default rate limit attempts to 5 per 15 sec

* start 1.19.5

* deploy 1.19.5-dev-1

* avoid execute_and_poll error when update is already complete or has no id

* improve image tagging customization

* 1.19.5 release

.gitignore

@@ -1,6 +1,7 @@
 target
 node_modules
 dist
+deno.lock
 .env
 .env.development
 .DS_Store
@@ -9,5 +10,4 @@ dist
 /frontend/build
 /lib/ts_client/build
 
-creds.toml
 .dev

.kminclude

@@ -0,0 +1 @@
+.dev

.vscode/resolver.code-snippets

@@ -3,8 +3,8 @@
 		"scope": "rust",
 		"prefix": "resolve",
 		"body": [
-			"impl Resolve<${1}, User> for State {",
-			"\tasync fn resolve(&self, ${1} { ${0} }: ${1}, _: User) -> anyhow::Result<${2}> {",
+			"impl Resolve<${0}> for ${1} {",
+			"\tasync fn resolve(self, _: &${0}) -> Result<Self::Response, Self::Error> {",
 			"\t\ttodo!()",
 			"\t}",
 			"}"
@@ -15,9 +15,9 @@
 		"prefix": "static",
 		"body": [
 			"fn ${1}() -> &'static ${2} {",
-			"\tstatic ${3}: OnceLock<${2}> = OnceLock::new();",
-			"\t${3}.get_or_init(|| {",
-			"\t\t${0}",
+			"\tstatic ${0}: OnceLock<${2}> = OnceLock::new();",
+			"\t${0}.get_or_init(|| {",
+			"\t\ttodo!()",
 			"\t})",
 			"}"
 		]

Cargo.toml

@@ -8,13 +8,16 @@ members = [
 ]
 
 [workspace.package]
-version = "1.18.4"
+version = "2.0.0-dev-91"
 edition = "2024"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"
 repository = "https://github.com/moghtech/komodo"
 homepage = "https://komo.do"
 
+[profile.release]
+strip = "debuginfo"
+
 [workspace.dependencies]
 # LOCAL
 komodo_client = { path = "client/core/rs" }
@@ -22,110 +25,127 @@ periphery_client = { path = "client/periphery/rs" }
 environment_file = { path = "lib/environment_file" }
 environment = { path = "lib/environment" }
 interpolate = { path = "lib/interpolate" }
+secret_file = { path = "lib/secret_file" }
+validations = { path = "lib/validations" }
 formatting = { path = "lib/formatting" }
+rate_limit = { path = "lib/rate_limit" }
+transport = { path = "lib/transport" }
+database = { path = "lib/database" }
+encoding = { path = "lib/encoding" }
 response = { path = "lib/response" }
 command = { path = "lib/command" }
+config = { path = "lib/config" }
 logger = { path = "lib/logger" }
 cache = { path = "lib/cache" }
+noise = { path = "lib/noise" }
 git = { path = "lib/git" }
 
 # MOGH
-run_command = { version = "0.0.6", features = ["async_tokio"] }
-serror = { version = "0.5.0", default-features = false }
-slack = { version = "0.4.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
+serror = { version = "0.5.3", default-features = false }
+slack = { version = "2.0.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
 derive_default_builder = "0.1.8"
 derive_empty_traits = "0.1.0"
-merge_config_files = "0.1.5"
-async_timing_util = "1.0.0"
+async_timing_util = "1.1.0"
 partial_derive2 = "0.4.3"
 derive_variants = "1.0.0"
-mongo_indexed = "2.0.1"
+mongo_indexed = "2.0.2"
 resolver_api = "3.0.0"
-toml_pretty = "1.1.2"
-mungos = "3.2.0"
-svi = "1.1.0"
+toml_pretty = "2.0.0"
+mungos = "3.2.2"
+svi = "1.2.0"
 
 # ASYNC
-reqwest = { version = "0.12.20", default-features = false, features = ["json", "stream", "rustls-tls-native-roots"] }
-tokio = { version = "1.45.1", features = ["full"] }
-tokio-util = { version = "0.7.15", features = ["io", "codec"] }
+reqwest = { version = "0.12.24", default-features = false, features = ["json", "stream", "rustls-tls-native-roots"] }
+tokio = { version = "1.48.0", features = ["full"] }
+tokio-util = { version = "0.7.17", features = ["io", "codec"] }
 tokio-stream = { version = "0.1.17", features = ["sync"] }
 pin-project-lite = "0.2.16"
-futures = "0.3.31"
 futures-util = "0.3.31"
 arc-swap = "1.7.1"
 
 # SERVER
-tokio-tungstenite = { version = "0.27.0", features = ["rustls-tls-native-roots"] }
-axum-extra = { version = "0.10.1", features = ["typed-header"] }
-tower-http = { version = "0.6.4", features = ["fs", "cors"] }
-axum-server = { version = "0.7.2", features = ["tls-rustls"] }
-axum = { version = "0.8.4", features = ["ws", "json", "macros"] }
+tokio-tungstenite = { version = "0.28.0", features = ["rustls-tls-native-roots"] }
+axum-extra = { version = "0.12.2", features = ["typed-header"] }
+tower-http = { version = "0.6.7", features = ["fs", "cors", "set-header"] }
+axum-server = { version = "0.7.3", features = ["tls-rustls"] }
+axum = { version = "0.8.7", features = ["ws", "json", "macros"] }
 
 # SER/DE
-indexmap = { version = "2.9.0", features = ["serde"] }
-serde = { version = "1.0.219", features = ["derive"] }
-strum = { version = "0.27.1", features = ["derive"] }
-serde_json = "1.0.140"
-serde_yaml = "0.9.34"
+ipnetwork = { version = "0.21.1", features = ["serde"] }
+indexmap = { version = "2.12.1", features = ["serde"] }
+serde = { version = "1.0.227", features = ["derive"] }
+strum = { version = "0.27.2", features = ["derive"] }
+bson = { version = "2.15.0" } # must keep in sync with mongodb version
+serde_yaml_ng = "0.10.0"
+serde_json = "1.0.145"
 serde_qs = "0.15.0"
-toml = "0.8.23"
+toml = "0.9.8"
+url = "2.5.7"
 
 # ERROR
-anyhow = "1.0.98"
-thiserror = "2.0.12"
+anyhow = "1.0.100"
+thiserror = "2.0.17"
 
 # LOGGING
-opentelemetry-otlp = { version = "0.30.0", features = ["tls-roots", "reqwest-rustls"] }
-opentelemetry_sdk = { version = "0.30.0", features = ["rt-tokio"] }
-tracing-subscriber = { version = "0.3.19", features = ["json"] }
-opentelemetry-semantic-conventions = "0.30.0"
-tracing-opentelemetry = "0.31.0"
-opentelemetry = "0.30.0"
-tracing = "0.1.41"
+opentelemetry-otlp = { version = "0.31.0", features = ["tls-roots", "reqwest-rustls"] }
+opentelemetry_sdk = { version = "0.31.0", features = ["rt-tokio"] }
+tracing-subscriber = { version = "0.3.22", features = ["json"] }
+opentelemetry-semantic-conventions = "0.31.0"
+tracing-opentelemetry = "0.32.0"
+opentelemetry = "0.31.0"
+tracing = "0.1.43"
 
 # CONFIG
-clap = { version = "4.5.40", features = ["derive"] }
+clap = { version = "4.5.53", features = ["derive"] }
 dotenvy = "0.15.7"
 envy = "0.4.2"
 
 # CRYPTO / AUTH
-uuid = { version = "1.17.0", features = ["v4", "fast-rng", "serde"] }
-jsonwebtoken = { version = "9.3.1", default-features = false }
-openidconnect = "4.0.0"
+openidconnect = { version = "4.0.1", features = ["accept-rfc3339-timestamps"] }
+uuid = { version = "1.18.1", features = ["v4", "fast-rng", "serde"] }
+jsonwebtoken = { version = "10.2.0", features = ["aws_lc_rs"] } # locked back with octorust
+rustls = { version = "0.23.35", features = ["aws-lc-rs"] }
+pem-rfc7468 = { version = "1.0.0", features = ["alloc"] }
 urlencoding = "2.1.3"
-nom_pem = "4.0.0"
-bcrypt = "0.17.0"
+bcrypt = "0.17.1"
 base64 = "0.22.1"
-rustls = "0.23.27"
+pkcs8 = "0.10.2"
+snow = "0.10.0"
 hmac = "0.12.1"
+sha1 = "0.10.6"
 sha2 = "0.10.9"
-rand = "0.9.1"
+rand = "0.9.2"
 hex = "0.4.3"
+spki = "0.7.3"
+der = "0.7.10"
 
 # SYSTEM
+hickory-resolver = "0.25.2"
 portable-pty = "0.9.0"
-bollard = "0.19.1"
-sysinfo = "0.35.2"
+shell-escape = "0.1.5"
+crossterm = "0.29.0"
+bollard = "0.19.4"
+sysinfo = "0.37.1"
+shlex = "1.3.0"
 
 # CLOUD
-aws-config = "1.8.0"
-aws-sdk-ec2 = "1.139.0"
-aws-credential-types = "1.2.3"
+aws-config = "1.8.11"
+aws-sdk-ec2 = "1.194.0"
+aws-credential-types = "1.2.10"
 
 ## CRON
-english-to-cron = "0.1.6"
-chrono-tz = "0.10.3"
-chrono = "0.4.41"
-croner = "2.1.0"
+english-to-cron = "0.1.7"
+chrono-tz = "0.10.4"
+chrono = "0.4.42"
+croner = "3.0.1"
 
 # MISC
+async-compression = { version = "0.4.34", features = ["tokio", "gzip"] }
 derive_builder = "0.20.2"
+comfy-table = "7.2.1"
 typeshare = "1.0.4"
-octorust = "0.10.0"
 dashmap = "6.1.0"
 wildcard = "0.3.0"
 colored = "3.0.0"
-regex = "1.11.1"
-bytes = "1.10.1"
-bson = "2.15.0"
+bytes = "1.11.0"
+regex = "1.12.2"

action/build.ts

@@ -0,0 +1,2 @@
+import { run } from "./run.ts";
+await run("build-komodo");

action/deno.json

@@ -0,0 +1,5 @@
+{
+  "imports": {
+    "@std/toml": "jsr:@std/toml"
+  }
+}

action/deploy-fe.ts

@@ -0,0 +1,4 @@
+const cmd = "km run -y action deploy-komodo-fe-change";
+new Deno.Command("bash", {
+  args: ["-c", cmd],
+}).spawn();

action/deploy.ts

@@ -0,0 +1,2 @@
+import { run } from "./run.ts";
+await run("deploy-komodo");

action/run.ts

@@ -0,0 +1,52 @@
+import * as TOML from "@std/toml";
+
+export const run = async (action: string) => {
+  const branch = await new Deno.Command("bash", {
+    args: ["-c", "git rev-parse --abbrev-ref HEAD"],
+  })
+    .output()
+    .then((r) => new TextDecoder("utf-8").decode(r.stdout).trim());
+
+  const cargo_toml_str = await Deno.readTextFile("Cargo.toml");
+  const prev_version = (
+    TOML.parse(cargo_toml_str) as {
+      workspace: { package: { version: string } };
+    }
+  ).workspace.package.version;
+
+  const [version, tag, count] = prev_version.split("-");
+  const next_count = Number(count) + 1;
+
+  const next_version = `${version}-${tag}-${next_count}`;
+
+  await Deno.writeTextFile(
+    "Cargo.toml",
+    cargo_toml_str.replace(
+      `version = "${prev_version}"`,
+      `version = "${next_version}"`
+    )
+  );
+
+  // Cargo check first here to make sure lock file is updated before commit.
+  const cmd = `
+cargo check
+echo ""
+
+git add --all
+git commit --all --message "deploy ${version}-${tag}-${next_count}"
+
+echo ""
+git push
+echo ""
+
+km run -y action ${action} "KOMODO_BRANCH=${branch}&KOMODO_VERSION=${version}&KOMODO_TAG=${tag}-${next_count}"
+`
+    .split("\n")
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0 && !line.startsWith("//"))
+    .join(" && ");
+
+  new Deno.Command("bash", {
+    args: ["-c", cmd],
+  }).spawn();
+};

bin/binaries.Dockerfile

@@ -1,7 +1,8 @@
 ## Builds the Komodo Core, Periphery, and Util binaries
 ## for a specific architecture.
 
-FROM rust:1.87.0-bullseye AS builder
+FROM rust:1.91.1-bullseye AS builder
+RUN cargo install cargo-strip
 
 WORKDIR /builder
 COPY Cargo.toml Cargo.lock ./
@@ -10,21 +11,22 @@ COPY ./client/core/rs ./client/core/rs
 COPY ./client/periphery ./client/periphery
 COPY ./bin/core ./bin/core
 COPY ./bin/periphery ./bin/periphery
-COPY ./bin/util ./bin/util
+COPY ./bin/cli ./bin/cli
 
 # Compile bin
 RUN \
   cargo build -p komodo_core --release && \
   cargo build -p komodo_periphery --release && \
-  cargo build -p komodo_util --release
+  cargo build -p komodo_cli --release && \
+  cargo strip
 
 # Copy just the binaries to scratch image
 FROM scratch
 
 COPY --from=builder /builder/target/release/core /core
 COPY --from=builder /builder/target/release/periphery /periphery
-COPY --from=builder /builder/target/release/util /util
+COPY --from=builder /builder/target/release/km /km
 
-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
 LABEL org.opencontainers.image.description="Komodo Binaries"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+LABEL org.opencontainers.image.licenses="GPL-3.0"

bin/chef.binaries.Dockerfile

@@ -0,0 +1,36 @@
+## Builds the Komodo Core, Periphery, and Util binaries
+## for a specific architecture.
+
+## Uses chef for dependency caching to help speed up back-to-back builds.
+
+FROM lukemathwalker/cargo-chef:latest-rust-1.90.0-bullseye AS chef
+WORKDIR /builder
+
+# Plan just the RECIPE to see if things have changed
+FROM chef AS planner
+COPY . .
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM chef AS builder
+RUN cargo install cargo-strip
+COPY --from=planner /builder/recipe.json recipe.json
+# Build JUST dependencies - cached layer
+RUN cargo chef cook --release --recipe-path recipe.json
+# NOW copy again (this time into builder) and build app
+COPY . .
+RUN \
+  cargo build --release --bin core && \
+  cargo build --release --bin periphery && \
+  cargo build --release --bin km && \
+  cargo strip
+
+# Copy just the binaries to scratch image
+FROM scratch
+
+COPY --from=builder /builder/target/release/core /core
+COPY --from=builder /builder/target/release/periphery /periphery
+COPY --from=builder /builder/target/release/km /km
+
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo Binaries"
+LABEL org.opencontainers.image.licenses="GPL-3.0"

bin/cli/Cargo.toml

@@ -1,30 +1,39 @@
 [package]
 name = "komodo_cli"
-description = "Command line tool to execute Komodo actions"
+description = "Command line tool for Komodo"
 version.workspace = true
 edition.workspace = true
 authors.workspace = true
 license.workspace = true
-homepage.workspace = true
 repository.workspace = true
+homepage.workspace = true
 
 [[bin]]
-name = "komodo"
+name = "km"
 path = "src/main.rs"
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
 [dependencies]
 # local
-# komodo_client = "1.16.12"
+environment_file.workspace = true
 komodo_client.workspace = true
+database.workspace = true
+config.workspace = true
+logger.workspace = true
+noise.workspace = true
 # external
-tracing-subscriber.workspace = true
-merge_config_files.workspace = true
-futures.workspace = true
+futures-util.workspace = true
+comfy-table.workspace = true
+tokio-util.workspace = true
+serde_json.workspace = true
+crossterm.workspace = true
+serde_qs.workspace = true
+wildcard.workspace = true
 tracing.workspace = true
 colored.workspace = true
+dotenvy.workspace = true
 anyhow.workspace = true
+chrono.workspace = true
 tokio.workspace = true
 serde.workspace = true
 clap.workspace = true
+envy.workspace = true

bin/cli/aio.Dockerfile

@@ -0,0 +1,25 @@
+FROM rust:1.91.1-bullseye AS builder
+RUN cargo install cargo-strip
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/cli ./bin/cli
+
+# Compile bin
+RUN cargo build -p komodo_cli --release && cargo strip
+
+# Copy binaries to distroless base
+FROM gcr.io/distroless/cc
+
+COPY --from=builder /builder/target/release/km /usr/local/bin/km
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses="GPL-3.0"

bin/cli/docs/copy-database.md

@@ -7,13 +7,13 @@ Can be used to move between MongoDB / FerretDB, or upgrade from FerretDB v1 to v
 services:
 
   copy_database:
-    image: ghcr.io/moghtech/komodo-util
+    image: ghcr.io/moghtech/komodo-cli
+    command: km database copy -y
     environment:
-      MODE: CopyDatabase
-      SOURCE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@source:27017
-      SOURCE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
-      TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@target:27017
-      TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@source:27017
+      KOMODO_DATABASE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_CLI_DATABASE_TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@target:27017
+      KOMODO_CLI_DATABASE_TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
 
 ```
 
@@ -90,13 +90,13 @@ services:
   ...(new database)
 
   copy_database:
-    image: ghcr.io/moghtech/komodo-util
+    image: ghcr.io/moghtech/komodo-cli
+    command: km database copy -y
     environment:
-      MODE: CopyDatabase
-      SOURCE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN
-      SOURCE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
-      TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb2:27017
-      TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN
+      KOMODO_DATABASE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_CLI_DATABASE_TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb2:27017
+      KOMODO_CLI_DATABASE_TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
 
   ...(unchanged)
 ```

bin/cli/multi-arch.Dockerfile

@@ -14,14 +14,16 @@ FROM debian:bullseye-slim
 WORKDIR /app
 
 ## Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
-COPY --from=x86_64 /util /app/arch/linux/amd64
-COPY --from=aarch64 /util /app/arch/linux/arm64
+COPY --from=x86_64 /km /app/arch/linux/amd64
+COPY --from=aarch64 /km /app/arch/linux/arm64
 
 ARG TARGETPLATFORM
-RUN mv /app/arch/${TARGETPLATFORM} /usr/local/bin/util && rm -r /app/arch
+RUN mv /app/arch/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/arch
 
-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
-LABEL org.opencontainers.image.description="Komodo Util"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
 
-CMD [ "util" ]
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses="GPL-3.0"

bin/cli/runfile.toml

@@ -0,0 +1,4 @@
+[install-cli]
+alias = "ic"
+description = "installs the komodo-cli, available on the command line as 'km'"
+cmd = "cargo install --path ."

bin/cli/single-arch.Dockerfile

@@ -0,0 +1,18 @@
+## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+
+# This is required to work with COPY --from
+FROM ${BINARIES_IMAGE} AS binaries
+
+FROM gcr.io/distroless/cc
+
+COPY --from=binaries /km /usr/local/bin/km
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses="GPL-3.0"

bin/cli/src/args.rs

@@ -1,55 +0,0 @@
-use clap::{Parser, Subcommand};
-use komodo_client::api::execute::Execution;
-use serde::Deserialize;
-
-#[derive(Parser, Debug)]
-#[command(version, about, long_about = None)]
-pub struct CliArgs {
-  /// Sync or Exec
-  #[command(subcommand)]
-  pub command: Command,
-
-  /// The path to a creds file.
-  ///
-  /// Note: If each of `url`, `key` and `secret` are passed,
-  /// no file is required at this path.
-  #[arg(long, default_value_t = default_creds())]
-  pub creds: String,
-
-  /// Pass url in args instead of creds file
-  #[arg(long)]
-  pub url: Option<String>,
-  /// Pass api key in args instead of creds file
-  #[arg(long)]
-  pub key: Option<String>,
-  /// Pass api secret in args instead of creds file
-  #[arg(long)]
-  pub secret: Option<String>,
-
-  /// Always continue on user confirmation prompts.
-  #[arg(long, short, default_value_t = false)]
-  pub yes: bool,
-}
-
-fn default_creds() -> String {
-  let home =
-    std::env::var("HOME").unwrap_or_else(|_| String::from("/root"));
-  format!("{home}/.config/komodo/creds.toml")
-}
-
-#[derive(Debug, Clone, Subcommand)]
-pub enum Command {
-  /// Runs an execution
-  Execute {
-    #[command(subcommand)]
-    execution: Execution,
-  },
-  // Room for more
-}
-
-#[derive(Debug, Deserialize)]
-pub struct CredsFile {
-  pub url: String,
-  pub key: String,
-  pub secret: String,
-}

bin/cli/src/command/container.rs

@@ -0,0 +1,314 @@
+use std::collections::{HashMap, HashSet};
+
+use anyhow::Context;
+use colored::Colorize;
+use comfy_table::{Attribute, Cell, Color};
+use futures_util::{
+  FutureExt, TryStreamExt, stream::FuturesUnordered,
+};
+use komodo_client::{
+  api::read::{
+    InspectDockerContainer, ListAllDockerContainers, ListServers,
+  },
+  entities::{
+    config::cli::args::container::{
+      Container, ContainerCommand, InspectContainer,
+    },
+    docker::{
+      self,
+      container::{ContainerListItem, ContainerStateStatusEnum},
+    },
+  },
+};
+
+use crate::{
+  command::{
+    PrintTable, clamp_sha, matches_wildcards, parse_wildcards,
+    print_items,
+  },
+  config::cli_config,
+};
+
+pub async fn handle(container: &Container) -> anyhow::Result<()> {
+  match &container.command {
+    None => list_containers(container).await,
+    Some(ContainerCommand::Inspect(inspect)) => {
+      inspect_container(inspect).await
+    }
+  }
+}
+
+async fn list_containers(
+  Container {
+    all,
+    down,
+    links,
+    reverse,
+    containers: names,
+    images,
+    networks,
+    servers,
+    format,
+    command: _,
+  }: &Container,
+) -> anyhow::Result<()> {
+  let client = super::komodo_client().await?;
+  let (server_map, containers) = tokio::try_join!(
+    client
+      .read(ListServers::default())
+      .map(|res| res.map(|res| res
+        .into_iter()
+        .map(|s| (s.id.clone(), s))
+        .collect::<HashMap<_, _>>())),
+    client.read(ListAllDockerContainers {
+      servers: Default::default(),
+      containers: Default::default(),
+    }),
+  )?;
+
+  // (Option<Server Name>, Container)
+  let containers = containers.into_iter().map(|c| {
+    let server = if let Some(server_id) = c.server_id.as_ref()
+      && let Some(server) = server_map.get(server_id)
+    {
+      server
+    } else {
+      return (None, c);
+    };
+    (Some(server.name.as_str()), c)
+  });
+
+  let names = parse_wildcards(names);
+  let servers = parse_wildcards(servers);
+  let images = parse_wildcards(images);
+  let networks = parse_wildcards(networks);
+
+  let mut containers = containers
+    .into_iter()
+    .filter(|(server_name, c)| {
+      let state_check = if *all {
+        true
+      } else if *down {
+        !matches!(c.state, ContainerStateStatusEnum::Running)
+      } else {
+        matches!(c.state, ContainerStateStatusEnum::Running)
+      };
+      let network_check = matches_wildcards(
+        &networks,
+        &c.network_mode
+          .as_deref()
+          .map(|n| vec![n])
+          .unwrap_or_default(),
+      ) || matches_wildcards(
+        &networks,
+        &c.networks.iter().map(String::as_str).collect::<Vec<_>>(),
+      );
+      state_check
+        && network_check
+        && matches_wildcards(&names, &[c.name.as_str()])
+        && matches_wildcards(
+          &servers,
+          &server_name
+            .as_deref()
+            .map(|i| vec![i])
+            .unwrap_or_default(),
+        )
+        && matches_wildcards(
+          &images,
+          &c.image.as_deref().map(|i| vec![i]).unwrap_or_default(),
+        )
+    })
+    .collect::<Vec<_>>();
+  containers.sort_by(|(a_s, a), (b_s, b)| {
+    a.state
+      .cmp(&b.state)
+      .then(a.name.cmp(&b.name))
+      .then(a_s.cmp(b_s))
+      .then(a.network_mode.cmp(&b.network_mode))
+      .then(a.image.cmp(&b.image))
+  });
+  if *reverse {
+    containers.reverse();
+  }
+  print_items(containers, *format, *links)?;
+  Ok(())
+}
+
+pub async fn inspect_container(
+  inspect: &InspectContainer,
+) -> anyhow::Result<()> {
+  let client = super::komodo_client().await?;
+  let (server_map, mut containers) = tokio::try_join!(
+    client
+      .read(ListServers::default())
+      .map(|res| res.map(|res| res
+        .into_iter()
+        .map(|s| (s.id.clone(), s))
+        .collect::<HashMap<_, _>>())),
+    client.read(ListAllDockerContainers {
+      servers: Default::default(),
+      containers: Default::default()
+    }),
+  )?;
+
+  containers.iter_mut().for_each(|c| {
+    let Some(server_id) = c.server_id.as_ref() else {
+      return;
+    };
+    let Some(server) = server_map.get(server_id) else {
+      c.server_id = Some(String::from("Unknown"));
+      return;
+    };
+    c.server_id = Some(server.name.clone());
+  });
+
+  let names = [inspect.container.to_string()];
+  let names = parse_wildcards(&names);
+  let servers = parse_wildcards(&inspect.servers);
+
+  let mut containers = containers
+    .into_iter()
+    .filter(|c| {
+      matches_wildcards(&names, &[c.name.as_str()])
+        && matches_wildcards(
+          &servers,
+          &c.server_id
+            .as_deref()
+            .map(|i| vec![i])
+            .unwrap_or_default(),
+        )
+    })
+    .map(|c| async move {
+      client
+        .read(InspectDockerContainer {
+          container: c.name,
+          server: c.server_id.context("No server...")?,
+        })
+        .await
+    })
+    .collect::<FuturesUnordered<_>>()
+    .try_collect::<Vec<_>>()
+    .await?;
+
+  containers.sort_by(|a, b| a.name.cmp(&b.name));
+
+  match containers.len() {
+    0 => {
+      println!(
+        "{}: Did not find any containers matching '{}'",
+        "INFO".green(),
+        inspect.container.bold()
+      );
+    }
+    1 => {
+      println!("{}", serialize_container(inspect, &containers[0])?);
+    }
+    _ => {
+      let containers = containers
+        .iter()
+        .map(|c| serialize_container(inspect, c))
+        .collect::<anyhow::Result<Vec<_>>>()?
+        .join("\n");
+      println!("{containers}");
+    }
+  }
+
+  Ok(())
+}
+
+fn serialize_container(
+  inspect: &InspectContainer,
+  container: &docker::container::Container,
+) -> anyhow::Result<String> {
+  let res = if inspect.state {
+    serde_json::to_string_pretty(&container.state)
+  } else if inspect.mounts {
+    serde_json::to_string_pretty(&container.mounts)
+  } else if inspect.host_config {
+    serde_json::to_string_pretty(&container.host_config)
+  } else if inspect.config {
+    serde_json::to_string_pretty(&container.config)
+  } else if inspect.network_settings {
+    serde_json::to_string_pretty(&container.network_settings)
+  } else {
+    serde_json::to_string_pretty(container)
+  }
+  .context("Failed to serialize items to JSON")?;
+  Ok(res)
+}
+
+// (Option<Server Name>, Container)
+impl PrintTable for (Option<&'_ str>, ContainerListItem) {
+  fn header(links: bool) -> &'static [&'static str] {
+    if links {
+      &[
+        "Container",
+        "State",
+        "Server",
+        "Ports",
+        "Networks",
+        "Image",
+        "Link",
+      ]
+    } else {
+      &["Container", "State", "Server", "Ports", "Networks", "Image"]
+    }
+  }
+  fn row(self, links: bool) -> Vec<Cell> {
+    let color = match self.1.state {
+      ContainerStateStatusEnum::Running => Color::Green,
+      ContainerStateStatusEnum::Paused => Color::DarkYellow,
+      ContainerStateStatusEnum::Empty => Color::Grey,
+      _ => Color::Red,
+    };
+    let mut networks = HashSet::new();
+    if let Some(network) = self.1.network_mode {
+      networks.insert(network);
+    }
+    for network in self.1.networks {
+      networks.insert(network);
+    }
+    let mut networks = networks.into_iter().collect::<Vec<_>>();
+    networks.sort();
+    let mut ports = self
+      .1
+      .ports
+      .into_iter()
+      .flat_map(|p| p.public_port.map(|p| p.to_string()))
+      .collect::<HashSet<_>>()
+      .into_iter()
+      .collect::<Vec<_>>();
+    ports.sort();
+    let ports = if ports.is_empty() {
+      Cell::new("")
+    } else {
+      Cell::new(format!(":{}", ports.join(", :")))
+    };
+
+    let image = self.1.image.as_deref().unwrap_or("Unknown");
+    let mut res = vec![
+      Cell::new(self.1.name.clone()).add_attribute(Attribute::Bold),
+      Cell::new(self.1.state.to_string())
+        .fg(color)
+        .add_attribute(Attribute::Bold),
+      Cell::new(self.0.unwrap_or("Unknown")),
+      ports,
+      Cell::new(networks.join(", ")),
+      Cell::new(clamp_sha(image)),
+    ];
+    if !links {
+      return res;
+    }
+    let link = if let Some(server_id) = self.1.server_id {
+      format!(
+        "{}/servers/{server_id}/container/{}",
+        cli_config().host,
+        self.1.name
+      )
+    } else {
+      String::new()
+    };
+    res.push(Cell::new(link));
+    res
+  }
+}

bin/cli/src/command/database.rs

@@ -0,0 +1,366 @@
+use std::path::Path;
+
+use anyhow::Context;
+use colored::Colorize;
+use database::mungos::mongodb::bson::{Document, doc};
+use komodo_client::entities::{
+  config::cli::args::database::DatabaseCommand, optional_string,
+};
+
+use crate::{command::sanitize_uri, config::cli_config};
+
+pub async fn handle(command: &DatabaseCommand) -> anyhow::Result<()> {
+  match command {
+    DatabaseCommand::Backup { yes, .. } => backup(*yes).await,
+    DatabaseCommand::Restore {
+      restore_folder,
+      index,
+      yes,
+      ..
+    } => restore(restore_folder.as_deref(), *index, *yes).await,
+    DatabaseCommand::Prune { yes, .. } => prune(*yes).await,
+    DatabaseCommand::Copy { yes, index, .. } => {
+      copy(*index, *yes).await
+    }
+    DatabaseCommand::V1Downgrade { yes } => v1_downgrade(*yes).await,
+  }
+}
+
+async fn backup(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Backup".green().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Backup all database contents to gzip compressed files."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+  println!(
+    "{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if config.max_backups == 0 {
+    println!(
+      "{}{}",
+      " - Backup pruning".dimmed(),
+      "disabled".red().dimmed()
+    );
+  } else {
+    println!("{}: {}", " - Max Backups".dimmed(), config.max_backups);
+  }
+
+  crate::command::wait_for_enter("start backup", yes)?;
+
+  let db = database::init(&config.database).await?;
+
+  database::utils::backup(&db, &config.backups_folder).await?;
+
+  // Early return if backup pruning disabled
+  if config.max_backups == 0 {
+    return Ok(());
+  }
+
+  // Know that new backup was taken successfully at this point,
+  // safe to prune old backup folders
+
+  prune_inner().await
+}
+
+async fn restore(
+  restore_folder: Option<&Path>,
+  index: bool,
+  yes: bool,
+) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Restore".purple().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Restores database contents from gzip compressed files."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database_target.uri) {
+    println!("{}: {}", " - Target URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) =
+    optional_string(&config.database_target.address)
+  {
+    println!("{}: {address}", " - Target Address".dimmed());
+  }
+  if let Some(username) =
+    optional_string(&config.database_target.username)
+  {
+    println!("{}: {username}", " - Target Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Target Db Name".dimmed(),
+    config.database_target.db_name,
+  );
+  if !index {
+    println!(
+      "{}: {}",
+      " - Target Db Indexing".dimmed(),
+      "DISABLED".red(),
+    );
+  }
+  println!(
+    "\n{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if let Some(restore_folder) = restore_folder {
+    println!("{}: {restore_folder:?}", " - Restore Folder".dimmed());
+  }
+
+  crate::command::wait_for_enter("start restore", yes)?;
+
+  let db = if index {
+    database::Client::new(&config.database_target).await?.db
+  } else {
+    database::init(&config.database_target).await?
+  };
+
+  database::utils::restore(
+    &db,
+    &config.backups_folder,
+    restore_folder,
+  )
+  .await
+}
+
+async fn prune(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Backup Prune".cyan().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Prunes database backup folders when greater than the configured amount."
+      .dimmed()
+  );
+  println!(
+    "{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if config.max_backups == 0 {
+    println!(
+      "{}{}",
+      " - Backup pruning".dimmed(),
+      "disabled".red().dimmed()
+    );
+  } else {
+    println!("{}: {}", " - Max Backups".dimmed(), config.max_backups);
+  }
+
+  // Early return if backup pruning disabled
+  if config.max_backups == 0 {
+    info!(
+      "Backup pruning is disabled, enabled using 'max_backups' (KOMODO_CLI_MAX_BACKUPS)"
+    );
+    return Ok(());
+  }
+
+  crate::command::wait_for_enter("start backup prune", yes)?;
+
+  prune_inner().await
+}
+
+async fn prune_inner() -> anyhow::Result<()> {
+  let config = cli_config();
+
+  let mut backups_dir =
+    match tokio::fs::read_dir(&config.backups_folder)
+      .await
+      .context("Failed to read backups folder for prune")
+    {
+      Ok(backups_dir) => backups_dir,
+      Err(e) => {
+        warn!("{e:#}");
+        return Ok(());
+      }
+    };
+
+  let mut backup_folders = Vec::new();
+  loop {
+    match backups_dir.next_entry().await {
+      Ok(Some(entry)) => {
+        let Ok(metadata) = entry.metadata().await else {
+          continue;
+        };
+        if metadata.is_dir() {
+          backup_folders.push(entry.path());
+        }
+      }
+      Ok(None) => break,
+      Err(_) => {
+        continue;
+      }
+    }
+  }
+  // Ordered from oldest -> newest
+  backup_folders.sort();
+
+  let max_backups = config.max_backups as usize;
+  let backup_folders_len = backup_folders.len();
+
+  // Early return if under the backup count threshold
+  if backup_folders_len <= max_backups {
+    info!("No backups to prune");
+    return Ok(());
+  }
+
+  let to_delete =
+    &backup_folders[..(backup_folders_len - max_backups)];
+
+  info!("Pruning old backups: {to_delete:?}");
+
+  for path in to_delete {
+    if let Err(e) =
+      tokio::fs::remove_dir_all(path).await.with_context(|| {
+        format!("Failed to delete backup folder at {path:?}")
+      })
+    {
+      warn!("{e:#}");
+    }
+  }
+
+  Ok(())
+}
+
+async fn copy(index: bool, yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Copy".blue().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Copies database contents to another database.".dimmed()
+  );
+
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  if let Some(uri) = optional_string(&config.database_target.uri) {
+    println!("{}: {}", " - Target URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) =
+    optional_string(&config.database_target.address)
+  {
+    println!("{}: {address}", " - Target Address".dimmed());
+  }
+  if let Some(username) =
+    optional_string(&config.database_target.username)
+  {
+    println!("{}: {username}", " - Target Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Target Db Name".dimmed(),
+    config.database_target.db_name,
+  );
+  if !index {
+    println!(
+      "{}: {}",
+      " - Target Db Indexing".dimmed(),
+      "DISABLED".red(),
+    );
+  }
+
+  crate::command::wait_for_enter("start copy", yes)?;
+
+  let source_db = database::init(&config.database).await?;
+  let target_db = if index {
+    database::Client::new(&config.database_target).await?.db
+  } else {
+    database::init(&config.database_target).await?
+  };
+
+  database::utils::copy(&source_db, &target_db).await
+}
+
+async fn v1_downgrade(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {}  🦎",
+    "Komodo".bold(),
+    "V1 Downgrade".purple().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Downgrade the database to V1 compatible data structures."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  crate::command::wait_for_enter("run downgrade", yes)?;
+
+  let db = database::init(&config.database).await?;
+
+  db.collection::<Document>("Server")
+    .update_many(doc! {}, doc! { "$set": { "info": null } })
+    .await
+    .context("Failed to downgrade Server schema")?;
+
+  info!(
+    "V1 Downgrade complete. Ready to downgrade to komodo-core:1 ✅"
+  );
+
+  Ok(())
+}

bin/cli/src/command/execute.rs

@@ -1,22 +1,25 @@
 use std::time::Duration;
 
 use colored::Colorize;
+use futures_util::{StreamExt, stream::FuturesUnordered};
 use komodo_client::{
-  api::execute::{BatchExecutionResponse, Execution},
-  entities::update::Update,
+  api::execute::{
+    BatchExecutionResponse, BatchExecutionResponseItem, Execution,
+  },
+  entities::{resource_link, update::Update},
 };
 
-use crate::{
-  helpers::wait_for_enter,
-  state::{cli_args, komodo_client},
-};
+use crate::config::cli_config;
 
-pub enum ExecutionResult {
+enum ExecutionResult {
   Single(Box<Update>),
   Batch(BatchExecutionResponse),
 }
 
-pub async fn run(execution: Execution) -> anyhow::Result<()> {
+pub async fn handle(
+  execution: &Execution,
+  yes: bool,
+) -> anyhow::Result<()> {
   if matches!(execution, Execution::None(_)) {
     println!("Got 'none' execution. Doing nothing...");
     tokio::time::sleep(Duration::from_secs(3)).await;
@@ -25,7 +28,7 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
   }
 
   println!("\n{}: Execution", "Mode".dimmed());
-  match &execution {
+  match execution {
     Execution::None(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -209,262 +212,299 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
     Execution::BatchDestroyStack(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::RunStackService(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::TestAlerter(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::SendAlert(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::ClearRepoCache(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BackupCoreDatabase(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::GlobalAutoUpdate(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateAllServerKeys(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateCoreKeys(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::Sleep(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
   }
 
-  if !cli_args().yes {
-    wait_for_enter("run execution")?;
-  }
+  super::wait_for_enter("run execution", yes)?;
 
   info!("Running Execution...");
 
-  let res = match execution {
-    Execution::RunAction(request) => komodo_client()
+  let client = super::komodo_client().await?;
+
+  let res = match execution.clone() {
+    Execution::RunAction(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchRunAction(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::RunProcedure(request) => komodo_client()
+    Execution::BatchRunAction(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunProcedure(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchRunProcedure(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::RunBuild(request) => komodo_client()
+    Execution::BatchRunProcedure(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunBuild(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchRunBuild(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::CancelBuild(request) => komodo_client()
+    Execution::BatchRunBuild(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CancelBuild(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::Deploy(request) => komodo_client()
+    Execution::Deploy(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchDeploy(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::PullDeployment(request) => komodo_client()
+    Execution::BatchDeploy(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullDeployment(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::StartDeployment(request) => komodo_client()
+    Execution::StartDeployment(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::RestartDeployment(request) => komodo_client()
+    Execution::RestartDeployment(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PauseDeployment(request) => komodo_client()
+    Execution::PauseDeployment(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::UnpauseDeployment(request) => komodo_client()
+    Execution::UnpauseDeployment(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::StopDeployment(request) => komodo_client()
+    Execution::StopDeployment(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::DestroyDeployment(request) => komodo_client()
+    Execution::DestroyDeployment(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchDestroyDeployment(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::CloneRepo(request) => komodo_client()
+    Execution::BatchDestroyDeployment(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CloneRepo(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchCloneRepo(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::PullRepo(request) => komodo_client()
+    Execution::BatchCloneRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullRepo(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchPullRepo(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::BuildRepo(request) => komodo_client()
+    Execution::BatchPullRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::BuildRepo(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchBuildRepo(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::CancelRepoBuild(request) => komodo_client()
+    Execution::BatchBuildRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CancelRepoBuild(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::StartContainer(request) => komodo_client()
+    Execution::StartContainer(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::RestartContainer(request) => komodo_client()
+    Execution::RestartContainer(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PauseContainer(request) => komodo_client()
+    Execution::PauseContainer(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::UnpauseContainer(request) => komodo_client()
+    Execution::UnpauseContainer(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::StopContainer(request) => komodo_client()
+    Execution::StopContainer(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::DestroyContainer(request) => komodo_client()
+    Execution::DestroyContainer(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::StartAllContainers(request) => komodo_client()
+    Execution::StartAllContainers(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::RestartAllContainers(request) => komodo_client()
+    Execution::RestartAllContainers(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PauseAllContainers(request) => komodo_client()
+    Execution::PauseAllContainers(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::UnpauseAllContainers(request) => komodo_client()
+    Execution::UnpauseAllContainers(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::StopAllContainers(request) => komodo_client()
+    Execution::StopAllContainers(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PruneContainers(request) => komodo_client()
+    Execution::PruneContainers(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::DeleteNetwork(request) => komodo_client()
+    Execution::DeleteNetwork(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PruneNetworks(request) => komodo_client()
+    Execution::PruneNetworks(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::DeleteImage(request) => komodo_client()
+    Execution::DeleteImage(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PruneImages(request) => komodo_client()
+    Execution::PruneImages(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::DeleteVolume(request) => komodo_client()
+    Execution::DeleteVolume(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PruneVolumes(request) => komodo_client()
+    Execution::PruneVolumes(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PruneDockerBuilders(request) => komodo_client()
+    Execution::PruneDockerBuilders(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PruneBuildx(request) => komodo_client()
+    Execution::PruneBuildx(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PruneSystem(request) => komodo_client()
+    Execution::PruneSystem(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::RunSync(request) => komodo_client()
+    Execution::RunSync(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::CommitSync(request) => komodo_client()
+    Execution::CommitSync(request) => client
       .write(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::DeployStack(request) => komodo_client()
+    Execution::DeployStack(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchDeployStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::DeployStackIfChanged(request) => komodo_client()
+    Execution::BatchDeployStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::DeployStackIfChanged(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchDeployStackIfChanged(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::PullStack(request) => komodo_client()
+    Execution::BatchDeployStackIfChanged(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullStack(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchPullStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::StartStack(request) => komodo_client()
+    Execution::BatchPullStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::StartStack(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::RestartStack(request) => komodo_client()
+    Execution::RestartStack(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::PauseStack(request) => komodo_client()
+    Execution::PauseStack(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::UnpauseStack(request) => komodo_client()
+    Execution::UnpauseStack(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::StopStack(request) => komodo_client()
+    Execution::StopStack(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::DestroyStack(request) => komodo_client()
+    Execution::DestroyStack(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
-    Execution::BatchDestroyStack(request) => komodo_client()
+    Execution::BatchDestroyStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunStackService(request) => client
       .execute(request)
       .await
-      .map(ExecutionResult::Batch),
-    Execution::TestAlerter(request) => komodo_client()
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::TestAlerter(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::SendAlert(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::ClearRepoCache(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BackupCoreDatabase(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::GlobalAutoUpdate(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateAllServerKeys(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateCoreKeys(request) => client
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
@@ -480,13 +520,67 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
 
   match res {
     Ok(ExecutionResult::Single(update)) => {
-      println!("\n{}: {update:#?}", "SUCCESS".green())
+      poll_update_until_complete(&update).await
     }
-    Ok(ExecutionResult::Batch(update)) => {
-      println!("\n{}: {update:#?}", "SUCCESS".green())
+    Ok(ExecutionResult::Batch(updates)) => {
+      let mut handles = updates
+        .iter()
+        .map(|update| async move {
+          match update {
+            BatchExecutionResponseItem::Ok(update) => {
+              poll_update_until_complete(update).await
+            }
+            BatchExecutionResponseItem::Err(e) => {
+              error!("{e:#?}");
+              Ok(())
+            }
+          }
+        })
+        .collect::<FuturesUnordered<_>>();
+      while let Some(res) = handles.next().await {
+        match res {
+          Ok(()) => {}
+          Err(e) => {
+            error!("{e:#?}");
+          }
+        }
+      }
+      Ok(())
+    }
+    Err(e) => {
+      error!("{e:#?}");
+      Ok(())
     }
-    Err(e) => println!("{}\n\n{e:#?}", "ERROR".red()),
   }
+}
 
