_iter()
+        .map(|s| (s.id.clone(), s))
+        .collect::<HashMap<_, _>>())),
+    client.read(ListAllDockerContainers {
+      servers: Default::default()
+    }),
+  )?;
+
+  // (Option<Server Name>, Container)
+  let containers = containers.into_iter().map(|c| {
+    let server = if let Some(server_id) = c.server_id.as_ref()
+      && let Some(server) = server_map.get(server_id)
+    {
+      server
+    } else {
+      return (None, c);
+    };
+    (Some(server.name.as_str()), c)
+  });
+
+  let names = parse_wildcards(names);
+  let servers = parse_wildcards(servers);
+  let images = parse_wildcards(images);
+  let networks = parse_wildcards(networks);
+
+  let mut containers = containers
+    .into_iter()
+    .filter(|(server_name, c)| {
+      let state_check = if *all {
+        true
+      } else if *down {
+        !matches!(c.state, ContainerStateStatusEnum::Running)
+      } else {
+        matches!(c.state, ContainerStateStatusEnum::Running)
+      };
+      let network_check = matches_wildcards(
+        &networks,
+        &c.network_mode
+          .as_deref()
+          .map(|n| vec![n])
+          .unwrap_or_default(),
+      ) || matches_wildcards(
+        &networks,
+        &c.networks.iter().map(String::as_str).collect::<Vec<_>>(),
+      );
+      state_check
+        && network_check
+        && matches_wildcards(&names, &[c.name.as_str()])
+        && matches_wildcards(
+          &servers,
+          &server_name
+            .as_deref()
+            .map(|i| vec![i])
+            .unwrap_or_default(),
+        )
+        && matches_wildcards(
+          &images,
+          &c.image.as_deref().map(|i| vec![i]).unwrap_or_default(),
+        )
+    })
+    .collect::<Vec<_>>();
+  containers.sort_by(|(a_s, a), (b_s, b)| {
+    a.state
+      .cmp(&b.state)
+      .then(a.name.cmp(&b.name))
+      .then(a_s.cmp(b_s))
+      .then(a.network_mode.cmp(&b.network_mode))
+      .then(a.image.cmp(&b.image))
+  });
+  if *reverse {
+    containers.reverse();
+  }
+  print_items(containers, *format, *links)?;
+  Ok(())
+}
+
+pub async fn inspect_container(
+  inspect: &InspectContainer,
+) -> anyhow::Result<()> {
+  let client = super::komodo_client().await?;
+  let (server_map, mut containers) = tokio::try_join!(
+    client
+      .read(ListServers::default())
+      .map(|res| res.map(|res| res
+        .into_iter()
+        .map(|s| (s.id.clone(), s))
+        .collect::<HashMap<_, _>>())),
+    client.read(ListAllDockerContainers {
+      servers: Default::default()
+    }),
+  )?;
+
+  containers.iter_mut().for_each(|c| {
+    let Some(server_id) = c.server_id.as_ref() else {
+      return;
+    };
+    let Some(server) = server_map.get(server_id) else {
+      c.server_id = Some(String::from("Unknown"));
+      return;
+    };
+    c.server_id = Some(server.name.clone());
+  });
+
+  let names = [inspect.container.to_string()];
+  let names = parse_wildcards(&names);
+  let servers = parse_wildcards(&inspect.servers);
+
+  let mut containers = containers
+    .into_iter()
+    .filter(|c| {
+      matches_wildcards(&names, &[c.name.as_str()])
+        && matches_wildcards(
+          &servers,
+          &c.server_id
+            .as_deref()
+            .map(|i| vec![i])
+            .unwrap_or_default(),
+        )
+    })
+    .map(|c| async move {
+      client
+        .read(InspectDockerContainer {
+          container: c.name,
+          server: c.server_id.context("No server...")?,
+        })
+        .await
+    })
+    .collect::<FuturesUnordered<_>>()
+    .try_collect::<Vec<_>>()
+    .await?;
+
+  containers.sort_by(|a, b| a.name.cmp(&b.name));
+
+  match containers.len() {
+    0 => {
+      println!(
+        "{}: Did not find any containers matching '{}'",
+        "INFO".green(),
+        inspect.container.bold()
+      );
+    }
+    1 => {
+      println!("{}", serialize_container(inspect, &containers[0])?);
+    }
+    _ => {
+      let containers = containers
+        .iter()
+        .map(|c| serialize_container(inspect, c))
+        .collect::<anyhow::Result<Vec<_>>>()?
+        .join("\n");
+      println!("{containers}");
+    }
+  }
+
+  Ok(())
+}
+
+fn serialize_container(
+  inspect: &InspectContainer,
+  container: &docker::container::Container,
+) -> anyhow::Result<String> {
+  let res = if inspect.state {
+    serde_json::to_string_pretty(&container.state)
+  } else if inspect.mounts {
+    serde_json::to_string_pretty(&container.mounts)
+  } else if inspect.host_config {
+    serde_json::to_string_pretty(&container.host_config)
+  } else if inspect.config {
+    serde_json::to_string_pretty(&container.config)
+  } else if inspect.network_settings {
+    serde_json::to_string_pretty(&container.network_settings)
+  } else {
+    serde_json::to_string_pretty(container)
+  }
+  .context("Failed to serialize items to JSON")?;
+  Ok(res)
+}
+
+// (Option<Server Name>, Container)
+impl PrintTable for (Option<&'_ str>, ContainerListItem) {
+  fn header(links: bool) -> &'static [&'static str] {
+    if links {
+      &[
+        "Container",
+        "State",
+        "Server",
+        "Ports",
+        "Networks",
+        "Image",
+        "Link",
+      ]
+    } else {
+      &["Container", "State", "Server", "Ports", "Networks", "Image"]
+    }
+  }
+  fn row(self, links: bool) -> Vec<Cell> {
+    let color = match self.1.state {
+      ContainerStateStatusEnum::Running => Color::Green,
+      ContainerStateStatusEnum::Paused => Color::DarkYellow,
+      ContainerStateStatusEnum::Empty => Color::Grey,
+      _ => Color::Red,
+    };
+    let mut networks = HashSet::new();
+    if let Some(network) = self.1.network_mode {
+      networks.insert(network);
+    }
+    for network in self.1.networks {
+      networks.insert(network);
+    }
+    let mut networks = networks.into_iter().collect::<Vec<_>>();
+    networks.sort();
+    let mut ports = self
+      .1
+      .ports
+      .into_iter()
+      .flat_map(|p| p.public_port.map(|p| p.to_string()))
+      .collect::<HashSet<_>>()
+      .into_iter()
+      .collect::<Vec<_>>();
+    ports.sort();
+    let ports = if ports.is_empty() {
+      Cell::new("")
+    } else {
+      Cell::new(format!(":{}", ports.join(", :")))
+    };
+
+    let image = self.1.image.as_deref().unwrap_or("Unknown");
+    let mut res = vec![
+      Cell::new(self.1.name.clone()).add_attribute(Attribute::Bold),
+      Cell::new(self.1.state.to_string())
+        .fg(color)
+        .add_attribute(Attribute::Bold),
+      Cell::new(self.0.unwrap_or("Unknown")),
+      ports,
+      Cell::new(networks.join(", ")),
+      Cell::new(clamp_sha(image)),
+    ];
+    if !links {
+      return res;
+    }
+    let link = if let Some(server_id) = self.1.server_id {
+      format!(
+        "{}/servers/{server_id}/container/{}",
+        cli_config().host,
+        self.1.name
+      )
+    } else {
+      String::new()
+    };
+    res.push(Cell::new(link));
+    res
+  }
+}

bin/cli/src/command/database.rs

@@ -0,0 +1,320 @@
+use std::path::Path;
+
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::entities::{
+  config::cli::args::database::DatabaseCommand, optional_string,
+};
+
+use crate::{command::sanitize_uri, config::cli_config};
+
+pub async fn handle(command: &DatabaseCommand) -> anyhow::Result<()> {
+  match command {
+    DatabaseCommand::Backup { yes, .. } => backup(*yes).await,
+    DatabaseCommand::Restore {
+      restore_folder,
+      index,
+      yes,
+      ..
+    } => restore(restore_folder.as_deref(), *index, *yes).await,
+    DatabaseCommand::Prune { yes, .. } => prune(*yes).await,
+    DatabaseCommand::Copy { yes, index, .. } => {
+      copy(*index, *yes).await
+    }
+  }
+}
+
+async fn backup(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Backup".green().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Backup all database contents to gzip compressed files."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+  println!(
+    "{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if config.max_backups == 0 {
+    println!(
+      "{}{}",
+      " - Backup pruning".dimmed(),
+      "disabled".red().dimmed()
+    );
+  } else {
+    println!("{}: {}", " - Max Backups".dimmed(), config.max_backups);
+  }
+
+  crate::command::wait_for_enter("start backup", yes)?;
+
+  let db = database::init(&config.database).await?;
+
+  database::utils::backup(&db, &config.backups_folder).await?;
+
+  // Early return if backup pruning disabled
+  if config.max_backups == 0 {
+    return Ok(());
+  }
+
+  // Know that new backup was taken successfully at this point,
+  // safe to prune old backup folders
+
+  prune_inner().await
+}
+
+async fn restore(
+  restore_folder: Option<&Path>,
+  index: bool,
+  yes: bool,
+) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Restore".purple().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Restores database contents from gzip compressed files."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database_target.uri) {
+    println!("{}: {}", " - Target URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) =
+    optional_string(&config.database_target.address)
+  {
+    println!("{}: {address}", " - Target Address".dimmed());
+  }
+  if let Some(username) =
+    optional_string(&config.database_target.username)
+  {
+    println!("{}: {username}", " - Target Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Target Db Name".dimmed(),
+    config.database_target.db_name,
+  );
+  if !index {
+    println!(
+      "{}: {}",
+      " - Target Db Indexing".dimmed(),
+      "DISABLED".red(),
+    );
+  }
+  println!(
+    "\n{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if let Some(restore_folder) = restore_folder {
+    println!("{}: {restore_folder:?}", " - Restore Folder".dimmed());
+  }
+
+  crate::command::wait_for_enter("start restore", yes)?;
+
+  let db = if index {
+    database::Client::new(&config.database_target).await?.db
+  } else {
+    database::init(&config.database_target).await?
+  };
+
+  database::utils::restore(
+    &db,
+    &config.backups_folder,
+    restore_folder,
+  )
+  .await
+}
+
+async fn prune(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Backup Prune".cyan().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Prunes database backup folders when greater than the configured amount."
+      .dimmed()
+  );
+  println!(
+    "{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if config.max_backups == 0 {
+    println!(
+      "{}{}",
+      " - Backup pruning".dimmed(),
+      "disabled".red().dimmed()
+    );
+  } else {
+    println!("{}: {}", " - Max Backups".dimmed(), config.max_backups);
+  }
+
+  // Early return if backup pruning disabled
+  if config.max_backups == 0 {
+    info!(
+      "Backup pruning is disabled, enabled using 'max_backups' (KOMODO_CLI_MAX_BACKUPS)"
+    );
+    return Ok(());
+  }
+
+  crate::command::wait_for_enter("start backup prune", yes)?;
+
+  prune_inner().await
+}
+
+async fn prune_inner() -> anyhow::Result<()> {
+  let config = cli_config();
+
+  let mut backups_dir =
+    match tokio::fs::read_dir(&config.backups_folder)
+      .await
+      .context("Failed to read backups folder for prune")
+    {
+      Ok(backups_dir) => backups_dir,
+      Err(e) => {
+        warn!("{e:#}");
+        return Ok(());
+      }
+    };
+
+  let mut backup_folders = Vec::new();
+  loop {
+    match backups_dir.next_entry().await {
+      Ok(Some(entry)) => {
+        let Ok(metadata) = entry.metadata().await else {
+          continue;
+        };
+        if metadata.is_dir() {
+          backup_folders.push(entry.path());
+        }
+      }
+      Ok(None) => break,
+      Err(_) => {
+        continue;
+      }
+    }
+  }
+  // Ordered from oldest -> newest
+  backup_folders.sort();
+
+  let max_backups = config.max_backups as usize;
+  let backup_folders_len = backup_folders.len();
+
+  // Early return if under the backup count threshold
+  if backup_folders_len <= max_backups {
+    info!("No backups to prune");
+    return Ok(());
+  }
+
+  let to_delete =
+    &backup_folders[..(backup_folders_len - max_backups)];
+
+  info!("Pruning old backups: {to_delete:?}");
+
+  for path in to_delete {
+    if let Err(e) =
+      tokio::fs::remove_dir_all(path).await.with_context(|| {
+        format!("Failed to delete backup folder at {path:?}")
+      })
+    {
+      warn!("{e:#}");
+    }
+  }
+
+  Ok(())
+}
+
+async fn copy(index: bool, yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Copy".blue().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Copies database contents to another database.".dimmed()
+  );
+
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  if let Some(uri) = optional_string(&config.database_target.uri) {
+    println!("{}: {}", " - Target URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) =
+    optional_string(&config.database_target.address)
+  {
+    println!("{}: {address}", " - Target Address".dimmed());
+  }
+  if let Some(username) =
+    optional_string(&config.database_target.username)
+  {
+    println!("{}: {username}", " - Target Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Target Db Name".dimmed(),
+    config.database_target.db_name,
+  );
+  if !index {
+    println!(
+      "{}: {}",
+      " - Target Db Indexing".dimmed(),
+      "DISABLED".red(),
+    );
+  }
+
+  crate::command::wait_for_enter("start copy", yes)?;
+
+  let source_db = database::init(&config.database).await?;
+  let target_db = if index {
+    database::Client::new(&config.database_target).await?.db
+  } else {
+    database::init(&config.database_target).await?
+  };
+
+  database::utils::copy(&source_db, &target_db).await
+}

bin/cli/src/command/execute.rs

@@ -0,0 +1,572 @@
+use std::time::Duration;
+
+use colored::Colorize;
+use futures_util::{StreamExt, stream::FuturesUnordered};
+use komodo_client::{
+  api::execute::{
+    BatchExecutionResponse, BatchExecutionResponseItem, Execution,
+  },
+  entities::{resource_link, update::Update},
+};
+
+use crate::config::cli_config;
+
+enum ExecutionResult {
+  Single(Box<Update>),
+  Batch(BatchExecutionResponse),
+}
+
+pub async fn handle(
+  execution: &Execution,
+  yes: bool,
+) -> anyhow::Result<()> {
+  if matches!(execution, Execution::None(_)) {
+    println!("Got 'none' execution. Doing nothing...");
+    tokio::time::sleep(Duration::from_secs(3)).await;
+    println!("Finished doing nothing. Exiting...");
+    std::process::exit(0);
+  }
+
+  println!("\n{}: Execution", "Mode".dimmed());
+  match execution {
+    Execution::None(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CancelBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Deploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchCloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchPullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchBuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CancelRepoBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteNetwork(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneNetworks(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteImage(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneImages(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteVolume(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneVolumes(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneDockerBuilders(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneBuildx(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneSystem(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CommitSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchPullStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunStackService(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::TestAlerter(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::SendAlert(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::ClearRepoCache(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BackupCoreDatabase(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::GlobalAutoUpdate(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Sleep(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+  }
+
+  super::wait_for_enter("run execution", yes)?;
+
+  info!("Running Execution...");
+
+  let client = super::komodo_client().await?;
+
+  let res = match execution.clone() {
+    Execution::RunAction(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchRunAction(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunProcedure(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchRunProcedure(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunBuild(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchRunBuild(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CancelBuild(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::Deploy(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDeploy(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StartDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DestroyDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDestroyDeployment(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CloneRepo(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchCloneRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullRepo(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchPullRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::BuildRepo(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchBuildRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CancelRepoBuild(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StartContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DestroyContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StartAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeleteNetwork(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneNetworks(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeleteImage(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneImages(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeleteVolume(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneVolumes(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneDockerBuilders(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneBuildx(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneSystem(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RunSync(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::CommitSync(request) => client
+      .write(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeployStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDeployStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::DeployStackIfChanged(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDeployStackIfChanged(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchPullStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::StartStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DestroyStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDestroyStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunStackService(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::TestAlerter(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::SendAlert(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::ClearRepoCache(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BackupCoreDatabase(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::GlobalAutoUpdate(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::Sleep(request) => {
+      let duration =
+        Duration::from_millis(request.duration_ms as u64);
+      tokio::time::sleep(duration).await;
+      println!("Finished sleeping!");
+      std::process::exit(0)
+    }
+    Execution::None(_) => unreachable!(),
+  };
+
+  match res {
+    Ok(ExecutionResult::Single(update)) => {
+      poll_update_until_complete(&update).await
+    }
+    Ok(ExecutionResult::Batch(updates)) => {
+      let mut handles = updates
+        .iter()
+        .map(|update| async move {
+          match update {
+            BatchExecutionResponseItem::Ok(update) => {
+              poll_update_until_complete(update).await
+            }
+            BatchExecutionResponseItem::Err(e) => {
+              error!("{e:#?}");
+              Ok(())
+            }
+          }
+        })
+        .collect::<FuturesUnordered<_>>();
+      while let Some(res) = handles.next().await {
+        match res {
+          Ok(()) => {}
+          Err(e) => {
+            error!("{e:#?}");
+          }
+        }
+      }
+      Ok(())
+    }
+    Err(e) => {
+      error!("{e:#?}");
+      Ok(())
+    }
+  }
+}
+
+async fn poll_update_until_complete(
+  update: &Update,
+) -> anyhow::Result<()> {
+  let link = if update.id.is_empty() {
+    let (resource_type, id) = update.target.extract_variant_id();
+    resource_link(&cli_config().host, resource_type, id)
+  } else {
+    format!("{}/updates/{}", cli_config().host, update.id)
+  };
+  println!("Link: '{}'", link.bold());
+
+  let client = super::komodo_client().await?;
+
+  let timer = tokio::time::Instant::now();
+  let update = client.poll_update_until_complete(&update.id).await?;
+  if update.success {
+    println!(
+      "FINISHED in {}: {}",
+      format!("{:.1?}", timer.elapsed()).bold(),
+      "EXECUTION SUCCESSFUL".green(),
+    );
+  } else {
+    eprintln!(
+      "FINISHED in {}: {}",
+      format!("{:.1?}", timer.elapsed()).bold(),
+      "EXECUTION FAILED".red(),
+    );
+  }
+  Ok(())
+}

bin/cli/src/command/mod.rs

@@ -0,0 +1,181 @@
+use std::io::Read;
+
+use anyhow::{Context, anyhow};
+use chrono::TimeZone;
+use colored::Colorize;
+use comfy_table::{Attribute, Cell, Table};
+use komodo_client::{
+  KomodoClient,
+  entities::config::cli::{CliTableBorders, args::CliFormat},
+};
+use serde::Serialize;
+use tokio::sync::OnceCell;
+use wildcard::Wildcard;
+
+use crate::config::cli_config;
+
+pub mod container;
+pub mod database;
+pub mod execute;
+pub mod list;
+pub mod update;
+
+async fn komodo_client() -> anyhow::Result<&'static KomodoClient> {
+  static KOMODO_CLIENT: OnceCell<KomodoClient> =
+    OnceCell::const_new();
+  KOMODO_CLIENT
+    .get_or_try_init(|| async {
+      let config = cli_config();
+      let (Some(key), Some(secret)) =
+        (&config.cli_key, &config.cli_secret)
+      else {
+        return Err(anyhow!(
+          "Must provide both cli_key and cli_secret"
+        ));
+      };
+      KomodoClient::new(&config.host, key, secret)
+        .with_healthcheck()
+        .await
+    })
+    .await
+}
+
+fn wait_for_enter(
+  press_enter_to: &str,
+  skip: bool,
+) -> anyhow::Result<()> {
+  if skip {
+    println!();
+    return Ok(());
+  }
+  println!(
+    "\nPress {} to {}\n",
+    "ENTER".green(),
+    press_enter_to.bold()
+  );
+  let buffer = &mut [0u8];
+  std::io::stdin()
+    .read_exact(buffer)
+    .context("failed to read ENTER")?;
+  Ok(())
+}
+
+/// Sanitizes uris of the form:
+/// `protocol://username:password@address`
+fn sanitize_uri(uri: &str) -> String {
+  // protocol: `mongodb`
+  // credentials_address: `username:password@address`
+  let Some((protocol, credentials_address)) = uri.split_once("://")
+  else {
+    // If no protocol, return as-is
+    return uri.to_string();
+  };
+
+  // credentials: `username:password`
+  let Some((credentials, address)) =
+    credentials_address.split_once('@')
+  else {
+    // If no credentials, return as-is
+    return uri.to_string();
+  };
+
+  match credentials.split_once(':') {
+    Some((username, _)) => {
+      format!("{protocol}://{username}:*****@{address}")
+    }
+    None => {
+      format!("{protocol}://*****@{address}")
+    }
+  }
+}
+
+fn print_items<T: PrintTable + Serialize>(
+  items: Vec<T>,
+  format: CliFormat,
+  links: bool,
+) -> anyhow::Result<()> {
+  match format {
+    CliFormat::Table => {
+      let mut table = Table::new();
+      let preset = {
+        use comfy_table::presets::*;
+        match cli_config().table_borders {
+          None | Some(CliTableBorders::Horizontal) => {
+            UTF8_HORIZONTAL_ONLY
+          }
+          Some(CliTableBorders::Vertical) => UTF8_FULL_CONDENSED,
+          Some(CliTableBorders::Inside) => UTF8_NO_BORDERS,
+          Some(CliTableBorders::Outside) => UTF8_BORDERS_ONLY,
+          Some(CliTableBorders::All) => UTF8_FULL,
+        }
+      };
+      table.load_preset(preset).set_header(
+        T::header(links)
+          .iter()
+          .map(|h| Cell::new(h).add_attribute(Attribute::Bold)),
+      );
+      for item in items {
+        table.add_row(item.row(links));
+      }
+      println!("{table}");
+    }
+    CliFormat::Json => {
+      println!(
+        "{}",
+        serde_json::to_string_pretty(&items)
+          .context("Failed to serialize items to JSON")?
+      );
+    }
+  }
+  Ok(())
+}
+
+trait PrintTable {
+  fn header(links: bool) -> &'static [&'static str];
+  fn row(self, links: bool) -> Vec<Cell>;
+}
+
+fn parse_wildcards(items: &[String]) -> Vec<Wildcard<'_>> {
+  items
+    .iter()
+    .flat_map(|i| {
+      Wildcard::new(i.as_bytes()).inspect_err(|e| {
+        warn!("Failed to parse wildcard: {i} | {e:?}")
+      })
+    })
+    .collect::<Vec<_>>()
+}
+
+fn matches_wildcards(
+  wildcards: &[Wildcard<'_>],
+  items: &[&str],
+) -> bool {
+  if wildcards.is_empty() {
+    return true;
+  }
+  items.iter().any(|item| {
+    wildcards.iter().any(|wc| wc.is_match(item.as_bytes()))
+  })
+}
+
+fn format_timetamp(ts: i64) -> anyhow::Result<String> {
+  let ts = chrono::Local
+    .timestamp_millis_opt(ts)
+    .single()
+    .context("Invalid ts")?
+    .format("%m/%d %H:%M:%S")
+    .to_string();
+  Ok(ts)
+}
+
+fn clamp_sha(maybe_sha: &str) -> String {
+  if maybe_sha.starts_with("sha256:") {
+    maybe_sha[0..20].to_string() + "..."
+  } else {
+    maybe_sha.to_string()
+  }
+}
+
+// fn text_link(link: &str, text: &str) -> String {
+//   format!("\x1b]8;;{link}\x07{text}\x1b]8;;\x07")
+// }

bin/cli/src/command/update/mod.rs

@@ -0,0 +1,43 @@
+use komodo_client::entities::{
+  build::PartialBuildConfig,
+  config::cli::args::update::UpdateCommand,
+  deployment::PartialDeploymentConfig, repo::PartialRepoConfig,
+  server::PartialServerConfig, stack::PartialStackConfig,
+  sync::PartialResourceSyncConfig,
+};
+
+mod resource;
+mod user;
+mod variable;
+
+pub async fn handle(command: &UpdateCommand) -> anyhow::Result<()> {
+  match command {
+    UpdateCommand::Build(update) => {
+      resource::update::<PartialBuildConfig>(update).await
+    }
+    UpdateCommand::Deployment(update) => {
+      resource::update::<PartialDeploymentConfig>(update).await
+    }
+    UpdateCommand::Repo(update) => {
+      resource::update::<PartialRepoConfig>(update).await
+    }
+    UpdateCommand::Server(update) => {
+      resource::update::<PartialServerConfig>(update).await
+    }
+    UpdateCommand::Stack(update) => {
+      resource::update::<PartialStackConfig>(update).await
+    }
+    UpdateCommand::Sync(update) => {
+      resource::update::<PartialResourceSyncConfig>(update).await
+    }
+    UpdateCommand::Variable {
+      name,
+      value,
+      secret,
+      yes,
+    } => variable::update(name, value, *secret, *yes).await,
+    UpdateCommand::User { username, command } => {
+      user::update(username, command).await
+    }
+  }
+}

bin/cli/src/command/update/resource.rs

@@ -0,0 +1,152 @@
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::{
+  api::write::{
+    UpdateBuild, UpdateDeployment, UpdateRepo, UpdateResourceSync,
+    UpdateServer, UpdateStack,
+  },
+  entities::{
+    build::PartialBuildConfig,
+    config::cli::args::update::UpdateResource,
+    deployment::PartialDeploymentConfig, repo::PartialRepoConfig,
+    server::PartialServerConfig, stack::PartialStackConfig,
+    sync::PartialResourceSyncConfig,
+  },
+};
+use serde::{Serialize, de::DeserializeOwned};
+
+pub async fn update<
+  T: std::fmt::Debug + Serialize + DeserializeOwned + ResourceUpdate,
+>(
+  UpdateResource {
+    resource,
+    update,
+    yes,
+  }: &UpdateResource,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update {}\n", "Mode".dimmed(), T::resource_type());
+  println!(" - {}: {resource}", "Name".dimmed());
+
+  let config = serde_qs::from_str::<T>(update)
+    .context("Failed to deserialize config")?;
+
+  match serde_json::to_string_pretty(&config) {
+    Ok(config) => {
+      println!(" - {}: {config}", "Update".dimmed());
+    }
+    Err(_) => {
+      println!(" - {}: {config:#?}", "Update".dimmed());
+    }
+  }
+
+  crate::command::wait_for_enter("update resource", *yes)?;
+
+  config.apply(resource).await
+}
+
+pub trait ResourceUpdate {
+  fn resource_type() -> &'static str;
+  async fn apply(self, resource: &str) -> anyhow::Result<()>;
+}
+
+impl ResourceUpdate for PartialBuildConfig {
+  fn resource_type() -> &'static str {
+    "Build"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateBuild {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update build config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialDeploymentConfig {
+  fn resource_type() -> &'static str {
+    "Deployment"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateDeployment {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update deployment config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialRepoConfig {
+  fn resource_type() -> &'static str {
+    "Repo"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateRepo {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update repo config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialServerConfig {
+  fn resource_type() -> &'static str {
+    "Server"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateServer {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update server config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialStackConfig {
+  fn resource_type() -> &'static str {
+    "Stack"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateStack {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update stack config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialResourceSyncConfig {
+  fn resource_type() -> &'static str {
+    "Sync"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateResourceSync {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update sync config")?;
+    Ok(())
+  }
+}

bin/cli/src/command/update/user.rs

@@ -0,0 +1,122 @@
+use anyhow::Context;
+use colored::Colorize;
+use database::mungos::mongodb::bson::doc;
+use komodo_client::entities::{
+  config::{
+    cli::args::{CliEnabled, update::UpdateUserCommand},
+    empty_or_redacted,
+  },
+  optional_string,
+};
+
+use crate::{command::sanitize_uri, config::cli_config};
+
+pub async fn update(
+  username: &str,
+  command: &UpdateUserCommand,
+) -> anyhow::Result<()> {
+  match command {
+    UpdateUserCommand::Password {
+      password,
+      unsanitized,
+      yes,
+    } => {
+      update_password(username, password, *unsanitized, *yes).await
+    }
+    UpdateUserCommand::SuperAdmin { enabled, yes } => {
+      update_super_admin(username, *enabled, *yes).await
+    }
+  }
+}
+
+async fn update_password(
+  username: &str,
+  password: &str,
+  unsanitized: bool,
+  yes: bool,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update Password\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+  if unsanitized {
+    println!(" - {}: {password}", "Password".dimmed());
+  } else {
+    println!(
+      " - {}: {}",
+      "Password".dimmed(),
+      empty_or_redacted(password)
+    );
+  }
+
+  crate::command::wait_for_enter("update password", yes)?;
+
+  info!("Updating password...");
+
+  let db = database::Client::new(&cli_config().database).await?;
+
+  let user = db
+    .users
+    .find_one(doc! { "username": username })
+    .await
+    .context("Failed to query database for user")?
+    .context("No user found with given username")?;
+
+  db.set_user_password(&user, password).await?;
+
+  info!("Password updated ✅");
+
+  Ok(())
+}
+
+async fn update_super_admin(
+  username: &str,
+  super_admin: CliEnabled,
+  yes: bool,
+) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!("\n{}: Update Super Admin\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+  println!(" - {}: {super_admin}\n", "Super Admin".dimmed());
+
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  crate::command::wait_for_enter("update super admin", yes)?;
+
+  info!("Updating super admin...");
+
+  let db = database::Client::new(&config.database).await?;
+
+  // Make sure the user exists first before saying it is successful.
+  let user = db
+    .users
+    .find_one(doc! { "username": username })
+    .await
+    .context("Failed to query database for user")?
+    .context("No user found with given username")?;
+
+  let super_admin: bool = super_admin.into();
+  db.users
+    .update_one(
+      doc! { "username": user.username },
+      doc! { "$set": { "super_admin": super_admin } },
+    )
+    .await
+    .context("Failed to update user super admin on db")?;
+
+  info!("Super admin updated ✅");
+
+  Ok(())
+}

bin/cli/src/command/update/variable.rs

@@ -0,0 +1,70 @@
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::api::{
+  read::GetVariable,
+  write::{
+    CreateVariable, UpdateVariableIsSecret, UpdateVariableValue,
+  },
+};
+
+pub async fn update(
+  name: &str,
+  value: &str,
+  secret: Option<bool>,
+  yes: bool,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update Variable\n", "Mode".dimmed());
+  println!(" - {}:  {name}", "Name".dimmed());
+  println!(" - {}: {value}", "Value".dimmed());
+  if let Some(secret) = secret {
+    println!(" - {}: {secret}", "Is Secret".dimmed());
+  }
+
+  crate::command::wait_for_enter("update variable", yes)?;
+
+  let client = crate::command::komodo_client().await?;
+
+  let Ok(existing) = client
+    .read(GetVariable {
+      name: name.to_string(),
+    })
+    .await
+  else {
+    // Create the variable
+    client
+      .write(CreateVariable {
+        name: name.to_string(),
+        value: value.to_string(),
+        is_secret: secret.unwrap_or_default(),
+        description: Default::default(),
+      })
+      .await
+      .context("Failed to create variable")?;
+    info!("Variable created ✅");
+    return Ok(());
+  };
+
+  client
+    .write(UpdateVariableValue {
+      name: name.to_string(),
+      value: value.to_string(),
+    })
+    .await
+    .context("Failed to update variable 'value'")?;
+  info!("Variable 'value' updated ✅");
+
+  let Some(secret) = secret else { return Ok(()) };
+
+  if secret != existing.is_secret {
+    client
+      .write(UpdateVariableIsSecret {
+        name: name.to_string(),
+        is_secret: secret,
+      })
+      .await
+      .context("Failed to update variable 'is_secret'")?;
+    info!("Variable 'is_secret' updated to {secret} ✅");
+  }
+
+  Ok(())
+}

bin/cli/src/config.rs

@@ -0,0 +1,274 @@
+use std::{path::PathBuf, sync::OnceLock};
+
+use anyhow::Context;
+use clap::Parser;
+use colored::Colorize;
+use environment_file::maybe_read_item_from_file;
+use komodo_client::entities::{
+  config::{
+    DatabaseConfig,
+    cli::{
+      CliConfig, Env,
+      args::{CliArgs, Command, Execute, database::DatabaseCommand},
+    },
+  },
+  logger::LogConfig,
+};
+
+pub fn cli_args() -> &'static CliArgs {
+  static CLI_ARGS: OnceLock<CliArgs> = OnceLock::new();
+  CLI_ARGS.get_or_init(CliArgs::parse)
+}
+
+pub fn cli_env() -> &'static Env {
+  static CLI_ARGS: OnceLock<Env> = OnceLock::new();
+  CLI_ARGS.get_or_init(|| {
+    match envy::from_env()
+      .context("Failed to parse Komodo CLI environment")
+    {
+      Ok(env) => env,
+      Err(e) => {
+        panic!("{e:?}");
+      }
+    }
+  })
+}
+
+pub fn cli_config() -> &'static CliConfig {
+  static CLI_CONFIG: OnceLock<CliConfig> = OnceLock::new();
+  CLI_CONFIG.get_or_init(|| {
+    let args = cli_args();
+    let env = cli_env().clone();
+    let config_paths = args
+      .config_path
+      .clone()
+      .unwrap_or(env.komodo_cli_config_paths);
+    let debug_startup =
+      args.debug_startup.unwrap_or(env.komodo_cli_debug_startup);
+
+    if debug_startup {
+      println!(
+        "{}: Komodo CLI version: {}",
+        "DEBUG".cyan(),
+        env!("CARGO_PKG_VERSION").blue().bold()
+      );
+      println!(
+        "{}: {}: {config_paths:?}",
+        "DEBUG".cyan(),
+        "Config Paths".dimmed(),
+      );
+    }
+
+    let config_keywords = args
+      .config_keyword
+      .clone()
+      .unwrap_or(env.komodo_cli_config_keywords);
+    let config_keywords = config_keywords
+      .iter()
+      .map(String::as_str)
+      .collect::<Vec<_>>();
+    if debug_startup {
+      println!(
+        "{}: {}: {config_keywords:?}",
+        "DEBUG".cyan(),
+        "Config File Keywords".dimmed(),
+      );
+    }
+    let mut unparsed_config = (config::ConfigLoader {
+      paths: &config_paths
+        .iter()
+        .map(PathBuf::as_path)
+        .collect::<Vec<_>>(),
+      match_wildcards: &config_keywords,
+      include_file_name: ".kminclude",
+      merge_nested: env.komodo_cli_merge_nested_config,
+      extend_array: env.komodo_cli_extend_config_arrays,
+      debug_print: debug_startup,
+    })
+    .load::<serde_json::Map<String, serde_json::Value>>()
+    .expect("failed at parsing config from paths");
+    let init_parsed_config = serde_json::from_value::<CliConfig>(
+      serde_json::Value::Object(unparsed_config.clone()),
+    )
+    .context("Failed to parse config")
+    .unwrap();
+
+    let (host, key, secret) = match &args.command {
+      Command::Execute(Execute {
+        host, key, secret, ..
+      }) => (host.clone(), key.clone(), secret.clone()),
+      _ => (None, None, None),
+    };
+
+    let backups_folder = match &args.command {
+      Command::Database {
+        command: DatabaseCommand::Backup { backups_folder, .. },
+      } => backups_folder.clone(),
+      Command::Database {
+        command: DatabaseCommand::Restore { backups_folder, .. },
+      } => backups_folder.clone(),
+      _ => None,
+    };
+    let (uri, address, username, password, db_name) =
+      match &args.command {
+        Command::Database {
+          command:
+            DatabaseCommand::Copy {
+              uri,
+              address,
+              username,
+              password,
+              db_name,
+              ..
+            },
+        } => (
+          uri.clone(),
+          address.clone(),
+          username.clone(),
+          password.clone(),
+          db_name.clone(),
+        ),
+        _ => (None, None, None, None, None),
+      };
+
+    let profile = args
+      .profile
+      .as_ref()
+      .or(init_parsed_config.default_profile.as_ref());
+
+    let unparsed_config = if let Some(profile) = profile
+      && !profile.is_empty()
+    {
+      // Find the profile config,
+      // then merge it with the Default config.
+      let serde_json::Value::Array(profiles) = unparsed_config
+        .remove("profile")
+        .context("Config has no profiles, but a profile is required")
+        .unwrap()
+      else {
+        panic!("`config.profile` is not array");
+      };
+      let Some(profile_config) = profiles.into_iter().find(|p| {
+        let Ok(parsed) =
+          serde_json::from_value::<CliConfig>(p.clone())
+        else {
+          return false;
+        };
+        &parsed.config_profile == profile
+          || parsed
+            .config_aliases
+            .iter()
+            .any(|alias| alias == profile)
+      }) else {
+        panic!("No profile matching '{profile}' was found.");
+      };
+      let serde_json::Value::Object(profile_config) = profile_config
+      else {
+        panic!("Profile config is not Object type.");
+      };
+      config::merge_config(
+        unparsed_config,
+        profile_config.clone(),
+        env.komodo_cli_merge_nested_config,
+        env.komodo_cli_extend_config_arrays,
+      )
+      .unwrap_or(profile_config)
+    } else {
+      unparsed_config
+    };
+    let config = serde_json::from_value::<CliConfig>(
+      serde_json::Value::Object(unparsed_config),
+    )
+    .context("Failed to parse final config")
+    .unwrap();
+    let config_profile = if config.config_profile.is_empty() {
+      String::from("None")
+    } else {
+      config.config_profile
+    };
+
+    CliConfig {
+      config_profile,
+      config_aliases: config.config_aliases,
+      default_profile: config.default_profile,
+      table_borders: env
+        .komodo_cli_table_borders
+        .or(config.table_borders),
+      host: host
+        .or(env.komodo_cli_host)
+        .or(env.komodo_host)
+        .unwrap_or(config.host),
+      cli_key: key.or(env.komodo_cli_key).or(config.cli_key),
+      cli_secret: secret
+        .or(env.komodo_cli_secret)
+        .or(config.cli_secret),
+      backups_folder: backups_folder
+        .or(env.komodo_cli_backups_folder)
+        .unwrap_or(config.backups_folder),
+      max_backups: env
+        .komodo_cli_max_backups
+        .unwrap_or(config.max_backups),
+      database_target: DatabaseConfig {
+        uri: uri
+          .or(env.komodo_cli_database_target_uri)
+          .unwrap_or(config.database_target.uri),
+        address: address
+          .or(env.komodo_cli_database_target_address)
+          .unwrap_or(config.database_target.address),
+        username: username
+          .or(env.komodo_cli_database_target_username)
+          .unwrap_or(config.database_target.username),
+        password: password
+          .or(env.komodo_cli_database_target_password)
+          .unwrap_or(config.database_target.password),
+        db_name: db_name
+          .or(env.komodo_cli_database_target_db_name)
+          .unwrap_or(config.database_target.db_name),
+        app_name: config.database_target.app_name,
+      },
+      database: DatabaseConfig {
+        uri: maybe_read_item_from_file(
+          env.komodo_database_uri_file,
+          env.komodo_database_uri,
+        )
+        .unwrap_or(config.database.uri),
+        address: env
+          .komodo_database_address
+          .unwrap_or(config.database.address),
+        username: maybe_read_item_from_file(
+          env.komodo_database_username_file,
+          env.komodo_database_username,
+        )
+        .unwrap_or(config.database.username),
+        password: maybe_read_item_from_file(
+          env.komodo_database_password_file,
+          env.komodo_database_password,
+        )
+        .unwrap_or(config.database.password),
+        db_name: env
+          .komodo_database_db_name
+          .unwrap_or(config.database.db_name),
+        app_name: config.database.app_name,
+      },
+      cli_logging: LogConfig {
+        level: env
+          .komodo_cli_logging_level
+          .unwrap_or(config.cli_logging.level),
+        stdio: env
+          .komodo_cli_logging_stdio
+          .unwrap_or(config.cli_logging.stdio),
+        pretty: env
+          .komodo_cli_logging_pretty
+          .unwrap_or(config.cli_logging.pretty),
+        location: false,
+        otlp_endpoint: env
+          .komodo_cli_logging_otlp_endpoint
+          .unwrap_or(config.cli_logging.otlp_endpoint),
+        opentelemetry_service_name: env
+          .komodo_cli_logging_opentelemetry_service_name
+          .unwrap_or(config.cli_logging.opentelemetry_service_name),
+      },
+      profile: config.profile,
+    }
+  })
+}

bin/cli/src/main.rs

@@ -0,0 +1,72 @@
+#[macro_use]
+extern crate tracing;
+
+use anyhow::Context;
+use komodo_client::entities::config::cli::args;
+
+use crate::config::cli_config;
+
+mod command;
+mod config;
+
+async fn app() -> anyhow::Result<()> {
+  dotenvy::dotenv().ok();
+  logger::init(&config::cli_config().cli_logging)?;
+  let args = config::cli_args();
+  let env = config::cli_env();
+  let debug_load =
+    args.debug_startup.unwrap_or(env.komodo_cli_debug_startup);
+
+  match &args.command {
+    args::Command::Config {
+      all_profiles,
+      unsanitized,
+    } => {
+      let mut config = if *unsanitized {
+        cli_config().clone()
+      } else {
+        cli_config().sanitized()
+      };
+      if !*all_profiles {
+        config.profile = Default::default();
+      }
+      if debug_load {
+        println!("\n{config:#?}");
+      } else {
+        println!(
+          "\nCLI Config {}",
+          serde_json::to_string_pretty(&config)
+            .context("Failed to serialize config for pretty print")?
+        );
+      }
+      Ok(())
+    }
+    args::Command::Container(container) => {
+      command::container::handle(container).await
+    }
+    args::Command::Inspect(inspect) => {
+      command::container::inspect_container(inspect).await
+    }
+    args::Command::List(list) => command::list::handle(list).await,
+    args::Command::Execute(args) => {
+      command::execute::handle(&args.execution, args.yes).await
+    }
+    args::Command::Update { command } => {
+      command::update::handle(command).await
+    }
+    args::Command::Database { command } => {
+      command::database::handle(command).await
+    }
+  }
+}
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+  let mut term_signal = tokio::signal::unix::signal(
+    tokio::signal::unix::SignalKind::terminate(),
+  )?;
+  tokio::select! {
+    res = tokio::spawn(app()) => res?,
+    _ = term_signal.recv() => Ok(()),
+  }
+}

bin/core/Cargo.toml

@@ -0,0 +1,83 @@
+[package]
+name = "komodo_core"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+
+[[bin]]
+name = "core"
+path = "src/main.rs"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+# local
+komodo_client = { workspace = true, features = ["mongo"] }
+periphery_client.workspace = true
+environment_file.workspace = true
+interpolate.workspace = true
+formatting.workspace = true
+database.workspace = true
+response.workspace = true
+command.workspace = true
+config.workspace = true
+logger.workspace = true
+cache.workspace = true
+git.workspace = true
+# mogh
+serror = { workspace = true, features = ["axum"] }
+async_timing_util.workspace = true
+partial_derive2.workspace = true
+derive_variants.workspace = true
+resolver_api.workspace = true
+toml_pretty.workspace = true
+slack.workspace = true
+svi.workspace = true
+# external
+aws-credential-types.workspace = true
+tokio-tungstenite.workspace = true
+english-to-cron.workspace = true
+openidconnect.workspace = true
+jsonwebtoken.workspace = true
+axum-server.workspace = true
+urlencoding.workspace = true
+aws-sdk-ec2.workspace = true
+aws-config.workspace = true
+tokio-util.workspace = true
+axum-extra.workspace = true
+tower-http.workspace = true
+serde_json.workspace = true
+serde_yaml_ng.workspace = true
+typeshare.workspace = true
+chrono-tz.workspace = true
+indexmap.workspace = true
+octorust.workspace = true
+wildcard.workspace = true
+arc-swap.workspace = true
+colored.workspace = true
+dashmap.workspace = true
+tracing.workspace = true
+reqwest.workspace = true
+futures.workspace = true
+nom_pem.workspace = true
+dotenvy.workspace = true
+anyhow.workspace = true
+croner.workspace = true
+chrono.workspace = true
+bcrypt.workspace = true
+base64.workspace = true
+rustls.workspace = true
+tokio.workspace = true
+serde.workspace = true
+regex.workspace = true
+axum.workspace = true
+toml.workspace = true
+uuid.workspace = true
+envy.workspace = true
+rand.workspace = true
+hmac.workspace = true
+sha2.workspace = true
+hex.workspace = true

bin/core/aio.Dockerfile

@@ -0,0 +1,61 @@
+## All in one, multi stage compile + runtime Docker build for your architecture.
+
+# Build Core
+FROM rust:1.89.0-bullseye AS core-builder
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/core ./bin/core
+COPY ./bin/cli ./bin/cli
+
+# Compile app
+RUN cargo build -p komodo_core --release && \
+  cargo build -p komodo_cli --release
+
+# Build Frontend
+FROM node:20.12-alpine AS frontend-builder
+WORKDIR /builder
+COPY ./frontend ./frontend
+COPY ./client/core/ts ./client
+RUN cd client && yarn && yarn build && yarn link
+RUN cd frontend && yarn link komodo_client && yarn && yarn build
+
+# Final Image
+FROM debian:bullseye-slim
+
+COPY ./bin/core/starship.toml /starship.toml
+COPY ./bin/core/debian-deps.sh .
+RUN sh ./debian-deps.sh && rm ./debian-deps.sh
+
+# Setup an application directory
+WORKDIR /app
+
+# Copy
+COPY ./config/core.config.toml /config/.default.config.toml
+COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=core-builder /builder/target/release/core /usr/local/bin/core
+COPY --from=core-builder /builder/target/release/km /usr/local/bin/km
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+  cd /action-cache && \
+  deno install jsr:@std/yaml jsr:@std/toml
+
+# Hint at the port
+EXPOSE 9120
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
+
+CMD [ "core" ]
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/core/debian-deps.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+## Core deps installer
+
+apt-get update
+apt-get install -y git curl ca-certificates iproute2
+
+rm -rf /var/lib/apt/lists/*
+
+# Starship prompt
+curl -sS https://starship.rs/install.sh | sh -s -- --yes --bin-dir /usr/local/bin
+echo 'export STARSHIP_CONFIG=/starship.toml' >> /root/.bashrc
+echo 'eval "$(starship init bash)"' >> /root/.bashrc
+

bin/core/multi-arch.Dockerfile

@@ -0,0 +1,59 @@
+## Assumes the latest binaries for x86_64 and aarch64 are already built (by binaries.Dockerfile).
+## Sets up the necessary runtime container dependencies for Komodo Core.
+## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+ARG FRONTEND_IMAGE=ghcr.io/moghtech/komodo-frontend:latest
+ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
+ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64
+
+# This is required to work with COPY --from
+FROM ${X86_64_BINARIES} AS x86_64
+FROM ${AARCH64_BINARIES} AS aarch64
+FROM ${FRONTEND_IMAGE} AS frontend
+
+# Final Image
+FROM debian:bullseye-slim
+
+COPY ./bin/core/starship.toml /starship.toml
+COPY ./bin/core/debian-deps.sh .
+RUN sh ./debian-deps.sh && rm ./debian-deps.sh
+
+WORKDIR /app
+
+ARG TARGETPLATFORM
+
+# Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
+COPY --from=x86_64 /core /app/core/linux/amd64
+COPY --from=aarch64 /core /app/core/linux/arm64
+RUN mv /app/core/${TARGETPLATFORM} /usr/local/bin/core && rm -r /app/core
+
+# Same for util
+COPY --from=x86_64 /km /app/km/linux/amd64
+COPY --from=aarch64 /km /app/km/linux/arm64
+RUN mv /app/km/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/km
+
+# Copy default config / static frontend / deno binary
+COPY ./config/core.config.toml /config/.default.config.toml
+COPY --from=frontend /frontend /app/frontend
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+  cd /action-cache && \
+  deno install jsr:@std/yaml jsr:@std/toml
+
+# Hint at the port
+EXPOSE 9120
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
+
+CMD [ "core" ]
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/core/single-arch.Dockerfile