+async fn poll_update_until_complete(
+  update: &Update,
+) -> anyhow::Result<()> {
+  let link = if update.id.is_empty() {
+    let (resource_type, id) = update.target.extract_variant_id();
+    resource_link(&cli_config().host, resource_type, id)
+  } else {
+    format!("{}/updates/{}", cli_config().host, update.id)
+  };
+  println!("Link: '{}'", link.bold());
+
+  let client = super::komodo_client().await?;
+
+  let timer = tokio::time::Instant::now();
+  let update = client.poll_update_until_complete(&update.id).await?;
+  if update.success {
+    println!(
+      "FINISHED in {}: {}",
+      format!("{:.1?}", timer.elapsed()).bold(),
+      "EXECUTION SUCCESSFUL".green(),
+    );
+  } else {
+    eprintln!(
+      "FINISHED in {}: {}",
+      format!("{:.1?}", timer.elapsed()).bold(),
+      "EXECUTION FAILED".red(),
+    );
+  }
   Ok(())
 }

bin/cli/src/command/mod.rs

@@ -0,0 +1,182 @@
+use std::io::Read;
+
+use anyhow::{Context, anyhow};
+use chrono::TimeZone;
+use colored::Colorize;
+use comfy_table::{Attribute, Cell, Table};
+use komodo_client::{
+  KomodoClient,
+  entities::config::cli::{CliTableBorders, args::CliFormat},
+};
+use serde::Serialize;
+use tokio::sync::OnceCell;
+use wildcard::Wildcard;
+
+use crate::config::cli_config;
+
+pub mod container;
+pub mod database;
+pub mod execute;
+pub mod list;
+pub mod terminal;
+pub mod update;
+
+async fn komodo_client() -> anyhow::Result<&'static KomodoClient> {
+  static KOMODO_CLIENT: OnceCell<KomodoClient> =
+    OnceCell::const_new();
+  KOMODO_CLIENT
+    .get_or_try_init(|| async {
+      let config = cli_config();
+      let (Some(key), Some(secret)) =
+        (&config.cli_key, &config.cli_secret)
+      else {
+        return Err(anyhow!(
+          "Must provide both cli_key and cli_secret"
+        ));
+      };
+      KomodoClient::new(&config.host, key, secret)
+        .with_healthcheck()
+        .await
+    })
+    .await
+}
+
+fn wait_for_enter(
+  press_enter_to: &str,
+  skip: bool,
+) -> anyhow::Result<()> {
+  if skip {
+    println!();
+    return Ok(());
+  }
+  println!(
+    "\nPress {} to {}\n",
+    "ENTER".green(),
+    press_enter_to.bold()
+  );
+  let buffer = &mut [0u8];
+  std::io::stdin()
+    .read_exact(buffer)
+    .context("failed to read ENTER")?;
+  Ok(())
+}
+
+/// Sanitizes uris of the form:
+/// `protocol://username:password@address`
+fn sanitize_uri(uri: &str) -> String {
+  // protocol: `mongodb`
+  // credentials_address: `username:password@address`
+  let Some((protocol, credentials_address)) = uri.split_once("://")
+  else {
+    // If no protocol, return as-is
+    return uri.to_string();
+  };
+
+  // credentials: `username:password`
+  let Some((credentials, address)) =
+    credentials_address.split_once('@')
+  else {
+    // If no credentials, return as-is
+    return uri.to_string();
+  };
+
+  match credentials.split_once(':') {
+    Some((username, _)) => {
+      format!("{protocol}://{username}:*****@{address}")
+    }
+    None => {
+      format!("{protocol}://*****@{address}")
+    }
+  }
+}
+
+fn print_items<T: PrintTable + Serialize>(
+  items: Vec<T>,
+  format: CliFormat,
+  links: bool,
+) -> anyhow::Result<()> {
+  match format {
+    CliFormat::Table => {
+      let mut table = Table::new();
+      let preset = {
+        use comfy_table::presets::*;
+        match cli_config().table_borders {
+          None | Some(CliTableBorders::Horizontal) => {
+            UTF8_HORIZONTAL_ONLY
+          }
+          Some(CliTableBorders::Vertical) => UTF8_FULL_CONDENSED,
+          Some(CliTableBorders::Inside) => UTF8_NO_BORDERS,
+          Some(CliTableBorders::Outside) => UTF8_BORDERS_ONLY,
+          Some(CliTableBorders::All) => UTF8_FULL,
+        }
+      };
+      table.load_preset(preset).set_header(
+        T::header(links)
+          .iter()
+          .map(|h| Cell::new(h).add_attribute(Attribute::Bold)),
+      );
+      for item in items {
+        table.add_row(item.row(links));
+      }
+      println!("{table}");
+    }
+    CliFormat::Json => {
+      println!(
+        "{}",
+        serde_json::to_string_pretty(&items)
+          .context("Failed to serialize items to JSON")?
+      );
+    }
+  }
+  Ok(())
+}
+
+trait PrintTable {
+  fn header(links: bool) -> &'static [&'static str];
+  fn row(self, links: bool) -> Vec<Cell>;
+}
+
+fn parse_wildcards(items: &[String]) -> Vec<Wildcard<'_>> {
+  items
+    .iter()
+    .flat_map(|i| {
+      Wildcard::new(i.as_bytes()).inspect_err(|e| {
+        warn!("Failed to parse wildcard: {i} | {e:?}")
+      })
+    })
+    .collect::<Vec<_>>()
+}
+
+fn matches_wildcards(
+  wildcards: &[Wildcard<'_>],
+  items: &[&str],
+) -> bool {
+  if wildcards.is_empty() {
+    return true;
+  }
+  items.iter().any(|item| {
+    wildcards.iter().any(|wc| wc.is_match(item.as_bytes()))
+  })
+}
+
+fn format_timetamp(ts: i64) -> anyhow::Result<String> {
+  let ts = chrono::Local
+    .timestamp_millis_opt(ts)
+    .single()
+    .context("Invalid ts")?
+    .format("%m/%d %H:%M:%S")
+    .to_string();
+  Ok(ts)
+}
+
+fn clamp_sha(maybe_sha: &str) -> String {
+  if maybe_sha.starts_with("sha256:") {
+    maybe_sha[0..20].to_string() + "..."
+  } else {
+    maybe_sha.to_string()
+  }
+}
+
+// fn text_link(link: &str, text: &str) -> String {
+//   format!("\x1b]8;;{link}\x07{text}\x1b]8;;\x07")
+// }

bin/cli/src/command/terminal.rs

@@ -0,0 +1,334 @@
+use anyhow::{Context, anyhow};
+use colored::Colorize;
+use komodo_client::{
+  api::{
+    read::{ListAllDockerContainers, ListServers},
+    terminal::InitTerminal,
+  },
+  entities::{
+    config::cli::args::terminal::{Attach, Connect, Exec},
+    server::ServerQuery,
+    terminal::{
+      ContainerTerminalMode, TerminalRecreateMode,
+      TerminalResizeMessage, TerminalStdinMessage,
+    },
+  },
+  ws::terminal::TerminalWebsocket,
+};
+use tokio::io::{AsyncReadExt as _, AsyncWriteExt as _};
+use tokio_util::sync::CancellationToken;
+
+pub async fn handle_connect(
+  Connect {
+    server,
+    name,
+    command,
+    recreate,
+  }: &Connect,
+) -> anyhow::Result<()> {
+  handle_terminal_forwarding(async {
+    super::komodo_client()
+      .await?
+      .connect_server_terminal(
+        server.to_string(),
+        Some(name.to_string()),
+        Some(InitTerminal {
+          command: command.clone(),
+          recreate: if *recreate {
+            TerminalRecreateMode::Always
+          } else {
+            TerminalRecreateMode::DifferentCommand
+          },
+          mode: None,
+        }),
+      )
+      .await
+  })
+  .await
+}
+
+pub async fn handle_exec(
+  Exec {
+    server,
+    container,
+    shell,
+    recreate,
+  }: &Exec,
+) -> anyhow::Result<()> {
+  let server = get_server(server.clone(), container).await?;
+  handle_terminal_forwarding(async {
+    super::komodo_client()
+      .await?
+      .connect_container_terminal(
+        server,
+        container.to_string(),
+        None,
+        Some(InitTerminal {
+          command: Some(shell.to_string()),
+          recreate: if *recreate {
+            TerminalRecreateMode::Always
+          } else {
+            TerminalRecreateMode::DifferentCommand
+          },
+          mode: Some(ContainerTerminalMode::Exec),
+        }),
+      )
+      .await
+  })
+  .await
+}
+
+pub async fn handle_attach(
+  Attach {
+    server,
+    container,
+    recreate,
+  }: &Attach,
+) -> anyhow::Result<()> {
+  let server = get_server(server.clone(), container).await?;
+  handle_terminal_forwarding(async {
+    super::komodo_client()
+      .await?
+      .connect_container_terminal(
+        server,
+        container.to_string(),
+        None,
+        Some(InitTerminal {
+          command: None,
+          recreate: if *recreate {
+            TerminalRecreateMode::Always
+          } else {
+            TerminalRecreateMode::DifferentCommand
+          },
+          mode: Some(ContainerTerminalMode::Attach),
+        }),
+      )
+      .await
+  })
+  .await
+}
+
+async fn get_server(
+  server: Option<String>,
+  container: &str,
+) -> anyhow::Result<String> {
+  if let Some(server) = server {
+    return Ok(server);
+  }
+
+  let client = super::komodo_client().await?;
+
+  let mut containers = client
+    .read(ListAllDockerContainers {
+      servers: Default::default(),
+      containers: vec![container.to_string()],
+    })
+    .await?;
+
+  if containers.is_empty() {
+    return Err(anyhow!(
+      "Did not find any container matching {container}"
+    ));
+  }
+
+  if containers.len() == 1 {
+    return containers
+      .pop()
+      .context("Shouldn't happen")?
+      .server_id
+      .context("Container doesn't have server_id");
+  }
+
+  let servers = containers
+    .into_iter()
+    .flat_map(|container| container.server_id)
+    .collect::<Vec<_>>();
+
+  let servers = client
+    .read(ListServers {
+      query: ServerQuery::builder().names(servers).build(),
+    })
+    .await?
+    .into_iter()
+    .map(|server| format!("\t- {}", server.name.bold()))
+    .collect::<Vec<_>>()
+    .join("\n");
+
+  Err(anyhow!(
+    "Multiple containers matching '{}' on Servers:\n{servers}",
+    container.bold(),
+  ))
+}
+
+async fn handle_terminal_forwarding<
+  C: Future<Output = anyhow::Result<TerminalWebsocket>>,
+>(
+  connect: C,
+) -> anyhow::Result<()> {
+  // Need to forward multiple sources into ws write
+  let (write_tx, mut write_rx) =
+    tokio::sync::mpsc::channel::<TerminalStdinMessage>(1024);
+
+  // ================
+  //  SETUP RESIZING
+  // ================
+
+  // Subscribe to SIGWINCH for resize messages
+  let mut sigwinch = tokio::signal::unix::signal(
+    tokio::signal::unix::SignalKind::window_change(),
+  )
+  .context("failed to register SIGWINCH handler")?;
+
+  // Send first resize messsage, bailing if it fails to get the size.
+  write_tx.send(resize_message()?).await?;
+
+  let cancel = CancellationToken::new();
+
+  let forward_resize = async {
+    while future_or_cancel(sigwinch.recv(), &cancel)
+      .await
+      .flatten()
+      .is_some()
+    {
+      if let Ok(resize_message) = resize_message()
+        && write_tx.send(resize_message).await.is_err()
+      {
+        break;
+      }
+    }
+    cancel.cancel();
+  };
+
+  let forward_stdin = async {
+    let mut stdin = tokio::io::stdin();
+    let mut buf = [0u8; 8192];
+    while let Some(Ok(n)) =
+      future_or_cancel(stdin.read(&mut buf), &cancel).await
+    {
+      // EOF
+      if n == 0 {
+        break;
+      }
+      let bytes = &buf[..n];
+      // Check for disconnect sequence (alt + q)
+      if bytes == [197, 147] {
+        break;
+      }
+      // Forward bytes
+      if write_tx
+        .send(TerminalStdinMessage::Forward(bytes.to_vec()))
+        .await
+        .is_err()
+      {
+        break;
+      };
+    }
+    cancel.cancel();
+  };
+
+  // =====================
+  //  CONNECT AND FORWARD
+  // =====================
+
+  let (mut ws_write, mut ws_read) = connect.await?.split();
+
+  let forward_write = async {
+    while let Some(message) =
+      future_or_cancel(write_rx.recv(), &cancel).await.flatten()
+    {
+      if let Err(e) = ws_write.send_stdin_message(message).await {
+        cancel.cancel();
+        return Some(e);
+      };
+    }
+    cancel.cancel();
+    None
+  };
+
+  let forward_read = async {
+    let mut stdout = tokio::io::stdout();
+    while let Some(msg) =
+      future_or_cancel(ws_read.receive_stdout(), &cancel).await
+    {
+      let bytes = match msg {
+        Ok(Some(bytes)) => bytes,
+        Ok(None) => break,
+        Err(e) => {
+          cancel.cancel();
+          return Some(e.context("Websocket read error"));
+        }
+      };
+      if let Err(e) = stdout
+        .write_all(&bytes)
+        .await
+        .context("Failed to write text to stdout")
+      {
+        cancel.cancel();
+        return Some(e);
+      }
+      let _ = stdout.flush().await;
+    }
+    cancel.cancel();
+    None
+  };
+
+  let guard = RawModeGuard::enable_raw_mode()?;
+
+  let (_, _, write_error, read_error) = tokio::join!(
+    forward_resize,
+    forward_stdin,
+    forward_write,
+    forward_read
+  );
+
+  drop(guard);
+
+  if let Some(e) = write_error {
+    eprintln!("\nFailed to forward stdin | {e:#}");
+  }
+
+  if let Some(e) = read_error {
+    eprintln!("\nFailed to forward stdout | {e:#}");
+  }
+
+  println!("\n\n{} {}", "connection".bold(), "closed".red().bold());
+
+  // It doesn't seem to exit by itself after the raw mode stuff.
+  std::process::exit(0)
+}
+
+fn resize_message() -> anyhow::Result<TerminalStdinMessage> {
+  let (cols, rows) = crossterm::terminal::size()
+    .context("Failed to get terminal size")?;
+  Ok(TerminalStdinMessage::Resize(TerminalResizeMessage {
+    rows,
+    cols,
+  }))
+}
+
+struct RawModeGuard;
+
+impl RawModeGuard {
+  fn enable_raw_mode() -> anyhow::Result<Self> {
+    crossterm::terminal::enable_raw_mode()
+      .context("Failed to enable terminal raw mode")?;
+    Ok(Self)
+  }
+}
+impl Drop for RawModeGuard {
+  fn drop(&mut self) {
+    if let Err(e) = crossterm::terminal::disable_raw_mode() {
+      eprintln!("Failed to disable terminal raw mode | {e:?}");
+    }
+  }
+}
+
+async fn future_or_cancel<T, F: Future<Output = T>>(
+  fut: F,
+  cancel: &CancellationToken,
+) -> Option<T> {
+  tokio::select! {
+    res = fut => Some(res),
+    _ = cancel.cancelled() => None
+  }
+}

bin/cli/src/command/update/mod.rs

@@ -0,0 +1,43 @@
+use komodo_client::entities::{
+  build::PartialBuildConfig,
+  config::cli::args::update::UpdateCommand,
+  deployment::PartialDeploymentConfig, repo::PartialRepoConfig,
+  server::PartialServerConfig, stack::PartialStackConfig,
+  sync::PartialResourceSyncConfig,
+};
+
+mod resource;
+mod user;
+mod variable;
+
+pub async fn handle(command: &UpdateCommand) -> anyhow::Result<()> {
+  match command {
+    UpdateCommand::Build(update) => {
+      resource::update::<PartialBuildConfig>(update).await
+    }
+    UpdateCommand::Deployment(update) => {
+      resource::update::<PartialDeploymentConfig>(update).await
+    }
+    UpdateCommand::Repo(update) => {
+      resource::update::<PartialRepoConfig>(update).await
+    }
+    UpdateCommand::Server(update) => {
+      resource::update::<PartialServerConfig>(update).await
+    }
+    UpdateCommand::Stack(update) => {
+      resource::update::<PartialStackConfig>(update).await
+    }
+    UpdateCommand::Sync(update) => {
+      resource::update::<PartialResourceSyncConfig>(update).await
+    }
+    UpdateCommand::Variable {
+      name,
+      value,
+      secret,
+      yes,
+    } => variable::update(name, value, *secret, *yes).await,
+    UpdateCommand::User { username, command } => {
+      user::update(username, command).await
+    }
+  }
+}

bin/cli/src/command/update/resource.rs

@@ -0,0 +1,152 @@
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::{
+  api::write::{
+    UpdateBuild, UpdateDeployment, UpdateRepo, UpdateResourceSync,
+    UpdateServer, UpdateStack,
+  },
+  entities::{
+    build::PartialBuildConfig,
+    config::cli::args::update::UpdateResource,
+    deployment::PartialDeploymentConfig, repo::PartialRepoConfig,
+    server::PartialServerConfig, stack::PartialStackConfig,
+    sync::PartialResourceSyncConfig,
+  },
+};
+use serde::{Serialize, de::DeserializeOwned};
+
+pub async fn update<
+  T: std::fmt::Debug + Serialize + DeserializeOwned + ResourceUpdate,
+>(
+  UpdateResource {
+    resource,
+    update,
+    yes,
+  }: &UpdateResource,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update {}\n", "Mode".dimmed(), T::resource_type());
+  println!(" - {}: {resource}", "Name".dimmed());
+
+  let config = serde_qs::from_str::<T>(update)
+    .context("Failed to deserialize config")?;
+
+  match serde_json::to_string_pretty(&config) {
+    Ok(config) => {
+      println!(" - {}: {config}", "Update".dimmed());
+    }
+    Err(_) => {
+      println!(" - {}: {config:#?}", "Update".dimmed());
+    }
+  }
+
+  crate::command::wait_for_enter("update resource", *yes)?;
+
+  config.apply(resource).await
+}
+
+pub trait ResourceUpdate {
+  fn resource_type() -> &'static str;
+  async fn apply(self, resource: &str) -> anyhow::Result<()>;
+}
+
+impl ResourceUpdate for PartialBuildConfig {
+  fn resource_type() -> &'static str {
+    "Build"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateBuild {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update build config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialDeploymentConfig {
+  fn resource_type() -> &'static str {
+    "Deployment"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateDeployment {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update deployment config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialRepoConfig {
+  fn resource_type() -> &'static str {
+    "Repo"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateRepo {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update repo config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialServerConfig {
+  fn resource_type() -> &'static str {
+    "Server"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateServer {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update server config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialStackConfig {
+  fn resource_type() -> &'static str {
+    "Stack"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateStack {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update stack config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialResourceSyncConfig {
+  fn resource_type() -> &'static str {
+    "Sync"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateResourceSync {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update sync config")?;
+    Ok(())
+  }
+}

bin/cli/src/command/update/user.rs

@@ -0,0 +1,122 @@
+use anyhow::Context;
+use colored::Colorize;
+use database::mungos::mongodb::bson::doc;
+use komodo_client::entities::{
+  config::{
+    cli::args::{CliEnabled, update::UpdateUserCommand},
+    empty_or_redacted,
+  },
+  optional_string,
+};
+
+use crate::{command::sanitize_uri, config::cli_config};
+
+pub async fn update(
+  username: &str,
+  command: &UpdateUserCommand,
+) -> anyhow::Result<()> {
+  match command {
+    UpdateUserCommand::Password {
+      password,
+      unsanitized,
+      yes,
+    } => {
+      update_password(username, password, *unsanitized, *yes).await
+    }
+    UpdateUserCommand::SuperAdmin { enabled, yes } => {
+      update_super_admin(username, *enabled, *yes).await
+    }
+  }
+}
+
+async fn update_password(
+  username: &str,
+  password: &str,
+  unsanitized: bool,
+  yes: bool,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update Password\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+  if unsanitized {
+    println!(" - {}: {password}", "Password".dimmed());
+  } else {
+    println!(
+      " - {}: {}",
+      "Password".dimmed(),
+      empty_or_redacted(password)
+    );
+  }
+
+  crate::command::wait_for_enter("update password", yes)?;
+
+  info!("Updating password...");
+
+  let db = database::Client::new(&cli_config().database).await?;
+
+  let user = db
+    .users
+    .find_one(doc! { "username": username })
+    .await
+    .context("Failed to query database for user")?
+    .context("No user found with given username")?;
+
+  db.set_user_password(&user, password).await?;
+
+  info!("Password updated ✅");
+
+  Ok(())
+}
+
+async fn update_super_admin(
+  username: &str,
+  super_admin: CliEnabled,
+  yes: bool,
+) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!("\n{}: Update Super Admin\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+  println!(" - {}: {super_admin}\n", "Super Admin".dimmed());
+
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  crate::command::wait_for_enter("update super admin", yes)?;
+
+  info!("Updating super admin...");
+
+  let db = database::Client::new(&config.database).await?;
+
+  // Make sure the user exists first before saying it is successful.
+  let user = db
+    .users
+    .find_one(doc! { "username": username })
+    .await
+    .context("Failed to query database for user")?
+    .context("No user found with given username")?;
+
+  let super_admin: bool = super_admin.into();
+  db.users
+    .update_one(
+      doc! { "username": user.username },
+      doc! { "$set": { "super_admin": super_admin } },
+    )
+    .await
+    .context("Failed to update user super admin on db")?;
+
+  info!("Super admin updated ✅");
+
+  Ok(())
+}

bin/cli/src/command/update/variable.rs

@@ -0,0 +1,70 @@
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::api::{
+  read::GetVariable,
+  write::{
+    CreateVariable, UpdateVariableIsSecret, UpdateVariableValue,
+  },
+};
+
+pub async fn update(
+  name: &str,
+  value: &str,
+  secret: Option<bool>,
+  yes: bool,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update Variable\n", "Mode".dimmed());
+  println!(" - {}:  {name}", "Name".dimmed());
+  println!(" - {}: {value}", "Value".dimmed());
+  if let Some(secret) = secret {
+    println!(" - {}: {secret}", "Is Secret".dimmed());
+  }
+
+  crate::command::wait_for_enter("update variable", yes)?;
+
+  let client = crate::command::komodo_client().await?;
+
+  let Ok(existing) = client
+    .read(GetVariable {
+      name: name.to_string(),
+    })
+    .await
+  else {
+    // Create the variable
+    client
+      .write(CreateVariable {
+        name: name.to_string(),
+        value: value.to_string(),
+        is_secret: secret.unwrap_or_default(),
+        description: Default::default(),
+      })
+      .await
+      .context("Failed to create variable")?;
+    info!("Variable created ✅");
+    return Ok(());
+  };
+
+  client
+    .write(UpdateVariableValue {
+      name: name.to_string(),
+      value: value.to_string(),
+    })
+    .await
+    .context("Failed to update variable 'value'")?;
+  info!("Variable 'value' updated ✅");
+
+  let Some(secret) = secret else { return Ok(()) };
+
+  if secret != existing.is_secret {
+    client
+      .write(UpdateVariableIsSecret {
+        name: name.to_string(),
+        is_secret: secret,
+      })
+      .await
+      .context("Failed to update variable 'is_secret'")?;
+    info!("Variable 'is_secret' updated to {secret} ✅");
+  }
+
+  Ok(())
+}

bin/cli/src/config.rs

@@ -0,0 +1,280 @@
+use std::{path::PathBuf, sync::OnceLock};
+
+use anyhow::Context;
+use clap::Parser;
+use colored::Colorize;
+use environment_file::maybe_read_item_from_file;
+use komodo_client::entities::{
+  config::{
+    DatabaseConfig,
+    cli::{
+      CliConfig, Env,
+      args::{CliArgs, Command, Execute, database::DatabaseCommand},
+    },
+  },
+  logger::LogConfig,
+};
+
+pub fn cli_args() -> &'static CliArgs {
+  static CLI_ARGS: OnceLock<CliArgs> = OnceLock::new();
+  CLI_ARGS.get_or_init(CliArgs::parse)
+}
+
+pub fn cli_env() -> &'static Env {
+  static CLI_ARGS: OnceLock<Env> = OnceLock::new();
+  CLI_ARGS.get_or_init(|| {
+    match envy::from_env()
+      .context("Failed to parse Komodo CLI environment")
+    {
+      Ok(env) => env,
+      Err(e) => {
+        panic!("{e:?}")
+      }
+    }
+  })
+}
+
+pub fn cli_config() -> &'static CliConfig {
+  static CLI_CONFIG: OnceLock<CliConfig> = OnceLock::new();
+  CLI_CONFIG.get_or_init(|| {
+    let args = cli_args();
+    let env = cli_env().clone();
+    let config_paths = args
+      .config_path
+      .clone()
+      .unwrap_or(env.komodo_cli_config_paths);
+    let debug_startup =
+      args.debug_startup.unwrap_or(env.komodo_cli_debug_startup);
+
+    if debug_startup {
+      println!(
+        "{}: Komodo CLI version: {}",
+        "DEBUG".cyan(),
+        env!("CARGO_PKG_VERSION").blue().bold()
+      );
+      println!(
+        "{}: {}: {config_paths:?}",
+        "DEBUG".cyan(),
+        "Config Paths".dimmed(),
+      );
+    }
+
+    let config_keywords = args
+      .config_keyword
+      .clone()
+      .unwrap_or(env.komodo_cli_config_keywords);
+    let config_keywords = config_keywords
+      .iter()
+      .map(String::as_str)
+      .collect::<Vec<_>>();
+    if debug_startup {
+      println!(
+        "{}: {}: {config_keywords:?}",
+        "DEBUG".cyan(),
+        "Config File Keywords".dimmed(),
+      );
+    }
+    let mut unparsed_config = (config::ConfigLoader {
+      paths: &config_paths
+        .iter()
+        .map(PathBuf::as_path)
+        .collect::<Vec<_>>(),
+      match_wildcards: &config_keywords,
+      include_file_name: ".kminclude",
+      merge_nested: env.komodo_cli_merge_nested_config,
+      extend_array: env.komodo_cli_extend_config_arrays,
+      debug_print: debug_startup,
+    })
+    .load::<serde_json::Map<String, serde_json::Value>>()
+    .expect("failed at parsing config from paths");
+    let init_parsed_config = serde_json::from_value::<CliConfig>(
+      serde_json::Value::Object(unparsed_config.clone()),
+    )
+    .context("Failed to parse config")
+    .unwrap();
+
+    let (host, key, secret) = match &args.command {
+      Command::Execute(Execute {
+        host, key, secret, ..
+      }) => (host.clone(), key.clone(), secret.clone()),
+      _ => (None, None, None),
+    };
+
+    let backups_folder = match &args.command {
+      Command::Database {
+        command: DatabaseCommand::Backup { backups_folder, .. },
+      } => backups_folder.clone(),
+      Command::Database {
+        command: DatabaseCommand::Restore { backups_folder, .. },
+      } => backups_folder.clone(),
+      _ => None,
+    };
+    let (uri, address, username, password, db_name) =
+      match &args.command {
+        Command::Database {
+          command:
+            DatabaseCommand::Copy {
+              uri,
+              address,
+              username,
+              password,
+              db_name,
+              ..
+            },
+        } => (
+          uri.clone(),
+          address.clone(),
+          username.clone(),
+          password.clone(),
+          db_name.clone(),
+        ),
+        _ => (None, None, None, None, None),
+      };
+
+    let profile = args
+      .profile
+      .as_ref()
+      .or(init_parsed_config.default_profile.as_ref());
+
+    let unparsed_config = if let Some(profile) = profile
+      && !profile.is_empty()
+    {
+      // Find the profile config,
+      // then merge it with the Default config.
+      let serde_json::Value::Array(profiles) = unparsed_config
+        .remove("profile")
+        .context("Config has no profiles, but a profile is required")
+        .unwrap()
+      else {
+        panic!("`config.profile` is not array");
+      };
+      let Some(profile_config) = profiles.into_iter().find(|p| {
+        let Ok(parsed) =
+          serde_json::from_value::<CliConfig>(p.clone())
+        else {
+          return false;
+        };
+        &parsed.config_profile == profile
+          || parsed
+            .config_aliases
+            .iter()
+            .any(|alias| alias == profile)
+      }) else {
+        panic!("No profile matching '{profile}' was found.");
+      };
+      let serde_json::Value::Object(profile_config) = profile_config
+      else {
+        panic!("Profile config is not Object type.");
+      };
+      config::merge_config(
+        unparsed_config,
+        profile_config.clone(),
+        env.komodo_cli_merge_nested_config,
+        env.komodo_cli_extend_config_arrays,
+      )
+      .unwrap_or(profile_config)
+    } else {
+      unparsed_config
+    };
+    let config = serde_json::from_value::<CliConfig>(
+      serde_json::Value::Object(unparsed_config),
+    )
+    .context("Failed to parse final config")
+    .unwrap();
+    let config_profile = if config.config_profile.is_empty() {
+      String::from("None")
+    } else {
+      config.config_profile
+    };
+
+    CliConfig {
+      config_profile,
+      config_aliases: config.config_aliases,
+      default_profile: config.default_profile,
+      table_borders: env
+        .komodo_cli_table_borders
+        .or(config.table_borders),
+      host: host
+        .or(env.komodo_cli_host)
+        .or(env.komodo_host)
+        .unwrap_or(config.host),
+      cli_key: key.or(env.komodo_cli_key).or(config.cli_key),
+      cli_secret: secret
+        .or(env.komodo_cli_secret)
+        .or(config.cli_secret),
+      backups_folder: backups_folder
+        .or(env.komodo_cli_backups_folder)
+        .unwrap_or(config.backups_folder),
+      max_backups: env
+        .komodo_cli_max_backups
+        .unwrap_or(config.max_backups),
+      database_target: DatabaseConfig {
+        uri: uri
+          .or(env.komodo_cli_database_target_uri)
+          .unwrap_or(config.database_target.uri),
+        address: address
+          .or(env.komodo_cli_database_target_address)
+          .unwrap_or(config.database_target.address),
+        username: username
+          .or(env.komodo_cli_database_target_username)
+          .unwrap_or(config.database_target.username),
+        password: password
+          .or(env.komodo_cli_database_target_password)
+          .unwrap_or(config.database_target.password),
+        db_name: db_name
+          .or(env.komodo_cli_database_target_db_name)
+          .unwrap_or(config.database_target.db_name),
+        app_name: config.database_target.app_name,
+      },
+      database: DatabaseConfig {
+        uri: maybe_read_item_from_file(
+          env.komodo_database_uri_file,
+          env.komodo_database_uri,
+        )
+        .unwrap_or(config.database.uri),
+        address: env
+          .komodo_database_address
+          .unwrap_or(config.database.address),
+        username: maybe_read_item_from_file(
+          env.komodo_database_username_file,
+          env.komodo_database_username,
+        )
+        .unwrap_or(config.database.username),
+        password: maybe_read_item_from_file(
+          env.komodo_database_password_file,
+          env.komodo_database_password,
+        )
+        .unwrap_or(config.database.password),
+        db_name: env
+          .komodo_database_db_name
+          .unwrap_or(config.database.db_name),
+        app_name: config.database.app_name,
+      },
+      cli_logging: LogConfig {
+        level: env
+          .komodo_cli_logging_level
+          .unwrap_or(config.cli_logging.level),
+        stdio: env
+          .komodo_cli_logging_stdio
+          .unwrap_or(config.cli_logging.stdio),
+        pretty: env
+          .komodo_cli_logging_pretty
+          .unwrap_or(config.cli_logging.pretty),
+        location: false,
+        ansi: env
+          .komodo_cli_logging_ansi
+          .unwrap_or(config.cli_logging.ansi),
+        otlp_endpoint: env
+          .komodo_cli_logging_otlp_endpoint
+          .unwrap_or(config.cli_logging.otlp_endpoint),
+        opentelemetry_service_name: env
+          .komodo_cli_logging_opentelemetry_service_name
+          .unwrap_or(config.cli_logging.opentelemetry_service_name),
+        opentelemetry_scope_name: env
+          .komodo_cli_logging_opentelemetry_scope_name
+          .unwrap_or(config.cli_logging.opentelemetry_scope_name),
+      },
+      profile: config.profile,
+    }
+  })
+}

bin/cli/src/helpers.rs

@@ -1,17 +0,0 @@
-use std::io::Read;
-
-use anyhow::Context;
-use colored::Colorize;
-
-pub fn wait_for_enter(press_enter_to: &str) -> anyhow::Result<()> {
-  println!(
-    "\nPress {} to {}\n",
-    "ENTER".green(),
-    press_enter_to.bold()
-  );
-  let buffer = &mut [0u8];
-  std::io::stdin()
-    .read_exact(buffer)
-    .context("failed to read ENTER")?;
-  Ok(())
-}

bin/cli/src/main.rs

@@ -1,32 +1,96 @@
 #[macro_use]
 extern crate tracing;
 
+use anyhow::Context;
 use colored::Colorize;
-use komodo_client::api::read::GetVersion;
+use komodo_client::entities::config::cli::args;
 
-mod args;
-mod exec;
-mod helpers;
-mod state;
+use crate::config::cli_config;
+
+mod command;
+mod config;
+
+async fn app() -> anyhow::Result<()> {
+  dotenvy::dotenv().ok();
+  logger::init(&config::cli_config().cli_logging)?;
+  let args = config::cli_args();
+  let env = config::cli_env();
+  let debug_load =
+    args.debug_startup.unwrap_or(env.komodo_cli_debug_startup);
+
+  match &args.command {
+    args::Command::Config {
+      all_profiles,
+      unsanitized,
+    } => {
+      let mut config = if *unsanitized {
+        cli_config().clone()
+      } else {
+        cli_config().sanitized()
+      };
+      if !*all_profiles {
+        config.profile = Default::default();
+      }
+      if debug_load {
+        println!("\n{config:#?}");
+      } else {
+        println!(
+          "\nCLI Config {}",
+          serde_json::to_string_pretty(&config)
+            .context("Failed to serialize config for pretty print")?
+        );
+      }
+      Ok(())
+    }
+    args::Command::Container(container) => {
+      command::container::handle(container).await
+    }
+    args::Command::Inspect(inspect) => {
+      command::container::inspect_container(inspect).await
+    }
+    args::Command::List(list) => command::list::handle(list).await,
+    args::Command::Execute(args) => {
+      command::execute::handle(&args.execution, args.yes).await
+    }
+    args::Command::Update { command } => {
+      command::update::handle(command).await
+    }
+    args::Command::Connect(connect) => {
+      command::terminal::handle_connect(connect).await
+    }
+    args::Command::Exec(exec) => {
+      command::terminal::handle_exec(exec).await
+    }
+    args::Command::Attach(attach) => {
+      command::terminal::handle_attach(attach).await
+    }
+    args::Command::Key { command } => {
+      noise::key::command::handle(command).await
+    }
+    args::Command::Database { command } => {
+      command::database::handle(command).await
+    }
+  }
+}
 
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
-  tracing_subscriber::fmt().with_target(false).init();
-
-  info!(
-    "Komodo CLI version: {}",
-    env!("CARGO_PKG_VERSION").blue().bold()
-  );
-
-  let version =
-    state::komodo_client().read(GetVersion {}).await?.version;
-  info!("Komodo Core version: {}", version.blue().bold());
-
-  match &state::cli_args().command {
-    args::Command::Execute { execution } => {
-      exec::run(execution.to_owned()).await?
-    }
+  let mut term_signal = tokio::signal::unix::signal(
+    tokio::signal::unix::SignalKind::terminate(),
+  )?;
+  tokio::select! {
+    res = tokio::spawn(app()) => match res {
+      Ok(Err(e)) => {
+        eprintln!("{}: {e}", "ERROR".red());
+        std::process::exit(1)
+      }
+      Err(e) => {
+        eprintln!("{}: {e}", "ERROR".red());
+        std::process::exit(1)
+      },
+      Ok(_) => {}
+    },
+    _ = term_signal.recv() => {},
   }
-
   Ok(())
 }

bin/cli/src/state.rs

@@ -1,48 +0,0 @@
-use std::sync::OnceLock;
-
-use clap::Parser;
-use komodo_client::KomodoClient;
-use merge_config_files::parse_config_file;
-
-pub fn cli_args() -> &'static crate::args::CliArgs {
-  static CLI_ARGS: OnceLock<crate::args::CliArgs> = OnceLock::new();
-  CLI_ARGS.get_or_init(crate::args::CliArgs::parse)
-}
-
-pub fn komodo_client() -> &'static KomodoClient {
-  static KOMODO_CLIENT: OnceLock<KomodoClient> = OnceLock::new();
-  KOMODO_CLIENT.get_or_init(|| {
-    let args = cli_args();
-    let crate::args::CredsFile { url, key, secret } =
-      match (&args.url, &args.key, &args.secret) {
-        (Some(url), Some(key), Some(secret)) => {
-          crate::args::CredsFile {
-            url: url.clone(),
-            key: key.clone(),
-            secret: secret.clone(),
-          }
-        }
-        (url, key, secret) => {
-          let mut creds: crate::args::CredsFile =
-            parse_config_file(cli_args().creds.as_str())
-              .expect("failed to parse Komodo credentials");
-
-          if let Some(url) = url {
-            creds.url.clone_from(url);
-          }
-          if let Some(key) = key {
-            creds.key.clone_from(key);
-          }
-          if let Some(secret) = secret {
-            creds.secret.clone_from(secret);
-          }
-
-          creds
-        }
-      };
-    futures::executor::block_on(
-      KomodoClient::new(url, key, secret).with_healthcheck(),
-    )
-    .expect("failed to initialize Komodo client")
-  })
-}

bin/core/Cargo.toml

@@ -19,30 +19,35 @@ komodo_client = { workspace = true, features = ["mongo"] }
 periphery_client.workspace = true
 environment_file.workspace = true
 interpolate.workspace = true
+secret_file.workspace = true
+validations.workspace = true
 formatting.workspace = true
+rate_limit.workspace = true
+transport.workspace = true
+database.workspace = true
+encoding.workspace = true
 response.workspace = true
 command.workspace = true
+config.workspace = true
 logger.workspace = true
 cache.workspace = true
+noise.workspace = true
 git.workspace = true
 # mogh
 serror = { workspace = true, features = ["axum"] }
-merge_config_files.workspace = true
 async_timing_util.workspace = true
 partial_derive2.workspace = true
 derive_variants.workspace = true
-mongo_indexed.workspace = true
 resolver_api.workspace = true
 toml_pretty.workspace = true
-mungos.workspace = true
 slack.workspace = true
 svi.workspace = true
 # external
 aws-credential-types.workspace = true
-tokio-tungstenite.workspace = true
 english-to-cron.workspace = true
 openidconnect.workspace = true
 jsonwebtoken.workspace = true
+futures-util.workspace = true
 axum-server.workspace = true
 urlencoding.workspace = true
 aws-sdk-ec2.workspace = true
@@ -51,18 +56,17 @@ tokio-util.workspace = true
 axum-extra.workspace = true
 tower-http.workspace = true
 serde_json.workspace = true
-serde_yaml.workspace = true
+serde_yaml_ng.workspace = true
+serde_qs.workspace = true
 typeshare.workspace = true
 chrono-tz.workspace = true
 indexmap.workspace = true
-octorust.workspace = true
 wildcard.workspace = true
 arc-swap.workspace = true
+colored.workspace = true
 dashmap.workspace = true
 tracing.workspace = true
 reqwest.workspace = true
-futures.workspace = true
-nom_pem.workspace = true
 dotenvy.workspace = true
 anyhow.workspace = true
 croner.workspace = true
@@ -70,14 +74,16 @@ chrono.workspace = true
 bcrypt.workspace = true
 base64.workspace = true
 rustls.workspace = true
+bytes.workspace = true
 tokio.workspace = true
 serde.workspace = true
+strum.workspace = true
 regex.workspace = true
 axum.workspace = true
 toml.workspace = true
 uuid.workspace = true
 envy.workspace = true
-rand.workspace = true
 hmac.workspace = true
 sha2.workspace = true
 hex.workspace = true
+url.workspace = true

bin/core/aio.Dockerfile

@@ -1,7 +1,8 @@
 ## All in one, multi stage compile + runtime Docker build for your architecture.
 
 # Build Core
-FROM rust:1.87.0-bullseye AS core-builder
+FROM rust:1.91.1-trixie AS core-builder
+RUN cargo install cargo-strip
 
 WORKDIR /builder
 COPY Cargo.toml Cargo.lock ./
@@ -9,9 +10,12 @@ COPY ./lib ./lib
 COPY ./client/core/rs ./client/core/rs
 COPY ./client/periphery ./client/periphery
 COPY ./bin/core ./bin/core
+COPY ./bin/cli ./bin/cli
 
 # Compile app
-RUN cargo build -p komodo_core --release
+RUN cargo build -p komodo_core --release && \
+  cargo build -p komodo_cli --release && \
+  cargo strip
 
 # Build Frontend
 FROM node:20.12-alpine AS frontend-builder
@@ -22,9 +26,9 @@ RUN cd client && yarn && yarn build && yarn link
 RUN cd frontend && yarn link komodo_client && yarn && yarn build
 
 # Final Image
-FROM debian:bullseye-slim
+FROM debian:trixie-slim
 
-COPY ./bin/core/starship.toml /config/starship.toml
+COPY ./bin/core/starship.toml /starship.toml
 COPY ./bin/core/debian-deps.sh .
 RUN sh ./debian-deps.sh && rm ./debian-deps.sh
 
@@ -32,9 +36,10 @@ RUN sh ./debian-deps.sh && rm ./debian-deps.sh
 WORKDIR /app
 
 # Copy
-COPY ./config/core.config.toml /config/config.toml
+COPY ./config/core.config.toml /config/.default.config.toml
 COPY --from=frontend-builder /builder/frontend/dist /app/frontend
 COPY --from=core-builder /builder/target/release/core /usr/local/bin/core
+COPY --from=core-builder /builder/target/release/km /usr/local/bin/km
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
 
 # Set $DENO_DIR and preload external Deno deps
@@ -43,12 +48,21 @@ RUN mkdir /action-cache && \
   cd /action-cache && \
   deno install jsr:@std/yaml jsr:@std/toml
 
+COPY ./bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
 # Hint at the port
 EXPOSE 9120
 
-# Label for Ghcr
-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
-LABEL org.opencontainers.image.description="Komodo Core"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
 
-ENTRYPOINT [ "core" ]
+CMD [ "/bin/bash", "-c", "update-ca-certificates && core" ]
+
+# Label to prevent Komodo from stopping with StopAllContainers
+LABEL komodo.skip="true"
+# Label for Ghcr
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses="GPL-3.0"

bin/core/debian-deps.sh

@@ -3,12 +3,12 @@
 ## Core deps installer
 
 apt-get update
-apt-get install -y git curl ca-certificates
+apt-get install -y git curl ca-certificates iproute2
 
 rm -rf /var/lib/apt/lists/*
 
 # Starship prompt
 curl -sS https://starship.rs/install.sh | sh -s -- --yes --bin-dir /usr/local/bin
-echo 'export STARSHIP_CONFIG=/config/starship.toml' >> /root/.bashrc
+echo 'export STARSHIP_CONFIG=/starship.toml' >> /root/.bashrc
 echo 'eval "$(starship init bash)"' >> /root/.bashrc
 

bin/core/multi-arch.Dockerfile

@@ -13,22 +13,28 @@ FROM ${AARCH64_BINARIES} AS aarch64
 FROM ${FRONTEND_IMAGE} AS frontend
 
 # Final Image
-FROM debian:bullseye-slim
+FROM debian:trixie-slim
 
-COPY ./bin/core/starship.toml /config/starship.toml
+COPY ./bin/core/starship.toml /starship.toml
 COPY ./bin/core/debian-deps.sh .
 RUN sh ./debian-deps.sh && rm ./debian-deps.sh
 
 WORKDIR /app
 
-# Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
-COPY --from=x86_64 /core /app/arch/linux/amd64
-COPY --from=aarch64 /core /app/arch/linux/arm64
 ARG TARGETPLATFORM
-RUN mv /app/arch/${TARGETPLATFORM} /usr/local/bin/core && rm -r /app/arch
+
+# Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
+COPY --from=x86_64 /core /app/core/linux/amd64
+COPY --from=aarch64 /core /app/core/linux/arm64
+RUN mv /app/core/${TARGETPLATFORM} /usr/local/bin/core && rm -r /app/core
+
+# Same for km
+COPY --from=x86_64 /km /app/km/linux/amd64
+COPY --from=aarch64 /km /app/km/linux/arm64
+RUN mv /app/km/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/km
 
 # Copy default config / static frontend / deno binary
-COPY ./config/core.config.toml /config/config.toml
+COPY ./config/core.config.toml /config/.default.config.toml
 COPY --from=frontend /frontend /app/frontend
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
 
@@ -38,12 +44,22 @@ RUN mkdir /action-cache && \
   cd /action-cache && \
   deno install jsr:@std/yaml jsr:@std/toml
 
+COPY ./bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
 # Hint at the port
 EXPOSE 9120
 
-# Label for Ghcr
-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
-LABEL org.opencontainers.image.description="Komodo Core"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
 
-CMD [ "core" ]
+ENTRYPOINT [ "entrypoint.sh" ]
+CMD [ "core" ]
+
+# Label to prevent Komodo from stopping with StopAllContainers
+LABEL komodo.skip="true"
+# Label for Ghcr
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses="GPL-3.0"

bin/core/single-arch.Dockerfile

@@ -14,16 +14,17 @@ COPY ./client/core/ts ./client
 RUN cd client && yarn && yarn build && yarn link
 RUN cd frontend && yarn link komodo_client && yarn && yarn build
 
-FROM debian:bullseye-slim
+FROM debian:trixie-slim
 
-COPY ./bin/core/starship.toml /config/starship.toml
+COPY ./bin/core/starship.toml /starship.toml
 COPY ./bin/core/debian-deps.sh .
 RUN sh ./debian-deps.sh && rm ./debian-deps.sh
 	
 # Copy
-COPY ./config/core.config.toml /config/config.toml
+COPY ./config/core.config.toml /config/.default.config.toml
 COPY --from=frontend-builder /builder/frontend/dist /app/frontend
 COPY --from=binaries /core /usr/local/bin/core
+COPY --from=binaries /km /usr/local/bin/km
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
 
 # Set $DENO_DIR and preload external Deno deps
@@ -32,12 +33,22 @@ RUN mkdir /action-cache && \
 	cd /action-cache && \
 	deno install jsr:@std/yaml jsr:@std/toml
 
+COPY ./bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
 # Hint at the port
 EXPOSE 9120
 
-# Label for Ghcr
-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
-LABEL org.opencontainers.image.description="Komodo Core"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
 
-CMD [ "core" ]
+ENTRYPOINT [ "entrypoint.sh" ]
+CMD [ "core" ]
+
+# Label to prevent Komodo from stopping with StopAllContainers
+LABEL komodo.skip="true"
+# Label for Ghcr
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses="GPL-3.0"

bin/core/src/alert/discord.rs

@@ -4,7 +4,6 @@ use serde::Serialize;
 
 use super::*;
 
-#[instrument(level = "debug")]
 pub async fn send_alert(
   url: &str,
   alert: &Alert,
@@ -17,6 +16,28 @@ pub async fn send_alert(
         "{level} | If you see this message, then Alerter **{name}** is **working**\n{link}"
       )
     }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | **{name}**{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | **{name}**{region} | Version mismatch detected ⚠️\nPeriphery: **{server_version}** | Core: **{core_version}**\n{link}"
+          )
+        }
+      }
+    }
     AlertData::ServerUnreachable {
       id,
       name,
@@ -28,7 +49,7 @@ pub async fn send_alert(
       match alert.level {
         SeverityLevel::Ok => {
           format!(
-            "{level} | **{name}**{region} is now **reachable**\n{link}"
+            "{level} | **{name}**{region} is now **connected**\n{link}"
           )
         }
         SeverityLevel::Critical => {
@@ -207,34 +228,45 @@ pub async fn send_alert(
         "{level} | **{name}** ({resource_type}) | Scheduled run started 🕝\n{link}"
       )
     }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          String::new()
+        } else {
+          format!("\n{details}")
+        }
+      )
+    }
     AlertData::None {} => Default::default(),
   };
-  if !content.is_empty() {
-    let VariablesAndSecrets { variables, secrets } =
-      get_variables_and_secrets().await?;
-    let mut url_interpolated = url.to_string();
 
-    let mut interpolator =
-      Interpolator::new(Some(&variables), &secrets);
-
-    interpolator.interpolate_string(&mut url_interpolated)?;
-
-    send_message(&url_interpolated, &content)
-      .await
-      .map_err(|e| {
-        let replacers = interpolator
-          .secret_replacers
-          .into_iter()
-          .collect::<Vec<_>>();
-        let sanitized_error =
-          svi::replace_in_string(&format!("{e:?}"), &replacers);
-        anyhow::Error::msg(format!(
-          "Error with slack request: {}",
-          sanitized_error
-        ))
-      })?;
+  if content.is_empty() {
+    return Ok(());
   }
-  Ok(())
+
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  send_message(&url_interpolated, &content)
+    .await
+    .map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with slack request: {sanitized_error}"
+      ))
+    })
 }
 
 async fn send_message(

bin/core/src/alert/mod.rs

@@ -1,7 +1,7 @@
-use ::slack::types::Block;
 use anyhow::{Context, anyhow};
+use database::mungos::{find::find_collect, mongodb::bson::doc};
 use derive_variants::ExtractVariant;
-use futures::future::join_all;
+use futures_util::future::join_all;
 use interpolate::Interpolator;
 use komodo_client::entities::{
   ResourceTargetVariant,
@@ -11,8 +11,6 @@ use komodo_client::entities::{
   komodo_timestamp,
   stack::StackState,
 };
-use mungos::{find::find_collect, mongodb::bson::doc};
-use tracing::Instrument;
 
 use crate::helpers::query::get_variables_and_secrets;
 use crate::helpers::{
@@ -25,40 +23,33 @@ mod ntfy;
 mod pushover;
 mod slack;
 
-#[instrument(level = "debug")]
 pub async fn send_alerts(alerts: &[Alert]) {
   if alerts.is_empty() {
     return;
   }
 
-  let span =
-    info_span!("send_alerts", alerts = format!("{alerts:?}"));
-  async {
-    let Ok(alerters) = find_collect(
-      &db_client().alerters,
-      doc! { "config.enabled": true },
-      None,
-    )
-    .await
-    .inspect_err(|e| {
-      error!(
+  let Ok(alerters) = find_collect(
+    &db_client().alerters,
+    doc! { "config.enabled": true },
+    None,
+  )
+  .await
+  .inspect_err(|e| {
+    error!(
       "ERROR sending alerts | failed to get alerters from db | {e:#}"
     )
-    }) else {
-      return;
-    };
+  }) else {
+    return;
+  };
 
-    let handles =
-      alerts.iter().map(|alert| send_alert(&alerters, alert));
+  let handles = alerts
+    .iter()
+    .map(|alert| send_alert_to_alerters(&alerters, alert));
 
-    join_all(handles).await;
-  }
-  .instrument(span)
-  .await
+  join_all(handles).await;
 }
 
-#[instrument(level = "debug")]
-async fn send_alert(alerters: &[Alerter], alert: &Alert) {
+async fn send_alert_to_alerters(alerters: &[Alerter], alert: &Alert) {
   if alerters.is_empty() {
     return;
   }
@@ -161,7 +152,6 @@ pub async fn send_alert_to_alerter(
   }
 }
 
-#[instrument(level = "debug")]
 async fn send_custom_alert(
   url: &str,
   alert: &Alert,
@@ -188,8 +178,7 @@ async fn send_custom_alert(
       let sanitized_error =
         svi::replace_in_string(&format!("{e:?}"), &replacers);
       anyhow::Error::msg(format!(
-        "Error with request: {}",
-        sanitized_error
+        "Error with request: {sanitized_error}"
       ))
     })
     .context("failed at post request to alerter")?;
@@ -245,35 +234,244 @@ fn resource_link(
   resource_type: ResourceTargetVariant,
   id: &str,
 ) -> String {
-  let path = match resource_type {
-    ResourceTargetVariant::System => unreachable!(),
-    ResourceTargetVariant::Build => format!("/builds/{id}"),
-    ResourceTargetVariant::Builder => {
-      format!("/builders/{id}")
-    }
-    ResourceTargetVariant::Deployment => {
-      format!("/deployments/{id}")
-    }
-    ResourceTargetVariant::Stack => {
-      format!("/stacks/{id}")
-    }
-    ResourceTargetVariant::Server => {
-      format!("/servers/{id}")
-    }
-    ResourceTargetVariant::Repo => format!("/repos/{id}"),
-    ResourceTargetVariant::Alerter => {
-      format!("/alerters/{id}")
-    }
-    ResourceTargetVariant::Procedure => {
-      format!("/procedures/{id}")
-    }
-    ResourceTargetVariant::Action => {
-      format!("/actions/{id}")
-    }
-    ResourceTargetVariant::ResourceSync => {
-      format!("/resource-syncs/{id}")
-    }
-  };
-
-  format!("{}{path}", core_config().host)
+  komodo_client::entities::resource_link(
+    &core_config().host,
+    resource_type,
+    id,
+  )
+}
+
+/// Standard message content format
+/// used by Ntfy, Pushover.
+fn standard_alert_content(alert: &Alert) -> String {
+  let level = fmt_level(alert.level);
+  match &alert.data {
+    AlertData::Test { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Alerter, id);
+      format!(
+        "{level} | If you see this message, then Alerter {name} is working\n{link}",
+      )
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | {name}{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | {name}{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}\n{link}"
+          )
+        }
+      }
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | {name}{region} is now connected\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e:#?}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | {name}{region} is unreachable ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      format!(
+        "{level} | {name}{region} cpu usage at {percentage:.1}%\n{link}",
+      )
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} disk usage at {percentage:.1}%💿\nmount point: {path:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ContainerStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let to_state = fmt_docker_container_state(to);
+      format!(
+        "📦Deployment {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment {name} has an update available\nserver: {server_name}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment {name} was updated automatically\nserver: {server_name}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let to_state = fmt_stack_state(to);
+      format!(
+        "🥞 Stack {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      format!(
+        "⬆ Stack {name} has an update available\nserver: {server_name}\nservice: {service}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images_str = images.join(", ");
+      format!(
+        "⬆ Stack {name} was updated automatically ⏫\nserver: {server_name}\n{images_label}: {images_str}\n{link}",
+      )
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      format!(
+        "{level} | Failed to terminate AWS builder instance\ninstance id: {instance_id}\n{message}",
+      )
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let link =
+        resource_link(ResourceTargetVariant::ResourceSync, id);
+      format!(
+        "{level} | Pending resource sync updates on {name}\n{link}",
+      )
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let link = resource_link(ResourceTargetVariant::Build, id);
+      format!(
+        "{level} | Build {name} failed\nversion: v{version}\n{link}",
+      )
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Repo, id);
+      format!("{level} | Repo build for {name} failed\n{link}",)
+    }
+    AlertData::ProcedureFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Procedure, id);
+      format!("{level} | Procedure {name} failed\n{link}")
+    }
+    AlertData::ActionFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Action, id);
+      format!("{level} | Action {name} failed\n{link}")
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let link = resource_link(*resource_type, id);
+      format!(
+        "{level} | {name} ({resource_type}) | Scheduled run started 🕝\n{link}"
+      )
+    }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          String::new()
+        } else {
+          format!("\n{details}")
+        }
+      )
+    }
+    AlertData::None {} => Default::default(),
+  }
 }

bin/core/src/alert/ntfy.rs

@@ -2,232 +2,38 @@ use std::sync::OnceLock;
 
 use super::*;
 