@@ -0,0 +1,48 @@
+## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).
+## Sets up the necessary runtime container dependencies for Komodo Core.
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+
+# This is required to work with COPY --from
+FROM ${BINARIES_IMAGE} AS binaries
+
+# Build Frontend
+FROM node:20.12-alpine AS frontend-builder
+WORKDIR /builder
+COPY ./frontend ./frontend
+COPY ./client/core/ts ./client
+RUN cd client && yarn && yarn build && yarn link
+RUN cd frontend && yarn link komodo_client && yarn && yarn build
+
+FROM debian:bullseye-slim
+
+COPY ./bin/core/starship.toml /starship.toml
+COPY ./bin/core/debian-deps.sh .
+RUN sh ./debian-deps.sh && rm ./debian-deps.sh
+	
+# Copy
+COPY ./config/core.config.toml /config/.default.config.toml
+COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=binaries /core /usr/local/bin/core
+COPY --from=binaries /km /usr/local/bin/km
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+	cd /action-cache && \
+	deno install jsr:@std/yaml jsr:@std/toml
+
+# Hint at the port
+EXPOSE 9120
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
+
+CMD [ "core" ]
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/core/src/alert/discord.rs

@@ -0,0 +1,306 @@
+use std::sync::OnceLock;
+
+use serde::Serialize;
+
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let level = fmt_level(alert.level);
+  let content = match &alert.data {
+    AlertData::Test { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Alerter, id);
+      format!(
+        "{level} | If you see this message, then Alerter **{name}** is **working**\n{link}"
+      )
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | **{name}**{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | **{name}**{region} | Version mismatch detected ⚠️\nPeriphery: **{server_version}** | Core: **{core_version}**\n{link}"
+          )
+        }
+      }
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | **{name}**{region} is now **reachable**\n{link}"
+          )
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\n**error**: {e:#?}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | **{name}**{region} is **unreachable** ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      format!(
+        "{level} | **{name}**{region} cpu usage at **{percentage:.1}%**\n{link}"
+      )
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | **{name}**{region} memory usage at **{percentage:.1}%** 💾\n\nUsing **{used_gb:.1} GiB** / **{total_gb:.1} GiB**\n{link}"
+      )
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | **{name}**{region} disk usage at **{percentage:.1}%** 💿\nmount point: `{path:?}`\nusing **{used_gb:.1} GiB** / **{total_gb:.1} GiB**\n{link}"
+      )
+    }
+    AlertData::ContainerStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let to = fmt_docker_container_state(to);
+      format!(
+        "📦 Deployment **{name}** is now **{to}**\nserver: **{server_name}**\nprevious: **{from}**\n{link}"
+      )
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment **{name}** has an update available\nserver: **{server_name}**\nimage: **{image}**\n{link}"
+      )
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment **{name}** was updated automatically ⏫\nserver: **{server_name}**\nimage: **{image}**\n{link}"
+      )
+    }
+    AlertData::StackStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let to = fmt_stack_state(to);
+      format!(
+        "🥞 Stack **{name}** is now {to}\nserver: **{server_name}**\nprevious: **{from}**\n{link}"
+      )
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      format!(
+        "⬆ Stack **{name}** has an update available\nserver: **{server_name}**\nservice: **{service}**\nimage: **{image}**\n{link}"
+      )
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images = images.join(", ");
+      format!(
+        "⬆ Stack **{name}** was updated automatically ⏫\nserver: **{server_name}**\n{images_label}: **{images}**\n{link}"
+      )
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      format!(
+        "{level} | Failed to terminated AWS builder instance\ninstance id: **{instance_id}**\n{message}"
+      )
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let link =
+        resource_link(ResourceTargetVariant::ResourceSync, id);
+      format!(
+        "{level} | Pending resource sync updates on **{name}**\n{link}"
+      )
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let link = resource_link(ResourceTargetVariant::Build, id);
+      format!(
+        "{level} | Build **{name}** failed\nversion: **v{version}**\n{link}"
+      )
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Repo, id);
+      format!("{level} | Repo build for **{name}** failed\n{link}")
+    }
+    AlertData::ProcedureFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Procedure, id);
+      format!("{level} | Procedure **{name}** failed\n{link}")
+    }
+    AlertData::ActionFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Action, id);
+      format!("{level} | Action **{name}** failed\n{link}")
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let link = resource_link(*resource_type, id);
+      format!(
+        "{level} | **{name}** ({resource_type}) | Scheduled run started 🕝\n{link}"
+      )
+    }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          format_args!("")
+        } else {
+          format_args!("\n{details}")
+        }
+      )
+    }
+    AlertData::None {} => Default::default(),
+  };
+  if !content.is_empty() {
+    let VariablesAndSecrets { variables, secrets } =
+      get_variables_and_secrets().await?;
+    let mut url_interpolated = url.to_string();
+
+    let mut interpolator =
+      Interpolator::new(Some(&variables), &secrets);
+
+    interpolator.interpolate_string(&mut url_interpolated)?;
+
+    send_message(&url_interpolated, &content)
+      .await
+      .map_err(|e| {
+        let replacers = interpolator
+          .secret_replacers
+          .into_iter()
+          .collect::<Vec<_>>();
+        let sanitized_error =
+          svi::replace_in_string(&format!("{e:?}"), &replacers);
+        anyhow::Error::msg(format!(
+          "Error with slack request: {sanitized_error}"
+        ))
+      })?;
+  }
+  Ok(())
+}
+
+async fn send_message(
+  url: &str,
+  content: &str,
+) -> anyhow::Result<()> {
+  let body = DiscordMessageBody { content };
+
+  let response = http_client()
+    .post(url)
+    .json(&body)
+    .send()
+    .await
+    .context("Failed to send message")?;
+
+  let status = response.status();
+
+  if status.is_success() {
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!("Failed to send message to Discord | {status} | failed to get response text")
+    })?;
+    Err(anyhow::anyhow!(
+      "Failed to send message to Discord | {status} | {text}"
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}
+
+#[derive(Serialize)]
+struct DiscordMessageBody<'a> {
+  content: &'a str,
+}

bin/core/src/alert/mod.rs

@@ -0,0 +1,488 @@
+use ::slack::types::Block;
+use anyhow::{Context, anyhow};
+use database::mungos::{find::find_collect, mongodb::bson::doc};
+use derive_variants::ExtractVariant;
+use futures::future::join_all;
+use interpolate::Interpolator;
+use komodo_client::entities::{
+  ResourceTargetVariant,
+  alert::{Alert, AlertData, AlertDataVariant, SeverityLevel},
+  alerter::*,
+  deployment::DeploymentState,
+  komodo_timestamp,
+  stack::StackState,
+};
+use tracing::Instrument;
+
+use crate::helpers::query::get_variables_and_secrets;
+use crate::helpers::{
+  maintenance::is_in_maintenance, query::VariablesAndSecrets,
+};
+use crate::{config::core_config, state::db_client};
+
+mod discord;
+mod ntfy;
+mod pushover;
+mod slack;
+
+#[instrument(level = "debug")]
+pub async fn send_alerts(alerts: &[Alert]) {
+  if alerts.is_empty() {
+    return;
+  }
+
+  let span =
+    info_span!("send_alerts", alerts = format!("{alerts:?}"));
+  async {
+    let Ok(alerters) = find_collect(
+      &db_client().alerters,
+      doc! { "config.enabled": true },
+      None,
+    )
+    .await
+    .inspect_err(|e| {
+      error!(
+      "ERROR sending alerts | failed to get alerters from db | {e:#}"
+    )
+    }) else {
+      return;
+    };
+
+    let handles = alerts
+      .iter()
+      .map(|alert| send_alert_to_alerters(&alerters, alert));
+
+    join_all(handles).await;
+  }
+  .instrument(span)
+  .await
+}
+
+#[instrument(level = "debug")]
+async fn send_alert_to_alerters(alerters: &[Alerter], alert: &Alert) {
+  if alerters.is_empty() {
+    return;
+  }
+
+  let handles = alerters
+    .iter()
+    .map(|alerter| send_alert_to_alerter(alerter, alert));
+
+  join_all(handles)
+    .await
+    .into_iter()
+    .filter_map(|res| res.err())
+    .for_each(|e| error!("{e:#}"));
+}
+
+pub async fn send_alert_to_alerter(
+  alerter: &Alerter,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  // Don't send if not enabled
+  if !alerter.config.enabled {
+    return Ok(());
+  }
+
+  if is_in_maintenance(
+    &alerter.config.maintenance_windows,
+    komodo_timestamp(),
+  ) {
+    return Ok(());
+  }
+
+  let alert_type = alert.data.extract_variant();
+
+  // In the test case, we don't want the filters inside this
+  // block to stop the test from being sent to the alerting endpoint.
+  if alert_type != AlertDataVariant::Test {
+    // Don't send if alert type not configured on the alerter
+    if !alerter.config.alert_types.is_empty()
+      && !alerter.config.alert_types.contains(&alert_type)
+    {
+      return Ok(());
+    }
+
+    // Don't send if resource is in the blacklist
+    if alerter.config.except_resources.contains(&alert.target) {
+      return Ok(());
+    }
+
+    // Don't send if whitelist configured and target is not included
+    if !alerter.config.resources.is_empty()
+      && !alerter.config.resources.contains(&alert.target)
+    {
+      return Ok(());
+    }
+  }
+
+  match &alerter.config.endpoint {
+    AlerterEndpoint::Custom(CustomAlerterEndpoint { url }) => {
+      send_custom_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Custom Alerter {}",
+          alerter.name
+        )
+      })
+    }
+    AlerterEndpoint::Slack(SlackAlerterEndpoint { url }) => {
+      slack::send_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Slack Alerter {}",
+          alerter.name
+        )
+      })
+    }
+    AlerterEndpoint::Discord(DiscordAlerterEndpoint { url }) => {
+      discord::send_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Discord Alerter {}",
+          alerter.name
+        )
+      })
+    }
+    AlerterEndpoint::Ntfy(NtfyAlerterEndpoint { url, email }) => {
+      ntfy::send_alert(url, email.as_deref(), alert)
+        .await
+        .with_context(|| {
+          format!(
+            "Failed to send alert to ntfy Alerter {}",
+            alerter.name
+          )
+        })
+    }
+    AlerterEndpoint::Pushover(PushoverAlerterEndpoint { url }) => {
+      pushover::send_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Pushover Alerter {}",
+          alerter.name
+        )
+      })
+    }
+  }
+}
+
+#[instrument(level = "debug")]
+async fn send_custom_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  let res = reqwest::Client::new()
+    .post(url_interpolated)
+    .json(alert)
+    .send()
+    .await
+    .map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with request: {sanitized_error}"
+      ))
+    })
+    .context("failed at post request to alerter")?;
+  let status = res.status();
+  if !status.is_success() {
+    let text = res
+      .text()
+      .await
+      .context("failed to get response text on alerter response")?;
+    return Err(anyhow!(
+      "post to alerter failed | {status} | {text}"
+    ));
+  }
+  Ok(())
+}
+
+fn fmt_region(region: &Option<String>) -> String {
+  match region {
+    Some(region) => format!(" ({region})"),
+    None => String::new(),
+  }
+}
+
+fn fmt_docker_container_state(state: &DeploymentState) -> String {
+  match state {
+    DeploymentState::Running => String::from("Running ▶️"),
+    DeploymentState::Exited => String::from("Exited 🛑"),
+    DeploymentState::Restarting => String::from("Restarting 🔄"),
+    DeploymentState::NotDeployed => String::from("Not Deployed"),
+    _ => state.to_string(),
+  }
+}
+
+fn fmt_stack_state(state: &StackState) -> String {
+  match state {
+    StackState::Running => String::from("Running ▶️"),
+    StackState::Stopped => String::from("Stopped 🛑"),
+    StackState::Restarting => String::from("Restarting 🔄"),
+    StackState::Down => String::from("Down ⬇️"),
+    _ => state.to_string(),
+  }
+}
+
+fn fmt_level(level: SeverityLevel) -> &'static str {
+  match level {
+    SeverityLevel::Critical => "CRITICAL 🚨",
+    SeverityLevel::Warning => "WARNING ‼️",
+    SeverityLevel::Ok => "OK ✅",
+  }
+}
+
+fn resource_link(
+  resource_type: ResourceTargetVariant,
+  id: &str,
+) -> String {
+  komodo_client::entities::resource_link(
+    &core_config().host,
+    resource_type,
+    id,
+  )
+}
+
+/// Standard message content format
+/// used by Ntfy, Pushover.
+fn standard_alert_content(alert: &Alert) -> String {
+  let level = fmt_level(alert.level);
+  match &alert.data {
+    AlertData::Test { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Alerter, id);
+      format!(
+        "{level} | If you see this message, then Alerter {name} is working\n{link}",
+      )
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | {name}{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | {name}{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}\n{link}"
+          )
+        }
+      }
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | {name}{region} is now reachable\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e:#?}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | {name}{region} is unreachable ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      format!(
+        "{level} | {name}{region} cpu usage at {percentage:.1}%\n{link}",
+      )
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} disk usage at {percentage:.1}%💿\nmount point: {path:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ContainerStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let to_state = fmt_docker_container_state(to);
+      format!(
+        "📦Deployment {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment {name} has an update available\nserver: {server_name}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment {name} was updated automatically\nserver: {server_name}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let to_state = fmt_stack_state(to);
+      format!(
+        "🥞 Stack {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      format!(
+        "⬆ Stack {name} has an update available\nserver: {server_name}\nservice: {service}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images_str = images.join(", ");
+      format!(
+        "⬆ Stack {name} was updated automatically ⏫\nserver: {server_name}\n{images_label}: {images_str}\n{link}",
+      )
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      format!(
+        "{level} | Failed to terminate AWS builder instance\ninstance id: {instance_id}\n{message}",
+      )
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let link =
+        resource_link(ResourceTargetVariant::ResourceSync, id);
+      format!(
+        "{level} | Pending resource sync updates on {name}\n{link}",
+      )
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let link = resource_link(ResourceTargetVariant::Build, id);
+      format!(
+        "{level} | Build {name} failed\nversion: v{version}\n{link}",
+      )
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Repo, id);
+      format!("{level} | Repo build for {name} failed\n{link}",)
+    }
+    AlertData::ProcedureFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Procedure, id);
+      format!("{level} | Procedure {name} failed\n{link}")
+    }
+    AlertData::ActionFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Action, id);
+      format!("{level} | Action {name} failed\n{link}")
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let link = resource_link(*resource_type, id);
+      format!(
+        "{level} | {name} ({resource_type}) | Scheduled run started 🕝\n{link}"
+      )
+    }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          format_args!("")
+        } else {
+          format_args!("\n{details}")
+        }
+      )
+    }
+    AlertData::None {} => Default::default(),
+  }
+}

bin/core/src/alert/ntfy.rs

@@ -0,0 +1,56 @@
+use std::sync::OnceLock;
+
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  email: Option<&str>,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let content = standard_alert_content(alert);
+  if !content.is_empty() {
+    send_message(url, email, content).await?;
+  }
+  Ok(())
+}
+
+async fn send_message(
+  url: &str,
+  email: Option<&str>,
+  content: String,
+) -> anyhow::Result<()> {
+  let mut request = http_client()
+    .post(url)
+    .header("Title", "ntfy Alert")
+    .body(content);
+
+  if let Some(email) = email {
+    request = request.header("X-Email", email);
+  }
+
+  let response =
+    request.send().await.context("Failed to send message")?;
+
+  let status = response.status();
+  if status.is_success() {
+    debug!("ntfy alert sent successfully: {}", status);
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!(
+        "Failed to send message to ntfy | {status} | failed to get response text"
+      )
+    })?;
+    Err(anyhow!(
+      "Failed to send message to ntfy | {} | {}",
+      status,
+      text
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}

bin/core/src/alert/pushover.rs

@@ -0,0 +1,55 @@
+use std::sync::OnceLock;
+
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let content = standard_alert_content(alert);
+  if !content.is_empty() {
+    send_message(url, content).await?;
+  }
+  Ok(())
+}
+
+async fn send_message(
+  url: &str,
+  content: String,
+) -> anyhow::Result<()> {
+  // pushover needs all information to be encoded in the URL. At minimum they need
+  // the user key, the application token, and the message (url encoded).
+  // other optional params here: https://pushover.net/api (just add them to the
+  // webhook url along with the application token and the user key).
+  let content = [("message", content)];
+
+  let response = http_client()
+    .post(url)
+    .form(&content)
+    .send()
+    .await
+    .context("Failed to send message")?;
+
+  let status = response.status();
+  if status.is_success() {
+    debug!("pushover alert sent successfully: {}", status);
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!(
+        "Failed to send message to pushover | {status} | failed to get response text"
+      )
+    })?;
+    Err(anyhow!(
+      "Failed to send message to pushover | {} | {}",
+      status,
+      text
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}

bin/core/src/alert/slack.rs

@@ -0,0 +1,493 @@
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let level = fmt_level(alert.level);
+  let (text, blocks): (_, Option<_>) = match &alert.data {
+    AlertData::Test { id, name } => {
+      let text = format!(
+        "{level} | If you see this message, then Alerter *{name}* is *working*"
+      );
+      let blocks = vec![
+        Block::header(level),
+        Block::section(format!(
+          "If you see this message, then Alerter *{name}* is *working*"
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Alerter,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let text = match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | *{name}*{region} | Periphery version now matches Core version ✅"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | *{name}*{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}"
+          )
+        }
+      };
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Server,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text =
+            format!("{level} | *{name}*{region} is now *reachable*");
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} is now *reachable*"
+            )),
+          ];
+          (text, blocks.into())
+        }
+        SeverityLevel::Critical => {
+          let text =
+            format!("{level} | *{name}*{region} is *unreachable* ❌");
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e:#?}"))
+            .unwrap_or_default();
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} is *unreachable* ❌{err}"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text = format!(
+            "{level} | *{name}*{region} cpu usage at *{percentage:.1}%*"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} cpu usage at *{percentage:.1}%*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => {
+          let text = format!(
+            "{level} | *{name}*{region} cpu usage at *{percentage:.1}%* 📈"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} cpu usage at *{percentage:.1}%* 📈"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+      }
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let percentage = 100.0 * used_gb / total_gb;
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text = format!(
+            "{level} | *{name}*{region} memory usage at *{percentage:.1}%* 💾"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} memory usage at *{percentage:.1}%* 💾"
+            )),
+            Block::section(format!(
+              "using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => {
+          let text = format!(
+            "{level} | *{name}*{region} memory usage at *{percentage:.1}%* 💾"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} memory usage at *{percentage:.1}%* 💾"
+            )),
+            Block::section(format!(
+              "using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+      }
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let percentage = 100.0 * used_gb / total_gb;
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text = format!(
+            "{level} | *{name}*{region} disk usage at *{percentage:.1}%* | mount point: *{path:?}* 💿"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} disk usage at *{percentage:.1}%* 💿"
+            )),
+            Block::section(format!(
+              "mount point: {path:?} | using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => {
+          let text = format!(
+            "{level} | *{name}*{region} disk usage at *{percentage:.1}%* | mount point: *{path:?}* 💿"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} disk usage at *{percentage:.1}%* 💿"
+            )),
+            Block::section(format!(
+              "mount point: {path:?} | using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+      }
+    }
+    AlertData::ContainerStateChange {
+      name,
+      server_name,
+      from,
+      to,
+      id,
+      ..
+    } => {
+      let to = fmt_docker_container_state(to);
+      let text = format!("📦 Container *{name}* is now *{to}*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: {server_name}\nprevious: {from}",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      image,
+    } => {
+      let text =
+        format!("⬆ Deployment *{name}* has an update available");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nimage: *{image}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      image,
+    } => {
+      let text =
+        format!("⬆ Deployment *{name}* was updated automatically ⏫");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nimage: *{image}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::StackStateChange {
+      name,
+      server_name,
+      from,
+      to,
+      id,
+      ..
+    } => {
+      let to = fmt_stack_state(to);
+      let text = format!("🥞 Stack *{name}* is now *{to}*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nprevious: *{from}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      service,
+      image,
+    } => {
+      let text = format!("⬆ Stack *{name}* has an update available");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nservice: *{service}*\nimage: *{image}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      images,
+    } => {
+      let text =
+        format!("⬆ Stack *{name}* was updated automatically ⏫");
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images = images.join(", ");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\n{images_label}: *{images}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      let text = format!(
+        "{level} | Failed to terminated AWS builder instance "
+      );
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "instance id: *{instance_id}*\n{message}"
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let text = format!(
+        "{level} | Pending resource sync updates on *{name}*"
+      );
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "sync id: *{id}*\nsync name: *{name}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::ResourceSync,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let text = format!("{level} | Build {name} has failed");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!("version: *v{version}*",)),
+        Block::section(resource_link(
+          ResourceTargetVariant::Build,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let text =
+        format!("{level} | Repo build for *{name}* has *failed*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Repo,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ProcedureFailed { id, name } => {
+      let text = format!("{level} | Procedure *{name}* has *failed*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Procedure,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ActionFailed { id, name } => {
+      let text = format!("{level} | Action *{name}* has *failed*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Action,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let text = format!(
+        "{level} | *{name}* ({resource_type}) | Scheduled run started 🕝"
+      );
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(*resource_type, id)),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::Custom { message, details } => {
+      let text = format!("{level} | {message}");
+      let blocks =
+        vec![Block::header(text.clone()), Block::section(details)];
+      (text, blocks.into())
+    }
+    AlertData::None {} => Default::default(),
+  };
+  if !text.is_empty() {
+    let VariablesAndSecrets { variables, secrets } =
+      get_variables_and_secrets().await?;
+    let mut url_interpolated = url.to_string();
+
+    let mut interpolator =
+      Interpolator::new(Some(&variables), &secrets);
+
+    interpolator.interpolate_string(&mut url_interpolated)?;
+
+    let slack = ::slack::Client::new(url_interpolated);
+    slack.send_message(text, blocks).await.map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with slack request: {sanitized_error}"
+      ))
+    })?;
+  }
+  Ok(())
+}

bin/core/src/api/auth.rs

@@ -0,0 +1,158 @@
+use std::{sync::OnceLock, time::Instant};
+
+use axum::{Router, extract::Path, http::HeaderMap, routing::post};
+use derive_variants::{EnumVariants, ExtractVariant};
+use komodo_client::{api::auth::*, entities::user::User};
+use resolver_api::Resolve;
+use response::Response;
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use serror::Json;
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{
+  auth::{
+    get_user_id_from_headers,
+    github::{self, client::github_oauth_client},
+    google::{self, client::google_oauth_client},
+    oidc::{self, client::oidc_client},
+  },
+  config::core_config,
+  helpers::query::get_user,
+  state::jwt_client,
+};
+
+use super::Variant;
+
+#[derive(Default)]
+pub struct AuthArgs {
+  pub headers: HeaderMap,
+}
+
+#[typeshare]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+)]
+#[args(AuthArgs)]
+#[response(Response)]
+#[error(serror::Error)]
+#[variant_derive(Debug)]
+#[serde(tag = "type", content = "params")]
+#[allow(clippy::enum_variant_names, clippy::large_enum_variant)]
+pub enum AuthRequest {
+  GetLoginOptions(GetLoginOptions),
+  SignUpLocalUser(SignUpLocalUser),
+  LoginLocalUser(LoginLocalUser),
+  ExchangeForJwt(ExchangeForJwt),
+  GetUser(GetUser),
+}
+
+pub fn router() -> Router {
+  let mut router = Router::new()
+    .route("/", post(handler))
+    .route("/{variant}", post(variant_handler));
+
+  if core_config().local_auth {
+    info!("🔑 Local Login Enabled");
+  }
+
+  if github_oauth_client().is_some() {
+    info!("🔑 Github Login Enabled");
+    router = router.nest("/github", github::router())
+  }
+
+  if google_oauth_client().is_some() {
+    info!("🔑 Google Login Enabled");
+    router = router.nest("/google", google::router())
+  }
+
+  if core_config().oidc_enabled {
+    info!("🔑 OIDC Login Enabled");
+    router = router.nest("/oidc", oidc::router())
+  }
+
+  router
+}
+
+async fn variant_handler(
+  headers: HeaderMap,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<axum::response::Response> {
+  let req: AuthRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(headers, Json(req)).await
+}
+
+#[instrument(name = "AuthHandler", level = "debug", skip(headers))]
+async fn handler(
+  headers: HeaderMap,
+  Json(request): Json<AuthRequest>,
+) -> serror::Result<axum::response::Response> {
+  let timer = Instant::now();
+  let req_id = Uuid::new_v4();
+  debug!(
+    "/auth request {req_id} | METHOD: {:?}",
+    request.extract_variant()
+  );
+  let res = request.resolve(&AuthArgs { headers }).await;
+  if let Err(e) = &res {
+    debug!("/auth request {req_id} | error: {:#}", e.error);
+  }
+  let elapsed = timer.elapsed();
+  debug!("/auth request {req_id} | resolve time: {elapsed:?}");
+  res.map(|res| res.0)
+}
+
+fn login_options_reponse() -> &'static GetLoginOptionsResponse {
+  static GET_LOGIN_OPTIONS_RESPONSE: OnceLock<
+    GetLoginOptionsResponse,
+  > = OnceLock::new();
+  GET_LOGIN_OPTIONS_RESPONSE.get_or_init(|| {
+    let config = core_config();
+    GetLoginOptionsResponse {
+      local: config.local_auth,
+      github: github_oauth_client().is_some(),
+      google: google_oauth_client().is_some(),
+      oidc: oidc_client().load().is_some(),
+      registration_disabled: config.disable_user_registration,
+    }
+  })
+}
+
+impl Resolve<AuthArgs> for GetLoginOptions {
+  #[instrument(name = "GetLoginOptions", level = "debug", skip(self))]
+  async fn resolve(
+    self,
+    _: &AuthArgs,
+  ) -> serror::Result<GetLoginOptionsResponse> {
+    Ok(*login_options_reponse())
+  }
+}
+
+impl Resolve<AuthArgs> for ExchangeForJwt {
+  #[instrument(name = "ExchangeForJwt", level = "debug", skip(self))]
+  async fn resolve(
+    self,
+    _: &AuthArgs,
+  ) -> serror::Result<ExchangeForJwtResponse> {
+    jwt_client()
+      .redeem_exchange_token(&self.token)
+      .await
+      .map_err(Into::into)
+  }
+}
+
+impl Resolve<AuthArgs> for GetUser {
+  #[instrument(name = "GetUser", level = "debug", skip(self))]
+  async fn resolve(
+    self,
+    AuthArgs { headers }: &AuthArgs,
+  ) -> serror::Result<User> {
+    let user_id = get_user_id_from_headers(headers).await?;
+    Ok(get_user(&user_id).await?)
+  }
+}

bin/core/src/api/execute/action.rs

@@ -0,0 +1,423 @@
+use std::{
+  collections::HashSet,
+  path::{Path, PathBuf},
+  str::FromStr,
+  sync::OnceLock,
+};
+
+use anyhow::Context;
+use command::run_komodo_command;
+use config::merge_objects;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
+use interpolate::Interpolator;
+use komodo_client::{
+  api::{
+    execute::{BatchExecutionResponse, BatchRunAction, RunAction},
+    user::{CreateApiKey, CreateApiKeyResponse, DeleteApiKey},
+  },
+  entities::{
+    FileFormat, JsonObject,
+    action::Action,
+    alert::{Alert, AlertData, SeverityLevel},
+    config::core::CoreConfig,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    update::Update,
+    user::action_user,
+  },
+  parsers::parse_key_value_list,
+};
+use resolver_api::Resolve;
+use tokio::fs;
+
+use crate::{
+  alert::send_alerts,
+  api::{execute::ExecuteRequest, user::UserArgs},
+  config::core_config,
+  helpers::{
+    query::{VariablesAndSecrets, get_variables_and_secrets},
+    random_string,
+    update::update_update,
+  },
+  permission::get_check_permissions,
+  resource::refresh_action_state_cache,
+  state::{action_states, db_client},
+};
+
+use super::ExecuteArgs;
+
+impl super::BatchExecute for BatchRunAction {
+  type Resource = Action;
+  fn single_request(action: String) -> ExecuteRequest {
+    ExecuteRequest::RunAction(RunAction {
+      action,
+      args: Default::default(),
+    })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchRunAction {
+  #[instrument(name = "BatchRunAction", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchRunAction>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for RunAction {
+  #[instrument(name = "RunAction", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let mut action = get_check_permissions::<Action>(
+      &self.action,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    // get the action state for the action (or insert default).
+    let action_state = action_states()
+      .action
+      .get_or_insert_default(&action.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure action not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.running = true)?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let default_args = parse_action_arguments(
+      &action.config.arguments,
+      action.config.arguments_format,
+    )
+    .context("Failed to parse default Action arguments")?;
+
+    let args = merge_objects(
+      default_args,
+      self.args.unwrap_or_default(),
+      true,
+      true,
+    )
+    .context("Failed to merge request args with default args")?;
+
+    let args = serde_json::to_string(&args)
+      .context("Failed to serialize action run arguments")?;
+
+    let CreateApiKeyResponse { key, secret } = CreateApiKey {
+      name: update.id.clone(),
+      expires: 0,
+    }
+    .resolve(&UserArgs {
+      user: action_user().to_owned(),
+    })
+    .await?;
+
+    let contents = &mut action.config.file_contents;
+
+    // Wrap the file contents in the execution context.
+    *contents = full_contents(contents, &args, &key, &secret);
+
+    let replacers =
+      interpolate(contents, &mut update, key.clone(), secret.clone())
+        .await?
+        .into_iter()
+        .collect::<Vec<_>>();
+
+    let file = format!("{}.ts", random_string(10));
+    let path = core_config().action_directory.join(&file);
+
+    if let Some(parent) = path.parent() {
+      fs::create_dir_all(parent)
+        .await
+        .with_context(|| format!("Failed to initialize Action file parent directory {parent:?}"))?;
+    }
+
+    fs::write(&path, contents).await.with_context(|| {
+      format!("Failed to write action file to {path:?}")
+    })?;
+
+    let CoreConfig { ssl_enabled, .. } = core_config();
+
+    let https_cert_flag = if *ssl_enabled {
+      " --unsafely-ignore-certificate-errors=localhost"
+    } else {
+      ""
+    };
+
+    let reload = if action.config.reload_deno_deps {
+      " --reload"
+    } else {
+      ""
+    };
+
+    let mut res = run_komodo_command(
+      // Keep this stage name as is, the UI will find the latest update log by matching the stage name
+      "Execute Action",
+      None,
+      format!(
+        "deno run --allow-all{https_cert_flag}{reload} {}",
+        path.display()
+      ),
+    )
+    .await;
+
+    res.stdout = svi::replace_in_string(&res.stdout, &replacers)
+      .replace(&key, "<ACTION_API_KEY>");
+    res.stderr = svi::replace_in_string(&res.stderr, &replacers)
+      .replace(&secret, "<ACTION_API_SECRET>");
+
+    cleanup_run(file + ".js", &path).await;
+
+    if let Err(e) = (DeleteApiKey { key })
+      .resolve(&UserArgs {
+        user: action_user().to_owned(),
+      })
+      .await
+    {
+      warn!(
+        "Failed to delete API key after action execution | {:#}",
+        e.error
+      );
+    };
+
+    update.logs.push(res);
+    update.finalize();
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with update_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db_client().updates,
+        &update.id,
+        database::mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_action_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    if !update.success && action.config.failure_alert {
+      warn!("action unsuccessful, alerting...");
+      let target = update.target.clone();
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: komodo_timestamp(),
+          resolved_ts: Some(komodo_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::ActionFailed {
+            id: action.id,
+            name: action.name,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
+    Ok(update)
+  }
+}
+
+async fn interpolate(
+  contents: &mut String,
+  update: &mut Update,
+  key: String,
+  secret: String,
+) -> serror::Result<HashSet<(String, String)>> {
+  let VariablesAndSecrets {
+    variables,
+    mut secrets,
+  } = get_variables_and_secrets().await?;
+
+  secrets.insert(String::from("ACTION_API_KEY"), key);
+  secrets.insert(String::from("ACTION_API_SECRET"), secret);
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator
+    .interpolate_string(contents)?
+    .push_logs(&mut update.logs);
+
+  Ok(interpolator.secret_replacers)
+}
+
+fn full_contents(
+  contents: &str,
+  // Pre-serialized to JSON string.
+  args: &str,
+  key: &str,
+  secret: &str,
+) -> String {
+  let CoreConfig {
+    port, ssl_enabled, ..
+  } = core_config();
+  let protocol = if *ssl_enabled { "https" } else { "http" };
+  let base_url = format!("{protocol}://localhost:{port}");
+  format!(
+    "import {{ KomodoClient, Types }} from '{base_url}/client/lib.js';
+import * as __YAML__ from 'jsr:@std/yaml';
+import * as __TOML__ from 'jsr:@std/toml';
+
+const YAML = {{
+  stringify: __YAML__.stringify,
+  parse: __YAML__.parse,
+  parseAll: __YAML__.parseAll,
+  parseDockerCompose: __YAML__.parse,
+}}
+
+const TOML = {{
+  stringify: __TOML__.stringify,
+  parse: __TOML__.parse,
+  parseResourceToml: __TOML__.parse,
+  parseCargoToml: __TOML__.parse,
+}}
+
+const ARGS = {args};
+
+const komodo = KomodoClient('{base_url}', {{
+  type: 'api-key',
+  params: {{ key: '{key}', secret: '{secret}' }}
+}});
+
+async function main() {{
+{contents}
+
+console.log('🦎 Action completed successfully 🦎');
+}}
+
+main()
+.catch(error => {{
+  console.error('🚨 Action exited early with errors 🚨')
+  if (error.status !== undefined && error.result !== undefined) {{
+    console.error('Status:', error.status);
+    console.error(JSON.stringify(error.result, null, 2));
+  }} else {{
+    console.error(error);
+  }}
+  Deno.exit(1)
+}});"
+  )
+}
+
+/// Cleans up file at given path.
+/// ALSO if $DENO_DIR is set,
+/// will clean up the generated file matching "file"
+async fn cleanup_run(file: String, path: &Path) {
+  if let Err(e) = fs::remove_file(path).await {
+    warn!(
+      "Failed to delete action file after action execution | {e:#}"
+    );
+  }
+  // If $DENO_DIR is set (will be in container),
+  // will clean up the generated file matching "file" (NOT under path)
+  let Some(deno_dir) = deno_dir() else {
+    return;
+  };
+  delete_file(deno_dir.join("gen/file"), file).await;
+}
+
+fn deno_dir() -> Option<&'static Path> {
+  static DENO_DIR: OnceLock<Option<PathBuf>> = OnceLock::new();
+  DENO_DIR
+    .get_or_init(|| {
+      let deno_dir = std::env::var("DENO_DIR").ok()?;
+      PathBuf::from_str(&deno_dir).ok()
+    })
+    .as_deref()
+}
+
+/// file is just the terminating file path,
+/// it may be nested multiple folder under path,
+/// this will find the nested file and delete it.
+/// Assumes the file is only there once.
+fn delete_file(
+  dir: PathBuf,
+  file: String,
+) -> std::pin::Pin<Box<dyn std::future::Future<Output = bool> + Send>>
+{
+  Box::pin(async move {
+    let Ok(mut dir) = fs::read_dir(dir).await else {
+      return false;
+    };
+    // Collect the nested folders for recursing
+    // only after checking all the files in directory.
+    let mut folders = Vec::<PathBuf>::new();
+
+    while let Ok(Some(entry)) = dir.next_entry().await {
+      let Ok(meta) = entry.metadata().await else {
+        continue;
+      };
+      if meta.is_file() {
+        let Ok(name) = entry.file_name().into_string() else {
+          continue;
+        };
+        if name == file {
+          if let Err(e) = fs::remove_file(entry.path()).await {
+            warn!(
+              "Failed to clean up generated file after action execution | {e:#}"
+            );
+          };
+          return true;
+        }
+      } else {
+        folders.push(entry.path());
+      }
+    }
+
+    if folders.len() == 1 {
+      // unwrap ok, folders definitely is not empty
+      let folder = folders.pop().unwrap();
+      delete_file(folder, file).await
+    } else {
+      // Check folders with file.clone
+      for folder in folders {
+        if delete_file(folder, file.clone()).await {
+          return true;
+        }
+      }
+      false
+    }
+  })
+}
+
+fn parse_action_arguments(
+  args: &str,
+  format: FileFormat,
+) -> anyhow::Result<JsonObject> {
+  match format {
+    FileFormat::KeyValue => {
+      let args = parse_key_value_list(args)
+        .context("Failed to parse args as key value list")?
+        .into_iter()
+        .map(|(k, v)| (k, serde_json::Value::String(v)))
+        .collect();
+      Ok(args)
+    }
+    FileFormat::Toml => toml::from_str(args)
+      .context("Failed to parse Toml to Action args"),
+    FileFormat::Yaml => serde_yaml_ng::from_str(args)
+      .context("Failed to parse Yaml to action args"),
+    FileFormat::Json => serde_json::from_str(args)
+      .context("Failed to parse Json to action args"),
+  }
+}

bin/core/src/api/execute/alerter.rs

@@ -0,0 +1,149 @@
+use anyhow::{Context, anyhow};
+use formatting::format_serror;
+use futures::{TryStreamExt, stream::FuturesUnordered};
+use komodo_client::{
+  api::execute::{SendAlert, TestAlerter},
+  entities::{
+    alert::{Alert, AlertData, AlertDataVariant, SeverityLevel},
+    alerter::Alerter,
+    komodo_timestamp,
+    permission::PermissionLevel,
+  },
+};
+use reqwest::StatusCode;
+use resolver_api::Resolve;
+use serror::AddStatusCodeError;
+
+use crate::{
+  alert::send_alert_to_alerter, helpers::update::update_update,
+  permission::get_check_permissions, resource::list_full_for_user,
+};
+
+use super::ExecuteArgs;
+
+impl Resolve<ExecuteArgs> for TestAlerter {
+  #[instrument(name = "TestAlerter", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let alerter = get_check_permissions::<Alerter>(
+      &self.alerter,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let mut update = update.clone();
+
+    if !alerter.config.enabled {
+      update.push_error_log(
+        "Test Alerter",
+        String::from(
+          "Alerter is disabled. Enable the Alerter to send alerts.",
+        ),
+      );
+      update.finalize();
+      update_update(update.clone()).await?;
+      return Ok(update);
+    }
+
+    let ts = komodo_timestamp();
+
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      level: SeverityLevel::Ok,
+      target: update.target.clone(),
+      data: AlertData::Test {
+        id: alerter.id.clone(),
+        name: alerter.name.clone(),
+      },
+      resolved_ts: Some(ts),
+    };
+
+    if let Err(e) = send_alert_to_alerter(&alerter, &alert).await {
+      update.push_error_log("Test Alerter", format_serror(&e.into()));
+    } else {
+      update.push_simple_log("Test Alerter", String::from("Alert sent successfully. It should be visible at your alerting destination."));
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+impl Resolve<ExecuteArgs> for SendAlert {
+  #[instrument(name = "SendAlert", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let alerters = list_full_for_user::<Alerter>(
+      Default::default(),
+      user,
+      PermissionLevel::Execute.into(),
+      &[],
+    )
+    .await?
+    .into_iter()
+    .filter(|a| {
+      a.config.enabled
+        && (self.alerters.is_empty()
+          || self.alerters.contains(&a.name)
+          || self.alerters.contains(&a.id))
+        && (a.config.alert_types.is_empty()
+          || a.config.alert_types.contains(&AlertDataVariant::Custom))
+    })
+    .collect::<Vec<_>>();
+
+    if alerters.is_empty() {
+      return Err(anyhow!(
+        "Could not find any valid alerters to send to, this required Execute permissions on the Alerter"
+      ).status_code(StatusCode::BAD_REQUEST));
+    }
+
+    let mut update = update.clone();
+
+    let ts = komodo_timestamp();
+
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      level: self.level,
+      target: update.target.clone(),
+      data: AlertData::Custom {
+        message: self.message,
+        details: self.details,
+      },
+      resolved_ts: Some(ts),
+    };
+
+    update.push_simple_log(
+      "Send alert",
+      serde_json::to_string_pretty(&alert)
+        .context("Failed to serialize alert to JSON")?,
+    );
+
+    if let Err(e) = alerters
+      .iter()
+      .map(|alerter| send_alert_to_alerter(alerter, &alert))
+      .collect::<FuturesUnordered<_>>()
+      .try_collect::<Vec<_>>()
+      .await
+    {
+      update.push_error_log("Send Error", format_serror(&e.into()));
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/build.rs