-#[instrument(level = "debug")]
 pub async fn send_alert(
   url: &str,
   email: Option<&str>,
   alert: &Alert,
 ) -> anyhow::Result<()> {
-  let level = fmt_level(alert.level);
-  let content = match &alert.data {
-    AlertData::Test { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Alerter, id);
-      format!(
-        "{level} | If you see this message, then Alerter {} is working\n{link}",
-        name,
-      )
-    }
-    AlertData::ServerUnreachable {
-      id,
-      name,
-      region,
-      err,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      match alert.level {
-        SeverityLevel::Ok => {
-          format!(
-            "{level} | {}{} is now reachable\n{link}",
-            name, region
-          )
-        }
-        SeverityLevel::Critical => {
-          let err = err
-            .as_ref()
-            .map(|e| format!("\nerror: {:#?}", e))
-            .unwrap_or_default();
-          format!(
-            "{level} | {}{} is unreachable ❌\n{link}{err}",
-            name, region
-          )
-        }
-        _ => unreachable!(),
-      }
-    }
-    AlertData::ServerCpu {
-      id,
-      name,
-      region,
-      percentage,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      format!(
-        "{level} | {}{} cpu usage at {percentage:.1}%\n{link}",
-        name, region,
-      )
-    }
-    AlertData::ServerMem {
-      id,
-      name,
-      region,
-      used_gb,
-      total_gb,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      let percentage = 100.0 * used_gb / total_gb;
-      format!(
-        "{level} | {}{} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
-        name, region,
-      )
-    }
-    AlertData::ServerDisk {
-      id,
-      name,
-      region,
-      path,
-      used_gb,
-      total_gb,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      let percentage = 100.0 * used_gb / total_gb;
-      format!(
-        "{level} | {}{} disk usage at {percentage:.1}%💿\nmount point: {:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
-        name, region, path,
-      )
-    }
-    AlertData::ContainerStateChange {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      from,
-      to,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      let to_state = fmt_docker_container_state(to);
-      format!(
-        "📦Deployment {} is now {}\nserver: {}\nprevious: {}\n{link}",
-        name, to_state, server_name, from,
-      )
-    }
-    AlertData::DeploymentImageUpdateAvailable {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      format!(
-        "⬆ Deployment {} has an update available\nserver: {}\nimage: {}\n{link}",
-        name, server_name, image,
-      )
-    }
-    AlertData::DeploymentAutoUpdated {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      format!(
-        "⬆ Deployment {} was updated automatically\nserver: {}\nimage: {}\n{link}",
-        name, server_name, image,
-      )
-    }
-    AlertData::StackStateChange {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      from,
-      to,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      let to_state = fmt_stack_state(to);
-      format!(
-        "🥞 Stack {} is now {}\nserver: {}\nprevious: {}\n{link}",
-        name, to_state, server_name, from,
-      )
-    }
-    AlertData::StackImageUpdateAvailable {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      service,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      format!(
-        "⬆ Stack {} has an update available\nserver: {}\nservice: {}\nimage: {}\n{link}",
-        name, server_name, service, image,
-      )
-    }
-    AlertData::StackAutoUpdated {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      images,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      let images_label =
-        if images.len() > 1 { "images" } else { "image" };
-      let images_str = images.join(", ");
-      format!(
-        "⬆ Stack {} was updated automatically ⏫\nserver: {}\n{}: {}\n{link}",
-        name, server_name, images_label, images_str,
-      )
-    }
-    AlertData::AwsBuilderTerminationFailed {
-      instance_id,
-      message,
-    } => {
-      format!(
-        "{level} | Failed to terminate AWS builder instance\ninstance id: {}\n{}",
-        instance_id, message,
-      )
-    }
-    AlertData::ResourceSyncPendingUpdates { id, name } => {
-      let link =
-        resource_link(ResourceTargetVariant::ResourceSync, id);
-      format!(
-        "{level} | Pending resource sync updates on {}\n{link}",
-        name,
-      )
-    }
-    AlertData::BuildFailed { id, name, version } => {
-      let link = resource_link(ResourceTargetVariant::Build, id);
-      format!(
-        "{level} | Build {} failed\nversion: v{}\n{link}",
-        name, version,
-      )
-    }
-    AlertData::RepoBuildFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Repo, id);
-      format!("{level} | Repo build for {} failed\n{link}", name,)
-    }
-    AlertData::ProcedureFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Procedure, id);
-      format!("{level} | Procedure {name} failed\n{link}")
-    }
-    AlertData::ActionFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Action, id);
-      format!("{level} | Action {name} failed\n{link}")
-    }
-    AlertData::ScheduleRun {
-      resource_type,
-      id,
-      name,
-    } => {
-      let link = resource_link(*resource_type, id);
-      format!(
-        "{level} | {name} ({resource_type}) | Scheduled run started 🕝\n{link}"
-      )
-    }
-    AlertData::None {} => Default::default(),
-  };
-
-  if !content.is_empty() {
-    send_message(url, email, content).await?;
+  let content = standard_alert_content(alert);
+  if content.is_empty() {
+    return Ok(());
   }
-  Ok(())
+
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  send_message(&url_interpolated, email, content)
+    .await
+    .map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with slack request: {sanitized_error}"
+      ))
+    })
 }
 
 async fn send_message(
@@ -237,7 +43,7 @@ async fn send_message(
 ) -> anyhow::Result<()> {
   let mut request = http_client()
     .post(url)
-    .header("Title", "ntfy Alert")
+    .header("Title", "Komodo Alert")
     .body(content);
 
   if let Some(email) = email {
@@ -254,14 +60,11 @@ async fn send_message(
   } else {
     let text = response.text().await.with_context(|| {
       format!(
-        "Failed to send message to ntfy | {} | failed to get response text",
-        status
+        "Failed to send message to ntfy | {status} | failed to get response text"
       )
     })?;
     Err(anyhow!(
-      "Failed to send message to ntfy | {} | {}",
-      status,
-      text
+      "Failed to send message to ntfy | {status} | {text}",
     ))
   }
 }

bin/core/src/alert/pushover.rs

@@ -2,230 +2,35 @@ use std::sync::OnceLock;
 
 use super::*;
 
-#[instrument(level = "debug")]
 pub async fn send_alert(
   url: &str,
   alert: &Alert,
 ) -> anyhow::Result<()> {
-  let level = fmt_level(alert.level);
-  let content = match &alert.data {
-    AlertData::Test { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Alerter, id);
-      format!(
-        "{level} | If you see this message, then Alerter {} is working\n{link}",
-        name,
-      )
-    }
-    AlertData::ServerUnreachable {
-      id,
-      name,
-      region,
-      err,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      match alert.level {
-        SeverityLevel::Ok => {
-          format!(
-            "{level} | {}{} is now reachable\n{link}",
-            name, region
-          )
-        }
-        SeverityLevel::Critical => {
-          let err = err
-            .as_ref()
-            .map(|e| format!("\nerror: {:#?}", e))
-            .unwrap_or_default();
-          format!(
-            "{level} | {}{} is unreachable ❌\n{link}{err}",
-            name, region
-          )
-        }
-        _ => unreachable!(),
-      }
-    }
-    AlertData::ServerCpu {
-      id,
-      name,
-      region,
-      percentage,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      format!(
-        "{level} | {}{} cpu usage at {percentage:.1}%\n{link}",
-        name, region,
-      )
-    }
-    AlertData::ServerMem {
-      id,
-      name,
-      region,
-      used_gb,
-      total_gb,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      let percentage = 100.0 * used_gb / total_gb;
-      format!(
-        "{level} | {}{} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
-        name, region,
-      )
-    }
-    AlertData::ServerDisk {
-      id,
-      name,
-      region,
-      path,
-      used_gb,
-      total_gb,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      let percentage = 100.0 * used_gb / total_gb;
-      format!(
-        "{level} | {}{} disk usage at {percentage:.1}%💿\nmount point: {:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
-        name, region, path,
-      )
-    }
-    AlertData::ContainerStateChange {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      from,
-      to,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      let to_state = fmt_docker_container_state(to);
-      format!(
-        "📦Deployment {} is now {}\nserver: {}\nprevious: {}\n{link}",
-        name, to_state, server_name, from,
-      )
-    }
-    AlertData::DeploymentImageUpdateAvailable {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      format!(
-        "⬆ Deployment {} has an update available\nserver: {}\nimage: {}\n{link}",
-        name, server_name, image,
-      )
-    }
-    AlertData::DeploymentAutoUpdated {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      format!(
-        "⬆ Deployment {} was updated automatically\nserver: {}\nimage: {}\n{link}",
-        name, server_name, image,
-      )
-    }
-    AlertData::StackStateChange {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      from,
-      to,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      let to_state = fmt_stack_state(to);
-      format!(
-        "🥞 Stack {} is now {}\nserver: {}\nprevious: {}\n{link}",
-        name, to_state, server_name, from,
-      )
-    }
-    AlertData::StackImageUpdateAvailable {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      service,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      format!(
-        "⬆ Stack {} has an update available\nserver: {}\nservice: {}\nimage: {}\n{link}",
-        name, server_name, service, image,
-      )
-    }
-    AlertData::StackAutoUpdated {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      images,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      let images_label =
-        if images.len() > 1 { "images" } else { "image" };
-      let images_str = images.join(", ");
-      format!(
-        "⬆ Stack {} was updated automatically ⏫\nserver: {}\n{}: {}\n{link}",
-        name, server_name, images_label, images_str,
-      )
-    }
-    AlertData::AwsBuilderTerminationFailed {
-      instance_id,
-      message,
-    } => {
-      format!(
-        "{level} | Failed to terminate AWS builder instance\ninstance id: {}\n{}",
-        instance_id, message,
-      )
-    }
-    AlertData::ResourceSyncPendingUpdates { id, name } => {
-      let link =
-        resource_link(ResourceTargetVariant::ResourceSync, id);
-      format!(
-        "{level} | Pending resource sync updates on {}\n{link}",
-        name,
-      )
-    }
-    AlertData::BuildFailed { id, name, version } => {
-      let link = resource_link(ResourceTargetVariant::Build, id);
-      format!(
-        "{level} | Build {name} failed\nversion: v{version}\n{link}",
-      )
-    }
-    AlertData::RepoBuildFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Repo, id);
-      format!("{level} | Repo build for {} failed\n{link}", name,)
-    }
-    AlertData::ProcedureFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Procedure, id);
-      format!("{level} | Procedure {name} failed\n{link}")
-    }
-    AlertData::ActionFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Action, id);
-      format!("{level} | Action {name} failed\n{link}")
-    }
-    AlertData::ScheduleRun {
-      resource_type,
-      id,
-      name,
-    } => {
-      let link = resource_link(*resource_type, id);
-      format!(
-        "{level} | {name} ({resource_type}) | Scheduled run started 🕝\n{link}"
-      )
-    }
-    AlertData::None {} => Default::default(),
-  };
-
-  if !content.is_empty() {
-    send_message(url, content).await?;
+  let content = standard_alert_content(alert);
+  if content.is_empty() {
+    return Ok(());
   }
-  Ok(())
+
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  send_message(&url_interpolated, content).await.map_err(|e| {
+    let replacers = interpolator
+      .secret_replacers
+      .into_iter()
+      .collect::<Vec<_>>();
+    let sanitized_error =
+      svi::replace_in_string(&format!("{e:?}"), &replacers);
+    anyhow::Error::msg(format!(
+      "Error with slack request: {sanitized_error}"
+    ))
+  })
 }
 
 async fn send_message(
@@ -252,8 +57,7 @@ async fn send_message(
   } else {
     let text = response.text().await.with_context(|| {
       format!(
-        "Failed to send message to pushover | {} | failed to get response text",
-        status
+        "Failed to send message to pushover | {status} | failed to get response text"
       )
     })?;
     Err(anyhow!(

bin/core/src/alert/slack.rs

@@ -1,6 +1,7 @@
+use ::slack::types::OwnedBlock as Block;
+
 use super::*;
 
-#[instrument(level = "debug")]
 pub async fn send_alert(
   url: &str,
   alert: &Alert,
@@ -23,6 +24,35 @@ pub async fn send_alert(
       ];
       (text, blocks.into())
     }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let text = match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | *{name}*{region} | Periphery version now matches Core version ✅"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | *{name}*{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}"
+          )
+        }
+      };
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Server,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
     AlertData::ServerUnreachable {
       id,
       name,
@@ -33,11 +63,11 @@ pub async fn send_alert(
       match alert.level {
         SeverityLevel::Ok => {
           let text =
-            format!("{level} | *{name}*{region} is now *reachable*");
+            format!("{level} | *{name}*{region} is now *connected*");
           let blocks = vec![
             Block::header(level),
             Block::section(format!(
-              "*{name}*{region} is now *reachable*"
+              "*{name}*{region} is now *connnected*"
             )),
           ];
           (text, blocks.into())
@@ -429,20 +459,31 @@ pub async fn send_alert(
       ];
       (text, blocks.into())
     }
+    AlertData::Custom { message, details } => {
+      let text = format!("{level} | {message}");
+      let blocks =
+        vec![Block::header(text.clone()), Block::section(details)];
+      (text, blocks.into())
+    }
     AlertData::None {} => Default::default(),
   };
-  if !text.is_empty() {
-    let VariablesAndSecrets { variables, secrets } =
-      get_variables_and_secrets().await?;
-    let mut url_interpolated = url.to_string();
+  if text.is_empty() {
+    return Ok(());
+  }
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
 
-    let mut interpolator =
-      Interpolator::new(Some(&variables), &secrets);
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
 
-    interpolator.interpolate_string(&mut url_interpolated)?;
+  interpolator.interpolate_string(&mut url_interpolated)?;
 
-    let slack = ::slack::Client::new(url_interpolated);
-    slack.send_message(text, blocks).await.map_err(|e| {
+  let slack = ::slack::Client::new(url_interpolated);
+  slack
+    .send_owned_message_single(&text, None, blocks.as_deref())
+    .await
+    .map_err(|e| {
       let replacers = interpolator
         .secret_replacers
         .into_iter()
@@ -450,10 +491,8 @@ pub async fn send_alert(
       let sanitized_error =
         svi::replace_in_string(&format!("{e:?}"), &replacers);
       anyhow::Error::msg(format!(
-        "Error with slack request: {}",
-        sanitized_error
+        "Error with slack request: {sanitized_error}"
       ))
     })?;
-  }
   Ok(())
 }

bin/core/src/api/auth.rs

@@ -1,13 +1,24 @@
-use std::{sync::OnceLock, time::Instant};
+use std::{
+  net::{IpAddr, SocketAddr},
+  sync::OnceLock,
+  time::Instant,
+};
 
-use axum::{Router, extract::Path, http::HeaderMap, routing::post};
+use axum::{
+  Router,
+  extract::{ConnectInfo, Path},
+  http::HeaderMap,
+  routing::post,
+};
 use derive_variants::{EnumVariants, ExtractVariant};
 use komodo_client::{api::auth::*, entities::user::User};
+use rate_limit::WithFailureRateLimit;
+use reqwest::StatusCode;
 use resolver_api::Resolve;
 use response::Response;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use serror::Json;
+use serror::{AddStatusCode, Json};
 use typeshare::typeshare;
 use uuid::Uuid;
 
@@ -20,13 +31,16 @@ use crate::{
   },
   config::core_config,
   helpers::query::get_user,
-  state::jwt_client,
+  state::{auth_rate_limiter, jwt_client},
 };
 
 use super::Variant;
 
 pub struct AuthArgs {
   pub headers: HeaderMap,
+  /// Prefer extracting IP from headers.
+  /// This IP will be the IP of reverse proxy itself.
+  pub ip: IpAddr,
 }
 
 #[typeshare]
@@ -41,7 +55,7 @@ pub struct AuthArgs {
 #[allow(clippy::enum_variant_names, clippy::large_enum_variant)]
 pub enum AuthRequest {
   GetLoginOptions(GetLoginOptions),
-  CreateLocalUser(CreateLocalUser),
+  SignUpLocalUser(SignUpLocalUser),
   LoginLocalUser(LoginLocalUser),
   ExchangeForJwt(ExchangeForJwt),
   GetUser(GetUser),
@@ -62,7 +76,7 @@ pub fn router() -> Router {
   }
 
   if google_oauth_client().is_some() {
-    info!("🔑 Github Login Enabled");
+    info!("🔑 Google Login Enabled");
     router = router.nest("/google", google::router())
   }
 
@@ -76,6 +90,7 @@ pub fn router() -> Router {
 
 async fn variant_handler(
   headers: HeaderMap,
+  info: ConnectInfo<SocketAddr>,
   Path(Variant { variant }): Path<Variant>,
   Json(params): Json<serde_json::Value>,
 ) -> serror::Result<axum::response::Response> {
@@ -83,12 +98,12 @@ async fn variant_handler(
     "type": variant,
     "params": params,
   }))?;
-  handler(headers, Json(req)).await
+  handler(headers, info, Json(req)).await
 }
 
-#[instrument(name = "AuthHandler", level = "debug", skip(headers))]
 async fn handler(
   headers: HeaderMap,
+  ConnectInfo(info): ConnectInfo<SocketAddr>,
   Json(request): Json<AuthRequest>,
 ) -> serror::Result<axum::response::Response> {
   let timer = Instant::now();
@@ -97,7 +112,12 @@ async fn handler(
     "/auth request {req_id} | METHOD: {:?}",
     request.extract_variant()
   );
-  let res = request.resolve(&AuthArgs { headers }).await;
+  let res = request
+    .resolve(&AuthArgs {
+      headers,
+      ip: info.ip(),
+    })
+    .await;
   if let Err(e) = &res {
     debug!("/auth request {req_id} | error: {:#}", e.error);
   }
@@ -123,7 +143,6 @@ fn login_options_reponse() -> &'static GetLoginOptionsResponse {
 }
 
 impl Resolve<AuthArgs> for GetLoginOptions {
-  #[instrument(name = "GetLoginOptions", level = "debug", skip(self))]
   async fn resolve(
     self,
     _: &AuthArgs,
@@ -133,23 +152,39 @@ impl Resolve<AuthArgs> for GetLoginOptions {
 }
 
 impl Resolve<AuthArgs> for ExchangeForJwt {
-  #[instrument(name = "ExchangeForJwt", level = "debug", skip(self))]
   async fn resolve(
     self,
-    _: &AuthArgs,
+    AuthArgs { headers, ip }: &AuthArgs,
   ) -> serror::Result<ExchangeForJwtResponse> {
-    let jwt = jwt_client().redeem_exchange_token(&self.token).await?;
-    Ok(ExchangeForJwtResponse { jwt })
+    jwt_client()
+      .redeem_exchange_token(&self.token)
+      .with_failure_rate_limit_using_headers(
+        auth_rate_limiter(),
+        headers,
+        Some(*ip),
+      )
+      .await
   }
 }
 
 impl Resolve<AuthArgs> for GetUser {
-  #[instrument(name = "GetUser", level = "debug", skip(self))]
   async fn resolve(
     self,
-    AuthArgs { headers }: &AuthArgs,
+    AuthArgs { headers, ip }: &AuthArgs,
   ) -> serror::Result<User> {
-    let user_id = get_user_id_from_headers(headers).await?;
-    Ok(get_user(&user_id).await?)
+    async {
+      let user_id = get_user_id_from_headers(headers)
+        .await
+        .status_code(StatusCode::UNAUTHORIZED)?;
+      get_user(&user_id)
+        .await
+        .status_code(StatusCode::UNAUTHORIZED)
+    }
+    .with_failure_rate_limit_using_headers(
+      auth_rate_limiter(),
+      headers,
+      Some(*ip),
+    )
+    .await
   }
 }

bin/core/src/api/execute/action.rs

@@ -1,12 +1,15 @@
 use std::{
   collections::HashSet,
   path::{Path, PathBuf},
-  str::FromStr,
   sync::OnceLock,
 };
 
 use anyhow::Context;
-use command::run_komodo_command;
+use command::run_komodo_standard_command;
+use config::merge_objects;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
 use interpolate::Interpolator;
 use komodo_client::{
   api::{
@@ -14,16 +17,18 @@ use komodo_client::{
     user::{CreateApiKey, CreateApiKeyResponse, DeleteApiKey},
   },
   entities::{
+    FileFormat, JsonObject,
     action::Action,
     alert::{Alert, AlertData, SeverityLevel},
     config::core::CoreConfig,
     komodo_timestamp,
     permission::PermissionLevel,
+    random_string,
     update::Update,
     user::action_user,
   },
+  parsers::parse_key_value_list,
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
 use resolver_api::Resolve;
 use tokio::fs;
 
@@ -33,7 +38,6 @@ use crate::{
   config::core_config,
   helpers::{
     query::{VariablesAndSecrets, get_variables_and_secrets},
-    random_string,
     update::update_update,
   },
   permission::get_check_permissions,
@@ -46,15 +50,26 @@ use super::ExecuteArgs;
 impl super::BatchExecute for BatchRunAction {
   type Resource = Action;
   fn single_request(action: String) -> ExecuteRequest {
-    ExecuteRequest::RunAction(RunAction { action })
+    ExecuteRequest::RunAction(RunAction {
+      action,
+      args: Default::default(),
+    })
   }
 }
 
 impl Resolve<ExecuteArgs> for BatchRunAction {
-  #[instrument(name = "BatchRunAction", skip(self, user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchRunAction",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchRunAction>(&self.pattern, user)
@@ -64,10 +79,19 @@ impl Resolve<ExecuteArgs> for BatchRunAction {
 }
 
 impl Resolve<ExecuteArgs> for RunAction {
-  #[instrument(name = "RunAction", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RunAction",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      action = self.action,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let mut action = get_check_permissions::<Action>(
       &self.action,
@@ -84,13 +108,33 @@ impl Resolve<ExecuteArgs> for RunAction {
 
     // This will set action state back to default when dropped.
     // Will also check to ensure action not already busy before updating.
-    let _action_guard =
-      action_state.update(|state| state.running = true)?;
+    let _action_guard = action_state.update_custom(
+      |state| state.running += 1,
+      |state| state.running -= 1,
+      false,
+    )?;
 
     let mut update = update.clone();
 
     update_update(update.clone()).await?;
 
+    let default_args = parse_action_arguments(
+      &action.config.arguments,
+      action.config.arguments_format,
+    )
+    .context("Failed to parse default Action arguments")?;
+
+    let args = merge_objects(
+      default_args,
+      self.args.unwrap_or_default(),
+      true,
+      true,
+    )
+    .context("Failed to merge request args with default args")?;
+
+    let args = serde_json::to_string(&args)
+      .context("Failed to serialize action run arguments")?;
+
     let CreateApiKeyResponse { key, secret } = CreateApiKey {
       name: update.id.clone(),
       expires: 0,
@@ -103,7 +147,7 @@ impl Resolve<ExecuteArgs> for RunAction {
     let contents = &mut action.config.file_contents;
 
     // Wrap the file contents in the execution context.
-    *contents = full_contents(contents, &key, &secret);
+    *contents = full_contents(contents, &args, &key, &secret);
 
     let replacers =
       interpolate(contents, &mut update, key.clone(), secret.clone())
@@ -114,15 +158,11 @@ impl Resolve<ExecuteArgs> for RunAction {
     let file = format!("{}.ts", random_string(10));
     let path = core_config().action_directory.join(&file);
 
-    if let Some(parent) = path.parent() {
-      fs::create_dir_all(parent)
-        .await
-        .with_context(|| format!("Failed to initialize Action file parent directory {parent:?}"))?;
-    }
-
-    fs::write(&path, contents).await.with_context(|| {
-      format!("Failed to write action file to {path:?}")
-    })?;
+    secret_file::write_async(&path, contents)
+      .await
+      .with_context(|| {
+        format!("Failed to write action file to {path:?}")
+      })?;
 
     let CoreConfig { ssl_enabled, .. } = core_config();
 
@@ -138,7 +178,7 @@ impl Resolve<ExecuteArgs> for RunAction {
       ""
     };
 
-    let mut res = run_komodo_command(
+    let mut res = run_komodo_standard_command(
       // Keep this stage name as is, the UI will find the latest update log by matching the stage name
       "Execute Action",
       None,
@@ -179,7 +219,7 @@ impl Resolve<ExecuteArgs> for RunAction {
       let _ = update_one_by_id(
         &db_client().updates,
         &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
         None,
       )
       .await;
@@ -189,7 +229,6 @@ impl Resolve<ExecuteArgs> for RunAction {
     update_update(update.clone()).await?;
 
     if !update.success && action.config.failure_alert {
-      warn!("action unsuccessful, alerting...");
       let target = update.target.clone();
       tokio::spawn(async move {
         let alert = Alert {
@@ -212,6 +251,7 @@ impl Resolve<ExecuteArgs> for RunAction {
   }
 }
 
+#[instrument("Interpolate", skip(contents, update, secret))]
 async fn interpolate(
   contents: &mut String,
   update: &mut Update,
@@ -236,7 +276,13 @@ async fn interpolate(
   Ok(interpolator.secret_replacers)
 }
 
-fn full_contents(contents: &str, key: &str, secret: &str) -> String {
+fn full_contents(
+  contents: &str,
+  // Pre-serialized to JSON string.
+  args: &str,
+  key: &str,
+  secret: &str,
+) -> String {
   let CoreConfig {
     port, ssl_enabled, ..
   } = core_config();
@@ -261,6 +307,8 @@ const TOML = {{
   parseCargoToml: __TOML__.parse,
 }}
 
+const ARGS = {args};
+
 const komodo = KomodoClient('{base_url}', {{
   type: 'api-key',
   params: {{ key: '{key}', secret: '{secret}' }}
@@ -289,6 +337,7 @@ main()
 /// Cleans up file at given path.
 /// ALSO if $DENO_DIR is set,
 /// will clean up the generated file matching "file"
+#[instrument("CleanupRun")]
 async fn cleanup_run(file: String, path: &Path) {
   if let Err(e) = fs::remove_file(path).await {
     warn!(
@@ -308,7 +357,7 @@ fn deno_dir() -> Option<&'static Path> {
   DENO_DIR
     .get_or_init(|| {
       let deno_dir = std::env::var("DENO_DIR").ok()?;
-      PathBuf::from_str(&deno_dir).ok()
+      Some(PathBuf::from(&deno_dir))
     })
     .as_deref()
 }
@@ -366,3 +415,25 @@ fn delete_file(
     }
   })
 }
+
+fn parse_action_arguments(
+  args: &str,
+  format: FileFormat,
+) -> anyhow::Result<JsonObject> {
+  match format {
+    FileFormat::KeyValue => {
+      let args = parse_key_value_list(args)
+        .context("Failed to parse args as key value list")?
+        .into_iter()
+        .map(|(k, v)| (k, serde_json::Value::String(v)))
+        .collect();
+      Ok(args)
+    }
+    FileFormat::Toml => toml::from_str(args)
+      .context("Failed to parse Toml to Action args"),
+    FileFormat::Yaml => serde_yaml_ng::from_str(args)
+      .context("Failed to parse Yaml to action args"),
+    FileFormat::Json => serde_json::from_str(args)
+      .context("Failed to parse Json to action args"),
+  }
+}

bin/core/src/api/execute/alerter.rs

@@ -1,27 +1,42 @@
+use anyhow::{Context, anyhow};
 use formatting::format_serror;
+use futures_util::{
+  StreamExt, TryStreamExt, stream::FuturesUnordered,
+};
 use komodo_client::{
-  api::execute::TestAlerter,
+  api::execute::{SendAlert, TestAlerter},
   entities::{
-    alert::{Alert, AlertData, SeverityLevel},
+    alert::{Alert, AlertData, AlertDataVariant, SeverityLevel},
     alerter::Alerter,
     komodo_timestamp,
     permission::PermissionLevel,
   },
 };
+use reqwest::StatusCode;
 use resolver_api::Resolve;
+use serror::AddStatusCodeError;
 
 use crate::{
   alert::send_alert_to_alerter, helpers::update::update_update,
-  permission::get_check_permissions,
+  permission::get_check_permissions, resource::list_full_for_user,
 };
 
 use super::ExecuteArgs;
 
 impl Resolve<ExecuteArgs> for TestAlerter {
-  #[instrument(name = "TestAlerter", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "TestAlerter",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      alerter = self.alerter,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> Result<Self::Response, Self::Error> {
     let alerter = get_check_permissions::<Alerter>(
       &self.alerter,
@@ -71,3 +86,106 @@ impl Resolve<ExecuteArgs> for TestAlerter {
     Ok(update)
   }
 }
+
+//
+
+impl Resolve<ExecuteArgs> for SendAlert {
+  #[instrument(
+    "SendAlert",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      request = format!("{self:?}"),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let alerters = list_full_for_user::<Alerter>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await?
+    .into_iter()
+    .filter(|a| {
+      a.config.enabled
+        && (self.alerters.is_empty()
+          || self.alerters.contains(&a.name)
+          || self.alerters.contains(&a.id))
+        && (a.config.alert_types.is_empty()
+          || a.config.alert_types.contains(&AlertDataVariant::Custom))
+    })
+    .collect::<Vec<_>>();
+
+    let alerters = if user.admin {
+      alerters
+    } else {
+      // Only keep alerters with execute permissions
+      alerters
+        .into_iter()
+        .map(|alerter| async move {
+          get_check_permissions::<Alerter>(
+            &alerter.id,
+            user,
+            PermissionLevel::Execute.into(),
+          )
+          .await
+        })
+        .collect::<FuturesUnordered<_>>()
+        .collect::<Vec<_>>()
+        .await
+        .into_iter()
+        .flatten()
+        .collect()
+    };
+
+    if alerters.is_empty() {
+      return Err(anyhow!(
+        "Could not find any valid alerters to send to, this required Execute permissions on the Alerter"
+      ).status_code(StatusCode::BAD_REQUEST));
+    }
+
+    let mut update = update.clone();
+
+    let ts = komodo_timestamp();
+
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      level: self.level,
+      target: update.target.clone(),
+      data: AlertData::Custom {
+        message: self.message,
+        details: self.details,
+      },
+      resolved_ts: Some(ts),
+    };
+
+    update.push_simple_log(
+      "Send alert",
+      serde_json::to_string_pretty(&alert)
+        .context("Failed to serialize alert to JSON")?,
+    );
+
+    if let Err(e) = alerters
+      .iter()
+      .map(|alerter| send_alert_to_alerter(alerter, &alert))
+      .collect::<FuturesUnordered<_>>()
+      .try_collect::<Vec<_>>()
+      .await
+    {
+      update.push_error_log("Send Error", format_serror(&e.into()));
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/build.rs

@@ -1,28 +1,11 @@
-use std::{future::IntoFuture, time::Duration};
+use std::{
+  collections::{HashMap, HashSet},
+  future::IntoFuture,
+  time::Duration,
+};
 
 use anyhow::{Context, anyhow};
-use formatting::format_serror;
-use futures::future::join_all;
-use interpolate::Interpolator;
-use komodo_client::{
-  api::execute::{
-    BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
-    RunBuild,
-  },
-  entities::{
-    alert::{Alert, AlertData, SeverityLevel},
-    all_logs_success,
-    build::{Build, BuildConfig, ImageRegistryConfig},
-    builder::{Builder, BuilderConfig},
-    deployment::DeploymentState,
-    komodo_timestamp,
-    permission::PermissionLevel,
-    repo::Repo,
-    update::{Log, Update},
-    user::auto_redeploy_user,
-  },
-};
-use mungos::{
+use database::mungos::{
   by_id::update_one_by_id,
   find::find_collect,
   mongodb::{
@@ -30,15 +13,41 @@ use mungos::{
     options::FindOneOptions,
   },
 };
+use formatting::format_serror;
+use futures_util::future::join_all;
+use interpolate::Interpolator;
+use komodo_client::{
+  api::{
+    execute::{
+      BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
+      RunBuild,
+    },
+    write::RefreshBuildCache,
+  },
+  entities::{
+    alert::{Alert, AlertData, SeverityLevel},
+    all_logs_success,
+    build::{Build, BuildConfig},
+    builder::{Builder, BuilderConfig},
+    deployment::DeploymentState,
+    komodo_timestamp, optional_string,
+    permission::PermissionLevel,
+    repo::Repo,
+    update::{Log, Update},
+    user::auto_redeploy_user,
+  },
+};
 use periphery_client::api;
 use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
+use uuid::Uuid;
 
 use crate::{
   alert::send_alerts,
+  api::write::WriteArgs,
   helpers::{
     build_git_token,
-    builder::{cleanup_builder_instance, get_builder_periphery},
+    builder::{cleanup_builder_instance, connect_builder_periphery},
     channel::build_cancel_channel,
     query::{
       VariablesAndSecrets, get_deployment_state,
@@ -62,10 +71,18 @@ impl super::BatchExecute for BatchRunBuild {
 }
 
 impl Resolve<ExecuteArgs> for BatchRunBuild {
-  #[instrument(name = "BatchRunBuild", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchRunBuild",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchRunBuild>(&self.pattern, user)
@@ -75,10 +92,19 @@ impl Resolve<ExecuteArgs> for BatchRunBuild {
 }
 
 impl Resolve<ExecuteArgs> for RunBuild {
-  #[instrument(name = "RunBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RunBuild",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      build = self.build,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let mut build = get_check_permissions::<Build>(
       &self.build,
@@ -133,8 +159,8 @@ impl Resolve<ExecuteArgs> for RunBuild {
     let git_token =
       build_git_token(&mut build, repo.as_mut()).await?;
 
-    let registry_token =
-      validate_account_extract_registry_token(&build).await?;
+    let registry_tokens =
+      validate_account_extract_registry_tokens(&build).await?;
 
     let cancel = CancellationToken::new();
     let cancel_clone = cancel.clone();
@@ -164,7 +190,7 @@ impl Resolve<ExecuteArgs> for RunBuild {
             update.finalize();
             let id = update.id.clone();
             if let Err(e) = update_update(update).await {
-              warn!("failed to modify Update {id} on db | {e:#}");
+              warn!("Failed to modify Update {id} on db | {e:#}");
             }
             if !is_server_builder {
               cancel_clone.cancel();
@@ -182,7 +208,7 @@ impl Resolve<ExecuteArgs> for RunBuild {
     });
 
     // GET BUILDER PERIPHERY
-    let (periphery, cleanup_data) = match get_builder_periphery(
+    let (periphery, cleanup_data) = match connect_builder_periphery(
       build.name.clone(),
       Some(build.config.version),
       builder,
@@ -193,12 +219,12 @@ impl Resolve<ExecuteArgs> for RunBuild {
       Ok(builder) => builder,
       Err(e) => {
         warn!(
-          "failed to get builder for build {} | {e:#}",
+          "Failed to get Builder for Build {} | {e:#}",
           build.name
         );
         update.logs.push(Log::error(
-          "get builder",
-          format_serror(&e.context("failed to get builder").into()),
+          "Get Builder",
+          format_serror(&e.context("Failed to get Builder").into()),
         ));
         return handle_early_return(
           update, build.id, build.name, false,
@@ -243,18 +269,18 @@ impl Resolve<ExecuteArgs> for RunBuild {
             replacers: Default::default(),
           }) => res,
         _ = cancel.cancelled() => {
-          debug!("build cancelled during clone, cleaning up builder");
-          update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
-          cleanup_builder_instance(cleanup_data, &mut update)
+          debug!("Build cancelled during clone, cleaning up builder");
+          update.push_error_log("Build cancelled", String::from("user cancelled build during repo clone"));
+          cleanup_builder_instance(periphery, cleanup_data, &mut update)
             .await;
-          info!("builder cleaned up");
+          info!("Builder cleaned up");
           return handle_early_return(update, build.id, build.name, true).await
         },
       };
 
       let commit_message = match res {
         Ok(res) => {
-          debug!("finished repo clone");
+          debug!("Finished repo clone");
           update.logs.extend(res.res.logs);
           update.commit_hash =
             res.res.commit_hash.unwrap_or_default().to_string();
@@ -284,19 +310,17 @@ impl Resolve<ExecuteArgs> for RunBuild {
           .request(api::build::Build {
             build: build.clone(),
             repo,
-            registry_token,
+            registry_tokens,
             replacers: secret_replacers.into_iter().collect(),
-            // Push a commit hash tagged image
-            additional_tags: if update.commit_hash.is_empty() {
-              Default::default()
-            } else {
-              vec![update.commit_hash.clone()]
-            },
-          }) => res.context("failed at call to periphery to build"),
+            // To push a commit hash tagged image
+            commit_hash: optional_string(&update.commit_hash),
+            // Unused for now
+            additional_tags: Default::default(),
+          }) => res.context("Failed at call to Periphery to build"),
         _ = cancel.cancelled() => {
-          info!("build cancelled during build, cleaning up builder");
-          update.push_error_log("build cancelled", String::from("user cancelled build during docker build"));
-          cleanup_builder_instance(cleanup_data, &mut update)
+          info!("Build cancelled during build, cleaning up builder");
+          update.push_error_log("Build cancelled", String::from("User cancelled build during docker build"));
+          cleanup_builder_instance(periphery, cleanup_data, &mut update)
             .await;
           return handle_early_return(update, build.id, build.name, true).await
         },
@@ -308,10 +332,10 @@ impl Resolve<ExecuteArgs> for RunBuild {
           update.logs.extend(logs);
         }
         Err(e) => {
-          warn!("error in build | {e:#}");
+          warn!("Error in build | {e:#}");
           update.push_error_log(
-            "build",
-            format_serror(&e.context("failed to build").into()),
+            "Build Error",
+            format_serror(&e.context("Failed to build").into()),
           )
         }
       };
@@ -342,7 +366,8 @@ impl Resolve<ExecuteArgs> for RunBuild {
 
     // If building on temporary cloud server (AWS),
     // this will terminate the server.
-    cleanup_builder_instance(cleanup_data, &mut update).await;
+    cleanup_builder_instance(periphery, cleanup_data, &mut update)
+      .await;
 
     // Need to manually update the update before cache refresh,
     // and before broadcast with add_update.
@@ -352,7 +377,7 @@ impl Resolve<ExecuteArgs> for RunBuild {
       let _ = update_one_by_id(
         &db.updates,
         &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
         None,
       )
       .await;
@@ -361,13 +386,15 @@ impl Resolve<ExecuteArgs> for RunBuild {
 
     update_update(update.clone()).await?;
 
+    let Build { id, name, .. } = build;
+
     if update.success {
       // don't hold response up for user
       tokio::spawn(async move {
-        handle_post_build_redeploy(&build.id).await;
+        handle_post_build_redeploy(&id).await;
       });
     } else {
-      warn!("build unsuccessful, alerting...");
+      let name = name.clone();
       let target = update.target.clone();
       let version = update.version;
       tokio::spawn(async move {
@@ -378,21 +405,27 @@ impl Resolve<ExecuteArgs> for RunBuild {
           resolved_ts: Some(komodo_timestamp()),
           resolved: true,
           level: SeverityLevel::Warning,
-          data: AlertData::BuildFailed {
-            id: build.id,
-            name: build.name,
-            version,
-          },
+          data: AlertData::BuildFailed { id, name, version },
         };
         send_alerts(&[alert]).await
       });
     }
 
+    if let Err(e) = (RefreshBuildCache { build: name })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+    {
+      update.push_error_log(
+        "Refresh build cache",
+        format_serror(&e.error.into()),
+      );
+    }
+
     Ok(update.clone())
   }
 }
 
-#[instrument(skip(update))]
+#[instrument("HandleEarlyReturn", skip(update))]
 async fn handle_early_return(
   mut update: Update,
   build_id: String,
@@ -408,7 +441,7 @@ async fn handle_early_return(
     let _ = update_one_by_id(
       &db_client().updates,
       &update.id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
       None,
     )
     .await;
@@ -416,7 +449,6 @@ async fn handle_early_return(
   }
   update_update(update.clone()).await?;
   if !update.success && !is_cancel {
-    warn!("build unsuccessful, alerting...");
     let target = update.target.clone();
     let version = update.version;
     tokio::spawn(async move {
@@ -486,10 +518,19 @@ pub async fn validate_cancel_build(
 }
 
 impl Resolve<ExecuteArgs> for CancelBuild {
-  #[instrument(name = "CancelBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "CancelBuild",
+    skip(user, update),
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      build = self.build,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let build = get_check_permissions::<Build>(
       &self.build,
@@ -537,7 +578,7 @@ impl Resolve<ExecuteArgs> for CancelBuild {
       .await
       {
         warn!(
-          "failed to set CancelBuild Update status Complete after timeout | {e:#}"
+          "Failed to set CancelBuild Update status Complete after timeout | {e:#}"
         )
       }
     });
@@ -546,7 +587,7 @@ impl Resolve<ExecuteArgs> for CancelBuild {
   }
 }
 
-#[instrument]
+#[instrument("PostBuildRedeploy")]
 async fn handle_post_build_redeploy(build_id: &str) {
   let Ok(redeploy_deployments) = find_collect(
     &db_client().deployments,
@@ -582,7 +623,11 @@ async fn handle_post_build_redeploy(build_id: &str) {
               stop_signal: None,
               stop_time: None,
             }
-            .resolve(&ExecuteArgs { user, update })
+            .resolve(&ExecuteArgs {
+              user,
+              update,
+              id: Uuid::new_v4(),
+            })
             .await
           }
           .await;
@@ -608,34 +653,49 @@ async fn handle_post_build_redeploy(build_id: &str) {
 /// This will make sure that a build with non-none image registry has an account attached,
 /// and will check the core config for a token matching requirements.
 /// Otherwise it is left to periphery.
-async fn validate_account_extract_registry_token(
+#[instrument("ValidateRegistryTokens")]
+async fn validate_account_extract_registry_tokens(
   Build {
-    config:
-      BuildConfig {
-        image_registry:
-          ImageRegistryConfig {
-            domain, account, ..
-          },
-        ..
-      },
+    config: BuildConfig { image_registry, .. },
     ..
   }: &Build,
-) -> serror::Result<Option<String>> {
-  if domain.is_empty() {
-    return Ok(None);
-  }
-  if account.is_empty() {
-    return Err(
-      anyhow!(
-        "Must attach account to use registry provider {domain}"
-      )
-      .into(),
+  // Maps (domain, account) -> token
+) -> serror::Result<Vec<(String, String, String)>> {
+  let mut res = HashMap::with_capacity(image_registry.capacity());
+
+  for (domain, account) in image_registry
+    .iter()
+    .map(|r| (r.domain.as_str(), r.account.as_str()))
+    // This ensures uniqueness / prevents redundant logins
+    .collect::<HashSet<_>>()
+  {
+    if domain.is_empty() {
+      continue;
+    }
+    if account.is_empty() {
+      return Err(
+        anyhow!(
+          "Must attach account to use registry provider {domain}"
+        )
+        .into(),
+      );
+    }
+    let Some(registry_token) = registry_token(domain, account).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
+    )? else {
+      continue;
+    };
+
+    res.insert(
+      (domain.to_string(), account.to_string()),
+      registry_token,
     );
   }
 
-  let registry_token = registry_token(domain, account).await.with_context(
-    || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
-  )?;
-
-  Ok(registry_token)
+  Ok(
+    res
+      .into_iter()
+      .map(|((domain, account), token)| (domain, account, token))
+      .collect(),
+  )
 }

bin/core/src/api/execute/deployment.rs

@@ -12,7 +12,7 @@ use komodo_client::{
     deployment::{
       Deployment, DeploymentImage, extract_registry_domain,
     },
-    get_image_name, komodo_timestamp, optional_string,
+    komodo_timestamp, optional_string,
     permission::PermissionLevel,
     server::Server,
     update::{Log, Update},
@@ -49,10 +49,18 @@ impl super::BatchExecute for BatchDeploy {
 }
 
 impl Resolve<ExecuteArgs> for BatchDeploy {
-  #[instrument(name = "BatchDeploy", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchDeploy",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchDeploy>(&self.pattern, user)
@@ -61,6 +69,7 @@ impl Resolve<ExecuteArgs> for BatchDeploy {
   }
 }
 
+#[instrument("SetupDeploy", skip_all)]
 async fn setup_deployment_execution(
   deployment: &str,
   user: &User,
@@ -87,10 +96,21 @@ async fn setup_deployment_execution(
 }
 
 impl Resolve<ExecuteArgs> for Deploy {
-  #[instrument(name = "Deploy", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "Deploy",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+      stop_signal = format!("{:?}", self.stop_signal),
+      stop_time = self.stop_time,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (mut deployment, server) =
       setup_deployment_execution(&self.deployment, user).await?;
@@ -115,8 +135,11 @@ impl Resolve<ExecuteArgs> for Deploy {
     let (version, registry_token) = match &deployment.config.image {
       DeploymentImage::Build { build_id, version } => {
         let build = resource::get::<Build>(build_id).await?;
-        let image_name = get_image_name(&build)
-          .context("failed to create image name")?;
+        let image_names = build.get_image_names();
+        let image_name = image_names
+          .first()
+          .context("No image name could be created")
+          .context("Failed to create image name")?;
         let version = if version.is_none() {
           build.config.version
         } else {
@@ -133,21 +156,27 @@ impl Resolve<ExecuteArgs> for Deploy {
         deployment.config.image = DeploymentImage::Image {
           image: format!("{image_name}:{version_str}"),
         };
-        if build.config.image_registry.domain.is_empty() {
+        let first_registry = build
+          .config
+          .image_registry
+          .first()
+          .unwrap_or(ImageRegistryConfig::static_default());
+        if first_registry.domain.is_empty() {
           (version, None)
         } else {
           let ImageRegistryConfig {
             domain, account, ..
-          } = build.config.image_registry;
+          } = first_registry;
           if deployment.config.image_registry_account.is_empty() {
-            deployment.config.image_registry_account = account
+            deployment.config.image_registry_account =
+              account.to_string();
           }
           let token = if !deployment
             .config
             .image_registry_account
             .is_empty()
           {
-            registry_token(&domain, &deployment.config.image_registry_account).await.with_context(
+            registry_token(domain, &deployment.config.image_registry_account).await.with_context(
               || format!("Failed to get git token in call to db. Stopping run. | {domain} | {}", deployment.config.image_registry_account),
             )?
           } else {
@@ -194,7 +223,8 @@ impl Resolve<ExecuteArgs> for Deploy {
     update.version = version;
     update_update(update.clone()).await?;
 
-    match periphery_client(&server)?
+    match periphery_client(&server)
+      .await?
       .request(api::container::Deploy {
         deployment,
         stop_signal: self.stop_signal,
@@ -213,7 +243,7 @@ impl Resolve<ExecuteArgs> for Deploy {
       }
     };
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -233,6 +263,14 @@ fn pull_cache() -> &'static PullCache {
   PULL_CACHE.get_or_init(Default::default)
 }
 