@@ -0,0 +1,659 @@
+use std::{
+  collections::{HashMap, HashSet},
+  future::IntoFuture,
+  time::Duration,
+};
+
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  find::find_collect,
+  mongodb::{
+    bson::{doc, to_bson, to_document},
+    options::FindOneOptions,
+  },
+};
+use formatting::format_serror;
+use futures::future::join_all;
+use interpolate::Interpolator;
+use komodo_client::{
+  api::execute::{
+    BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
+    RunBuild,
+  },
+  entities::{
+    alert::{Alert, AlertData, SeverityLevel},
+    all_logs_success,
+    build::{Build, BuildConfig},
+    builder::{Builder, BuilderConfig},
+    deployment::DeploymentState,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    repo::Repo,
+    update::{Log, Update},
+    user::auto_redeploy_user,
+  },
+};
+use periphery_client::api;
+use resolver_api::Resolve;
+use tokio_util::sync::CancellationToken;
+
+use crate::{
+  alert::send_alerts,
+  helpers::{
+    build_git_token,
+    builder::{cleanup_builder_instance, get_builder_periphery},
+    channel::build_cancel_channel,
+    query::{
+      VariablesAndSecrets, get_deployment_state,
+      get_variables_and_secrets,
+    },
+    registry_token,
+    update::{init_execution_update, update_update},
+  },
+  permission::get_check_permissions,
+  resource::{self, refresh_build_state_cache},
+  state::{action_states, db_client},
+};
+
+use super::{ExecuteArgs, ExecuteRequest};
+
+impl super::BatchExecute for BatchRunBuild {
+  type Resource = Build;
+  fn single_request(build: String) -> ExecuteRequest {
+    ExecuteRequest::RunBuild(RunBuild { build })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchRunBuild {
+  #[instrument(name = "BatchRunBuild", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchRunBuild>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for RunBuild {
+  #[instrument(name = "RunBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let mut build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let mut repo = if !build.config.files_on_host
+      && !build.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&build.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
+    let VariablesAndSecrets {
+      mut variables,
+      secrets,
+    } = get_variables_and_secrets().await?;
+
+    // Add the $VERSION to variables. Use with [[$VERSION]]
+    variables.insert(
+      String::from("$VERSION"),
+      build.config.version.to_string(),
+    );
+
+    if build.config.builder_id.is_empty() {
+      return Err(anyhow!("Must attach builder to RunBuild").into());
+    }
+
+    // get the action state for the build (or insert default).
+    let action_state =
+      action_states().build.get_or_insert_default(&build.id).await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure build not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.building = true)?;
+
+    if build.config.auto_increment_version {
+      build.config.version.increment();
+    }
+
+    let mut update = update.clone();
+
+    update.version = build.config.version;
+    update_update(update.clone()).await?;
+
+    let git_token =
+      build_git_token(&mut build, repo.as_mut()).await?;
+
+    let registry_tokens =
+      validate_account_extract_registry_tokens(&build).await?;
+
+    let cancel = CancellationToken::new();
+    let cancel_clone = cancel.clone();
+    let mut cancel_recv =
+      build_cancel_channel().receiver.resubscribe();
+    let build_id = build.id.clone();
+
+    let builder =
+      resource::get::<Builder>(&build.config.builder_id).await?;
+
+    let is_server_builder =
+      matches!(&builder.config, BuilderConfig::Server(_));
+
+    tokio::spawn(async move {
+      let poll = async {
+        loop {
+          let (incoming_build_id, mut update) = tokio::select! {
+            _ = cancel_clone.cancelled() => return Ok(()),
+            id = cancel_recv.recv() => id?
+          };
+          if incoming_build_id == build_id {
+            if is_server_builder {
+              update.push_error_log("Cancel acknowledged", "Build cancellation is not possible on server builders at this time. Use an AWS builder to enable this feature.");
+            } else {
+              update.push_simple_log("Cancel acknowledged", "The build cancellation has been queued, it may still take some time.");
+            }
+            update.finalize();
+            let id = update.id.clone();
+            if let Err(e) = update_update(update).await {
+              warn!("failed to modify Update {id} on db | {e:#}");
+            }
+            if !is_server_builder {
+              cancel_clone.cancel();
+            }
+            return Ok(());
+          }
+        }
+        #[allow(unreachable_code)]
+        anyhow::Ok(())
+      };
+      tokio::select! {
+        _ = cancel_clone.cancelled() => {}
+        _ = poll => {}
+      }
+    });
+
+    // GET BUILDER PERIPHERY
+    let (periphery, cleanup_data) = match get_builder_periphery(
+      build.name.clone(),
+      Some(build.config.version),
+      builder,
+      &mut update,
+    )
+    .await
+    {
+      Ok(builder) => builder,
+      Err(e) => {
+        warn!(
+          "failed to get builder for build {} | {e:#}",
+          build.name
+        );
+        update.logs.push(Log::error(
+          "get builder",
+          format_serror(&e.context("failed to get builder").into()),
+        ));
+        return handle_early_return(
+          update, build.id, build.name, false,
+        )
+        .await;
+      }
+    };
+
+    // INTERPOLATE VARIABLES
+    let secret_replacers = if !build.config.skip_secret_interp {
+      let mut interpolator =
+        Interpolator::new(Some(&variables), &secrets);
+
+      interpolator.interpolate_build(&mut build)?;
+
+      if let Some(repo) = repo.as_mut() {
+        interpolator.interpolate_repo(repo)?;
+      }
+
+      interpolator.push_logs(&mut update.logs);
+
+      interpolator.secret_replacers
+    } else {
+      Default::default()
+    };
+
+    let commit_message = if !build.config.files_on_host
+      && (!build.config.repo.is_empty()
+        || !build.config.linked_repo.is_empty())
+    {
+      // PULL OR CLONE REPO
+      let res = tokio::select! {
+        res = periphery
+          .request(api::git::PullOrCloneRepo {
+            args: repo.as_ref().map(Into::into).unwrap_or((&build).into()),
+            git_token,
+            environment: Default::default(),
+            env_file_path: Default::default(),
+            on_clone: None,
+            on_pull: None,
+            skip_secret_interp: Default::default(),
+            replacers: Default::default(),
+          }) => res,
+        _ = cancel.cancelled() => {
+          debug!("build cancelled during clone, cleaning up builder");
+          update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
+          cleanup_builder_instance(cleanup_data, &mut update)
+            .await;
+          info!("builder cleaned up");
+          return handle_early_return(update, build.id, build.name, true).await
+        },
+      };
+
+      let commit_message = match res {
+        Ok(res) => {
+          debug!("finished repo clone");
+          update.logs.extend(res.res.logs);
+          update.commit_hash =
+            res.res.commit_hash.unwrap_or_default().to_string();
+          res.res.commit_message.unwrap_or_default()
+        }
+        Err(e) => {
+          warn!("Failed build at clone repo | {e:#}");
+          update.push_error_log(
+            "Clone Repo",
+            format_serror(&e.context("Failed to clone repo").into()),
+          );
+          Default::default()
+        }
+      };
+
+      update_update(update.clone()).await?;
+
+      Some(commit_message)
+    } else {
+      None
+    };
+
+    if all_logs_success(&update.logs) {
+      // RUN BUILD
+      let res = tokio::select! {
+        res = periphery
+          .request(api::build::Build {
+            build: build.clone(),
+            repo,
+            registry_tokens,
+            replacers: secret_replacers.into_iter().collect(),
+            // Push a commit hash tagged image
+            additional_tags: if update.commit_hash.is_empty() {
+              Default::default()
+            } else {
+              vec![update.commit_hash.clone()]
+            },
+          }) => res.context("failed at call to periphery to build"),
+        _ = cancel.cancelled() => {
+          info!("build cancelled during build, cleaning up builder");
+          update.push_error_log("build cancelled", String::from("user cancelled build during docker build"));
+          cleanup_builder_instance(cleanup_data, &mut update)
+            .await;
+          return handle_early_return(update, build.id, build.name, true).await
+        },
+      };
+
+      match res {
+        Ok(logs) => {
+          debug!("finished build");
+          update.logs.extend(logs);
+        }
+        Err(e) => {
+          warn!("error in build | {e:#}");
+          update.push_error_log(
+            "build",
+            format_serror(&e.context("failed to build").into()),
+          )
+        }
+      };
+    }
+
+    update.finalize();
+
+    let db = db_client();
+
+    if update.success {
+      let _ = db
+        .builds
+        .update_one(
+          doc! { "name": &build.name },
+          doc! { "$set": {
+            "config.version": to_bson(&build.config.version)
+              .context("failed at converting version to bson")?,
+            "info.last_built_at": komodo_timestamp(),
+            "info.built_hash": &update.commit_hash,
+            "info.built_message": commit_message
+          }},
+        )
+        .await;
+    }
+
+    // stop the cancel listening task from going forever
+    cancel.cancel();
+
+    // If building on temporary cloud server (AWS),
+    // this will terminate the server.
+    cleanup_builder_instance(cleanup_data, &mut update).await;
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with add_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db.updates,
+        &update.id,
+        database::mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_build_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    if update.success {
+      // don't hold response up for user
+      tokio::spawn(async move {
+        handle_post_build_redeploy(&build.id).await;
+      });
+    } else {
+      warn!("build unsuccessful, alerting...");
+      let target = update.target.clone();
+      let version = update.version;
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: komodo_timestamp(),
+          resolved_ts: Some(komodo_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::BuildFailed {
+            id: build.id,
+            name: build.name,
+            version,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
+    Ok(update.clone())
+  }
+}
+
+#[instrument(skip(update))]
+async fn handle_early_return(
+  mut update: Update,
+  build_id: String,
+  build_name: String,
+  is_cancel: bool,
+) -> serror::Result<Update> {
+  update.finalize();
+  // Need to manually update the update before cache refresh,
+  // and before broadcast with add_update.
+  // The Err case of to_document should be unreachable,
+  // but will fail to update cache in that case.
+  if let Ok(update_doc) = to_document(&update) {
+    let _ = update_one_by_id(
+      &db_client().updates,
+      &update.id,
+      database::mungos::update::Update::Set(update_doc),
+      None,
+    )
+    .await;
+    refresh_build_state_cache().await;
+  }
+  update_update(update.clone()).await?;
+  if !update.success && !is_cancel {
+    warn!("build unsuccessful, alerting...");
+    let target = update.target.clone();
+    let version = update.version;
+    tokio::spawn(async move {
+      let alert = Alert {
+        id: Default::default(),
+        target,
+        ts: komodo_timestamp(),
+        resolved_ts: Some(komodo_timestamp()),
+        resolved: true,
+        level: SeverityLevel::Warning,
+        data: AlertData::BuildFailed {
+          id: build_id,
+          name: build_name,
+          version,
+        },
+      };
+      send_alerts(&[alert]).await
+    });
+  }
+  Ok(update.clone())
+}
+
+pub async fn validate_cancel_build(
+  request: &ExecuteRequest,
+) -> anyhow::Result<()> {
+  if let ExecuteRequest::CancelBuild(req) = request {
+    let build = resource::get::<Build>(&req.build).await?;
+
+    let db = db_client();
+
+    let (latest_build, latest_cancel) = tokio::try_join!(
+      db.updates
+        .find_one(doc! {
+          "operation": "RunBuild",
+          "target.id": &build.id,
+        },)
+        .with_options(
+          FindOneOptions::builder()
+            .sort(doc! { "start_ts": -1 })
+            .build()
+        )
+        .into_future(),
+      db.updates
+        .find_one(doc! {
+          "operation": "CancelBuild",
+          "target.id": &build.id,
+        },)
+        .with_options(
+          FindOneOptions::builder()
+            .sort(doc! { "start_ts": -1 })
+            .build()
+        )
+        .into_future()
+    )?;
+
+    match (latest_build, latest_cancel) {
+      (Some(build), Some(cancel)) => {
+        if cancel.start_ts > build.start_ts {
+          return Err(anyhow!("Build has already been cancelled"));
+        }
+      }
+      (None, _) => return Err(anyhow!("No build in progress")),
+      _ => {}
+    };
+  }
+  Ok(())
+}
+
+impl Resolve<ExecuteArgs> for CancelBuild {
+  #[instrument(name = "CancelBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    // make sure the build is building
+    if !action_states()
+      .build
+      .get(&build.id)
+      .await
+      .and_then(|s| s.get().ok().map(|s| s.building))
+      .unwrap_or_default()
+    {
+      return Err(anyhow!("Build is not building.").into());
+    }
+
+    let mut update = update.clone();
+
+    update.push_simple_log(
+      "cancel triggered",
+      "the build cancel has been triggered",
+    );
+    update_update(update.clone()).await?;
+
+    build_cancel_channel()
+      .sender
+      .lock()
+      .await
+      .send((build.id, update.clone()))?;
+
+    // Make sure cancel is set to complete after some time in case
+    // no reciever is there to do it. Prevents update stuck in InProgress.
+    let update_id = update.id.clone();
+    tokio::spawn(async move {
+      tokio::time::sleep(Duration::from_secs(60)).await;
+      if let Err(e) = update_one_by_id(
+        &db_client().updates,
+        &update_id,
+        doc! { "$set": { "status": "Complete" } },
+        None,
+      )
+      .await
+      {
+        warn!(
+          "failed to set CancelBuild Update status Complete after timeout | {e:#}"
+        )
+      }
+    });
+
+    Ok(update)
+  }
+}
+
+#[instrument]
+async fn handle_post_build_redeploy(build_id: &str) {
+  let Ok(redeploy_deployments) = find_collect(
+    &db_client().deployments,
+    doc! {
+      "config.image.params.build_id": build_id,
+      "config.redeploy_on_build": true
+    },
+    None,
+  )
+  .await
+  else {
+    return;
+  };
+
+  let futures =
+    redeploy_deployments
+      .into_iter()
+      .map(|deployment| async move {
+        let state = get_deployment_state(&deployment.id)
+          .await
+          .unwrap_or_default();
+        if state == DeploymentState::Running {
+          let req = super::ExecuteRequest::Deploy(Deploy {
+            deployment: deployment.id.clone(),
+            stop_signal: None,
+            stop_time: None,
+          });
+          let user = auto_redeploy_user().to_owned();
+          let res = async {
+            let update = init_execution_update(&req, &user).await?;
+            Deploy {
+              deployment: deployment.id.clone(),
+              stop_signal: None,
+              stop_time: None,
+            }
+            .resolve(&ExecuteArgs { user, update })
+            .await
+          }
+          .await;
+          Some((deployment.id.clone(), res))
+        } else {
+          None
+        }
+      });
+
+  for res in join_all(futures).await {
+    let Some((id, res)) = res else {
+      continue;
+    };
+    if let Err(e) = res {
+      warn!(
+        "failed post build redeploy for deployment {id}: {:#}",
+        e.error
+      );
+    }
+  }
+}
+
+/// This will make sure that a build with non-none image registry has an account attached,
+/// and will check the core config for a token matching requirements.
+/// Otherwise it is left to periphery.
+async fn validate_account_extract_registry_tokens(
+  Build {
+    config: BuildConfig { image_registry, .. },
+    ..
+  }: &Build,
+  // Maps (domain, account) -> token
+) -> serror::Result<Vec<(String, String, String)>> {
+  let mut res = HashMap::with_capacity(image_registry.capacity());
+
+  for (domain, account) in image_registry
+    .iter()
+    .map(|r| (r.domain.as_str(), r.account.as_str()))
+    // This ensures uniqueness / prevents redundant logins
+    .collect::<HashSet<_>>()
+  {
+    if domain.is_empty() {
+      continue;
+    }
+    if account.is_empty() {
+      return Err(
+        anyhow!(
+          "Must attach account to use registry provider {domain}"
+        )
+        .into(),
+      );
+    }
+    let Some(registry_token) = registry_token(domain, account).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
+    )? else {
+      continue;
+    };
+
+    res.insert(
+      (domain.to_string(), account.to_string()),
+      registry_token,
+    );
+  }
+
+  Ok(
+    res
+      .into_iter()
+      .map(|((domain, account), token)| (domain, account, token))
+      .collect(),
+  )
+}

bin/core/src/api/execute/deployment.rs

@@ -0,0 +1,719 @@
+use std::sync::OnceLock;
+
+use anyhow::{Context, anyhow};
+use cache::TimeoutCache;
+use formatting::format_serror;
+use interpolate::Interpolator;
+use komodo_client::{
+  api::execute::*,
+  entities::{
+    Version,
+    build::{Build, ImageRegistryConfig},
+    deployment::{
+      Deployment, DeploymentImage, extract_registry_domain,
+    },
+    get_image_names, komodo_timestamp, optional_string,
+    permission::PermissionLevel,
+    server::Server,
+    update::{Log, Update},
+    user::User,
+  },
+};
+use periphery_client::api;
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{
+    periphery_client,
+    query::{VariablesAndSecrets, get_variables_and_secrets},
+    registry_token,
+    update::update_update,
+  },
+  monitor::update_cache_for_server,
+  permission::get_check_permissions,
+  resource,
+  state::action_states,
+};
+
+use super::{ExecuteArgs, ExecuteRequest};
+
+impl super::BatchExecute for BatchDeploy {
+  type Resource = Deployment;
+  fn single_request(deployment: String) -> ExecuteRequest {
+    ExecuteRequest::Deploy(Deploy {
+      deployment,
+      stop_signal: None,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchDeploy {
+  #[instrument(name = "BatchDeploy", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchDeploy>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+async fn setup_deployment_execution(
+  deployment: &str,
+  user: &User,
+) -> anyhow::Result<(Deployment, Server)> {
+  let deployment = get_check_permissions::<Deployment>(
+    deployment,
+    user,
+    PermissionLevel::Execute.into(),
+  )
+  .await?;
+
+  if deployment.config.server_id.is_empty() {
+    return Err(anyhow!("Deployment has no Server configured"));
+  }
+
+  let server =
+    resource::get::<Server>(&deployment.config.server_id).await?;
+
+  if !server.config.enabled {
+    return Err(anyhow!("Attached Server is not enabled"));
+  }
+
+  Ok((deployment, server))
+}
+
+impl Resolve<ExecuteArgs> for Deploy {
+  #[instrument(name = "Deploy", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (mut deployment, server) =
+      setup_deployment_execution(&self.deployment, user).await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.deploying = true)?;
+
+    let mut update = update.clone();
+
+    // Send update after setting action state, this way frontend gets correct state.
+    update_update(update.clone()).await?;
+
+    // This block resolves the attached Build to an actual versioned image
+    let (version, registry_token) = match &deployment.config.image {
+      DeploymentImage::Build { build_id, version } => {
+        let build = resource::get::<Build>(build_id).await?;
+        let image_names = get_image_names(&build);
+        let image_name = image_names
+          .first()
+          .context("No image name could be created")
+          .context("Failed to create image name")?;
+        let version = if version.is_none() {
+          build.config.version
+        } else {
+          *version
+        };
+        let version_str = version.to_string();
+        // Potentially add the build image_tag postfix
+        let version_str = if build.config.image_tag.is_empty() {
+          version_str
+        } else {
+          format!("{version_str}-{}", build.config.image_tag)
+        };
+        // replace image with corresponding build image.
+        deployment.config.image = DeploymentImage::Image {
+          image: format!("{image_name}:{version_str}"),
+        };
+        let first_registry = build
+          .config
+          .image_registry
+          .first()
+          .unwrap_or(ImageRegistryConfig::static_default());
+        if first_registry.domain.is_empty() {
+          (version, None)
+        } else {
+          let ImageRegistryConfig {
+            domain, account, ..
+          } = first_registry;
+          if deployment.config.image_registry_account.is_empty() {
+            deployment.config.image_registry_account =
+              account.to_string();
+          }
+          let token = if !deployment
+            .config
+            .image_registry_account
+            .is_empty()
+          {
+            registry_token(domain, &deployment.config.image_registry_account).await.with_context(
+              || format!("Failed to get git token in call to db. Stopping run. | {domain} | {}", deployment.config.image_registry_account),
+            )?
+          } else {
+            None
+          };
+          (version, token)
+        }
+      }
+      DeploymentImage::Image { image } => {
+        let domain = extract_registry_domain(image)?;
+        let token = if !deployment
+          .config
+          .image_registry_account
+          .is_empty()
+        {
+          registry_token(&domain, &deployment.config.image_registry_account).await.with_context(
+            || format!("Failed to get git token in call to db. Stopping run. | {domain} | {}", deployment.config.image_registry_account),
+          )?
+        } else {
+          None
+        };
+        (Version::default(), token)
+      }
+    };
+
+    // interpolate variables / secrets, returning the sanitizing replacers to send to
+    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
+    let secret_replacers = if !deployment.config.skip_secret_interp {
+      let VariablesAndSecrets { variables, secrets } =
+        get_variables_and_secrets().await?;
+
+      let mut interpolator =
+        Interpolator::new(Some(&variables), &secrets);
+
+      interpolator
+        .interpolate_deployment(&mut deployment)?
+        .push_logs(&mut update.logs);
+
+      interpolator.secret_replacers
+    } else {
+      Default::default()
+    };
+
+    update.version = version;
+    update_update(update.clone()).await?;
+
+    match periphery_client(&server)?
+      .request(api::container::Deploy {
+        deployment,
+        stop_signal: self.stop_signal,
+        stop_time: self.stop_time,
+        registry_token,
+        replacers: secret_replacers.into_iter().collect(),
+      })
+      .await
+    {
+      Ok(log) => update.logs.push(log),
+      Err(e) => {
+        update.push_error_log(
+          "Deploy Container",
+          format_serror(&e.into()),
+        );
+      }
+    };
+
+    update_cache_for_server(&server).await;
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+/// Wait this long after a pull to allow another pull through
+const PULL_TIMEOUT: i64 = 5_000;
+type ServerId = String;
+type Image = String;
+type PullCache = TimeoutCache<(ServerId, Image), Log>;
+
+fn pull_cache() -> &'static PullCache {
+  static PULL_CACHE: OnceLock<PullCache> = OnceLock::new();
+  PULL_CACHE.get_or_init(Default::default)
+}
+
+pub async fn pull_deployment_inner(
+  deployment: Deployment,
+  server: &Server,
+) -> anyhow::Result<Log> {
+  let (image, account, token) = match deployment.config.image {
+    DeploymentImage::Build { build_id, version } => {
+      let build = resource::get::<Build>(&build_id).await?;
+      let image_names = get_image_names(&build);
+      let image_name = image_names
+        .first()
+        .context("No image name could be created")
+        .context("Failed to create image name")?;
+      let version = if version.is_none() {
+        build.config.version.to_string()
+      } else {
+        version.to_string()
+      };
+      // Potentially add the build image_tag postfix
+      let version = if build.config.image_tag.is_empty() {
+        version
+      } else {
+        format!("{version}-{}", build.config.image_tag)
+      };
+      // replace image with corresponding build image.
+      let image = format!("{image_name}:{version}");
+      let first_registry = build
+        .config
+        .image_registry
+        .first()
+        .unwrap_or(ImageRegistryConfig::static_default());
+      if first_registry.domain.is_empty() {
+        (image, None, None)
+      } else {
+        let ImageRegistryConfig {
+          domain, account, ..
+        } = first_registry;
+        let account =
+          if deployment.config.image_registry_account.is_empty() {
+            account
+          } else {
+            &deployment.config.image_registry_account
+          };
+        let token = if !account.is_empty() {
+          registry_token(domain, account).await.with_context(
+              || format!("Failed to get git token in call to db. Stopping run. | {domain} | {account}"),
+            )?
+        } else {
+          None
+        };
+        (image, optional_string(account), token)
+      }
+    }
+    DeploymentImage::Image { image } => {
+      let domain = extract_registry_domain(&image)?;
+      let token = if !deployment
+        .config
+        .image_registry_account
+        .is_empty()
+      {
+        registry_token(&domain, &deployment.config.image_registry_account).await.with_context(
+            || format!("Failed to get git token in call to db. Stopping run. | {domain} | {}", deployment.config.image_registry_account),
+          )?
+      } else {
+        None
+      };
+      (
+        image,
+        optional_string(&deployment.config.image_registry_account),
+        token,
+      )
+    }
+  };
+
+  // Acquire the pull lock for this image on the server
+  let lock = pull_cache()
+    .get_lock((server.id.clone(), image.clone()))
+    .await;
+
+  // Lock the path lock, prevents simultaneous pulls by
+  // ensuring simultaneous pulls will wait for first to finish
+  // and checking cached results.
+  let mut locked = lock.lock().await;
+
+  // Early return from cache if lasted pulled with PULL_TIMEOUT
+  if locked.last_ts + PULL_TIMEOUT > komodo_timestamp() {
+    return locked.clone_res();
+  }
+
+  let res = async {
+    let log = match periphery_client(server)?
+      .request(api::image::PullImage {
+        name: image,
+        account,
+        token,
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error("Pull image", format_serror(&e.into())),
+    };
+
+    update_cache_for_server(server).await;
+    anyhow::Ok(log)
+  }
+  .await;
+
+  // Set the cache with results. Any other calls waiting on the lock will
+  // then immediately also use this same result.
+  locked.set(&res, komodo_timestamp());
+
+  res
+}
+
+impl Resolve<ExecuteArgs> for PullDeployment {
+  #[instrument(name = "PullDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (deployment, server) =
+      setup_deployment_execution(&self.deployment, user).await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pulling = true)?;
+
+    let mut update = update.clone();
+    // Send update after setting action state, this way frontend gets correct state.
+    update_update(update.clone()).await?;
+
+    let log = pull_deployment_inner(deployment, &server).await?;
+
+    update.logs.push(log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for StartDeployment {
+  #[instrument(name = "StartDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (deployment, server) =
+      setup_deployment_execution(&self.deployment, user).await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.starting = true)?;
+
+    let mut update = update.clone();
+
+    // Send update after setting action state, this way frontend gets correct state.
+    update_update(update.clone()).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::container::StartContainer {
+        name: deployment.name,
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "start container",
+        format_serror(&e.context("failed to start container").into()),
+      ),
+    };
+
+    update.logs.push(log);
+    update_cache_for_server(&server).await;
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RestartDeployment {
+  #[instrument(name = "RestartDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (deployment, server) =
+      setup_deployment_execution(&self.deployment, user).await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.restarting = true)?;
+
+    let mut update = update.clone();
+
+    // Send update after setting action state, this way frontend gets correct state.
+    update_update(update.clone()).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::container::RestartContainer {
+        name: deployment.name,
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "restart container",
+        format_serror(
+          &e.context("failed to restart container").into(),
+        ),
+      ),
+    };
+
+    update.logs.push(log);
+    update_cache_for_server(&server).await;
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for PauseDeployment {
+  #[instrument(name = "PauseDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (deployment, server) =
+      setup_deployment_execution(&self.deployment, user).await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pausing = true)?;
+
+    let mut update = update.clone();
+
+    // Send update after setting action state, this way frontend gets correct state.
+    update_update(update.clone()).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::container::PauseContainer {
+        name: deployment.name,
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "pause container",
+        format_serror(&e.context("failed to pause container").into()),
+      ),
+    };
+
+    update.logs.push(log);
+    update_cache_for_server(&server).await;
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for UnpauseDeployment {
+  #[instrument(name = "UnpauseDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (deployment, server) =
+      setup_deployment_execution(&self.deployment, user).await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.unpausing = true)?;
+
+    let mut update = update.clone();
+
+    // Send update after setting action state, this way frontend gets correct state.
+    update_update(update.clone()).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::container::UnpauseContainer {
+        name: deployment.name,
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "unpause container",
+        format_serror(
+          &e.context("failed to unpause container").into(),
+        ),
+      ),
+    };
+
+    update.logs.push(log);
+    update_cache_for_server(&server).await;
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for StopDeployment {
+  #[instrument(name = "StopDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (deployment, server) =
+      setup_deployment_execution(&self.deployment, user).await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.stopping = true)?;
+
+    let mut update = update.clone();
+
+    // Send update after setting action state, this way frontend gets correct state.
+    update_update(update.clone()).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::container::StopContainer {
+        name: deployment.name,
+        signal: self
+          .signal
+          .unwrap_or(deployment.config.termination_signal)
+          .into(),
+        time: self
+          .time
+          .unwrap_or(deployment.config.termination_timeout)
+          .into(),
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "stop container",
+        format_serror(&e.context("failed to stop container").into()),
+      ),
+    };
+
+    update.logs.push(log);
+    update_cache_for_server(&server).await;
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl super::BatchExecute for BatchDestroyDeployment {
+  type Resource = Deployment;
+  fn single_request(deployment: String) -> ExecuteRequest {
+    ExecuteRequest::DestroyDeployment(DestroyDeployment {
+      deployment,
+      signal: None,
+      time: None,
+    })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchDestroyDeployment {
+  #[instrument(name = "BatchDestroyDeployment", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchDestroyDeployment>(
+        &self.pattern,
+        user,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for DestroyDeployment {
+  #[instrument(name = "DestroyDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (deployment, server) =
+      setup_deployment_execution(&self.deployment, user).await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.destroying = true)?;
+
+    let mut update = update.clone();
+
+    // Send update after setting action state, this way frontend gets correct state.
+    update_update(update.clone()).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::container::RemoveContainer {
+        name: deployment.name,
+        signal: self
+          .signal
+          .unwrap_or(deployment.config.termination_signal)
+          .into(),
+        time: self
+          .time
+          .unwrap_or(deployment.config.termination_timeout)
+          .into(),
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "stop container",
+        format_serror(&e.context("failed to stop container").into()),
+      ),
+    };
+
+    update.logs.push(log);
+    update.finalize();
+    update_cache_for_server(&server).await;
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/maintenance.rs

@@ -0,0 +1,319 @@
+use std::sync::OnceLock;
+
+use anyhow::{Context, anyhow};
+use command::run_komodo_command;
+use database::mungos::{find::find_collect, mongodb::bson::doc};
+use formatting::{bold, format_serror};
+use komodo_client::{
+  api::execute::{
+    BackupCoreDatabase, ClearRepoCache, GlobalAutoUpdate,
+  },
+  entities::{
+    deployment::DeploymentState, server::ServerState,
+    stack::StackState,
+  },
+};
+use reqwest::StatusCode;
+use resolver_api::Resolve;
+use serror::AddStatusCodeError;
+use tokio::sync::Mutex;
+
+use crate::{
+  api::execute::{
+    ExecuteArgs, pull_deployment_inner, pull_stack_inner,
+  },
+  config::core_config,
+  helpers::update::update_update,
+  state::{
+    db_client, deployment_status_cache, server_status_cache,
+    stack_status_cache,
+  },
+};
+
+/// Makes sure the method can only be called once at a time
+fn clear_repo_cache_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for ClearRepoCache {
+  #[instrument(
+    name = "ClearRepoCache",
+    skip(user, update),
+    fields(user_id = user.id, update_id = update.id)
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::UNAUTHORIZED),
+      );
+    }
+
+    let _lock = clear_repo_cache_lock()
+      .try_lock()
+      .context("Clear already in progress...")?;
+
+    let mut update = update.clone();
+
+    let mut contents =
+      tokio::fs::read_dir(&core_config().repo_directory)
+        .await
+        .context("Failed to read repo cache directory")?;
+
+    loop {
+      let path = match contents
+        .next_entry()
+        .await
+        .context("Failed to read contents at path")
+      {
+        Ok(Some(contents)) => contents.path(),
+        Ok(None) => break,
+        Err(e) => {
+          update.push_error_log(
+            "Read Directory",
+            format_serror(&e.into()),
+          );
+          continue;
+        }
+      };
+      if path.is_dir() {
+        match tokio::fs::remove_dir_all(&path)
+          .await
+          .context("Failed to clear contents at path")
+        {
+          Ok(_) => {}
+          Err(e) => {
+            update.push_error_log(
+              "Clear Directory",
+              format_serror(&e.into()),
+            );
+          }
+        };
+      }
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn backup_database_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for BackupCoreDatabase {
+  #[instrument(
+    name = "BackupCoreDatabase",
+    skip(user, update),
+    fields(user_id = user.id, update_id = update.id)
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::UNAUTHORIZED),
+      );
+    }
+
+    let _lock = backup_database_lock()
+      .try_lock()
+      .context("Backup already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let res = run_komodo_command(
+      "Backup Core Database",
+      None,
+      "km database backup --yes",
+    )
+    .await;
+
+    update.logs.push(res);
+    update.finalize();
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn global_update_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
+  #[instrument(
+    name = "GlobalAutoUpdate",
+    skip(user, update),
+    fields(user_id = user.id, update_id = update.id)
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::UNAUTHORIZED),
+      );
+    }
+
+    let _lock = global_update_lock()
+      .try_lock()
+      .context("Global update already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    // This is all done in sequence because there is no rush,
+    // the pulls / deploys happen spaced out to ease the load on system.
+    let servers = find_collect(&db_client().servers, None, None)
+      .await
+      .context("Failed to query for servers from database")?;
+
+    let query = doc! {
+      "$or": [
+        { "config.poll_for_updates": true },
+        { "config.auto_update": true }
+      ]
+    };
+
+    let (stacks, repos) = tokio::try_join!(
+      find_collect(&db_client().stacks, query.clone(), None),
+      find_collect(&db_client().repos, None, None)
+    )
+    .context("Failed to query for resources from database")?;
+
+    let server_status_cache = server_status_cache();
+    let stack_status_cache = stack_status_cache();
+
+    // Will be edited later at update.logs[0]
+    update.push_simple_log("Auto Pull", String::new());
+
+    for stack in stacks {
+      let Some(status) = stack_status_cache.get(&stack.id).await
+      else {
+        continue;
+      };
+      // Only pull running stacks.
+      if !matches!(status.curr.state, StackState::Running) {
+        continue;
+      }
+      if let Some(server) =
+        servers.iter().find(|s| s.id == stack.config.server_id)
+        // This check is probably redundant along with running check
+        // but shouldn't hurt
+        && server_status_cache
+          .get(&server.id)
+          .await
+          .map(|s| matches!(s.state, ServerState::Ok))
+          .unwrap_or_default()
+      {
+        let name = stack.name.clone();
+        let repo = if stack.config.linked_repo.is_empty() {
+          None
+        } else {
+          let Some(repo) =
+            repos.iter().find(|r| r.id == stack.config.linked_repo)
+          else {
+            update.push_error_log(
+              &format!("Pull Stack {name}"),
+              format!(
+                "Did not find any Repo matching {}",
+                stack.config.linked_repo
+              ),
+            );
+            continue;
+          };
+          Some(repo.clone())
+        };
+        if let Err(e) =
+          pull_stack_inner(stack, Vec::new(), server, repo, None)
+            .await
+        {
+          update.push_error_log(
+            &format!("Pull Stack {name}"),
+            format_serror(&e.into()),
+          );
+        } else {
+          if !update.logs[0].stdout.is_empty() {
+            update.logs[0].stdout.push('\n');
+          }
+          update.logs[0]
+            .stdout
+            .push_str(&format!("Pulled Stack {} ✅", bold(name)));
+        }
+      }
+    }
+
+    let deployment_status_cache = deployment_status_cache();
+    let deployments =
+      find_collect(&db_client().deployments, query, None)
+        .await
+        .context("Failed to query for deployments from database")?;
+    for deployment in deployments {
+      let Some(status) =
+        deployment_status_cache.get(&deployment.id).await
+      else {
+        continue;
+      };
+      // Only pull running deployments.
+      if !matches!(status.curr.state, DeploymentState::Running) {
+        continue;
+      }
+      if let Some(server) =
+        servers.iter().find(|s| s.id == deployment.config.server_id)
+        // This check is probably redundant along with running check
+        // but shouldn't hurt
+        && server_status_cache
+          .get(&server.id)
+          .await
+          .map(|s| matches!(s.state, ServerState::Ok))
+          .unwrap_or_default()
+      {
+        let name = deployment.name.clone();
+        if let Err(e) =
+          pull_deployment_inner(deployment, server).await
+        {
+          update.push_error_log(
+            &format!("Pull Deployment {name}"),
+            format_serror(&e.into()),
+          );
+        } else {
+          if !update.logs[0].stdout.is_empty() {
+            update.logs[0].stdout.push('\n');
+          }
+          update.logs[0].stdout.push_str(&format!(
+            "Pulled Deployment {} ✅",
+            bold(name)
+          ));
+        }
+      }
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/mod.rs

@@ -0,0 +1,347 @@
+use std::{pin::Pin, time::Instant};
+
+use anyhow::Context;
+use axum::{
+  Extension, Router, extract::Path, middleware, routing::post,
+};
+use axum_extra::{TypedHeader, headers::ContentType};
+use database::mungos::by_id::find_one_by_id;
+use derive_variants::{EnumVariants, ExtractVariant};
+use formatting::format_serror;
+use futures::future::join_all;
+use komodo_client::{
+  api::execute::*,
+  entities::{
+    Operation,
+    permission::PermissionLevel,
+    update::{Log, Update},
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+use response::JsonString;
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use serror::Json;
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{
+  auth::auth_request,
+  helpers::update::{init_execution_update, update_update},
+  resource::{KomodoResource, list_full_for_user_using_pattern},
+  state::db_client,
+};
+
+mod action;
+mod alerter;
+mod build;
+mod deployment;
+mod maintenance;
+mod procedure;
+mod repo;
+mod server;
+mod stack;
+mod sync;
+
+use super::Variant;
+
+pub use {
+  deployment::pull_deployment_inner, stack::pull_stack_inner,
+};
+
+pub struct ExecuteArgs {
+  pub user: User,
+  pub update: Update,
+}
+
+#[typeshare]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+)]
+#[variant_derive(Debug)]
+#[args(ExecuteArgs)]
+#[response(JsonString)]
+#[error(serror::Error)]
+#[serde(tag = "type", content = "params")]
+pub enum ExecuteRequest {
+  // ==== SERVER ====
+  StartContainer(StartContainer),
+  RestartContainer(RestartContainer),
+  PauseContainer(PauseContainer),
+  UnpauseContainer(UnpauseContainer),
+  StopContainer(StopContainer),
+  DestroyContainer(DestroyContainer),
+  StartAllContainers(StartAllContainers),
+  RestartAllContainers(RestartAllContainers),
+  PauseAllContainers(PauseAllContainers),
+  UnpauseAllContainers(UnpauseAllContainers),
+  StopAllContainers(StopAllContainers),
+  PruneContainers(PruneContainers),
+  DeleteNetwork(DeleteNetwork),
+  PruneNetworks(PruneNetworks),
+  DeleteImage(DeleteImage),
+  PruneImages(PruneImages),
+  DeleteVolume(DeleteVolume),
+  PruneVolumes(PruneVolumes),
+  PruneDockerBuilders(PruneDockerBuilders),
+  PruneBuildx(PruneBuildx),
+  PruneSystem(PruneSystem),
+
+  // ==== STACK ====
+  DeployStack(DeployStack),
+  BatchDeployStack(BatchDeployStack),
+  DeployStackIfChanged(DeployStackIfChanged),
+  BatchDeployStackIfChanged(BatchDeployStackIfChanged),
+  PullStack(PullStack),
+  BatchPullStack(BatchPullStack),
+  StartStack(StartStack),
+  RestartStack(RestartStack),
+  StopStack(StopStack),
+  PauseStack(PauseStack),
+  UnpauseStack(UnpauseStack),
+  DestroyStack(DestroyStack),
+  BatchDestroyStack(BatchDestroyStack),
+  RunStackService(RunStackService),
+
+  // ==== DEPLOYMENT ====
+  Deploy(Deploy),
+  BatchDeploy(BatchDeploy),
+  PullDeployment(PullDeployment),
+  StartDeployment(StartDeployment),
+  RestartDeployment(RestartDeployment),
+  PauseDeployment(PauseDeployment),
+  UnpauseDeployment(UnpauseDeployment),
+  StopDeployment(StopDeployment),
+  DestroyDeployment(DestroyDeployment),
+  BatchDestroyDeployment(BatchDestroyDeployment),
+
+  // ==== BUILD ====
+  RunBuild(RunBuild),
+  BatchRunBuild(BatchRunBuild),
+  CancelBuild(CancelBuild),
+
+  // ==== REPO ====
+  CloneRepo(CloneRepo),
+  BatchCloneRepo(BatchCloneRepo),
+  PullRepo(PullRepo),
+  BatchPullRepo(BatchPullRepo),
+  BuildRepo(BuildRepo),
+  BatchBuildRepo(BatchBuildRepo),
+  CancelRepoBuild(CancelRepoBuild),
+
+  // ==== PROCEDURE ====
+  RunProcedure(RunProcedure),
+  BatchRunProcedure(BatchRunProcedure),
+
+  // ==== ACTION ====
+  RunAction(RunAction),
+  BatchRunAction(BatchRunAction),
+
+  // ==== ALERTER ====
+  TestAlerter(TestAlerter),
+  SendAlert(SendAlert),
+
+  // ==== SYNC ====
+  RunSync(RunSync),
+
+  // ==== MAINTENANCE ====
+  ClearRepoCache(ClearRepoCache),
+  BackupCoreDatabase(BackupCoreDatabase),
+  GlobalAutoUpdate(GlobalAutoUpdate),
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/", post(handler))
+    .route("/{variant}", post(variant_handler))
+    .layer(middleware::from_fn(auth_request))
+}
+
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<(TypedHeader<ContentType>, String)> {
+  let req: ExecuteRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
+}
+
+async fn handler(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteRequest>,
+) -> serror::Result<(TypedHeader<ContentType>, String)> {
+  let res = match inner_handler(request, user).await? {
+    ExecutionResult::Single(update) => serde_json::to_string(&update)
+      .context("Failed to serialize Update")?,
+    ExecutionResult::Batch(res) => res,
+  };
+  Ok((TypedHeader(ContentType::json()), res))
+}
+
+#[typeshare(serialized_as = "Update")]
+type BoxUpdate = Box<Update>;
+
+pub enum ExecutionResult {
+  Single(BoxUpdate),
+  /// The batch contents will be pre serialized here
+  Batch(String),
+}
+
+pub fn inner_handler(
+  request: ExecuteRequest,
+  user: User,
+) -> Pin<
+  Box<
+    dyn std::future::Future<Output = anyhow::Result<ExecutionResult>>
+      + Send,
+  >,
+> {
+  Box::pin(async move {
+    let req_id = Uuid::new_v4();
+
+    // Need to validate no cancel is active before any update is created.
+    // This ensures no double update created if Cancel is called more than once for the same request.
+    build::validate_cancel_build(&request).await?;
+    repo::validate_cancel_repo_build(&request).await?;
+
+    let update = init_execution_update(&request, &user).await?;
+
+    // This will be the case for the Batch exections,
+    // they don't have their own updates.
+    // The batch calls also call "inner_handler" themselves,
+    // and in their case will spawn tasks, so that isn't necessary
+    // here either.
+    if update.operation == Operation::None {
+      return Ok(ExecutionResult::Batch(
+        task(req_id, request, user, update).await?,
+      ));
+    }
+
+    // Spawn a task for the execution which continues
+    // running after this method returns.
+    let handle =
+      tokio::spawn(task(req_id, request, user, update.clone()));
+
+    // Spawns another task to monitor the first for failures,
+    // and add the log to Update about it (which primary task can't do because it errored out)
+    tokio::spawn({
+      let update_id = update.id.clone();
+      async move {
+        let log = match handle.await {
+          Ok(Err(e)) => {
+            warn!("/execute request {req_id} task error: {e:#}",);
+            Log::error("Task Error", format_serror(&e.into()))
+          }
+          Err(e) => {
+            warn!("/execute request {req_id} spawn error: {e:?}",);
+            Log::error("Spawn Error", format!("{e:#?}"))
+          }
+          _ => return,
+        };
+        let res = async {
+          // Nothing to do if update was never actually created,
+          // which is the case when the id is empty.
+          if update_id.is_empty() {
+            return Ok(());
+          }
+          let mut update =
+            find_one_by_id(&db_client().updates, &update_id)
+              .await
+              .context("failed to query to db")?
+              .context("no update exists with given id")?;
+          update.logs.push(log);
+          update.finalize();
+          update_update(update).await
+        }
+        .await;
+
+        if let Err(e) = res {
+          warn!(
+            "failed to update update with task error log | {e:#}"
+          );
+        }
+      }
+    });
+
+    Ok(ExecutionResult::Single(update.into()))
+  })
+}
+
+#[instrument(
+  name = "ExecuteRequest",
+  skip(user, update),
+  fields(
+    user_id = user.id,
+    update_id = update.id,
+    request = format!("{:?}", request.extract_variant()))
+  )
+]
+async fn task(
+  req_id: Uuid,
+  request: ExecuteRequest,
+  user: User,
+  update: Update,
+) -> anyhow::Result<String> {
+  info!("/execute request {req_id} | user: {}", user.username);
+  let timer = Instant::now();
+
+  let res = match request.resolve(&ExecuteArgs { user, update }).await
+  {
+    Err(e) => Err(e.error),
+    Ok(JsonString::Err(e)) => Err(
+      anyhow::Error::from(e).context("failed to serialize response"),
+    ),
+    Ok(JsonString::Ok(res)) => Ok(res),
+  };
+
+  if let Err(e) = &res {
+    warn!("/execute request {req_id} error: {e:#}");
+  }
+
+  let elapsed = timer.elapsed();
+  debug!("/execute request {req_id} | resolve time: {elapsed:?}");
+
+  res
+}
+
+trait BatchExecute {
+  type Resource: KomodoResource;
+  fn single_request(name: String) -> ExecuteRequest;
+}
+
+async fn batch_execute<E: BatchExecute>(
+  pattern: &str,
+  user: &User,
+) -> anyhow::Result<BatchExecutionResponse> {
+  let resources = list_full_for_user_using_pattern::<E::Resource>(
+    pattern,
+    Default::default(),
+    user,
+    PermissionLevel::Execute.into(),
+    &[],
+  )
+  .await?;
+  let futures = resources.into_iter().map(|resource| {
+    let user = user.clone();
+    async move {
+      inner_handler(E::single_request(resource.name.clone()), user)
+        .await
+        .map(|r| {
+          let ExecutionResult::Single(update) = r else {
+            unreachable!()
+          };
+          update
+        })
+        .map_err(|e| BatchExecutionResponseItemErr {
+          name: resource.name,
+          error: e.into(),
+        })
+        .into()
+    }
+  });
+  Ok(join_all(futures).await)
+}

bin/core/src/api/execute/procedure.rs

@@ -0,0 +1,170 @@
+use std::pin::Pin;
+
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
+use formatting::{Color, bold, colored, format_serror, muted};
+use komodo_client::{
+  api::execute::{
+    BatchExecutionResponse, BatchRunProcedure, RunProcedure,
+  },
+  entities::{
+    alert::{Alert, AlertData, SeverityLevel},
+    komodo_timestamp,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    update::Update,
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+use tokio::sync::Mutex;
+
+use crate::{
+  alert::send_alerts,
+  helpers::{procedure::execute_procedure, update::update_update},
+  permission::get_check_permissions,
+  resource::refresh_procedure_state_cache,
+  state::{action_states, db_client},
+};
+
+use super::{ExecuteArgs, ExecuteRequest};
+
+impl super::BatchExecute for BatchRunProcedure {
+  type Resource = Procedure;
+  fn single_request(procedure: String) -> ExecuteRequest {
+    ExecuteRequest::RunProcedure(RunProcedure { procedure })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchRunProcedure {
+  #[instrument(name = "BatchRunProcedure", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchRunProcedure>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for RunProcedure {
+  #[instrument(name = "RunProcedure", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    Ok(
+      resolve_inner(self.procedure, user.clone(), update.clone())
+        .await?,
+    )
+  }
+}
+
+fn resolve_inner(
+  procedure: String,
+  user: User,
+  mut update: Update,
+) -> Pin<
+  Box<
+    dyn std::future::Future<Output = anyhow::Result<Update>> + Send,
+  >,
+> {
+  Box::pin(async move {
+    let procedure = get_check_permissions::<Procedure>(
+      &procedure,
+      &user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    // Need to push the initial log, as execute_procedure
+    // assumes first log is already created
+    // and will panic otherwise.
+    update.push_simple_log(
+      "Execute procedure",
+      format!(
+        "{}: executing procedure '{}'",
+        muted("INFO"),
+        bold(&procedure.name)
+      ),
+    );
+
+    // get the action state for the procedure (or insert default).
+    let action_state = action_states()
+      .procedure
+      .get_or_insert_default(&procedure.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure procedure not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.running = true)?;
+
+    update_update(update.clone()).await?;
+
+    let update = Mutex::new(update);
+
+    let res = execute_procedure(&procedure, &update).await;
+
+    let mut update = update.into_inner();
+
+    match res {
+      Ok(_) => {
+        update.push_simple_log(
+          "Execution ok",
+          format!(
+            "{}: The procedure has {} with no errors",
+            muted("INFO"),
+            colored("completed", Color::Green)
+          ),
+        );
+      }
+      Err(e) => update
+        .push_error_log("execution error", format_serror(&e.into())),
+    }
+
+    update.finalize();
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with add_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db_client().updates,
+        &update.id,
+        database::mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_procedure_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    if !update.success && procedure.config.failure_alert {
+      warn!("procedure unsuccessful, alerting...");
+      let target = update.target.clone();
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: komodo_timestamp(),
+          resolved_ts: Some(komodo_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::ProcedureFailed {
+            id: procedure.id,
+            name: procedure.name,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
+    Ok(update)
+  })
+}

bin/core/src/api/execute/repo.rs

@@ -0,0 +1,730 @@
+use std::{collections::HashSet, future::IntoFuture, time::Duration};
+
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  mongodb::{
+    bson::{doc, to_document},
+    options::FindOneOptions,
+  },
+};
+use formatting::format_serror;
+use interpolate::Interpolator;
+use komodo_client::{
+  api::{execute::*, write::RefreshRepoCache},
+  entities::{
+    alert::{Alert, AlertData, SeverityLevel},
+    builder::{Builder, BuilderConfig},
+    komodo_timestamp,
+    permission::PermissionLevel,
+    repo::Repo,
+    server::Server,
+    update::{Log, Update},
+  },
+};
+use periphery_client::api;
+use resolver_api::Resolve;
+use tokio_util::sync::CancellationToken;
+
+use crate::{
+  alert::send_alerts,
+  api::write::WriteArgs,
+  helpers::{
+    builder::{cleanup_builder_instance, get_builder_periphery},
+    channel::repo_cancel_channel,
+    git_token, periphery_client,
+    query::{VariablesAndSecrets, get_variables_and_secrets},
+    update::update_update,
+  },
+  permission::get_check_permissions,
+  resource::{self, refresh_repo_state_cache},
+  state::{action_states, db_client},
+};
+
+use super::{ExecuteArgs, ExecuteRequest};
+
+impl super::BatchExecute for BatchCloneRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchCloneRepo {
+  #[instrument(name = "BatchCloneRepo", skip( user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchCloneRepo>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for CloneRepo {
+  #[instrument(name = "CloneRepo", skip( user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let mut repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure repo not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.cloning = true)?;
+
+    let mut update = update.clone();
+    update_update(update.clone()).await?;
+
+    if repo.config.server_id.is_empty() {
+      return Err(anyhow!("repo has no server attached").into());
+    }
+
+    let git_token = git_token(
+      &repo.config.git_provider,
+      &repo.config.git_account,
+      |https| repo.config.git_https = https,
+    )
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", repo.config.git_provider, repo.config.git_account),
+    )?;
+
+    let server =
+      resource::get::<Server>(&repo.config.server_id).await?;
+
+    let periphery = periphery_client(&server)?;
+
+    // interpolate variables / secrets, returning the sanitizing replacers to send to
+    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
+    let secret_replacers =
+      interpolate(&mut repo, &mut update).await?;
+
+    let logs = match periphery
+      .request(api::git::CloneRepo {
+        args: (&repo).into(),
+        git_token,
+        environment: repo.config.env_vars()?,
+        env_file_path: repo.config.env_file_path,
+        on_clone: repo.config.on_clone.into(),
+        on_pull: repo.config.on_pull.into(),
+        skip_secret_interp: repo.config.skip_secret_interp,
+        replacers: secret_replacers.into_iter().collect(),
+      })
+      .await
+    {
+      Ok(res) => res.res.logs,
+      Err(e) => {
+        vec![Log::error(
+          "Clone Repo",
+          format_serror(&e.context("Failed to clone repo").into()),
+        )]
+      }
+    };
+
+    update.logs.extend(logs);
+    update.finalize();
+
+    if update.success {
+      update_last_pulled_time(&repo.name).await;
+    }
+
+    if let Err(e) = (RefreshRepoCache { repo: repo.id })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+      .map_err(|e| e.error)
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
+    handle_repo_update_return(update).await
+  }
+}
+
+impl super::BatchExecute for BatchPullRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::PullRepo(PullRepo { repo })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchPullRepo {
+  #[instrument(name = "BatchPullRepo", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchPullRepo>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for PullRepo {
+  #[instrument(name = "PullRepo", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let mut repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure repo not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.pulling = true)?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    if repo.config.server_id.is_empty() {
+      return Err(anyhow!("repo has no server attached").into());
+    }
+
+    let git_token = git_token(
+      &repo.config.git_provider,
+      &repo.config.git_account,
+      |https| repo.config.git_https = https,
+    )
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", repo.config.git_provider, repo.config.git_account),
+    )?;
+
+    let server =
+      resource::get::<Server>(&repo.config.server_id).await?;
+
+    let periphery = periphery_client(&server)?;
+
+    // interpolate variables / secrets, returning the sanitizing replacers to send to
+    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
+    let secret_replacers =
+      interpolate(&mut repo, &mut update).await?;
+
+    let logs = match periphery
+      .request(api::git::PullRepo {
+        args: (&repo).into(),
+        git_token,
+        environment: repo.config.env_vars()?,
+        env_file_path: repo.config.env_file_path,
+        on_pull: repo.config.on_pull.into(),
+        skip_secret_interp: repo.config.skip_secret_interp,
+        replacers: secret_replacers.into_iter().collect(),
+      })
+      .await
+    {
+      Ok(res) => {
+        update.commit_hash = res.res.commit_hash.unwrap_or_default();
+        res.res.logs
+      }
+      Err(e) => {
+        vec![Log::error(
+          "pull repo",
+          format_serror(&e.context("failed to pull repo").into()),
+        )]
+      }
+    };
+
+    update.logs.extend(logs);
+
+    update.finalize();
+
+    if update.success {
+      update_last_pulled_time(&repo.name).await;
+    }
+
+    if let Err(e) = (RefreshRepoCache { repo: repo.id })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+      .map_err(|e| e.error)
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
+    handle_repo_update_return(update).await
+  }
+}
+
+#[instrument(skip_all, fields(update_id = update.id))]
+async fn handle_repo_update_return(
+  update: Update,
+) -> serror::Result<Update> {
+  // Need to manually update the update before cache refresh,
+  // and before broadcast with add_update.
+  // The Err case of to_document should be unreachable,
+  // but will fail to update cache in that case.
+  if let Ok(update_doc) = to_document(&update) {
+    let _ = update_one_by_id(
+      &db_client().updates,
+      &update.id,
+      database::mungos::update::Update::Set(update_doc),
+      None,
+    )
+    .await;
+    refresh_repo_state_cache().await;
+  }
+  update_update(update.clone()).await?;
+  Ok(update)
+}
+
+#[instrument]
+async fn update_last_pulled_time(repo_name: &str) {
+  let res = db_client()
+    .repos
+    .update_one(
+      doc! { "name": repo_name },
+      doc! { "$set": { "info.last_pulled_at": komodo_timestamp() } },
+    )
+    .await;
+  if let Err(e) = res {
+    warn!(
+      "failed to update repo last_pulled_at | repo: {repo_name} | {e:#}",
+    );
+  }
+}
+
+impl super::BatchExecute for BatchBuildRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchBuildRepo {
+  #[instrument(name = "BatchBuildRepo", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchBuildRepo>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for BuildRepo {
+  #[instrument(name = "BuildRepo", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let mut repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    if repo.config.builder_id.is_empty() {
+      return Err(anyhow!("Must attach builder to BuildRepo").into());
+    }
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure repo not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.building = true)?;
+
+    let mut update = update.clone();
+    update_update(update.clone()).await?;
+
+    let git_token = git_token(
+      &repo.config.git_provider,
+      &repo.config.git_account,
+      |https| repo.config.git_https = https,
+    )
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", repo.config.git_provider, repo.config.git_account),
+    )?;
+
+    let cancel = CancellationToken::new();
+    let cancel_clone = cancel.clone();
+    let mut cancel_recv =
+      repo_cancel_channel().receiver.resubscribe();
+    let repo_id = repo.id.clone();
+
+    let builder =
+      resource::get::<Builder>(&repo.config.builder_id).await?;
+
+    let is_server_builder =
+      matches!(&builder.config, BuilderConfig::Server(_));
+
+    tokio::spawn(async move {
+      let poll = async {
+        loop {
+          let (incoming_repo_id, mut update) = tokio::select! {
+            _ = cancel_clone.cancelled() => return Ok(()),
+            id = cancel_recv.recv() => id?
+          };
+          if incoming_repo_id == repo_id {
+            if is_server_builder {
+              update.push_error_log("Cancel acknowledged", "Repo Build cancellation is not possible on server builders at this time. Use an AWS builder to enable this feature.");
+            } else {
+              update.push_simple_log("Cancel acknowledged", "The repo build cancellation has been queued, it may still take some time.");
+            }
+            update.finalize();
+            let id = update.id.clone();
+            if let Err(e) = update_update(update).await {
+              warn!("failed to modify Update {id} on db | {e:#}");
+            }
+            if !is_server_builder {
+              cancel_clone.cancel();
+            }
+            return Ok(());
+          }
+        }
+        #[allow(unreachable_code)]
+        anyhow::Ok(())
+      };
+      tokio::select! {
+        _ = cancel_clone.cancelled() => {}
+        _ = poll => {}
+      }
+    });
+
+    // GET BUILDER PERIPHERY
+
+    let (periphery, cleanup_data) = match get_builder_periphery(
+      repo.name.clone(),
+      None,
+      builder,
+      &mut update,
+    )
+    .await
+    {
+      Ok(builder) => builder,
+      Err(e) => {
+        warn!("failed to get builder for repo {} | {e:#}", repo.name);
+        update.logs.push(Log::error(
+          "get builder",
+          format_serror(&e.context("failed to get builder").into()),
+        ));
+        return handle_builder_early_return(
+          update, repo.id, repo.name, false,
+        )
+        .await;
+      }
+    };
+
+    // CLONE REPO
+
+    // interpolate variables / secrets, returning the sanitizing replacers to send to
+    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
+    let secret_replacers =
+      interpolate(&mut repo, &mut update).await?;
+
+    let res = tokio::select! {
+      res = periphery
+        .request(api::git::CloneRepo {
+          args: (&repo).into(),
+          git_token,
+          environment: repo.config.env_vars()?,
+          env_file_path: repo.config.env_file_path,
+          on_clone: repo.config.on_clone.into(),
+          on_pull: repo.config.on_pull.into(),
+          skip_secret_interp: repo.config.skip_secret_interp,
+          replacers: secret_replacers.into_iter().collect()
+        }) => res,
+      _ = cancel.cancelled() => {
+        debug!("build cancelled during clone, cleaning up builder");
+        update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
+        cleanup_builder_instance(cleanup_data, &mut update)
+          .await;
+        info!("builder cleaned up");
+        return handle_builder_early_return(update, repo.id, repo.name, true).await
+      },
+    };
+
+    let commit_message = match res {
+      Ok(res) => {
+        debug!("finished repo clone");
+        update.logs.extend(res.res.logs);
+        update.commit_hash = res.res.commit_hash.unwrap_or_default();
+
+        res.res.commit_message.unwrap_or_default()
+      }
+      Err(e) => {
+        update.push_error_log(
+          "Clone Repo",
+          format_serror(&e.context("Failed to clone repo").into()),
+        );
+        Default::default()
+      }
+    };
+
+    update.finalize();
+
+    let db = db_client();
+
+    if update.success {
+      let _ = db
+        .repos
+        .update_one(
+          doc! { "name": &repo.name },
+          doc! { "$set": {
+            "info.last_built_at": komodo_timestamp(),
+            "info.built_hash": &update.commit_hash,
+            "info.built_message": commit_message
+          }},
+        )
+        .await;
+    }
+
+    // stop the cancel listening task from going forever
+    cancel.cancel();
+
+    // If building on temporary cloud server (AWS),
+    // this will terminate the server.
+    cleanup_builder_instance(cleanup_data, &mut update).await;
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with add_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db.updates,
+        &update.id,
+        database::mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_repo_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    if !update.success {
+      warn!("repo build unsuccessful, alerting...");
+      let target = update.target.clone();
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: komodo_timestamp(),
+          resolved_ts: Some(komodo_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::RepoBuildFailed {
+            id: repo.id,
+            name: repo.name,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
+    Ok(update)
+  }
+}
+
+#[instrument(skip(update))]
+async fn handle_builder_early_return(
+  mut update: Update,
+  repo_id: String,
+  repo_name: String,
+  is_cancel: bool,
+) -> serror::Result<Update> {
+  update.finalize();
+  // Need to manually update the update before cache refresh,
+  // and before broadcast with add_update.
+  // The Err case of to_document should be unreachable,
+  // but will fail to update cache in that case.
+  if let Ok(update_doc) = to_document(&update) {
+    let _ = update_one_by_id(
+      &db_client().updates,
+      &update.id,
+      database::mungos::update::Update::Set(update_doc),
+      None,
+    )
+    .await;
+    refresh_repo_state_cache().await;
+  }
+  update_update(update.clone()).await?;
+  if !update.success && !is_cancel {
+    warn!("repo build unsuccessful, alerting...");
+    let target = update.target.clone();
+    tokio::spawn(async move {
+      let alert = Alert {
+        id: Default::default(),
+        target,
+        ts: komodo_timestamp(),
+        resolved_ts: Some(komodo_timestamp()),
+        resolved: true,
+        level: SeverityLevel::Warning,
+        data: AlertData::RepoBuildFailed {
+          id: repo_id,
+          name: repo_name,
+        },
+      };
+      send_alerts(&[alert]).await
+    });
+  }
+  Ok(update)
+}
+
+#[instrument(skip_all)]
+pub async fn validate_cancel_repo_build(
+  request: &ExecuteRequest,
+) -> anyhow::Result<()> {
+  if let ExecuteRequest::CancelRepoBuild(req) = request {
+    let repo = resource::get::<Repo>(&req.repo).await?;
+
+    let db = db_client();
+
+    let (latest_build, latest_cancel) = tokio::try_join!(
+      db.updates
+        .find_one(doc! {
+          "operation": "BuildRepo",
+          "target.id": &repo.id,
+        },)
+        .with_options(
+          FindOneOptions::builder()
+            .sort(doc! { "start_ts": -1 })
+            .build()
+        )
+        .into_future(),
+      db.updates
+        .find_one(doc! {
+          "operation": "CancelRepoBuild",
+          "target.id": &repo.id,
+        },)
+        .with_options(
+          FindOneOptions::builder()
+            .sort(doc! { "start_ts": -1 })
+            .build()
+        )
+        .into_future()
+    )?;
+
+    match (latest_build, latest_cancel) {
+      (Some(build), Some(cancel)) => {
+        if cancel.start_ts > build.start_ts {
+          return Err(anyhow!(
+            "Repo build has already been cancelled"
+          ));
+        }
+      }
+      (None, _) => return Err(anyhow!("No repo build in progress")),
+      _ => {}
+    };
+  }
+  Ok(())
+}
+
+impl Resolve<ExecuteArgs> for CancelRepoBuild {
+  #[instrument(name = "CancelRepoBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    // make sure the build is building
+    if !action_states()
+      .repo
+      .get(&repo.id)
+      .await
+      .and_then(|s| s.get().ok().map(|s| s.building))
+      .unwrap_or_default()
+    {
+      return Err(anyhow!("Repo is not building.").into());
+    }
+
+    let mut update = update.clone();
+
+    update.push_simple_log(
+      "cancel triggered",
+      "the repo build cancel has been triggered",
+    );
+    update_update(update.clone()).await?;
+
+    repo_cancel_channel()
+      .sender
+      .lock()
+      .await
+      .send((repo.id, update.clone()))?;
+
+    // Make sure cancel is set to complete after some time in case
+    // no reciever is there to do it. Prevents update stuck in InProgress.
+    let update_id = update.id.clone();
+    tokio::spawn(async move {
+      tokio::time::sleep(Duration::from_secs(60)).await;
+      if let Err(e) = update_one_by_id(
+        &db_client().updates,
+        &update_id,
+        doc! { "$set": { "status": "Complete" } },
+        None,
+      )
+      .await
+      {
+        warn!(
+          "failed to set CancelRepoBuild Update status Complete after timeout | {e:#}"
+        )
+      }
+    });
+
+    Ok(update)
+  }
+}
+
+async fn interpolate(
+  repo: &mut Repo,
+  update: &mut Update,
+) -> anyhow::Result<HashSet<(String, String)>> {
+  if !repo.config.skip_secret_interp {
+    let VariablesAndSecrets { variables, secrets } =
+      get_variables_and_secrets().await?;
+
+    let mut interpolator =
+      Interpolator::new(Some(&variables), &secrets);
+
+    interpolator
+      .interpolate_repo(repo)?
+      .push_logs(&mut update.logs);
+
+    Ok(interpolator.secret_replacers)
+  } else {
+    Ok(Default::default())
+  }
+}

bin/core/src/api/execute/sync.rs

@@ -0,0 +1,542 @@
+use std::{collections::HashMap, str::FromStr};
+
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  mongodb::bson::{doc, oid::ObjectId},
+};
+use formatting::{Color, colored, format_serror};
+use komodo_client::{
+  api::{execute::RunSync, write::RefreshResourceSyncPending},
+  entities::{
+    self, ResourceTargetVariant,
+    action::Action,
+    alerter::Alerter,
+    build::Build,
+    builder::Builder,
+    deployment::Deployment,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    repo::Repo,
+    server::Server,
+    stack::Stack,
+    sync::ResourceSync,
+    update::{Log, Update},
+    user::sync_user,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  api::write::WriteArgs,
+  helpers::{
+    all_resources::AllResourcesById, query::get_id_to_tags,
+    update::update_update,
+  },
+  permission::get_check_permissions,
+  state::{action_states, db_client},
+  sync::{
+    ResourceSyncTrait,
+    deploy::{
+      SyncDeployParams, build_deploy_cache, deploy_from_cache,
+    },
+    execute::{ExecuteResourceSync, get_updates_for_execution},
+    remote::RemoteResources,
+  },
+};
+
+use super::ExecuteArgs;
+
+impl Resolve<ExecuteArgs> for RunSync {
+  #[instrument(name = "RunSync", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let RunSync {
+      sync,
+      resource_type: match_resource_type,
+      resources: match_resources,
+    } = self;
+    let sync = get_check_permissions::<entities::sync::ResourceSync>(
+      &sync,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let repo = if !sync.config.files_on_host
+      && !sync.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&sync.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
+    // get the action state for the sync (or insert default).
+    let action_state = action_states()
+      .resource_sync
+      .get_or_insert_default(&sync.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure sync not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.syncing = true)?;
+
+    let mut update = update.clone();
+
+    // Send update here for FE to recheck action state
+    update_update(update.clone()).await?;
+
+    let RemoteResources {
+      resources,
+      logs,
+      hash,
+      message,
+      file_errors,
+      ..
+    } =
+      crate::sync::remote::get_remote_resources(&sync, repo.as_ref())
+        .await
+        .context("failed to get remote resources")?;
+
+    update.logs.extend(logs);
+    update_update(update.clone()).await?;
+
+    if !file_errors.is_empty() {
+      return Err(
+        anyhow!("Found file errors. Cannot execute sync.").into(),
+      );
+    }
+
+    let resources = resources?;
+
+    let id_to_tags = get_id_to_tags(None).await?;
+    let all_resources = AllResourcesById::load().await?;
+    // Convert all match_resources to names
+    let match_resources = match_resources.map(|resources| {
+      resources
+        .into_iter()
+        .filter_map(|name_or_id| {
+          let Some(resource_type) = match_resource_type else {
+            return Some(name_or_id);
+          };
+          match ObjectId::from_str(&name_or_id) {
+            Ok(_) => match resource_type {
+              ResourceTargetVariant::Alerter => all_resources
+                .alerters
+                .get(&name_or_id)
+                .map(|a| a.name.clone()),
+              ResourceTargetVariant::Build => all_resources
+                .builds
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Builder => all_resources
+                .builders
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Deployment => all_resources
+                .deployments
+                .get(&name_or_id)
+                .map(|d| d.name.clone()),
+              ResourceTargetVariant::Procedure => all_resources
+                .procedures
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
+              ResourceTargetVariant::Action => all_resources
+                .actions
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
+              ResourceTargetVariant::Repo => all_resources
+                .repos
+                .get(&name_or_id)
+                .map(|r| r.name.clone()),
+              ResourceTargetVariant::Server => all_resources
+                .servers
+                .get(&name_or_id)
+                .map(|s| s.name.clone()),
+              ResourceTargetVariant::Stack => all_resources
+                .stacks
+                .get(&name_or_id)
+                .map(|s| s.name.clone()),
+              ResourceTargetVariant::ResourceSync => all_resources
+                .syncs
+                .get(&name_or_id)
+                .map(|s| s.name.clone()),
+              ResourceTargetVariant::System => None,
+            },
+            Err(_) => Some(name_or_id),
+          }
+        })
+        .collect::<Vec<_>>()
+    });
+
+    let deployments_by_name = all_resources
+      .deployments
+      .values()
+      .filter(|deployment| {
+        Deployment::include_resource(
+          &deployment.name,
+          &deployment.config,
+          match_resource_type,
+          match_resources.as_deref(),
+          &deployment.tags,
+          &id_to_tags,
+          &sync.config.match_tags,
+        )
+      })
+      .map(|deployment| (deployment.name.clone(), deployment.clone()))
+      .collect::<HashMap<_, _>>();
+    let stacks_by_name = all_resources
+      .stacks
+      .values()
+      .filter(|stack| {
+        Stack::include_resource(
+          &stack.name,
+          &stack.config,
+          match_resource_type,
+          match_resources.as_deref(),
+          &stack.tags,
+          &id_to_tags,
+          &sync.config.match_tags,
+        )
+      })
+      .map(|stack| (stack.name.clone(), stack.clone()))
+      .collect::<HashMap<_, _>>();
+
+    let deploy_cache = build_deploy_cache(SyncDeployParams {
+      deployments: &resources.deployments,
+      deployment_map: &deployments_by_name,
+      stacks: &resources.stacks,
+      stack_map: &stacks_by_name,
+    })
+    .await?;
+
+    let delete = sync.config.managed || sync.config.delete;
+
+    let server_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Server>(
+        resources.servers,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let stack_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Stack>(
+        resources.stacks,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let deployment_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Deployment>(
+        resources.deployments,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let build_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Build>(
+        resources.builds,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let repo_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Repo>(
+        resources.repos,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let procedure_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Procedure>(
+        resources.procedures,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let action_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Action>(
+        resources.actions,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let builder_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Builder>(
+        resources.builders,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let alerter_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Alerter>(
+        resources.alerters,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let resource_sync_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<entities::sync::ResourceSync>(
+        resources.resource_syncs,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+
+    let (
+      variables_to_create,
+      variables_to_update,
+      variables_to_delete,
+    ) = if match_resource_type.is_none()
+      && match_resources.is_none()
+      && sync.config.include_variables
+    {
+      crate::sync::variables::get_updates_for_execution(
+        resources.variables,
+        delete,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let (
+      user_groups_to_create,
+      user_groups_to_update,
+      user_groups_to_delete,
+    ) = if match_resource_type.is_none()
+      && match_resources.is_none()
+      && sync.config.include_user_groups
+    {
+      crate::sync::user_groups::get_updates_for_execution(
+        resources.user_groups,
+        delete,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+
+    if deploy_cache.is_empty()
+      && resource_sync_deltas.no_changes()
+      && server_deltas.no_changes()
+      && deployment_deltas.no_changes()
+      && stack_deltas.no_changes()
+      && build_deltas.no_changes()
+      && builder_deltas.no_changes()
+      && alerter_deltas.no_changes()
+      && repo_deltas.no_changes()
+      && procedure_deltas.no_changes()
+      && action_deltas.no_changes()
+      && user_groups_to_create.is_empty()
+      && user_groups_to_update.is_empty()
+      && user_groups_to_delete.is_empty()
+      && variables_to_create.is_empty()
+      && variables_to_update.is_empty()
+      && variables_to_delete.is_empty()
+    {
+      update.push_simple_log(
+        "No Changes",
+        format!(
+          "{}. exiting.",
+          colored("nothing to do", Color::Green)
+        ),
+      );
+      update.finalize();
+      update_update(update.clone()).await?;
+      return Ok(update);
+    }
+
+    // =================
+
+    // No deps
+    maybe_extend(
+      &mut update.logs,
+      crate::sync::variables::run_updates(
+        variables_to_create,
+        variables_to_update,
+        variables_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      crate::sync::user_groups::run_updates(
+        user_groups_to_create,
+        user_groups_to_update,
+        user_groups_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      ResourceSync::execute_sync_updates(resource_sync_deltas).await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Server::execute_sync_updates(server_deltas).await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Alerter::execute_sync_updates(alerter_deltas).await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Action::execute_sync_updates(action_deltas).await,
+    );
+
+    // Dependent on server
+    maybe_extend(
+      &mut update.logs,
+      Builder::execute_sync_updates(builder_deltas).await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Repo::execute_sync_updates(repo_deltas).await,
+    );
+
+    // Dependant on builder
+    maybe_extend(
+      &mut update.logs,
+      Build::execute_sync_updates(build_deltas).await,
+    );
+
+    // Dependant on server / build
+    maybe_extend(
+      &mut update.logs,
+      Deployment::execute_sync_updates(deployment_deltas).await,
+    );
+    // stack only depends on server, but maybe will depend on build later.
+    maybe_extend(
+      &mut update.logs,
+      Stack::execute_sync_updates(stack_deltas).await,
+    );
+
+    // Dependant on everything
+    maybe_extend(
+      &mut update.logs,
+      Procedure::execute_sync_updates(procedure_deltas).await,
+    );
+
+    // Execute the deploy cache
+    deploy_from_cache(deploy_cache, &mut update.logs).await;
+
+    let db = db_client();
+
+    if let Err(e) = update_one_by_id(
+      &db.resource_syncs,
+      &sync.id,
+      doc! {
+        "$set": {
+          "info.last_sync_ts": komodo_timestamp(),
+          "info.last_sync_hash": hash,
+          "info.last_sync_message": message,
+        }
+      },
+      None,
+    )
+    .await
+    {
+      warn!(
+        "failed to update resource sync {} info after sync | {e:#}",
+        sync.name
+      )
+    }
+
+    if let Err(e) = (RefreshResourceSyncPending { sync: sync.id })
+      .resolve(&WriteArgs {
+        user: sync_user().to_owned(),
+      })
+      .await
+    {
+      warn!(
+        "failed to refresh sync {} after run | {:#}",
+        sync.name, e.error
+      );
+      update.push_error_log(
+        "refresh sync",
+        format_serror(
+          &e.error
+            .context("failed to refresh sync pending after run")
+            .into(),
+        ),
+      );
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+fn maybe_extend(logs: &mut Vec<Log>, log: Option<Log>) {
+  if let Some(log) = log {
+    logs.push(log);
+  }
+}

bin/core/src/api/mod.rs

@@ -0,0 +1,11 @@
+pub mod auth;
+pub mod execute;
+pub mod read;
+pub mod terminal;
+pub mod user;
+pub mod write;
+
+#[derive(serde::Deserialize)]
+struct Variant {
+  variant: String,
+}

bin/core/src/api/read/action.rs

@@ -0,0 +1,147 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    action::{
+      Action, ActionActionState, ActionListItem, ActionState,
+    },
+    permission::PermissionLevel,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_all_tags,
+  permission::get_check_permissions,
+  resource,
+  state::{action_state_cache, action_states},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetAction {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Action> {
+    Ok(
+      get_check_permissions::<Action>(
+        &self.action,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListActions {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<ActionListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Action>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullActions {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullActionsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Action>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetActionActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ActionActionState> {
+    let action = get_check_permissions::<Action>(
+      &self.action,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .action
+      .get(&action.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetActionsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetActionsSummaryResponse> {
+    let actions = resource::list_full_for_user::<Action>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get actions from db")?;
+
+    let mut res = GetActionsSummaryResponse::default();
+
+    let cache = action_state_cache();
+    let action_states = action_states();
+
+    for action in actions {
+      res.total += 1;
+
+      match (
+        cache.get(&action.id).await.unwrap_or_default(),
+        action_states
+          .action
+          .get(&action.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.running => {
+          res.running += 1;
+        }
+        (ActionState::Ok, _) => res.ok += 1,
+        (ActionState::Failed, _) => res.failed += 1,
+        (ActionState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the running state, since that comes from action states
+        (ActionState::Running, _) => unreachable!(),
+      }
+    }
+
+    Ok(res)
+  }
+}

bin/core/src/api/read/alert.rs

@@ -0,0 +1,88 @@
+use anyhow::Context;
+use database::mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use komodo_client::{
+  api::read::{
+    GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
+  },
+  entities::{
+    deployment::Deployment, server::Server, stack::Stack,
+    sync::ResourceSync,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config, permission::get_resource_ids_for_user,
+  state::db_client,
+};
+
+use super::ReadArgs;
+
+const NUM_ALERTS_PER_PAGE: u64 = 100;
+
+impl Resolve<ReadArgs> for ListAlerts {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListAlertsResponse> {
+    let mut query = self.query.unwrap_or_default();
+    if !user.admin && !core_config().transparent_mode {
+      let server_ids =
+        get_resource_ids_for_user::<Server>(user).await?;
+      let stack_ids =
+        get_resource_ids_for_user::<Stack>(user).await?;
+      let deployment_ids =
+        get_resource_ids_for_user::<Deployment>(user).await?;
+      let sync_ids =
+        get_resource_ids_for_user::<ResourceSync>(user).await?;
+      query.extend(doc! {
+        "$or": [
+          { "target.type": "Server", "target.id": { "$in": &server_ids } },
+          { "target.type": "Stack", "target.id": { "$in": &stack_ids } },
+          { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
+          { "target.type": "ResourceSync", "target.id": { "$in": &sync_ids } },
+        ]
+      });
+    }
+
+    let alerts = find_collect(
+      &db_client().alerts,
+      query,
+      FindOptions::builder()
+        .sort(doc! { "ts": -1 })
+        .limit(NUM_ALERTS_PER_PAGE as i64)
+        .skip(self.page * NUM_ALERTS_PER_PAGE)
+        .build(),
+    )
+    .await
+    .context("failed to get alerts from db")?;
+
+    let next_page = if alerts.len() < NUM_ALERTS_PER_PAGE as usize {
+      None
+    } else {
+      Some((self.page + 1) as i64)
+    };
+
+    let res = ListAlertsResponse { next_page, alerts };
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetAlert {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetAlertResponse> {
+    Ok(
+      find_one_by_id(&db_client().alerts, &self.id)
+        .await
+        .context("failed to query db for alert")?
+        .context("no alert found with given id")?,
+    )
+  }
+}

bin/core/src/api/read/alerter.rs

@@ -0,0 +1,105 @@
+use anyhow::Context;
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    alerter::{Alerter, AlerterListItem},
+    permission::PermissionLevel,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_all_tags, permission::get_check_permissions,
+  resource, state::db_client,
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetAlerter {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Alerter> {
+    Ok(
+      get_check_permissions::<Alerter>(
+        &self.alerter,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListAlerters {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<AlerterListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Alerter>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullAlerters {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullAlertersResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Alerter>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetAlertersSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetAlertersSummaryResponse> {
+    let query = match resource::get_resource_object_ids_for_user::<
+      Alerter,
+    >(user)
+    .await?
+    {
+      Some(ids) => doc! {
+        "_id": { "$in": ids }
+      },
+      None => Document::new(),
+    };
+    let total = db_client()
+      .alerters
+      .count_documents(query)
+      .await
+      .context("failed to count all alerter documents")?;
+    let res = GetAlertersSummaryResponse {
+      total: total as u32,
+    };
+    Ok(res)
+  }
+}

bin/core/src/api/read/build.rs

@@ -0,0 +1,386 @@
+use std::collections::{HashMap, HashSet};
+
+use anyhow::Context;
+use async_timing_util::unix_timestamp_ms;
+use database::mungos::{
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use futures::TryStreamExt;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    Operation,
+    build::{Build, BuildActionState, BuildListItem, BuildState},
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    update::UpdateStatus,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::query::get_all_tags,
+  permission::get_check_permissions,
+  resource,
+  state::{
+    action_states, build_state_cache, db_client, github_client,
+  },
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetBuild {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Build> {
+    Ok(
+      get_check_permissions::<Build>(
+        &self.build,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListBuilds {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<BuildListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Build>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullBuilds {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullBuildsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Build>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetBuildActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<BuildActionState> {
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .build
+      .get(&build.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetBuildsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetBuildsSummaryResponse> {
+    let builds = resource::list_full_for_user::<Build>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get all builds")?;
+
+    let mut res = GetBuildsSummaryResponse::default();
+
+    let cache = build_state_cache();
+    let action_states = action_states();
+
+    for build in builds {
+      res.total += 1;
+
+      match (
+        cache.get(&build.id).await.unwrap_or_default(),
+        action_states
+          .build
+          .get(&build.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.building => {
+          res.building += 1;
+        }
+        (BuildState::Ok, _) => res.ok += 1,
+        (BuildState::Failed, _) => res.failed += 1,
+        (BuildState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the building state, since that comes from action states
+        (BuildState::Building, _) => unreachable!(),
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+const ONE_DAY_MS: i64 = 86400000;
+
+impl Resolve<ReadArgs> for GetBuildMonthlyStats {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetBuildMonthlyStatsResponse> {
+    let curr_ts = unix_timestamp_ms() as i64;
+    let next_day = curr_ts - curr_ts % ONE_DAY_MS + ONE_DAY_MS;
+
+    let close_ts = next_day - self.page as i64 * 30 * ONE_DAY_MS;
+    let open_ts = close_ts - 30 * ONE_DAY_MS;
+
+    let mut build_updates = db_client()
+      .updates
+      .find(doc! {
+        "start_ts": {
+          "$gte": open_ts,
+          "$lt": close_ts
+        },
+        "operation": Operation::RunBuild.to_string(),
+      })
+      .await
+      .context("failed to get updates cursor")?;
+
+    let mut days = HashMap::<i64, BuildStatsDay>::with_capacity(32);
+
+    let mut curr = open_ts;
+
+    while curr < close_ts {
+      let stats = BuildStatsDay {
+        ts: curr as f64,
+        ..Default::default()
+      };
+      days.insert(curr, stats);
+      curr += ONE_DAY_MS;
+    }
+
+    while let Some(update) = build_updates.try_next().await? {
+      if let Some(end_ts) = update.end_ts {
+        let day = update.start_ts - update.start_ts % ONE_DAY_MS;
+        let entry = days.entry(day).or_default();
+        entry.count += 1.0;
+        entry.time += ms_to_hour(end_ts - update.start_ts);
+      }
+    }
+
+    Ok(GetBuildMonthlyStatsResponse::new(
+      days.into_values().collect(),
+    ))
+  }
+}
+
+const MS_TO_HOUR_DIVISOR: f64 = 1000.0 * 60.0 * 60.0;
+fn ms_to_hour(duration: i64) -> f64 {
+  duration as f64 / MS_TO_HOUR_DIVISOR
+}
+
+impl Resolve<ReadArgs> for ListBuildVersions {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<BuildVersionResponseItem>> {
+    let ListBuildVersions {
+      build,
+      major,
+      minor,
+      patch,
+      limit,
+    } = self;
+    let build = get_check_permissions::<Build>(
+      &build,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+
+    let mut filter = doc! {
+      "target": {
+        "type": "Build",
+        "id": build.id
+      },
+      "operation": Operation::RunBuild.to_string(),
+      "status": UpdateStatus::Complete.to_string(),
+      "success": true
+    };
+    if let Some(major) = major {
+      filter.insert("version.major", major);
+    }
+    if let Some(minor) = minor {
+      filter.insert("version.minor", minor);
+    }
+    if let Some(patch) = patch {
+      filter.insert("version.patch", patch);
+    }
+
+    let versions = find_collect(
+      &db_client().updates,
+      filter,
+      FindOptions::builder()
+        .sort(doc! { "_id": -1 })
+        .limit(limit)
+        .build(),
+    )
+    .await
+    .context("failed to pull versions from mongo")?
+    .into_iter()
+    .map(|u| (u.version, u.start_ts))
+    .filter(|(v, _)| !v.is_none())
+    .map(|(version, ts)| BuildVersionResponseItem { version, ts })
+    .collect();
+    Ok(versions)
+  }
+}
+
+impl Resolve<ReadArgs> for ListCommonBuildExtraArgs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListCommonBuildExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let builds = resource::list_full_for_user::<Build>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;
+
+    // first collect with guaranteed uniqueness
+    let mut res = HashSet::<String>::new();
+
+    for build in builds {
+      for extra_arg in build.config.extra_args {
+        res.insert(extra_arg);
+      }
+    }
+
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetBuildWebhookEnabled {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetBuildWebhookEnabledResponse> {
+    let Some(github) = github_client() else {
+      return Ok(GetBuildWebhookEnabledResponse {
+        managed: false,
+        enabled: false,
+      });
+    };
+
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+
+    if build.config.git_provider != "github.com"
+      || build.config.repo.is_empty()
+    {
+      return Ok(GetBuildWebhookEnabledResponse {
+        managed: false,
+        enabled: false,
+      });
+    }
+
+    let mut split = build.config.repo.split('/');
+    let owner = split.next().context("Build repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Ok(GetBuildWebhookEnabledResponse {
+        managed: false,
+        enabled: false,
+      });
+    };
+
+    let repo =
+      split.next().context("Build repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = format!("{host}/listener/github/build/{}", build.id);
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        return Ok(GetBuildWebhookEnabledResponse {
+          managed: true,
+          enabled: true,
+        });
+      }
+    }
+
+    Ok(GetBuildWebhookEnabledResponse {
+      managed: true,
+      enabled: false,
+    })
+  }
+}

bin/core/src/api/read/builder.rs

@@ -0,0 +1,105 @@
+use anyhow::Context;
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    builder::{Builder, BuilderListItem},
+    permission::PermissionLevel,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_all_tags, permission::get_check_permissions,
+  resource, state::db_client,
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetBuilder {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Builder> {
+    Ok(
+      get_check_permissions::<Builder>(
+        &self.builder,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListBuilders {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<BuilderListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Builder>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullBuilders {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullBuildersResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Builder>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetBuildersSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetBuildersSummaryResponse> {
+    let query = match resource::get_resource_object_ids_for_user::<
+      Builder,
+    >(user)
+    .await?
+    {
+      Some(ids) => doc! {
+        "_id": { "$in": ids }
+      },
+      None => Document::new(),
+    };
+    let total = db_client()
+      .builders
+      .count_documents(query)
+      .await
+      .context("failed to count all builder documents")?;
+    let res = GetBuildersSummaryResponse {
+      total: total as u32,
+    };
+    Ok(res)
+  }
+}

bin/core/src/api/read/deployment.rs

@@ -0,0 +1,367 @@
+use std::{cmp, collections::HashSet};
+
+use anyhow::{Context, anyhow};
+use komodo_client::{
+  api::read::*,
+  entities::{
+    deployment::{
+      Deployment, DeploymentActionState, DeploymentConfig,
+      DeploymentListItem, DeploymentState,
+    },
+    docker::container::{Container, ContainerStats},
+    permission::PermissionLevel,
+    server::{Server, ServerState},
+    update::Log,
+  },
+};
+use periphery_client::api::{self, container::InspectContainer};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{periphery_client, query::get_all_tags},
+  permission::get_check_permissions,
+  resource,
+  state::{
+    action_states, deployment_status_cache, server_status_cache,
+  },
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetDeployment {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Deployment> {
+    Ok(
+      get_check_permissions::<Deployment>(
+        &self.deployment,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListDeployments {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<DeploymentListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let only_update_available = self.query.specific.update_available;
+    let deployments = resource::list_for_user::<Deployment>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?;
+    let deployments = if only_update_available {
+      deployments
+        .into_iter()
+        .filter(|deployment| deployment.info.update_available)
+        .collect()
+    } else {
+      deployments
+    };
+    Ok(deployments)
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullDeployments {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullDeploymentsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Deployment>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetDeploymentContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetDeploymentContainerResponse> {
+    let deployment = get_check_permissions::<Deployment>(
+      &self.deployment,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let status = deployment_status_cache()
+      .get(&deployment.id)
+      .await
+      .unwrap_or_default();
+    let response = GetDeploymentContainerResponse {
+      state: status.curr.state,
+      container: status.curr.container.clone(),
+    };
+    Ok(response)
+  }
+}
+
+const MAX_LOG_LENGTH: u64 = 5000;
+
+impl Resolve<ReadArgs> for GetDeploymentLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Log> {
+    let GetDeploymentLog {
+      deployment,
+      tail,
+      timestamps,
+    } = self;
+    let Deployment {
+      name,
+      config: DeploymentConfig { server_id, .. },
+      ..
+    } = get_check_permissions::<Deployment>(
+      &deployment,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    if server_id.is_empty() {
+      return Ok(Log::default());
+    }
+    let server = resource::get::<Server>(&server_id).await?;
+    let res = periphery_client(&server)?
+      .request(api::container::GetContainerLog {
+        name,
+        tail: cmp::min(tail, MAX_LOG_LENGTH),
+        timestamps,
+      })
+      .await
+      .context("failed at call to periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for SearchDeploymentLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Log> {
+    let SearchDeploymentLog {
+      deployment,
+      terms,
+      combinator,
+      invert,
+      timestamps,
+    } = self;
+    let Deployment {
+      name,
+      config: DeploymentConfig { server_id, .. },
+      ..
+    } = get_check_permissions::<Deployment>(
+      &deployment,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    if server_id.is_empty() {
+      return Ok(Log::default());
+    }
+    let server = resource::get::<Server>(&server_id).await?;
+    let res = periphery_client(&server)?
+      .request(api::container::GetContainerLogSearch {
+        name,
+        terms,
+        combinator,
+        invert,
+        timestamps,
+      })
+      .await
+      .context("failed at call to periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDeploymentContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Container> {
+    let InspectDeploymentContainer { deployment } = self;
+    let Deployment {
+      name,
+      config: DeploymentConfig { server_id, .. },
+      ..
+    } = get_check_permissions::<Deployment>(
+      &deployment,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    if server_id.is_empty() {
+      return Err(
+        anyhow!(
+          "Cannot inspect deployment, not attached to any server"
+        )
+        .into(),
+      );
+    }
+    let server = resource::get::<Server>(&server_id).await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect container: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectContainer { name })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetDeploymentStats {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ContainerStats> {
+    let Deployment {
+      name,
+      config: DeploymentConfig { server_id, .. },
+      ..
+    } = get_check_permissions::<Deployment>(
+      &self.deployment,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    if server_id.is_empty() {
+      return Err(
+        anyhow!("deployment has no server attached").into(),
+      );
+    }
+    let server = resource::get::<Server>(&server_id).await?;
+    let res = periphery_client(&server)?
+      .request(api::container::GetContainerStats { name })
+      .await
+      .context("failed to get stats from periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetDeploymentActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<DeploymentActionState> {
+    let deployment = get_check_permissions::<Deployment>(
+      &self.deployment,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .deployment
+      .get(&deployment.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetDeploymentsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetDeploymentsSummaryResponse> {
+    let deployments = resource::list_full_for_user::<Deployment>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get deployments from db")?;
+    let mut res = GetDeploymentsSummaryResponse::default();
+    let status_cache = deployment_status_cache();
+    for deployment in deployments {
+      res.total += 1;
+      let status =
+        status_cache.get(&deployment.id).await.unwrap_or_default();
+      match status.curr.state {
+        DeploymentState::Running => {
+          res.running += 1;
+        }
+        DeploymentState::Exited | DeploymentState::Paused => {
+          res.stopped += 1;
+        }
+        DeploymentState::NotDeployed => {
+          res.not_deployed += 1;
+        }
+        DeploymentState::Unknown => {
+          res.unknown += 1;
+        }
+        _ => {
+          res.unhealthy += 1;
+        }
+      }
+    }
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListCommonDeploymentExtraArgs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListCommonDeploymentExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let deployments = resource::list_full_for_user::<Deployment>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;
+
+    // first collect with guaranteed uniqueness
+    let mut res = HashSet::<String>::new();
+
+    for deployment in deployments {
+      for extra_arg in deployment.config.extra_args {
+        res.insert(extra_arg);
+      }
+    }
+
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
+  }
+}