+#[instrument(
+  "PullDeploymentInner",
+  skip_all,
+  fields(
+    deployment = deployment.id,
+    server = server.id
+  )
+)]
 pub async fn pull_deployment_inner(
   deployment: Deployment,
   server: &Server,
@@ -240,8 +278,11 @@ pub async fn pull_deployment_inner(
   let (image, account, token) = match deployment.config.image {
     DeploymentImage::Build { build_id, version } => {
       let build = resource::get::<Build>(&build_id).await?;
-      let image_name = get_image_name(&build)
-        .context("failed to create image name")?;
+      let image_names = build.get_image_names();
+      let image_name = image_names
+        .first()
+        .context("No image name could be created")
+        .context("Failed to create image name")?;
       let version = if version.is_none() {
         build.config.version.to_string()
       } else {
@@ -255,26 +296,31 @@ pub async fn pull_deployment_inner(
       };
       // replace image with corresponding build image.
       let image = format!("{image_name}:{version}");
-      if build.config.image_registry.domain.is_empty() {
+      let first_registry = build
+        .config
+        .image_registry
+        .first()
+        .unwrap_or(ImageRegistryConfig::static_default());
+      if first_registry.domain.is_empty() {
         (image, None, None)
       } else {
         let ImageRegistryConfig {
           domain, account, ..
-        } = build.config.image_registry;
+        } = first_registry;
         let account =
           if deployment.config.image_registry_account.is_empty() {
             account
           } else {
-            deployment.config.image_registry_account
+            &deployment.config.image_registry_account
           };
         let token = if !account.is_empty() {
-          registry_token(&domain, &account).await.with_context(
+          registry_token(domain, account).await.with_context(
               || format!("Failed to get git token in call to db. Stopping run. | {domain} | {account}"),
             )?
         } else {
           None
         };
-        (image, optional_string(&account), token)
+        (image, optional_string(account), token)
       }
     }
     DeploymentImage::Image { image } => {
@@ -314,8 +360,9 @@ pub async fn pull_deployment_inner(
   }
 
   let res = async {
-    let log = match periphery_client(server)?
-      .request(api::image::PullImage {
+    let log = match periphery_client(server)
+      .await?
+      .request(api::docker::PullImage {
         name: image,
         account,
         token,
@@ -326,7 +373,7 @@ pub async fn pull_deployment_inner(
       Err(e) => Log::error("Pull image", format_serror(&e.into())),
     };
 
-    update_cache_for_server(server).await;
+    update_cache_for_server(server, true).await;
     anyhow::Ok(log)
   }
   .await;
@@ -339,10 +386,19 @@ pub async fn pull_deployment_inner(
 }
 
 impl Resolve<ExecuteArgs> for PullDeployment {
-  #[instrument(name = "PullDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PullDeployment",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (deployment, server) =
       setup_deployment_execution(&self.deployment, user).await?;
@@ -373,10 +429,19 @@ impl Resolve<ExecuteArgs> for PullDeployment {
 }
 
 impl Resolve<ExecuteArgs> for StartDeployment {
-  #[instrument(name = "StartDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "StartDeployment",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (deployment, server) =
       setup_deployment_execution(&self.deployment, user).await?;
@@ -397,7 +462,8 @@ impl Resolve<ExecuteArgs> for StartDeployment {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
       .request(api::container::StartContainer {
         name: deployment.name,
       })
@@ -411,7 +477,7 @@ impl Resolve<ExecuteArgs> for StartDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -420,10 +486,19 @@ impl Resolve<ExecuteArgs> for StartDeployment {
 }
 
 impl Resolve<ExecuteArgs> for RestartDeployment {
-  #[instrument(name = "RestartDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RestartDeployment",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (deployment, server) =
       setup_deployment_execution(&self.deployment, user).await?;
@@ -444,7 +519,8 @@ impl Resolve<ExecuteArgs> for RestartDeployment {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
       .request(api::container::RestartContainer {
         name: deployment.name,
       })
@@ -460,7 +536,7 @@ impl Resolve<ExecuteArgs> for RestartDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -469,10 +545,19 @@ impl Resolve<ExecuteArgs> for RestartDeployment {
 }
 
 impl Resolve<ExecuteArgs> for PauseDeployment {
-  #[instrument(name = "PauseDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PauseDeployment",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (deployment, server) =
       setup_deployment_execution(&self.deployment, user).await?;
@@ -493,7 +578,8 @@ impl Resolve<ExecuteArgs> for PauseDeployment {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
       .request(api::container::PauseContainer {
         name: deployment.name,
       })
@@ -507,7 +593,7 @@ impl Resolve<ExecuteArgs> for PauseDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -516,10 +602,19 @@ impl Resolve<ExecuteArgs> for PauseDeployment {
 }
 
 impl Resolve<ExecuteArgs> for UnpauseDeployment {
-  #[instrument(name = "UnpauseDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "UnpauseDeployment",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (deployment, server) =
       setup_deployment_execution(&self.deployment, user).await?;
@@ -540,7 +635,8 @@ impl Resolve<ExecuteArgs> for UnpauseDeployment {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
       .request(api::container::UnpauseContainer {
         name: deployment.name,
       })
@@ -556,7 +652,7 @@ impl Resolve<ExecuteArgs> for UnpauseDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -565,10 +661,21 @@ impl Resolve<ExecuteArgs> for UnpauseDeployment {
 }
 
 impl Resolve<ExecuteArgs> for StopDeployment {
-  #[instrument(name = "StopDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "StopDeployment",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+      signal = format!("{:?}", self.signal),
+      time = self.time,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (deployment, server) =
       setup_deployment_execution(&self.deployment, user).await?;
@@ -589,7 +696,8 @@ impl Resolve<ExecuteArgs> for StopDeployment {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
       .request(api::container::StopContainer {
         name: deployment.name,
         signal: self
@@ -611,7 +719,7 @@ impl Resolve<ExecuteArgs> for StopDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -631,10 +739,18 @@ impl super::BatchExecute for BatchDestroyDeployment {
 }
 
 impl Resolve<ExecuteArgs> for BatchDestroyDeployment {
-  #[instrument(name = "BatchDestroyDeployment", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchDestroyDeployment",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchDestroyDeployment>(
@@ -647,10 +763,21 @@ impl Resolve<ExecuteArgs> for BatchDestroyDeployment {
 }
 
 impl Resolve<ExecuteArgs> for DestroyDeployment {
-  #[instrument(name = "DestroyDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "DestroyDeployment",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+      signal = format!("{:?}", self.signal),
+      time = self.time,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (deployment, server) =
       setup_deployment_execution(&self.deployment, user).await?;
@@ -671,7 +798,8 @@ impl Resolve<ExecuteArgs> for DestroyDeployment {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
       .request(api::container::RemoveContainer {
         name: deployment.name,
         signal: self
@@ -694,7 +822,7 @@ impl Resolve<ExecuteArgs> for DestroyDeployment {
 
     update.logs.push(log);
     update.finalize();
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update_update(update.clone()).await?;
 
     Ok(update)

bin/core/src/api/execute/maintenance.rs

@@ -0,0 +1,588 @@
+use std::{fmt::Write as _, sync::OnceLock};
+
+use anyhow::{Context, anyhow};
+use command::run_komodo_standard_command;
+use database::{
+  bson::{Document, doc},
+  mungos::find::find_collect,
+};
+use formatting::{bold, format_serror};
+use futures_util::{StreamExt, stream::FuturesOrdered};
+use komodo_client::{
+  api::execute::{
+    BackupCoreDatabase, ClearRepoCache, GlobalAutoUpdate,
+    RotateAllServerKeys, RotateCoreKeys,
+  },
+  entities::{
+    deployment::DeploymentState, server::ServerState,
+    stack::StackState,
+  },
+};
+use periphery_client::api;
+use reqwest::StatusCode;
+use resolver_api::Resolve;
+use serror::AddStatusCodeError;
+use tokio::sync::Mutex;
+
+use crate::{
+  api::execute::{
+    ExecuteArgs, pull_deployment_inner, pull_stack_inner,
+  },
+  config::{core_config, core_keys},
+  helpers::{periphery_client, update::update_update},
+  resource::rotate_server_keys,
+  state::{
+    db_client, deployment_status_cache, server_status_cache,
+    stack_status_cache,
+  },
+};
+
+/// Makes sure the method can only be called once at a time
+fn clear_repo_cache_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for ClearRepoCache {
+  #[instrument(
+    "ClearRepoCache",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = clear_repo_cache_lock()
+      .try_lock()
+      .context("Clear already in progress...")?;
+
+    let mut update = update.clone();
+
+    let mut contents =
+      tokio::fs::read_dir(&core_config().repo_directory)
+        .await
+        .context("Failed to read repo cache directory")?;
+
+    loop {
+      let path = match contents
+        .next_entry()
+        .await
+        .context("Failed to read contents at path")
+      {
+        Ok(Some(contents)) => contents.path(),
+        Ok(None) => break,
+        Err(e) => {
+          update.push_error_log(
+            "Read Directory",
+            format_serror(&e.into()),
+          );
+          continue;
+        }
+      };
+      if path.is_dir() {
+        match tokio::fs::remove_dir_all(&path)
+          .await
+          .context("Failed to clear contents at path")
+        {
+          Ok(_) => {}
+          Err(e) => {
+            update.push_error_log(
+              "Clear Directory",
+              format_serror(&e.into()),
+            );
+          }
+        };
+      }
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn backup_database_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for BackupCoreDatabase {
+  #[instrument(
+    "BackupCoreDatabase",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = backup_database_lock()
+      .try_lock()
+      .context("Backup already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let res = run_komodo_standard_command(
+      "Backup Core Database",
+      None,
+      "km database backup --yes",
+    )
+    .await;
+
+    update.logs.push(res);
+    update.finalize();
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn global_update_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
+  #[instrument(
+    "GlobalAutoUpdate",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = global_update_lock()
+      .try_lock()
+      .context("Global update already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    // This is all done in sequence because there is no rush,
+    // the pulls / deploys happen spaced out to ease the load on system.
+    let servers = find_collect(&db_client().servers, None, None)
+      .await
+      .context("Failed to query for servers from database")?;
+
+    let query = doc! {
+      "$or": [
+        { "config.poll_for_updates": true },
+        { "config.auto_update": true }
+      ]
+    };
+
+    let (stacks, repos) = tokio::try_join!(
+      find_collect(&db_client().stacks, query.clone(), None),
+      find_collect(&db_client().repos, None, None)
+    )
+    .context("Failed to query for resources from database")?;
+
+    let server_status_cache = server_status_cache();
+    let stack_status_cache = stack_status_cache();
+
+    // Will be edited later at update.logs[0]
+    update.push_simple_log("Auto Pull", String::new());
+
+    for stack in stacks {
+      let Some(status) = stack_status_cache.get(&stack.id).await
+      else {
+        continue;
+      };
+      // Only pull running stacks.
+      if !matches!(status.curr.state, StackState::Running) {
+        continue;
+      }
+      if let Some(server) =
+        servers.iter().find(|s| s.id == stack.config.server_id)
+        // This check is probably redundant along with running check
+        // but shouldn't hurt
+        && server_status_cache
+          .get(&server.id)
+          .await
+          .map(|s| matches!(s.state, ServerState::Ok))
+          .unwrap_or_default()
+      {
+        let name = stack.name.clone();
+        let repo = if stack.config.linked_repo.is_empty() {
+          None
+        } else {
+          let Some(repo) =
+            repos.iter().find(|r| r.id == stack.config.linked_repo)
+          else {
+            update.push_error_log(
+              &format!("Pull Stack {name}"),
+              format!(
+                "Did not find any Repo matching {}",
+                stack.config.linked_repo
+              ),
+            );
+            continue;
+          };
+          Some(repo.clone())
+        };
+        if let Err(e) =
+          pull_stack_inner(stack, Vec::new(), server, repo, None)
+            .await
+        {
+          update.push_error_log(
+            &format!("Pull Stack {name}"),
+            format_serror(&e.into()),
+          );
+        } else {
+          if !update.logs[0].stdout.is_empty() {
+            update.logs[0].stdout.push('\n');
+          }
+          update.logs[0]
+            .stdout
+            .push_str(&format!("Pulled Stack {} ✅", bold(name)));
+        }
+      }
+    }
+
+    let deployment_status_cache = deployment_status_cache();
+    let deployments =
+      find_collect(&db_client().deployments, query, None)
+        .await
+        .context("Failed to query for deployments from database")?;
+    for deployment in deployments {
+      let Some(status) =
+        deployment_status_cache.get(&deployment.id).await
+      else {
+        continue;
+      };
+      // Only pull running deployments.
+      if !matches!(status.curr.state, DeploymentState::Running) {
+        continue;
+      }
+      if let Some(server) =
+        servers.iter().find(|s| s.id == deployment.config.server_id)
+        // This check is probably redundant along with running check
+        // but shouldn't hurt
+        && server_status_cache
+          .get(&server.id)
+          .await
+          .map(|s| matches!(s.state, ServerState::Ok))
+          .unwrap_or_default()
+      {
+        let name = deployment.name.clone();
+        if let Err(e) =
+          pull_deployment_inner(deployment, server).await
+        {
+          update.push_error_log(
+            &format!("Pull Deployment {name}"),
+            format_serror(&e.into()),
+          );
+        } else {
+          if !update.logs[0].stdout.is_empty() {
+            update.logs[0].stdout.push('\n');
+          }
+          update.logs[0].stdout.push_str(&format!(
+            "Pulled Deployment {} ✅",
+            bold(name)
+          ));
+        }
+      }
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn global_rotate_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for RotateAllServerKeys {
+  #[instrument(
+    "RotateAllServerKeys",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = global_rotate_lock()
+      .try_lock()
+      .context("Key rotation already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let mut servers = db_client()
+      .servers
+      .find(Document::new())
+      .await
+      .context("Failed to query servers from database")?;
+
+    let server_status_cache = server_status_cache();
+
+    let mut log = String::new();
+
+    while let Some(server) = servers.next().await {
+      let server = match server {
+        Ok(server) => server,
+        Err(e) => {
+          warn!("Failed to parse Server | {e:#}");
+          continue;
+        }
+      };
+      if !server.config.auto_rotate_keys {
+        let _ = write!(
+          &mut log,
+          "\nSkipping {}: Key Rotation Disabled ⚙️",
+          bold(&server.name)
+        );
+        continue;
+      }
+      let Some(status) = server_status_cache.get(&server.id).await
+      else {
+        let _ = write!(
+          &mut log,
+          "\nSkipping {}: No Status ⚠️",
+          bold(&server.name)
+        );
+        continue;
+      };
+      match status.state {
+        ServerState::Disabled => {
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Disabled ⚙️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        ServerState::NotOk => {
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Not Ok ⚠️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        _ => {}
+      }
+      match rotate_server_keys(&server).await {
+        Ok(_) => {
+          let _ = write!(
+            &mut log,
+            "\nRotated keys for {} ✅",
+            bold(&server.name)
+          );
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Key Rotation Failure",
+            format_serror(
+              &e.context(format!(
+                "Failed to rotate {} keys",
+                bold(&server.name)
+              ))
+              .into(),
+            ),
+          );
+        }
+      }
+    }
+
+    update.push_simple_log("Rotate Server Keys", log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RotateCoreKeys {
+  #[instrument(
+    "RotateCoreKeys",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      force = self.force,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = global_rotate_lock()
+      .try_lock()
+      .context("Key rotation already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let core_keys = core_keys();
+
+    if !core_keys.rotatable() {
+      return Err(anyhow!("Core `private_key` must be pointing to file, for example 'file:/config/keys/core.key'").into());
+    };
+
+    let server_status_cache = server_status_cache();
+    let servers =
+      find_collect(&db_client().servers, Document::new(), None)
+        .await
+        .context("Failed to query servers from database")?
+        .into_iter()
+        .map(|server| async move {
+          let state = server_status_cache
+            .get(&server.id)
+            .await
+            .map(|s| s.state)
+            .unwrap_or(ServerState::NotOk);
+          (server, state)
+        })
+        .collect::<FuturesOrdered<_>>()
+        .collect::<Vec<_>>()
+        .await;
+
+    if !self.force
+      && let Some((server, _)) = servers
+        .iter()
+        .find(|(_, state)| matches!(state, ServerState::NotOk))
+    {
+      return Err(
+        anyhow!("Server {} is NotOk, stopping key rotation. Pass `force: true` to continue anyways.", server.name).into(),
+      );
+    }
+
+    let public_key = core_keys.rotate().await?.into_inner();
+
+    info!("New Public Key: {public_key}");
+
+    let mut log = format!("New Public Key: {public_key}\n");
+
+    for (server, state) in servers {
+      match state {
+        ServerState::Disabled => {
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Disabled ⚙️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        ServerState::NotOk => {
+          // Shouldn't be reached unless 'force: true'
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Not Ok ⚠️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        _ => {}
+      }
+      let periphery = periphery_client(&server).await?;
+      let res = periphery
+        .request(api::keys::RotateCorePublicKey {
+          public_key: public_key.clone(),
+        })
+        .await;
+      match res {
+        Ok(_) => {
+          let _ = write!(
+            &mut log,
+            "\nRotated key for {} ✅",
+            bold(&server.name)
+          );
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Key Rotation Failure",
+            format_serror(
+              &e.context(format!(
+                "Failed to rotate for {}. The new Core public key will have to be added manually.",
+                bold(&server.name)
+              ))
+              .into(),
+            ),
+          );
+        }
+      }
+    }
+
+    update.push_simple_log("Rotate Core Keys", log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/mod.rs

@@ -1,13 +1,14 @@
-use std::{pin::Pin, time::Instant};
+use std::pin::Pin;
 
 use anyhow::Context;
 use axum::{
   Extension, Router, extract::Path, middleware, routing::post,
 };
 use axum_extra::{TypedHeader, headers::ContentType};
+use database::mungos::by_id::find_one_by_id;
 use derive_variants::{EnumVariants, ExtractVariant};
 use formatting::format_serror;
-use futures::future::join_all;
+use futures_util::future::join_all;
 use komodo_client::{
   api::execute::*,
   entities::{
@@ -17,12 +18,12 @@ use komodo_client::{
     user::User,
   },
 };
-use mungos::by_id::find_one_by_id;
 use resolver_api::Resolve;
 use response::JsonString;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
 use serror::Json;
+use strum::Display;
 use typeshare::typeshare;
 use uuid::Uuid;
 
@@ -37,6 +38,7 @@ mod action;
 mod alerter;
 mod build;
 mod deployment;
+mod maintenance;
 mod procedure;
 mod repo;
 mod server;
@@ -50,6 +52,9 @@ pub use {
 };
 
 pub struct ExecuteArgs {
+  /// The execution id.
+  /// Unique for every /execute call.
+  pub id: Uuid,
   pub user: User,
   pub update: Update,
 }
@@ -58,7 +63,7 @@ pub struct ExecuteArgs {
 #[derive(
   Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
 )]
-#[variant_derive(Debug)]
+#[variant_derive(Debug, Display)]
 #[args(ExecuteArgs)]
 #[response(JsonString)]
 #[error(serror::Error)]
@@ -101,6 +106,7 @@ pub enum ExecuteRequest {
   UnpauseStack(UnpauseStack),
   DestroyStack(DestroyStack),
   BatchDestroyStack(BatchDestroyStack),
+  RunStackService(RunStackService),
 
   // ==== DEPLOYMENT ====
   Deploy(Deploy),
@@ -136,11 +142,19 @@ pub enum ExecuteRequest {
   RunAction(RunAction),
   BatchRunAction(BatchRunAction),
 
-  // ==== ALERTER ====
-  TestAlerter(TestAlerter),
-
   // ==== SYNC ====
   RunSync(RunSync),
+
+  // ==== ALERTER ====
+  TestAlerter(TestAlerter),
+  SendAlert(SendAlert),
+
+  // ==== MAINTENANCE ====
+  ClearRepoCache(ClearRepoCache),
+  BackupCoreDatabase(BackupCoreDatabase),
+  GlobalAutoUpdate(GlobalAutoUpdate),
+  RotateAllServerKeys(RotateAllServerKeys),
+  RotateCoreKeys(RotateCoreKeys),
 }
 
 pub fn router() -> Router {
@@ -193,10 +207,12 @@ pub fn inner_handler(
   >,
 > {
   Box::pin(async move {
-    let req_id = Uuid::new_v4();
+    let task_id = Uuid::new_v4();
 
-    // need to validate no cancel is active before any update is created.
+    // Need to validate no cancel is active before any update is created.
+    // This ensures no double update created if Cancel is called more than once for the same request.
     build::validate_cancel_build(&request).await?;
+    repo::validate_cancel_repo_build(&request).await?;
 
     let update = init_execution_update(&request, &user).await?;
 
@@ -207,28 +223,37 @@ pub fn inner_handler(
     // here either.
     if update.operation == Operation::None {
       return Ok(ExecutionResult::Batch(
-        task(req_id, request, user, update).await?,
+        task(task_id, request, user, update).await?,
       ));
     }
 
+    // Spawn a task for the execution which continues
+    // running after this method returns.
     let handle =
-      tokio::spawn(task(req_id, request, user, update.clone()));
+      tokio::spawn(task(task_id, request, user, update.clone()));
 
+    // Spawns another task to monitor the first for failures,
+    // and add the log to Update about it (which primary task can't do because it errored out)
     tokio::spawn({
       let update_id = update.id.clone();
       async move {
         let log = match handle.await {
           Ok(Err(e)) => {
-            warn!("/execute request {req_id} task error: {e:#}",);
-            Log::error("task error", format_serror(&e.into()))
+            warn!("/execute request {task_id} task error: {e:#}",);
+            Log::error("Task Error", format_serror(&e.into()))
           }
           Err(e) => {
-            warn!("/execute request {req_id} spawn error: {e:?}",);
-            Log::error("spawn error", format!("{e:#?}"))
+            warn!("/execute request {task_id} spawn error: {e:?}",);
+            Log::error("Spawn Error", format!("{e:#?}"))
           }
           _ => return,
         };
         let res = async {
+          // Nothing to do if update was never actually created,
+          // which is the case when the id is empty.
+          if update_id.is_empty() {
+            return Ok(());
+          }
           let mut update =
             find_one_by_id(&db_client().updates, &update_id)
               .await
@@ -252,40 +277,33 @@ pub fn inner_handler(
   })
 }
 
-#[instrument(
-  name = "ExecuteRequest",
-  skip(user, update),
-  fields(
-    user_id = user.id,
-    update_id = update.id,
-    request = format!("{:?}", request.extract_variant()))
-  )
-]
 async fn task(
-  req_id: Uuid,
+  id: Uuid,
   request: ExecuteRequest,
   user: User,
   update: Update,
 ) -> anyhow::Result<String> {
-  info!("/execute request {req_id} | user: {}", user.username);
-  let timer = Instant::now();
+  let variant = request.extract_variant();
 
-  let res = match request.resolve(&ExecuteArgs { user, update }).await
-  {
-    Err(e) => Err(e.error),
-    Ok(JsonString::Err(e)) => Err(
-      anyhow::Error::from(e).context("failed to serialize response"),
-    ),
-    Ok(JsonString::Ok(res)) => Ok(res),
-  };
+  info!(
+    "/execute request {id} | {variant} | user: {}",
+    user.username
+  );
+
+  let res =
+    match request.resolve(&ExecuteArgs { user, update, id }).await {
+      Err(e) => Err(e.error),
+      Ok(JsonString::Err(e)) => Err(
+        anyhow::Error::from(e)
+          .context("failed to serialize response"),
+      ),
+      Ok(JsonString::Ok(res)) => Ok(res),
+    };
 
   if let Err(e) = &res {
-    warn!("/execute request {req_id} error: {e:#}");
+    warn!("/execute request {id} error: {e:#}");
   }
 
-  let elapsed = timer.elapsed();
-  debug!("/execute request {req_id} | resolve time: {elapsed:?}");
-
   res
 }
 
@@ -294,6 +312,7 @@ trait BatchExecute {
   fn single_request(name: String) -> ExecuteRequest;
 }
 
+#[instrument("BatchExecute", skip(user))]
 async fn batch_execute<E: BatchExecute>(
   pattern: &str,
   user: &User,
@@ -306,6 +325,7 @@ async fn batch_execute<E: BatchExecute>(
     &[],
   )
   .await?;
+
   let futures = resources.into_iter().map(|resource| {
     let user = user.clone();
     async move {

bin/core/src/api/execute/procedure.rs

@@ -1,5 +1,8 @@
 use std::pin::Pin;
 
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
 use formatting::{Color, bold, colored, format_serror, muted};
 use komodo_client::{
   api::execute::{
@@ -14,7 +17,6 @@ use komodo_client::{
     user::User,
   },
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
 use resolver_api::Resolve;
 use tokio::sync::Mutex;
 
@@ -36,7 +38,11 @@ impl super::BatchExecute for BatchRunProcedure {
 }
 
 impl Resolve<ExecuteArgs> for BatchRunProcedure {
-  #[instrument(name = "BatchRunProcedure", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchRunProcedure",
+    skip_all,
+    fields(operator = user.id)
+  )]
   async fn resolve(
     self,
     ExecuteArgs { user, .. }: &ExecuteArgs,
@@ -49,10 +55,19 @@ impl Resolve<ExecuteArgs> for BatchRunProcedure {
 }
 
 impl Resolve<ExecuteArgs> for RunProcedure {
-  #[instrument(name = "RunProcedure", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RunProcedure",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      procedure = self.procedure,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     Ok(
       resolve_inner(self.procedure, user.clone(), update.clone())
@@ -134,7 +149,7 @@ fn resolve_inner(
       let _ = update_one_by_id(
         &db_client().updates,
         &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
         None,
       )
       .await;
@@ -144,7 +159,6 @@ fn resolve_inner(
     update_update(update.clone()).await?;
 
     if !update.success && procedure.config.failure_alert {
-      warn!("procedure unsuccessful, alerting...");
       let target = update.target.clone();
       tokio::spawn(async move {
         let alert = Alert {

bin/core/src/api/execute/repo.rs

@@ -1,6 +1,13 @@
 use std::{collections::HashSet, future::IntoFuture, time::Duration};
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  mongodb::{
+    bson::{doc, to_document},
+    options::FindOneOptions,
+  },
+};
 use formatting::format_serror;
 use interpolate::Interpolator;
 use komodo_client::{
@@ -15,13 +22,6 @@ use komodo_client::{
     update::{Log, Update},
   },
 };
-use mungos::{
-  by_id::update_one_by_id,
-  mongodb::{
-    bson::{doc, to_document},
-    options::FindOneOptions,
-  },
-};
 use periphery_client::api;
 use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
@@ -30,7 +30,7 @@ use crate::{
   alert::send_alerts,
   api::write::WriteArgs,
   helpers::{
-    builder::{cleanup_builder_instance, get_builder_periphery},
+    builder::{cleanup_builder_instance, connect_builder_periphery},
     channel::repo_cancel_channel,
     git_token, periphery_client,
     query::{VariablesAndSecrets, get_variables_and_secrets},
@@ -51,10 +51,18 @@ impl super::BatchExecute for BatchCloneRepo {
 }
 
 impl Resolve<ExecuteArgs> for BatchCloneRepo {
-  #[instrument(name = "BatchCloneRepo", skip( user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchCloneRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchCloneRepo>(&self.pattern, user)
@@ -64,10 +72,19 @@ impl Resolve<ExecuteArgs> for BatchCloneRepo {
 }
 
 impl Resolve<ExecuteArgs> for CloneRepo {
-  #[instrument(name = "CloneRepo", skip( user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "CloneRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let mut repo = get_check_permissions::<Repo>(
       &self.repo,
@@ -105,7 +122,7 @@ impl Resolve<ExecuteArgs> for CloneRepo {
     let server =
       resource::get::<Server>(&repo.config.server_id).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     // interpolate variables / secrets, returning the sanitizing replacers to send to
     // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
@@ -165,10 +182,18 @@ impl super::BatchExecute for BatchPullRepo {
 }
 
 impl Resolve<ExecuteArgs> for BatchPullRepo {
-  #[instrument(name = "BatchPullRepo", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchPullRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchPullRepo>(&self.pattern, user)
@@ -178,10 +203,19 @@ impl Resolve<ExecuteArgs> for BatchPullRepo {
 }
 
 impl Resolve<ExecuteArgs> for PullRepo {
-  #[instrument(name = "PullRepo", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PullRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let mut repo = get_check_permissions::<Repo>(
       &self.repo,
@@ -220,7 +254,7 @@ impl Resolve<ExecuteArgs> for PullRepo {
     let server =
       resource::get::<Server>(&repo.config.server_id).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     // interpolate variables / secrets, returning the sanitizing replacers to send to
     // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
@@ -275,7 +309,11 @@ impl Resolve<ExecuteArgs> for PullRepo {
   }
 }
 
-#[instrument(skip_all, fields(update_id = update.id))]
+#[instrument(
+  "HandleRepoEarlyReturn",
+  skip_all,
+  fields(update_id = update.id)
+)]
 async fn handle_repo_update_return(
   update: Update,
 ) -> serror::Result<Update> {
@@ -287,7 +325,7 @@ async fn handle_repo_update_return(
     let _ = update_one_by_id(
       &db_client().updates,
       &update.id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
       None,
     )
     .await;
@@ -297,7 +335,7 @@ async fn handle_repo_update_return(
   Ok(update)
 }
 
-#[instrument]
+#[instrument("UpdateLastPulledTime")]
 async fn update_last_pulled_time(repo_name: &str) {
   let res = db_client()
     .repos
@@ -321,10 +359,18 @@ impl super::BatchExecute for BatchBuildRepo {
 }
 
 impl Resolve<ExecuteArgs> for BatchBuildRepo {
-  #[instrument(name = "BatchBuildRepo", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchBuildRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchBuildRepo>(&self.pattern, user)
@@ -334,10 +380,19 @@ impl Resolve<ExecuteArgs> for BatchBuildRepo {
 }
 
 impl Resolve<ExecuteArgs> for BuildRepo {
-  #[instrument(name = "BuildRepo", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "BuildRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let mut repo = get_check_permissions::<Repo>(
       &self.repo,
@@ -419,7 +474,7 @@ impl Resolve<ExecuteArgs> for BuildRepo {
 
     // GET BUILDER PERIPHERY
 
-    let (periphery, cleanup_data) = match get_builder_periphery(
+    let (periphery, cleanup_data) = match connect_builder_periphery(
       repo.name.clone(),
       None,
       builder,
@@ -463,7 +518,7 @@ impl Resolve<ExecuteArgs> for BuildRepo {
       _ = cancel.cancelled() => {
         debug!("build cancelled during clone, cleaning up builder");
         update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
-        cleanup_builder_instance(cleanup_data, &mut update)
+        cleanup_builder_instance(periphery, cleanup_data, &mut update)
           .await;
         info!("builder cleaned up");
         return handle_builder_early_return(update, repo.id, repo.name, true).await
@@ -510,7 +565,8 @@ impl Resolve<ExecuteArgs> for BuildRepo {
 
     // If building on temporary cloud server (AWS),
     // this will terminate the server.
-    cleanup_builder_instance(cleanup_data, &mut update).await;
+    cleanup_builder_instance(periphery, cleanup_data, &mut update)
+      .await;
 
     // Need to manually update the update before cache refresh,
     // and before broadcast with add_update.
@@ -520,7 +576,7 @@ impl Resolve<ExecuteArgs> for BuildRepo {
       let _ = update_one_by_id(
         &db.updates,
         &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
         None,
       )
       .await;
@@ -530,7 +586,6 @@ impl Resolve<ExecuteArgs> for BuildRepo {
     update_update(update.clone()).await?;
 
     if !update.success {
-      warn!("repo build unsuccessful, alerting...");
       let target = update.target.clone();
       tokio::spawn(async move {
         let alert = Alert {
@@ -553,7 +608,7 @@ impl Resolve<ExecuteArgs> for BuildRepo {
   }
 }
 
-#[instrument(skip(update))]
+#[instrument("HandleRepoBuildEarlyReturn", skip(update))]
 async fn handle_builder_early_return(
   mut update: Update,
   repo_id: String,
@@ -569,7 +624,7 @@ async fn handle_builder_early_return(
     let _ = update_one_by_id(
       &db_client().updates,
       &update.id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
       None,
     )
     .await;
@@ -577,7 +632,6 @@ async fn handle_builder_early_return(
   }
   update_update(update.clone()).await?;
   if !update.success && !is_cancel {
-    warn!("repo build unsuccessful, alerting...");
     let target = update.target.clone();
     tokio::spawn(async move {
       let alert = Alert {
@@ -598,7 +652,6 @@ async fn handle_builder_early_return(
   Ok(update)
 }
 
-#[instrument(skip_all)]
 pub async fn validate_cancel_repo_build(
   request: &ExecuteRequest,
 ) -> anyhow::Result<()> {
@@ -648,10 +701,19 @@ pub async fn validate_cancel_repo_build(
 }
 
 impl Resolve<ExecuteArgs> for CancelRepoBuild {
-  #[instrument(name = "CancelRepoBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "CancelRepoBuild",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let repo = get_check_permissions::<Repo>(
       &self.repo,
@@ -708,6 +770,13 @@ impl Resolve<ExecuteArgs> for CancelRepoBuild {
   }
 }
 
+#[instrument(
+  "Interpolate",
+  skip_all,
+  fields(
+    skip_secret_interp = repo.config.skip_secret_interp
+  )
+)]
 async fn interpolate(
   repo: &mut Repo,
   update: &mut Update,

bin/core/src/api/execute/server.rs

@@ -22,10 +22,20 @@ use crate::{
 use super::ExecuteArgs;
 
 impl Resolve<ExecuteArgs> for StartContainer {
-  #[instrument(name = "StartContainer", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "StartContainer",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+      container = self.container,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -50,7 +60,7 @@ impl Resolve<ExecuteArgs> for StartContainer {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
       .request(api::container::StartContainer {
@@ -66,7 +76,7 @@ impl Resolve<ExecuteArgs> for StartContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -76,10 +86,20 @@ impl Resolve<ExecuteArgs> for StartContainer {
 }
 
 impl Resolve<ExecuteArgs> for RestartContainer {
-  #[instrument(name = "RestartContainer", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RestartContainer",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+      container = self.container,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -104,7 +124,7 @@ impl Resolve<ExecuteArgs> for RestartContainer {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
       .request(api::container::RestartContainer {
@@ -122,7 +142,7 @@ impl Resolve<ExecuteArgs> for RestartContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -132,10 +152,20 @@ impl Resolve<ExecuteArgs> for RestartContainer {
 }
 
 impl Resolve<ExecuteArgs> for PauseContainer {
-  #[instrument(name = "PauseContainer", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PauseContainer",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+      container = self.container,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -160,7 +190,7 @@ impl Resolve<ExecuteArgs> for PauseContainer {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
       .request(api::container::PauseContainer {
@@ -176,7 +206,7 @@ impl Resolve<ExecuteArgs> for PauseContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -186,10 +216,20 @@ impl Resolve<ExecuteArgs> for PauseContainer {
 }
 
 impl Resolve<ExecuteArgs> for UnpauseContainer {
-  #[instrument(name = "UnpauseContainer", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "UnpauseContainer",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+      container = self.container,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -214,7 +254,7 @@ impl Resolve<ExecuteArgs> for UnpauseContainer {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
       .request(api::container::UnpauseContainer {
@@ -232,7 +272,7 @@ impl Resolve<ExecuteArgs> for UnpauseContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -242,10 +282,22 @@ impl Resolve<ExecuteArgs> for UnpauseContainer {
 }
 
 impl Resolve<ExecuteArgs> for StopContainer {
-  #[instrument(name = "StopContainer", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "StopContainer",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+      container = self.container,
+      signal = format!("{:?}", self.signal),
+      time = self.time,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -270,7 +322,7 @@ impl Resolve<ExecuteArgs> for StopContainer {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
       .request(api::container::StopContainer {
@@ -288,7 +340,7 @@ impl Resolve<ExecuteArgs> for StopContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -298,10 +350,22 @@ impl Resolve<ExecuteArgs> for StopContainer {
 }
 
 impl Resolve<ExecuteArgs> for DestroyContainer {
-  #[instrument(name = "DestroyContainer", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "DestroyContainer",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+      container = self.container,
+      signal = format!("{:?}", self.signal),
+      time = self.time,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let DestroyContainer {
       server,
@@ -332,7 +396,7 @@ impl Resolve<ExecuteArgs> for DestroyContainer {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
       .request(api::container::RemoveContainer {
@@ -350,7 +414,7 @@ impl Resolve<ExecuteArgs> for DestroyContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -360,10 +424,19 @@ impl Resolve<ExecuteArgs> for DestroyContainer {
 }
 
 impl Resolve<ExecuteArgs> for StartAllContainers {
-  #[instrument(name = "StartAllContainers", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "StartAllContainers",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -387,7 +460,8 @@ impl Resolve<ExecuteArgs> for StartAllContainers {
 
     update_update(update.clone()).await?;
 
-    let logs = periphery_client(&server)?
+    let logs = periphery_client(&server)
+      .await?
       .request(api::container::StartAllContainers {})
       .await
       .context("failed to start all containers on host")?;
@@ -401,7 +475,7 @@ impl Resolve<ExecuteArgs> for StartAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -410,10 +484,19 @@ impl Resolve<ExecuteArgs> for StartAllContainers {
 }
 
 impl Resolve<ExecuteArgs> for RestartAllContainers {
-  #[instrument(name = "RestartAllContainers", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RestartAllContainers",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -437,7 +520,8 @@ impl Resolve<ExecuteArgs> for RestartAllContainers {
 
     update_update(update.clone()).await?;
 
-    let logs = periphery_client(&server)?
+    let logs = periphery_client(&server)
+      .await?
       .request(api::container::RestartAllContainers {})
       .await
       .context("failed to restart all containers on host")?;
@@ -453,7 +537,7 @@ impl Resolve<ExecuteArgs> for RestartAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -462,10 +546,19 @@ impl Resolve<ExecuteArgs> for RestartAllContainers {
 }
 
 impl Resolve<ExecuteArgs> for PauseAllContainers {
-  #[instrument(name = "PauseAllContainers", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PauseAllContainers",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -489,7 +582,8 @@ impl Resolve<ExecuteArgs> for PauseAllContainers {
 
     update_update(update.clone()).await?;
 
-    let logs = periphery_client(&server)?
+    let logs = periphery_client(&server)
+      .await?
       .request(api::container::PauseAllContainers {})
       .await
       .context("failed to pause all containers on host")?;
@@ -503,7 +597,7 @@ impl Resolve<ExecuteArgs> for PauseAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -512,10 +606,19 @@ impl Resolve<ExecuteArgs> for PauseAllContainers {
 }
 
 impl Resolve<ExecuteArgs> for UnpauseAllContainers {
-  #[instrument(name = "UnpauseAllContainers", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "UnpauseAllContainers",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -539,7 +642,8 @@ impl Resolve<ExecuteArgs> for UnpauseAllContainers {
 
     update_update(update.clone()).await?;
 
-    let logs = periphery_client(&server)?
+    let logs = periphery_client(&server)
+      .await?
       .request(api::container::UnpauseAllContainers {})
       .await
       .context("failed to unpause all containers on host")?;
@@ -555,7 +659,7 @@ impl Resolve<ExecuteArgs> for UnpauseAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -564,10 +668,19 @@ impl Resolve<ExecuteArgs> for UnpauseAllContainers {
 }
 
 impl Resolve<ExecuteArgs> for StopAllContainers {
-  #[instrument(name = "StopAllContainers", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "StopAllContainers",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -591,7 +704,8 @@ impl Resolve<ExecuteArgs> for StopAllContainers {
 
     update_update(update.clone()).await?;
 
-    let logs = periphery_client(&server)?
+    let logs = periphery_client(&server)
+      .await?
       .request(api::container::StopAllContainers {})
       .await
       .context("failed to stop all containers on host")?;
@@ -605,7 +719,7 @@ impl Resolve<ExecuteArgs> for StopAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -614,10 +728,19 @@ impl Resolve<ExecuteArgs> for StopAllContainers {
 }
 
 impl Resolve<ExecuteArgs> for PruneContainers {
-  #[instrument(name = "PruneContainers", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PruneContainers",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -641,7 +764,7 @@ impl Resolve<ExecuteArgs> for PruneContainers {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
       .request(api::container::PruneContainers {})
@@ -660,7 +783,7 @@ impl Resolve<ExecuteArgs> for PruneContainers {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -670,10 +793,20 @@ impl Resolve<ExecuteArgs> for PruneContainers {
 }
 
 impl Resolve<ExecuteArgs> for DeleteNetwork {
-  #[instrument(name = "DeleteNetwork", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "DeleteNetwork",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+      network = self.name
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -686,10 +819,10 @@ impl Resolve<ExecuteArgs> for DeleteNetwork {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
-      .request(api::network::DeleteNetwork {
+      .request(api::docker::DeleteNetwork {
         name: self.name.clone(),
       })
       .await
@@ -711,7 +844,7 @@ impl Resolve<ExecuteArgs> for DeleteNetwork {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -721,10 +854,19 @@ impl Resolve<ExecuteArgs> for DeleteNetwork {
 }
 
 impl Resolve<ExecuteArgs> for PruneNetworks {
-  #[instrument(name = "PruneNetworks", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PruneNetworks",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -748,10 +890,10 @@ impl Resolve<ExecuteArgs> for PruneNetworks {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
-      .request(api::network::PruneNetworks {})
+      .request(api::docker::PruneNetworks {})
       .await
       .context(format!(
         "failed to prune networks on server {}",
@@ -765,7 +907,7 @@ impl Resolve<ExecuteArgs> for PruneNetworks {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -775,10 +917,20 @@ impl Resolve<ExecuteArgs> for PruneNetworks {
 }
 
 impl Resolve<ExecuteArgs> for DeleteImage {
-  #[instrument(name = "DeleteImage", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "DeleteImage",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+      image = self.name,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -791,10 +943,10 @@ impl Resolve<ExecuteArgs> for DeleteImage {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
-      .request(api::image::DeleteImage {
+      .request(api::docker::DeleteImage {
         name: self.name.clone(),
       })
       .await
@@ -813,7 +965,7 @@ impl Resolve<ExecuteArgs> for DeleteImage {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -823,10 +975,19 @@ impl Resolve<ExecuteArgs> for DeleteImage {
 }
 
 impl Resolve<ExecuteArgs> for PruneImages {
-  #[instrument(name = "PruneImages", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PruneImages",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -850,10 +1011,10 @@ impl Resolve<ExecuteArgs> for PruneImages {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log =
-      match periphery.request(api::image::PruneImages {}).await {
+      match periphery.request(api::docker::PruneImages {}).await {
         Ok(log) => log,
         Err(e) => Log::error(
           "prune images",
@@ -865,7 +1026,7 @@ impl Resolve<ExecuteArgs> for PruneImages {
       };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -875,10 +1036,20 @@ impl Resolve<ExecuteArgs> for PruneImages {
 }
 
 impl Resolve<ExecuteArgs> for DeleteVolume {
-  #[instrument(name = "DeleteVolume", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "DeleteVolume",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+      volume = self.name,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -891,10 +1062,10 @@ impl Resolve<ExecuteArgs> for DeleteVolume {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery
-      .request(api::volume::DeleteVolume {
+      .request(api::docker::DeleteVolume {
         name: self.name.clone(),
       })
       .await
@@ -916,7 +1087,7 @@ impl Resolve<ExecuteArgs> for DeleteVolume {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -926,10 +1097,19 @@ impl Resolve<ExecuteArgs> for DeleteVolume {
 }
 
 impl Resolve<ExecuteArgs> for PruneVolumes {
-  #[instrument(name = "PruneVolumes", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PruneVolumes",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -953,10 +1133,10 @@ impl Resolve<ExecuteArgs> for PruneVolumes {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log =
-      match periphery.request(api::volume::PruneVolumes {}).await {
+      match periphery.request(api::docker::PruneVolumes {}).await {
         Ok(log) => log,
         Err(e) => Log::error(
           "prune volumes",
@@ -968,7 +1148,7 @@ impl Resolve<ExecuteArgs> for PruneVolumes {
       };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -978,10 +1158,19 @@ impl Resolve<ExecuteArgs> for PruneVolumes {
 }
 
 impl Resolve<ExecuteArgs> for PruneDockerBuilders {
-  #[instrument(name = "PruneDockerBuilders", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PruneDockerBuilders",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -1005,7 +1194,7 @@ impl Resolve<ExecuteArgs> for PruneDockerBuilders {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log =
       match periphery.request(api::build::PruneBuilders {}).await {
@@ -1020,7 +1209,7 @@ impl Resolve<ExecuteArgs> for PruneDockerBuilders {
       };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -1030,10 +1219,19 @@ impl Resolve<ExecuteArgs> for PruneDockerBuilders {
 }
 
 impl Resolve<ExecuteArgs> for PruneBuildx {
-  #[instrument(name = "PruneBuildx", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PruneBuildx",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -1057,7 +1255,7 @@ impl Resolve<ExecuteArgs> for PruneBuildx {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log =
       match periphery.request(api::build::PruneBuildx {}).await {
@@ -1072,7 +1270,7 @@ impl Resolve<ExecuteArgs> for PruneBuildx {
       };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -1082,10 +1280,19 @@ impl Resolve<ExecuteArgs> for PruneBuildx {
 }
 
 impl Resolve<ExecuteArgs> for PruneSystem {
-  #[instrument(name = "PruneSystem", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PruneSystem",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      server = self.server,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
@@ -1109,7 +1316,7 @@ impl Resolve<ExecuteArgs> for PruneSystem {
 
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;
 
     let log = match periphery.request(api::PruneSystem {}).await {
       Ok(log) => log,
@@ -1123,7 +1330,7 @@ impl Resolve<ExecuteArgs> for PruneSystem {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;

bin/core/src/api/execute/stack.rs

@@ -1,19 +1,28 @@
+use std::{collections::HashSet, str::FromStr};
+
 use anyhow::Context;
+use database::mungos::mongodb::bson::{
+  doc, oid::ObjectId, to_bson, to_document,
+};
 use formatting::format_serror;
 use interpolate::Interpolator;
 use komodo_client::{
   api::{execute::*, write::RefreshStackCache},
   entities::{
+    FileContents,
     permission::PermissionLevel,
     repo::Repo,
     server::Server,
-    stack::{Stack, StackInfo},
+    stack::{
+      Stack, StackFileRequires, StackInfo, StackRemoteFileContents,
+    },
     update::{Log, Update},
+    user::User,
   },
 };
-use mungos::mongodb::bson::{doc, to_document};
 use periphery_client::api::compose::*;
 use resolver_api::Resolve;
+use uuid::Uuid;
 
 use crate::{
   api::write::WriteArgs,
@@ -21,7 +30,9 @@ use crate::{
     periphery_client,
     query::{VariablesAndSecrets, get_variables_and_secrets},
     stack_git_token,
-    update::{add_update_without_send, update_update},
+    update::{
+      add_update_without_send, init_execution_update, update_update,
+    },
   },
   monitor::update_cache_for_server,
   permission::get_check_permissions,
@@ -44,10 +55,18 @@ impl super::BatchExecute for BatchDeployStack {
 }
 
 impl Resolve<ExecuteArgs> for BatchDeployStack {
-  #[instrument(name = "BatchDeployStack", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchDeployStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchDeployStack>(&self.pattern, user)
@@ -57,10 +76,21 @@ impl Resolve<ExecuteArgs> for BatchDeployStack {
 }
 
 impl Resolve<ExecuteArgs> for DeployStack {
-  #[instrument(name = "DeployStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "DeployStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      services = format!("{:?}", self.services),
+      stop_time = self.stop_time,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (mut stack, server) = get_stack_and_server(
       &self.stack,
@@ -123,10 +153,10 @@ impl Resolve<ExecuteArgs> for DeployStack {
         Interpolator::new(Some(&variables), &secrets);
 
       interpolator.interpolate_stack(&mut stack)?;
-      if let Some(repo) = repo.as_mut() {
-        if !repo.config.skip_secret_interp {
-          interpolator.interpolate_repo(repo)?;
-        }
+      if let Some(repo) = repo.as_mut()
+        && !repo.config.skip_secret_interp
+      {
+        interpolator.interpolate_repo(repo)?;
       }
       interpolator.push_logs(&mut update.logs);
 
@@ -145,7 +175,8 @@ impl Resolve<ExecuteArgs> for DeployStack {
       compose_config,
       commit_hash,
       commit_message,
-    } = periphery_client(&server)?
+    } = periphery_client(&server)
+      .await?
       .request(ComposeUp {
         stack: stack.clone(),
         services: self.services,
@@ -179,7 +210,15 @@ impl Resolve<ExecuteArgs> for DeployStack {
       ) = if deployed {
         (
           Some(latest_services.clone()),
-          Some(file_contents.clone()),
+          Some(
+            file_contents
+              .iter()
+              .map(|f| FileContents {
+                path: f.path.clone(),
+                contents: f.contents.clone(),
+              })
+              .collect(),
+          ),
           compose_config,
           commit_hash.clone(),
           commit_message.clone(),
@@ -242,7 +281,7 @@ impl Resolve<ExecuteArgs> for DeployStack {
     }
 
     // Ensure cached stack state up to date by updating server cache
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -262,10 +301,18 @@ impl super::BatchExecute for BatchDeployStackIfChanged {
 }
 
 impl Resolve<ExecuteArgs> for BatchDeployStackIfChanged {
-  #[instrument(name = "BatchDeployStackIfChanged", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchDeployStackIfChanged",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchDeployStackIfChanged>(
@@ -278,10 +325,20 @@ impl Resolve<ExecuteArgs> for BatchDeployStackIfChanged {
 }
 
 impl Resolve<ExecuteArgs> for DeployStackIfChanged {
-  #[instrument(name = "DeployStackIfChanged", skip(user, update), fields(user_id = user.id))]
+  #[instrument(
+    "DeployStackIfChanged",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      stop_time = self.stop_time,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let stack = get_check_permissions::<Stack>(
       &self.stack,
@@ -289,62 +346,371 @@ impl Resolve<ExecuteArgs> for DeployStackIfChanged {
       PermissionLevel::Execute.into(),
     )
     .await?;
+
     RefreshStackCache {
       stack: stack.id.clone(),
     }
     .resolve(&WriteArgs { user: user.clone() })
     .await?;
+
     let stack = resource::get::<Stack>(&stack.id).await?;
-    let changed = match (
+
+    let action = match (
       &stack.info.deployed_contents,
       &stack.info.remote_contents,
     ) {
       (Some(deployed_contents), Some(latest_contents)) => {
-        let changed = || {
-          for latest in latest_contents {
-            let Some(deployed) = deployed_contents
-              .iter()
-              .find(|c| c.path == latest.path)
-            else {
-              return true;
-            };
-            if latest.contents != deployed.contents {
-              return true;
-            }
-          }
-          false
-        };
-        changed()
+        let services = stack
+          .info
+          .latest_services
+          .iter()
+          .map(|s| s.service_name.clone())
+          .collect::<Vec<_>>();
+        resolve_deploy_if_changed_action(
+          deployed_contents,
+          latest_contents,
+          &services,
+        )
       }
-      (None, _) => true,
-      _ => false,
+      (None, _) => DeployIfChangedAction::FullDeploy,
+      _ => DeployIfChangedAction::Services {
+        deploy: Vec::new(),
+        restart: Vec::new(),
+      },
     };
 
     let mut update = update.clone();
 