bin/core/src/api/read/mod.rs

@@ -0,0 +1,587 @@
+use std::{collections::HashSet, sync::OnceLock, time::Instant};
+
+use anyhow::{Context, anyhow};
+use axum::{
+  Extension, Router, extract::Path, middleware, routing::post,
+};
+use komodo_client::{
+  api::read::*,
+  entities::{
+    ResourceTarget,
+    build::Build,
+    builder::{Builder, BuilderConfig},
+    config::{DockerRegistry, GitProvider},
+    permission::PermissionLevel,
+    repo::Repo,
+    server::Server,
+    sync::ResourceSync,
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+use response::Response;
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use serror::Json;
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{
+  auth::auth_request, config::core_config, helpers::periphery_client,
+  resource,
+};
+
+use super::Variant;
+
+mod action;
+mod alert;
+mod alerter;
+mod build;
+mod builder;
+mod deployment;
+mod permission;
+mod procedure;
+mod provider;
+mod repo;
+mod schedule;
+mod server;
+mod stack;
+mod sync;
+mod tag;
+mod toml;
+mod update;
+mod user;
+mod user_group;
+mod variable;
+
+pub struct ReadArgs {
+  pub user: User,
+}
+
+#[typeshare]
+#[derive(Serialize, Deserialize, Debug, Clone, Resolve)]
+#[args(ReadArgs)]
+#[response(Response)]
+#[error(serror::Error)]
+#[serde(tag = "type", content = "params")]
+enum ReadRequest {
+  GetVersion(GetVersion),
+  GetCoreInfo(GetCoreInfo),
+  ListSecrets(ListSecrets),
+  ListGitProvidersFromConfig(ListGitProvidersFromConfig),
+  ListDockerRegistriesFromConfig(ListDockerRegistriesFromConfig),
+
+  // ==== USER ====
+  GetUsername(GetUsername),
+  GetPermission(GetPermission),
+  FindUser(FindUser),
+  ListUsers(ListUsers),
+  ListApiKeys(ListApiKeys),
+  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
+  ListPermissions(ListPermissions),
+  ListUserTargetPermissions(ListUserTargetPermissions),
+
+  // ==== USER GROUP ====
+  GetUserGroup(GetUserGroup),
+  ListUserGroups(ListUserGroups),
+
+  // ==== PROCEDURE ====
+  GetProceduresSummary(GetProceduresSummary),
+  GetProcedure(GetProcedure),
+  GetProcedureActionState(GetProcedureActionState),
+  ListProcedures(ListProcedures),
+  ListFullProcedures(ListFullProcedures),
+
+  // ==== ACTION ====
+  GetActionsSummary(GetActionsSummary),
+  GetAction(GetAction),
+  GetActionActionState(GetActionActionState),
+  ListActions(ListActions),
+  ListFullActions(ListFullActions),
+
+  // ==== SCHEDULE ====
+  ListSchedules(ListSchedules),
+
+  // ==== SERVER ====
+  GetServersSummary(GetServersSummary),
+  GetServer(GetServer),
+  GetServerState(GetServerState),
+  GetPeripheryVersion(GetPeripheryVersion),
+  GetServerActionState(GetServerActionState),
+  GetHistoricalServerStats(GetHistoricalServerStats),
+  ListServers(ListServers),
+  ListFullServers(ListFullServers),
+  InspectDockerContainer(InspectDockerContainer),
+  GetResourceMatchingContainer(GetResourceMatchingContainer),
+  GetContainerLog(GetContainerLog),
+  SearchContainerLog(SearchContainerLog),
+  InspectDockerNetwork(InspectDockerNetwork),
+  InspectDockerImage(InspectDockerImage),
+  ListDockerImageHistory(ListDockerImageHistory),
+  InspectDockerVolume(InspectDockerVolume),
+  GetDockerContainersSummary(GetDockerContainersSummary),
+  ListAllDockerContainers(ListAllDockerContainers),
+  ListDockerContainers(ListDockerContainers),
+  ListDockerNetworks(ListDockerNetworks),
+  ListDockerImages(ListDockerImages),
+  ListDockerVolumes(ListDockerVolumes),
+  ListComposeProjects(ListComposeProjects),
+  ListTerminals(ListTerminals),
+
+  // ==== SERVER STATS ====
+  GetSystemInformation(GetSystemInformation),
+  GetSystemStats(GetSystemStats),
+  ListSystemProcesses(ListSystemProcesses),
+
+  // ==== STACK ====
+  GetStacksSummary(GetStacksSummary),
+  GetStack(GetStack),
+  GetStackActionState(GetStackActionState),
+  GetStackWebhooksEnabled(GetStackWebhooksEnabled),
+  GetStackLog(GetStackLog),
+  SearchStackLog(SearchStackLog),
+  InspectStackContainer(InspectStackContainer),
+  ListStacks(ListStacks),
+  ListFullStacks(ListFullStacks),
+  ListStackServices(ListStackServices),
+  ListCommonStackExtraArgs(ListCommonStackExtraArgs),
+  ListCommonStackBuildExtraArgs(ListCommonStackBuildExtraArgs),
+
+  // ==== DEPLOYMENT ====
+  GetDeploymentsSummary(GetDeploymentsSummary),
+  GetDeployment(GetDeployment),
+  GetDeploymentContainer(GetDeploymentContainer),
+  GetDeploymentActionState(GetDeploymentActionState),
+  GetDeploymentStats(GetDeploymentStats),
+  GetDeploymentLog(GetDeploymentLog),
+  SearchDeploymentLog(SearchDeploymentLog),
+  InspectDeploymentContainer(InspectDeploymentContainer),
+  ListDeployments(ListDeployments),
+  ListFullDeployments(ListFullDeployments),
+  ListCommonDeploymentExtraArgs(ListCommonDeploymentExtraArgs),
+
+  // ==== BUILD ====
+  GetBuildsSummary(GetBuildsSummary),
+  GetBuild(GetBuild),
+  GetBuildActionState(GetBuildActionState),
+  GetBuildMonthlyStats(GetBuildMonthlyStats),
+  ListBuildVersions(ListBuildVersions),
+  GetBuildWebhookEnabled(GetBuildWebhookEnabled),
+  ListBuilds(ListBuilds),
+  ListFullBuilds(ListFullBuilds),
+  ListCommonBuildExtraArgs(ListCommonBuildExtraArgs),
+
+  // ==== REPO ====
+  GetReposSummary(GetReposSummary),
+  GetRepo(GetRepo),
+  GetRepoActionState(GetRepoActionState),
+  GetRepoWebhooksEnabled(GetRepoWebhooksEnabled),
+  ListRepos(ListRepos),
+  ListFullRepos(ListFullRepos),
+
+  // ==== SYNC ====
+  GetResourceSyncsSummary(GetResourceSyncsSummary),
+  GetResourceSync(GetResourceSync),
+  GetResourceSyncActionState(GetResourceSyncActionState),
+  GetSyncWebhooksEnabled(GetSyncWebhooksEnabled),
+  ListResourceSyncs(ListResourceSyncs),
+  ListFullResourceSyncs(ListFullResourceSyncs),
+
+  // ==== BUILDER ====
+  GetBuildersSummary(GetBuildersSummary),
+  GetBuilder(GetBuilder),
+  ListBuilders(ListBuilders),
+  ListFullBuilders(ListFullBuilders),
+
+  // ==== ALERTER ====
+  GetAlertersSummary(GetAlertersSummary),
+  GetAlerter(GetAlerter),
+  ListAlerters(ListAlerters),
+  ListFullAlerters(ListFullAlerters),
+
+  // ==== TOML ====
+  ExportAllResourcesToToml(ExportAllResourcesToToml),
+  ExportResourcesToToml(ExportResourcesToToml),
+
+  // ==== TAG ====
+  GetTag(GetTag),
+  ListTags(ListTags),
+
+  // ==== UPDATE ====
+  GetUpdate(GetUpdate),
+  ListUpdates(ListUpdates),
+
+  // ==== ALERT ====
+  ListAlerts(ListAlerts),
+  GetAlert(GetAlert),
+
+  // ==== VARIABLE ====
+  GetVariable(GetVariable),
+  ListVariables(ListVariables),
+
+  // ==== PROVIDER ====
+  GetGitProviderAccount(GetGitProviderAccount),
+  ListGitProviderAccounts(ListGitProviderAccounts),
+  GetDockerRegistryAccount(GetDockerRegistryAccount),
+  ListDockerRegistryAccounts(ListDockerRegistryAccounts),
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/", post(handler))
+    .route("/{variant}", post(variant_handler))
+    .layer(middleware::from_fn(auth_request))
+}
+
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<axum::response::Response> {
+  let req: ReadRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
+}
+
+#[instrument(name = "ReadHandler", level = "debug", skip(user), fields(user_id = user.id))]
+async fn handler(
+  Extension(user): Extension<User>,
+  Json(request): Json<ReadRequest>,
+) -> serror::Result<axum::response::Response> {
+  let timer = Instant::now();
+  let req_id = Uuid::new_v4();
+  debug!("/read request | user: {}", user.username);
+  let res = request.resolve(&ReadArgs { user }).await;
+  if let Err(e) = &res {
+    debug!("/read request {req_id} error: {:#}", e.error);
+  }
+  let elapsed = timer.elapsed();
+  debug!("/read request {req_id} | resolve time: {elapsed:?}");
+  res.map(|res| res.0)
+}
+
+impl Resolve<ReadArgs> for GetVersion {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetVersionResponse> {
+    Ok(GetVersionResponse {
+      version: env!("CARGO_PKG_VERSION").to_string(),
+    })
+  }
+}
+
+fn core_info() -> &'static GetCoreInfoResponse {
+  static CORE_INFO: OnceLock<GetCoreInfoResponse> = OnceLock::new();
+  CORE_INFO.get_or_init(|| {
+    let config = core_config();
+    GetCoreInfoResponse {
+      title: config.title.clone(),
+      monitoring_interval: config.monitoring_interval,
+      webhook_base_url: if config.webhook_base_url.is_empty() {
+        config.host.clone()
+      } else {
+        config.webhook_base_url.clone()
+      },
+      transparent_mode: config.transparent_mode,
+      ui_write_disabled: config.ui_write_disabled,
+      disable_confirm_dialog: config.disable_confirm_dialog,
+      disable_non_admin_create: config.disable_non_admin_create,
+      disable_websocket_reconnect: config.disable_websocket_reconnect,
+      enable_fancy_toml: config.enable_fancy_toml,
+      github_webhook_owners: config
+        .github_webhook_app
+        .installations
+        .iter()
+        .map(|i| i.namespace.to_string())
+        .collect(),
+      timezone: config.timezone.clone(),
+    }
+  })
+}
+
+impl Resolve<ReadArgs> for GetCoreInfo {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetCoreInfoResponse> {
+    Ok(core_info().clone())
+  }
+}
+
+impl Resolve<ReadArgs> for ListSecrets {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<ListSecretsResponse> {
+    let mut secrets = core_config()
+      .secrets
+      .keys()
+      .cloned()
+      .collect::<HashSet<_>>();
+
+    if let Some(target) = self.target {
+      let server_id = match target {
+        ResourceTarget::Server(id) => Some(id),
+        ResourceTarget::Builder(id) => {
+          match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => None,
+            BuilderConfig::Server(config) => Some(config.server_id),
+            BuilderConfig::Aws(config) => {
+              secrets.extend(config.secrets);
+              None
+            }
+          }
+        }
+        _ => {
+          return Err(
+            anyhow!("target must be `Server` or `Builder`").into(),
+          );
+        }
+      };
+      if let Some(id) = server_id {
+        let server = resource::get::<Server>(&id).await?;
+        let more = periphery_client(&server)?
+          .request(periphery_client::api::ListSecrets {})
+          .await
+          .with_context(|| {
+            format!(
+              "failed to get secrets from server {}",
+              server.name
+            )
+          })?;
+        secrets.extend(more);
+      }
+    }
+
+    let mut secrets = secrets.into_iter().collect::<Vec<_>>();
+    secrets.sort();
+
+    Ok(secrets)
+  }
+}
+
+impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListGitProvidersFromConfigResponse> {
+    let mut providers = core_config().git_providers.clone();
+
+    if let Some(target) = self.target {
+      match target {
+        ResourceTarget::Server(id) => {
+          merge_git_providers_for_server(&mut providers, &id).await?;
+        }
+        ResourceTarget::Builder(id) => {
+          match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
+            BuilderConfig::Server(config) => {
+              merge_git_providers_for_server(
+                &mut providers,
+                &config.server_id,
+              )
+              .await?;
+            }
+            BuilderConfig::Aws(config) => {
+              merge_git_providers(
+                &mut providers,
+                config.git_providers,
+              );
+            }
+          }
+        }
+        _ => {
+          return Err(
+            anyhow!("target must be `Server` or `Builder`").into(),
+          );
+        }
+      }
+    }
+
+    let (builds, repos, syncs) = tokio::try_join!(
+      resource::list_full_for_user::<Build>(
+        Default::default(),
+        user,
+        PermissionLevel::Read.into(),
+        &[]
+      ),
+      resource::list_full_for_user::<Repo>(
+        Default::default(),
+        user,
+        PermissionLevel::Read.into(),
+        &[]
+      ),
+      resource::list_full_for_user::<ResourceSync>(
+        Default::default(),
+        user,
+        PermissionLevel::Read.into(),
+        &[]
+      ),
+    )?;
+
+    for build in builds {
+      if !providers
+        .iter()
+        .any(|provider| provider.domain == build.config.git_provider)
+      {
+        providers.push(GitProvider {
+          domain: build.config.git_provider,
+          https: build.config.git_https,
+          accounts: Default::default(),
+        });
+      }
+    }
+    for repo in repos {
+      if !providers
+        .iter()
+        .any(|provider| provider.domain == repo.config.git_provider)
+      {
+        providers.push(GitProvider {
+          domain: repo.config.git_provider,
+          https: repo.config.git_https,
+          accounts: Default::default(),
+        });
+      }
+    }
+    for sync in syncs {
+      if !providers
+        .iter()
+        .any(|provider| provider.domain == sync.config.git_provider)
+      {
+        providers.push(GitProvider {
+          domain: sync.config.git_provider,
+          https: sync.config.git_https,
+          accounts: Default::default(),
+        });
+      }
+    }
+
+    providers.sort();
+
+    Ok(providers)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerRegistriesFromConfig {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<ListDockerRegistriesFromConfigResponse> {
+    let mut registries = core_config().docker_registries.clone();
+
+    if let Some(target) = self.target {
+      match target {
+        ResourceTarget::Server(id) => {
+          merge_docker_registries_for_server(&mut registries, &id)
+            .await?;
+        }
+        ResourceTarget::Builder(id) => {
+          match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
+            BuilderConfig::Server(config) => {
+              merge_docker_registries_for_server(
+                &mut registries,
+                &config.server_id,
+              )
+              .await?;
+            }
+            BuilderConfig::Aws(config) => {
+              merge_docker_registries(
+                &mut registries,
+                config.docker_registries,
+              );
+            }
+          }
+        }
+        _ => {
+          return Err(
+            anyhow!("target must be `Server` or `Builder`").into(),
+          );
+        }
+      }
+    }
+
+    registries.sort();
+
+    Ok(registries)
+  }
+}
+
+async fn merge_git_providers_for_server(
+  providers: &mut Vec<GitProvider>,
+  server_id: &str,
+) -> serror::Result<()> {
+  let server = resource::get::<Server>(server_id).await?;
+  let more = periphery_client(&server)?
+    .request(periphery_client::api::ListGitProviders {})
+    .await
+    .with_context(|| {
+      format!(
+        "failed to get git providers from server {}",
+        server.name
+      )
+    })?;
+  merge_git_providers(providers, more);
+  Ok(())
+}
+
+fn merge_git_providers(
+  providers: &mut Vec<GitProvider>,
+  more: Vec<GitProvider>,
+) {
+  for incoming_provider in more {
+    if let Some(provider) = providers
+      .iter_mut()
+      .find(|provider| provider.domain == incoming_provider.domain)
+    {
+      for account in incoming_provider.accounts {
+        if !provider.accounts.contains(&account) {
+          provider.accounts.push(account);
+        }
+      }
+    } else {
+      providers.push(incoming_provider);
+    }
+  }
+}
+
+async fn merge_docker_registries_for_server(
+  registries: &mut Vec<DockerRegistry>,
+  server_id: &str,
+) -> serror::Result<()> {
+  let server = resource::get::<Server>(server_id).await?;
+  let more = periphery_client(&server)?
+    .request(periphery_client::api::ListDockerRegistries {})
+    .await
+    .with_context(|| {
+      format!(
+        "failed to get docker registries from server {}",
+        server.name
+      )
+    })?;
+  merge_docker_registries(registries, more);
+  Ok(())
+}
+
+fn merge_docker_registries(
+  registries: &mut Vec<DockerRegistry>,
+  more: Vec<DockerRegistry>,
+) {
+  for incoming_registry in more {
+    if let Some(registry) = registries
+      .iter_mut()
+      .find(|registry| registry.domain == incoming_registry.domain)
+    {
+      for account in incoming_registry.accounts {
+        if !registry.accounts.contains(&account) {
+          registry.accounts.push(account);
+        }
+      }
+    } else {
+      registries.push(incoming_registry);
+    }
+  }
+}

bin/core/src/api/read/permission.rs

@@ -0,0 +1,71 @@
+use anyhow::{Context, anyhow};
+use database::mungos::{find::find_collect, mongodb::bson::doc};
+use komodo_client::{
+  api::read::{
+    GetPermission, GetPermissionResponse, ListPermissions,
+    ListPermissionsResponse, ListUserTargetPermissions,
+    ListUserTargetPermissionsResponse,
+  },
+  entities::permission::PermissionLevel,
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_user_permission_on_target, state::db_client,
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for ListPermissions {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListPermissionsResponse> {
+    let res = find_collect(
+      &db_client().permissions,
+      doc! {
+        "user_target.type": "User",
+        "user_target.id": &user.id
+      },
+      None,
+    )
+    .await
+    .context("failed to query db for permissions")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetPermission {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetPermissionResponse> {
+    if user.admin {
+      return Ok(PermissionLevel::Write.all());
+    }
+    Ok(get_user_permission_on_target(user, &self.target).await?)
+  }
+}
+
+impl Resolve<ReadArgs> for ListUserTargetPermissions {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListUserTargetPermissionsResponse> {
+    if !user.admin {
+      return Err(anyhow!("this method is admin only").into());
+    }
+    let (variant, id) = self.user_target.extract_variant_id();
+    let res = find_collect(
+      &db_client().permissions,
+      doc! {
+        "user_target.type": variant.as_ref(),
+        "user_target.id": id
+      },
+      None,
+    )
+    .await
+    .context("failed to query db for permissions")?;
+    Ok(res)
+  }
+}

bin/core/src/api/read/procedure.rs

@@ -0,0 +1,145 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    permission::PermissionLevel,
+    procedure::{Procedure, ProcedureState},
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_all_tags,
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, procedure_state_cache},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetProcedure {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetProcedureResponse> {
+    Ok(
+      get_check_permissions::<Procedure>(
+        &self.procedure,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListProcedures {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListProceduresResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Procedure>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullProcedures {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullProceduresResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Procedure>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetProceduresSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetProceduresSummaryResponse> {
+    let procedures = resource::list_full_for_user::<Procedure>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get procedures from db")?;
+
+    let mut res = GetProceduresSummaryResponse::default();
+
+    let cache = procedure_state_cache();
+    let action_states = action_states();
+
+    for procedure in procedures {
+      res.total += 1;
+
+      match (
+        cache.get(&procedure.id).await.unwrap_or_default(),
+        action_states
+          .procedure
+          .get(&procedure.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.running => {
+          res.running += 1;
+        }
+        (ProcedureState::Ok, _) => res.ok += 1,
+        (ProcedureState::Failed, _) => res.failed += 1,
+        (ProcedureState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the running state, since that comes from action states
+        (ProcedureState::Running, _) => unreachable!(),
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetProcedureActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetProcedureActionStateResponse> {
+    let procedure = get_check_permissions::<Procedure>(
+      &self.procedure,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .procedure
+      .get(&procedure.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}

bin/core/src/api/read/provider.rs

@@ -0,0 +1,115 @@
+use anyhow::{Context, anyhow};
+use database::mongo_indexed::{Document, doc};
+use database::mungos::{
+  by_id::find_one_by_id, find::find_collect,
+  mongodb::options::FindOptions,
+};
+use komodo_client::api::read::*;
+use resolver_api::Resolve;
+
+use crate::state::db_client;
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetGitProviderAccount {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetGitProviderAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("Only admins can read git provider accounts").into(),
+      );
+    }
+    let res = find_one_by_id(&db_client().git_accounts, &self.id)
+      .await
+      .context("failed to query db for git provider accounts")?
+      .context(
+        "did not find git provider account with the given id",
+      )?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListGitProviderAccounts {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListGitProviderAccountsResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("Only admins can read git provider accounts").into(),
+      );
+    }
+    let mut filter = Document::new();
+    if let Some(domain) = self.domain {
+      filter.insert("domain", domain);
+    }
+    if let Some(username) = self.username {
+      filter.insert("username", username);
+    }
+    let res = find_collect(
+      &db_client().git_accounts,
+      filter,
+      FindOptions::builder()
+        .sort(doc! { "domain": 1, "username": 1 })
+        .build(),
+    )
+    .await
+    .context("failed to query db for git provider accounts")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetDockerRegistryAccount {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetDockerRegistryAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("Only admins can read docker registry accounts")
+          .into(),
+      );
+    }
+    let res =
+      find_one_by_id(&db_client().registry_accounts, &self.id)
+        .await
+        .context("failed to query db for docker registry accounts")?
+        .context(
+          "did not find docker registry account with the given id",
+        )?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerRegistryAccounts {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerRegistryAccountsResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("Only admins can read docker registry accounts")
+          .into(),
+      );
+    }
+    let mut filter = Document::new();
+    if let Some(domain) = self.domain {
+      filter.insert("domain", domain);
+    }
+    if let Some(username) = self.username {
+      filter.insert("username", username);
+    }
+    let res = find_collect(
+      &db_client().registry_accounts,
+      filter,
+      FindOptions::builder()
+        .sort(doc! { "domain": 1, "username": 1 })
+        .build(),
+    )
+    .await
+    .context("failed to query db for docker registry accounts")?;
+    Ok(res)
+  }
+}

bin/core/src/api/read/repo.rs

@@ -0,0 +1,258 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    repo::{Repo, RepoActionState, RepoListItem, RepoState},
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::query::get_all_tags,
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, github_client, repo_state_cache},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetRepo {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Repo> {
+    Ok(
+      get_check_permissions::<Repo>(
+        &self.repo,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListRepos {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<RepoListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Repo>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullRepos {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullReposResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Repo>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetRepoActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<RepoActionState> {
+    let repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .repo
+      .get(&repo.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetReposSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetReposSummaryResponse> {
+    let repos = resource::list_full_for_user::<Repo>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get repos from db")?;
+
+    let mut res = GetReposSummaryResponse::default();
+
+    let cache = repo_state_cache();
+    let action_states = action_states();
+
+    for repo in repos {
+      res.total += 1;
+
+      match (
+        cache.get(&repo.id).await.unwrap_or_default(),
+        action_states
+          .repo
+          .get(&repo.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.cloning => {
+          res.cloning += 1;
+        }
+        (_, action_states) if action_states.pulling => {
+          res.pulling += 1;
+        }
+        (_, action_states) if action_states.building => {
+          res.building += 1;
+        }
+        (RepoState::Ok, _) => res.ok += 1,
+        (RepoState::Failed, _) => res.failed += 1,
+        (RepoState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the building state, since that comes from action states
+        (RepoState::Cloning, _)
+        | (RepoState::Pulling, _)
+        | (RepoState::Building, _) => {
+          unreachable!()
+        }
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetRepoWebhooksEnabled {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetRepoWebhooksEnabledResponse> {
+    let Some(github) = github_client() else {
+      return Ok(GetRepoWebhooksEnabledResponse {
+        managed: false,
+        clone_enabled: false,
+        pull_enabled: false,
+        build_enabled: false,
+      });
+    };
+
+    let repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+
+    if repo.config.git_provider != "github.com"
+      || repo.config.repo.is_empty()
+    {
+      return Ok(GetRepoWebhooksEnabledResponse {
+        managed: false,
+        clone_enabled: false,
+        pull_enabled: false,
+        build_enabled: false,
+      });
+    }
+
+    let mut split = repo.config.repo.split('/');
+    let owner = split.next().context("Repo repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Ok(GetRepoWebhooksEnabledResponse {
+        managed: false,
+        clone_enabled: false,
+        pull_enabled: false,
+        build_enabled: false,
+      });
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let clone_url =
+      format!("{host}/listener/github/repo/{}/clone", repo.id);
+    let pull_url =
+      format!("{host}/listener/github/repo/{}/pull", repo.id);
+    let build_url =
+      format!("{host}/listener/github/repo/{}/build", repo.id);
+
+    let mut clone_enabled = false;
+    let mut pull_enabled = false;
+    let mut build_enabled = false;
+
+    for webhook in webhooks {
+      if !webhook.active {
+        continue;
+      }
+      if webhook.config.url == clone_url {
+        clone_enabled = true
+      }
+      if webhook.config.url == pull_url {
+        pull_enabled = true
+      }
+      if webhook.config.url == build_url {
+        build_enabled = true
+      }
+    }
+
+    Ok(GetRepoWebhooksEnabledResponse {
+      managed: true,
+      clone_enabled,
+      pull_enabled,
+      build_enabled,
+    })
+  }
+}

bin/core/src/api/read/schedule.rs

@@ -0,0 +1,107 @@
+use futures::future::join_all;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    ResourceTarget,
+    action::Action,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    resource::{ResourceQuery, TemplatesQueryBehavior},
+    schedule::Schedule,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::{get_all_tags, get_last_run_at},
+  resource::list_full_for_user,
+  schedule::get_schedule_item_info,
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for ListSchedules {
+  async fn resolve(
+    self,
+    args: &ReadArgs,
+  ) -> serror::Result<Vec<Schedule>> {
+    let all_tags = get_all_tags(None).await?;
+    let (actions, procedures) = tokio::try_join!(
+      list_full_for_user::<Action>(
+        ResourceQuery {
+          names: Default::default(),
+          templates: TemplatesQueryBehavior::Include,
+          tag_behavior: self.tag_behavior,
+          tags: self.tags.clone(),
+          specific: Default::default(),
+        },
+        &args.user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      ),
+      list_full_for_user::<Procedure>(
+        ResourceQuery {
+          names: Default::default(),
+          templates: TemplatesQueryBehavior::Include,
+          tag_behavior: self.tag_behavior,
+          tags: self.tags.clone(),
+          specific: Default::default(),
+        },
+        &args.user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+    )?;
+    let actions = actions.into_iter().map(async |action| {
+      let (next_scheduled_run, schedule_error) =
+        get_schedule_item_info(&ResourceTarget::Action(
+          action.id.clone(),
+        ));
+      let last_run_at =
+        get_last_run_at::<Action>(&action.id).await.unwrap_or(None);
+      Schedule {
+        target: ResourceTarget::Action(action.id),
+        name: action.name,
+        enabled: action.config.schedule_enabled,
+        schedule_format: action.config.schedule_format,
+        schedule: action.config.schedule,
+        schedule_timezone: action.config.schedule_timezone,
+        tags: action.tags,
+        last_run_at,
+        next_scheduled_run,
+        schedule_error,
+      }
+    });
+    let procedures = procedures.into_iter().map(async |procedure| {
+      let (next_scheduled_run, schedule_error) =
+        get_schedule_item_info(&ResourceTarget::Procedure(
+          procedure.id.clone(),
+        ));
+      let last_run_at = get_last_run_at::<Procedure>(&procedure.id)
+        .await
+        .unwrap_or(None);
+      Schedule {
+        target: ResourceTarget::Procedure(procedure.id),
+        name: procedure.name,
+        enabled: procedure.config.schedule_enabled,
+        schedule_format: procedure.config.schedule_format,
+        schedule: procedure.config.schedule,
+        schedule_timezone: procedure.config.schedule_timezone,
+        tags: procedure.tags,
+        last_run_at,
+        next_scheduled_run,
+        schedule_error,
+      }
+    });
+    let (actions, procedures) =
+      tokio::join!(join_all(actions), join_all(procedures));
+
+    Ok(
+      actions
+        .into_iter()
+        .chain(procedures)
+        .filter(|s| !s.schedule.is_empty())
+        .collect(),
+    )
+  }
+}

bin/core/src/api/read/server.rs

@@ -0,0 +1,878 @@
+use std::{
+  cmp,
+  collections::HashMap,
+  sync::{Arc, OnceLock},
+};
+
+use anyhow::{Context, anyhow};
+use async_timing_util::{
+  FIFTEEN_SECONDS_MS, get_timelength_in_ms, unix_timestamp_ms,
+};
+use database::mungos::{
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use komodo_client::{
+  api::read::*,
+  entities::{
+    ResourceTarget,
+    deployment::Deployment,
+    docker::{
+      container::{
+        Container, ContainerListItem, ContainerStateStatusEnum,
+      },
+      image::{Image, ImageHistoryResponseItem},
+      network::Network,
+      volume::Volume,
+    },
+    komodo_timestamp,
+    permission::PermissionLevel,
+    server::{
+      Server, ServerActionState, ServerListItem, ServerState,
+      TerminalInfo,
+    },
+    stack::{Stack, StackServiceNames},
+    stats::{SystemInformation, SystemProcess},
+    update::Log,
+  },
+};
+use periphery_client::api::{
+  self as periphery,
+  container::InspectContainer,
+  image::{ImageHistory, InspectImage},
+  network::InspectNetwork,
+  volume::InspectVolume,
+};
+use resolver_api::Resolve;
+use tokio::sync::Mutex;
+
+use crate::{
+  helpers::{
+    periphery_client,
+    query::{get_all_tags, get_system_info},
+  },
+  permission::get_check_permissions,
+  resource,
+  stack::compose_container_match_regex,
+  state::{action_states, db_client, server_status_cache},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetServersSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetServersSummaryResponse> {
+    let servers = resource::list_for_user::<Server>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await?;
+
+    let core_version = env!("CARGO_PKG_VERSION");
+    let mut res = GetServersSummaryResponse::default();
+
+    for server in servers {
+      res.total += 1;
+      match server.info.state {
+        ServerState::Ok => {
+          // Check for version mismatch
+          let has_version_mismatch = !server.info.version.is_empty()
+            && server.info.version != "Unknown"
+            && server.info.version != core_version;
+
+          if has_version_mismatch {
+            res.warning += 1;
+          } else {
+            res.healthy += 1;
+          }
+        }
+        ServerState::NotOk => {
+          res.unhealthy += 1;
+        }
+        ServerState::Disabled => {
+          res.disabled += 1;
+        }
+      }
+    }
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetPeripheryVersion {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetPeripheryVersionResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let version = server_status_cache()
+      .get(&server.id)
+      .await
+      .map(|s| s.version.clone())
+      .unwrap_or(String::from("unknown"));
+    Ok(GetPeripheryVersionResponse { version })
+  }
+}
+
+impl Resolve<ReadArgs> for GetServer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Server> {
+    Ok(
+      get_check_permissions::<Server>(
+        &self.server,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListServers {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<ServerListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Server>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullServers {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullServersResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Server>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetServerState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetServerStateResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let status = server_status_cache()
+      .get(&server.id)
+      .await
+      .ok_or(anyhow!("did not find cached status for server"))?;
+    let response = GetServerStateResponse {
+      status: status.state,
+    };
+    Ok(response)
+  }
+}
+
+impl Resolve<ReadArgs> for GetServerActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ServerActionState> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .server
+      .get(&server.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSystemInformation {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<SystemInformation> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    get_system_info(&server).await.map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSystemStats {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetSystemStatsResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let status =
+      server_status_cache().get(&server.id).await.with_context(
+        || format!("did not find status for server at {}", server.id),
+      )?;
+    let stats = status
+      .stats
+      .as_ref()
+      .context("server stats not available")?;
+    Ok(stats.clone())
+  }
+}
+
+// This protects the peripheries from spam requests
+const PROCESSES_EXPIRY: u128 = FIFTEEN_SECONDS_MS;
+type ProcessesCache =
+  Mutex<HashMap<String, Arc<(Vec<SystemProcess>, u128)>>>;
+fn processes_cache() -> &'static ProcessesCache {
+  static PROCESSES_CACHE: OnceLock<ProcessesCache> = OnceLock::new();
+  PROCESSES_CACHE.get_or_init(Default::default)
+}
+
+impl Resolve<ReadArgs> for ListSystemProcesses {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListSystemProcessesResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.processes(),
+    )
+    .await?;
+    let mut lock = processes_cache().lock().await;
+    let res = match lock.get(&server.id) {
+      Some(cached) if cached.1 > unix_timestamp_ms() => {
+        cached.0.clone()
+      }
+      _ => {
+        let stats = periphery_client(&server)?
+          .request(periphery::stats::GetSystemProcesses {})
+          .await?;
+        lock.insert(
+          server.id,
+          (stats.clone(), unix_timestamp_ms() + PROCESSES_EXPIRY)
+            .into(),
+        );
+        stats
+      }
+    };
+    Ok(res)
+  }
+}
+
+const STATS_PER_PAGE: i64 = 200;
+
+impl Resolve<ReadArgs> for GetHistoricalServerStats {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetHistoricalServerStatsResponse> {
+    let GetHistoricalServerStats {
+      server,
+      granularity,
+      page,
+    } = self;
+    let server = get_check_permissions::<Server>(
+      &server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let granularity =
+      get_timelength_in_ms(granularity.to_string().parse().unwrap())
+        as i64;
+    let mut ts_vec = Vec::<i64>::new();
+    let curr_ts = unix_timestamp_ms() as i64;
+    let mut curr_ts = curr_ts
+      - curr_ts % granularity
+      - granularity * STATS_PER_PAGE * page as i64;
+    for _ in 0..STATS_PER_PAGE {
+      ts_vec.push(curr_ts);
+      curr_ts -= granularity;
+    }
+
+    let stats = find_collect(
+      &db_client().stats,
+      doc! {
+        "sid": server.id,
+        "ts": { "$in": ts_vec },
+      },
+      FindOptions::builder()
+        .sort(doc! { "ts": -1 })
+        .skip(page as u64 * STATS_PER_PAGE as u64)
+        .limit(STATS_PER_PAGE)
+        .build(),
+    )
+    .await
+    .context("failed to pull stats from db")?;
+    let next_page = if stats.len() == STATS_PER_PAGE as usize {
+      Some(page + 1)
+    } else {
+      None
+    };
+    let res = GetHistoricalServerStatsResponse { stats, next_page };
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerContainers {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerContainersResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(containers) = &cache.containers {
+      Ok(containers.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for ListAllDockerContainers {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListAllDockerContainersResponse> {
+    let servers = resource::list_for_user::<Server>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await?
+    .into_iter()
+    .filter(|server| {
+      self.servers.is_empty()
+        || self.servers.contains(&server.id)
+        || self.servers.contains(&server.name)
+    });
+
+    let mut containers = Vec::<ContainerListItem>::new();
+
+    for server in servers {
+      let cache = server_status_cache()
+        .get_or_insert_default(&server.id)
+        .await;
+      if let Some(more_containers) = &cache.containers {
+        containers.extend(more_containers.clone());
+      }
+    }
+
+    Ok(containers)
+  }
+}
+
+impl Resolve<ReadArgs> for GetDockerContainersSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetDockerContainersSummaryResponse> {
+    let servers = resource::list_full_for_user::<Server>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get servers from db")?;
+
+    let mut res = GetDockerContainersSummaryResponse::default();
+
+    for server in servers {
+      let cache = server_status_cache()
+        .get_or_insert_default(&server.id)
+        .await;
+
+      if let Some(containers) = &cache.containers {
+        for container in containers {
+          res.total += 1;
+          match container.state {
+            ContainerStateStatusEnum::Created
+            | ContainerStateStatusEnum::Paused
+            | ContainerStateStatusEnum::Exited => res.stopped += 1,
+            ContainerStateStatusEnum::Running => res.running += 1,
+            ContainerStateStatusEnum::Empty => res.unknown += 1,
+            _ => res.unhealthy += 1,
+          }
+        }
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDockerContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Container> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect container: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectContainer {
+        name: self.container,
+      })
+      .await?;
+    Ok(res)
+  }
+}
+
+const MAX_LOG_LENGTH: u64 = 5000;
+
+impl Resolve<ReadArgs> for GetContainerLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Log> {
+    let GetContainerLog {
+      server,
+      container,
+      tail,
+      timestamps,
+    } = self;
+    let server = get_check_permissions::<Server>(
+      &server,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    let res = periphery_client(&server)?
+      .request(periphery::container::GetContainerLog {
+        name: container,
+        tail: cmp::min(tail, MAX_LOG_LENGTH),
+        timestamps,
+      })
+      .await
+      .context("failed at call to periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for SearchContainerLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Log> {
+    let SearchContainerLog {
+      server,
+      container,
+      terms,
+      combinator,
+      invert,
+      timestamps,
+    } = self;
+    let server = get_check_permissions::<Server>(
+      &server,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    let res = periphery_client(&server)?
+      .request(periphery::container::GetContainerLogSearch {
+        name: container,
+        terms,
+        combinator,
+        invert,
+        timestamps,
+      })
+      .await
+      .context("failed at call to periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetResourceMatchingContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetResourceMatchingContainerResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    // first check deployments
+    if let Ok(deployment) =
+      resource::get::<Deployment>(&self.container).await
+    {
+      return Ok(GetResourceMatchingContainerResponse {
+        resource: ResourceTarget::Deployment(deployment.id).into(),
+      });
+    }
+
+    // then check stacks
+    let stacks =
+      resource::list_full_for_user_using_document::<Stack>(
+        doc! { "config.server_id": &server.id },
+        user,
+      )
+      .await?;
+
+    // check matching stack
+    for stack in stacks {
+      for StackServiceNames {
+        service_name,
+        container_name,
+        ..
+      } in stack
+        .info
+        .deployed_services
+        .unwrap_or(stack.info.latest_services)
+      {
+        let is_match = match compose_container_match_regex(&container_name)
+          .with_context(|| format!("failed to construct container name matching regex for service {service_name}")) 
+        {
+          Ok(regex) => regex,
+          Err(e) => {
+            warn!("{e:#}");
+            continue;
+          }
+        }.is_match(&self.container);
+
+        if is_match {
+          return Ok(GetResourceMatchingContainerResponse {
+            resource: ResourceTarget::Stack(stack.id).into(),
+          });
+        }
+      }
+    }
+
+    Ok(GetResourceMatchingContainerResponse { resource: None })
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerNetworks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerNetworksResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(networks) = &cache.networks {
+      Ok(networks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDockerNetwork {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Network> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect network: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectNetwork { name: self.network })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerImages {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerImagesResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(images) = &cache.images {
+      Ok(images.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDockerImage {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Image> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!("Cannot inspect image: server is {:?}", cache.state)
+          .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectImage { name: self.image })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerImageHistory {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<ImageHistoryResponseItem>> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot get image history: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(ImageHistory { name: self.image })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerVolumes {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerVolumesResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(volumes) = &cache.volumes {
+      Ok(volumes.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDockerVolume {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Volume> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!("Cannot inspect volume: server is {:?}", cache.state)
+          .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectVolume { name: self.volume })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListComposeProjects {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListComposeProjectsResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(projects) = &cache.projects {
+      Ok(projects.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+#[derive(Default)]
+struct TerminalCacheItem {
+  list: Vec<TerminalInfo>,
+  ttl: i64,
+}
+
+const TERMINAL_CACHE_TIMEOUT: i64 = 30_000;
+
+#[derive(Default)]
+struct TerminalCache(
+  std::sync::Mutex<
+    HashMap<String, Arc<tokio::sync::Mutex<TerminalCacheItem>>>,
+  >,
+);
+
+impl TerminalCache {
+  fn get_or_insert(
+    &self,
+    server_id: String,
+  ) -> Arc<tokio::sync::Mutex<TerminalCacheItem>> {
+    if let Some(cached) =
+      self.0.lock().unwrap().get(&server_id).cloned()
+    {
+      return cached;
+    }
+    let to_cache =
+      Arc::new(tokio::sync::Mutex::new(TerminalCacheItem::default()));
+    self.0.lock().unwrap().insert(server_id, to_cache.clone());
+    to_cache
+  }
+}
+
+fn terminals_cache() -> &'static TerminalCache {
+  static TERMINALS: OnceLock<TerminalCache> = OnceLock::new();
+  TERMINALS.get_or_init(Default::default)
+}
+
+impl Resolve<ReadArgs> for ListTerminals {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListTerminalsResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+    let cache = terminals_cache().get_or_insert(server.id.clone());
+    let mut cache = cache.lock().await;
+    if self.fresh || komodo_timestamp() > cache.ttl {
+      cache.list = periphery_client(&server)?
+        .request(periphery_client::api::terminal::ListTerminals {})
+        .await
+        .context("Failed to get fresh terminal list")?;
+      cache.ttl = komodo_timestamp() + TERMINAL_CACHE_TIMEOUT;
+      Ok(cache.list.clone())
+    } else {
+      Ok(cache.list.clone())
+    }
+  }
+}

bin/core/src/api/read/stack.rs

@@ -0,0 +1,461 @@
+use std::collections::HashSet;
+
+use anyhow::{Context, anyhow};
+use komodo_client::{
+  api::read::*,
+  entities::{
+    config::core::CoreConfig,
+    docker::container::Container,
+    permission::PermissionLevel,
+    server::{Server, ServerState},
+    stack::{Stack, StackActionState, StackListItem, StackState},
+  },
+};
+use periphery_client::api::{
+  compose::{GetComposeLog, GetComposeLogSearch},
+  container::InspectContainer,
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::{periphery_client, query::get_all_tags},
+  permission::get_check_permissions,
+  resource,
+  stack::get_stack_and_server,
+  state::{
+    action_states, github_client, server_status_cache,
+    stack_status_cache,
+  },
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetStack {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Stack> {
+    Ok(
+      get_check_permissions::<Stack>(
+        &self.stack,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListStackServices {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListStackServicesResponse> {
+    let stack = get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+
+    let services = stack_status_cache()
+      .get(&stack.id)
+      .await
+      .unwrap_or_default()
+      .curr
+      .services
+      .clone();
+
+    Ok(services)
+  }
+}
+
+impl Resolve<ReadArgs> for GetStackLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetStackLogResponse> {
+    let GetStackLog {
+      stack,
+      services,
+      tail,
+      timestamps,
+    } = self;
+    let (stack, server) = get_stack_and_server(
+      &stack,
+      user,
+      PermissionLevel::Read.logs(),
+      true,
+    )
+    .await?;
+    let res = periphery_client(&server)?
+      .request(GetComposeLog {
+        project: stack.project_name(false),
+        services,
+        tail,
+        timestamps,
+      })
+      .await
+      .context("Failed to get stack log from periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for SearchStackLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<SearchStackLogResponse> {
+    let SearchStackLog {
+      stack,
+      services,
+      terms,
+      combinator,
+      invert,
+      timestamps,
+    } = self;
+    let (stack, server) = get_stack_and_server(
+      &stack,
+      user,
+      PermissionLevel::Read.logs(),
+      true,
+    )
+    .await?;
+    let res = periphery_client(&server)?
+      .request(GetComposeLogSearch {
+        project: stack.project_name(false),
+        services,
+        terms,
+        combinator,
+        invert,
+        timestamps,
+      })
+      .await
+      .context("Failed to search stack log from periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectStackContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Container> {
+    let InspectStackContainer { stack, service } = self;
+    let stack = get_check_permissions::<Stack>(
+      &stack,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    if stack.config.server_id.is_empty() {
+      return Err(
+        anyhow!("Cannot inspect stack, not attached to any server")
+          .into(),
+      );
+    }
+    let server =
+      resource::get::<Server>(&stack.config.server_id).await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect container: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let services = &stack_status_cache()
+      .get(&stack.id)
+      .await
+      .unwrap_or_default()
+      .curr
+      .services;
+    let Some(name) = services
+      .iter()
+      .find(|s| s.service == service)
+      .and_then(|s| s.container.as_ref().map(|c| c.name.clone()))
+    else {
+      return Err(anyhow!(
+        "No service found matching '{service}'. Was the stack last deployed manually?"
+      ).into());
+    };
+    let res = periphery_client(&server)?
+      .request(InspectContainer { name })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListCommonStackExtraArgs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListCommonStackExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let stacks = resource::list_full_for_user::<Stack>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;
+
+    // first collect with guaranteed uniqueness
+    let mut res = HashSet::<String>::new();
+
+    for stack in stacks {
+      for extra_arg in stack.config.extra_args {
+        res.insert(extra_arg);
+      }
+    }
+
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListCommonStackBuildExtraArgs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListCommonStackBuildExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let stacks = resource::list_full_for_user::<Stack>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;
+
+    // first collect with guaranteed uniqueness
+    let mut res = HashSet::<String>::new();
+
+    for stack in stacks {
+      for extra_arg in stack.config.build_extra_args {
+        res.insert(extra_arg);
+      }
+    }
+
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListStacks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<StackListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let only_update_available = self.query.specific.update_available;
+    let stacks = resource::list_for_user::<Stack>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?;
+    let stacks = if only_update_available {
+      stacks
+        .into_iter()
+        .filter(|stack| {
+          stack
+            .info
+            .services
+            .iter()
+            .any(|service| service.update_available)
+        })
+        .collect()
+    } else {
+      stacks
+    };
+    Ok(stacks)
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullStacks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullStacksResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Stack>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetStackActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<StackActionState> {
+    let stack = get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .stack
+      .get(&stack.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetStacksSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetStacksSummaryResponse> {
+    let stacks = resource::list_full_for_user::<Stack>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get stacks from db")?;
+
+    let mut res = GetStacksSummaryResponse::default();
+
+    let cache = stack_status_cache();
+
+    for stack in stacks {
+      res.total += 1;
+      match cache.get(&stack.id).await.unwrap_or_default().curr.state
+      {
+        StackState::Running => res.running += 1,
+        StackState::Stopped | StackState::Paused => res.stopped += 1,
+        StackState::Down => res.down += 1,
+        StackState::Unknown => res.unknown += 1,
+        _ => res.unhealthy += 1,
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetStackWebhooksEnabled {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetStackWebhooksEnabledResponse> {
+    let Some(github) = github_client() else {
+      return Ok(GetStackWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        deploy_enabled: false,
+      });
+    };
+
+    let stack = get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+
+    if stack.config.git_provider != "github.com"
+      || stack.config.repo.is_empty()
+    {
+      return Ok(GetStackWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        deploy_enabled: false,
+      });
+    }
+
+    let mut split = stack.config.repo.split('/');
+    let owner = split.next().context("Sync repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Ok(GetStackWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        deploy_enabled: false,
+      });
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let refresh_url =
+      format!("{host}/listener/github/stack/{}/refresh", stack.id);
+    let deploy_url =
+      format!("{host}/listener/github/stack/{}/deploy", stack.id);
+
+    let mut refresh_enabled = false;
+    let mut deploy_enabled = false;
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == refresh_url {
+        refresh_enabled = true
+      }
+      if webhook.active && webhook.config.url == deploy_url {
+        deploy_enabled = true
+      }
+    }
+
+    Ok(GetStackWebhooksEnabledResponse {
+      managed: true,
+      refresh_enabled,
+      deploy_enabled,
+    })
+  }
+}

bin/core/src/api/read/sync.rs

@@ -0,0 +1,244 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    sync::{
+      ResourceSync, ResourceSyncActionState, ResourceSyncListItem,
+    },
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::query::get_all_tags,
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, github_client},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetResourceSync {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ResourceSync> {
+    Ok(
+      get_check_permissions::<ResourceSync>(
+        &self.sync,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListResourceSyncs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<ResourceSyncListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<ResourceSync>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullResourceSyncs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullResourceSyncsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<ResourceSync>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetResourceSyncActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ResourceSyncActionState> {
+    let sync = get_check_permissions::<ResourceSync>(
+      &self.sync,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .resource_sync
+      .get(&sync.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetResourceSyncsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetResourceSyncsSummaryResponse> {
+    let resource_syncs =
+      resource::list_full_for_user::<ResourceSync>(
+        Default::default(),
+        user,
+        PermissionLevel::Read.into(),
+        &[],
+      )
+      .await
+      .context("failed to get resource_syncs from db")?;
+
+    let mut res = GetResourceSyncsSummaryResponse::default();
+
+    let action_states = action_states();
+
+    for resource_sync in resource_syncs {
+      res.total += 1;
+
+      if !(resource_sync.info.pending_deploy.to_deploy == 0
+        && resource_sync.info.resource_updates.is_empty()
+        && resource_sync.info.variable_updates.is_empty()
+        && resource_sync.info.user_group_updates.is_empty())
+      {
+        res.pending += 1;
+        continue;
+      } else if resource_sync.info.pending_error.is_some()
+        || !resource_sync.info.remote_errors.is_empty()
+      {
+        res.failed += 1;
+        continue;
+      }
+      if action_states
+        .resource_sync
+        .get(&resource_sync.id)
+        .await
+        .unwrap_or_default()
+        .get()?
+        .syncing
+      {
+        res.syncing += 1;
+        continue;
+      }
+      res.ok += 1;
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSyncWebhooksEnabled {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetSyncWebhooksEnabledResponse> {
+    let Some(github) = github_client() else {
+      return Ok(GetSyncWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        sync_enabled: false,
+      });
+    };
+
+    let sync = get_check_permissions::<ResourceSync>(
+      &self.sync,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+
+    if sync.config.git_provider != "github.com"
+      || sync.config.repo.is_empty()
+    {
+      return Ok(GetSyncWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        sync_enabled: false,
+      });
+    }
+
+    let mut split = sync.config.repo.split('/');
+    let owner = split.next().context("Sync repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Ok(GetSyncWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        sync_enabled: false,
+      });
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let refresh_url =
+      format!("{host}/listener/github/sync/{}/refresh", sync.id);
+    let sync_url =
+      format!("{host}/listener/github/sync/{}/sync", sync.id);
+
+    let mut refresh_enabled = false;
+    let mut sync_enabled = false;
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == refresh_url {
+        refresh_enabled = true
+      }
+      if webhook.active && webhook.config.url == sync_url {
+        sync_enabled = true
+      }
+    }
+
+    Ok(GetSyncWebhooksEnabledResponse {
+      managed: true,
+      refresh_enabled,
+      sync_enabled,
+    })
+  }
+}

bin/core/src/api/read/tag.rs

@@ -0,0 +1,33 @@
+use anyhow::Context;
+use database::mongo_indexed::doc;
+use database::mungos::{
+  find::find_collect, mongodb::options::FindOptions,
+};
+use komodo_client::{
+  api::read::{GetTag, ListTags},
+  entities::tag::Tag,
+};
+use resolver_api::Resolve;
+
+use crate::{helpers::query::get_tag, state::db_client};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetTag {
+  async fn resolve(self, _: &ReadArgs) -> serror::Result<Tag> {
+    Ok(get_tag(&self.tag).await?)
+  }
+}
+
+impl Resolve<ReadArgs> for ListTags {
+  async fn resolve(self, _: &ReadArgs) -> serror::Result<Vec<Tag>> {
+    let res = find_collect(
+      &db_client().tags,
+      self.query,
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to get tags from db")?;
+    Ok(res)
+  }
+}

bin/core/src/api/read/toml.rs

@@ -0,0 +1,516 @@
+use anyhow::Context;
+use database::mungos::find::find_collect;
+use komodo_client::{
+  api::read::{
+    ExportAllResourcesToToml, ExportAllResourcesToTomlResponse,
+    ExportResourcesToToml, ExportResourcesToTomlResponse,
+    ListUserGroups,
+  },
+  entities::{
+    ResourceTarget, action::Action, alerter::Alerter, build::Build,
+    builder::Builder, deployment::Deployment,
+    permission::PermissionLevel, procedure::Procedure, repo::Repo,
+    resource::ResourceQuery, server::Server, stack::Stack,
+    sync::ResourceSync, toml::ResourcesToml, user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::{
+    get_all_tags, get_id_to_tags, get_user_user_group_ids,
+  },
+  permission::get_check_permissions,
+  resource,
+  state::db_client,
+  sync::{
+    toml::{ToToml, convert_resource},
+    user_groups::{convert_user_groups, user_group_to_toml},
+    variables::variable_to_toml,
+  },
+};
+
+use super::ReadArgs;
+
+async fn get_all_targets(
+  tags: &[String],
+  user: &User,
+) -> anyhow::Result<Vec<ResourceTarget>> {
+  let mut targets = Vec::<ResourceTarget>::new();
+  let all_tags = if tags.is_empty() {
+    vec![]
+  } else {
+    get_all_tags(None).await?
+  };
+  targets.extend(
+    resource::list_full_for_user::<Alerter>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Alerter(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Builder>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Builder(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Server>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Server(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Stack>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Stack(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Deployment>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Deployment(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Build>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Build(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Repo>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Repo(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Procedure>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Procedure(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Action>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Action(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<ResourceSync>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    // These will already be filtered by [ExportResourcesToToml]
+    .map(|resource| ResourceTarget::ResourceSync(resource.id)),
+  );
+  Ok(targets)
+}
+
+impl Resolve<ReadArgs> for ExportAllResourcesToToml {
+  async fn resolve(
+    self,
+    args: &ReadArgs,
+  ) -> serror::Result<ExportAllResourcesToTomlResponse> {
+    let targets = if self.include_resources {
+      get_all_targets(&self.tags, &args.user).await?
+    } else {
+      Vec::new()
+    };
+
+    let user_groups = if self.include_user_groups {
+      if args.user.admin {
+        find_collect(&db_client().user_groups, None, None)
+          .await
+          .context("failed to query db for user groups")?
+          .into_iter()
+          .map(|user_group| user_group.id)
+          .collect()
+      } else {
+        get_user_user_group_ids(&args.user.id).await?
+      }
+    } else {
+      Vec::new()
+    };
+
+    ExportResourcesToToml {
+      targets,
+      user_groups,
+      include_variables: self.include_variables,
+    }
+    .resolve(args)
+    .await
+  }
+}
+
+impl Resolve<ReadArgs> for ExportResourcesToToml {
+  async fn resolve(
+    self,
+    args: &ReadArgs,
+  ) -> serror::Result<ExportResourcesToTomlResponse> {
+    let ExportResourcesToToml {
+      targets,
+      user_groups,
+      include_variables,
+    } = self;
+    let mut res = ResourcesToml::default();
+    let id_to_tags = get_id_to_tags(None).await?;
+    let ReadArgs { user } = args;
+    for target in targets {
+      match target {
+        ResourceTarget::Alerter(id) => {
+          let mut alerter = get_check_permissions::<Alerter>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Alerter::replace_ids(&mut alerter);
+          res.alerters.push(convert_resource::<Alerter>(
+            alerter,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::ResourceSync(id) => {
+          let mut sync = get_check_permissions::<ResourceSync>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          if sync.config.file_contents.is_empty()
+            && (sync.config.files_on_host
+              || !sync.config.repo.is_empty()
+              || !sync.config.linked_repo.is_empty())
+          {
+            ResourceSync::replace_ids(&mut sync);
+            res.resource_syncs.push(convert_resource::<ResourceSync>(
+              sync,
+              false,
+              vec![],
+              &id_to_tags,
+            ))
+          }
+        }
+        ResourceTarget::Server(id) => {
+          let mut server = get_check_permissions::<Server>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Server::replace_ids(&mut server);
+          res.servers.push(convert_resource::<Server>(
+            server,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Builder(id) => {
+          let mut builder = get_check_permissions::<Builder>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Builder::replace_ids(&mut builder);
+          res.builders.push(convert_resource::<Builder>(
+            builder,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Build(id) => {
+          let mut build = get_check_permissions::<Build>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Build::replace_ids(&mut build);
+          res.builds.push(convert_resource::<Build>(
+            build,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Deployment(id) => {
+          let mut deployment = get_check_permissions::<Deployment>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Deployment::replace_ids(&mut deployment);
+          res.deployments.push(convert_resource::<Deployment>(
+            deployment,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Repo(id) => {
+          let mut repo = get_check_permissions::<Repo>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Repo::replace_ids(&mut repo);
+          res.repos.push(convert_resource::<Repo>(
+            repo,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Stack(id) => {
+          let mut stack = get_check_permissions::<Stack>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Stack::replace_ids(&mut stack);
+          res.stacks.push(convert_resource::<Stack>(
+            stack,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Procedure(id) => {
+          let mut procedure = get_check_permissions::<Procedure>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Procedure::replace_ids(&mut procedure);
+          res.procedures.push(convert_resource::<Procedure>(
+            procedure,
+            false,
+            vec![],
+            &id_to_tags,
+          ));
+        }
+        ResourceTarget::Action(id) => {
+          let mut action = get_check_permissions::<Action>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Action::replace_ids(&mut action);
+          res.actions.push(convert_resource::<Action>(
+            action,
+            false,
+            vec![],
+            &id_to_tags,
+          ));
+        }
+        ResourceTarget::System(_) => continue,
+      };
+    }
+
+    add_user_groups(user_groups, &mut res, args)
+      .await
+      .context("failed to add user groups")?;
+
+    if include_variables {
+      res.variables =
+        find_collect(&db_client().variables, None, None)
+          .await
+          .context("failed to get variables from db")?
+          .into_iter()
+          .map(|mut variable| {
+            if !user.admin && variable.is_secret {
+              variable.value = "#".repeat(variable.value.len())
+            }
+            variable
+          })
+          .collect();
+    }
+
+    let toml = serialize_resources_toml(res)
+      .context("failed to serialize resources to toml")?;
+
+    Ok(ExportResourcesToTomlResponse { toml })
+  }
+}
+
+async fn add_user_groups(
+  user_groups: Vec<String>,
+  res: &mut ResourcesToml,
+  args: &ReadArgs,
+) -> anyhow::Result<()> {
+  let user_groups = ListUserGroups {}
+    .resolve(args)
+    .await
+    .map_err(|e| e.error)?
+    .into_iter()
+    .filter(|ug| {
+      user_groups.contains(&ug.name) || user_groups.contains(&ug.id)
+    });
+  let mut ug = Vec::with_capacity(user_groups.size_hint().0);
+  convert_user_groups(user_groups, &mut ug).await?;
+  res.user_groups = ug.into_iter().map(|ug| ug.1).collect();
+
+  Ok(())
+}
+
+fn serialize_resources_toml(
+  resources: ResourcesToml,
+) -> anyhow::Result<String> {
+  let mut toml = String::new();
+
+  for server in resources.servers {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[server]]\n");
+    Server::push_to_toml_string(server, &mut toml)?;
+  }
+
+  for stack in resources.stacks {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[stack]]\n");
+    Stack::push_to_toml_string(stack, &mut toml)?;
+  }
+
+  for deployment in resources.deployments {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[deployment]]\n");
+    Deployment::push_to_toml_string(deployment, &mut toml)?;
+  }
+
+  for build in resources.builds {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[build]]\n");
+    Build::push_to_toml_string(build, &mut toml)?;
+  }
+
+  for repo in resources.repos {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[repo]]\n");
+    Repo::push_to_toml_string(repo, &mut toml)?;
+  }
+
+  for procedure in resources.procedures {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[procedure]]\n");
+    Procedure::push_to_toml_string(procedure, &mut toml)?;
+  }
+
+  for action in resources.actions {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[action]]\n");
+    Action::push_to_toml_string(action, &mut toml)?;
+  }
+
+  for alerter in resources.alerters {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[alerter]]\n");
+    Alerter::push_to_toml_string(alerter, &mut toml)?;
+  }
+
+  for builder in resources.builders {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[builder]]\n");
+    Builder::push_to_toml_string(builder, &mut toml)?;
+  }
+
+  for resource_sync in resources.resource_syncs {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[resource_sync]]\n");
+    ResourceSync::push_to_toml_string(resource_sync, &mut toml)?;
+  }
+
+  for variable in &resources.variables {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str(&variable_to_toml(variable)?);
+  }
+
+  for user_group in resources.user_groups {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str(&user_group_to_toml(user_group)?);
+  }
+
+  Ok(toml)
+}

bin/core/src/api/read/update.rs

@@ -0,0 +1,314 @@
+use std::collections::HashMap;
+
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use komodo_client::{
+  api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
+  entities::{
+    ResourceTarget,
+    action::Action,
+    alerter::Alerter,
+    build::Build,
+    builder::Builder,
+    deployment::Deployment,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    repo::Repo,
+    server::Server,
+    stack::Stack,
+    sync::ResourceSync,
+    update::{Update, UpdateListItem},
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  permission::{get_check_permissions, get_resource_ids_for_user},
+  state::db_client,
+};
+
+use super::ReadArgs;
+
+const UPDATES_PER_PAGE: i64 = 100;
+
+impl Resolve<ReadArgs> for ListUpdates {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListUpdatesResponse> {
+    let query = if user.admin || core_config().transparent_mode {
+      self.query
+    } else {
+      let server_query = get_resource_ids_for_user::<Server>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Server", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Server" });
+
+      let deployment_query =
+        get_resource_ids_for_user::<Deployment>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Deployment", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Deployment" });
+
+      let stack_query = get_resource_ids_for_user::<Stack>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Stack", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Stack" });
+
+      let build_query = get_resource_ids_for_user::<Build>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Build", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Build" });
+
+      let repo_query = get_resource_ids_for_user::<Repo>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Repo", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Repo" });
+
+      let procedure_query =
+        get_resource_ids_for_user::<Procedure>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Procedure", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Procedure" });
+
+      let action_query = get_resource_ids_for_user::<Action>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Action", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Action" });
+
+      let builder_query = get_resource_ids_for_user::<Builder>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Builder", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Builder" });
+
+      let alerter_query = get_resource_ids_for_user::<Alerter>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Alerter", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Alerter" });
+
+      let resource_sync_query = get_resource_ids_for_user::<
+        ResourceSync,
+      >(user)
+      .await?
+      .map(|ids| {
+        doc! {
+          "target.type": "ResourceSync", "target.id": { "$in": ids }
+        }
+      })
+      .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
+
+      let mut query = self.query.unwrap_or_default();
+      query.extend(doc! {
+        "$or": [
+          server_query,
+          deployment_query,
+          stack_query,
+          build_query,
+          repo_query,
+          procedure_query,
+          action_query,
+          alerter_query,
+          builder_query,
+          resource_sync_query,
+        ]
+      });
+      query.into()
+    };
+
+    let usernames = find_collect(&db_client().users, None, None)
+      .await
+      .context("failed to pull users from db")?
+      .into_iter()
+      .map(|u| (u.id, u.username))
+      .collect::<HashMap<_, _>>();
+
+    let updates = find_collect(
+      &db_client().updates,
+      query,
+      FindOptions::builder()
+        .sort(doc! { "start_ts": -1 })
+        .skip(self.page as u64 * UPDATES_PER_PAGE as u64)
+        .limit(UPDATES_PER_PAGE)
+        .build(),
+    )
+    .await
+    .context("failed to pull updates from db")?
+    .into_iter()
+    .map(|u| {
+      let username = if User::is_service_user(&u.operator) {
+        u.operator.clone()
+      } else {
+        usernames
+          .get(&u.operator)
+          .cloned()
+          .unwrap_or("unknown".to_string())
+      };
+      UpdateListItem {
+        username,
+        id: u.id,
+        operation: u.operation,
+        start_ts: u.start_ts,
+        success: u.success,
+        operator: u.operator,
+        target: u.target,
+        status: u.status,
+        version: u.version,
+        other_data: u.other_data,
+      }
+    })
+    .collect::<Vec<_>>();
+
+    let next_page = if updates.len() == UPDATES_PER_PAGE as usize {
+      Some(self.page + 1)
+    } else {
+      None
+    };
+
+    Ok(ListUpdatesResponse { updates, next_page })
+  }
+}
+
+impl Resolve<ReadArgs> for GetUpdate {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Update> {
+    let update = find_one_by_id(&db_client().updates, &self.id)
+      .await
+      .context("failed to query to db")?
+      .context("no update exists with given id")?;
+    if user.admin || core_config().transparent_mode {
+      return Ok(update);
+    }
+    match &update.target {
+      ResourceTarget::System(_) => {
+        return Err(
+          anyhow!("user must be admin to view system updates").into(),
+        );
+      }
+      ResourceTarget::Server(id) => {
+        get_check_permissions::<Server>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::Deployment(id) => {
+        get_check_permissions::<Deployment>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::Build(id) => {
+        get_check_permissions::<Build>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::Repo(id) => {
+        get_check_permissions::<Repo>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::Builder(id) => {
+        get_check_permissions::<Builder>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::Alerter(id) => {
+        get_check_permissions::<Alerter>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::Procedure(id) => {
+        get_check_permissions::<Procedure>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::Action(id) => {
+        get_check_permissions::<Action>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::ResourceSync(id) => {
+        get_check_permissions::<ResourceSync>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::Stack(id) => {
+        get_check_permissions::<Stack>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+    }
+    Ok(update)
+  }
+}

bin/core/src/api/read/user.rs

@@ -0,0 +1,137 @@
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use komodo_client::{
+  api::read::{
+    FindUser, FindUserResponse, GetUsername, GetUsernameResponse,
+    ListApiKeys, ListApiKeysForServiceUser,
+    ListApiKeysForServiceUserResponse, ListApiKeysResponse,
+    ListUsers, ListUsersResponse,
+  },
+  entities::user::{UserConfig, admin_service_user},
+};
+use resolver_api::Resolve;
+
+use crate::{helpers::query::get_user, state::db_client};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetUsername {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetUsernameResponse> {
+    if let Some(user) = admin_service_user(&self.user_id) {
+      return Ok(GetUsernameResponse {
+        username: user.username,
+        avatar: None,
+      });
+    }
+
+    let user = find_one_by_id(&db_client().users, &self.user_id)
+      .await
+      .context("failed at mongo query for user")?
+      .context("no user found with id")?;
+
+    let avatar = match user.config {
+      UserConfig::Github { avatar, .. } => Some(avatar),
+      UserConfig::Google { avatar, .. } => Some(avatar),
+      _ => None,
+    };
+
+    Ok(GetUsernameResponse {
+      username: user.username,
+      avatar,
+    })
+  }
+}
+
+impl Resolve<ReadArgs> for FindUser {
+  async fn resolve(
+    self,
+    ReadArgs { user: admin }: &ReadArgs,
+  ) -> serror::Result<FindUserResponse> {
+    if !admin.admin {
+      return Err(anyhow!("This method is admin only.").into());
+    }
+    Ok(get_user(&self.user).await?)
+  }
+}
+
+impl Resolve<ReadArgs> for ListUsers {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListUsersResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("this route is only accessable by admins").into(),
+      );
+    }
+    let mut users = find_collect(
+      &db_client().users,
+      None,
+      FindOptions::builder().sort(doc! { "username": 1 }).build(),
+    )
+    .await
+    .context("failed to pull users from db")?;
+    users.iter_mut().for_each(|user| user.sanitize());
+    Ok(users)
+  }
+}
+
+impl Resolve<ReadArgs> for ListApiKeys {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListApiKeysResponse> {
+    let api_keys = find_collect(
+      &db_client().api_keys,
+      doc! { "user_id": &user.id },
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to query db for api keys")?
+    .into_iter()
+    .map(|mut api_keys| {
+      api_keys.sanitize();
+      api_keys
+    })
+    .collect();
+    Ok(api_keys)
+  }
+}
+
+impl Resolve<ReadArgs> for ListApiKeysForServiceUser {
+  async fn resolve(
+    self,
+    ReadArgs { user: admin }: &ReadArgs,
+  ) -> serror::Result<ListApiKeysForServiceUserResponse> {
+    if !admin.admin {
+      return Err(anyhow!("This method is admin only.").into());
+    }
+
+    let user = get_user(&self.user).await?;
+
+    let UserConfig::Service { .. } = user.config else {
+      return Err(anyhow!("Given user is not service user").into());
+    };
+    let api_keys = find_collect(
+      &db_client().api_keys,
+      doc! { "user_id": &user.id },
+      None,
+    )
+    .await
+    .context("failed to query db for api keys")?
+    .into_iter()
+    .map(|mut api_keys| {
+      api_keys.sanitize();
+      api_keys
+    })
+    .collect();
+    Ok(api_keys)
+  }
+}

bin/core/src/api/read/user_group.rs

@@ -0,0 +1,60 @@
+use std::str::FromStr;
+
+use anyhow::Context;
+use database::mungos::{
+  find::find_collect,
+  mongodb::{
+    bson::{Document, doc, oid::ObjectId},
+    options::FindOptions,
+  },
+};
+use komodo_client::api::read::*;
+use resolver_api::Resolve;
+
+use crate::state::db_client;
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetUserGroup {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetUserGroupResponse> {
+    let mut filter = match ObjectId::from_str(&self.user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &self.user_group },
+    };
+    // Don't allow non admin users to get UserGroups they aren't a part of.
+    if !user.admin {
+      // Filter for only UserGroups which contain the users id
+      filter.insert("users", &user.id);
+    }
+    let res = db_client()
+      .user_groups
+      .find_one(filter)
+      .await
+      .context("failed to query db for user groups")?
+      .context("no UserGroup found with given name or id")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListUserGroups {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListUserGroupsResponse> {
+    let mut filter = Document::new();
+    if !user.admin {
+      filter.insert("users", &user.id);
+    }
+    let res = find_collect(
+      &db_client().user_groups,
+      filter,
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to query db for UserGroups")?;
+    Ok(res)
+  }
+}

bin/core/src/api/read/variable.rs

@@ -0,0 +1,53 @@
+use anyhow::Context;
+use database::mongo_indexed::doc;
+use database::mungos::{
+  find::find_collect, mongodb::options::FindOptions,
+};
+use komodo_client::api::read::*;
+use resolver_api::Resolve;
+
+use crate::{helpers::query::get_variable, state::db_client};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetVariable {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetVariableResponse> {
+    let mut variable = get_variable(&self.name).await?;
+    if !variable.is_secret || user.admin {
+      return Ok(variable);
+    }
+    variable.value = "#".repeat(variable.value.len());
+    Ok(variable)
+  }
+}
+
+impl Resolve<ReadArgs> for ListVariables {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListVariablesResponse> {
+    let variables = find_collect(
+      &db_client().variables,
+      None,
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to query db for variables")?;
+    if user.admin {
+      return Ok(variables);
+    }
+    let variables = variables
+      .into_iter()
+      .map(|mut variable| {
+        if variable.is_secret {
+          variable.value = "#".repeat(variable.value.len());
+        }
+        variable
+      })
+      .collect();
+    Ok(variables)
+  }
+}

bin/core/src/api/terminal.rs

@@ -0,0 +1,299 @@
+use anyhow::Context;
+use axum::{Extension, Router, middleware, routing::post};
+use komodo_client::{
+  api::terminal::*,
+  entities::{
+    deployment::Deployment, permission::PermissionLevel,
+    server::Server, stack::Stack, user::User,
+  },
+};
+use serror::Json;
+use uuid::Uuid;
+
+use crate::{
+  auth::auth_request, helpers::periphery_client,
+  permission::get_check_permissions, resource::get,
+  state::stack_status_cache,
+};
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/execute", post(execute_terminal))
+    .route("/execute/container", post(execute_container_exec))
+    .route("/execute/deployment", post(execute_deployment_exec))
+    .route("/execute/stack", post(execute_stack_exec))
+    .layer(middleware::from_fn(auth_request))
+}
+
+// =================
+//  ExecuteTerminal
+// =================
+
+async fn execute_terminal(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteTerminalBody>,
+) -> serror::Result<axum::body::Body> {
+  execute_terminal_inner(Uuid::new_v4(), request, user).await
+}
+
+#[instrument(
+  name = "ExecuteTerminal",
+  skip(user),
+  fields(
+    user_id = user.id,
+  )
+)]
+async fn execute_terminal_inner(
+  req_id: Uuid,
+  ExecuteTerminalBody {
+    server,
+    terminal,
+    command,
+  }: ExecuteTerminalBody,
+  user: User,
+) -> serror::Result<axum::body::Body> {
+  info!("/terminal/execute request | user: {}", user.username);
+
+  let res = async {
+    let server = get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let stream = periphery
+      .execute_terminal(terminal, command)
+      .await
+      .context("Failed to execute command on periphery")?;
+
+    anyhow::Ok(stream)
+  }
+  .await;
+
+  let stream = match res {
+    Ok(stream) => stream,
+    Err(e) => {
+      warn!("/terminal/execute request {req_id} error: {e:#}");
+      return Err(e.into());
+    }
+  };
+
+  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+}
+
+// ======================
+//  ExecuteContainerExec
+// ======================
+
+async fn execute_container_exec(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteContainerExecBody>,
+) -> serror::Result<axum::body::Body> {
+  execute_container_exec_inner(Uuid::new_v4(), request, user).await
+}
+
+#[instrument(
+  name = "ExecuteContainerExec",
+  skip(user),
+  fields(
+    user_id = user.id,
+  )
+)]
+async fn execute_container_exec_inner(
+  req_id: Uuid,
+  ExecuteContainerExecBody {
+    server,
+    container,
+    shell,
+    command,
+  }: ExecuteContainerExecBody,
+  user: User,
+) -> serror::Result<axum::body::Body> {
+  info!(
+    "/terminal/execute/container request | user: {}",
+    user.username
+  );
+
+  let res = async {
+    let server = get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let stream = periphery
+      .execute_container_exec(container, shell, command)
+      .await
+      .context(
+        "Failed to execute container exec command on periphery",
+      )?;
+
+    anyhow::Ok(stream)
+  }
+  .await;
+
+  let stream = match res {
+    Ok(stream) => stream,
+    Err(e) => {
+      warn!(
+        "/terminal/execute/container request {req_id} error: {e:#}"
+      );
+      return Err(e.into());
+    }
+  };
+
+  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+}
+
+// =======================
+//  ExecuteDeploymentExec
+// =======================
+
+async fn execute_deployment_exec(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteDeploymentExecBody>,
+) -> serror::Result<axum::body::Body> {
+  execute_deployment_exec_inner(Uuid::new_v4(), request, user).await
+}
+
+#[instrument(
+  name = "ExecuteDeploymentExec",
+  skip(user),
+  fields(
+    user_id = user.id,
+  )
+)]
+async fn execute_deployment_exec_inner(
+  req_id: Uuid,
+  ExecuteDeploymentExecBody {
+    deployment,
+    shell,
+    command,
+  }: ExecuteDeploymentExecBody,
+  user: User,
+) -> serror::Result<axum::body::Body> {
+  info!(
+    "/terminal/execute/deployment request | user: {}",
+    user.username
+  );
+
+  let res = async {
+    let deployment = get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+
+    let server = get::<Server>(&deployment.config.server_id).await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let stream = periphery
+      .execute_container_exec(deployment.name, shell, command)
+      .await
+      .context(
+        "Failed to execute container exec command on periphery",
+      )?;
+
+    anyhow::Ok(stream)
+  }
+  .await;
+
+  let stream = match res {
+    Ok(stream) => stream,
+    Err(e) => {
+      warn!(
+        "/terminal/execute/deployment request {req_id} error: {e:#}"
+      );
+      return Err(e.into());
+    }
+  };
+
+  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+}
+
+// ==================
+//  ExecuteStackExec
+// ==================
+
+async fn execute_stack_exec(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteStackExecBody>,
+) -> serror::Result<axum::body::Body> {
+  execute_stack_exec_inner(Uuid::new_v4(), request, user).await
+}
+
+#[instrument(
+  name = "ExecuteStackExec",
+  skip(user),
+  fields(
+    user_id = user.id,
+  )
+)]
+async fn execute_stack_exec_inner(
+  req_id: Uuid,
+  ExecuteStackExecBody {
+    stack,
+    service,
+    shell,
+    command,
+  }: ExecuteStackExecBody,
+  user: User,
+) -> serror::Result<axum::body::Body> {
+  info!("/terminal/execute/stack request | user: {}", user.username);
+
+  let res = async {
+    let stack = get_check_permissions::<Stack>(
+      &stack,
+      &user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+
+    let server = get::<Server>(&stack.config.server_id).await?;
+
+    let container = stack_status_cache()
+      .get(&stack.id)
+      .await
+      .context("could not get stack status")?
+      .curr
+      .services
+      .iter()
+      .find(|s| s.service == service)
+      .context("could not find service")?
+      .container
+      .as_ref()
+      .context("could not find service container")?
+      .name
+      .clone();
+
+    let periphery = periphery_client(&server)?;
+
+    let stream = periphery
+      .execute_container_exec(container, shell, command)
+      .await
+      .context(
+        "Failed to execute container exec command on periphery",
+      )?;
+
+    anyhow::Ok(stream)
+  }
+  .await;
+
+  let stream = match res {
+    Ok(stream) => stream,
+    Err(e) => {
+      warn!("/terminal/execute/stack request {req_id} error: {e:#}");
+      return Err(e.into());
+    }
+  };
+
+  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+}

bin/core/src/api/user.rs

@@ -0,0 +1,213 @@
+use std::{collections::VecDeque, time::Instant};
+
+use anyhow::{Context, anyhow};
+use axum::{
+  Extension, Json, Router, extract::Path, middleware, routing::post,
+};
+use database::mongo_indexed::doc;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_bson,
+};
+use derive_variants::EnumVariants;
+use komodo_client::{
+  api::user::*,
+  entities::{api_key::ApiKey, komodo_timestamp, user::User},
+};
+use resolver_api::Resolve;
+use response::Response;
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{
+  auth::auth_request,
+  helpers::{query::get_user, random_string},
+  state::db_client,
+};
+
+use super::Variant;
+
+pub struct UserArgs {
+  pub user: User,
+}
+
+#[typeshare]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+)]
+#[args(UserArgs)]
+#[response(Response)]
+#[error(serror::Error)]
+#[serde(tag = "type", content = "params")]
+enum UserRequest {
+  PushRecentlyViewed(PushRecentlyViewed),
+  SetLastSeenUpdate(SetLastSeenUpdate),
+  CreateApiKey(CreateApiKey),
+  DeleteApiKey(DeleteApiKey),
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/", post(handler))
+    .route("/{variant}", post(variant_handler))
+    .layer(middleware::from_fn(auth_request))
+}
+
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<axum::response::Response> {
+  let req: UserRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
+}
+
+#[instrument(name = "UserHandler", level = "debug", skip(user))]
+async fn handler(
+  Extension(user): Extension<User>,
+  Json(request): Json<UserRequest>,
+) -> serror::Result<axum::response::Response> {
+  let timer = Instant::now();
+  let req_id = Uuid::new_v4();
+  debug!(
+    "/user request {req_id} | user: {} ({})",
+    user.username, user.id
+  );
+  let res = request.resolve(&UserArgs { user }).await;
+  if let Err(e) = &res {
+    warn!("/user request {req_id} error: {:#}", e.error);
+  }
+  let elapsed = timer.elapsed();
+  debug!("/user request {req_id} | resolve time: {elapsed:?}");
+  res.map(|res| res.0)
+}
+
+const RECENTLY_VIEWED_MAX: usize = 10;
+
+impl Resolve<UserArgs> for PushRecentlyViewed {
+  #[instrument(
+    name = "PushRecentlyViewed",
+    level = "debug",
+    skip(user)
+  )]
+  async fn resolve(
+    self,
+    UserArgs { user }: &UserArgs,
+  ) -> serror::Result<PushRecentlyViewedResponse> {
+    let user = get_user(&user.id).await?;
+
+    let (resource_type, id) = self.resource.extract_variant_id();
+    let update = match user.recents.get(&resource_type) {
+      Some(recents) => {
+        let mut recents = recents
+          .iter()
+          .filter(|_id| !id.eq(*_id))
+          .take(RECENTLY_VIEWED_MAX - 1)
+          .collect::<VecDeque<_>>();
+        recents.push_front(id);
+        doc! { format!("recents.{resource_type}"): to_bson(&recents)? }
+      }
+      None => {
+        doc! { format!("recents.{resource_type}"): [id] }
+      }
+    };
+    update_one_by_id(
+      &db_client().users,
+      &user.id,
+      database::mungos::update::Update::Set(update),
+      None,
+    )
+    .await
+    .with_context(|| {
+      format!("failed to update recents.{resource_type}")
+    })?;
+
+    Ok(PushRecentlyViewedResponse {})
+  }
+}
+
+impl Resolve<UserArgs> for SetLastSeenUpdate {
+  #[instrument(
+    name = "SetLastSeenUpdate",
+    level = "debug",
+    skip(user)
+  )]
+  async fn resolve(
+    self,
+    UserArgs { user }: &UserArgs,
+  ) -> serror::Result<SetLastSeenUpdateResponse> {
+    update_one_by_id(
+      &db_client().users,
+      &user.id,
+      database::mungos::update::Update::Set(doc! {
+        "last_update_view": komodo_timestamp()
+      }),
+      None,
+    )
+    .await
+    .context("failed to update user last_update_view")?;
+    Ok(SetLastSeenUpdateResponse {})
+  }
+}
+
+const SECRET_LENGTH: usize = 40;
+const BCRYPT_COST: u32 = 10;
+
+impl Resolve<UserArgs> for CreateApiKey {
+  #[instrument(name = "CreateApiKey", level = "debug", skip(user))]
+  async fn resolve(
+    self,
+    UserArgs { user }: &UserArgs,
+  ) -> serror::Result<CreateApiKeyResponse> {
+    let user = get_user(&user.id).await?;
+
+    let key = format!("K-{}", random_string(SECRET_LENGTH));
+    let secret = format!("S-{}", random_string(SECRET_LENGTH));
+    let secret_hash = bcrypt::hash(&secret, BCRYPT_COST)
+      .context("failed at hashing secret string")?;
+
+    let api_key = ApiKey {
+      name: self.name,
+      key: key.clone(),
+      secret: secret_hash,
+      user_id: user.id.clone(),
+      created_at: komodo_timestamp(),
+      expires: self.expires,
+    };
+    db_client()
+      .api_keys
+      .insert_one(api_key)
+      .await
+      .context("failed to create api key on db")?;
+    Ok(CreateApiKeyResponse { key, secret })
+  }
+}
+
+impl Resolve<UserArgs> for DeleteApiKey {
+  #[instrument(name = "DeleteApiKey", level = "debug", skip(user))]
+  async fn resolve(
+    self,
+    UserArgs { user }: &UserArgs,
+  ) -> serror::Result<DeleteApiKeyResponse> {
+    let client = db_client();
+    let key = client
+      .api_keys
+      .find_one(doc! { "key": &self.key })
+      .await
+      .context("failed at db query")?
+      .context("no api key with key found")?;
+    if user.id != key.user_id {
+      return Err(anyhow!("api key does not belong to user").into());
+    }
+    client
+      .api_keys
+      .delete_one(doc! { "key": key.key })
+      .await
+      .context("failed to delete api key from db")?;
+    Ok(DeleteApiKeyResponse {})
+  }
+}

bin/core/src/api/write/action.rs

@@ -0,0 +1,70 @@
+use komodo_client::{
+  api::write::*,
+  entities::{
+    action::Action, permission::PermissionLevel, update::Update,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{permission::get_check_permissions, resource};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateAction {
+  #[instrument(name = "CreateAction", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Action> {
+    Ok(
+      resource::create::<Action>(&self.name, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CopyAction {
+  #[instrument(name = "CopyAction", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Action> {
+    let Action { config, .. } = get_check_permissions::<Action>(
+      &self.id,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+    Ok(
+      resource::create::<Action>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateAction {
+  #[instrument(name = "UpdateAction", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Action> {
+    Ok(resource::update::<Action>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameAction {
+  #[instrument(name = "RenameAction", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Action>(&self.id, &self.name, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteAction {
+  #[instrument(name = "DeleteAction", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Action> {
+    Ok(resource::delete::<Action>(&self.id, args).await?)
+  }
+}

bin/core/src/api/write/alerter.rs

@@ -0,0 +1,76 @@
+use komodo_client::{
+  api::write::*,
+  entities::{
+    alerter::Alerter, permission::PermissionLevel, update::Update,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{permission::get_check_permissions, resource};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateAlerter {
+  #[instrument(name = "CreateAlerter", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Alerter> {
+    Ok(
+      resource::create::<Alerter>(&self.name, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CopyAlerter {
+  #[instrument(name = "CopyAlerter", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Alerter> {
+    let Alerter { config, .. } = get_check_permissions::<Alerter>(
+      &self.id,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+    Ok(
+      resource::create::<Alerter>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteAlerter {
+  #[instrument(name = "DeleteAlerter", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<Alerter> {
+    Ok(resource::delete::<Alerter>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateAlerter {
+  #[instrument(name = "UpdateAlerter", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Alerter> {
+    Ok(
+      resource::update::<Alerter>(&self.id, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for RenameAlerter {
+  #[instrument(name = "RenameAlerter", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Alerter>(&self.id, &self.name, user).await?)
+  }
+}