-    if !changed {
-      update.push_simple_log(
-        "Diff compose files",
-        String::from("Deploy cancelled after no changes detected."),
-      );
-      update.finalize();
-      return Ok(update);
-    }
+    match action {
+      // Existing path pre 1.19.1
+      DeployIfChangedAction::FullDeploy => {
+        // Don't actually send it here, let the handler send it after it can set action state.
+        // This is usually done in crate::helpers::update::init_execution_update.
+        update.id = add_update_without_send(&update).await?;
 
-    // Don't actually send it here, let the handler send it after it can set action state.
-    // This is usually done in crate::helpers::update::init_execution_update.
-    update.id = add_update_without_send(&update).await?;
+        DeployStack {
+          stack: stack.name,
+          services: Vec::new(),
+          stop_time: self.stop_time,
+        }
+        .resolve(&ExecuteArgs {
+          user: user.clone(),
+          update,
+          id: *id,
+        })
+        .await
+      }
+      DeployIfChangedAction::FullRestart => {
+        // For git repo based stacks, need to do a
+        // PullStack in order to ensure latest repo contents on the
+        // host before restart.
+        maybe_pull_stack(&stack, Some(&mut update)).await?;
 
-    DeployStack {
-      stack: stack.name,
-      services: Vec::new(),
-      stop_time: self.stop_time,
+        let mut update =
+          restart_services(stack.name, Vec::new(), user).await?;
+
+        if update.success {
+          // Need to update 'info.deployed_contents' with the
+          // latest contents so next check doesn't read the same diff.
+          update_deployed_contents_with_latest(
+            &stack.id,
+            stack.info.remote_contents,
+            &mut update,
+          )
+          .await;
+        }
+
+        Ok(update)
+      }
+      DeployIfChangedAction::Services { deploy, restart } => {
+        match (deploy.is_empty(), restart.is_empty()) {
+          // Both empty, nothing to do
+          (true, true) => {
+            update.push_simple_log(
+              "Diff compose files",
+              String::from(
+                "Deploy cancelled after no changes detected.",
+              ),
+            );
+            update.finalize();
+            Ok(update)
+          }
+          // Only restart
+          (true, false) => {
+            // For git repo based stacks, need to do a
+            // PullStack in order to ensure latest repo contents on the
+            // host before restart. Only necessary if no "deploys" (deploy already pulls stack).
+            maybe_pull_stack(&stack, Some(&mut update)).await?;
+
+            let mut update =
+              restart_services(stack.name, restart, user).await?;
+
+            if update.success {
+              // Need to update 'info.deployed_contents' with the
+              // latest contents so next check doesn't read the same diff.
+              update_deployed_contents_with_latest(
+                &stack.id,
+                stack.info.remote_contents,
+                &mut update,
+              )
+              .await;
+            }
+
+            Ok(update)
+          }
+          // Only deploy
+          (false, true) => {
+            deploy_services(stack.name, deploy, user).await
+          }
+          // Deploy then restart, returning non-db update with executed services.
+          (false, false) => {
+            update.push_simple_log(
+              "Execute Deploys",
+              format!("Deploying: {}", deploy.join(", "),),
+            );
+            // This already updates 'stack.info.deployed_services',
+            // restart doesn't require this again.
+            let deploy_update =
+              deploy_services(stack.name.clone(), deploy, user)
+                .await?;
+            if !deploy_update.success {
+              update.push_error_log(
+                "Execute Deploys",
+                String::from("There was a failure in service deploy"),
+              );
+              update.finalize();
+              return Ok(update);
+            }
+
+            update.push_simple_log(
+              "Execute Restarts",
+              format!("Restarting: {}", restart.join(", "),),
+            );
+            let restart_update =
+              restart_services(stack.name, restart, user).await?;
+            if !restart_update.success {
+              update.push_error_log(
+                "Execute Restarts",
+                String::from(
+                  "There was a failure in a service restart",
+                ),
+              );
+            }
+
+            update.finalize();
+            Ok(update)
+          }
+        }
+      }
     }
+  }
+}
+
+#[instrument(
+  "DeployStackServices",
+  skip_all,
+  fields(
+    stack = stack,
+    services = format!("{services:?}")
+  )
+)]
+async fn deploy_services(
+  stack: String,
+  services: Vec<String>,
+  user: &User,
+) -> serror::Result<Update> {
+  // The existing update is initialized to DeployStack,
+  // but also has not been created on database.
+  // Setup a new update here.
+  let req = ExecuteRequest::DeployStack(DeployStack {
+    stack,
+    services,
+    stop_time: None,
+  });
+  let update = init_execution_update(&req, user).await?;
+  let ExecuteRequest::DeployStack(req) = req else {
+    unreachable!()
+  };
+  req
     .resolve(&ExecuteArgs {
       user: user.clone(),
       update,
+      id: Uuid::new_v4(),
     })
     .await
+}
+
+#[instrument(
+  "RestartStackServices",
+  skip_all,
+  fields(
+    stack = stack,
+    services = format!("{services:?}")
+  )
+)]
+async fn restart_services(
+  stack: String,
+  services: Vec<String>,
+  user: &User,
+) -> serror::Result<Update> {
+  // The existing update is initialized to DeployStack,
+  // but also has not been created on database.
+  // Setup a new update here.
+  let req =
+    ExecuteRequest::RestartStack(RestartStack { stack, services });
+  let update = init_execution_update(&req, user).await?;
+  let ExecuteRequest::RestartStack(req) = req else {
+    unreachable!()
+  };
+  req
+    .resolve(&ExecuteArgs {
+      user: user.clone(),
+      update,
+      id: Uuid::new_v4(),
+    })
+    .await
+}
+
+/// This can safely be called in [DeployStackIfChanged]
+/// when there are ONLY changes to config files requiring restart,
+/// AFTER the restart has been successfully completed.
+///
+/// In the case the if changed action is not FullDeploy,
+/// the only file diff possible is to config files.
+/// Also note either full or service deploy will already update 'deployed_contents'
+/// making this method unnecessary in those cases.
+///
+/// Changes to config files after restart is applied should
+/// be taken as the deployed contents, otherwise next changed check
+/// will restart service again for no reason.
+#[instrument(
+  "UpdateStackDeployedContents",
+  skip_all,
+  fields(stack = id)
+)]
+async fn update_deployed_contents_with_latest(
+  id: &str,
+  contents: Option<Vec<StackRemoteFileContents>>,
+  update: &mut Update,
+) {
+  let Some(contents) = contents else {
+    return;
+  };
+  let contents = contents
+    .into_iter()
+    .map(|f| FileContents {
+      path: f.path,
+      contents: f.contents,
+    })
+    .collect::<Vec<_>>();
+  if let Err(e) = (async {
+    let contents = to_bson(&contents)
+      .context("Failed to serialize contents to bson")?;
+    let id =
+      ObjectId::from_str(id).context("Id is not valid ObjectId")?;
+    db_client()
+      .stacks
+      .update_one(
+        doc! { "_id": id },
+        doc! { "$set": { "info.deployed_contents": contents } },
+      )
+      .await
+      .context("Failed to update stack 'deployed_contents'")?;
+    anyhow::Ok(())
+  })
+  .await
+  {
+    update.push_error_log(
+      "Update content cache",
+      format_serror(&e.into()),
+    );
+    update.finalize();
+    let _ = update_update(update.clone()).await;
+  }
+}
+
+enum DeployIfChangedAction {
+  /// Changes to any compose or env files
+  /// always lead to this.
+  FullDeploy,
+  /// If the above is not met, then changes to
+  /// any changed additional file with `requires = "Restart"`
+  /// and empty services array will lead to this.
+  FullRestart,
+  /// If all changed additional files have specific services
+  /// they depend on, collect the final necessary
+  /// services to deploy / restart.
+  /// If eg `deploy` is empty, no services will be redeployed, same for `restart`.
+  /// If both are empty, nothing is to be done.
+  Services {
+    deploy: Vec<String>,
+    restart: Vec<String>,
+  },
+}
+
+fn resolve_deploy_if_changed_action(
+  deployed_contents: &[FileContents],
+  latest_contents: &[StackRemoteFileContents],
+  all_services: &[String],
+) -> DeployIfChangedAction {
+  let mut full_restart = false;
+  let mut deploy = HashSet::<String>::new();
+  let mut restart = HashSet::<String>::new();
+
+  for latest in latest_contents {
+    let Some(deployed) =
+      deployed_contents.iter().find(|c| c.path == latest.path)
+    else {
+      // If file doesn't exist in deployed contents, do full
+      // deploy to align this.
+      return DeployIfChangedAction::FullDeploy;
+    };
+    // Ignore unchanged files
+    if latest.contents == deployed.contents {
+      continue;
+    }
+    match (latest.requires, latest.services.is_empty()) {
+      (StackFileRequires::Redeploy, true) => {
+        // File has requires = "Redeploy" at global level.
+        // Can do early return here.
+        return DeployIfChangedAction::FullDeploy;
+      }
+      (StackFileRequires::Redeploy, false) => {
+        // Requires redeploy on specific services
+        deploy.extend(latest.services.clone());
+      }
+      (StackFileRequires::Restart, true) => {
+        // Services empty -> Full restart
+        full_restart = true;
+      }
+      (StackFileRequires::Restart, false) => {
+        restart.extend(latest.services.clone());
+      }
+      (StackFileRequires::None, _) => {
+        // File can be ignored even with changes.
+        continue;
+      }
+    }
+  }
+
+  match (full_restart, deploy.is_empty()) {
+    // Full restart required with NO deploys needed -> Full Restart
+    (true, true) => DeployIfChangedAction::FullRestart,
+    // Full restart required WITH deploys needed -> Deploy those, restart all others
+    (true, false) => DeployIfChangedAction::Services {
+      restart: all_services
+        .iter()
+        // Only keep ones that don't need deploy
+        .filter(|&s| !deploy.contains(s))
+        .cloned()
+        .collect(),
+      deploy: deploy.into_iter().collect(),
+    },
+    // No full restart needed -> Deploy / restart as. pickedup.
+    (false, _) => DeployIfChangedAction::Services {
+      deploy: deploy.into_iter().collect(),
+      restart: restart.into_iter().collect(),
+    },
   }
 }
 
@@ -359,10 +725,18 @@ impl super::BatchExecute for BatchPullStack {
 }
 
 impl Resolve<ExecuteArgs> for BatchPullStack {
-  #[instrument(name = "BatchPullStack", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchPullStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchPullStack>(&self.pattern, user)
@@ -371,6 +745,39 @@ impl Resolve<ExecuteArgs> for BatchPullStack {
   }
 }
 
+async fn maybe_pull_stack(
+  stack: &Stack,
+  update: Option<&mut Update>,
+) -> anyhow::Result<()> {
+  if stack.config.files_on_host
+    || (stack.config.repo.is_empty()
+      && stack.config.linked_repo.is_empty())
+  {
+    // Not repo based, no pull necessary
+    return Ok(());
+  }
+  let server =
+    resource::get::<Server>(&stack.config.server_id).await?;
+  let repo = if stack.config.repo.is_empty()
+    && !stack.config.linked_repo.is_empty()
+  {
+    Some(resource::get::<Repo>(&stack.config.linked_repo).await?)
+  } else {
+    None
+  };
+  pull_stack_inner(stack.clone(), Vec::new(), &server, repo, update)
+    .await?;
+  Ok(())
+}
+
+#[instrument(
+  "PullStackInner",
+  skip_all,
+  fields(
+    stack = stack.id,
+    services = format!("{services:?}"),
+  )
+)]
 pub async fn pull_stack_inner(
   mut stack: Stack,
   services: Vec<String>,
@@ -378,16 +785,16 @@ pub async fn pull_stack_inner(
   mut repo: Option<Repo>,
   mut update: Option<&mut Update>,
 ) -> anyhow::Result<ComposePullResponse> {
-  if let Some(update) = update.as_mut() {
-    if !services.is_empty() {
-      update.logs.push(Log::simple(
-        "Service/s",
-        format!(
-          "Execution requested for Stack service/s {}",
-          services.join(", ")
-        ),
-      ))
-    }
+  if let Some(update) = update.as_mut()
+    && !services.is_empty()
+  {
+    update.logs.push(Log::simple(
+      "Service/s",
+      format!(
+        "Execution requested for Stack service/s {}",
+        services.join(", ")
+      ),
+    ))
   }
 
   let git_token = stack_git_token(&mut stack, repo.as_mut()).await?;
@@ -408,10 +815,10 @@ pub async fn pull_stack_inner(
       Interpolator::new(Some(&variables), &secrets);
 
     interpolator.interpolate_stack(&mut stack)?;
-    if let Some(repo) = repo.as_mut() {
-      if !repo.config.skip_secret_interp {
-        interpolator.interpolate_repo(repo)?;
-      }
+    if let Some(repo) = repo.as_mut()
+      && !repo.config.skip_secret_interp
+    {
+      interpolator.interpolate_repo(repo)?;
     }
     if let Some(update) = update {
       interpolator.push_logs(&mut update.logs);
@@ -421,7 +828,8 @@ pub async fn pull_stack_inner(
     Default::default()
   };
 
-  let res = periphery_client(server)?
+  let res = periphery_client(server)
+    .await?
     .request(ComposePull {
       stack,
       services,
@@ -433,16 +841,26 @@ pub async fn pull_stack_inner(
     .await?;
 
   // Ensure cached stack state up to date by updating server cache
-  update_cache_for_server(server).await;
+  update_cache_for_server(server, true).await;
 
   Ok(res)
 }
 
 impl Resolve<ExecuteArgs> for PullStack {
-  #[instrument(name = "PullStack", skip(user, update), fields(user_id = user.id))]
+  #[instrument(
+    "PullStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      services = format!("{:?}", self.services),
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let (stack, server) = get_stack_and_server(
       &self.stack,
@@ -492,10 +910,20 @@ impl Resolve<ExecuteArgs> for PullStack {
 }
 
 impl Resolve<ExecuteArgs> for StartStack {
-  #[instrument(name = "StartStack", skip(user, update), fields(user_id = user.id))]
+  #[instrument(
+    "StartStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      services = format!("{:?}", self.services),
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     execute_compose::<StartStack>(
       &self.stack,
@@ -511,10 +939,20 @@ impl Resolve<ExecuteArgs> for StartStack {
 }
 
 impl Resolve<ExecuteArgs> for RestartStack {
-  #[instrument(name = "RestartStack", skip(user, update), fields(user_id = user.id))]
+  #[instrument(
+    "RestartStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      services = format!("{:?}", self.services),
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     execute_compose::<RestartStack>(
       &self.stack,
@@ -532,10 +970,20 @@ impl Resolve<ExecuteArgs> for RestartStack {
 }
 
 impl Resolve<ExecuteArgs> for PauseStack {
-  #[instrument(name = "PauseStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PauseStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      services = format!("{:?}", self.services),
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     execute_compose::<PauseStack>(
       &self.stack,
@@ -551,10 +999,20 @@ impl Resolve<ExecuteArgs> for PauseStack {
 }
 
 impl Resolve<ExecuteArgs> for UnpauseStack {
-  #[instrument(name = "UnpauseStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "UnpauseStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      services = format!("{:?}", self.services),
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     execute_compose::<UnpauseStack>(
       &self.stack,
@@ -570,10 +1028,20 @@ impl Resolve<ExecuteArgs> for UnpauseStack {
 }
 
 impl Resolve<ExecuteArgs> for StopStack {
-  #[instrument(name = "StopStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "StopStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      services = format!("{:?}", self.services),
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     execute_compose::<StopStack>(
       &self.stack,
@@ -601,10 +1069,18 @@ impl super::BatchExecute for BatchDestroyStack {
 }
 
 impl Resolve<ExecuteArgs> for BatchDestroyStack {
-  #[instrument(name = "BatchDestroyStack", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchDestroyStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
   ) -> serror::Result<BatchExecutionResponse> {
     super::batch_execute::<BatchDestroyStack>(&self.pattern, user)
       .await
@@ -613,10 +1089,22 @@ impl Resolve<ExecuteArgs> for BatchDestroyStack {
 }
 
 impl Resolve<ExecuteArgs> for DestroyStack {
-  #[instrument(name = "DestroyStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "DestroyStack",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      services = format!("{:?}", self.services),
+      remove_orphans = self.remove_orphans,
+      stop_time = self.stop_time,
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     execute_compose::<DestroyStack>(
       &self.stack,
@@ -630,3 +1118,107 @@ impl Resolve<ExecuteArgs> for DestroyStack {
     .map_err(Into::into)
   }
 }
+
+impl Resolve<ExecuteArgs> for RunStackService {
+  #[instrument(
+    "RunStackService",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      stack = self.stack,
+      service = self.service,
+      request = format!("{self:?}"),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (mut stack, server) = get_stack_and_server(
+      &self.stack,
+      user,
+      PermissionLevel::Execute.into(),
+      true,
+    )
+    .await?;
+
+    let mut repo = if !stack.config.files_on_host
+      && !stack.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&stack.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
+    let action_state =
+      action_states().stack.get_or_insert_default(&stack.id).await;
+
+    let _action_guard =
+      action_state.update(|state| state.deploying = true)?;
+
+    let mut update = update.clone();
+    update_update(update.clone()).await?;
+
+    let git_token =
+      stack_git_token(&mut stack, repo.as_mut()).await?;
+
+    let registry_token = crate::helpers::registry_token(
+      &stack.config.registry_provider,
+      &stack.config.registry_account,
+    ).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {} | {}", stack.config.registry_provider, stack.config.registry_account),
+    )?;
+
+    let secret_replacers = if !stack.config.skip_secret_interp {
+      let VariablesAndSecrets { variables, secrets } =
+        get_variables_and_secrets().await?;
+
+      let mut interpolator =
+        Interpolator::new(Some(&variables), &secrets);
+
+      interpolator.interpolate_stack(&mut stack)?;
+      if let Some(repo) = repo.as_mut()
+        && !repo.config.skip_secret_interp
+      {
+        interpolator.interpolate_repo(repo)?;
+      }
+      interpolator.push_logs(&mut update.logs);
+
+      interpolator.secret_replacers
+    } else {
+      Default::default()
+    };
+
+    let log = periphery_client(&server)
+      .await?
+      .request(ComposeRun {
+        stack,
+        repo,
+        git_token,
+        registry_token,
+        replacers: secret_replacers.into_iter().collect(),
+        service: self.service,
+        command: self.command,
+        no_tty: self.no_tty,
+        no_deps: self.no_deps,
+        detach: self.detach,
+        service_ports: self.service_ports,
+        env: self.env,
+        workdir: self.workdir,
+        user: self.user,
+        entrypoint: self.entrypoint,
+        pull: self.pull,
+      })
+      .await?;
+
+    update.logs.push(log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/sync.rs

@@ -1,6 +1,10 @@
 use std::{collections::HashMap, str::FromStr};
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  mongodb::bson::{doc, oid::ObjectId},
+};
 use formatting::{Color, colored, format_serror};
 use komodo_client::{
   api::{execute::RunSync, write::RefreshResourceSyncPending},
@@ -22,8 +26,6 @@ use komodo_client::{
     user::sync_user,
   },
 };
-use mongo_indexed::doc;
-use mungos::{by_id::update_one_by_id, mongodb::bson::oid::ObjectId};
 use resolver_api::Resolve;
 
 use crate::{
@@ -47,10 +49,21 @@ use crate::{
 use super::ExecuteArgs;
 
 impl Resolve<ExecuteArgs> for RunSync {
-  #[instrument(name = "RunSync", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RunSync",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      sync = self.sync,
+      resource_type = format!("{:?}", self.resource_type),
+      resources = format!("{:?}", self.resources),
+    )
+  )]
   async fn resolve(
     self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
   ) -> serror::Result<Update> {
     let RunSync {
       sync,
@@ -75,10 +88,8 @@ impl Resolve<ExecuteArgs> for RunSync {
     };
 
     // get the action state for the sync (or insert default).
-    let action_state = action_states()
-      .resource_sync
-      .get_or_insert_default(&sync.id)
-      .await;
+    let action_state =
+      action_states().sync.get_or_insert_default(&sync.id).await;
 
     // This will set action state back to default when dropped.
     // Will also check to ensure sync not already busy before updating.
@@ -125,34 +136,10 @@ impl Resolve<ExecuteArgs> for RunSync {
           };
           match ObjectId::from_str(&name_or_id) {
             Ok(_) => match resource_type {
-              ResourceTargetVariant::Alerter => all_resources
-                .alerters
+              ResourceTargetVariant::Swarm => all_resources
+                .swarms
                 .get(&name_or_id)
-                .map(|a| a.name.clone()),
-              ResourceTargetVariant::Build => all_resources
-                .builds
-                .get(&name_or_id)
-                .map(|b| b.name.clone()),
-              ResourceTargetVariant::Builder => all_resources
-                .builders
-                .get(&name_or_id)
-                .map(|b| b.name.clone()),
-              ResourceTargetVariant::Deployment => all_resources
-                .deployments
-                .get(&name_or_id)
-                .map(|d| d.name.clone()),
-              ResourceTargetVariant::Procedure => all_resources
-                .procedures
-                .get(&name_or_id)
-                .map(|p| p.name.clone()),
-              ResourceTargetVariant::Action => all_resources
-                .actions
-                .get(&name_or_id)
-                .map(|p| p.name.clone()),
-              ResourceTargetVariant::Repo => all_resources
-                .repos
-                .get(&name_or_id)
-                .map(|r| r.name.clone()),
+                .map(|s| s.name.clone()),
               ResourceTargetVariant::Server => all_resources
                 .servers
                 .get(&name_or_id)
@@ -161,10 +148,38 @@ impl Resolve<ExecuteArgs> for RunSync {
                 .stacks
                 .get(&name_or_id)
                 .map(|s| s.name.clone()),
+              ResourceTargetVariant::Deployment => all_resources
+                .deployments
+                .get(&name_or_id)
+                .map(|d| d.name.clone()),
+              ResourceTargetVariant::Build => all_resources
+                .builds
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Repo => all_resources
+                .repos
+                .get(&name_or_id)
+                .map(|r| r.name.clone()),
+              ResourceTargetVariant::Procedure => all_resources
+                .procedures
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
+              ResourceTargetVariant::Action => all_resources
+                .actions
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
               ResourceTargetVariant::ResourceSync => all_resources
                 .syncs
                 .get(&name_or_id)
                 .map(|s| s.name.clone()),
+              ResourceTargetVariant::Builder => all_resources
+                .builders
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Alerter => all_resources
+                .alerters
+                .get(&name_or_id)
+                .map(|a| a.name.clone()),
               ResourceTargetVariant::System => None,
             },
             Err(_) => Some(name_or_id),

bin/core/src/api/listener/integrations/github.rs

@@ -5,10 +5,9 @@ use hmac::{Hmac, Mac};
 use serde::Deserialize;
 use sha2::Sha256;
 
-use crate::{
-  config::core_config,
-  listener::{VerifyBranch, VerifySecret},
-};
+use crate::config::core_config;
+
+use super::{ExtractBranch, VerifySecret};
 
 type HmacSha256 = Hmac<Sha256>;
 
@@ -18,7 +17,7 @@ pub struct Github;
 impl VerifySecret for Github {
   #[instrument("VerifyGithubSecret", skip_all)]
   fn verify_secret(
-    headers: HeaderMap,
+    headers: &HeaderMap,
     body: &str,
     custom_secret: &str,
   ) -> anyhow::Result<()> {
@@ -53,19 +52,12 @@ struct GithubWebhookBody {
   branch: String,
 }
 
-impl VerifyBranch for Github {
-  fn verify_branch(
-    body: &str,
-    expected_branch: &str,
-  ) -> anyhow::Result<()> {
+impl ExtractBranch for Github {
+  fn extract_branch(body: &str) -> anyhow::Result<String> {
     let branch = serde_json::from_str::<GithubWebhookBody>(body)
       .context("Failed to parse github request body")?
       .branch
       .replace("refs/heads/", "");
-    if branch == expected_branch {
-      Ok(())
-    } else {
-      Err(anyhow!("request branch does not match expected"))
-    }
+    Ok(branch)
   }
 }

bin/core/src/api/listener/integrations/gitlab.rs

@@ -1,10 +1,10 @@
 use anyhow::{Context, anyhow};
+use axum::http::HeaderMap;
 use serde::Deserialize;
 
-use crate::{
-  config::core_config,
-  listener::{VerifyBranch, VerifySecret},
-};
+use crate::config::core_config;
+
+use super::{ExtractBranch, VerifySecret};
 
 /// Listener implementation for Gitlab type API
 pub struct Gitlab;
@@ -12,7 +12,7 @@ pub struct Gitlab;
 impl VerifySecret for Gitlab {
   #[instrument("VerifyGitlabSecret", skip_all)]
   fn verify_secret(
-    headers: axum::http::HeaderMap,
+    headers: &HeaderMap,
     _body: &str,
     custom_secret: &str,
   ) -> anyhow::Result<()> {
@@ -40,19 +40,12 @@ struct GitlabWebhookBody {
   branch: String,
 }
 
-impl VerifyBranch for Gitlab {
-  fn verify_branch(
-    body: &str,
-    expected_branch: &str,
-  ) -> anyhow::Result<()> {
+impl ExtractBranch for Gitlab {
+  fn extract_branch(body: &str) -> anyhow::Result<String> {
     let branch = serde_json::from_str::<GitlabWebhookBody>(body)
       .context("Failed to parse gitlab request body")?
       .branch
       .replace("refs/heads/", "");
-    if branch == expected_branch {
-      Ok(())
-    } else {
-      Err(anyhow!("request branch does not match expected"))
-    }
+    Ok(branch)
   }
 }

bin/core/src/api/listener/integrations/mod.rs

@@ -0,0 +1,4 @@
+pub mod github;
+pub mod gitlab;
+
+use super::{ExtractBranch, VerifySecret};

bin/core/src/api/listener/mod.rs

@@ -1,10 +1,12 @@
 use std::sync::Arc;
 
+use anyhow::anyhow;
 use axum::{Router, http::HeaderMap};
+use cache::CloneCache;
 use komodo_client::entities::resource::Resource;
 use tokio::sync::Mutex;
 
-use crate::{helpers::cache::Cache, resource::KomodoResource};
+use crate::resource::KomodoResource;
 
 mod integrations;
 mod resources;
@@ -18,7 +20,7 @@ pub fn router() -> Router {
     .nest("/gitlab", router::router::<gitlab::Gitlab>())
 }
 
-type ListenerLockCache = Cache<String, Arc<Mutex<()>>>;
+type ListenerLockCache = CloneCache<String, Arc<Mutex<()>>>;
 
 /// Implemented for all resources which can recieve webhook.
 trait CustomSecret: KomodoResource {
@@ -30,20 +32,23 @@ trait CustomSecret: KomodoResource {
 /// Implemented on the integration struct, eg [integrations::github::Github]
 trait VerifySecret {
   fn verify_secret(
-    headers: HeaderMap,
+    headers: &HeaderMap,
     body: &str,
     custom_secret: &str,
   ) -> anyhow::Result<()>;
 }
 
 /// Implemented on the integration struct, eg [integrations::github::Github]
-trait VerifyBranch {
-  /// Returns Err if the branch extracted from request
-  /// body does not match the expected branch.
-  fn verify_branch(
-    body: &str,
-    expected_branch: &str,
-  ) -> anyhow::Result<()>;
+trait ExtractBranch {
+  fn extract_branch(body: &str) -> anyhow::Result<String>;
+  fn verify_branch(body: &str, expected: &str) -> anyhow::Result<()> {
+    let branch = Self::extract_branch(body)?;
+    if branch == expected {
+      Ok(())
+    } else {
+      Err(anyhow!("request branch does not match expected"))
+    }
+  }
 }
 
 /// For Procedures and Actions, incoming webhook

bin/core/src/api/listener/resources.rs

@@ -1,6 +1,6 @@
-use std::sync::OnceLock;
+use std::{str::FromStr, sync::OnceLock};
 
-use anyhow::anyhow;
+use anyhow::{Context, anyhow};
 use komodo_client::{
   api::{
     execute::*,
@@ -13,6 +13,8 @@ use komodo_client::{
 };
 use resolver_api::Resolve;
 use serde::Deserialize;
+use serde_json::json;
+use uuid::Uuid;
 
 use crate::{
   api::{
@@ -20,6 +22,7 @@ use crate::{
     write::WriteArgs,
   },
   helpers::update::init_execution_update,
+  resource,
 };
 
 use super::{ANY_BRANCH, ListenerLockCache};
@@ -39,21 +42,32 @@ fn build_locks() -> &'static ListenerLockCache {
   BUILD_LOCKS.get_or_init(Default::default)
 }
 
-pub async fn handle_build_webhook<B: super::VerifyBranch>(
+pub async fn handle_build_webhook<B: super::ExtractBranch>(
   build: Build,
   body: String,
 ) -> anyhow::Result<()> {
+  if !build.config.webhook_enabled {
+    return Ok(());
+  }
+
   // Acquire and hold lock to make a task queue for
   // subsequent listener calls on same resource.
   // It would fail if we let it go through from action state busy.
   let lock = build_locks().get_or_insert_default(&build.id).await;
   let _lock = lock.lock().await;
 
-  if !build.config.webhook_enabled {
-    return Err(anyhow!("build does not have webhook enabled"));
-  }
+  // Use the correct target branch when using linked repo.
+  let branch = if build.config.linked_repo.is_empty() {
+    build.config.branch
+  } else {
+    resource::get::<Repo>(&build.config.linked_repo)
+      .await
+      .context("Failed to find 'linked_repo'")?
+      .config
+      .branch
+  };
 
-  B::verify_branch(&body, &build.config.branch)?;
+  B::verify_branch(&body, &branch)?;
 
   let user = git_webhook_user().to_owned();
   let req = ExecuteRequest::RunBuild(RunBuild { build: build.id });
@@ -62,7 +76,11 @@ pub async fn handle_build_webhook<B: super::VerifyBranch>(
     unreachable!()
   };
   req
-    .resolve(&ExecuteArgs { user, update })
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      id: Uuid::new_v4(),
+    })
     .await
     .map_err(|e| e.error)?;
   Ok(())
@@ -100,7 +118,11 @@ impl RepoExecution for CloneRepo {
       unreachable!()
     };
     req
-      .resolve(&ExecuteArgs { user, update })
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        id: Uuid::new_v4(),
+      })
       .await
       .map_err(|e| e.error)?;
     Ok(())
@@ -120,7 +142,11 @@ impl RepoExecution for PullRepo {
       unreachable!()
     };
     req
-      .resolve(&ExecuteArgs { user, update })
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        id: Uuid::new_v4(),
+      })
       .await
       .map_err(|e| e.error)?;
     Ok(())
@@ -140,7 +166,11 @@ impl RepoExecution for BuildRepo {
       unreachable!()
     };
     req
-      .resolve(&ExecuteArgs { user, update })
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        id: Uuid::new_v4(),
+      })
       .await
       .map_err(|e| e.error)?;
     Ok(())
@@ -155,7 +185,7 @@ pub enum RepoWebhookOption {
   Build,
 }
 
-pub async fn handle_repo_webhook<B: super::VerifyBranch>(
+pub async fn handle_repo_webhook<B: super::ExtractBranch>(
   option: RepoWebhookOption,
   repo: Repo,
   body: String,
@@ -174,22 +204,22 @@ pub async fn handle_repo_webhook<B: super::VerifyBranch>(
 }
 
 async fn handle_repo_webhook_inner<
-  B: super::VerifyBranch,
+  B: super::ExtractBranch,
   E: RepoExecution,
 >(
   repo: Repo,
   body: String,
 ) -> anyhow::Result<()> {
+  if !repo.config.webhook_enabled {
+    return Ok(());
+  }
+
   // Acquire and hold lock to make a task queue for
   // subsequent listener calls on same resource.
   // It would fail if we let it go through from action state busy.
   let lock = repo_locks().get_or_insert_default(&repo.id).await;
   let _lock = lock.lock().await;
 
-  if !repo.config.webhook_enabled {
-    return Err(anyhow!("repo does not have webhook enabled"));
-  }
-
   B::verify_branch(&body, &repo.config.branch)?;
 
   E::resolve(repo).await
@@ -239,7 +269,11 @@ impl StackExecution for DeployStack {
         unreachable!()
       };
       req
-        .resolve(&ExecuteArgs { user, update })
+        .resolve(&ExecuteArgs {
+          user,
+          update,
+          id: Uuid::new_v4(),
+        })
         .await
         .map_err(|e| e.error)?;
     } else {
@@ -253,7 +287,11 @@ impl StackExecution for DeployStack {
         unreachable!()
       };
       req
-        .resolve(&ExecuteArgs { user, update })
+        .resolve(&ExecuteArgs {
+          user,
+          update,
+          id: Uuid::new_v4(),
+        })
         .await
         .map_err(|e| e.error)?;
     }
@@ -269,7 +307,7 @@ pub enum StackWebhookOption {
   Deploy,
 }
 
-pub async fn handle_stack_webhook<B: super::VerifyBranch>(
+pub async fn handle_stack_webhook<B: super::ExtractBranch>(
   option: StackWebhookOption,
   stack: Stack,
   body: String,
@@ -286,23 +324,34 @@ pub async fn handle_stack_webhook<B: super::VerifyBranch>(
 }
 
 pub async fn handle_stack_webhook_inner<
-  B: super::VerifyBranch,
+  B: super::ExtractBranch,
   E: StackExecution,
 >(
   stack: Stack,
   body: String,
 ) -> anyhow::Result<()> {
+  if !stack.config.webhook_enabled {
+    return Ok(());
+  }
+
   // Acquire and hold lock to make a task queue for
   // subsequent listener calls on same resource.
   // It would fail if we let it go through, from "action state busy".
   let lock = stack_locks().get_or_insert_default(&stack.id).await;
   let _lock = lock.lock().await;
 
-  if !stack.config.webhook_enabled {
-    return Err(anyhow!("stack does not have webhook enabled"));
-  }
+  // Use the correct target branch when using linked repo.
+  let branch = if stack.config.linked_repo.is_empty() {
+    stack.config.branch.clone()
+  } else {
+    resource::get::<Repo>(&stack.config.linked_repo)
+      .await
+      .context("Failed to find 'linked_repo'")?
+      .config
+      .branch
+  };
 
-  B::verify_branch(&body, &stack.config.branch)?;
+  B::verify_branch(&body, &branch)?;
 
   E::resolve(stack).await.map_err(|e| e.error)
 }
@@ -351,7 +400,11 @@ impl SyncExecution for RunSync {
       unreachable!()
     };
     req
-      .resolve(&ExecuteArgs { user, update })
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        id: Uuid::new_v4(),
+      })
       .await
       .map_err(|e| e.error)?;
     Ok(())
@@ -365,7 +418,7 @@ pub enum SyncWebhookOption {
   Sync,
 }
 
-pub async fn handle_sync_webhook<B: super::VerifyBranch>(
+pub async fn handle_sync_webhook<B: super::ExtractBranch>(
   option: SyncWebhookOption,
   sync: ResourceSync,
   body: String,
@@ -384,23 +437,34 @@ pub async fn handle_sync_webhook<B: super::VerifyBranch>(
 }
 
 async fn handle_sync_webhook_inner<
-  B: super::VerifyBranch,
+  B: super::ExtractBranch,
   E: SyncExecution,
 >(
   sync: ResourceSync,
   body: String,
 ) -> anyhow::Result<()> {
+  if !sync.config.webhook_enabled {
+    return Ok(());
+  }
+
   // Acquire and hold lock to make a task queue for
   // subsequent listener calls on same resource.
   // It would fail if we let it go through from action state busy.
   let lock = sync_locks().get_or_insert_default(&sync.id).await;
   let _lock = lock.lock().await;
 
-  if !sync.config.webhook_enabled {
-    return Err(anyhow!("sync does not have webhook enabled"));
-  }
+  // Use the correct target branch when using linked repo.
+  let branch = if sync.config.linked_repo.is_empty() {
+    sync.config.branch.clone()
+  } else {
+    resource::get::<Repo>(&sync.config.linked_repo)
+      .await
+      .context("Failed to find 'linked_repo'")?
+      .config
+      .branch
+  };
 
-  B::verify_branch(&body, &sync.config.branch)?;
+  B::verify_branch(&body, &branch)?;
 
   E::resolve(sync).await
 }
@@ -421,11 +485,15 @@ fn procedure_locks() -> &'static ListenerLockCache {
   PROCEDURE_LOCKS.get_or_init(Default::default)
 }
 
-pub async fn handle_procedure_webhook<B: super::VerifyBranch>(
+pub async fn handle_procedure_webhook<B: super::ExtractBranch>(
   procedure: Procedure,
   target_branch: &str,
   body: String,
 ) -> anyhow::Result<()> {
+  if !procedure.config.webhook_enabled {
+    return Ok(());
+  }
+
   // Acquire and hold lock to make a task queue for
   // subsequent listener calls on same resource.
   // It would fail if we let it go through from action state busy.
@@ -433,10 +501,6 @@ pub async fn handle_procedure_webhook<B: super::VerifyBranch>(
     procedure_locks().get_or_insert_default(&procedure.id).await;
   let _lock = lock.lock().await;
 
-  if !procedure.config.webhook_enabled {
-    return Err(anyhow!("procedure does not have webhook enabled"));
-  }
-
   if target_branch != ANY_BRANCH {
     B::verify_branch(&body, target_branch)?;
   }
@@ -450,7 +514,11 @@ pub async fn handle_procedure_webhook<B: super::VerifyBranch>(
     unreachable!()
   };
   req
-    .resolve(&ExecuteArgs { user, update })
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      id: Uuid::new_v4(),
+    })
     .await
     .map_err(|e| e.error)?;
   Ok(())
@@ -471,34 +539,52 @@ fn action_locks() -> &'static ListenerLockCache {
   ACTION_LOCKS.get_or_init(Default::default)
 }
 
-pub async fn handle_action_webhook<B: super::VerifyBranch>(
+pub async fn handle_action_webhook<B: super::ExtractBranch>(
   action: Action,
   target_branch: &str,
   body: String,
 ) -> anyhow::Result<()> {
+  if !action.config.webhook_enabled {
+    return Ok(());
+  }
+
   // Acquire and hold lock to make a task queue for
   // subsequent listener calls on same resource.
   // It would fail if we let it go through from action state busy.
   let lock = action_locks().get_or_insert_default(&action.id).await;
   let _lock = lock.lock().await;
 
-  if !action.config.webhook_enabled {
-    return Err(anyhow!("action does not have webhook enabled"));
-  }
+  let branch = B::extract_branch(&body)?;
 
-  if target_branch != ANY_BRANCH {
-    B::verify_branch(&body, target_branch)?;
+  if target_branch != ANY_BRANCH && branch != target_branch {
+    return Err(anyhow!("request branch does not match expected"));
   }
 
   let user = git_webhook_user().to_owned();
-  let req =
-    ExecuteRequest::RunAction(RunAction { action: action.id });
+
+  let body = serde_json::Value::from_str(&body)
+    .context("Failed to deserialize webhook body")?;
+  let serde_json::Value::Object(args) = json!({
+    "WEBHOOK_BRANCH": branch,
+    "WEBHOOK_BODY": body,
+  }) else {
+    return Err(anyhow!("Something is wrong with serde_json..."));
+  };
+
+  let req = ExecuteRequest::RunAction(RunAction {
+    action: action.id,
+    args: args.into(),
+  });
   let update = init_execution_update(&req, &user).await?;
   let ExecuteRequest::RunAction(req) = req else {
     unreachable!()
   };
   req
-    .resolve(&ExecuteArgs { user, update })
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      id: Uuid::new_v4(),
+    })
     .await
     .map_err(|e| e.error)?;
   Ok(())

bin/core/src/api/listener/router.rs

@@ -1,17 +1,25 @@
-use axum::{Router, extract::Path, http::HeaderMap, routing::post};
+use std::net::{IpAddr, SocketAddr};
+
+use axum::{
+  Router,
+  extract::{ConnectInfo, Path},
+  http::HeaderMap,
+  routing::post,
+};
 use komodo_client::entities::{
   action::Action, build::Build, procedure::Procedure, repo::Repo,
   resource::Resource, stack::Stack, sync::ResourceSync,
 };
+use rate_limit::WithFailureRateLimit;
 use reqwest::StatusCode;
 use serde::Deserialize;
 use serror::AddStatusCode;
 use tracing::Instrument;
 
-use crate::resource::KomodoResource;
+use crate::{resource::KomodoResource, state::auth_rate_limiter};
 
 use super::{
-  CustomSecret, VerifyBranch, VerifySecret,
+  CustomSecret, ExtractBranch, VerifySecret,
   resources::{
     RepoWebhookOption, StackWebhookOption, SyncWebhookOption,
     handle_action_webhook, handle_build_webhook,
@@ -42,14 +50,14 @@ fn default_branch() -> String {
   String::from("main")
 }
 
-pub fn router<P: VerifySecret + VerifyBranch>() -> Router {
+pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
   Router::new()
   .route(
     "/build/{id}",
     post(
-      |Path(Id { id }), headers: HeaderMap, body: String| async move {
+      |Path(Id { id }), headers: HeaderMap, ConnectInfo(info): ConnectInfo<SocketAddr>, body: String| async move {
         let build =
-          auth_webhook::<P, Build>(&id, headers, &body).await?;
+          auth_webhook::<P, Build>(&id, &headers, info.ip(), &body).await?;
         tokio::spawn(async move {
           let span = info_span!("BuildWebhook", id);
           async {
@@ -73,9 +81,9 @@ pub fn router<P: VerifySecret + VerifyBranch>() -> Router {
   .route(
     "/repo/{id}/{option}",
     post(
-      |Path(IdAndOption::<RepoWebhookOption> { id, option }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndOption::<RepoWebhookOption> { id, option }), headers: HeaderMap, ConnectInfo(info): ConnectInfo<SocketAddr>, body: String| async move {
         let repo =
-          auth_webhook::<P, Repo>(&id, headers, &body).await?;
+          auth_webhook::<P, Repo>(&id, &headers, info.ip(), &body).await?;
         tokio::spawn(async move {
           let span = info_span!("RepoWebhook", id);
           async {
@@ -99,9 +107,9 @@ pub fn router<P: VerifySecret + VerifyBranch>() -> Router {
   .route(
     "/stack/{id}/{option}",
     post(
-      |Path(IdAndOption::<StackWebhookOption> { id, option }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndOption::<StackWebhookOption> { id, option }), headers: HeaderMap, ConnectInfo(info): ConnectInfo<SocketAddr>, body: String| async move {
         let stack =
-          auth_webhook::<P, Stack>(&id, headers, &body).await?;
+          auth_webhook::<P, Stack>(&id, &headers, info.ip(), &body).await?;
         tokio::spawn(async move {
           let span = info_span!("StackWebhook", id);
           async {
@@ -125,9 +133,9 @@ pub fn router<P: VerifySecret + VerifyBranch>() -> Router {
   .route(
     "/sync/{id}/{option}",
     post(
-      |Path(IdAndOption::<SyncWebhookOption> { id, option }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndOption::<SyncWebhookOption> { id, option }), headers: HeaderMap, ConnectInfo(info): ConnectInfo<SocketAddr>, body: String| async move {
         let sync =
-          auth_webhook::<P, ResourceSync>(&id, headers, &body).await?;
+          auth_webhook::<P, ResourceSync>(&id, &headers, info.ip(), &body).await?;
         tokio::spawn(async move {
           let span = info_span!("ResourceSyncWebhook", id);
           async {
@@ -151,9 +159,9 @@ pub fn router<P: VerifySecret + VerifyBranch>() -> Router {
   .route(
     "/procedure/{id}/{branch}",
     post(
-      |Path(IdAndBranch { id, branch }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndBranch { id, branch }), headers: HeaderMap, ConnectInfo(info): ConnectInfo<SocketAddr>, body: String| async move {
         let procedure =
-          auth_webhook::<P, Procedure>(&id, headers, &body).await?;
+          auth_webhook::<P, Procedure>(&id, &headers, info.ip(), &body).await?;
         tokio::spawn(async move {
           let span = info_span!("ProcedureWebhook", id);
           async {
@@ -177,9 +185,9 @@ pub fn router<P: VerifySecret + VerifyBranch>() -> Router {
   .route(
     "/action/{id}/{branch}",
     post(
-      |Path(IdAndBranch { id, branch }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndBranch { id, branch }), headers: HeaderMap, ConnectInfo(info): ConnectInfo<SocketAddr>, body: String| async move {
         let action =
-          auth_webhook::<P, Action>(&id, headers, &body).await?;
+          auth_webhook::<P, Action>(&id, &headers, info.ip(), &body).await?;
         tokio::spawn(async move {
           let span = info_span!("ActionWebhook", id);
           async {
@@ -204,17 +212,26 @@ pub fn router<P: VerifySecret + VerifyBranch>() -> Router {
 
 async fn auth_webhook<P, R>(
   id: &str,
-  headers: HeaderMap,
+  headers: &HeaderMap,
+  ip: IpAddr,
   body: &str,
 ) -> serror::Result<Resource<R::Config, R::Info>>
 where
   P: VerifySecret,
   R: KomodoResource + CustomSecret,
 {
-  let resource = crate::resource::get::<R>(id)
-    .await
-    .status_code(StatusCode::BAD_REQUEST)?;
-  P::verify_secret(headers, body, R::custom_secret(&resource))
-    .status_code(StatusCode::UNAUTHORIZED)?;
-  Ok(resource)
+  async {
+    let resource = crate::resource::get::<R>(id)
+      .await
+      .status_code(StatusCode::BAD_REQUEST)?;
+    P::verify_secret(headers, body, R::custom_secret(&resource))
+      .status_code(StatusCode::UNAUTHORIZED)?;
+    serror::Result::Ok(resource)
+  }
+  .with_failure_rate_limit_using_headers(
+    auth_rate_limiter(),
+    headers,
+    Some(ip),
+  )
+  .await
 }

bin/core/src/api/mod.rs

@@ -1,11 +1,70 @@
+use axum::{
+  Router,
+  http::{HeaderName, HeaderValue},
+  routing::get,
+};
+use tower_http::{
+  services::{ServeDir, ServeFile},
+  set_header::SetResponseHeaderLayer,
+};
+
+use crate::{
+  config::{core_config, cors_layer},
+  ts_client,
+};
+
 pub mod auth;
 pub mod execute;
 pub mod read;
-pub mod terminal;
 pub mod user;
 pub mod write;
 
+mod listener;
+mod terminal;
+mod ws;
+
 #[derive(serde::Deserialize)]
 struct Variant {
   variant: String,
 }
+
+pub fn app() -> Router {
+  let config = core_config();
+
+  // Setup static frontend services
+  let frontend_path = &config.frontend_path;
+  let frontend_index =
+    ServeFile::new(format!("{frontend_path}/index.html"));
+  let serve_frontend = ServeDir::new(frontend_path)
+    .not_found_service(frontend_index.clone());
+
+  Router::new()
+    .route("/version", get(|| async { env!("CARGO_PKG_VERSION") }))
+    .nest("/auth", auth::router())
+    .nest("/user", user::router())
+    .nest("/read", read::router())
+    .nest("/write", write::router())
+    .nest("/execute", execute::router())
+    .nest("/terminal", terminal::router())
+    .nest("/listener", listener::router())
+    .nest("/ws", ws::router())
+    .nest("/client", ts_client::router())
+    .fallback_service(serve_frontend)
+    .layer(cors_layer())
+    .layer(SetResponseHeaderLayer::overriding(
+      HeaderName::from_static("x-content-type-options"),
+      HeaderValue::from_static("nosniff"),
+    ))
+    .layer(SetResponseHeaderLayer::overriding(
+      HeaderName::from_static("x-frame-options"),
+      HeaderValue::from_static("DENY"),
+    ))
+    .layer(SetResponseHeaderLayer::overriding(
+      HeaderName::from_static("x-xss-protection"),
+      HeaderValue::from_static("1; mode=block"),
+    ))
+    .layer(SetResponseHeaderLayer::overriding(
+      HeaderName::from_static("referrer-policy"),
+      HeaderValue::from_static("strict-origin-when-cross-origin"),
+    ))
+}

bin/core/src/api/read/action.rs

@@ -131,8 +131,8 @@ impl Resolve<ReadArgs> for GetActionsSummary {
           .unwrap_or_default()
           .get()?,
       ) {
-        (_, action_states) if action_states.running => {
-          res.running += 1;
+        (_, action_states) if action_states.running > 0 => {
+          res.running += action_states.running;
         }
         (ActionState::Ok, _) => res.ok += 1,
         (ActionState::Failed, _) => res.failed += 1,

bin/core/src/api/read/alert.rs

@@ -1,22 +1,22 @@
 use anyhow::Context;
+use database::mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
 use komodo_client::{
   api::read::{
     GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
   },
   entities::{
-    deployment::Deployment, server::Server, stack::Stack,
-    sync::ResourceSync,
+    deployment::Deployment, permission::PermissionLevel,
+    server::Server, stack::Stack, sync::ResourceSync,
   },
 };
-use mungos::{
-  by_id::find_one_by_id,
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use resolver_api::Resolve;
 
 use crate::{
-  config::core_config, permission::get_resource_ids_for_user,
+  config::core_config, permission::list_resource_ids_for_user,
   state::db_client,
 };
 
@@ -31,14 +31,29 @@ impl Resolve<ReadArgs> for ListAlerts {
   ) -> serror::Result<ListAlertsResponse> {
     let mut query = self.query.unwrap_or_default();
     if !user.admin && !core_config().transparent_mode {
-      let server_ids =
-        get_resource_ids_for_user::<Server>(user).await?;
-      let stack_ids =
-        get_resource_ids_for_user::<Stack>(user).await?;
-      let deployment_ids =
-        get_resource_ids_for_user::<Deployment>(user).await?;
-      let sync_ids =
-        get_resource_ids_for_user::<ResourceSync>(user).await?;
+      let (server_ids, stack_ids, deployment_ids, sync_ids) = tokio::try_join!(
+        list_resource_ids_for_user::<Server>(
+          None,
+          user,
+          PermissionLevel::Read.into(),
+        ),
+        list_resource_ids_for_user::<Stack>(
+          None,
+          user,
+          PermissionLevel::Read.into(),
+        ),
+        list_resource_ids_for_user::<Deployment>(
+          None,
+          user,
+          PermissionLevel::Read.into(),
+        ),
+        list_resource_ids_for_user::<ResourceSync>(
+          None,
+          user,
+          PermissionLevel::Read.into(),
+        )
+      )?;
+      // All of the vecs will be non-none if !admin and !transparent mode.
       query.extend(doc! {
         "$or": [
           { "target.type": "Server", "target.id": { "$in": &server_ids } },

bin/core/src/api/read/alerter.rs

@@ -1,4 +1,6 @@
 use anyhow::Context;
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
 use komodo_client::{
   api::read::*,
   entities::{
@@ -6,13 +8,13 @@ use komodo_client::{
     permission::PermissionLevel,
   },
 };
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_all_tags, permission::get_check_permissions,
-  resource, state::db_client,
+  helpers::query::get_all_tags,
+  permission::{get_check_permissions, list_resource_ids_for_user},
+  resource,
+  state::db_client,
 };
 
 use super::ReadArgs;
@@ -82,9 +84,11 @@ impl Resolve<ReadArgs> for GetAlertersSummary {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<GetAlertersSummaryResponse> {
-    let query = match resource::get_resource_object_ids_for_user::<
-      Alerter,
-    >(user)
+    let query = match list_resource_ids_for_user::<Alerter>(
+      None,
+      user,
+      PermissionLevel::Read.into(),
+    )
     .await?
     {
       Some(ids) => doc! {

bin/core/src/api/read/build.rs

@@ -2,31 +2,27 @@ use std::collections::{HashMap, HashSet};
 
 use anyhow::Context;
 use async_timing_util::unix_timestamp_ms;
-use futures::TryStreamExt;
+use database::mungos::{
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use futures_util::TryStreamExt;
 use komodo_client::{
   api::read::*,
   entities::{
     Operation,
     build::{Build, BuildActionState, BuildListItem, BuildState},
-    config::core::CoreConfig,
     permission::PermissionLevel,
     update::UpdateStatus,
   },
 };
-use mungos::{
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use resolver_api::Resolve;
 
 use crate::{
-  config::core_config,
   helpers::query::get_all_tags,
   permission::get_check_permissions,
   resource,
-  state::{
-    action_states, build_state_cache, db_client, github_client,
-  },
+  state::{action_states, build_state_cache, db_client},
 };
 
 use super::ReadArgs;
@@ -306,81 +302,3 @@ impl Resolve<ReadArgs> for ListCommonBuildExtraArgs {
     Ok(res)
   }
 }
-
-impl Resolve<ReadArgs> for GetBuildWebhookEnabled {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetBuildWebhookEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetBuildWebhookEnabledResponse {
-        managed: false,
-        enabled: false,
-      });
-    };
-
-    let build = get_check_permissions::<Build>(
-      &self.build,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-
-    if build.config.git_provider != "github.com"
-      || build.config.repo.is_empty()
-    {
-      return Ok(GetBuildWebhookEnabledResponse {
-        managed: false,
-        enabled: false,
-      });
-    }
-
-    let mut split = build.config.repo.split('/');
-    let owner = split.next().context("Build repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetBuildWebhookEnabledResponse {
-        managed: false,
-        enabled: false,
-      });
-    };
-
-    let repo =
-      split.next().context("Build repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let url = format!("{host}/listener/github/build/{}", build.id);
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == url {
-        return Ok(GetBuildWebhookEnabledResponse {
-          managed: true,
-          enabled: true,
-        });
-      }
-    }
-
-    Ok(GetBuildWebhookEnabledResponse {
-      managed: true,
-      enabled: false,
-    })
-  }
-}

bin/core/src/api/read/builder.rs

@@ -1,4 +1,6 @@
 use anyhow::Context;
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
 use komodo_client::{
   api::read::*,
   entities::{
@@ -6,13 +8,13 @@ use komodo_client::{
     permission::PermissionLevel,
   },
 };
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_all_tags, permission::get_check_permissions,
-  resource, state::db_client,
+  helpers::query::get_all_tags,
+  permission::{get_check_permissions, list_resource_ids_for_user},
+  resource,
+  state::db_client,
 };
 
 use super::ReadArgs;
@@ -82,9 +84,11 @@ impl Resolve<ReadArgs> for GetBuildersSummary {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<GetBuildersSummaryResponse> {
-    let query = match resource::get_resource_object_ids_for_user::<
-      Builder,
-    >(user)
+    let query = match list_resource_ids_for_user::<Builder>(
+      None,
+      user,
+      PermissionLevel::Read.into(),
+    )
     .await?
     {
       Some(ids) => doc! {

bin/core/src/api/read/deployment.rs

@@ -145,7 +145,8 @@ impl Resolve<ReadArgs> for GetDeploymentLog {
       return Ok(Log::default());
     }
     let server = resource::get::<Server>(&server_id).await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(api::container::GetContainerLog {
         name,
         tail: cmp::min(tail, MAX_LOG_LENGTH),
@@ -183,7 +184,8 @@ impl Resolve<ReadArgs> for SearchDeploymentLog {
       return Ok(Log::default());
     }
     let server = resource::get::<Server>(&server_id).await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(api::container::GetContainerLogSearch {
         name,
         terms,
@@ -234,7 +236,8 @@ impl Resolve<ReadArgs> for InspectDeploymentContainer {
         .into(),
       );
     }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(InspectContainer { name })
       .await?;
     Ok(res)
@@ -262,7 +265,8 @@ impl Resolve<ReadArgs> for GetDeploymentStats {
       );
     }
     let server = resource::get::<Server>(&server_id).await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(api::container::GetContainerStats { name })
       .await
       .context("failed to get stats from periphery")?;
@@ -321,7 +325,9 @@ impl Resolve<ReadArgs> for GetDeploymentsSummary {
           res.not_deployed += 1;
         }
         DeploymentState::Unknown => {
-          res.unknown += 1;
+          if !deployment.template {
+            res.unknown += 1;
+          }
         }
         _ => {
           res.unhealthy += 1;

bin/core/src/api/read/mod.rs

@@ -1,4 +1,4 @@
-use std::{collections::HashSet, sync::OnceLock, time::Instant};
+use std::{collections::HashSet, time::Instant};
 
 use anyhow::{Context, anyhow};
 use axum::{
@@ -27,7 +27,9 @@ use typeshare::typeshare;
 use uuid::Uuid;
 
 use crate::{
-  auth::auth_request, config::core_config, helpers::periphery_client,
+  auth::auth_request,
+  config::{core_config, core_keys},
+  helpers::periphery_client,
   resource,
 };
 
@@ -39,6 +41,7 @@ mod alerter;
 mod build;
 mod builder;
 mod deployment;
+mod onboarding_key;
 mod permission;
 mod procedure;
 mod provider;
@@ -46,8 +49,10 @@ mod repo;
 mod schedule;
 mod server;
 mod stack;
+mod swarm;
 mod sync;
 mod tag;
+mod terminal;
 mod toml;
 mod update;
 mod user;
@@ -71,73 +76,67 @@ enum ReadRequest {
   ListGitProvidersFromConfig(ListGitProvidersFromConfig),
   ListDockerRegistriesFromConfig(ListDockerRegistriesFromConfig),
 
-  // ==== USER ====
-  GetUsername(GetUsername),
-  GetPermission(GetPermission),
-  FindUser(FindUser),
-  ListUsers(ListUsers),
-  ListApiKeys(ListApiKeys),
-  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
-  ListPermissions(ListPermissions),
-  ListUserTargetPermissions(ListUserTargetPermissions),
-
-  // ==== USER GROUP ====
-  GetUserGroup(GetUserGroup),
-  ListUserGroups(ListUserGroups),
-
-  // ==== PROCEDURE ====
-  GetProceduresSummary(GetProceduresSummary),
-  GetProcedure(GetProcedure),
-  GetProcedureActionState(GetProcedureActionState),
-  ListProcedures(ListProcedures),
-  ListFullProcedures(ListFullProcedures),
-
-  // ==== ACTION ====
-  GetActionsSummary(GetActionsSummary),
-  GetAction(GetAction),
-  GetActionActionState(GetActionActionState),
-  ListActions(ListActions),
-  ListFullActions(ListFullActions),
-
-  // ==== SCHEDULE ====
-  ListSchedules(ListSchedules),
+  // ==== SWARM ====
+  GetSwarmsSummary(GetSwarmsSummary),
+  GetSwarm(GetSwarm),
+  GetSwarmActionState(GetSwarmActionState),
+  ListSwarms(ListSwarms),
+  InspectSwarm(InspectSwarm),
+  ListFullSwarms(ListFullSwarms),
+  ListSwarmNodes(ListSwarmNodes),
+  InspectSwarmNode(InspectSwarmNode),
+  ListSwarmConfigs(ListSwarmConfigs),
+  InspectSwarmConfig(InspectSwarmConfig),
+  ListSwarmSecrets(ListSwarmSecrets),
+  InspectSwarmSecret(InspectSwarmSecret),
+  ListSwarmStacks(ListSwarmStacks),
+  InspectSwarmStack(InspectSwarmStack),
+  ListSwarmTasks(ListSwarmTasks),
+  InspectSwarmTask(InspectSwarmTask),
+  ListSwarmServices(ListSwarmServices),
+  InspectSwarmService(InspectSwarmService),
+  GetSwarmServiceLog(GetSwarmServiceLog),
+  SearchSwarmServiceLog(SearchSwarmServiceLog),
 
   // ==== SERVER ====
   GetServersSummary(GetServersSummary),
   GetServer(GetServer),
   GetServerState(GetServerState),
-  GetPeripheryVersion(GetPeripheryVersion),
+  GetPeripheryInformation(GetPeripheryInformation),
   GetServerActionState(GetServerActionState),
-  GetHistoricalServerStats(GetHistoricalServerStats),
   ListServers(ListServers),
   ListFullServers(ListFullServers),
+
+  // ==== TERMINAL ====
+  ListTerminals(ListTerminals),
+
+  // ==== DOCKER ====
+  GetDockerContainersSummary(GetDockerContainersSummary),
+  ListAllDockerContainers(ListAllDockerContainers),
+  ListDockerContainers(ListDockerContainers),
   InspectDockerContainer(InspectDockerContainer),
   GetResourceMatchingContainer(GetResourceMatchingContainer),
   GetContainerLog(GetContainerLog),
   SearchContainerLog(SearchContainerLog),
+  ListComposeProjects(ListComposeProjects),
+  ListDockerNetworks(ListDockerNetworks),
   InspectDockerNetwork(InspectDockerNetwork),
+  ListDockerImages(ListDockerImages),
   InspectDockerImage(InspectDockerImage),
   ListDockerImageHistory(ListDockerImageHistory),
-  InspectDockerVolume(InspectDockerVolume),
-  GetDockerContainersSummary(GetDockerContainersSummary),
-  ListAllDockerContainers(ListAllDockerContainers),
-  ListDockerContainers(ListDockerContainers),
-  ListDockerNetworks(ListDockerNetworks),
-  ListDockerImages(ListDockerImages),
   ListDockerVolumes(ListDockerVolumes),
-  ListComposeProjects(ListComposeProjects),
-  ListTerminals(ListTerminals),
+  InspectDockerVolume(InspectDockerVolume),
 
   // ==== SERVER STATS ====
   GetSystemInformation(GetSystemInformation),
   GetSystemStats(GetSystemStats),
+  GetHistoricalServerStats(GetHistoricalServerStats),
   ListSystemProcesses(ListSystemProcesses),
 
   // ==== STACK ====
   GetStacksSummary(GetStacksSummary),
   GetStack(GetStack),
   GetStackActionState(GetStackActionState),
-  GetStackWebhooksEnabled(GetStackWebhooksEnabled),
   GetStackLog(GetStackLog),
   SearchStackLog(SearchStackLog),
   InspectStackContainer(InspectStackContainer),
@@ -166,7 +165,6 @@ enum ReadRequest {
   GetBuildActionState(GetBuildActionState),
   GetBuildMonthlyStats(GetBuildMonthlyStats),
   ListBuildVersions(ListBuildVersions),
-  GetBuildWebhookEnabled(GetBuildWebhookEnabled),
   ListBuilds(ListBuilds),
   ListFullBuilds(ListFullBuilds),
   ListCommonBuildExtraArgs(ListCommonBuildExtraArgs),
@@ -175,15 +173,30 @@ enum ReadRequest {
   GetReposSummary(GetReposSummary),
   GetRepo(GetRepo),
   GetRepoActionState(GetRepoActionState),
-  GetRepoWebhooksEnabled(GetRepoWebhooksEnabled),
   ListRepos(ListRepos),
   ListFullRepos(ListFullRepos),
 
+  // ==== PROCEDURE ====
+  GetProceduresSummary(GetProceduresSummary),
+  GetProcedure(GetProcedure),
+  GetProcedureActionState(GetProcedureActionState),
+  ListProcedures(ListProcedures),
+  ListFullProcedures(ListFullProcedures),
+
+  // ==== ACTION ====
+  GetActionsSummary(GetActionsSummary),
+  GetAction(GetAction),
+  GetActionActionState(GetActionActionState),
+  ListActions(ListActions),
+  ListFullActions(ListFullActions),
+
+  // ==== SCHEDULE ====
+  ListSchedules(ListSchedules),
+
   // ==== SYNC ====
   GetResourceSyncsSummary(GetResourceSyncsSummary),
   GetResourceSync(GetResourceSync),
   GetResourceSyncActionState(GetResourceSyncActionState),
-  GetSyncWebhooksEnabled(GetSyncWebhooksEnabled),
   ListResourceSyncs(ListResourceSyncs),
   ListFullResourceSyncs(ListFullResourceSyncs),
 
@@ -207,6 +220,20 @@ enum ReadRequest {
   GetTag(GetTag),
   ListTags(ListTags),
 
+  // ==== USER ====
+  GetUsername(GetUsername),
+  GetPermission(GetPermission),
+  FindUser(FindUser),
+  ListUsers(ListUsers),
+  ListApiKeys(ListApiKeys),
+  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
+  ListPermissions(ListPermissions),
+  ListUserTargetPermissions(ListUserTargetPermissions),
+
+  // ==== USER GROUP ====
+  GetUserGroup(GetUserGroup),
+  ListUserGroups(ListUserGroups),
+
   // ==== UPDATE ====
   GetUpdate(GetUpdate),
   ListUpdates(ListUpdates),
@@ -224,6 +251,9 @@ enum ReadRequest {
   ListGitProviderAccounts(ListGitProviderAccounts),
   GetDockerRegistryAccount(GetDockerRegistryAccount),
   ListDockerRegistryAccounts(ListDockerRegistryAccounts),
+
+  // ==== ONBOARDING KEY ====
+  ListOnboardingKeys(ListOnboardingKeys),
 }
 
 pub fn router() -> Router {
@@ -245,7 +275,6 @@ async fn variant_handler(
   handler(user, Json(req)).await
 }
 
-#[instrument(name = "ReadHandler", level = "debug", skip(user), fields(user_id = user.id))]
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<ReadRequest>,
@@ -273,11 +302,13 @@ impl Resolve<ReadArgs> for GetVersion {
   }
 }
 
-fn core_info() -> &'static GetCoreInfoResponse {
-  static CORE_INFO: OnceLock<GetCoreInfoResponse> = OnceLock::new();
-  CORE_INFO.get_or_init(|| {
+impl Resolve<ReadArgs> for GetCoreInfo {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetCoreInfoResponse> {
     let config = core_config();
-    GetCoreInfoResponse {
+    let info = GetCoreInfoResponse {
       title: config.title.clone(),
       monitoring_interval: config.monitoring_interval,
       webhook_base_url: if config.webhook_base_url.is_empty() {
@@ -290,23 +321,11 @@ fn core_info() -> &'static GetCoreInfoResponse {
       disable_confirm_dialog: config.disable_confirm_dialog,
       disable_non_admin_create: config.disable_non_admin_create,
       disable_websocket_reconnect: config.disable_websocket_reconnect,
-      github_webhook_owners: config
-        .github_webhook_app
-        .installations
-        .iter()
-        .map(|i| i.namespace.to_string())
-        .collect(),
+      enable_fancy_toml: config.enable_fancy_toml,
       timezone: config.timezone.clone(),
-    }
-  })
-}
-
-impl Resolve<ReadArgs> for GetCoreInfo {
-  async fn resolve(
-    self,
-    _: &ReadArgs,
-  ) -> serror::Result<GetCoreInfoResponse> {
-    Ok(core_info().clone())
+      public_key: core_keys().load().public.to_string(),
+    };
+    Ok(info)
   }
 }
 
@@ -342,7 +361,8 @@ impl Resolve<ReadArgs> for ListSecrets {
       };
       if let Some(id) = server_id {
         let server = resource::get::<Server>(&id).await?;
-        let more = periphery_client(&server)?
+        let more = periphery_client(&server)
+          .await?
           .request(periphery_client::api::ListSecrets {})
           .await
           .with_context(|| {
@@ -514,7 +534,8 @@ async fn merge_git_providers_for_server(
   server_id: &str,
 ) -> serror::Result<()> {
   let server = resource::get::<Server>(server_id).await?;
-  let more = periphery_client(&server)?
+  let more = periphery_client(&server)
+    .await?
     .request(periphery_client::api::ListGitProviders {})
     .await
     .with_context(|| {
@@ -552,7 +573,8 @@ async fn merge_docker_registries_for_server(
   server_id: &str,
 ) -> serror::Result<()> {
   let server = resource::get::<Server>(server_id).await?;
-  let more = periphery_client(&server)?
+  let more = periphery_client(&server)
+    .await?
     .request(periphery_client::api::ListDockerRegistries {})
     .await
     .with_context(|| {

bin/core/src/api/read/onboarding_key.rs

@@ -0,0 +1,51 @@
+use std::cmp::Ordering;
+
+use anyhow::{Context, anyhow};
+use database::mungos::find::find_collect;
+use komodo_client::api::read::{
+  ListOnboardingKeys, ListOnboardingKeysResponse,
+};
+use reqwest::StatusCode;
+use resolver_api::Resolve;
+use serror::AddStatusCodeError;
+
+use crate::{api::read::ReadArgs, state::db_client};
+
+//
+
+impl Resolve<ReadArgs> for ListOnboardingKeys {
+  async fn resolve(
+    self,
+    ReadArgs { user: admin }: &ReadArgs,
+  ) -> serror::Result<ListOnboardingKeysResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let mut keys =
+      find_collect(&db_client().onboarding_keys, None, None)
+        .await
+        .context(
+          "Failed to query database for Server onboarding keys",
+        )?;
+
+    // No expiry keys first, followed
+    keys.sort_by(|a, b| {
+      if a.expires == b.expires {
+        Ordering::Equal
+      } else if a.expires == 0 {
+        Ordering::Less
+      } else if b.expires == 0 {
+        Ordering::Greater
+      } else {
+        // Descending
+        b.expires.cmp(&a.expires)
+      }
+    });
+
+    Ok(keys)
+  }
+}

bin/core/src/api/read/permission.rs

@@ -1,4 +1,5 @@
 use anyhow::{Context, anyhow};
+use database::mungos::{find::find_collect, mongodb::bson::doc};
 use komodo_client::{
   api::read::{
     GetPermission, GetPermissionResponse, ListPermissions,
@@ -7,7 +8,6 @@ use komodo_client::{
   },
   entities::permission::PermissionLevel,
 };
-use mungos::{find::find_collect, mongodb::bson::doc};
 use resolver_api::Resolve;
 
 use crate::{

bin/core/src/api/read/provider.rs

@@ -1,10 +1,10 @@
 use anyhow::{Context, anyhow};
-use komodo_client::api::read::*;
-use mongo_indexed::{Document, doc};
-use mungos::{
+use database::mongo_indexed::{Document, doc};
+use database::mungos::{
   by_id::find_one_by_id, find::find_collect,
   mongodb::options::FindOptions,
 };
+use komodo_client::api::read::*;
 use resolver_api::Resolve;
 
 use crate::state::db_client;

bin/core/src/api/read/repo.rs

@@ -2,7 +2,6 @@ use anyhow::Context;
 use komodo_client::{
   api::read::*,
   entities::{
-    config::core::CoreConfig,
     permission::PermissionLevel,
     repo::{Repo, RepoActionState, RepoListItem, RepoState},
   },
@@ -10,11 +9,10 @@ use komodo_client::{
 use resolver_api::Resolve;
 
 use crate::{
-  config::core_config,
   helpers::query::get_all_tags,
   permission::get_check_permissions,
   resource,
-  state::{action_states, github_client, repo_state_cache},
+  state::{action_states, repo_state_cache},
 };
 
 use super::ReadArgs;
@@ -142,7 +140,11 @@ impl Resolve<ReadArgs> for GetReposSummary {
         }
         (RepoState::Ok, _) => res.ok += 1,
         (RepoState::Failed, _) => res.failed += 1,
-        (RepoState::Unknown, _) => res.unknown += 1,
+        (RepoState::Unknown, _) => {
+          if !repo.template {
+            res.unknown += 1
+          }
+        }
         // will never come off the cache in the building state, since that comes from action states
         (RepoState::Cloning, _)
         | (RepoState::Pulling, _)
@@ -155,104 +157,3 @@ impl Resolve<ReadArgs> for GetReposSummary {
     Ok(res)
   }
 }
-
-impl Resolve<ReadArgs> for GetRepoWebhooksEnabled {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetRepoWebhooksEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetRepoWebhooksEnabledResponse {
-        managed: false,
-        clone_enabled: false,
-        pull_enabled: false,
-        build_enabled: false,
-      });
-    };
-
-    let repo = get_check_permissions::<Repo>(
-      &self.repo,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-
-    if repo.config.git_provider != "github.com"
-      || repo.config.repo.is_empty()
-    {
-      return Ok(GetRepoWebhooksEnabledResponse {
-        managed: false,
-        clone_enabled: false,
-        pull_enabled: false,
-        build_enabled: false,
-      });
-    }
-
-    let mut split = repo.config.repo.split('/');
-    let owner = split.next().context("Repo repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetRepoWebhooksEnabledResponse {
-        managed: false,
-        clone_enabled: false,
-        pull_enabled: false,
-        build_enabled: false,
-      });
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let clone_url =
-      format!("{host}/listener/github/repo/{}/clone", repo.id);
-    let pull_url =
-      format!("{host}/listener/github/repo/{}/pull", repo.id);
-    let build_url =
-      format!("{host}/listener/github/repo/{}/build", repo.id);
-
-    let mut clone_enabled = false;
-    let mut pull_enabled = false;
-    let mut build_enabled = false;
-
-    for webhook in webhooks {
-      if !webhook.active {
-        continue;
-      }
-      if webhook.config.url == clone_url {
-        clone_enabled = true
-      }
-      if webhook.config.url == pull_url {
-        pull_enabled = true
-      }
-      if webhook.config.url == build_url {
-        build_enabled = true
-      }
-    }
-
-    Ok(GetRepoWebhooksEnabledResponse {
-      managed: true,
-      clone_enabled,
-      pull_enabled,
-      build_enabled,
-    })
-  }
-}

bin/core/src/api/read/schedule.rs

@@ -1,4 +1,4 @@
-use futures::future::join_all;
+use futures_util::future::join_all;
 use komodo_client::{
   api::read::*,
   entities::{

bin/core/src/api/read/server.rs

@@ -8,6 +8,10 @@ use anyhow::{Context, anyhow};
 use async_timing_util::{
   FIFTEEN_SECONDS_MS, get_timelength_in_ms, unix_timestamp_ms,
 };
+use database::mungos::{
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
 use komodo_client::{
   api::read::*,
   entities::{
@@ -21,37 +25,31 @@ use komodo_client::{
       network::Network,
       volume::Volume,
     },
-    komodo_timestamp,
     permission::PermissionLevel,
     server::{
-      Server, ServerActionState, ServerListItem, ServerState,
-      TerminalInfo,
+      Server, ServerActionState, ServerListItem, ServerQuery,
+      ServerState,
     },
     stack::{Stack, StackServiceNames},
     stats::{SystemInformation, SystemProcess},
     update::Log,
   },
 };
-use mungos::{
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use periphery_client::api::{
   self as periphery,
   container::InspectContainer,
-  image::{ImageHistory, InspectImage},
-  network::InspectNetwork,
-  volume::InspectVolume,
+  docker::{
+    ImageHistory, InspectImage, InspectNetwork, InspectVolume,
+  },
 };
+use reqwest::StatusCode;
 use resolver_api::Resolve;
+use serror::AddStatusCode;
 use tokio::sync::Mutex;
 
 use crate::{
-  helpers::{
-    periphery_client,
-    query::{get_all_tags, get_system_info},
-  },
-  permission::get_check_permissions,
+  helpers::{periphery_client, query::get_all_tags},
+  permission::{get_check_permissions, list_resources_for_user},
   resource,
   stack::compose_container_match_regex,
   state::{action_states, db_client, server_status_cache},
@@ -71,18 +69,29 @@ impl Resolve<ReadArgs> for GetServersSummary {
       &[],
     )
     .await?;
+
+    let core_version = env!("CARGO_PKG_VERSION");
     let mut res = GetServersSummaryResponse::default();
+
     for server in servers {
       res.total += 1;
       match server.info.state {
         ServerState::Ok => {
-          res.healthy += 1;
+          // Check for version mismatch
+          if matches!(&server.info.version, Some(version) if version != core_version)
+          {
+            res.warning += 1;
+          } else {
+            res.healthy += 1;
+          }
         }
         ServerState::NotOk => {
           res.unhealthy += 1;
         }
         ServerState::Disabled => {
-          res.disabled += 1;
+          if !server.template {
+            res.disabled += 1;
+          }
         }
       }
     }
@@ -90,26 +99,6 @@ impl Resolve<ReadArgs> for GetServersSummary {
   }
 }
 
-impl Resolve<ReadArgs> for GetPeripheryVersion {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetPeripheryVersionResponse> {
-    let server = get_check_permissions::<Server>(
-      &self.server,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-    let version = server_status_cache()
-      .get(&server.id)
-      .await
-      .map(|s| s.version.clone())
-      .unwrap_or(String::from("unknown"));
-    Ok(GetPeripheryVersionResponse { version })
-  }
-}
-
 impl Resolve<ReadArgs> for GetServer {
   async fn resolve(
     self,
@@ -213,6 +202,29 @@ impl Resolve<ReadArgs> for GetServerActionState {
   }
 }
 
+impl Resolve<ReadArgs> for GetPeripheryInformation {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetPeripheryInformationResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    server_status_cache()
+      .get(&server.id)
+      .await
+      .context("Missing server status")?
+      .periphery_info
+      .as_ref()
+      .cloned()
+      .context("Server status missing Periphery Info. The Server may be disconnected.")
+      .status_code(StatusCode::INTERNAL_SERVER_ERROR)
+  }
+}
+
 impl Resolve<ReadArgs> for GetSystemInformation {
   async fn resolve(
     self,
@@ -223,8 +235,17 @@ impl Resolve<ReadArgs> for GetSystemInformation {
       user,
       PermissionLevel::Read.into(),
     )
-    .await?;
-    get_system_info(&server).await.map_err(Into::into)
+    .await
+    .status_code(StatusCode::BAD_REQUEST)?;
+    server_status_cache()
+      .get(&server.id)
+      .await
+      .context("Missing server status")?
+      .system_info
+      .as_ref()
+      .cloned()
+      .context("Server status missing system Info. The Server may be disconnected.")
+      .status_code(StatusCode::INTERNAL_SERVER_ERROR)
   }
 }
 
@@ -239,15 +260,15 @@ impl Resolve<ReadArgs> for GetSystemStats {
       PermissionLevel::Read.into(),
     )
     .await?;
-    let status =
-      server_status_cache().get(&server.id).await.with_context(
-        || format!("did not find status for server at {}", server.id),
-      )?;
-    let stats = status
-      .stats
+    server_status_cache()
+      .get(&server.id)
+      .await
+      .context("Missing server status")?
+      .system_stats
       .as_ref()
-      .context("server stats not available")?;
-    Ok(stats.clone())
+      .cloned()
+      .context("Server status missing system stats. The Server may be disconnected.")
+      .status_code(StatusCode::INTERNAL_SERVER_ERROR)
   }
 }
 
@@ -277,7 +298,8 @@ impl Resolve<ReadArgs> for ListSystemProcesses {
         cached.0.clone()
       }
       _ => {
-        let stats = periphery_client(&server)?
+        let stats = periphery_client(&server)
+          .await?
           .request(periphery::stats::GetSystemProcesses {})
           .await?;
         lock.insert(
@@ -361,8 +383,8 @@ impl Resolve<ReadArgs> for ListDockerContainers {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(containers) = &cache.containers {
-      Ok(containers.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.containers.clone())
     } else {
       Ok(Vec::new())
     }
@@ -375,18 +397,12 @@ impl Resolve<ReadArgs> for ListAllDockerContainers {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ListAllDockerContainersResponse> {
     let servers = resource::list_for_user::<Server>(
-      Default::default(),
+      ServerQuery::builder().names(self.servers.clone()).build(),
       user,
       PermissionLevel::Read.into(),
       &[],
     )
-    .await?
-    .into_iter()
-    .filter(|server| {
-      self.servers.is_empty()
-        || self.servers.contains(&server.id)
-        || self.servers.contains(&server.name)
-    });
+    .await?;
 
     let mut containers = Vec::<ContainerListItem>::new();
 
@@ -394,9 +410,18 @@ impl Resolve<ReadArgs> for ListAllDockerContainers {
       let cache = server_status_cache()
         .get_or_insert_default(&server.id)
         .await;
-      if let Some(more_containers) = &cache.containers {
-        containers.extend(more_containers.clone());
-      }
+      let Some(docker) = &cache.docker else {
+        continue;
+      };
+      let more = docker
+        .containers
+        .iter()
+        .filter(|container| {
+          self.containers.is_empty()
+            || self.containers.contains(&container.name)
+        })
+        .cloned();
+      containers.extend(more);
     }
 
     Ok(containers)
@@ -424,8 +449,8 @@ impl Resolve<ReadArgs> for GetDockerContainersSummary {
         .get_or_insert_default(&server.id)
         .await;
 
-      if let Some(containers) = &cache.containers {
-        for container in containers {
+      if let Some(docker) = &cache.docker {
+        for container in &docker.containers {
           res.total += 1;
           match container.state {
             ContainerStateStatusEnum::Created
@@ -466,7 +491,8 @@ impl Resolve<ReadArgs> for InspectDockerContainer {
         .into(),
       );
     }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(InspectContainer {
         name: self.container,
       })
@@ -494,7 +520,8 @@ impl Resolve<ReadArgs> for GetContainerLog {
       PermissionLevel::Read.logs(),
     )
     .await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(periphery::container::GetContainerLog {
         name: container,
         tail: cmp::min(tail, MAX_LOG_LENGTH),
@@ -525,7 +552,8 @@ impl Resolve<ReadArgs> for SearchContainerLog {
       PermissionLevel::Read.logs(),
     )
     .await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(periphery::container::GetContainerLogSearch {
         name: container,
         terms,
@@ -560,12 +588,12 @@ impl Resolve<ReadArgs> for GetResourceMatchingContainer {
     }
 
     // then check stacks
-    let stacks =
-      resource::list_full_for_user_using_document::<Stack>(
-        doc! { "config.server_id": &server.id },
-        user,
-      )
-      .await?;
+    let stacks = list_resources_for_user::<Stack>(
+      doc! { "config.server_id": &server.id },
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
 
     // check matching stack
     for stack in stacks {
@@ -614,8 +642,8 @@ impl Resolve<ReadArgs> for ListDockerNetworks {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(networks) = &cache.networks {
-      Ok(networks.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.networks.clone())
     } else {
       Ok(Vec::new())
     }
@@ -645,7 +673,8 @@ impl Resolve<ReadArgs> for InspectDockerNetwork {
         .into(),
       );
     }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(InspectNetwork { name: self.network })
       .await?;
     Ok(res)
@@ -666,8 +695,8 @@ impl Resolve<ReadArgs> for ListDockerImages {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(images) = &cache.images {
-      Ok(images.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.images.clone())
     } else {
       Ok(Vec::new())
     }
@@ -694,7 +723,8 @@ impl Resolve<ReadArgs> for InspectDockerImage {
           .into(),
       );
     }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(InspectImage { name: self.image })
       .await?;
     Ok(res)
@@ -724,7 +754,8 @@ impl Resolve<ReadArgs> for ListDockerImageHistory {
         .into(),
       );
     }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(ImageHistory { name: self.image })
       .await?;
     Ok(res)
@@ -745,8 +776,8 @@ impl Resolve<ReadArgs> for ListDockerVolumes {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(volumes) = &cache.volumes {
-      Ok(volumes.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.volumes.clone())
     } else {
       Ok(Vec::new())
     }
@@ -773,7 +804,8 @@ impl Resolve<ReadArgs> for InspectDockerVolume {
           .into(),
       );
     }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(InspectVolume { name: self.volume })
       .await?;
     Ok(res)
@@ -794,73 +826,54 @@ impl Resolve<ReadArgs> for ListComposeProjects {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(projects) = &cache.projects {
-      Ok(projects.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.projects.clone())
     } else {
       Ok(Vec::new())
     }
   }
 }
 
-#[derive(Default)]
-struct TerminalCacheItem {
-  list: Vec<TerminalInfo>,
-  ttl: i64,
-}
+// impl Resolve<ReadArgs> for ListAllTerminals {
+//   async fn resolve(
+//     self,
+//     args: &ReadArgs,
+//   ) -> Result<Self::Response, Self::Error> {
+//     // match self.tar
+//     let mut terminals = resource::list_full_for_user::<Server>(
+//       self.query, &args.user, &all_tags,
+//     )
+//     .await?
+//     .into_iter()
+//     .map(|server| async move {
+//       (
+//         list_terminals_inner(&server, self.fresh).await,
+//         (server.id, server.name),
+//       )
+//     })
+//     .collect::<FuturesUnordered<_>>()
+//     .collect::<Vec<_>>()
+//     .await
+//     .into_iter()
+//     .flat_map(|(terminals, server)| {
+//       let terminals = terminals.ok()?;
+//       Some((terminals, server))
+//     })
+//     .flat_map(|(terminals, (server_id, server_name))| {
+//       terminals.into_iter().map(move |info| {
+//         TerminalInfoWithServer::from_terminal_info(
+//           &server_id,
+//           &server_name,
+//           info,
+//         )
+//       })
+//     })
+//     .collect::<Vec<_>>();
 
-const TERMINAL_CACHE_TIMEOUT: i64 = 30_000;
+//     terminals.sort_by(|a, b| {
+//       a.server_name.cmp(&b.server_name).then(a.name.cmp(&b.name))
+//     });
 
-#[derive(Default)]
-struct TerminalCache(
-  std::sync::Mutex<
-    HashMap<String, Arc<tokio::sync::Mutex<TerminalCacheItem>>>,
-  >,
-);
-
-impl TerminalCache {
-  fn get_or_insert(
-    &self,
-    server_id: String,
-  ) -> Arc<tokio::sync::Mutex<TerminalCacheItem>> {
-    if let Some(cached) =
-      self.0.lock().unwrap().get(&server_id).cloned()
-    {
-      return cached;
-    }
-    let to_cache =
-      Arc::new(tokio::sync::Mutex::new(TerminalCacheItem::default()));
-    self.0.lock().unwrap().insert(server_id, to_cache.clone());
-    to_cache
-  }
-}
-
-fn terminals_cache() -> &'static TerminalCache {
-  static TERMINALS: OnceLock<TerminalCache> = OnceLock::new();
-  TERMINALS.get_or_init(Default::default)
-}
-
-impl Resolve<ReadArgs> for ListTerminals {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListTerminalsResponse> {
-    let server = get_check_permissions::<Server>(
-      &self.server,
-      user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
-    let cache = terminals_cache().get_or_insert(server.id.clone());
-    let mut cache = cache.lock().await;
-    if self.fresh || komodo_timestamp() > cache.ttl {
-      cache.list = periphery_client(&server)?
-        .request(periphery_client::api::terminal::ListTerminals {})
-        .await
-        .context("Failed to get fresh terminal list")?;
-      cache.ttl = komodo_timestamp() + TERMINAL_CACHE_TIMEOUT;
-      Ok(cache.list.clone())
-    } else {
-      Ok(cache.list.clone())
-    }
-  }
-}
+//     Ok(terminals)
+//   }
+// }

bin/core/src/api/read/stack.rs

@@ -4,7 +4,6 @@ use anyhow::{Context, anyhow};
 use komodo_client::{
   api::read::*,
   entities::{
-    config::core::CoreConfig,
     docker::container::Container,
     permission::PermissionLevel,
     server::{Server, ServerState},
@@ -18,15 +17,11 @@ use periphery_client::api::{
 use resolver_api::Resolve;
 
 use crate::{
-  config::core_config,
   helpers::{periphery_client, query::get_all_tags},
   permission::get_check_permissions,
   resource,
   stack::get_stack_and_server,
-  state::{
-    action_states, github_client, server_status_cache,
-    stack_status_cache,
-  },
+  state::{action_states, server_status_cache, stack_status_cache},
 };
 
 use super::ReadArgs;
@@ -89,7 +84,8 @@ impl Resolve<ReadArgs> for GetStackLog {
       true,
     )
     .await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(GetComposeLog {
         project: stack.project_name(false),
         services,
@@ -122,7 +118,8 @@ impl Resolve<ReadArgs> for SearchStackLog {
       true,
     )
     .await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(GetComposeLogSearch {
         project: stack.project_name(false),
         services,
@@ -184,7 +181,8 @@ impl Resolve<ReadArgs> for InspectStackContainer {
         "No service found matching '{service}'. Was the stack last deployed manually?"
       ).into());
     };
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
       .request(InspectContainer { name })
       .await?;
     Ok(res)
@@ -363,7 +361,11 @@ impl Resolve<ReadArgs> for GetStacksSummary {
         StackState::Running => res.running += 1,
         StackState::Stopped | StackState::Paused => res.stopped += 1,
         StackState::Down => res.down += 1,
-        StackState::Unknown => res.unknown += 1,
+        StackState::Unknown => {
+          if !stack.template {
+            res.unknown += 1
+          }
+        }
         _ => res.unhealthy += 1,
       }
     }
@@ -371,91 +373,3 @@ impl Resolve<ReadArgs> for GetStacksSummary {
     Ok(res)
   }
 }
-
-impl Resolve<ReadArgs> for GetStackWebhooksEnabled {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetStackWebhooksEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetStackWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        deploy_enabled: false,
-      });
-    };
-
-    let stack = get_check_permissions::<Stack>(
-      &self.stack,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-
-    if stack.config.git_provider != "github.com"
-      || stack.config.repo.is_empty()
-    {
-      return Ok(GetStackWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        deploy_enabled: false,
-      });
-    }
-
-    let mut split = stack.config.repo.split('/');
-    let owner = split.next().context("Sync repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetStackWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        deploy_enabled: false,
-      });
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let refresh_url =
-      format!("{host}/listener/github/stack/{}/refresh", stack.id);
-    let deploy_url =
-      format!("{host}/listener/github/stack/{}/deploy", stack.id);
-
-    let mut refresh_enabled = false;
-    let mut deploy_enabled = false;
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == refresh_url {
-        refresh_enabled = true
-      }
-      if webhook.active && webhook.config.url == deploy_url {
-        deploy_enabled = true
-      }
-    }
-
-    Ok(GetStackWebhooksEnabledResponse {
-      managed: true,
-      refresh_enabled,
-      deploy_enabled,
-    })
-  }
-}

bin/core/src/api/read/swarm.rs

@@ -0,0 +1,478 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    permission::PermissionLevel,
+    swarm::{Swarm, SwarmActionState, SwarmListItem, SwarmState},
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{query::get_all_tags, swarm::swarm_request},
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, swarm_status_cache},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetSwarm {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Swarm> {
+    Ok(
+      get_check_permissions::<Swarm>(
+        &self.swarm,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarms {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<SwarmListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Swarm>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullSwarms {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullSwarmsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Swarm>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<SwarmActionState> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .swarm
+      .get(&swarm.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetSwarmsSummaryResponse> {
+    let swarms = resource::list_full_for_user::<Swarm>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get swarms from db")?;
+
+    let mut res = GetSwarmsSummaryResponse::default();
+
+    let cache = swarm_status_cache();
+
+    for swarm in swarms {
+      res.total += 1;
+
+      match cache
+        .get(&swarm.id)
+        .await
+        .map(|status| status.state)
+        .unwrap_or_default()
+      {
+        SwarmState::Unknown => {
+          res.unknown += 1;
+        }
+        SwarmState::Healthy => {
+          res.healthy += 1;
+        }
+        SwarmState::Unhealthy => {
+          res.unhealthy += 1;
+        }
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarm {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<InspectSwarmResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    let inspect = cache
+      .inspect
+      .as_ref()
+      .cloned()
+      .context("SwarmInspectInfo not available")?;
+    Ok(inspect)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmNodes {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListSwarmNodesResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.nodes.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmNode {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<InspectSwarmNodeResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmNode {
+        node: self.node,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmServices {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListSwarmServicesResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.services.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmService {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<InspectSwarmServiceResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService {
+        service: self.service,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmServiceLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetSwarmServiceLogResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::GetSwarmServiceLog {
+        service: self.service,
+        tail: self.tail,
+        timestamps: self.timestamps,
+        no_task_ids: self.no_task_ids,
+        no_resolve: self.no_resolve,
+        details: self.details,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for SearchSwarmServiceLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<SearchSwarmServiceLogResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::GetSwarmServiceLogSearch {
+        service: self.service,
+        terms: self.terms,
+        combinator: self.combinator,
+        invert: self.invert,
+        timestamps: self.timestamps,
+        no_task_ids: self.no_task_ids,
+        no_resolve: self.no_resolve,
+        details: self.details,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmTasks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListSwarmTasksResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.tasks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmTask {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<InspectSwarmTaskResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmTask {
+        task: self.task,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmSecrets {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListSwarmSecretsResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.secrets.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmSecret {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<InspectSwarmSecretResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmSecret {
+        secret: self.secret,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmConfigs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListSwarmConfigsResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.configs.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmConfig {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<InspectSwarmConfigResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmConfig {
+        config: self.config,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmStacks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListSwarmStacksResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.stacks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmStack {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<InspectSwarmStackResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmStack {
+        stack: self.stack,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}

bin/core/src/api/read/sync.rs

@@ -2,7 +2,6 @@ use anyhow::Context;
 use komodo_client::{
   api::read::*,
   entities::{
-    config::core::CoreConfig,
     permission::PermissionLevel,
     sync::{
       ResourceSync, ResourceSyncActionState, ResourceSyncListItem,
@@ -12,11 +11,8 @@ use komodo_client::{
 use resolver_api::Resolve;
 
 use crate::{
-  config::core_config,
-  helpers::query::get_all_tags,
-  permission::get_check_permissions,
-  resource,
-  state::{action_states, github_client},
+  helpers::query::get_all_tags, permission::get_check_permissions,
+  resource, state::action_states,
 };
 
 use super::ReadArgs;
@@ -93,7 +89,7 @@ impl Resolve<ReadArgs> for GetResourceSyncActionState {
     )
     .await?;
     let action_state = action_states()
-      .resource_sync
+      .sync
       .get(&sync.id)
       .await
       .unwrap_or_default()
@@ -138,7 +134,7 @@ impl Resolve<ReadArgs> for GetResourceSyncsSummary {
         continue;
       }
       if action_states
-        .resource_sync
+        .sync
         .get(&resource_sync.id)
         .await
         .unwrap_or_default()
@@ -154,91 +150,3 @@ impl Resolve<ReadArgs> for GetResourceSyncsSummary {
     Ok(res)
   }
 }
-
-impl Resolve<ReadArgs> for GetSyncWebhooksEnabled {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetSyncWebhooksEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetSyncWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        sync_enabled: false,
-      });
-    };
-
-    let sync = get_check_permissions::<ResourceSync>(
-      &self.sync,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-
-    if sync.config.git_provider != "github.com"
-      || sync.config.repo.is_empty()
-    {
-      return Ok(GetSyncWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        sync_enabled: false,
-      });
-    }
-
-    let mut split = sync.config.repo.split('/');
-    let owner = split.next().context("Sync repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetSyncWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        sync_enabled: false,
-      });
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let refresh_url =
-      format!("{host}/listener/github/sync/{}/refresh", sync.id);
-    let sync_url =
-      format!("{host}/listener/github/sync/{}/sync", sync.id);
-
-    let mut refresh_enabled = false;
-    let mut sync_enabled = false;
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == refresh_url {
-        refresh_enabled = true
-      }
-      if webhook.active && webhook.config.url == sync_url {
-        sync_enabled = true
-      }
-    }
-
-    Ok(GetSyncWebhooksEnabledResponse {
-      managed: true,
-      refresh_enabled,
-      sync_enabled,
-    })
-  }
-}

bin/core/src/api/read/tag.rs

@@ -1,10 +1,12 @@
 use anyhow::Context;
+use database::mongo_indexed::doc;
+use database::mungos::{
+  find::find_collect, mongodb::options::FindOptions,
+};
 use komodo_client::{
   api::read::{GetTag, ListTags},
   entities::tag::Tag,
 };
-use mongo_indexed::doc;
-use mungos::{find::find_collect, mongodb::options::FindOptions};
 use resolver_api::Resolve;
 
 use crate::{helpers::query::get_tag, state::db_client};