bin/core/src/api/write/build.rs

@@ -0,0 +1,735 @@
+use std::{path::PathBuf, str::FromStr, time::Duration};
+
+use anyhow::{Context, anyhow};
+use database::mongo_indexed::doc;
+use database::mungos::mongodb::bson::to_document;
+use formatting::format_serror;
+use komodo_client::{
+  api::write::*,
+  entities::{
+    FileContents, NoData, Operation, RepoExecutionArgs,
+    all_logs_success,
+    build::{Build, BuildInfo, PartialBuildConfig},
+    builder::{Builder, BuilderConfig},
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    repo::Repo,
+    server::ServerState,
+    update::Update,
+  },
+};
+use octorust::types::{
+  ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
+};
+use periphery_client::{
+  PeripheryClient,
+  api::build::{
+    GetDockerfileContentsOnHost, WriteDockerfileContentsToHost,
+  },
+};
+use resolver_api::Resolve;
+use tokio::fs;
+
+use crate::{
+  config::core_config,
+  helpers::{
+    git_token, periphery_client,
+    query::get_server_with_state,
+    update::{add_update, make_update},
+  },
+  permission::get_check_permissions,
+  resource,
+  state::{db_client, github_client},
+};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateBuild {
+  #[instrument(name = "CreateBuild", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Build> {
+    Ok(
+      resource::create::<Build>(&self.name, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CopyBuild {
+  #[instrument(name = "CopyBuild", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Build> {
+    let Build { mut config, .. } = get_check_permissions::<Build>(
+      &self.id,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    // reset version to 0.0.0
+    config.version = Default::default();
+    Ok(
+      resource::create::<Build>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteBuild {
+  #[instrument(name = "DeleteBuild", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Build> {
+    Ok(resource::delete::<Build>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateBuild {
+  #[instrument(name = "UpdateBuild", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Build> {
+    Ok(resource::update::<Build>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameBuild {
+  #[instrument(name = "RenameBuild", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Build>(&self.id, &self.name, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for WriteBuildFileContents {
+  #[instrument(name = "WriteBuildFileContents", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      &args.user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if !build.config.files_on_host
+      && build.config.repo.is_empty()
+      && build.config.linked_repo.is_empty()
+    {
+      return Err(anyhow!(
+        "Build is not configured to use Files on Host or Git Repo, can't write dockerfile contents"
+      ).into());
+    }
+
+    let mut update =
+      make_update(&build, Operation::WriteDockerfile, &args.user);
+
+    update.push_simple_log("Dockerfile to write", &self.contents);
+
+    if build.config.files_on_host {
+      match get_on_host_periphery(&build)
+        .await?
+        .request(WriteDockerfileContentsToHost {
+          name: build.name,
+          build_path: build.config.build_path,
+          dockerfile_path: build.config.dockerfile_path,
+          contents: self.contents,
+        })
+        .await
+        .context("Failed to write dockerfile contents to host")
+      {
+        Ok(log) => {
+          update.logs.push(log);
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Write Dockerfile Contents",
+            format_serror(&e.into()),
+          );
+        }
+      };
+
+      if !all_logs_success(&update.logs) {
+        update.finalize();
+        update.id = add_update(update.clone()).await?;
+
+        return Ok(update);
+      }
+
+      if let Err(e) =
+        (RefreshBuildCache { build: build.id }).resolve(args).await
+      {
+        update.push_error_log(
+          "Refresh build cache",
+          format_serror(&e.error.into()),
+        );
+      }
+
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+
+      Ok(update)
+    } else {
+      write_dockerfile_contents_git(self, args, build, update).await
+    }
+  }
+}
+
+async fn write_dockerfile_contents_git(
+  req: WriteBuildFileContents,
+  args: &WriteArgs,
+  build: Build,
+  mut update: Update,
+) -> serror::Result<Update> {
+  let WriteBuildFileContents { build: _, contents } = req;
+
+  let mut repo_args: RepoExecutionArgs = if !build
+    .config
+    .files_on_host
+    && !build.config.linked_repo.is_empty()
+  {
+    (&crate::resource::get::<Repo>(&build.config.linked_repo).await?)
+      .into()
+  } else {
+    (&build).into()
+  };
+  let root = repo_args.unique_path(&core_config().repo_directory)?;
+  repo_args.destination = Some(root.display().to_string());
+
+  let build_path = build
+    .config
+    .build_path
+    .parse::<PathBuf>()
+    .context("Invalid build path")?;
+  let dockerfile_path = build
+    .config
+    .dockerfile_path
+    .parse::<PathBuf>()
+    .context("Invalid dockerfile path")?;
+
+  let full_path = root.join(&build_path).join(&dockerfile_path);
+
+  if let Some(parent) = full_path.parent() {
+    fs::create_dir_all(parent).await.with_context(|| {
+      format!(
+        "Failed to initialize dockerfile parent directory {parent:?}"
+      )
+    })?;
+  }
+
+  let access_token = if let Some(account) = &repo_args.account {
+    git_token(&repo_args.provider, account, |https| repo_args.https = https)
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", repo_args.provider),
+    )?
+  } else {
+    None
+  };
+
+  // Ensure the folder is initialized as git repo.
+  // This allows a new file to be committed on a branch that may not exist.
+  if !root.join(".git").exists() {
+    git::init_folder_as_repo(
+      &root,
+      &repo_args,
+      access_token.as_deref(),
+      &mut update.logs,
+    )
+    .await;
+
+    if !all_logs_success(&update.logs) {
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+
+      return Ok(update);
+    }
+  }
+
+  // Save this for later -- repo_args moved next.
+  let branch = repo_args.branch.clone();
+  // Pull latest changes to repo to ensure linear commit history
+  match git::pull_or_clone(
+    repo_args,
+    &core_config().repo_directory,
+    access_token,
+  )
+  .await
+  .context("Failed to pull latest changes before commit")
+  {
+    Ok((res, _)) => update.logs.extend(res.logs),
+    Err(e) => {
+      update.push_error_log("Pull Repo", format_serror(&e.into()));
+      update.finalize();
+      return Ok(update);
+    }
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    return Ok(update);
+  }
+
+  if let Err(e) =
+    fs::write(&full_path, &contents).await.with_context(|| {
+      format!("Failed to write dockerfile contents to {full_path:?}")
+    })
+  {
+    update
+      .push_error_log("Write Dockerfile", format_serror(&e.into()));
+  } else {
+    update.push_simple_log(
+      "Write Dockerfile",
+      format!("File written to {full_path:?}"),
+    );
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    return Ok(update);
+  }
+
+  let commit_res = git::commit_file(
+    &format!("{}: Commit Dockerfile", args.user.username),
+    &root,
+    &build_path.join(&dockerfile_path),
+    &branch,
+  )
+  .await;
+
+  update.logs.extend(commit_res.logs);
+
+  if let Err(e) = (RefreshBuildCache { build: build.name })
+    .resolve(args)
+    .await
+  {
+    update.push_error_log(
+      "Refresh build cache",
+      format_serror(&e.error.into()),
+    );
+  }
+
+  update.finalize();
+  update.id = add_update(update.clone()).await?;
+
+  Ok(update)
+}
+
+impl Resolve<WriteArgs> for RefreshBuildCache {
+  #[instrument(
+    name = "RefreshBuildCache",
+    level = "debug",
+    skip(user)
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
+    // build should be able to do this.
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let repo = if !build.config.files_on_host
+      && !build.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&build.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
+    let (
+      remote_path,
+      remote_contents,
+      remote_error,
+      latest_hash,
+      latest_message,
+    ) = if build.config.files_on_host {
+      // =============
+      // FILES ON HOST
+      // =============
+      match get_on_host_dockerfile(&build).await {
+        Ok(FileContents { path, contents }) => {
+          (Some(path), Some(contents), None, None, None)
+        }
+        Err(e) => {
+          (None, None, Some(format_serror(&e.into())), None, None)
+        }
+      }
+    } else if let Some(repo) = &repo {
+      let Some(res) = get_git_remote(&build, repo.into()).await?
+      else {
+        // Nothing to do here
+        return Ok(NoData {});
+      };
+      res
+    } else if !build.config.repo.is_empty() {
+      let Some(res) = get_git_remote(&build, (&build).into()).await?
+      else {
+        // Nothing to do here
+        return Ok(NoData {});
+      };
+      res
+    } else {
+      // =============
+      // UI BASED FILE
+      // =============
+      (None, None, None, None, None)
+    };
+
+    let info = BuildInfo {
+      last_built_at: build.info.last_built_at,
+      built_hash: build.info.built_hash,
+      built_message: build.info.built_message,
+      built_contents: build.info.built_contents,
+      remote_path,
+      remote_contents,
+      remote_error,
+      latest_hash,
+      latest_message,
+    };
+
+    let info = to_document(&info)
+      .context("failed to serialize build info to bson")?;
+
+    db_client()
+      .builds
+      .update_one(
+        doc! { "name": &build.name },
+        doc! { "$set": { "info": info } },
+      )
+      .await
+      .context("failed to update build info on db")?;
+
+    Ok(NoData {})
+  }
+}
+
+async fn get_on_host_periphery(
+  build: &Build,
+) -> anyhow::Result<PeripheryClient> {
+  if build.config.builder_id.is_empty() {
+    return Err(anyhow!("No builder associated with build"));
+  }
+
+  let builder = resource::get::<Builder>(&build.config.builder_id)
+    .await
+    .context("Failed to get builder")?;
+
+  match builder.config {
+    BuilderConfig::Aws(_) => {
+      Err(anyhow!("Files on host doesn't work with AWS builder"))
+    }
+    BuilderConfig::Url(config) => {
+      let periphery = PeripheryClient::new(
+        config.address,
+        config.passkey,
+        Duration::from_secs(3),
+      );
+      periphery.health_check().await?;
+      Ok(periphery)
+    }
+    BuilderConfig::Server(config) => {
+      if config.server_id.is_empty() {
+        return Err(anyhow!(
+          "Builder is type server, but has no server attached"
+        ));
+      }
+      let (server, state) =
+        get_server_with_state(&config.server_id).await?;
+      if state != ServerState::Ok {
+        return Err(anyhow!(
+          "Builder server is disabled or not reachable"
+        ));
+      };
+      periphery_client(&server)
+    }
+  }
+}
+
+/// The successful case will be included as Some(remote_contents).
+/// The error case will be included as Some(remote_error)
+async fn get_on_host_dockerfile(
+  build: &Build,
+) -> anyhow::Result<FileContents> {
+  get_on_host_periphery(build)
+    .await?
+    .request(GetDockerfileContentsOnHost {
+      name: build.name.clone(),
+      build_path: build.config.build_path.clone(),
+      dockerfile_path: build.config.dockerfile_path.clone(),
+    })
+    .await
+}
+
+async fn get_git_remote(
+  build: &Build,
+  mut clone_args: RepoExecutionArgs,
+) -> anyhow::Result<
+  Option<(
+    Option<String>,
+    Option<String>,
+    Option<String>,
+    Option<String>,
+    Option<String>,
+  )>,
+> {
+  if clone_args.provider.is_empty() {
+    // Nothing to do here
+    return Ok(None);
+  }
+  let config = core_config();
+  let repo_path = clone_args.unique_path(&config.repo_directory)?;
+  clone_args.destination = Some(repo_path.display().to_string());
+
+  let access_token = if let Some(username) = &clone_args.account {
+    git_token(&clone_args.provider, username, |https| {
+          clone_args.https = https
+        })
+        .await
+        .with_context(
+          || format!("Failed to get git token in call to db. Stopping run. | {} | {username}", clone_args.provider),
+        )?
+  } else {
+    None
+  };
+
+  let (res, _) = git::pull_or_clone(
+    clone_args,
+    &config.repo_directory,
+    access_token,
+  )
+  .await
+  .context("failed to clone build repo")?;
+
+  let relative_path = PathBuf::from_str(&build.config.build_path)
+    .context("Invalid build path")?
+    .join(&build.config.dockerfile_path);
+
+  let full_path = repo_path.join(&relative_path);
+  let (contents, error) =
+    match fs::read_to_string(&full_path).await.with_context(|| {
+      format!("Failed to read dockerfile contents at {full_path:?}")
+    }) {
+      Ok(contents) => (Some(contents), None),
+      Err(e) => (None, Some(format_serror(&e.into()))),
+    };
+  Ok(Some((
+    Some(relative_path.display().to_string()),
+    contents,
+    error,
+    res.commit_hash,
+    res.commit_message,
+  )))
+}
+
+impl Resolve<WriteArgs> for CreateBuildWebhook {
+  #[instrument(name = "CreateBuildWebhook", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<CreateBuildWebhookResponse> {
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let WriteArgs { user } = args;
+
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if build.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't create webhook").into(),
+      );
+    }
+
+    let mut split = build.config.repo.split('/');
+    let owner = split.next().context("Build repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo =
+      split.next().context("Build repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    // First make sure the webhook isn't already created (inactive ones are ignored)
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      webhook_secret,
+      ..
+    } = core_config();
+
+    let webhook_secret = if build.config.webhook_secret.is_empty() {
+      webhook_secret
+    } else {
+      &build.config.webhook_secret
+    };
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = format!("{host}/listener/github/build/{}", build.id);
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        return Ok(NoData {});
+      }
+    }
+
+    // Now good to create the webhook
+    let request = ReposCreateWebhookRequest {
+      active: Some(true),
+      config: Some(ReposCreateWebhookRequestConfig {
+        url,
+        secret: webhook_secret.to_string(),
+        content_type: String::from("json"),
+        insecure_ssl: None,
+        digest: Default::default(),
+        token: Default::default(),
+      }),
+      events: vec![String::from("push")],
+      name: String::from("web"),
+    };
+    github_repos
+      .create_webhook(owner, repo, &request)
+      .await
+      .context("failed to create webhook")?;
+
+    if !build.config.webhook_enabled {
+      UpdateBuild {
+        id: build.id,
+        config: PartialBuildConfig {
+          webhook_enabled: Some(true),
+          ..Default::default()
+        },
+      }
+      .resolve(args)
+      .await
+      .map_err(|e| e.error)
+      .context("failed to update build to enable webhook")?;
+    }
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteBuildWebhook {
+  #[instrument(name = "DeleteBuildWebhook", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteBuildWebhookResponse> {
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if build.config.git_provider != "github.com" {
+      return Err(
+        anyhow!("Can only manage github.com repo webhooks").into(),
+      );
+    }
+
+    if build.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't delete webhook").into(),
+      );
+    }
+
+    let mut split = build.config.repo.split('/');
+    let owner = split.next().context("Build repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo =
+      split.next().context("Build repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = format!("{host}/listener/github/build/{}", build.id);
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        github_repos
+          .delete_webhook(owner, repo, webhook.id)
+          .await
+          .context("failed to delete webhook")?;
+        return Ok(NoData {});
+      }
+    }
+
+    // No webhook to delete, all good
+    Ok(NoData {})
+  }
+}

bin/core/src/api/write/builder.rs

@@ -0,0 +1,76 @@
+use komodo_client::{
+  api::write::*,
+  entities::{
+    builder::Builder, permission::PermissionLevel, update::Update,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{permission::get_check_permissions, resource};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateBuilder {
+  #[instrument(name = "CreateBuilder", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Builder> {
+    Ok(
+      resource::create::<Builder>(&self.name, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CopyBuilder {
+  #[instrument(name = "CopyBuilder", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Builder> {
+    let Builder { config, .. } = get_check_permissions::<Builder>(
+      &self.id,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+    Ok(
+      resource::create::<Builder>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteBuilder {
+  #[instrument(name = "DeleteBuilder", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<Builder> {
+    Ok(resource::delete::<Builder>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateBuilder {
+  #[instrument(name = "UpdateBuilder", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Builder> {
+    Ok(
+      resource::update::<Builder>(&self.id, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for RenameBuilder {
+  #[instrument(name = "RenameBuilder", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Builder>(&self.id, &self.name, user).await?)
+  }
+}

bin/core/src/api/write/deployment.rs

@@ -0,0 +1,263 @@
+use anyhow::{Context, anyhow};
+use database::mungos::{by_id::update_one_by_id, mongodb::bson::doc};
+use komodo_client::{
+  api::write::*,
+  entities::{
+    Operation,
+    deployment::{
+      Deployment, DeploymentImage, DeploymentState,
+      PartialDeploymentConfig, RestartMode,
+    },
+    docker::container::RestartPolicyNameEnum,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    server::{Server, ServerState},
+    to_container_compatible_name,
+    update::Update,
+  },
+};
+use periphery_client::api::{self, container::InspectContainer};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{
+    periphery_client,
+    query::get_deployment_state,
+    update::{add_update, make_update},
+  },
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, db_client, server_status_cache},
+};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateDeployment {
+  #[instrument(name = "CreateDeployment", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Deployment> {
+    Ok(
+      resource::create::<Deployment>(&self.name, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CopyDeployment {
+  #[instrument(name = "CopyDeployment", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Deployment> {
+    let Deployment { config, .. } =
+      get_check_permissions::<Deployment>(
+        &self.id,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?;
+    Ok(
+      resource::create::<Deployment>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
+  #[instrument(name = "CreateDeploymentFromContainer", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Deployment> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.inspect().attach(),
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect container: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let container = periphery_client(&server)?
+      .request(InspectContainer {
+        name: self.name.clone(),
+      })
+      .await
+      .context("Failed to inspect container")?;
+
+    let mut config = PartialDeploymentConfig {
+      server_id: server.id.into(),
+      ..Default::default()
+    };
+
+    if let Some(container_config) = container.config {
+      config.image = container_config
+        .image
+        .map(|image| DeploymentImage::Image { image });
+      config.command = container_config.cmd.join(" ").into();
+      config.environment = container_config
+        .env
+        .into_iter()
+        .map(|env| format!("  {env}"))
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+      config.labels = container_config
+        .labels
+        .into_iter()
+        .map(|(key, val)| format!("  {key}: {val}"))
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+    }
+    if let Some(host_config) = container.host_config {
+      config.volumes = host_config
+        .binds
+        .into_iter()
+        .map(|bind| format!("  {bind}"))
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+      config.network = host_config.network_mode;
+      config.ports = host_config
+        .port_bindings
+        .into_iter()
+        .filter_map(|(container, mut host)| {
+          let host = host.pop()?.host_port?;
+          Some(format!("  {host}:{}", container.replace("/tcp", "")))
+        })
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+      config.restart = host_config.restart_policy.map(|restart| {
+        match restart.name {
+          RestartPolicyNameEnum::Always => RestartMode::Always,
+          RestartPolicyNameEnum::No
+          | RestartPolicyNameEnum::Empty => RestartMode::NoRestart,
+          RestartPolicyNameEnum::UnlessStopped => {
+            RestartMode::UnlessStopped
+          }
+          RestartPolicyNameEnum::OnFailure => RestartMode::OnFailure,
+        }
+      });
+    }
+
+    Ok(
+      resource::create::<Deployment>(&self.name, config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteDeployment {
+  #[instrument(name = "DeleteDeployment", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<Deployment> {
+    Ok(resource::delete::<Deployment>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateDeployment {
+  #[instrument(name = "UpdateDeployment", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Deployment> {
+    Ok(
+      resource::update::<Deployment>(&self.id, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for RenameDeployment {
+  #[instrument(name = "RenameDeployment", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    let deployment = get_check_permissions::<Deployment>(
+      &self.id,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.renaming = true)?;
+
+    let name = to_container_compatible_name(&self.name);
+
+    let container_state =
+      get_deployment_state(&deployment.id).await?;
+
+    if container_state == DeploymentState::Unknown {
+      return Err(
+        anyhow!(
+          "Cannot rename Deployment when container status is unknown"
+        )
+        .into(),
+      );
+    }
+
+    let mut update =
+      make_update(&deployment, Operation::RenameDeployment, user);
+
+    update_one_by_id(
+      &db_client().deployments,
+      &deployment.id,
+      database::mungos::update::Update::Set(
+        doc! { "name": &name, "updated_at": komodo_timestamp() },
+      ),
+      None,
+    )
+    .await
+    .context("Failed to update Deployment name on db")?;
+
+    if container_state != DeploymentState::NotDeployed {
+      let server =
+        resource::get::<Server>(&deployment.config.server_id).await?;
+      let log = periphery_client(&server)?
+        .request(api::container::RenameContainer {
+          curr_name: deployment.name.clone(),
+          new_name: name.clone(),
+        })
+        .await
+        .context("Failed to rename container on server")?;
+      update.logs.push(log);
+    }
+
+    update.push_simple_log(
+      "Rename Deployment",
+      format!(
+        "Renamed Deployment from {} to {}",
+        deployment.name, name
+      ),
+    );
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/write/mod.rs

@@ -0,0 +1,256 @@
+use std::time::Instant;
+
+use anyhow::Context;
+use axum::{
+  Extension, Router, extract::Path, middleware, routing::post,
+};
+use derive_variants::{EnumVariants, ExtractVariant};
+use komodo_client::{api::write::*, entities::user::User};
+use resolver_api::Resolve;
+use response::Response;
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use serror::Json;
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::auth::auth_request;
+
+use super::Variant;
+
+mod action;
+mod alerter;
+mod build;
+mod builder;
+mod deployment;
+mod permissions;
+mod procedure;
+mod provider;
+mod repo;
+mod resource;
+mod server;
+mod service_user;
+mod stack;
+mod sync;
+mod tag;
+mod user;
+mod user_group;
+mod variable;
+
+pub struct WriteArgs {
+  pub user: User,
+}
+
+#[typeshare]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+)]
+#[variant_derive(Debug)]
+#[args(WriteArgs)]
+#[response(Response)]
+#[error(serror::Error)]
+#[serde(tag = "type", content = "params")]
+pub enum WriteRequest {
+  // ==== USER ====
+  CreateLocalUser(CreateLocalUser),
+  UpdateUserUsername(UpdateUserUsername),
+  UpdateUserPassword(UpdateUserPassword),
+  DeleteUser(DeleteUser),
+
+  // ==== SERVICE USER ====
+  CreateServiceUser(CreateServiceUser),
+  UpdateServiceUserDescription(UpdateServiceUserDescription),
+  CreateApiKeyForServiceUser(CreateApiKeyForServiceUser),
+  DeleteApiKeyForServiceUser(DeleteApiKeyForServiceUser),
+
+  // ==== USER GROUP ====
+  CreateUserGroup(CreateUserGroup),
+  RenameUserGroup(RenameUserGroup),
+  DeleteUserGroup(DeleteUserGroup),
+  AddUserToUserGroup(AddUserToUserGroup),
+  RemoveUserFromUserGroup(RemoveUserFromUserGroup),
+  SetUsersInUserGroup(SetUsersInUserGroup),
+  SetEveryoneUserGroup(SetEveryoneUserGroup),
+
+  // ==== PERMISSIONS ====
+  UpdateUserAdmin(UpdateUserAdmin),
+  UpdateUserBasePermissions(UpdateUserBasePermissions),
+  UpdatePermissionOnResourceType(UpdatePermissionOnResourceType),
+  UpdatePermissionOnTarget(UpdatePermissionOnTarget),
+
+  // ==== RESOURCE ====
+  UpdateResourceMeta(UpdateResourceMeta),
+
+  // ==== SERVER ====
+  CreateServer(CreateServer),
+  CopyServer(CopyServer),
+  DeleteServer(DeleteServer),
+  UpdateServer(UpdateServer),
+  RenameServer(RenameServer),
+  CreateNetwork(CreateNetwork),
+  CreateTerminal(CreateTerminal),
+  DeleteTerminal(DeleteTerminal),
+  DeleteAllTerminals(DeleteAllTerminals),
+
+  // ==== STACK ====
+  CreateStack(CreateStack),
+  CopyStack(CopyStack),
+  DeleteStack(DeleteStack),
+  UpdateStack(UpdateStack),
+  RenameStack(RenameStack),
+  WriteStackFileContents(WriteStackFileContents),
+  RefreshStackCache(RefreshStackCache),
+  CreateStackWebhook(CreateStackWebhook),
+  DeleteStackWebhook(DeleteStackWebhook),
+
+  // ==== DEPLOYMENT ====
+  CreateDeployment(CreateDeployment),
+  CopyDeployment(CopyDeployment),
+  CreateDeploymentFromContainer(CreateDeploymentFromContainer),
+  DeleteDeployment(DeleteDeployment),
+  UpdateDeployment(UpdateDeployment),
+  RenameDeployment(RenameDeployment),
+
+  // ==== BUILD ====
+  CreateBuild(CreateBuild),
+  CopyBuild(CopyBuild),
+  DeleteBuild(DeleteBuild),
+  UpdateBuild(UpdateBuild),
+  RenameBuild(RenameBuild),
+  WriteBuildFileContents(WriteBuildFileContents),
+  RefreshBuildCache(RefreshBuildCache),
+  CreateBuildWebhook(CreateBuildWebhook),
+  DeleteBuildWebhook(DeleteBuildWebhook),
+
+  // ==== BUILDER ====
+  CreateBuilder(CreateBuilder),
+  CopyBuilder(CopyBuilder),
+  DeleteBuilder(DeleteBuilder),
+  UpdateBuilder(UpdateBuilder),
+  RenameBuilder(RenameBuilder),
+
+  // ==== REPO ====
+  CreateRepo(CreateRepo),
+  CopyRepo(CopyRepo),
+  DeleteRepo(DeleteRepo),
+  UpdateRepo(UpdateRepo),
+  RenameRepo(RenameRepo),
+  RefreshRepoCache(RefreshRepoCache),
+  CreateRepoWebhook(CreateRepoWebhook),
+  DeleteRepoWebhook(DeleteRepoWebhook),
+
+  // ==== ALERTER ====
+  CreateAlerter(CreateAlerter),
+  CopyAlerter(CopyAlerter),
+  DeleteAlerter(DeleteAlerter),
+  UpdateAlerter(UpdateAlerter),
+  RenameAlerter(RenameAlerter),
+
+  // ==== PROCEDURE ====
+  CreateProcedure(CreateProcedure),
+  CopyProcedure(CopyProcedure),
+  DeleteProcedure(DeleteProcedure),
+  UpdateProcedure(UpdateProcedure),
+  RenameProcedure(RenameProcedure),
+
+  // ==== ACTION ====
+  CreateAction(CreateAction),
+  CopyAction(CopyAction),
+  DeleteAction(DeleteAction),
+  UpdateAction(UpdateAction),
+  RenameAction(RenameAction),
+
+  // ==== SYNC ====
+  CreateResourceSync(CreateResourceSync),
+  CopyResourceSync(CopyResourceSync),
+  DeleteResourceSync(DeleteResourceSync),
+  UpdateResourceSync(UpdateResourceSync),
+  RenameResourceSync(RenameResourceSync),
+  WriteSyncFileContents(WriteSyncFileContents),
+  CommitSync(CommitSync),
+  RefreshResourceSyncPending(RefreshResourceSyncPending),
+  CreateSyncWebhook(CreateSyncWebhook),
+  DeleteSyncWebhook(DeleteSyncWebhook),
+
+  // ==== TAG ====
+  CreateTag(CreateTag),
+  DeleteTag(DeleteTag),
+  RenameTag(RenameTag),
+  UpdateTagColor(UpdateTagColor),
+
+  // ==== VARIABLE ====
+  CreateVariable(CreateVariable),
+  UpdateVariableValue(UpdateVariableValue),
+  UpdateVariableDescription(UpdateVariableDescription),
+  UpdateVariableIsSecret(UpdateVariableIsSecret),
+  DeleteVariable(DeleteVariable),
+
+  // ==== PROVIDERS ====
+  CreateGitProviderAccount(CreateGitProviderAccount),
+  UpdateGitProviderAccount(UpdateGitProviderAccount),
+  DeleteGitProviderAccount(DeleteGitProviderAccount),
+  CreateDockerRegistryAccount(CreateDockerRegistryAccount),
+  UpdateDockerRegistryAccount(UpdateDockerRegistryAccount),
+  DeleteDockerRegistryAccount(DeleteDockerRegistryAccount),
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/", post(handler))
+    .route("/{variant}", post(variant_handler))
+    .layer(middleware::from_fn(auth_request))
+}
+
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<axum::response::Response> {
+  let req: WriteRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
+}
+
+async fn handler(
+  Extension(user): Extension<User>,
+  Json(request): Json<WriteRequest>,
+) -> serror::Result<axum::response::Response> {
+  let req_id = Uuid::new_v4();
+
+  let res = tokio::spawn(task(req_id, request, user))
+    .await
+    .context("failure in spawned task");
+
+  res?
+}
+
+#[instrument(
+  name = "WriteRequest",
+  skip(user, request),
+  fields(
+    user_id = user.id,
+    request = format!("{:?}", request.extract_variant())
+  )
+)]
+async fn task(
+  req_id: Uuid,
+  request: WriteRequest,
+  user: User,
+) -> serror::Result<axum::response::Response> {
+  info!("/write request | user: {}", user.username);
+
+  let timer = Instant::now();
+
+  let res = request.resolve(&WriteArgs { user }).await;
+
+  if let Err(e) = &res {
+    warn!("/write request {req_id} error: {:#}", e.error);
+  }
+
+  let elapsed = timer.elapsed();
+  debug!("/write request {req_id} | resolve time: {elapsed:?}");
+
+  res.map(|res| res.0)
+}

bin/core/src/api/write/permissions.rs

@@ -0,0 +1,444 @@
+use std::str::FromStr;
+
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::{find_one_by_id, update_one_by_id},
+  mongodb::{
+    bson::{Document, doc, oid::ObjectId, to_bson},
+    options::UpdateOptions,
+  },
+};
+use komodo_client::{
+  api::write::*,
+  entities::{
+    ResourceTarget, ResourceTargetVariant,
+    permission::{UserTarget, UserTargetVariant},
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{helpers::query::get_user, state::db_client};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for UpdateUserAdmin {
+  #[instrument(name = "UpdateUserAdmin", skip(super_admin))]
+  async fn resolve(
+    self,
+    WriteArgs { user: super_admin }: &WriteArgs,
+  ) -> serror::Result<UpdateUserAdminResponse> {
+    if !super_admin.super_admin {
+      return Err(
+        anyhow!("Only super admins can call this method.").into(),
+      );
+    }
+    let user = find_one_by_id(&db_client().users, &self.user_id)
+      .await
+      .context("failed to query mongo for user")?
+      .context("did not find user with given id")?;
+
+    if !user.enabled {
+      return Err(
+        anyhow!("User is disabled. Enable user first.").into(),
+      );
+    }
+
+    if user.super_admin {
+      return Err(anyhow!("Cannot update other super admins").into());
+    }
+
+    update_one_by_id(
+      &db_client().users,
+      &self.user_id,
+      doc! { "$set": { "admin": self.admin } },
+      None,
+    )
+    .await?;
+
+    Ok(UpdateUserAdminResponse {})
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateUserBasePermissions {
+  #[instrument(name = "UpdateUserBasePermissions", skip(admin))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UpdateUserBasePermissionsResponse> {
+    if !admin.admin {
+      return Err(anyhow!("this method is admin only").into());
+    }
+
+    let UpdateUserBasePermissions {
+      user_id,
+      enabled,
+      create_servers,
+      create_builds,
+    } = self;
+
+    let user = find_one_by_id(&db_client().users, &user_id)
+      .await
+      .context("failed to query mongo for user")?
+      .context("did not find user with given id")?;
+    if user.super_admin {
+      return Err(
+        anyhow!(
+          "Cannot use this method to update super admins permissions"
+        )
+        .into(),
+      );
+    }
+    if user.admin && !admin.super_admin {
+      return Err(anyhow!(
+        "Only super admins can use this method to update other admins permissions"
+      ).into());
+    }
+    let mut update_doc = Document::new();
+    if let Some(enabled) = enabled {
+      update_doc.insert("enabled", enabled);
+    }
+    if let Some(create_servers) = create_servers {
+      update_doc.insert("create_server_permissions", create_servers);
+    }
+    if let Some(create_builds) = create_builds {
+      update_doc.insert("create_build_permissions", create_builds);
+    }
+
+    update_one_by_id(
+      &db_client().users,
+      &user_id,
+      database::mungos::update::Update::Set(update_doc),
+      None,
+    )
+    .await?;
+
+    Ok(UpdateUserBasePermissionsResponse {})
+  }
+}
+
+impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
+  #[instrument(name = "UpdatePermissionOnResourceType", skip(admin))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UpdatePermissionOnResourceTypeResponse> {
+    if !admin.admin {
+      return Err(anyhow!("this method is admin only").into());
+    }
+
+    let Self {
+      user_target,
+      resource_type,
+      permission,
+    } = self;
+
+    // Some extra checks if user target is an actual User
+    if let UserTarget::User(user_id) = &user_target {
+      let user = get_user(user_id).await?;
+      if user.admin {
+        return Err(
+          anyhow!(
+          "cannot use this method to update other admins permissions"
+        )
+          .into(),
+        );
+      }
+      if !user.enabled {
+        return Err(anyhow!("user not enabled").into());
+      }
+    }
+
+    let (user_target_variant, user_target_id) =
+      extract_user_target_with_validation(&user_target).await?;
+
+    let id = ObjectId::from_str(&user_target_id)
+      .context("id is not ObjectId")?;
+    let filter = doc! { "_id": id };
+    let field = format!("all.{resource_type}");
+    let set =
+      to_bson(&permission).context("permission is not Bson")?;
+    let update = doc! { "$set": { &field: &set } };
+
+    match user_target_variant {
+      UserTargetVariant::User => {
+        db_client()
+          .users
+          .update_one(filter, update)
+          .await
+          .with_context(|| {
+            format!("failed to set {field}: {set} on db")
+          })?;
+      }
+      UserTargetVariant::UserGroup => {
+        db_client()
+          .user_groups
+          .update_one(filter, update)
+          .await
+          .with_context(|| {
+            format!("failed to set {field}: {set} on db")
+          })?;
+      }
+    }
+
+    Ok(UpdatePermissionOnResourceTypeResponse {})
+  }
+}
+
+impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
+  #[instrument(name = "UpdatePermissionOnTarget", skip(admin))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UpdatePermissionOnTargetResponse> {
+    if !admin.admin {
+      return Err(anyhow!("this method is admin only").into());
+    }
+
+    let UpdatePermissionOnTarget {
+      user_target,
+      resource_target,
+      permission,
+    } = self;
+
+    // Some extra checks relevant if user target is an actual User
+    if let UserTarget::User(user_id) = &user_target {
+      let user = get_user(user_id).await?;
+      if !user.enabled {
+        return Err(anyhow!("user not enabled").into());
+      }
+      if user.admin {
+        return Err(
+          anyhow!(
+          "cannot use this method to update other admins permissions"
+        )
+          .into(),
+        );
+      }
+    }
+
+    let (user_target_variant, user_target_id) =
+      extract_user_target_with_validation(&user_target).await?;
+    let (resource_variant, resource_id) =
+      extract_resource_target_with_validation(&resource_target)
+        .await?;
+
+    let (user_target_variant, resource_variant) =
+      (user_target_variant.as_ref(), resource_variant.as_ref());
+
+    let specific = to_bson(&permission.specific)
+      .context("permission.specific is not valid Bson")?;
+
+    db_client()
+      .permissions
+      .update_one(
+        doc! {
+          "user_target.type": user_target_variant,
+          "user_target.id": &user_target_id,
+          "resource_target.type": resource_variant,
+          "resource_target.id": &resource_id
+        },
+        doc! {
+          "$set": {
+            "user_target.type": user_target_variant,
+            "user_target.id": user_target_id,
+            "resource_target.type": resource_variant,
+            "resource_target.id": resource_id,
+            "level": permission.level.as_ref(),
+            "specific": specific
+          }
+        },
+      )
+      .with_options(UpdateOptions::builder().upsert(true).build())
+      .await?;
+
+    Ok(UpdatePermissionOnTargetResponse {})
+  }
+}
+
+/// checks if inner id is actually a `name`, and replaces it with id if so.
+async fn extract_user_target_with_validation(
+  user_target: &UserTarget,
+) -> serror::Result<(UserTargetVariant, String)> {
+  match user_target {
+    UserTarget::User(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "username": ident },
+      };
+      let id = db_client()
+        .users
+        .find_one(filter)
+        .await
+        .context("failed to query db for users")?
+        .context("no matching user found")?
+        .id;
+      Ok((UserTargetVariant::User, id))
+    }
+    UserTarget::UserGroup(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .user_groups
+        .find_one(filter)
+        .await
+        .context("failed to query db for user_groups")?
+        .context("no matching user_group found")?
+        .id;
+      Ok((UserTargetVariant::UserGroup, id))
+    }
+  }
+}
+
+/// checks if inner id is actually a `name`, and replaces it with id if so.
+async fn extract_resource_target_with_validation(
+  resource_target: &ResourceTarget,
+) -> serror::Result<(ResourceTargetVariant, String)> {
+  match resource_target {
+    ResourceTarget::System(_) => {
+      let res = resource_target.extract_variant_id();
+      Ok((res.0, res.1.clone()))
+    }
+    ResourceTarget::Build(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .builds
+        .find_one(filter)
+        .await
+        .context("failed to query db for builds")?
+        .context("no matching build found")?
+        .id;
+      Ok((ResourceTargetVariant::Build, id))
+    }
+    ResourceTarget::Builder(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .builders
+        .find_one(filter)
+        .await
+        .context("failed to query db for builders")?
+        .context("no matching builder found")?
+        .id;
+      Ok((ResourceTargetVariant::Builder, id))
+    }
+    ResourceTarget::Deployment(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .deployments
+        .find_one(filter)
+        .await
+        .context("failed to query db for deployments")?
+        .context("no matching deployment found")?
+        .id;
+      Ok((ResourceTargetVariant::Deployment, id))
+    }
+    ResourceTarget::Server(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .servers
+        .find_one(filter)
+        .await
+        .context("failed to query db for servers")?
+        .context("no matching server found")?
+        .id;
+      Ok((ResourceTargetVariant::Server, id))
+    }
+    ResourceTarget::Repo(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .repos
+        .find_one(filter)
+        .await
+        .context("failed to query db for repos")?
+        .context("no matching repo found")?
+        .id;
+      Ok((ResourceTargetVariant::Repo, id))
+    }
+    ResourceTarget::Alerter(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .alerters
+        .find_one(filter)
+        .await
+        .context("failed to query db for alerters")?
+        .context("no matching alerter found")?
+        .id;
+      Ok((ResourceTargetVariant::Alerter, id))
+    }
+    ResourceTarget::Procedure(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .procedures
+        .find_one(filter)
+        .await
+        .context("failed to query db for procedures")?
+        .context("no matching procedure found")?
+        .id;
+      Ok((ResourceTargetVariant::Procedure, id))
+    }
+    ResourceTarget::Action(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .actions
+        .find_one(filter)
+        .await
+        .context("failed to query db for actions")?
+        .context("no matching action found")?
+        .id;
+      Ok((ResourceTargetVariant::Action, id))
+    }
+    ResourceTarget::ResourceSync(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .resource_syncs
+        .find_one(filter)
+        .await
+        .context("failed to query db for resource syncs")?
+        .context("no matching resource sync found")?
+        .id;
+      Ok((ResourceTargetVariant::ResourceSync, id))
+    }
+    ResourceTarget::Stack(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .stacks
+        .find_one(filter)
+        .await
+        .context("failed to query db for stacks")?
+        .context("no matching stack found")?
+        .id;
+      Ok((ResourceTargetVariant::Stack, id))
+    }
+  }
+}

bin/core/src/api/write/procedure.rs

@@ -0,0 +1,80 @@
+use komodo_client::{
+  api::write::*,
+  entities::{
+    permission::PermissionLevel, procedure::Procedure, update::Update,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{permission::get_check_permissions, resource};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateProcedure {
+  #[instrument(name = "CreateProcedure", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateProcedureResponse> {
+    Ok(
+      resource::create::<Procedure>(&self.name, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CopyProcedure {
+  #[instrument(name = "CopyProcedure", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CopyProcedureResponse> {
+    let Procedure { config, .. } =
+      get_check_permissions::<Procedure>(
+        &self.id,
+        user,
+        PermissionLevel::Write.into(),
+      )
+      .await?;
+    Ok(
+      resource::create::<Procedure>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateProcedure {
+  #[instrument(name = "UpdateProcedure", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateProcedureResponse> {
+    Ok(
+      resource::update::<Procedure>(&self.id, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for RenameProcedure {
+  #[instrument(name = "RenameProcedure", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(
+      resource::rename::<Procedure>(&self.id, &self.name, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteProcedure {
+  #[instrument(name = "DeleteProcedure", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<DeleteProcedureResponse> {
+    Ok(resource::delete::<Procedure>(&self.id, args).await?)
+  }
+}

bin/core/src/api/write/provider.rs

@@ -0,0 +1,410 @@
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::{delete_one_by_id, find_one_by_id, update_one_by_id},
+  mongodb::bson::{doc, to_document},
+};
+use komodo_client::{
+  api::write::*,
+  entities::{
+    Operation, ResourceTarget,
+    provider::{DockerRegistryAccount, GitProviderAccount},
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::update::{add_update, make_update},
+  state::db_client,
+};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateGitProviderAccount {
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateGitProviderAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can create git provider accounts")
+          .into(),
+      );
+    }
+
+    let mut account: GitProviderAccount = self.account.into();
+
+    if account.domain.is_empty() {
+      return Err(anyhow!("domain cannot be empty string.").into());
+    }
+
+    if account.username.is_empty() {
+      return Err(anyhow!("username cannot be empty string.").into());
+    }
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::CreateGitProviderAccount,
+      user,
+    );
+
+    account.id = db_client()
+      .git_accounts
+      .insert_one(&account)
+      .await
+      .context("failed to create git provider account on db")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted id is not ObjectId")?
+      .to_string();
+
+    update.push_simple_log(
+      "create git provider account",
+      format!(
+        "Created git provider account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for create git provider account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateGitProviderAccount {
+  async fn resolve(
+    mut self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateGitProviderAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can update git provider accounts")
+          .into(),
+      );
+    }
+
+    if let Some(domain) = &self.account.domain
+      && domain.is_empty()
+    {
+      return Err(
+        anyhow!("cannot update git provider with empty domain")
+          .into(),
+      );
+    }
+
+    if let Some(username) = &self.account.username
+      && username.is_empty()
+    {
+      return Err(
+        anyhow!("cannot update git provider with empty username")
+          .into(),
+      );
+    }
+
+    // Ensure update does not change id
+    self.account.id = None;
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::UpdateGitProviderAccount,
+      user,
+    );
+
+    let account = to_document(&self.account).context(
+      "failed to serialize partial git provider account to bson",
+    )?;
+    let db = db_client();
+    update_one_by_id(
+      &db.git_accounts,
+      &self.id,
+      doc! { "$set": account },
+      None,
+    )
+    .await
+    .context("failed to update git provider account on db")?;
+
+    let Some(account) = find_one_by_id(&db.git_accounts, &self.id)
+      .await
+      .context("failed to query db for git accounts")?
+    else {
+      return Err(anyhow!("no account found with given id").into());
+    };
+
+    update.push_simple_log(
+      "update git provider account",
+      format!(
+        "Updated git provider account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for update git provider account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteGitProviderAccount {
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteGitProviderAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can delete git provider accounts")
+          .into(),
+      );
+    }
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::UpdateGitProviderAccount,
+      user,
+    );
+
+    let db = db_client();
+    let Some(account) = find_one_by_id(&db.git_accounts, &self.id)
+      .await
+      .context("failed to query db for git accounts")?
+    else {
+      return Err(anyhow!("no account found with given id").into());
+    };
+    delete_one_by_id(&db.git_accounts, &self.id, None)
+      .await
+      .context("failed to delete git account on db")?;
+
+    update.push_simple_log(
+      "delete git provider account",
+      format!(
+        "Deleted git provider account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for delete git provider account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for CreateDockerRegistryAccount {
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateDockerRegistryAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!(
+          "only admins can create docker registry account accounts"
+        )
+        .into(),
+      );
+    }
+
+    let mut account: DockerRegistryAccount = self.account.into();
+
+    if account.domain.is_empty() {
+      return Err(anyhow!("domain cannot be empty string.").into());
+    }
+
+    if account.username.is_empty() {
+      return Err(anyhow!("username cannot be empty string.").into());
+    }
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::CreateDockerRegistryAccount,
+      user,
+    );
+
+    account.id = db_client()
+      .registry_accounts
+      .insert_one(&account)
+      .await
+      .context(
+        "failed to create docker registry account account on db",
+      )?
+      .inserted_id
+      .as_object_id()
+      .context("inserted id is not ObjectId")?
+      .to_string();
+
+    update.push_simple_log(
+      "create docker registry account",
+      format!(
+        "Created docker registry account account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for create docker registry account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateDockerRegistryAccount {
+  async fn resolve(
+    mut self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateDockerRegistryAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can update docker registry accounts")
+          .into(),
+      );
+    }
+
+    if let Some(domain) = &self.account.domain
+      && domain.is_empty()
+    {
+      return Err(
+        anyhow!(
+          "cannot update docker registry account with empty domain"
+        )
+        .into(),
+      );
+    }
+
+    if let Some(username) = &self.account.username
+      && username.is_empty()
+    {
+      return Err(
+        anyhow!(
+          "cannot update docker registry account with empty username"
+        )
+        .into(),
+      );
+    }
+
+    self.account.id = None;
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::UpdateDockerRegistryAccount,
+      user,
+    );
+
+    let account = to_document(&self.account).context(
+      "failed to serialize partial docker registry account account to bson",
+    )?;
+
+    let db = db_client();
+    update_one_by_id(
+      &db.registry_accounts,
+      &self.id,
+      doc! { "$set": account },
+      None,
+    )
+    .await
+    .context(
+      "failed to update docker registry account account on db",
+    )?;
+
+    let Some(account) =
+      find_one_by_id(&db.registry_accounts, &self.id)
+        .await
+        .context("failed to query db for registry accounts")?
+    else {
+      return Err(anyhow!("no account found with given id").into());
+    };
+
+    update.push_simple_log(
+      "update docker registry account",
+      format!(
+        "Updated docker registry account account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for update docker registry account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteDockerRegistryAccount {
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteDockerRegistryAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can delete docker registry accounts")
+          .into(),
+      );
+    }
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::UpdateDockerRegistryAccount,
+      user,
+    );
+
+    let db = db_client();
+    let Some(account) =
+      find_one_by_id(&db.registry_accounts, &self.id)
+        .await
+        .context("failed to query db for git accounts")?
+    else {
+      return Err(anyhow!("no account found with given id").into());
+    };
+    delete_one_by_id(&db.registry_accounts, &self.id, None)
+      .await
+      .context("failed to delete registry account on db")?;
+
+    update.push_simple_log(
+      "delete registry account",
+      format!(
+        "Deleted registry account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for delete docker registry account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}