bin/core/src/api/read/terminal.rs

@@ -0,0 +1,247 @@
+use anyhow::Context as _;
+use futures_util::{
+  FutureExt, StreamExt as _, stream::FuturesUnordered,
+};
+use komodo_client::{
+  api::read::{ListTerminals, ListTerminalsResponse},
+  entities::{
+    deployment::Deployment,
+    permission::PermissionLevel,
+    server::Server,
+    stack::Stack,
+    terminal::{Terminal, TerminalTarget},
+    user::User,
+  },
+};
+use reqwest::StatusCode;
+use resolver_api::Resolve;
+use serror::AddStatusCode;
+
+use crate::{
+  helpers::periphery_client, permission::get_check_permissions,
+  resource,
+};
+
+use super::ReadArgs;
+
+//
+
+impl Resolve<ReadArgs> for ListTerminals {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListTerminalsResponse> {
+    let Some(target) = self.target else {
+      return list_all_terminals_for_user(user, self.use_names).await;
+    };
+    match &target {
+      TerminalTarget::Server { server } => {
+        let server = server
+          .as_ref()
+          .context("Must provide 'target.params.server'")
+          .status_code(StatusCode::BAD_REQUEST)?;
+        let server = get_check_permissions::<Server>(
+          server,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+      TerminalTarget::Container { server, .. } => {
+        let server = get_check_permissions::<Server>(
+          server,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+      TerminalTarget::Stack { stack, .. } => {
+        let server = get_check_permissions::<Stack>(
+          stack,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?
+        .config
+        .server_id;
+        let server = resource::get::<Server>(&server).await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+      TerminalTarget::Deployment { deployment } => {
+        let server = get_check_permissions::<Deployment>(
+          deployment,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?
+        .config
+        .server_id;
+        let server = resource::get::<Server>(&server).await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+    }
+  }
+}
+
+async fn list_all_terminals_for_user(
+  user: &User,
+  use_names: bool,
+) -> serror::Result<Vec<Terminal>> {
+  let (mut servers, stacks, deployments) = tokio::try_join!(
+    resource::list_full_for_user::<Server>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.terminal(),
+      &[]
+    )
+    .map(|res| res.map(|servers| servers
+      .into_iter()
+      // true denotes user actually has permission on this Server.
+      .map(|server| (server, true))
+      .collect::<Vec<_>>())),
+    resource::list_full_for_user::<Stack>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.terminal(),
+      &[]
+    ),
+    resource::list_full_for_user::<Deployment>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.terminal(),
+      &[]
+    ),
+  )?;
+
+  // Ensure any missing servers are present to query
+  for stack in &stacks {
+    if !stack.config.server_id.is_empty()
+      && !servers
+        .iter()
+        .any(|(server, _)| server.id == stack.config.server_id)
+    {
+      let server =
+        resource::get::<Server>(&stack.config.server_id).await?;
+      servers.push((server, false));
+    }
+  }
+  for deployment in &deployments {
+    if !deployment.config.server_id.is_empty()
+      && !servers
+        .iter()
+        .any(|(server, _)| server.id == deployment.config.server_id)
+    {
+      let server =
+        resource::get::<Server>(&deployment.config.server_id).await?;
+      servers.push((server, false));
+    }
+  }
+
+  let mut terminals = servers
+    .into_iter()
+    .map(|(server, server_permission)| async move {
+      (
+        list_terminals_on_server(&server, None).await,
+        (server.id, server.name, server_permission),
+      )
+    })
+    .collect::<FuturesUnordered<_>>()
+    .collect::<Vec<_>>()
+    .await
+    .into_iter()
+    .flat_map(
+      |(terminals, (server_id, server_name, server_permission))| {
+        let terminals = terminals
+          .ok()?
+          .into_iter()
+          .filter_map(|mut terminal| {
+            // Only keep terminals with appropriate perms.
+            match terminal.target.clone() {
+              TerminalTarget::Server { .. } => server_permission
+                .then(|| {
+                  terminal.target = TerminalTarget::Server {
+                    server: Some(if use_names {
+                      server_name.clone()
+                    } else {
+                      server_id.clone()
+                    }),
+                  };
+                  terminal
+                }),
+              TerminalTarget::Container { container, .. } => {
+                server_permission.then(|| {
+                  terminal.target = TerminalTarget::Container {
+                    server: if use_names {
+                      server_name.clone()
+                    } else {
+                      server_id.clone()
+                    },
+                    container,
+                  };
+                  terminal
+                })
+              }
+              TerminalTarget::Stack { stack, service } => {
+                stacks.iter().find(|s| s.id == stack).map(|s| {
+                  terminal.target = TerminalTarget::Stack {
+                    stack: if use_names {
+                      s.name.clone()
+                    } else {
+                      s.id.clone()
+                    },
+                    service,
+                  };
+                  terminal
+                })
+              }
+              TerminalTarget::Deployment { deployment } => {
+                deployments.iter().find(|d| d.id == deployment).map(
+                  |d| {
+                    terminal.target = TerminalTarget::Deployment {
+                      deployment: if use_names {
+                        d.name.clone()
+                      } else {
+                        d.id.clone()
+                      },
+                    };
+                    terminal
+                  },
+                )
+              }
+            }
+          })
+          .collect::<Vec<_>>();
+
+        Some(terminals)
+      },
+    )
+    .flatten()
+    .collect::<Vec<_>>();
+
+  terminals.sort_by(|a, b| {
+    a.target.cmp(&b.target).then(a.name.cmp(&b.name))
+  });
+
+  Ok(terminals)
+}
+
+async fn list_terminals_on_server(
+  server: &Server,
+  target: Option<TerminalTarget>,
+) -> serror::Result<Vec<Terminal>> {
+  periphery_client(server)
+    .await?
+    .request(periphery_client::api::terminal::ListTerminals {
+      target,
+    })
+    .await
+    .with_context(|| {
+      format!(
+        "Failed to get Terminal list from Server {} ({})",
+        server.name, server.id
+      )
+    })
+    .map_err(Into::into)
+}

bin/core/src/api/read/toml.rs

@@ -1,4 +1,5 @@
 use anyhow::Context;
+use database::mungos::find::find_collect;
 use komodo_client::{
   api::read::{
     ExportAllResourcesToToml, ExportAllResourcesToTomlResponse,
@@ -10,10 +11,10 @@ use komodo_client::{
     builder::Builder, deployment::Deployment,
     permission::PermissionLevel, procedure::Procedure, repo::Repo,
     resource::ResourceQuery, server::Server, stack::Stack,
-    sync::ResourceSync, toml::ResourcesToml, user::User,
+    swarm::Swarm, sync::ResourceSync, toml::ResourcesToml,
+    user::User,
   },
 };
-use mungos::find::find_collect;
 use resolver_api::Resolve;
 
 use crate::{
@@ -207,42 +208,21 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
     let ReadArgs { user } = args;
     for target in targets {
       match target {
-        ResourceTarget::Alerter(id) => {
-          let mut alerter = get_check_permissions::<Alerter>(
+        ResourceTarget::Swarm(id) => {
+          let mut swarm = get_check_permissions::<Swarm>(
             &id,
             user,
             PermissionLevel::Read.into(),
           )
           .await?;
-          Alerter::replace_ids(&mut alerter);
-          res.alerters.push(convert_resource::<Alerter>(
-            alerter,
+          Swarm::replace_ids(&mut swarm);
+          res.swarms.push(convert_resource::<Swarm>(
+            swarm,
             false,
             vec![],
             &id_to_tags,
           ))
         }
-        ResourceTarget::ResourceSync(id) => {
-          let mut sync = get_check_permissions::<ResourceSync>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          if sync.config.file_contents.is_empty()
-            && (sync.config.files_on_host
-              || !sync.config.repo.is_empty()
-              || !sync.config.linked_repo.is_empty())
-          {
-            ResourceSync::replace_ids(&mut sync);
-            res.resource_syncs.push(convert_resource::<ResourceSync>(
-              sync,
-              false,
-              vec![],
-              &id_to_tags,
-            ))
-          }
-        }
         ResourceTarget::Server(id) => {
           let mut server = get_check_permissions::<Server>(
             &id,
@@ -258,31 +238,16 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
             &id_to_tags,
           ))
         }
-        ResourceTarget::Builder(id) => {
-          let mut builder = get_check_permissions::<Builder>(
+        ResourceTarget::Stack(id) => {
+          let mut stack = get_check_permissions::<Stack>(
             &id,
             user,
             PermissionLevel::Read.into(),
           )
           .await?;
-          Builder::replace_ids(&mut builder);
-          res.builders.push(convert_resource::<Builder>(
-            builder,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Build(id) => {
-          let mut build = get_check_permissions::<Build>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Build::replace_ids(&mut build);
-          res.builds.push(convert_resource::<Build>(
-            build,
+          Stack::replace_ids(&mut stack);
+          res.stacks.push(convert_resource::<Stack>(
+            stack,
             false,
             vec![],
             &id_to_tags,
@@ -303,6 +268,21 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
             &id_to_tags,
           ))
         }
+        ResourceTarget::Build(id) => {
+          let mut build = get_check_permissions::<Build>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Build::replace_ids(&mut build);
+          res.builds.push(convert_resource::<Build>(
+            build,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
         ResourceTarget::Repo(id) => {
           let mut repo = get_check_permissions::<Repo>(
             &id,
@@ -318,21 +298,6 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
             &id_to_tags,
           ))
         }
-        ResourceTarget::Stack(id) => {
-          let mut stack = get_check_permissions::<Stack>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Stack::replace_ids(&mut stack);
-          res.stacks.push(convert_resource::<Stack>(
-            stack,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
         ResourceTarget::Procedure(id) => {
           let mut procedure = get_check_permissions::<Procedure>(
             &id,
@@ -363,6 +328,57 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
             &id_to_tags,
           ));
         }
+        ResourceTarget::ResourceSync(id) => {
+          let mut sync = get_check_permissions::<ResourceSync>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          if sync.config.file_contents.is_empty()
+            && (sync.config.files_on_host
+              || !sync.config.repo.is_empty()
+              || !sync.config.linked_repo.is_empty())
+          {
+            ResourceSync::replace_ids(&mut sync);
+            res.resource_syncs.push(convert_resource::<ResourceSync>(
+              sync,
+              false,
+              vec![],
+              &id_to_tags,
+            ))
+          }
+        }
+        ResourceTarget::Builder(id) => {
+          let mut builder = get_check_permissions::<Builder>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Builder::replace_ids(&mut builder);
+          res.builders.push(convert_resource::<Builder>(
+            builder,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Alerter(id) => {
+          let mut alerter = get_check_permissions::<Alerter>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Alerter::replace_ids(&mut alerter);
+          res.alerters.push(convert_resource::<Alerter>(
+            alerter,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
         ResourceTarget::System(_) => continue,
       };
     }

bin/core/src/api/read/update.rs

@@ -1,6 +1,11 @@
 use std::collections::HashMap;
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
 use komodo_client::{
   api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
   entities::{
@@ -15,21 +20,17 @@ use komodo_client::{
     repo::Repo,
     server::Server,
     stack::Stack,
+    swarm::Swarm,
     sync::ResourceSync,
     update::{Update, UpdateListItem},
     user::User,
   },
 };
-use mungos::{
-  by_id::find_one_by_id,
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
-  permission::{get_check_permissions, get_resource_ids_for_user},
+  permission::{get_check_permissions, list_resource_ids_for_user},
   state::db_client,
 };
 
@@ -45,99 +46,137 @@ impl Resolve<ReadArgs> for ListUpdates {
     let query = if user.admin || core_config().transparent_mode {
       self.query
     } else {
-      let server_query = get_resource_ids_for_user::<Server>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Server", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Server" });
-
-      let deployment_query =
-        get_resource_ids_for_user::<Deployment>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Deployment", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Deployment" });
-
-      let stack_query = get_resource_ids_for_user::<Stack>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Stack", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Stack" });
-
-      let build_query = get_resource_ids_for_user::<Build>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Build", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Build" });
-
-      let repo_query = get_resource_ids_for_user::<Repo>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Repo", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Repo" });
-
-      let procedure_query =
-        get_resource_ids_for_user::<Procedure>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Procedure", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Procedure" });
-
-      let action_query = get_resource_ids_for_user::<Action>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Action", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Action" });
-
-      let builder_query = get_resource_ids_for_user::<Builder>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Builder", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Builder" });
-
-      let alerter_query = get_resource_ids_for_user::<Alerter>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Alerter", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Alerter" });
-
-      let resource_sync_query = get_resource_ids_for_user::<
-        ResourceSync,
-      >(user)
+      let server_query = list_resource_ids_for_user::<Server>(
+        None,
+        user,
+        PermissionLevel::Read.into(),
+      )
       .await?
       .map(|ids| {
         doc! {
-          "target.type": "ResourceSync", "target.id": { "$in": ids }
+          "target.type": "Server", "target.id": { "$in": ids }
         }
       })
-      .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
+      .unwrap_or_else(|| doc! { "target.type": "Server" });
+
+      let deployment_query =
+        list_resource_ids_for_user::<Deployment>(
+          None,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Deployment", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Deployment" });
+
+      let stack_query = list_resource_ids_for_user::<Stack>(
+        None,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?
+      .map(|ids| {
+        doc! {
+          "target.type": "Stack", "target.id": { "$in": ids }
+        }
+      })
+      .unwrap_or_else(|| doc! { "target.type": "Stack" });
+
+      let build_query = list_resource_ids_for_user::<Build>(
+        None,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?
+      .map(|ids| {
+        doc! {
+          "target.type": "Build", "target.id": { "$in": ids }
+        }
+      })
+      .unwrap_or_else(|| doc! { "target.type": "Build" });
+
+      let repo_query = list_resource_ids_for_user::<Repo>(
+        None,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?
+      .map(|ids| {
+        doc! {
+          "target.type": "Repo", "target.id": { "$in": ids }
+        }
+      })
+      .unwrap_or_else(|| doc! { "target.type": "Repo" });
+
+      let procedure_query = list_resource_ids_for_user::<Procedure>(
+        None,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?
+      .map(|ids| {
+        doc! {
+          "target.type": "Procedure", "target.id": { "$in": ids }
+        }
+      })
+      .unwrap_or_else(|| doc! { "target.type": "Procedure" });
+
+      let action_query = list_resource_ids_for_user::<Action>(
+        None,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?
+      .map(|ids| {
+        doc! {
+          "target.type": "Action", "target.id": { "$in": ids }
+        }
+      })
+      .unwrap_or_else(|| doc! { "target.type": "Action" });
+
+      let builder_query = list_resource_ids_for_user::<Builder>(
+        None,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?
+      .map(|ids| {
+        doc! {
+          "target.type": "Builder", "target.id": { "$in": ids }
+        }
+      })
+      .unwrap_or_else(|| doc! { "target.type": "Builder" });
+
+      let alerter_query = list_resource_ids_for_user::<Alerter>(
+        None,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?
+      .map(|ids| {
+        doc! {
+          "target.type": "Alerter", "target.id": { "$in": ids }
+        }
+      })
+      .unwrap_or_else(|| doc! { "target.type": "Alerter" });
+
+      let resource_sync_query =
+        list_resource_ids_for_user::<ResourceSync>(
+          None,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "ResourceSync", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
 
       let mut query = self.query.unwrap_or_default();
       query.extend(doc! {
@@ -228,6 +267,14 @@ impl Resolve<ReadArgs> for GetUpdate {
           anyhow!("user must be admin to view system updates").into(),
         );
       }
+      ResourceTarget::Swarm(id) => {
+        get_check_permissions::<Swarm>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
       ResourceTarget::Server(id) => {
         get_check_permissions::<Server>(
           id,
@@ -236,6 +283,14 @@ impl Resolve<ReadArgs> for GetUpdate {
         )
         .await?;
       }
+      ResourceTarget::Stack(id) => {
+        get_check_permissions::<Stack>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
       ResourceTarget::Deployment(id) => {
         get_check_permissions::<Deployment>(
           id,
@@ -260,22 +315,6 @@ impl Resolve<ReadArgs> for GetUpdate {
         )
         .await?;
       }
-      ResourceTarget::Builder(id) => {
-        get_check_permissions::<Builder>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Alerter(id) => {
-        get_check_permissions::<Alerter>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
       ResourceTarget::Procedure(id) => {
         get_check_permissions::<Procedure>(
           id,
@@ -300,8 +339,16 @@ impl Resolve<ReadArgs> for GetUpdate {
         )
         .await?;
       }
-      ResourceTarget::Stack(id) => {
-        get_check_permissions::<Stack>(
+      ResourceTarget::Builder(id) => {
+        get_check_permissions::<Builder>(
+          id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+      }
+      ResourceTarget::Alerter(id) => {
+        get_check_permissions::<Alerter>(
           id,
           user,
           PermissionLevel::Read.into(),

bin/core/src/api/read/user.rs

@@ -1,4 +1,9 @@
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
 use komodo_client::{
   api::read::{
     FindUser, FindUserResponse, GetUsername, GetUsernameResponse,
@@ -8,11 +13,6 @@ use komodo_client::{
   },
   entities::user::{UserConfig, admin_service_user},
 };
-use mungos::{
-  by_id::find_one_by_id,
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use resolver_api::Resolve;
 
 use crate::{helpers::query::get_user, state::db_client};

bin/core/src/api/read/user_group.rs

@@ -1,14 +1,14 @@
 use std::str::FromStr;
 
 use anyhow::Context;
-use komodo_client::api::read::*;
-use mungos::{
+use database::mungos::{
   find::find_collect,
   mongodb::{
     bson::{Document, doc, oid::ObjectId},
     options::FindOptions,
   },
 };
+use komodo_client::api::read::*;
 use resolver_api::Resolve;
 
 use crate::state::db_client;

bin/core/src/api/read/variable.rs

@@ -1,7 +1,9 @@
 use anyhow::Context;
+use database::mongo_indexed::doc;
+use database::mungos::{
+  find::find_collect, mongodb::options::FindOptions,
+};
 use komodo_client::api::read::*;
-use mongo_indexed::doc;
-use mungos::{find::find_collect, mongodb::options::FindOptions};
 use resolver_api::Resolve;
 
 use crate::{helpers::query::get_variable, state::db_client};

bin/core/src/api/terminal.rs

@@ -1,27 +1,15 @@
 use anyhow::Context;
 use axum::{Extension, Router, middleware, routing::post};
-use komodo_client::{
-  api::terminal::*,
-  entities::{
-    deployment::Deployment, permission::PermissionLevel,
-    server::Server, stack::Stack, user::User,
-  },
-};
+use komodo_client::{api::terminal::*, entities::user::User};
 use serror::Json;
-use uuid::Uuid;
 
 use crate::{
-  auth::auth_request, helpers::periphery_client,
-  permission::get_check_permissions, resource::get,
-  state::stack_status_cache,
+  auth::auth_request, helpers::terminal::setup_target_for_user,
 };
 
 pub fn router() -> Router {
   Router::new()
     .route("/execute", post(execute_terminal))
-    .route("/execute/container", post(execute_container_exec))
-    .route("/execute/deployment", post(execute_deployment_exec))
-    .route("/execute/stack", post(execute_stack_exec))
     .layer(middleware::from_fn(auth_request))
 }
 
@@ -29,271 +17,34 @@ pub fn router() -> Router {
 //  ExecuteTerminal
 // =================
 
-async fn execute_terminal(
-  Extension(user): Extension<User>,
-  Json(request): Json<ExecuteTerminalBody>,
-) -> serror::Result<axum::body::Body> {
-  execute_terminal_inner(Uuid::new_v4(), request, user).await
-}
-
 #[instrument(
   name = "ExecuteTerminal",
-  skip(user),
+  skip_all,
   fields(
-    user_id = user.id,
+    operator = user.id,
+    target,
+    terminal,
+    init = format!("{init:?}")
   )
 )]
-async fn execute_terminal_inner(
-  req_id: Uuid,
-  ExecuteTerminalBody {
-    server,
+async fn execute_terminal(
+  Extension(user): Extension<User>,
+  Json(ExecuteTerminalBody {
+    target,
     terminal,
     command,
-  }: ExecuteTerminalBody,
-  user: User,
+    init,
+  }): Json<ExecuteTerminalBody>,
 ) -> serror::Result<axum::body::Body> {
   info!("/terminal/execute request | user: {}", user.username);
 
-  let res = async {
-    let server = get_check_permissions::<Server>(
-      &server,
-      &user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
+  let (target, terminal, periphery) =
+    setup_target_for_user(target, terminal, init, &user).await?;
 
-    let periphery = periphery_client(&server)?;
+  let stream = periphery
+    .execute_terminal(target, terminal, command)
+    .await
+    .context("Failed to execute command on Terminal")?;
 
-    let stream = periphery
-      .execute_terminal(terminal, command)
-      .await
-      .context("Failed to execute command on periphery")?;
-
-    anyhow::Ok(stream)
-  }
-  .await;
-
-  let stream = match res {
-    Ok(stream) => stream,
-    Err(e) => {
-      warn!("/terminal/execute request {req_id} error: {e:#}");
-      return Err(e.into());
-    }
-  };
-
-  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
-}
-
-// ======================
-//  ExecuteContainerExec
-// ======================
-
-async fn execute_container_exec(
-  Extension(user): Extension<User>,
-  Json(request): Json<ExecuteContainerExecBody>,
-) -> serror::Result<axum::body::Body> {
-  execute_container_exec_inner(Uuid::new_v4(), request, user).await
-}
-
-#[instrument(
-  name = "ExecuteContainerExec",
-  skip(user),
-  fields(
-    user_id = user.id,
-  )
-)]
-async fn execute_container_exec_inner(
-  req_id: Uuid,
-  ExecuteContainerExecBody {
-    server,
-    container,
-    shell,
-    command,
-  }: ExecuteContainerExecBody,
-  user: User,
-) -> serror::Result<axum::body::Body> {
-  info!(
-    "/terminal/execute/container request | user: {}",
-    user.username
-  );
-
-  let res = async {
-    let server = get_check_permissions::<Server>(
-      &server,
-      &user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
-
-    let periphery = periphery_client(&server)?;
-
-    let stream = periphery
-      .execute_container_exec(container, shell, command)
-      .await
-      .context(
-        "Failed to execute container exec command on periphery",
-      )?;
-
-    anyhow::Ok(stream)
-  }
-  .await;
-
-  let stream = match res {
-    Ok(stream) => stream,
-    Err(e) => {
-      warn!(
-        "/terminal/execute/container request {req_id} error: {e:#}"
-      );
-      return Err(e.into());
-    }
-  };
-
-  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
-}
-
-// =======================
-//  ExecuteDeploymentExec
-// =======================
-
-async fn execute_deployment_exec(
-  Extension(user): Extension<User>,
-  Json(request): Json<ExecuteDeploymentExecBody>,
-) -> serror::Result<axum::body::Body> {
-  execute_deployment_exec_inner(Uuid::new_v4(), request, user).await
-}
-
-#[instrument(
-  name = "ExecuteDeploymentExec",
-  skip(user),
-  fields(
-    user_id = user.id,
-  )
-)]
-async fn execute_deployment_exec_inner(
-  req_id: Uuid,
-  ExecuteDeploymentExecBody {
-    deployment,
-    shell,
-    command,
-  }: ExecuteDeploymentExecBody,
-  user: User,
-) -> serror::Result<axum::body::Body> {
-  info!(
-    "/terminal/execute/deployment request | user: {}",
-    user.username
-  );
-
-  let res = async {
-    let deployment = get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
-
-    let server = get::<Server>(&deployment.config.server_id).await?;
-
-    let periphery = periphery_client(&server)?;
-
-    let stream = periphery
-      .execute_container_exec(deployment.name, shell, command)
-      .await
-      .context(
-        "Failed to execute container exec command on periphery",
-      )?;
-
-    anyhow::Ok(stream)
-  }
-  .await;
-
-  let stream = match res {
-    Ok(stream) => stream,
-    Err(e) => {
-      warn!(
-        "/terminal/execute/deployment request {req_id} error: {e:#}"
-      );
-      return Err(e.into());
-    }
-  };
-
-  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
-}
-
-// ==================
-//  ExecuteStackExec
-// ==================
-
-async fn execute_stack_exec(
-  Extension(user): Extension<User>,
-  Json(request): Json<ExecuteStackExecBody>,
-) -> serror::Result<axum::body::Body> {
-  execute_stack_exec_inner(Uuid::new_v4(), request, user).await
-}
-
-#[instrument(
-  name = "ExecuteStackExec",
-  skip(user),
-  fields(
-    user_id = user.id,
-  )
-)]
-async fn execute_stack_exec_inner(
-  req_id: Uuid,
-  ExecuteStackExecBody {
-    stack,
-    service,
-    shell,
-    command,
-  }: ExecuteStackExecBody,
-  user: User,
-) -> serror::Result<axum::body::Body> {
-  info!("/terminal/execute/stack request | user: {}", user.username);
-
-  let res = async {
-    let stack = get_check_permissions::<Stack>(
-      &stack,
-      &user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
-
-    let server = get::<Server>(&stack.config.server_id).await?;
-
-    let container = stack_status_cache()
-      .get(&stack.id)
-      .await
-      .context("could not get stack status")?
-      .curr
-      .services
-      .iter()
-      .find(|s| s.service == service)
-      .context("could not find service")?
-      .container
-      .as_ref()
-      .context("could not find service container")?
-      .name
-      .clone();
-
-    let periphery = periphery_client(&server)?;
-
-    let stream = periphery
-      .execute_container_exec(container, shell, command)
-      .await
-      .context(
-        "Failed to execute container exec command on periphery",
-      )?;
-
-    anyhow::Ok(stream)
-  }
-  .await;
-
-  let stream = match res {
-    Ok(stream) => stream,
-    Err(e) => {
-      warn!("/terminal/execute/stack request {req_id} error: {e:#}");
-      return Err(e.into());
-    }
-  };
-
-  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+  Ok(axum::body::Body::from_stream(stream))
 }

bin/core/src/api/user.rs

@@ -4,24 +4,28 @@ use anyhow::{Context, anyhow};
 use axum::{
   Extension, Json, Router, extract::Path, middleware, routing::post,
 };
+use database::mongo_indexed::doc;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_bson,
+};
 use derive_variants::EnumVariants;
+use komodo_client::entities::random_string;
 use komodo_client::{
   api::user::*,
   entities::{api_key::ApiKey, komodo_timestamp, user::User},
 };
-use mongo_indexed::doc;
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_bson};
+use reqwest::StatusCode;
 use resolver_api::Resolve;
 use response::Response;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
+use serror::{AddStatusCode, AddStatusCodeError};
 use typeshare::typeshare;
 use uuid::Uuid;
 
+use crate::helpers::validations::validate_api_key_name;
 use crate::{
-  auth::auth_request,
-  helpers::{query::get_user, random_string},
-  state::db_client,
+  auth::auth_request, helpers::query::get_user, state::db_client,
 };
 
 use super::Variant;
@@ -64,7 +68,6 @@ async fn variant_handler(
   handler(user, Json(req)).await
 }
 
-#[instrument(name = "UserHandler", level = "debug", skip(user))]
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<UserRequest>,
@@ -87,11 +90,6 @@ async fn handler(
 const RECENTLY_VIEWED_MAX: usize = 10;
 
 impl Resolve<UserArgs> for PushRecentlyViewed {
-  #[instrument(
-    name = "PushRecentlyViewed",
-    level = "debug",
-    skip(user)
-  )]
   async fn resolve(
     self,
     UserArgs { user }: &UserArgs,
@@ -99,6 +97,9 @@ impl Resolve<UserArgs> for PushRecentlyViewed {
     let user = get_user(&user.id).await?;
 
     let (resource_type, id) = self.resource.extract_variant_id();
+
+    let field = format!("recents.{resource_type}");
+
     let update = match user.recents.get(&resource_type) {
       Some(recents) => {
         let mut recents = recents
@@ -106,34 +107,30 @@ impl Resolve<UserArgs> for PushRecentlyViewed {
           .filter(|_id| !id.eq(*_id))
           .take(RECENTLY_VIEWED_MAX - 1)
           .collect::<VecDeque<_>>();
+
         recents.push_front(id);
-        doc! { format!("recents.{resource_type}"): to_bson(&recents)? }
+
+        doc! { &field: to_bson(&recents)? }
       }
       None => {
-        doc! { format!("recents.{resource_type}"): [id] }
+        doc! { &field: [id] }
       }
     };
+
     update_one_by_id(
       &db_client().users,
       &user.id,
-      mungos::update::Update::Set(update),
+      database::mungos::update::Update::Set(update),
       None,
     )
     .await
-    .with_context(|| {
-      format!("failed to update recents.{resource_type}")
-    })?;
+    .with_context(|| format!("Failed to update user '{field}'"))?;
 
     Ok(PushRecentlyViewedResponse {})
   }
 }
 
 impl Resolve<UserArgs> for SetLastSeenUpdate {
-  #[instrument(
-    name = "SetLastSeenUpdate",
-    level = "debug",
-    skip(user)
-  )]
   async fn resolve(
     self,
     UserArgs { user }: &UserArgs,
@@ -141,13 +138,14 @@ impl Resolve<UserArgs> for SetLastSeenUpdate {
     update_one_by_id(
       &db_client().users,
       &user.id,
-      mungos::update::Update::Set(doc! {
+      database::mungos::update::Update::Set(doc! {
         "last_update_view": komodo_timestamp()
       }),
       None,
     )
     .await
-    .context("failed to update user last_update_view")?;
+    .context("Failed to update user 'last_update_view'")?;
+
     Ok(SetLastSeenUpdateResponse {})
   }
 }
@@ -156,17 +154,24 @@ const SECRET_LENGTH: usize = 40;
 const BCRYPT_COST: u32 = 10;
 
 impl Resolve<UserArgs> for CreateApiKey {
-  #[instrument(name = "CreateApiKey", level = "debug", skip(user))]
+  #[instrument(
+    "CreateApiKey",
+    skip_all,
+    fields(operator = user.id)
+  )]
   async fn resolve(
     self,
     UserArgs { user }: &UserArgs,
   ) -> serror::Result<CreateApiKeyResponse> {
     let user = get_user(&user.id).await?;
 
+    validate_api_key_name(&self.name)
+      .status_code(StatusCode::BAD_REQUEST)?;
+
     let key = format!("K-{}", random_string(SECRET_LENGTH));
     let secret = format!("S-{}", random_string(SECRET_LENGTH));
     let secret_hash = bcrypt::hash(&secret, BCRYPT_COST)
-      .context("failed at hashing secret string")?;
+      .context("Failed at hashing secret string")?;
 
     let api_key = ApiKey {
       name: self.name,
@@ -176,36 +181,49 @@ impl Resolve<UserArgs> for CreateApiKey {
       created_at: komodo_timestamp(),
       expires: self.expires,
     };
+
     db_client()
       .api_keys
       .insert_one(api_key)
       .await
-      .context("failed to create api key on db")?;
+      .context("Failed to create api key on database")?;
+
     Ok(CreateApiKeyResponse { key, secret })
   }
 }
 
 impl Resolve<UserArgs> for DeleteApiKey {
-  #[instrument(name = "DeleteApiKey", level = "debug", skip(user))]
+  #[instrument(
+    "DeleteApiKey",
+    skip_all,
+    fields(operator = user.id)
+  )]
   async fn resolve(
     self,
     UserArgs { user }: &UserArgs,
   ) -> serror::Result<DeleteApiKeyResponse> {
     let client = db_client();
+
     let key = client
       .api_keys
       .find_one(doc! { "key": &self.key })
       .await
-      .context("failed at db query")?
-      .context("no api key with key found")?;
+      .context("Failed at database query")?
+      .context("No api key with key found")?;
+
     if user.id != key.user_id {
-      return Err(anyhow!("api key does not belong to user").into());
+      return Err(
+        anyhow!("Api key does not belong to user")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
+
     client
       .api_keys
       .delete_one(doc! { "key": key.key })
       .await
-      .context("failed to delete api key from db")?;
+      .context("Failed to delete api key from database")?;
+
     Ok(DeleteApiKeyResponse {})
   }
 }

bin/core/src/api/write/action.rs

@@ -11,20 +11,34 @@ use crate::{permission::get_check_permissions, resource};
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for CreateAction {
-  #[instrument(name = "CreateAction", skip(user))]
+  #[instrument(
+    "CreateAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Action> {
-    Ok(
-      resource::create::<Action>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Action>(&self.name, self.config, None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for CopyAction {
-  #[instrument(name = "CopyAction", skip(user))]
+  #[instrument(
+    "CopyAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.name,
+      copy_action = self.id,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -35,15 +49,21 @@ impl Resolve<WriteArgs> for CopyAction {
       PermissionLevel::Write.into(),
     )
     .await?;
-    Ok(
-      resource::create::<Action>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Action>(&self.name, config.into(), None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for UpdateAction {
-  #[instrument(name = "UpdateAction", skip(user))]
+  #[instrument(
+    "UpdateAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -53,7 +73,15 @@ impl Resolve<WriteArgs> for UpdateAction {
 }
 
 impl Resolve<WriteArgs> for RenameAction {
-  #[instrument(name = "RenameAction", skip(user))]
+  #[instrument(
+    "RenameAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.id,
+      new_name = self.name,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -63,8 +91,18 @@ impl Resolve<WriteArgs> for RenameAction {
 }
 
 impl Resolve<WriteArgs> for DeleteAction {
-  #[instrument(name = "DeleteAction", skip(args))]
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Action> {
-    Ok(resource::delete::<Action>(&self.id, args).await?)
+  #[instrument(
+    "DeleteAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.id
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Action> {
+    Ok(resource::delete::<Action>(&self.id, user).await?)
   }
 }

bin/core/src/api/write/alert.rs

@@ -0,0 +1,41 @@
+use std::str::FromStr;
+
+use anyhow::{Context, anyhow};
+use database::mungos::mongodb::bson::{doc, oid::ObjectId};
+use komodo_client::{api::write::CloseAlert, entities::NoData};
+use reqwest::StatusCode;
+use resolver_api::Resolve;
+use serror::AddStatusCodeError;
+
+use crate::{api::write::WriteArgs, state::db_client};
+
+impl Resolve<WriteArgs> for CloseAlert {
+  #[instrument(
+    "CloseAlert",
+    skip_all,
+    fields(
+      operator = admin.id,
+      alert_id = self.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+    db_client()
+      .alerts
+      .update_one(
+        doc! { "_id": ObjectId::from_str(&self.id)? },
+        doc! { "$set": { "resolved": true } },
+      )
+      .await
+      .context("Failed to close Alert on database")?;
+    Ok(NoData {})
+  }
+}

bin/core/src/api/write/alerter.rs

@@ -11,20 +11,34 @@ use crate::{permission::get_check_permissions, resource};
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for CreateAlerter {
-  #[instrument(name = "CreateAlerter", skip(user))]
+  #[instrument(
+    "CreateAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Alerter> {
-    Ok(
-      resource::create::<Alerter>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Alerter>(&self.name, self.config, None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for CopyAlerter {
-  #[instrument(name = "CopyAlerter", skip(user))]
+  #[instrument(
+    "CopyAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.name,
+      copy_alerter = self.id,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -35,25 +49,38 @@ impl Resolve<WriteArgs> for CopyAlerter {
       PermissionLevel::Write.into(),
     )
     .await?;
-    Ok(
-      resource::create::<Alerter>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Alerter>(&self.name, config.into(), None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for DeleteAlerter {
-  #[instrument(name = "DeleteAlerter", skip(args))]
+  #[instrument(
+    "DeleteAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.id,
+    )
+  )]
   async fn resolve(
     self,
-    args: &WriteArgs,
+    WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Alerter> {
-    Ok(resource::delete::<Alerter>(&self.id, args).await?)
+    Ok(resource::delete::<Alerter>(&self.id, user).await?)
   }
 }
 
 impl Resolve<WriteArgs> for UpdateAlerter {
-  #[instrument(name = "UpdateAlerter", skip(user))]
+  #[instrument(
+    "UpdateAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.id,
+      update = serde_json::to_string(&self.config).unwrap()
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -66,7 +93,15 @@ impl Resolve<WriteArgs> for UpdateAlerter {
 }
 
 impl Resolve<WriteArgs> for RenameAlerter {
-  #[instrument(name = "RenameAlerter", skip(user))]
+  #[instrument(
+    "RenameAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.id,
+      new_name = self.name,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,

bin/core/src/api/write/build.rs

@@ -1,64 +1,75 @@
-use std::{path::PathBuf, str::FromStr, time::Duration};
+use std::{path::PathBuf, time::Duration};
 
 use anyhow::{Context, anyhow};
+use database::mungos::mongodb::bson::to_document;
+use database::{
+  mongo_indexed::doc, mungos::mongodb::bson::oid::ObjectId,
+};
 use formatting::format_serror;
 use komodo_client::{
   api::write::*,
   entities::{
     FileContents, NoData, Operation, RepoExecutionArgs,
     all_logs_success,
-    build::{Build, BuildInfo, PartialBuildConfig},
+    build::{Build, BuildInfo},
     builder::{Builder, BuilderConfig},
-    config::core::CoreConfig,
     permission::PermissionLevel,
     repo::Repo,
     server::ServerState,
     update::Update,
   },
 };
-use mongo_indexed::doc;
-use mungos::mongodb::bson::to_document;
-use octorust::types::{
-  ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
-};
-use periphery_client::{
-  PeripheryClient,
-  api::build::{
-    GetDockerfileContentsOnHost, WriteDockerfileContentsToHost,
-  },
+use periphery_client::api::build::{
+  GetDockerfileContentsOnHost, WriteDockerfileContentsToHost,
 };
 use resolver_api::Resolve;
 use tokio::fs;
 
 use crate::{
   config::core_config,
+  connection::PeripheryConnectionArgs,
   helpers::{
     git_token, periphery_client,
     query::get_server_with_state,
     update::{add_update, make_update},
   },
+  periphery::PeripheryClient,
   permission::get_check_permissions,
   resource,
-  state::{db_client, github_client},
+  state::db_client,
 };
 
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for CreateBuild {
-  #[instrument(name = "CreateBuild", skip(user))]
+  #[instrument(
+    "CreateBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Build> {
-    Ok(
-      resource::create::<Build>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Build>(&self.name, self.config, None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for CopyBuild {
-  #[instrument(name = "CopyBuild", skip(user))]
+  #[instrument(
+    "CopyBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.name,
+      copy_build = self.id,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -71,22 +82,38 @@ impl Resolve<WriteArgs> for CopyBuild {
     .await?;
     // reset version to 0.0.0
     config.version = Default::default();
-    Ok(
-      resource::create::<Build>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Build>(&self.name, config.into(), None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for DeleteBuild {
-  #[instrument(name = "DeleteBuild", skip(args))]
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Build> {
-    Ok(resource::delete::<Build>(&self.id, args).await?)
+  #[instrument(
+    "DeleteBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Build> {
+    Ok(resource::delete::<Build>(&self.id, user).await?)
   }
 }
 
 impl Resolve<WriteArgs> for UpdateBuild {
-  #[instrument(name = "UpdateBuild", skip(user))]
+  #[instrument(
+    "UpdateBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -96,7 +123,15 @@ impl Resolve<WriteArgs> for UpdateBuild {
 }
 
 impl Resolve<WriteArgs> for RenameBuild {
-  #[instrument(name = "RenameBuild", skip(user))]
+  #[instrument(
+    "RenameBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.id,
+      new_name = self.name,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -106,7 +141,14 @@ impl Resolve<WriteArgs> for RenameBuild {
 }
 
 impl Resolve<WriteArgs> for WriteBuildFileContents {
-  #[instrument(name = "WriteBuildFileContents", skip(args))]
+  #[instrument(
+    "WriteBuildFileContents",
+    skip_all,
+    fields(
+      operator = args.user.id,
+      build = self.build,
+    )
+  )]
   async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
     let build = get_check_permissions::<Build>(
       &self.build,
@@ -178,6 +220,7 @@ impl Resolve<WriteArgs> for WriteBuildFileContents {
   }
 }
 
+#[instrument("WriteDockerfileContentsGit", skip_all)]
 async fn write_dockerfile_contents_git(
   req: WriteBuildFileContents,
   args: &WriteArgs,
@@ -186,7 +229,7 @@ async fn write_dockerfile_contents_git(
 ) -> serror::Result<Update> {
   let WriteBuildFileContents { build: _, contents } = req;
 
-  let mut clone_args: RepoExecutionArgs = if !build
+  let mut repo_args: RepoExecutionArgs = if !build
     .config
     .files_on_host
     && !build.config.linked_repo.is_empty()
@@ -196,8 +239,8 @@ async fn write_dockerfile_contents_git(
   } else {
     (&build).into()
   };
-  let root = clone_args.unique_path(&core_config().repo_directory)?;
-  clone_args.destination = Some(root.display().to_string());
+  let root = repo_args.unique_path(&core_config().repo_directory)?;
+  repo_args.destination = Some(root.display().to_string());
 
   let build_path = build
     .config
@@ -220,11 +263,11 @@ async fn write_dockerfile_contents_git(
     })?;
   }
 
-  let access_token = if let Some(account) = &clone_args.account {
-    git_token(&clone_args.provider, account, |https| clone_args.https = https)
+  let access_token = if let Some(account) = &repo_args.account {
+    git_token(&repo_args.provider, account, |https| repo_args.https = https)
     .await
     .with_context(
-      || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", clone_args.provider),
+      || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", repo_args.provider),
     )?
   } else {
     None
@@ -235,7 +278,7 @@ async fn write_dockerfile_contents_git(
   if !root.join(".git").exists() {
     git::init_folder_as_repo(
       &root,
-      &clone_args,
+      &repo_args,
       access_token.as_deref(),
       &mut update.logs,
     )
@@ -249,9 +292,11 @@ async fn write_dockerfile_contents_git(
     }
   }
 
+  // Save this for later -- repo_args moved next.
+  let branch = repo_args.branch.clone();
   // Pull latest changes to repo to ensure linear commit history
   match git::pull_or_clone(
-    clone_args,
+    repo_args,
     &core_config().repo_directory,
     access_token,
   )
@@ -273,8 +318,9 @@ async fn write_dockerfile_contents_git(
     return Ok(update);
   }
 
-  if let Err(e) =
-    fs::write(&full_path, &contents).await.with_context(|| {
+  if let Err(e) = secret_file::write_async(&full_path, &contents)
+    .await
+    .with_context(|| {
       format!("Failed to write dockerfile contents to {full_path:?}")
     })
   {
@@ -298,7 +344,7 @@ async fn write_dockerfile_contents_git(
     &format!("{}: Commit Dockerfile", args.user.username),
     &root,
     &build_path.join(&dockerfile_path),
-    &build.config.branch,
+    &branch,
   )
   .await;
 
@@ -321,11 +367,6 @@ async fn write_dockerfile_contents_git(
 }
 
 impl Resolve<WriteArgs> for RefreshBuildCache {
-  #[instrument(
-    name = "RefreshBuildCache",
-    level = "debug",
-    skip(user)
-  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -349,23 +390,28 @@ impl Resolve<WriteArgs> for RefreshBuildCache {
       None
     };
 
-    let (
-      remote_path,
-      remote_contents,
-      remote_error,
-      latest_hash,
-      latest_message,
-    ) = if build.config.files_on_host {
+    let RemoteDockerfileContents {
+      path,
+      contents,
+      error,
+      hash,
+      message,
+    } = if build.config.files_on_host {
       // =============
       // FILES ON HOST
       // =============
       match get_on_host_dockerfile(&build).await {
         Ok(FileContents { path, contents }) => {
-          (Some(path), Some(contents), None, None, None)
-        }
-        Err(e) => {
-          (None, None, Some(format_serror(&e.into())), None, None)
+          RemoteDockerfileContents {
+            path: Some(path),
+            contents: Some(contents),
+            ..Default::default()
+          }
         }
+        Err(e) => RemoteDockerfileContents {
+          error: Some(format_serror(&e.into())),
+          ..Default::default()
+        },
       }
     } else if let Some(repo) = &repo {
       let Some(res) = get_git_remote(&build, repo.into()).await?
@@ -385,7 +431,7 @@ impl Resolve<WriteArgs> for RefreshBuildCache {
       // =============
       // UI BASED FILE
       // =============
-      (None, None, None, None, None)
+      RemoteDockerfileContents::default()
     };
 
     let info = BuildInfo {
@@ -393,11 +439,11 @@ impl Resolve<WriteArgs> for RefreshBuildCache {
       built_hash: build.info.built_hash,
       built_message: build.info.built_message,
       built_contents: build.info.built_contents,
-      remote_path,
-      remote_contents,
-      remote_error,
-      latest_hash,
-      latest_message,
+      remote_path: path,
+      remote_contents: contents,
+      remote_error: error,
+      latest_hash: hash,
+      latest_message: message,
     };
 
     let info = to_document(&info)
@@ -432,13 +478,26 @@ async fn get_on_host_periphery(
       Err(anyhow!("Files on host doesn't work with AWS builder"))
     }
     BuilderConfig::Url(config) => {
+      // TODO: Ensure connection is actually established.
+      // Builder id no good because it may be active for multiple connections.
       let periphery = PeripheryClient::new(
-        config.address,
-        config.passkey,
-        Duration::from_secs(3),
-      );
-      periphery.health_check().await?;
-      Ok(periphery)
+        PeripheryConnectionArgs::from_url_builder(
+          &ObjectId::new().to_hex(),
+          &config,
+        ),
+        config.insecure_tls,
+      )
+      .await?;
+      // Poll for connection to be estalished
+      let mut err = None;
+      for _ in 0..10 {
+        tokio::time::sleep(Duration::from_secs(1)).await;
+        match periphery.health_check().await {
+          Ok(_) => return Ok(periphery),
+          Err(e) => err = Some(e),
+        };
+      }
+      Err(err.context("Missing error")?)
     }
     BuilderConfig::Server(config) => {
       if config.server_id.is_empty() {
@@ -453,7 +512,7 @@ async fn get_on_host_periphery(
           "Builder server is disabled or not reachable"
         ));
       };
-      periphery_client(&server)
+      periphery_client(&server).await
     }
   }
 }
@@ -476,15 +535,7 @@ async fn get_on_host_dockerfile(
 async fn get_git_remote(
   build: &Build,
   mut clone_args: RepoExecutionArgs,
-) -> anyhow::Result<
-  Option<(
-    Option<String>,
-    Option<String>,
-    Option<String>,
-    Option<String>,
-    Option<String>,
-  )>,
-> {
+) -> anyhow::Result<Option<RemoteDockerfileContents>> {
   if clone_args.provider.is_empty() {
     // Nothing to do here
     return Ok(None);
@@ -511,10 +562,19 @@ async fn get_git_remote(
     access_token,
   )
   .await
-  .context("failed to clone build repo")?;
+  .context("Failed to clone Build repo")?;
 
-  let relative_path = PathBuf::from_str(&build.config.build_path)
-    .context("Invalid build path")?
+  // Ensure clone / pull successful,
+  // propogate error log -> 'errored' and return.
+  if let Some(failure) = res.logs.iter().find(|log| !log.success) {
+    return Ok(Some(RemoteDockerfileContents {
+      path: Some(format!("Failed at: {}", failure.stage)),
+      error: Some(failure.combined()),
+      ..Default::default()
+    }));
+  }
+
+  let relative_path = PathBuf::from(&build.config.build_path)
     .join(&build.config.dockerfile_path);
 
   let full_path = repo_path.join(&relative_path);
@@ -525,209 +585,20 @@ async fn get_git_remote(
       Ok(contents) => (Some(contents), None),
       Err(e) => (None, Some(format_serror(&e.into()))),
     };
-  Ok(Some((
-    Some(relative_path.display().to_string()),
+  Ok(Some(RemoteDockerfileContents {
+    path: Some(relative_path.display().to_string()),
     contents,
     error,
-    res.commit_hash,
-    res.commit_message,
-  )))
+    hash: res.commit_hash,
+    message: res.commit_message,
+  }))
 }
 