bin/core/src/api/write/repo.rs

@@ -0,0 +1,454 @@
+use anyhow::{Context, anyhow};
+use database::mongo_indexed::doc;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
+use formatting::format_serror;
+use komodo_client::{
+  api::write::*,
+  entities::{
+    NoData, Operation, RepoExecutionArgs,
+    config::core::CoreConfig,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    repo::{PartialRepoConfig, Repo, RepoInfo},
+    server::Server,
+    to_path_compatible_name,
+    update::{Log, Update},
+  },
+};
+use octorust::types::{
+  ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
+};
+use periphery_client::api;
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::{
+    git_token, periphery_client,
+    update::{add_update, make_update},
+  },
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, db_client, github_client},
+};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateRepo {
+  #[instrument(name = "CreateRepo", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Repo> {
+    Ok(resource::create::<Repo>(&self.name, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for CopyRepo {
+  #[instrument(name = "CopyRepo", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Repo> {
+    let Repo { config, .. } = get_check_permissions::<Repo>(
+      &self.id,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    Ok(
+      resource::create::<Repo>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteRepo {
+  #[instrument(name = "DeleteRepo", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Repo> {
+    Ok(resource::delete::<Repo>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateRepo {
+  #[instrument(name = "UpdateRepo", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Repo> {
+    Ok(resource::update::<Repo>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameRepo {
+  #[instrument(name = "RenameRepo", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    let repo = get_check_permissions::<Repo>(
+      &self.id,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if repo.config.server_id.is_empty()
+      || !repo.config.path.is_empty()
+    {
+      return Ok(
+        resource::rename::<Repo>(&repo.id, &self.name, user).await?,
+      );
+    }
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // Will check to ensure repo not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.renaming = true)?;
+
+    let name = to_path_compatible_name(&self.name);
+
+    let mut update = make_update(&repo, Operation::RenameRepo, user);
+
+    update_one_by_id(
+      &db_client().repos,
+      &repo.id,
+      database::mungos::update::Update::Set(
+        doc! { "name": &name, "updated_at": komodo_timestamp() },
+      ),
+      None,
+    )
+    .await
+    .context("Failed to update Repo name on db")?;
+
+    let server =
+      resource::get::<Server>(&repo.config.server_id).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::git::RenameRepo {
+        curr_name: to_path_compatible_name(&repo.name),
+        new_name: name.clone(),
+      })
+      .await
+      .context("Failed to rename Repo directory on Server")
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "Rename Repo directory failure",
+        format_serror(&e.into()),
+      ),
+    };
+
+    update.logs.push(log);
+
+    update.push_simple_log(
+      "Rename Repo",
+      format!("Renamed Repo from {} to {}", repo.name, name),
+    );
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<WriteArgs> for RefreshRepoCache {
+  #[instrument(
+    name = "RefreshRepoCache",
+    level = "debug",
+    skip(user)
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
+    // repo should be able to do this.
+    let repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    if repo.config.git_provider.is_empty()
+      || repo.config.repo.is_empty()
+    {
+      // Nothing to do
+      return Ok(NoData {});
+    }
+
+    let mut clone_args: RepoExecutionArgs = (&repo).into();
+    let repo_path =
+      clone_args.unique_path(&core_config().repo_directory)?;
+    clone_args.destination = Some(repo_path.display().to_string());
+
+    let access_token = if let Some(username) = &clone_args.account {
+      git_token(&clone_args.provider, username, |https| {
+          clone_args.https = https
+        })
+        .await
+        .with_context(
+          || format!("Failed to get git token in call to db. Stopping run. | {} | {username}", clone_args.provider),
+        )?
+    } else {
+      None
+    };
+
+    let (res, _) = git::pull_or_clone(
+      clone_args,
+      &core_config().repo_directory,
+      access_token,
+    )
+    .await
+    .with_context(|| {
+      format!("Failed to update repo at {repo_path:?}")
+    })?;
+
+    let info = RepoInfo {
+      last_pulled_at: repo.info.last_pulled_at,
+      last_built_at: repo.info.last_built_at,
+      built_hash: repo.info.built_hash,
+      built_message: repo.info.built_message,
+      latest_hash: res.commit_hash,
+      latest_message: res.commit_message,
+    };
+
+    let info = to_document(&info)
+      .context("failed to serialize repo info to bson")?;
+
+    db_client()
+      .repos
+      .update_one(
+        doc! { "name": &repo.name },
+        doc! { "$set": { "info": info } },
+      )
+      .await
+      .context("failed to update repo info on db")?;
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for CreateRepoWebhook {
+  #[instrument(name = "CreateRepoWebhook", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<CreateRepoWebhookResponse> {
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let repo = get_check_permissions::<Repo>(
+      &self.repo,
+      &args.user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if repo.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't create webhook").into(),
+      );
+    }
+
+    let mut split = repo.config.repo.split('/');
+    let owner = split.next().context("Repo repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    // First make sure the webhook isn't already created (inactive ones are ignored)
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      webhook_secret,
+      ..
+    } = core_config();
+
+    let webhook_secret = if repo.config.webhook_secret.is_empty() {
+      webhook_secret
+    } else {
+      &repo.config.webhook_secret
+    };
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = match self.action {
+      RepoWebhookAction::Clone => {
+        format!("{host}/listener/github/repo/{}/clone", repo.id)
+      }
+      RepoWebhookAction::Pull => {
+        format!("{host}/listener/github/repo/{}/pull", repo.id)
+      }
+      RepoWebhookAction::Build => {
+        format!("{host}/listener/github/repo/{}/build", repo.id)
+      }
+    };
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        return Ok(NoData {});
+      }
+    }
+
+    // Now good to create the webhook
+    let request = ReposCreateWebhookRequest {
+      active: Some(true),
+      config: Some(ReposCreateWebhookRequestConfig {
+        url,
+        secret: webhook_secret.to_string(),
+        content_type: String::from("json"),
+        insecure_ssl: None,
+        digest: Default::default(),
+        token: Default::default(),
+      }),
+      events: vec![String::from("push")],
+      name: String::from("web"),
+    };
+    github_repos
+      .create_webhook(owner, repo_name, &request)
+      .await
+      .context("failed to create webhook")?;
+
+    if !repo.config.webhook_enabled {
+      UpdateRepo {
+        id: repo.id,
+        config: PartialRepoConfig {
+          webhook_enabled: Some(true),
+          ..Default::default()
+        },
+      }
+      .resolve(args)
+      .await
+      .map_err(|e| e.error)
+      .context("failed to update repo to enable webhook")?;
+    }
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteRepoWebhook {
+  #[instrument(name = "DeleteRepoWebhook", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteRepoWebhookResponse> {
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if repo.config.git_provider != "github.com" {
+      return Err(
+        anyhow!("Can only manage github.com repo webhooks").into(),
+      );
+    }
+
+    if repo.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't create webhook").into(),
+      );
+    }
+
+    let mut split = repo.config.repo.split('/');
+    let owner = split.next().context("Repo repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    // First make sure the webhook isn't already created (inactive ones are ignored)
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = match self.action {
+      RepoWebhookAction::Clone => {
+        format!("{host}/listener/github/repo/{}/clone", repo.id)
+      }
+      RepoWebhookAction::Pull => {
+        format!("{host}/listener/github/repo/{}/pull", repo.id)
+      }
+      RepoWebhookAction::Build => {
+        format!("{host}/listener/github/repo/{}/build", repo.id)
+      }
+    };
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        github_repos
+          .delete_webhook(owner, repo_name, webhook.id)
+          .await
+          .context("failed to delete webhook")?;
+        return Ok(NoData {});
+      }
+    }
+
+    // No webhook to delete, all good
+    Ok(NoData {})
+  }
+}

bin/core/src/api/write/resource.rs

@@ -0,0 +1,68 @@
+use anyhow::anyhow;
+use komodo_client::{
+  api::write::{UpdateResourceMeta, UpdateResourceMetaResponse},
+  entities::{
+    ResourceTarget, action::Action, alerter::Alerter, build::Build,
+    builder::Builder, deployment::Deployment, procedure::Procedure,
+    repo::Repo, server::Server, stack::Stack, sync::ResourceSync,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::resource::{self, ResourceMetaUpdate};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for UpdateResourceMeta {
+  #[instrument(name = "UpdateResourceMeta", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<UpdateResourceMetaResponse> {
+    let meta = ResourceMetaUpdate {
+      description: self.description,
+      template: self.template,
+      tags: self.tags,
+    };
+    match self.target {
+      ResourceTarget::System(_) => {
+        return Err(
+          anyhow!("cannot update meta of System resource target")
+            .into(),
+        );
+      }
+      ResourceTarget::Server(id) => {
+        resource::update_meta::<Server>(&id, meta, args).await?;
+      }
+      ResourceTarget::Deployment(id) => {
+        resource::update_meta::<Deployment>(&id, meta, args).await?;
+      }
+      ResourceTarget::Build(id) => {
+        resource::update_meta::<Build>(&id, meta, args).await?;
+      }
+      ResourceTarget::Repo(id) => {
+        resource::update_meta::<Repo>(&id, meta, args).await?;
+      }
+      ResourceTarget::Builder(id) => {
+        resource::update_meta::<Builder>(&id, meta, args).await?;
+      }
+      ResourceTarget::Alerter(id) => {
+        resource::update_meta::<Alerter>(&id, meta, args).await?;
+      }
+      ResourceTarget::Procedure(id) => {
+        resource::update_meta::<Procedure>(&id, meta, args).await?;
+      }
+      ResourceTarget::Action(id) => {
+        resource::update_meta::<Action>(&id, meta, args).await?;
+      }
+      ResourceTarget::ResourceSync(id) => {
+        resource::update_meta::<ResourceSync>(&id, meta, args)
+          .await?;
+      }
+      ResourceTarget::Stack(id) => {
+        resource::update_meta::<Stack>(&id, meta, args).await?;
+      }
+    }
+    Ok(UpdateResourceMetaResponse {})
+  }
+}

bin/core/src/api/write/server.rs

@@ -0,0 +1,203 @@
+use anyhow::Context;
+use formatting::format_serror;
+use komodo_client::{
+  api::write::*,
+  entities::{
+    NoData, Operation,
+    permission::PermissionLevel,
+    server::Server,
+    to_docker_compatible_name,
+    update::{Update, UpdateStatus},
+  },
+};
+use periphery_client::api;
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{
+    periphery_client,
+    update::{add_update, make_update, update_update},
+  },
+  permission::get_check_permissions,
+  resource,
+};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateServer {
+  #[instrument(name = "CreateServer", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Server> {
+    Ok(
+      resource::create::<Server>(&self.name, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CopyServer {
+  #[instrument(name = "CopyServer", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Server> {
+    let Server { config, .. } = get_check_permissions::<Server>(
+      &self.id,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    Ok(
+      resource::create::<Server>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteServer {
+  #[instrument(name = "DeleteServer", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Server> {
+    Ok(resource::delete::<Server>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateServer {
+  #[instrument(name = "UpdateServer", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Server> {
+    Ok(resource::update::<Server>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameServer {
+  #[instrument(name = "RenameServer", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Server>(&self.id, &self.name, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for CreateNetwork {
+  #[instrument(name = "CreateNetwork", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let mut update =
+      make_update(&server, Operation::CreateNetwork, user);
+    update.status = UpdateStatus::InProgress;
+    update.id = add_update(update.clone()).await?;
+
+    match periphery
+      .request(api::network::CreateNetwork {
+        name: to_docker_compatible_name(&self.name),
+        driver: None,
+      })
+      .await
+    {
+      Ok(log) => update.logs.push(log),
+      Err(e) => update.push_error_log(
+        "create network",
+        format_serror(&e.context("failed to create network").into()),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<WriteArgs> for CreateTerminal {
+  #[instrument(name = "CreateTerminal", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Write.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    periphery
+      .request(api::terminal::CreateTerminal {
+        name: self.name,
+        command: self.command,
+        recreate: self.recreate,
+      })
+      .await
+      .context("Failed to create terminal on periphery")?;
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteTerminal {
+  #[instrument(name = "DeleteTerminal", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Write.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    periphery
+      .request(api::terminal::DeleteTerminal {
+        terminal: self.terminal,
+      })
+      .await
+      .context("Failed to delete terminal on periphery")?;
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteAllTerminals {
+  #[instrument(name = "DeleteAllTerminals", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Write.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    periphery
+      .request(api::terminal::DeleteAllTerminals {})
+      .await
+      .context("Failed to delete all terminals on periphery")?;
+
+    Ok(NoData {})
+  }
+}

bin/core/src/api/write/service_user.rs

@@ -0,0 +1,157 @@
+use std::str::FromStr;
+
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::find_one_by_id,
+  mongodb::bson::{doc, oid::ObjectId},
+};
+use komodo_client::{
+  api::{user::CreateApiKey, write::*},
+  entities::{
+    komodo_timestamp,
+    user::{User, UserConfig},
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{api::user::UserArgs, state::db_client};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateServiceUser {
+  #[instrument(name = "CreateServiceUser", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateServiceUserResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin").into());
+    }
+    if ObjectId::from_str(&self.username).is_ok() {
+      return Err(
+        anyhow!("username cannot be valid ObjectId").into(),
+      );
+    }
+    let config = UserConfig::Service {
+      description: self.description,
+    };
+    let mut user = User {
+      id: Default::default(),
+      username: self.username,
+      config,
+      enabled: true,
+      admin: false,
+      super_admin: false,
+      create_server_permissions: false,
+      create_build_permissions: false,
+      last_update_view: 0,
+      recents: Default::default(),
+      all: Default::default(),
+      updated_at: komodo_timestamp(),
+    };
+    user.id = db_client()
+      .users
+      .insert_one(&user)
+      .await
+      .context("failed to create service user on db")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted id is not object id")?
+      .to_string();
+    Ok(user)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateServiceUserDescription {
+  #[instrument(name = "UpdateServiceUserDescription", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateServiceUserDescriptionResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin").into());
+    }
+    let db = db_client();
+    let service_user = db
+      .users
+      .find_one(doc! { "username": &self.username })
+      .await
+      .context("failed to query db for user")?
+      .context("no user with given username")?;
+    let UserConfig::Service { .. } = &service_user.config else {
+      return Err(anyhow!("user is not service user").into());
+    };
+    db.users
+      .update_one(
+        doc! { "username": &self.username },
+        doc! { "$set": { "config.data.description": self.description } },
+      )
+      .await
+      .context("failed to update user on db")?;
+    let res = db
+      .users
+      .find_one(doc! { "username": &self.username })
+      .await
+      .context("failed to query db for user")?
+      .context("user with username not found")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<WriteArgs> for CreateApiKeyForServiceUser {
+  #[instrument(name = "CreateApiKeyForServiceUser", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateApiKeyForServiceUserResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin").into());
+    }
+    let service_user =
+      find_one_by_id(&db_client().users, &self.user_id)
+        .await
+        .context("failed to query db for user")?
+        .context("no user found with id")?;
+    let UserConfig::Service { .. } = &service_user.config else {
+      return Err(anyhow!("user is not service user").into());
+    };
+    CreateApiKey {
+      name: self.name,
+      expires: self.expires,
+    }
+    .resolve(&UserArgs { user: service_user })
+    .await
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteApiKeyForServiceUser {
+  #[instrument(name = "DeleteApiKeyForServiceUser", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteApiKeyForServiceUserResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin").into());
+    }
+    let db = db_client();
+    let api_key = db
+      .api_keys
+      .find_one(doc! { "key": &self.key })
+      .await
+      .context("failed to query db for api key")?
+      .context("did not find matching api key")?;
+    let service_user =
+      find_one_by_id(&db_client().users, &api_key.user_id)
+        .await
+        .context("failed to query db for user")?
+        .context("no user found with id")?;
+    let UserConfig::Service { .. } = &service_user.config else {
+      return Err(anyhow!("user is not service user").into());
+    };
+    db.api_keys
+      .delete_one(doc! { "key": self.key })
+      .await
+      .context("failed to delete api key on db")?;
+    Ok(DeleteApiKeyForServiceUserResponse {})
+  }
+}

bin/core/src/api/write/stack.rs

@@ -0,0 +1,783 @@
+use std::path::PathBuf;
+
+use anyhow::{Context, anyhow};
+use database::mungos::mongodb::bson::{doc, to_document};
+use formatting::format_serror;
+use komodo_client::{
+  api::write::*,
+  entities::{
+    FileContents, NoData, Operation, RepoExecutionArgs,
+    all_logs_success,
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    repo::Repo,
+    server::ServerState,
+    stack::{PartialStackConfig, Stack, StackInfo},
+    update::Update,
+    user::stack_user,
+  },
+};
+use octorust::types::{
+  ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
+};
+use periphery_client::api::compose::{
+  GetComposeContentsOnHost, GetComposeContentsOnHostResponse,
+  WriteComposeContentsToHost,
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::{
+    periphery_client,
+    query::get_server_with_state,
+    stack_git_token,
+    update::{add_update, make_update},
+  },
+  permission::get_check_permissions,
+  resource,
+  stack::{
+    remote::{RemoteComposeContents, get_repo_compose_contents},
+    services::extract_services_into_res,
+  },
+  state::{db_client, github_client},
+};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateStack {
+  #[instrument(name = "CreateStack", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Stack> {
+    Ok(
+      resource::create::<Stack>(&self.name, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CopyStack {
+  #[instrument(name = "CopyStack", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Stack> {
+    let Stack { config, .. } = get_check_permissions::<Stack>(
+      &self.id,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    Ok(
+      resource::create::<Stack>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteStack {
+  #[instrument(name = "DeleteStack", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Stack> {
+    Ok(resource::delete::<Stack>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateStack {
+  #[instrument(name = "UpdateStack", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Stack> {
+    Ok(resource::update::<Stack>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameStack {
+  #[instrument(name = "RenameStack", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Stack>(&self.id, &self.name, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for WriteStackFileContents {
+  #[instrument(name = "WriteStackFileContents", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    let WriteStackFileContents {
+      stack,
+      file_path,
+      contents,
+    } = self;
+    let stack = get_check_permissions::<Stack>(
+      &stack,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if !stack.config.files_on_host
+      && stack.config.repo.is_empty()
+      && stack.config.linked_repo.is_empty()
+    {
+      return Err(anyhow!(
+        "Stack is not configured to use Files on Host, Git Repo, or Linked Repo, can't write file contents"
+      ).into());
+    }
+
+    let mut update =
+      make_update(&stack, Operation::WriteStackContents, user);
+
+    update.push_simple_log("File contents to write", &contents);
+
+    if stack.config.files_on_host {
+      write_stack_file_contents_on_host(
+        stack, file_path, contents, update,
+      )
+      .await
+    } else {
+      write_stack_file_contents_git(
+        stack,
+        &file_path,
+        &contents,
+        &user.username,
+        update,
+      )
+      .await
+    }
+  }
+}
+
+async fn write_stack_file_contents_on_host(
+  stack: Stack,
+  file_path: String,
+  contents: String,
+  mut update: Update,
+) -> serror::Result<Update> {
+  if stack.config.server_id.is_empty() {
+    return Err(anyhow!(
+      "Cannot write file, Files on host Stack has not configured a Server"
+    ).into());
+  }
+  let (server, state) =
+    get_server_with_state(&stack.config.server_id).await?;
+  if state != ServerState::Ok {
+    return Err(
+      anyhow!(
+        "Cannot write file when server is unreachable or disabled"
+      )
+      .into(),
+    );
+  }
+  match periphery_client(&server)?
+    .request(WriteComposeContentsToHost {
+      name: stack.name,
+      run_directory: stack.config.run_directory,
+      file_path,
+      contents,
+    })
+    .await
+    .context("Failed to write contents to host")
+  {
+    Ok(log) => {
+      update.logs.push(log);
+    }
+    Err(e) => {
+      update.push_error_log(
+        "Write File Contents",
+        format_serror(&e.into()),
+      );
+    }
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+    return Ok(update);
+  }
+
+  // Finish with a cache refresh
+  if let Err(e) = (RefreshStackCache { stack: stack.id })
+    .resolve(&WriteArgs {
+      user: stack_user().to_owned(),
+    })
+    .await
+    .map_err(|e| e.error)
+    .context(
+      "Failed to refresh stack cache after writing file contents",
+    )
+  {
+    update.push_error_log(
+      "Refresh stack cache",
+      format_serror(&e.into()),
+    );
+  }
+
+  update.finalize();
+  update.id = add_update(update.clone()).await?;
+
+  Ok(update)
+}
+
+async fn write_stack_file_contents_git(
+  mut stack: Stack,
+  file_path: &str,
+  contents: &str,
+  username: &str,
+  mut update: Update,
+) -> serror::Result<Update> {
+  let mut repo = if !stack.config.linked_repo.is_empty() {
+    crate::resource::get::<Repo>(&stack.config.linked_repo)
+      .await?
+      .into()
+  } else {
+    None
+  };
+  let git_token = stack_git_token(&mut stack, repo.as_mut()).await?;
+
+  let mut repo_args: RepoExecutionArgs = if let Some(repo) = &repo {
+    repo.into()
+  } else {
+    (&stack).into()
+  };
+  let root = repo_args.unique_path(&core_config().repo_directory)?;
+  repo_args.destination = Some(root.display().to_string());
+
+  let file_path = stack
+    .config
+    .run_directory
+    .parse::<PathBuf>()
+    .context("Run directory is not a valid path")?
+    .join(file_path);
+  let full_path =
+    root.join(&file_path).components().collect::<PathBuf>();
+
+  if let Some(parent) = full_path.parent() {
+    tokio::fs::create_dir_all(parent).await.with_context(|| {
+      format!(
+        "Failed to initialize stack file parent directory {parent:?}"
+      )
+    })?;
+  }
+
+  // Ensure the folder is initialized as git repo.
+  // This allows a new file to be committed on a branch that may not exist.
+  if !root.join(".git").exists() {
+    git::init_folder_as_repo(
+      &root,
+      &repo_args,
+      git_token.as_deref(),
+      &mut update.logs,
+    )
+    .await;
+
+    if !all_logs_success(&update.logs) {
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+      return Ok(update);
+    }
+  }
+
+  // Save this for later -- repo_args moved next.
+  let branch = repo_args.branch.clone();
+  // Pull latest changes to repo to ensure linear commit history
+  match git::pull_or_clone(
+    repo_args,
+    &core_config().repo_directory,
+    git_token,
+  )
+  .await
+  .context("Failed to pull latest changes before commit")
+  {
+    Ok((res, _)) => update.logs.extend(res.logs),
+    Err(e) => {
+      update.push_error_log("Pull Repo", format_serror(&e.into()));
+      update.finalize();
+      return Ok(update);
+    }
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+    return Ok(update);
+  }
+
+  if let Err(e) = tokio::fs::write(&full_path, &contents)
+    .await
+    .with_context(|| {
+      format!(
+        "Failed to write compose file contents to {full_path:?}"
+      )
+    })
+  {
+    update.push_error_log("Write File", format_serror(&e.into()));
+  } else {
+    update.push_simple_log(
+      "Write File",
+      format!("File written to {full_path:?}"),
+    );
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    return Ok(update);
+  }
+
+  let commit_res = git::commit_file(
+    &format!("{username}: Write Stack File"),
+    &root,
+    &file_path,
+    &branch,
+  )
+  .await;
+
+  update.logs.extend(commit_res.logs);
+
+  // Finish with a cache refresh
+  if let Err(e) = (RefreshStackCache { stack: stack.id })
+    .resolve(&WriteArgs {
+      user: stack_user().to_owned(),
+    })
+    .await
+    .map_err(|e| e.error)
+    .context(
+      "Failed to refresh stack cache after writing file contents",
+    )
+  {
+    update.push_error_log(
+      "Refresh stack cache",
+      format_serror(&e.into()),
+    );
+  }
+
+  update.finalize();
+  update.id = add_update(update.clone()).await?;
+
+  Ok(update)
+}
+
+impl Resolve<WriteArgs> for RefreshStackCache {
+  #[instrument(
+    name = "RefreshStackCache",
+    level = "debug",
+    skip(user)
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
+    // stack should be able to do this.
+    let stack = get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let repo = if !stack.config.files_on_host
+      && !stack.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&stack.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
+    let file_contents_empty = stack.config.file_contents.is_empty();
+    let repo_empty =
+      stack.config.repo.is_empty() && repo.as_ref().is_none();
+
+    if !stack.config.files_on_host
+      && file_contents_empty
+      && repo_empty
+    {
+      // Nothing to do without one of these
+      return Ok(NoData {});
+    }
+
+    let mut missing_files = Vec::new();
+
+    let (
+      latest_services,
+      remote_contents,
+      remote_errors,
+      latest_hash,
+      latest_message,
+    ) = if stack.config.files_on_host {
+      // =============
+      // FILES ON HOST
+      // =============
+      let (server, state) = if stack.config.server_id.is_empty() {
+        (None, ServerState::Disabled)
+      } else {
+        let (server, state) =
+          get_server_with_state(&stack.config.server_id).await?;
+        (Some(server), state)
+      };
+      if state != ServerState::Ok {
+        (vec![], None, None, None, None)
+      } else if let Some(server) = server {
+        let GetComposeContentsOnHostResponse { contents, errors } =
+          match periphery_client(&server)?
+            .request(GetComposeContentsOnHost {
+              file_paths: stack.all_file_dependencies(),
+              name: stack.name.clone(),
+              run_directory: stack.config.run_directory.clone(),
+            })
+            .await
+            .context("failed to get compose file contents from host")
+          {
+            Ok(res) => res,
+            Err(e) => GetComposeContentsOnHostResponse {
+              contents: Default::default(),
+              errors: vec![FileContents {
+                path: stack.config.run_directory.clone(),
+                contents: format_serror(&e.into()),
+              }],
+            },
+          };
+
+        let project_name = stack.project_name(true);
+
+        let mut services = Vec::new();
+
+        for contents in &contents {
+          // Don't include additional files in service parsing
+          if !stack.is_compose_file(&contents.path) {
+            continue;
+          }
+          if let Err(e) = extract_services_into_res(
+            &project_name,
+            &contents.contents,
+            &mut services,
+          ) {
+            warn!(
+              "failed to extract stack services, things won't works correctly. stack: {} | {e:#}",
+              stack.name
+            );
+          }
+        }
+
+        (services, Some(contents), Some(errors), None, None)
+      } else {
+        (vec![], None, None, None, None)
+      }
+    } else if !repo_empty {
+      // ================
+      // REPO BASED STACK
+      // ================
+      let RemoteComposeContents {
+        successful: remote_contents,
+        errored: remote_errors,
+        hash: latest_hash,
+        message: latest_message,
+        ..
+      } = get_repo_compose_contents(
+        &stack,
+        repo.as_ref(),
+        Some(&mut missing_files),
+      )
+      .await?;
+
+      let project_name = stack.project_name(true);
+
+      let mut services = Vec::new();
+
+      for contents in &remote_contents {
+        // Don't include additional files in service parsing
+        if !stack.is_compose_file(&contents.path) {
+          continue;
+        }
+        if let Err(e) = extract_services_into_res(
+          &project_name,
+          &contents.contents,
+          &mut services,
+        ) {
+          warn!(
+            "failed to extract stack services, things won't works correctly. stack: {} | {e:#}",
+            stack.name
+          );
+        }
+      }
+
+      (
+        services,
+        Some(remote_contents),
+        Some(remote_errors),
+        latest_hash,
+        latest_message,
+      )
+    } else {
+      // =============
+      // UI BASED FILE
+      // =============
+      let mut services = Vec::new();
+      if let Err(e) = extract_services_into_res(
+        // this should latest (not deployed), so make the project name fresh.
+        &stack.project_name(true),
+        &stack.config.file_contents,
+        &mut services,
+      ) {
+        warn!(
+          "Failed to extract Stack services for {}, things may not work correctly. | {e:#}",
+          stack.name
+        );
+        services.extend(stack.info.latest_services.clone());
+      };
+      (services, None, None, None, None)
+    };
+
+    let info = StackInfo {
+      missing_files,
+      deployed_services: stack.info.deployed_services.clone(),
+      deployed_project_name: stack.info.deployed_project_name.clone(),
+      deployed_contents: stack.info.deployed_contents.clone(),
+      deployed_config: stack.info.deployed_config.clone(),
+      deployed_hash: stack.info.deployed_hash.clone(),
+      deployed_message: stack.info.deployed_message.clone(),
+      latest_services,
+      remote_contents,
+      remote_errors,
+      latest_hash,
+      latest_message,
+    };
+
+    let info = to_document(&info)
+      .context("failed to serialize stack info to bson")?;
+
+    db_client()
+      .stacks
+      .update_one(
+        doc! { "name": &stack.name },
+        doc! { "$set": { "info": info } },
+      )
+      .await
+      .context("failed to update stack info on db")?;
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for CreateStackWebhook {
+  #[instrument(name = "CreateStackWebhook", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<CreateStackWebhookResponse> {
+    let WriteArgs { user } = args;
+
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let stack = get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if stack.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't create webhook").into(),
+      );
+    }
+
+    let mut split = stack.config.repo.split('/');
+    let owner = split.next().context("Stack repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo =
+      split.next().context("Stack repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    // First make sure the webhook isn't already created (inactive ones are ignored)
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      webhook_secret,
+      ..
+    } = core_config();
+
+    let webhook_secret = if stack.config.webhook_secret.is_empty() {
+      webhook_secret
+    } else {
+      &stack.config.webhook_secret
+    };
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = match self.action {
+      StackWebhookAction::Refresh => {
+        format!("{host}/listener/github/stack/{}/refresh", stack.id)
+      }
+      StackWebhookAction::Deploy => {
+        format!("{host}/listener/github/stack/{}/deploy", stack.id)
+      }
+    };
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        return Ok(NoData {});
+      }
+    }
+
+    // Now good to create the webhook
+    let request = ReposCreateWebhookRequest {
+      active: Some(true),
+      config: Some(ReposCreateWebhookRequestConfig {
+        url,
+        secret: webhook_secret.to_string(),
+        content_type: String::from("json"),
+        insecure_ssl: None,
+        digest: Default::default(),
+        token: Default::default(),
+      }),
+      events: vec![String::from("push")],
+      name: String::from("web"),
+    };
+    github_repos
+      .create_webhook(owner, repo, &request)
+      .await
+      .context("failed to create webhook")?;
+
+    if !stack.config.webhook_enabled {
+      UpdateStack {
+        id: stack.id,
+        config: PartialStackConfig {
+          webhook_enabled: Some(true),
+          ..Default::default()
+        },
+      }
+      .resolve(args)
+      .await
+      .map_err(|e| e.error)
+      .context("failed to update stack to enable webhook")?;
+    }
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteStackWebhook {
+  #[instrument(name = "DeleteStackWebhook", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteStackWebhookResponse> {
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let stack = get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if stack.config.git_provider != "github.com" {
+      return Err(
+        anyhow!("Can only manage github.com repo webhooks").into(),
+      );
+    }
+
+    if stack.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't create webhook").into(),
+      );
+    }
+
+    let mut split = stack.config.repo.split('/');
+    let owner = split.next().context("Stack repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo =
+      split.next().context("Sync repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    // First make sure the webhook isn't already created (inactive ones are ignored)
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = match self.action {
+      StackWebhookAction::Refresh => {
+        format!("{host}/listener/github/stack/{}/refresh", stack.id)
+      }
+      StackWebhookAction::Deploy => {
+        format!("{host}/listener/github/stack/{}/deploy", stack.id)
+      }
+    };
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        github_repos
+          .delete_webhook(owner, repo, webhook.id)
+          .await
+          .context("failed to delete webhook")?;
+        return Ok(NoData {});
+      }
+    }
+
+    // No webhook to delete, all good
+    Ok(NoData {})
+  }
+}

bin/core/src/api/write/tag.rs

@@ -0,0 +1,128 @@
+use std::str::FromStr;
+
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::{delete_one_by_id, update_one_by_id},
+  mongodb::bson::{doc, oid::ObjectId},
+};
+use komodo_client::{
+  api::write::{CreateTag, DeleteTag, RenameTag, UpdateTagColor},
+  entities::{
+    action::Action, alerter::Alerter, build::Build, builder::Builder,
+    deployment::Deployment, procedure::Procedure, repo::Repo,
+    server::Server, stack::Stack, sync::ResourceSync, tag::Tag,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::{get_tag, get_tag_check_owner},
+  resource,
+  state::db_client,
+};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateTag {
+  #[instrument(name = "CreateTag", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Tag> {
+    if ObjectId::from_str(&self.name).is_ok() {
+      return Err(anyhow!("tag name cannot be ObjectId").into());
+    }
+
+    let mut tag = Tag {
+      id: Default::default(),
+      name: self.name,
+      color: self.color.unwrap_or_default(),
+      owner: user.id.clone(),
+    };
+
+    tag.id = db_client()
+      .tags
+      .insert_one(&tag)
+      .await
+      .context("failed to create tag on db")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted_id is not ObjectId")?
+      .to_string();
+
+    Ok(tag)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameTag {
+  #[instrument(name = "RenameTag", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Tag> {
+    if ObjectId::from_str(&self.name).is_ok() {
+      return Err(anyhow!("tag name cannot be ObjectId").into());
+    }
+
+    get_tag_check_owner(&self.id, user).await?;
+
+    update_one_by_id(
+      &db_client().tags,
+      &self.id,
+      doc! { "$set": { "name": self.name } },
+      None,
+    )
+    .await
+    .context("failed to rename tag on db")?;
+
+    Ok(get_tag(&self.id).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateTagColor {
+  #[instrument(name = "UpdateTagColor", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Tag> {
+    let tag = get_tag_check_owner(&self.tag, user).await?;
+
+    update_one_by_id(
+      &db_client().tags,
+      &tag.id,
+      doc! { "$set": { "color": self.color.as_ref() } },
+      None,
+    )
+    .await
+    .context("failed to rename tag on db")?;
+
+    Ok(get_tag(&self.tag).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteTag {
+  #[instrument(name = "DeleteTag", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Tag> {
+    let tag = get_tag_check_owner(&self.id, user).await?;
+
+    tokio::try_join!(
+      resource::remove_tag_from_all::<Server>(&self.id),
+      resource::remove_tag_from_all::<Stack>(&self.id),
+      resource::remove_tag_from_all::<Deployment>(&self.id),
+      resource::remove_tag_from_all::<Build>(&self.id),
+      resource::remove_tag_from_all::<Repo>(&self.id),
+      resource::remove_tag_from_all::<Procedure>(&self.id),
+      resource::remove_tag_from_all::<Action>(&self.id),
+      resource::remove_tag_from_all::<ResourceSync>(&self.id),
+      resource::remove_tag_from_all::<Builder>(&self.id),
+      resource::remove_tag_from_all::<Alerter>(&self.id),
+    )?;
+
+    delete_one_by_id(&db_client().tags, &self.id, None).await?;
+
+    Ok(tag)
+  }
+}

bin/core/src/api/write/user.rs

@@ -0,0 +1,233 @@
+use std::str::FromStr;
+
+use anyhow::{Context, anyhow};
+use async_timing_util::unix_timestamp_ms;
+use database::{
+  hash_password,
+  mungos::mongodb::bson::{doc, oid::ObjectId},
+};
+use komodo_client::{
+  api::write::*,
+  entities::{
+    NoData,
+    user::{User, UserConfig},
+  },
+};
+use reqwest::StatusCode;
+use resolver_api::Resolve;
+use serror::AddStatusCodeError;
+
+use crate::{config::core_config, state::db_client};
+
+use super::WriteArgs;
+
+//
+
+impl Resolve<WriteArgs> for CreateLocalUser {
+  #[instrument(name = "CreateLocalUser", skip(admin, self), fields(admin_id = admin.id, username = self.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<CreateLocalUserResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This method is admin-only.")
+          .status_code(StatusCode::UNAUTHORIZED),
+      );
+    }
+
+    if self.username.is_empty() {
+      return Err(anyhow!("Username cannot be empty.").into());
+    }
+
+    if ObjectId::from_str(&self.username).is_ok() {
+      return Err(
+        anyhow!("Username cannot be valid ObjectId").into(),
+      );
+    }
+
+    if self.password.is_empty() {
+      return Err(anyhow!("Password cannot be empty.").into());
+    }
+
+    let db = db_client();
+
+    if db
+      .users
+      .find_one(doc! { "username": &self.username })
+      .await
+      .context("Failed to query for existing users")?
+      .is_some()
+    {
+      return Err(anyhow!("Username already taken.").into());
+    }
+
+    let ts = unix_timestamp_ms() as i64;
+    let hashed_password = hash_password(self.password)?;
+
+    let mut user = User {
+      id: Default::default(),
+      username: self.username,
+      enabled: true,
+      admin: false,
+      super_admin: false,
+      create_server_permissions: false,
+      create_build_permissions: false,
+      updated_at: ts,
+      last_update_view: 0,
+      recents: Default::default(),
+      all: Default::default(),
+      config: UserConfig::Local {
+        password: hashed_password,
+      },
+    };
+
+    user.id = db_client()
+      .users
+      .insert_one(&user)
+      .await
+      .context("failed to create user")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted_id is not ObjectId")?
+      .to_string();
+
+    user.sanitize();
+
+    Ok(user)
+  }
+}
+
+//
+
+impl Resolve<WriteArgs> for UpdateUserUsername {
+  #[instrument(name = "UpdateUserUsername", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateUserUsernameResponse> {
+    for locked_username in &core_config().lock_login_credentials_for {
+      if locked_username == "__ALL__"
+        || *locked_username == user.username
+      {
+        return Err(
+          anyhow!("User not allowed to update their username.")
+            .into(),
+        );
+      }
+    }
+    if self.username.is_empty() {
+      return Err(anyhow!("Username cannot be empty.").into());
+    }
+
+    if ObjectId::from_str(&self.username).is_ok() {
+      return Err(
+        anyhow!("Username cannot be valid ObjectId").into(),
+      );
+    }
+
+    let db = db_client();
+    if db
+      .users
+      .find_one(doc! { "username": &self.username })
+      .await
+      .context("Failed to query for existing users")?
+      .is_some()
+    {
+      return Err(anyhow!("Username already taken.").into());
+    }
+    let id = ObjectId::from_str(&user.id)
+      .context("User id not valid ObjectId.")?;
+    db.users
+      .update_one(
+        doc! { "_id": id },
+        doc! { "$set": { "username": self.username } },
+      )
+      .await
+      .context("Failed to update user username on database.")?;
+    Ok(NoData {})
+  }
+}
+
+//
+
+impl Resolve<WriteArgs> for UpdateUserPassword {
+  #[instrument(name = "UpdateUserPassword", skip(user, self), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateUserPasswordResponse> {
+    for locked_username in &core_config().lock_login_credentials_for {
+      if locked_username == "__ALL__"
+        || *locked_username == user.username
+      {
+        return Err(
+          anyhow!("User not allowed to update their password.")
+            .into(),
+        );
+      }
+    }
+    db_client().set_user_password(user, &self.password).await?;
+    Ok(NoData {})
+  }
+}
+
+//
+
+impl Resolve<WriteArgs> for DeleteUser {
+  #[instrument(name = "DeleteUser", skip(admin), fields(user = self.user))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<DeleteUserResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This method is admin-only.")
+          .status_code(StatusCode::UNAUTHORIZED),
+      );
+    }
+    if admin.username == self.user || admin.id == self.user {
+      return Err(anyhow!("User cannot delete themselves.").into());
+    }
+    let query = if let Ok(id) = ObjectId::from_str(&self.user) {
+      doc! { "_id": id }
+    } else {
+      doc! { "username": self.user }
+    };
+    let db = db_client();
+    let Some(user) = db
+      .users
+      .find_one(query.clone())
+      .await
+      .context("Failed to query database for users.")?
+    else {
+      return Err(
+        anyhow!("No user found with given id / username").into(),
+      );
+    };
+    if user.super_admin {
+      return Err(
+        anyhow!("Cannot delete a super admin user.").into(),
+      );
+    }
+    if user.admin && !admin.super_admin {
+      return Err(
+        anyhow!("Only a Super Admin can delete an admin user.")
+          .into(),
+      );
+    }
+    db.users
+      .delete_one(query)
+      .await
+      .context("Failed to delete user from database")?;
+    // Also remove user id from all user groups
+    if let Err(e) = db
+      .user_groups
+      .update_many(doc! {}, doc! { "$pull": { "users": &user.id } })
+      .await
+    {
+      warn!("Failed to remove deleted user from user groups | {e:?}");
+    };
+    Ok(user)
+  }
+}

bin/core/src/api/write/user_group.rs

@@ -0,0 +1,279 @@
+use std::{collections::HashMap, str::FromStr};
+
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::{delete_one_by_id, find_one_by_id, update_one_by_id},
+  find::find_collect,
+  mongodb::bson::{doc, oid::ObjectId},
+};
+use komodo_client::{
+  api::write::*,
+  entities::{komodo_timestamp, user_group::UserGroup},
+};
+use resolver_api::Resolve;
+
+use crate::state::db_client;
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateUserGroup {
+  #[instrument(name = "CreateUserGroup", skip(admin), fields(admin = admin.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only").into());
+    }
+    let user_group = UserGroup {
+      name: self.name,
+      id: Default::default(),
+      everyone: Default::default(),
+      users: Default::default(),
+      all: Default::default(),
+      updated_at: komodo_timestamp(),
+    };
+    let db = db_client();
+    let id = db
+      .user_groups
+      .insert_one(user_group)
+      .await
+      .context("failed to create UserGroup on db")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted id is not ObjectId")?
+      .to_string();
+    let res = find_one_by_id(&db.user_groups, &id)
+      .await
+      .context("failed to query db for user groups")?
+      .context("user group at id not found")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameUserGroup {
+  #[instrument(name = "RenameUserGroup", skip(admin), fields(admin = admin.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only").into());
+    }
+    let db = db_client();
+    update_one_by_id(
+      &db.user_groups,
+      &self.id,
+      doc! { "$set": { "name": self.name } },
+      None,
+    )
+    .await
+    .context("failed to rename UserGroup on db")?;
+    let res = find_one_by_id(&db.user_groups, &self.id)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteUserGroup {
+  #[instrument(name = "DeleteUserGroup", skip(admin), fields(admin = admin.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only").into());
+    }
+
+    let db = db_client();
+
+    let ug = find_one_by_id(&db.user_groups, &self.id)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no UserGroup found with given id")?;
+
+    delete_one_by_id(&db.user_groups, &self.id, None)
+      .await
+      .context("failed to delete UserGroup from db")?;
+
+    db.permissions
+      .delete_many(doc! {
+        "user_target.type": "UserGroup",
+        "user_target.id": self.id,
+      })
+      .await
+      .context("failed to clean up UserGroups permissions. User Group has been deleted")?;
+
+    Ok(ug)
+  }
+}
+
+impl Resolve<WriteArgs> for AddUserToUserGroup {
+  #[instrument(name = "AddUserToUserGroup", skip(admin), fields(admin = admin.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only").into());
+    }
+
+    let db = db_client();
+
+    let filter = match ObjectId::from_str(&self.user) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "username": &self.user },
+    };
+    let user = db
+      .users
+      .find_one(filter)
+      .await
+      .context("failed to query mongo for users")?
+      .context("no matching user found")?;
+
+    let filter = match ObjectId::from_str(&self.user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &self.user_group },
+    };
+    db.user_groups
+      .update_one(
+        filter.clone(),
+        doc! { "$addToSet": { "users": &user.id } },
+      )
+      .await
+      .context("failed to add user to group on db")?;
+    let res = db
+      .user_groups
+      .find_one(filter)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<WriteArgs> for RemoveUserFromUserGroup {
+  #[instrument(name = "RemoveUserFromUserGroup", skip(admin), fields(admin = admin.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only").into());
+    }
+
+    let db = db_client();
+
+    let filter = match ObjectId::from_str(&self.user) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "username": &self.user },
+    };
+    let user = db
+      .users
+      .find_one(filter)
+      .await
+      .context("failed to query mongo for users")?
+      .context("no matching user found")?;
+
+    let filter = match ObjectId::from_str(&self.user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &self.user_group },
+    };
+    db.user_groups
+      .update_one(
+        filter.clone(),
+        doc! { "$pull": { "users": &user.id } },
+      )
+      .await
+      .context("failed to add user to group on db")?;
+    let res = db
+      .user_groups
+      .find_one(filter)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<WriteArgs> for SetUsersInUserGroup {
+  #[instrument(name = "SetUsersInUserGroup", skip(admin), fields(admin = admin.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only").into());
+    }
+
+    let db = db_client();
+
+    let all_users = find_collect(&db.users, None, None)
+      .await
+      .context("failed to query db for users")?
+      .into_iter()
+      .map(|u| (u.username, u.id))
+      .collect::<HashMap<_, _>>();
+
+    // Make sure all users are user ids
+    let users = self
+      .users
+      .into_iter()
+      .filter_map(|user| match ObjectId::from_str(&user) {
+        Ok(_) => Some(user),
+        Err(_) => all_users.get(&user).cloned(),
+      })
+      .collect::<Vec<_>>();
+
+    let filter = match ObjectId::from_str(&self.user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &self.user_group },
+    };
+    db.user_groups
+      .update_one(filter.clone(), doc! { "$set": { "users": users } })
+      .await
+      .context("failed to set users on user group")?;
+    let res = db
+      .user_groups
+      .find_one(filter)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<WriteArgs> for SetEveryoneUserGroup {
+  #[instrument(name = "SetEveryoneUserGroup", skip(admin), fields(admin = admin.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only").into());
+    }
+
+    let db = db_client();
+
+    let filter = match ObjectId::from_str(&self.user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &self.user_group },
+    };
+    db.user_groups
+      .update_one(
+        filter.clone(),
+        doc! { "$set": { "everyone": self.everyone } },
+      )
+      .await
+      .context("failed to set everyone on user group")?;
+    let res = db
+      .user_groups
+      .find_one(filter)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")?;
+    Ok(res)
+  }
+}