-impl Resolve<WriteArgs> for CreateBuildWebhook {
-  #[instrument(name = "CreateBuildWebhook", skip(args))]
-  async fn resolve(
-    self,
-    args: &WriteArgs,
-  ) -> serror::Result<CreateBuildWebhookResponse> {
-    let Some(github) = github_client() else {
-      return Err(
-        anyhow!(
-          "github_webhook_app is not configured in core config toml"
-        )
-        .into(),
-      );
-    };
-
-    let WriteArgs { user } = args;
-
-    let build = get_check_permissions::<Build>(
-      &self.build,
-      user,
-      PermissionLevel::Write.into(),
-    )
-    .await?;
-
-    if build.config.repo.is_empty() {
-      return Err(
-        anyhow!("No repo configured, can't create webhook").into(),
-      );
-    }
-
-    let mut split = build.config.repo.split('/');
-    let owner = split.next().context("Build repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Err(
-        anyhow!("Cannot manage repo webhooks under owner {owner}")
-          .into(),
-      );
-    };
-
-    let repo =
-      split.next().context("Build repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    // First make sure the webhook isn't already created (inactive ones are ignored)
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      webhook_secret,
-      ..
-    } = core_config();
-
-    let webhook_secret = if build.config.webhook_secret.is_empty() {
-      webhook_secret
-    } else {
-      &build.config.webhook_secret
-    };
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let url = format!("{host}/listener/github/build/{}", build.id);
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == url {
-        return Ok(NoData {});
-      }
-    }
-
-    // Now good to create the webhook
-    let request = ReposCreateWebhookRequest {
-      active: Some(true),
-      config: Some(ReposCreateWebhookRequestConfig {
-        url,
-        secret: webhook_secret.to_string(),
-        content_type: String::from("json"),
-        insecure_ssl: None,
-        digest: Default::default(),
-        token: Default::default(),
-      }),
-      events: vec![String::from("push")],
-      name: String::from("web"),
-    };
-    github_repos
-      .create_webhook(owner, repo, &request)
-      .await
-      .context("failed to create webhook")?;
-
-    if !build.config.webhook_enabled {
-      UpdateBuild {
-        id: build.id,
-        config: PartialBuildConfig {
-          webhook_enabled: Some(true),
-          ..Default::default()
-        },
-      }
-      .resolve(args)
-      .await
-      .map_err(|e| e.error)
-      .context("failed to update build to enable webhook")?;
-    }
-
-    Ok(NoData {})
-  }
-}
-
-impl Resolve<WriteArgs> for DeleteBuildWebhook {
-  #[instrument(name = "DeleteBuildWebhook", skip(user))]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<DeleteBuildWebhookResponse> {
-    let Some(github) = github_client() else {
-      return Err(
-        anyhow!(
-          "github_webhook_app is not configured in core config toml"
-        )
-        .into(),
-      );
-    };
-
-    let build = get_check_permissions::<Build>(
-      &self.build,
-      user,
-      PermissionLevel::Write.into(),
-    )
-    .await?;
-
-    if build.config.git_provider != "github.com" {
-      return Err(
-        anyhow!("Can only manage github.com repo webhooks").into(),
-      );
-    }
-
-    if build.config.repo.is_empty() {
-      return Err(
-        anyhow!("No repo configured, can't delete webhook").into(),
-      );
-    }
-
-    let mut split = build.config.repo.split('/');
-    let owner = split.next().context("Build repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Err(
-        anyhow!("Cannot manage repo webhooks under owner {owner}")
-          .into(),
-      );
-    };
-
-    let repo =
-      split.next().context("Build repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let url = format!("{host}/listener/github/build/{}", build.id);
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == url {
-        github_repos
-          .delete_webhook(owner, repo, webhook.id)
-          .await
-          .context("failed to delete webhook")?;
-        return Ok(NoData {});
-      }
-    }
-
-    // No webhook to delete, all good
-    Ok(NoData {})
-  }
+#[derive(Default)]
+pub struct RemoteDockerfileContents {
+  pub path: Option<String>,
+  pub contents: Option<String>,
+  pub error: Option<String>,
+  pub hash: Option<String>,
+  pub message: Option<String>,
 }

bin/core/src/api/write/builder.rs

@@ -11,20 +11,34 @@ use crate::{permission::get_check_permissions, resource};
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for CreateBuilder {
-  #[instrument(name = "CreateBuilder", skip(user))]
+  #[instrument(
+    "CreateBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Builder> {
-    Ok(
-      resource::create::<Builder>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Builder>(&self.name, self.config, None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for CopyBuilder {
-  #[instrument(name = "CopyBuilder", skip(user))]
+  #[instrument(
+    "CopyBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.name,
+      copy_builder = self.id,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -35,25 +49,38 @@ impl Resolve<WriteArgs> for CopyBuilder {
       PermissionLevel::Write.into(),
     )
     .await?;
-    Ok(
-      resource::create::<Builder>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Builder>(&self.name, config.into(), None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for DeleteBuilder {
-  #[instrument(name = "DeleteBuilder", skip(args))]
+  #[instrument(
+    "DeleteBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.id,
+    )
+  )]
   async fn resolve(
     self,
-    args: &WriteArgs,
+    WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Builder> {
-    Ok(resource::delete::<Builder>(&self.id, args).await?)
+    Ok(resource::delete::<Builder>(&self.id, user).await?)
   }
 }
 
 impl Resolve<WriteArgs> for UpdateBuilder {
-  #[instrument(name = "UpdateBuilder", skip(user))]
+  #[instrument(
+    "UpdateBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -66,7 +93,15 @@ impl Resolve<WriteArgs> for UpdateBuilder {
 }
 
 impl Resolve<WriteArgs> for RenameBuilder {
-  #[instrument(name = "RenameBuilder", skip(user))]
+  #[instrument(
+    "RenameBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.id,
+      new_name = self.name
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,

bin/core/src/api/write/deployment.rs

@@ -1,4 +1,5 @@
 use anyhow::{Context, anyhow};
+use database::mungos::{by_id::update_one_by_id, mongodb::bson::doc};
 use komodo_client::{
   api::write::*,
   entities::{
@@ -15,7 +16,6 @@ use komodo_client::{
     update::Update,
   },
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::doc};
 use periphery_client::api::{self, container::InspectContainer};
 use resolver_api::Resolve;
 
@@ -33,20 +33,39 @@ use crate::{
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for CreateDeployment {
-  #[instrument(name = "CreateDeployment", skip(user))]
+  #[instrument(
+    "CreateDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Deployment> {
-    Ok(
-      resource::create::<Deployment>(&self.name, self.config, user)
-        .await?,
+    resource::create::<Deployment>(
+      &self.name,
+      self.config,
+      None,
+      user,
     )
+    .await
   }
 }
 
 impl Resolve<WriteArgs> for CopyDeployment {
-  #[instrument(name = "CopyDeployment", skip(user))]
+  #[instrument(
+    "CopyDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.name,
+      copy_deployment = self.id,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -58,15 +77,26 @@ impl Resolve<WriteArgs> for CopyDeployment {
         PermissionLevel::Read.into(),
       )
       .await?;
-    Ok(
-      resource::create::<Deployment>(&self.name, config.into(), user)
-        .await?,
+    resource::create::<Deployment>(
+      &self.name,
+      config.into(),
+      None,
+      user,
     )
+    .await
   }
 }
 
 impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
-  #[instrument(name = "CreateDeploymentFromContainer", skip(user))]
+  #[instrument(
+    "CreateDeploymentFromContainer",
+    skip_all,
+    fields(
+      operator = user.id,
+      server = self.server,
+      deployment = self.name,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -89,7 +119,8 @@ impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
         .into(),
       );
     }
-    let container = periphery_client(&server)?
+    let container = periphery_client(&server)
+      .await?
       .request(InspectContainer {
         name: self.name.clone(),
       })
@@ -153,25 +184,38 @@ impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
       });
     }
 
-    Ok(
-      resource::create::<Deployment>(&self.name, config, user)
-        .await?,
-    )
+    resource::create::<Deployment>(&self.name, config, None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for DeleteDeployment {
-  #[instrument(name = "DeleteDeployment", skip(args))]
+  #[instrument(
+    "DeleteDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.id
+    )
+  )]
   async fn resolve(
     self,
-    args: &WriteArgs,
+    WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Deployment> {
-    Ok(resource::delete::<Deployment>(&self.id, args).await?)
+    Ok(resource::delete::<Deployment>(&self.id, user).await?)
   }
 }
 
 impl Resolve<WriteArgs> for UpdateDeployment {
-  #[instrument(name = "UpdateDeployment", skip(user))]
+  #[instrument(
+    "UpdateDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -184,7 +228,15 @@ impl Resolve<WriteArgs> for UpdateDeployment {
 }
 
 impl Resolve<WriteArgs> for RenameDeployment {
-  #[instrument(name = "RenameDeployment", skip(user))]
+  #[instrument(
+    "RenameDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.id,
+      new_name = self.name,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -227,7 +279,7 @@ impl Resolve<WriteArgs> for RenameDeployment {
     update_one_by_id(
       &db_client().deployments,
       &deployment.id,
-      mungos::update::Update::Set(
+      database::mungos::update::Update::Set(
         doc! { "name": &name, "updated_at": komodo_timestamp() },
       ),
       None,
@@ -238,7 +290,8 @@ impl Resolve<WriteArgs> for RenameDeployment {
     if container_state != DeploymentState::NotDeployed {
       let server =
         resource::get::<Server>(&deployment.config.server_id).await?;
-      let log = periphery_client(&server)?
+      let log = periphery_client(&server)
+        .await?
         .request(api::container::RenameContainer {
           curr_name: deployment.name.clone(),
           new_name: name.clone(),

bin/core/src/api/write/mod.rs

@@ -1,5 +1,3 @@
-use std::time::Instant;
-
 use anyhow::Context;
 use axum::{
   Extension, Router, extract::Path, middleware, routing::post,
@@ -11,6 +9,7 @@ use response::Response;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
 use serror::Json;
+use strum::Display;
 use typeshare::typeshare;
 use uuid::Uuid;
 
@@ -19,10 +18,12 @@ use crate::auth::auth_request;
 use super::Variant;
 
 mod action;
+mod alert;
 mod alerter;
 mod build;
 mod builder;
 mod deployment;
+mod onboarding_key;
 mod permissions;
 mod procedure;
 mod provider;
@@ -31,8 +32,10 @@ mod resource;
 mod server;
 mod service_user;
 mod stack;
+mod swarm;
 mod sync;
 mod tag;
+mod terminal;
 mod user;
 mod user_group;
 mod variable;
@@ -45,13 +48,117 @@ pub struct WriteArgs {
 #[derive(
   Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
 )]
-#[variant_derive(Debug)]
+#[variant_derive(Debug, Display)]
 #[args(WriteArgs)]
 #[response(Response)]
 #[error(serror::Error)]
 #[serde(tag = "type", content = "params")]
 pub enum WriteRequest {
+  // ==== RESOURCE ====
+  UpdateResourceMeta(UpdateResourceMeta),
+
+  // ==== SWARM ====
+  CreateSwarm(CreateSwarm),
+  CopySwarm(CopySwarm),
+  DeleteSwarm(DeleteSwarm),
+  UpdateSwarm(UpdateSwarm),
+  RenameSwarm(RenameSwarm),
+
+  // ==== SERVER ====
+  CreateServer(CreateServer),
+  CopyServer(CopyServer),
+  DeleteServer(DeleteServer),
+  UpdateServer(UpdateServer),
+  RenameServer(RenameServer),
+  CreateNetwork(CreateNetwork),
+  UpdateServerPublicKey(UpdateServerPublicKey),
+  RotateServerKeys(RotateServerKeys),
+
+  // ==== TERMINAL ====
+  CreateTerminal(CreateTerminal),
+  DeleteTerminal(DeleteTerminal),
+  DeleteAllTerminals(DeleteAllTerminals),
+  BatchDeleteAllTerminals(BatchDeleteAllTerminals),
+
+  // ==== STACK ====
+  CreateStack(CreateStack),
+  CopyStack(CopyStack),
+  DeleteStack(DeleteStack),
+  UpdateStack(UpdateStack),
+  RenameStack(RenameStack),
+  WriteStackFileContents(WriteStackFileContents),
+  RefreshStackCache(RefreshStackCache),
+
+  // ==== DEPLOYMENT ====
+  CreateDeployment(CreateDeployment),
+  CopyDeployment(CopyDeployment),
+  CreateDeploymentFromContainer(CreateDeploymentFromContainer),
+  DeleteDeployment(DeleteDeployment),
+  UpdateDeployment(UpdateDeployment),
+  RenameDeployment(RenameDeployment),
+
+  // ==== BUILD ====
+  CreateBuild(CreateBuild),
+  CopyBuild(CopyBuild),
+  DeleteBuild(DeleteBuild),
+  UpdateBuild(UpdateBuild),
+  RenameBuild(RenameBuild),
+  WriteBuildFileContents(WriteBuildFileContents),
+  RefreshBuildCache(RefreshBuildCache),
+
+  // ==== REPO ====
+  CreateRepo(CreateRepo),
+  CopyRepo(CopyRepo),
+  DeleteRepo(DeleteRepo),
+  UpdateRepo(UpdateRepo),
+  RenameRepo(RenameRepo),
+  RefreshRepoCache(RefreshRepoCache),
+
+  // ==== PROCEDURE ====
+  CreateProcedure(CreateProcedure),
+  CopyProcedure(CopyProcedure),
+  DeleteProcedure(DeleteProcedure),
+  UpdateProcedure(UpdateProcedure),
+  RenameProcedure(RenameProcedure),
+
+  // ==== ACTION ====
+  CreateAction(CreateAction),
+  CopyAction(CopyAction),
+  DeleteAction(DeleteAction),
+  UpdateAction(UpdateAction),
+  RenameAction(RenameAction),
+
+  // ==== SYNC ====
+  CreateResourceSync(CreateResourceSync),
+  CopyResourceSync(CopyResourceSync),
+  DeleteResourceSync(DeleteResourceSync),
+  UpdateResourceSync(UpdateResourceSync),
+  RenameResourceSync(RenameResourceSync),
+  WriteSyncFileContents(WriteSyncFileContents),
+  CommitSync(CommitSync),
+  RefreshResourceSyncPending(RefreshResourceSyncPending),
+
+  // ==== BUILDER ====
+  CreateBuilder(CreateBuilder),
+  CopyBuilder(CopyBuilder),
+  DeleteBuilder(DeleteBuilder),
+  UpdateBuilder(UpdateBuilder),
+  RenameBuilder(RenameBuilder),
+
+  // ==== ALERTER ====
+  CreateAlerter(CreateAlerter),
+  CopyAlerter(CopyAlerter),
+  DeleteAlerter(DeleteAlerter),
+  UpdateAlerter(UpdateAlerter),
+  RenameAlerter(RenameAlerter),
+
+  // ==== ONBOARDING KEY ====
+  CreateOnboardingKey(CreateOnboardingKey),
+  UpdateOnboardingKey(UpdateOnboardingKey),
+  DeleteOnboardingKey(DeleteOnboardingKey),
+
   // ==== USER ====
+  CreateLocalUser(CreateLocalUser),
   UpdateUserUsername(UpdateUserUsername),
   UpdateUserPassword(UpdateUserPassword),
   DeleteUser(DeleteUser),
@@ -77,100 +184,6 @@ pub enum WriteRequest {
   UpdatePermissionOnResourceType(UpdatePermissionOnResourceType),
   UpdatePermissionOnTarget(UpdatePermissionOnTarget),
 
-  // ==== RESOURCE ====
-  UpdateResourceMeta(UpdateResourceMeta),
-
-  // ==== SERVER ====
-  CreateServer(CreateServer),
-  CopyServer(CopyServer),
-  DeleteServer(DeleteServer),
-  UpdateServer(UpdateServer),
-  RenameServer(RenameServer),
-  CreateNetwork(CreateNetwork),
-  CreateTerminal(CreateTerminal),
-  DeleteTerminal(DeleteTerminal),
-  DeleteAllTerminals(DeleteAllTerminals),
-
-  // ==== STACK ====
-  CreateStack(CreateStack),
-  CopyStack(CopyStack),
-  DeleteStack(DeleteStack),
-  UpdateStack(UpdateStack),
-  RenameStack(RenameStack),
-  WriteStackFileContents(WriteStackFileContents),
-  RefreshStackCache(RefreshStackCache),
-  CreateStackWebhook(CreateStackWebhook),
-  DeleteStackWebhook(DeleteStackWebhook),
-
-  // ==== DEPLOYMENT ====
-  CreateDeployment(CreateDeployment),
-  CopyDeployment(CopyDeployment),
-  CreateDeploymentFromContainer(CreateDeploymentFromContainer),
-  DeleteDeployment(DeleteDeployment),
-  UpdateDeployment(UpdateDeployment),
-  RenameDeployment(RenameDeployment),
-
-  // ==== BUILD ====
-  CreateBuild(CreateBuild),
-  CopyBuild(CopyBuild),
-  DeleteBuild(DeleteBuild),
-  UpdateBuild(UpdateBuild),
-  RenameBuild(RenameBuild),
-  WriteBuildFileContents(WriteBuildFileContents),
-  RefreshBuildCache(RefreshBuildCache),
-  CreateBuildWebhook(CreateBuildWebhook),
-  DeleteBuildWebhook(DeleteBuildWebhook),
-
-  // ==== BUILDER ====
-  CreateBuilder(CreateBuilder),
-  CopyBuilder(CopyBuilder),
-  DeleteBuilder(DeleteBuilder),
-  UpdateBuilder(UpdateBuilder),
-  RenameBuilder(RenameBuilder),
-
-  // ==== REPO ====
-  CreateRepo(CreateRepo),
-  CopyRepo(CopyRepo),
-  DeleteRepo(DeleteRepo),
-  UpdateRepo(UpdateRepo),
-  RenameRepo(RenameRepo),
-  RefreshRepoCache(RefreshRepoCache),
-  CreateRepoWebhook(CreateRepoWebhook),
-  DeleteRepoWebhook(DeleteRepoWebhook),
-
-  // ==== ALERTER ====
-  CreateAlerter(CreateAlerter),
-  CopyAlerter(CopyAlerter),
-  DeleteAlerter(DeleteAlerter),
-  UpdateAlerter(UpdateAlerter),
-  RenameAlerter(RenameAlerter),
-
-  // ==== PROCEDURE ====
-  CreateProcedure(CreateProcedure),
-  CopyProcedure(CopyProcedure),
-  DeleteProcedure(DeleteProcedure),
-  UpdateProcedure(UpdateProcedure),
-  RenameProcedure(RenameProcedure),
-
-  // ==== ACTION ====
-  CreateAction(CreateAction),
-  CopyAction(CopyAction),
-  DeleteAction(DeleteAction),
-  UpdateAction(UpdateAction),
-  RenameAction(RenameAction),
-
-  // ==== SYNC ====
-  CreateResourceSync(CreateResourceSync),
-  CopyResourceSync(CopyResourceSync),
-  DeleteResourceSync(DeleteResourceSync),
-  UpdateResourceSync(UpdateResourceSync),
-  RenameResourceSync(RenameResourceSync),
-  WriteSyncFileContents(WriteSyncFileContents),
-  CommitSync(CommitSync),
-  RefreshResourceSyncPending(RefreshResourceSyncPending),
-  CreateSyncWebhook(CreateSyncWebhook),
-  DeleteSyncWebhook(DeleteSyncWebhook),
-
   // ==== TAG ====
   CreateTag(CreateTag),
   DeleteTag(DeleteTag),
@@ -184,13 +197,16 @@ pub enum WriteRequest {
   UpdateVariableIsSecret(UpdateVariableIsSecret),
   DeleteVariable(DeleteVariable),
 
-  // ==== PROVIDERS ====
+  // ==== PROVIDER ====
   CreateGitProviderAccount(CreateGitProviderAccount),
   UpdateGitProviderAccount(UpdateGitProviderAccount),
   DeleteGitProviderAccount(DeleteGitProviderAccount),
   CreateDockerRegistryAccount(CreateDockerRegistryAccount),
   UpdateDockerRegistryAccount(UpdateDockerRegistryAccount),
   DeleteDockerRegistryAccount(DeleteDockerRegistryAccount),
+
+  // ==== ALERT ====
+  CloseAlert(CloseAlert),
 }
 
 pub fn router() -> Router {
@@ -225,31 +241,22 @@ async fn handler(
   res?
 }
 
-#[instrument(
-  name = "WriteRequest",
-  skip(user, request),
-  fields(
-    user_id = user.id,
-    request = format!("{:?}", request.extract_variant())
-  )
-)]
 async fn task(
   req_id: Uuid,
   request: WriteRequest,
   user: User,
 ) -> serror::Result<axum::response::Response> {
-  info!("/write request | user: {}", user.username);
-
-  let timer = Instant::now();
+  let variant = request.extract_variant();
+  info!("/write request | {variant} | user: {}", user.username);
 
   let res = request.resolve(&WriteArgs { user }).await;
 
   if let Err(e) = &res {
-    warn!("/write request {req_id} error: {:#}", e.error);
+    warn!(
+      "/write request {req_id} | {variant} | error: {:#}",
+      e.error
+    );
   }
 
-  let elapsed = timer.elapsed();
-  debug!("/write request {req_id} | resolve time: {elapsed:?}");
-
   res.map(|res| res.0)
 }

bin/core/src/api/write/onboarding_key.rs

@@ -0,0 +1,200 @@
+use anyhow::{Context, anyhow};
+use database::mungos::mongodb::bson::{Document, doc};
+use komodo_client::{
+  api::write::{
+    CreateOnboardingKey, CreateOnboardingKeyResponse,
+    DeleteOnboardingKey, DeleteOnboardingKeyResponse,
+    UpdateOnboardingKey, UpdateOnboardingKeyResponse,
+  },
+  entities::{
+    komodo_timestamp, onboarding_key::OnboardingKey, random_string,
+  },
+};
+use noise::key::EncodedKeyPair;
+use reqwest::StatusCode;
+use resolver_api::Resolve;
+use serror::{AddStatusCode, AddStatusCodeError};
+
+use crate::{api::write::WriteArgs, state::db_client};
+
+//
+
+impl Resolve<WriteArgs> for CreateOnboardingKey {
+  #[instrument(
+    "CreateOnboardingKey",
+    skip_all,
+    fields(
+      operator = admin.id,
+      name = self.name,
+      expires = self.expires,
+      tags = format!("{:?}", self.tags),
+      copy_server = self.copy_server,
+      create_builder = self.create_builder,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<CreateOnboardingKeyResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+    let private_key = if let Some(private_key) = self.private_key {
+      private_key
+    } else {
+      format!("O-{}", random_string(30))
+    };
+    let public_key = EncodedKeyPair::from_private_key(&private_key)?
+      .public
+      .into_inner();
+    let onboarding_key = OnboardingKey {
+      public_key,
+      name: self.name,
+      enabled: true,
+      onboarded: Default::default(),
+      created_at: komodo_timestamp(),
+      expires: self.expires,
+      tags: self.tags,
+      copy_server: self.copy_server,
+      create_builder: self.create_builder,
+    };
+    let db = db_client();
+    // Create the key
+    db.onboarding_keys
+      .insert_one(&onboarding_key)
+      .await
+      .context(
+        "Failed to create Server onboarding key on database",
+      )?;
+    let created = db
+      .onboarding_keys
+      .find_one(doc! { "public_key": &onboarding_key.public_key })
+      .await
+      .context("Failed to query database for Server onboarding keys")?
+      .context(
+        "No Server onboarding key found on database after create",
+      )?;
+    Ok(CreateOnboardingKeyResponse {
+      private_key,
+      created,
+    })
+  }
+}
+
+//
+
+impl Resolve<WriteArgs> for UpdateOnboardingKey {
+  #[instrument(
+    "UpdateOnboardingKey",
+    skip_all,
+    fields(
+      operator = admin.id,
+      public_key = self.public_key,
+      update = format!("{:?}", self),
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UpdateOnboardingKeyResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let query = doc! { "public_key": &self.public_key };
+
+    // No changes
+    if self.is_none() {
+      return db_client()
+        .onboarding_keys
+        .find_one(query)
+        .await
+        .context("Failed to query database for onboarding key")?
+        .context("No matching onboarding key found")
+        .status_code(StatusCode::NOT_FOUND);
+    }
+
+    let mut update = Document::new();
+
+    if let Some(enabled) = self.enabled {
+      update.insert("enabled", enabled);
+    }
+
+    if let Some(name) = self.name {
+      update.insert("name", name);
+    }
+
+    if let Some(expires) = self.expires {
+      update.insert("expires", expires);
+    }
+
+    if let Some(tags) = self.tags {
+      update.insert("tags", tags);
+    }
+
+    if let Some(copy_server) = self.copy_server {
+      update.insert("copy_server", copy_server);
+    }
+
+    if let Some(create_builder) = self.create_builder {
+      update.insert("create_builder", create_builder);
+    }
+
+    db_client()
+      .onboarding_keys
+      .update_one(query.clone(), doc! { "$set": update })
+      .await
+      .context("Failed to update onboarding key on database")?;
+
+    db_client()
+      .onboarding_keys
+      .find_one(query)
+      .await
+      .context("Failed to query database for onboarding key")?
+      .context("No matching onboarding key found")
+      .status_code(StatusCode::NOT_FOUND)
+  }
+}
+
+//
+
+impl Resolve<WriteArgs> for DeleteOnboardingKey {
+  #[instrument(
+    "DeleteOnboardingKey",
+    skip_all,
+    fields(
+      operator = admin.id,
+      public_key = self.public_key,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<DeleteOnboardingKeyResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+    let db = db_client();
+    let query = doc! { "public_key": &self.public_key };
+    let creation_key = db
+      .onboarding_keys
+      .find_one(query.clone())
+      .await
+      .context("Failed to query database for Server onboarding keys")?
+      .context("Server onboarding key matching provided public key not found")
+      .status_code(StatusCode::NOT_FOUND)?;
+    db.onboarding_keys.delete_one(query).await.context(
+      "Failed to delete Server onboarding key from database",
+    )?;
+    Ok(creation_key)
+  }
+}

bin/core/src/api/write/permissions.rs

@@ -1,6 +1,14 @@
 use std::str::FromStr;
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::{find_one_by_id, update_one_by_id},
+  mongodb::{
+    bson::{Document, doc, oid::ObjectId, to_bson},
+    options::UpdateOptions,
+  },
+};
+use derive_variants::ExtractVariant as _;
 use komodo_client::{
   api::write::*,
   entities::{
@@ -8,13 +16,6 @@ use komodo_client::{
     permission::{UserTarget, UserTargetVariant},
   },
 };
-use mungos::{
-  by_id::{find_one_by_id, update_one_by_id},
-  mongodb::{
-    bson::{Document, doc, oid::ObjectId, to_bson},
-    options::UpdateOptions,
-  },
-};
 use resolver_api::Resolve;
 
 use crate::{helpers::query::get_user, state::db_client};
@@ -22,7 +23,15 @@ use crate::{helpers::query::get_user, state::db_client};
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for UpdateUserAdmin {
-  #[instrument(name = "UpdateUserAdmin", skip(super_admin))]
+  #[instrument(
+    "UpdateUserAdmin",
+    skip_all,
+    fields(
+      operator = super_admin.id,
+      target_user = self.user_id,
+      admin = self.admin,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user: super_admin }: &WriteArgs,
@@ -60,7 +69,17 @@ impl Resolve<WriteArgs> for UpdateUserAdmin {
 }
 
 impl Resolve<WriteArgs> for UpdateUserBasePermissions {
-  #[instrument(name = "UpdateUserBasePermissions", skip(admin))]
+  #[instrument(
+    "UpdateUserBasePermissions",
+    skip_all,
+    fields(
+      operator = admin.id,
+      target_user = self.user_id,
+      enabled = self.enabled,
+      create_servers = self.create_servers,
+      create_builds = self.create_builds,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
@@ -107,7 +126,7 @@ impl Resolve<WriteArgs> for UpdateUserBasePermissions {
     update_one_by_id(
       &db_client().users,
       &user_id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
       None,
     )
     .await?;
@@ -117,7 +136,16 @@ impl Resolve<WriteArgs> for UpdateUserBasePermissions {
 }
 
 impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
-  #[instrument(name = "UpdatePermissionOnResourceType", skip(admin))]
+  #[instrument(
+    "UpdatePermissionOnResourceType",
+    skip_all,
+    fields(
+      operator = admin.id,
+      user_target = format!("{:?}", self.user_target),
+      resource_type = self.resource_type.to_string(),
+      permission = format!("{:?}", self.permission),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
@@ -185,7 +213,17 @@ impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
 }
 
 impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
-  #[instrument(name = "UpdatePermissionOnTarget", skip(admin))]
+  #[instrument(
+    "UpdatePermissionOnTarget",
+    skip_all,
+    fields(
+      operator = admin.id,
+      user_target = format!("{:?}", self.user_target),
+      resource_type = self.resource_target.extract_variant().to_string(),
+      resource_id = self.resource_target.extract_variant_id().1,
+      permission = format!("{:?}", self.permission),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
@@ -269,8 +307,8 @@ async fn extract_user_target_with_validation(
         .users
         .find_one(filter)
         .await
-        .context("failed to query db for users")?
-        .context("no matching user found")?
+        .context("Failed to query db for users")?
+        .context("No matching user found")?
         .id;
       Ok((UserTargetVariant::User, id))
     }
@@ -283,8 +321,8 @@ async fn extract_user_target_with_validation(
         .user_groups
         .find_one(filter)
         .await
-        .context("failed to query db for user_groups")?
-        .context("no matching user_group found")?
+        .context("Failed to query db for user_groups")?
+        .context("No matching user_group found")?
         .id;
       Ok((UserTargetVariant::UserGroup, id))
     }
@@ -300,47 +338,19 @@ async fn extract_resource_target_with_validation(
       let res = resource_target.extract_variant_id();
       Ok((res.0, res.1.clone()))
     }
-    ResourceTarget::Build(ident) => {
+    ResourceTarget::Swarm(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .builds
+        .swarms
         .find_one(filter)
         .await
-        .context("failed to query db for builds")?
-        .context("no matching build found")?
+        .context("Failed to query db for swarms")?
+        .context("No matching server found")?
         .id;
-      Ok((ResourceTargetVariant::Build, id))
-    }
-    ResourceTarget::Builder(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .builders
-        .find_one(filter)
-        .await
-        .context("failed to query db for builders")?
-        .context("no matching builder found")?
-        .id;
-      Ok((ResourceTargetVariant::Builder, id))
-    }
-    ResourceTarget::Deployment(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .deployments
-        .find_one(filter)
-        .await
-        .context("failed to query db for deployments")?
-        .context("no matching deployment found")?
-        .id;
-      Ok((ResourceTargetVariant::Deployment, id))
+      Ok((ResourceTargetVariant::Server, id))
     }
     ResourceTarget::Server(ident) => {
       let filter = match ObjectId::from_str(ident) {
@@ -351,11 +361,53 @@ async fn extract_resource_target_with_validation(
         .servers
         .find_one(filter)
         .await
-        .context("failed to query db for servers")?
-        .context("no matching server found")?
+        .context("Failed to query db for servers")?
+        .context("No matching server found")?
         .id;
       Ok((ResourceTargetVariant::Server, id))
     }
+    ResourceTarget::Stack(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .stacks
+        .find_one(filter)
+        .await
+        .context("Failed to query db for stacks")?
+        .context("No matching stack found")?
+        .id;
+      Ok((ResourceTargetVariant::Stack, id))
+    }
+    ResourceTarget::Deployment(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .deployments
+        .find_one(filter)
+        .await
+        .context("Failed to query db for deployments")?
+        .context("No matching deployment found")?
+        .id;
+      Ok((ResourceTargetVariant::Deployment, id))
+    }
+    ResourceTarget::Build(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .builds
+        .find_one(filter)
+        .await
+        .context("Failed to query db for builds")?
+        .context("No matching build found")?
+        .id;
+      Ok((ResourceTargetVariant::Build, id))
+    }
     ResourceTarget::Repo(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
@@ -365,25 +417,11 @@ async fn extract_resource_target_with_validation(
         .repos
         .find_one(filter)
         .await
-        .context("failed to query db for repos")?
-        .context("no matching repo found")?
+        .context("Failed to query db for repos")?
+        .context("No matching repo found")?
         .id;
       Ok((ResourceTargetVariant::Repo, id))
     }
-    ResourceTarget::Alerter(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .alerters
-        .find_one(filter)
-        .await
-        .context("failed to query db for alerters")?
-        .context("no matching alerter found")?
-        .id;
-      Ok((ResourceTargetVariant::Alerter, id))
-    }
     ResourceTarget::Procedure(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
@@ -393,8 +431,8 @@ async fn extract_resource_target_with_validation(
         .procedures
         .find_one(filter)
         .await
-        .context("failed to query db for procedures")?
-        .context("no matching procedure found")?
+        .context("Failed to query db for procedures")?
+        .context("No matching procedure found")?
         .id;
       Ok((ResourceTargetVariant::Procedure, id))
     }
@@ -407,8 +445,8 @@ async fn extract_resource_target_with_validation(
         .actions
         .find_one(filter)
         .await
-        .context("failed to query db for actions")?
-        .context("no matching action found")?
+        .context("Failed to query db for actions")?
+        .context("No matching action found")?
         .id;
       Ok((ResourceTargetVariant::Action, id))
     }
@@ -421,24 +459,38 @@ async fn extract_resource_target_with_validation(
         .resource_syncs
         .find_one(filter)
         .await
-        .context("failed to query db for resource syncs")?
-        .context("no matching resource sync found")?
+        .context("Failed to query db for resource syncs")?
+        .context("No matching resource sync found")?
         .id;
       Ok((ResourceTargetVariant::ResourceSync, id))
     }
-    ResourceTarget::Stack(ident) => {
+    ResourceTarget::Builder(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .stacks
+        .builders
         .find_one(filter)
         .await
-        .context("failed to query db for stacks")?
-        .context("no matching stack found")?
+        .context("Failed to query db for builders")?
+        .context("No matching builder found")?
         .id;
-      Ok((ResourceTargetVariant::Stack, id))
+      Ok((ResourceTargetVariant::Builder, id))
+    }
+    ResourceTarget::Alerter(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .alerters
+        .find_one(filter)
+        .await
+        .context("Failed to query db for alerters")?
+        .context("No matching alerter found")?
+        .id;
+      Ok((ResourceTargetVariant::Alerter, id))
     }
   }
 }

bin/core/src/api/write/procedure.rs

@@ -11,20 +11,34 @@ use crate::{permission::get_check_permissions, resource};
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for CreateProcedure {
-  #[instrument(name = "CreateProcedure", skip(user))]
+  #[instrument(
+    "CreateProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.name,
+      config = serde_json::to_string(&self.config).unwrap()
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<CreateProcedureResponse> {
-    Ok(
-      resource::create::<Procedure>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Procedure>(&self.name, self.config, None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for CopyProcedure {
-  #[instrument(name = "CopyProcedure", skip(user))]
+  #[instrument(
+    "CopyProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.name,
+      copy_procedure = self.id,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -36,15 +50,26 @@ impl Resolve<WriteArgs> for CopyProcedure {
         PermissionLevel::Write.into(),
       )
       .await?;
-    Ok(
-      resource::create::<Procedure>(&self.name, config.into(), user)
-        .await?,
+    resource::create::<Procedure>(
+      &self.name,
+      config.into(),
+      None,
+      user,
     )
+    .await
   }
 }
 
 impl Resolve<WriteArgs> for UpdateProcedure {
-  #[instrument(name = "UpdateProcedure", skip(user))]
+  #[instrument(
+    "UpdateProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -57,7 +82,15 @@ impl Resolve<WriteArgs> for UpdateProcedure {
 }
 
 impl Resolve<WriteArgs> for RenameProcedure {
-  #[instrument(name = "RenameProcedure", skip(user))]
+  #[instrument(
+    "RenameProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.id,
+      new_name = self.name,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -70,11 +103,18 @@ impl Resolve<WriteArgs> for RenameProcedure {
 }
 
 impl Resolve<WriteArgs> for DeleteProcedure {
-  #[instrument(name = "DeleteProcedure", skip(args))]
+  #[instrument(
+    "DeleteProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.id
+    )
+  )]
   async fn resolve(
     self,
-    args: &WriteArgs,
+    WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<DeleteProcedureResponse> {
-    Ok(resource::delete::<Procedure>(&self.id, args).await?)
+    Ok(resource::delete::<Procedure>(&self.id, user).await?)
   }
 }

bin/core/src/api/write/provider.rs

@@ -1,4 +1,8 @@
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::{delete_one_by_id, find_one_by_id, update_one_by_id},
+  mongodb::bson::{doc, to_document},
+};
 use komodo_client::{
   api::write::*,
   entities::{
@@ -6,11 +10,9 @@ use komodo_client::{
     provider::{DockerRegistryAccount, GitProviderAccount},
   },
 };
-use mungos::{
-  by_id::{delete_one_by_id, find_one_by_id, update_one_by_id},
-  mongodb::bson::{doc, to_document},
-};
+use reqwest::StatusCode;
 use resolver_api::Resolve;
+use serror::AddStatusCodeError;
 
 use crate::{
   helpers::update::{add_update, make_update},
@@ -20,25 +22,41 @@ use crate::{
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for CreateGitProviderAccount {
+  #[instrument(
+    "CreateGitProviderAccount",
+    skip_all,
+    fields(
+      operator = user.id,
+      domain = self.account.domain,
+      username = self.account.username,
+      https = self.account.https.unwrap_or(true),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<CreateGitProviderAccountResponse> {
     if !user.admin {
       return Err(
-        anyhow!("only admins can create git provider accounts")
-          .into(),
+        anyhow!("Only admins can create git provider accounts")
+          .status_code(StatusCode::FORBIDDEN),
       );
     }
 
     let mut account: GitProviderAccount = self.account.into();
 
     if account.domain.is_empty() {
-      return Err(anyhow!("domain cannot be empty string.").into());
+      return Err(
+        anyhow!("Domain cannot be empty string.")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
     }
 
     if account.username.is_empty() {
-      return Err(anyhow!("username cannot be empty string.").into());
+      return Err(
+        anyhow!("Username cannot be empty string.")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
     }
 
     let mut update = make_update(
@@ -51,14 +69,14 @@ impl Resolve<WriteArgs> for CreateGitProviderAccount {
       .git_accounts
       .insert_one(&account)
       .await
-      .context("failed to create git provider account on db")?
+      .context("Failed to create git provider account on db")?
       .inserted_id
       .as_object_id()
-      .context("inserted id is not ObjectId")?
+      .context("Inserted id is not ObjectId")?
       .to_string();
 
     update.push_simple_log(
-      "create git provider account",
+      "Create git provider account",
       format!(
         "Created git provider account for {} with username {}",
         account.domain, account.username
@@ -70,7 +88,7 @@ impl Resolve<WriteArgs> for CreateGitProviderAccount {
     add_update(update)
       .await
       .inspect_err(|e| {
-        error!("failed to add update for create git provider account | {e:#}")
+        error!("Failed to add update for create git provider account | {e:#}")
       })
       .ok();
 
@@ -79,33 +97,44 @@ impl Resolve<WriteArgs> for CreateGitProviderAccount {
 }
 
 impl Resolve<WriteArgs> for UpdateGitProviderAccount {
+  #[instrument(
+    "UpdateGitProviderAccount",
+    skip_all,
+    fields(
+      operator = user.id,
+      id = self.id,
+      domain = self.account.domain,
+      username = self.account.username,
+      https = self.account.https.unwrap_or(true),
+    )
+  )]
   async fn resolve(
     mut self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<UpdateGitProviderAccountResponse> {
     if !user.admin {
       return Err(
-        anyhow!("only admins can update git provider accounts")
-          .into(),
+        anyhow!("Only admins can update git provider accounts")
+          .status_code(StatusCode::FORBIDDEN),
       );
     }
 
-    if let Some(domain) = &self.account.domain {
-      if domain.is_empty() {
-        return Err(
-          anyhow!("cannot update git provider with empty domain")
-            .into(),
-        );
-      }
+    if let Some(domain) = &self.account.domain
+      && domain.is_empty()
+    {
+      return Err(
+        anyhow!("Cannot update git provider with empty domain")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
     }
 
-    if let Some(username) = &self.account.username {
-      if username.is_empty() {
-        return Err(
-          anyhow!("cannot update git provider with empty username")
-            .into(),
-        );
-      }
+    if let Some(username) = &self.account.username
+      && username.is_empty()
+    {
+      return Err(
+        anyhow!("Cannot update git provider with empty username")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
     }
 
     // Ensure update does not change id
@@ -118,7 +147,7 @@ impl Resolve<WriteArgs> for UpdateGitProviderAccount {
     );
 
     let account = to_document(&self.account).context(
-      "failed to serialize partial git provider account to bson",
+      "Failed to serialize partial git provider account to bson",
     )?;
     let db = db_client();
     update_one_by_id(
@@ -128,17 +157,17 @@ impl Resolve<WriteArgs> for UpdateGitProviderAccount {
       None,
     )
     .await
-    .context("failed to update git provider account on db")?;
+    .context("Failed to update git provider account on db")?;
 
     let Some(account) = find_one_by_id(&db.git_accounts, &self.id)
       .await
-      .context("failed to query db for git accounts")?
+      .context("Failed to query db for git accounts")?
     else {
-      return Err(anyhow!("no account found with given id").into());
+      return Err(anyhow!("No account found with given id").into());
     };
 
     update.push_simple_log(
-      "update git provider account",
+      "Update git provider account",
       format!(
         "Updated git provider account for {} with username {}",
         account.domain, account.username
@@ -150,7 +179,7 @@ impl Resolve<WriteArgs> for UpdateGitProviderAccount {
     add_update(update)
       .await
       .inspect_err(|e| {
-        error!("failed to add update for update git provider account | {e:#}")
+        error!("Failed to add update for update git provider account | {e:#}")
       })
       .ok();
 
@@ -159,14 +188,22 @@ impl Resolve<WriteArgs> for UpdateGitProviderAccount {
 }
 
 impl Resolve<WriteArgs> for DeleteGitProviderAccount {
+  #[instrument(
+    "DeleteGitProviderAccount",
+    skip_all,
+    fields(
+      operator = user.id,
+      id = self.id,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<DeleteGitProviderAccountResponse> {
     if !user.admin {
       return Err(
-        anyhow!("only admins can delete git provider accounts")
-          .into(),
+        anyhow!("Only admins can delete git provider accounts")
+          .status_code(StatusCode::FORBIDDEN),
       );
     }
 
@@ -179,16 +216,19 @@ impl Resolve<WriteArgs> for DeleteGitProviderAccount {
     let db = db_client();
     let Some(account) = find_one_by_id(&db.git_accounts, &self.id)
       .await
-      .context("failed to query db for git accounts")?
+      .context("Failed to query db for git accounts")?
     else {
-      return Err(anyhow!("no account found with given id").into());
+      return Err(
+        anyhow!("No account found with given id")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
     };
     delete_one_by_id(&db.git_accounts, &self.id, None)
       .await
       .context("failed to delete git account on db")?;
 
     update.push_simple_log(
-      "delete git provider account",
+      "Delete git provider account",
       format!(
         "Deleted git provider account for {} with username {}",
         account.domain, account.username
@@ -200,7 +240,7 @@ impl Resolve<WriteArgs> for DeleteGitProviderAccount {
     add_update(update)
       .await
       .inspect_err(|e| {
-        error!("failed to add update for delete git provider account | {e:#}")
+        error!("Failed to add update for delete git provider account | {e:#}")
       })
       .ok();
 
@@ -209,6 +249,15 @@ impl Resolve<WriteArgs> for DeleteGitProviderAccount {
 }
 
 impl Resolve<WriteArgs> for CreateDockerRegistryAccount {
+  #[instrument(
+    "CreateDockerRegistryAccount",
+    skip_all,
+    fields(
+      operator = user.id,
+      domain = self.account.domain,
+      username = self.account.username,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -216,20 +265,26 @@ impl Resolve<WriteArgs> for CreateDockerRegistryAccount {
     if !user.admin {
       return Err(
         anyhow!(
-          "only admins can create docker registry account accounts"
+          "Only admins can create docker registry account accounts"
         )
-        .into(),
+        .status_code(StatusCode::FORBIDDEN),
       );
     }
 
     let mut account: DockerRegistryAccount = self.account.into();
 
     if account.domain.is_empty() {
-      return Err(anyhow!("domain cannot be empty string.").into());
+      return Err(
+        anyhow!("Domain cannot be empty string.")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
     }
 
     if account.username.is_empty() {
-      return Err(anyhow!("username cannot be empty string.").into());
+      return Err(
+        anyhow!("Username cannot be empty string.")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
     }
 
     let mut update = make_update(
@@ -243,15 +298,15 @@ impl Resolve<WriteArgs> for CreateDockerRegistryAccount {
       .insert_one(&account)
       .await
       .context(
-        "failed to create docker registry account account on db",
+        "Failed to create docker registry account account on db",
       )?
       .inserted_id
       .as_object_id()
-      .context("inserted id is not ObjectId")?
+      .context("Inserted id is not ObjectId")?
       .to_string();
 
     update.push_simple_log(
-      "create docker registry account",
+      "Create docker registry account",
       format!(
         "Created docker registry account account for {} with username {}",
         account.domain, account.username
@@ -263,7 +318,7 @@ impl Resolve<WriteArgs> for CreateDockerRegistryAccount {
     add_update(update)
       .await
       .inspect_err(|e| {
-        error!("failed to add update for create docker registry account | {e:#}")
+        error!("Failed to add update for create docker registry account | {e:#}")
       })
       .ok();
 
@@ -272,37 +327,47 @@ impl Resolve<WriteArgs> for CreateDockerRegistryAccount {
 }
 
 impl Resolve<WriteArgs> for UpdateDockerRegistryAccount {
+  #[instrument(
+    "UpdateDockerRegistryAccount",
+    skip_all,
+    fields(
+      operator = user.id,
+      id = self.id,
+      domain = self.account.domain,
+      username = self.account.username,
+    )
+  )]
   async fn resolve(
     mut self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<UpdateDockerRegistryAccountResponse> {
     if !user.admin {
       return Err(
-        anyhow!("only admins can update docker registry accounts")
-          .into(),
+        anyhow!("Only admins can update docker registry accounts")
+          .status_code(StatusCode::FORBIDDEN),
       );
     }
 
-    if let Some(domain) = &self.account.domain {
-      if domain.is_empty() {
-        return Err(
-          anyhow!(
-            "cannot update docker registry account with empty domain"
-          )
-          .into(),
-        );
-      }
+    if let Some(domain) = &self.account.domain
+      && domain.is_empty()
+    {
+      return Err(
+        anyhow!(
+          "Cannot update docker registry account with empty domain"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
     }
 
-    if let Some(username) = &self.account.username {
-      if username.is_empty() {
-        return Err(
-          anyhow!(
-            "cannot update docker registry account with empty username"
-          )
-          .into(),
-        );
-      }
+    if let Some(username) = &self.account.username
+      && username.is_empty()
+    {
+      return Err(
+        anyhow!(
+          "Cannot update docker registry account with empty username"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
     }
 
     self.account.id = None;
@@ -314,7 +379,7 @@ impl Resolve<WriteArgs> for UpdateDockerRegistryAccount {
     );
 
     let account = to_document(&self.account).context(
-      "failed to serialize partial docker registry account account to bson",
+      "Failed to serialize partial docker registry account account to bson",
     )?;
 
     let db = db_client();
@@ -326,19 +391,19 @@ impl Resolve<WriteArgs> for UpdateDockerRegistryAccount {
     )
     .await
     .context(
-      "failed to update docker registry account account on db",
+      "Failed to update docker registry account account on db",
     )?;
 
     let Some(account) =
       find_one_by_id(&db.registry_accounts, &self.id)
         .await
-        .context("failed to query db for registry accounts")?
+        .context("Failed to query db for registry accounts")?
     else {
-      return Err(anyhow!("no account found with given id").into());
+      return Err(anyhow!("No account found with given id").into());
     };
 
     update.push_simple_log(
-      "update docker registry account",
+      "Update docker registry account",
       format!(
         "Updated docker registry account account for {} with username {}",
         account.domain, account.username
@@ -350,7 +415,7 @@ impl Resolve<WriteArgs> for UpdateDockerRegistryAccount {
     add_update(update)
       .await
       .inspect_err(|e| {
-        error!("failed to add update for update docker registry account | {e:#}")
+        error!("Failed to add update for update docker registry account | {e:#}")
       })
       .ok();
 
@@ -359,14 +424,22 @@ impl Resolve<WriteArgs> for UpdateDockerRegistryAccount {
 }
 
 impl Resolve<WriteArgs> for DeleteDockerRegistryAccount {
+  #[instrument(
+    "DeleteDockerRegistryAccount",
+    skip_all,
+    fields(
+      operator = user.id,
+      id = self.id,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<DeleteDockerRegistryAccountResponse> {
     if !user.admin {
       return Err(
-        anyhow!("only admins can delete docker registry accounts")
-          .into(),
+        anyhow!("Only admins can delete docker registry accounts")
+          .status_code(StatusCode::FORBIDDEN),
       );
     }
 
@@ -380,16 +453,19 @@ impl Resolve<WriteArgs> for DeleteDockerRegistryAccount {
     let Some(account) =
       find_one_by_id(&db.registry_accounts, &self.id)
         .await
-        .context("failed to query db for git accounts")?
+        .context("Failed to query db for git accounts")?
     else {
-      return Err(anyhow!("no account found with given id").into());
+      return Err(
+        anyhow!("No account found with given id")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
     };
     delete_one_by_id(&db.registry_accounts, &self.id, None)
       .await
-      .context("failed to delete registry account on db")?;
+      .context("Failed to delete registry account on db")?;
 
     update.push_simple_log(
-      "delete registry account",
+      "Delete registry account",
       format!(
         "Deleted registry account for {} with username {}",
         account.domain, account.username
@@ -401,7 +477,7 @@ impl Resolve<WriteArgs> for DeleteDockerRegistryAccount {
     add_update(update)
       .await
       .inspect_err(|e| {
-        error!("failed to add update for delete docker registry account | {e:#}")
+        error!("Failed to add update for delete docker registry account | {e:#}")
       })
       .ok();
 

bin/core/src/api/write/repo.rs

@@ -1,23 +1,20 @@
-use anyhow::{Context, anyhow};
+use anyhow::Context;
+use database::mongo_indexed::doc;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
 use formatting::format_serror;
 use komodo_client::{
   api::write::*,
   entities::{
-    NoData, Operation, RepoExecutionArgs,
-    config::core::CoreConfig,
-    komodo_timestamp,
+    NoData, Operation, RepoExecutionArgs, komodo_timestamp,
     permission::PermissionLevel,
-    repo::{PartialRepoConfig, Repo, RepoInfo},
+    repo::{Repo, RepoInfo},
     server::Server,
     to_path_compatible_name,
     update::{Log, Update},
   },
 };
-use mongo_indexed::doc;
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
-use octorust::types::{
-  ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
-};
 use periphery_client::api;
 use resolver_api::Resolve;
 
@@ -29,23 +26,40 @@ use crate::{
   },
   permission::get_check_permissions,
   resource,
-  state::{action_states, db_client, github_client},
+  state::{action_states, db_client},
 };
 
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for CreateRepo {
-  #[instrument(name = "CreateRepo", skip(user))]
+  #[instrument(
+    "CreateRepo",
+    skip_all,
+    fields(
+      operator = user.id,
+      repo = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Repo> {
-    Ok(resource::create::<Repo>(&self.name, self.config, user).await?)
+    resource::create::<Repo>(&self.name, self.config, None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for CopyRepo {
-  #[instrument(name = "CopyRepo", skip(user))]
+  #[instrument(
+    "CopyRepo",
+    skip_all,
+    fields(
+      operator = user.id,
+      repo = self.name,
+      copy_repo = self.id,
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -56,22 +70,38 @@ impl Resolve<WriteArgs> for CopyRepo {
       PermissionLevel::Read.into(),
     )
     .await?;
-    Ok(
-      resource::create::<Repo>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Repo>(&self.name, config.into(), None, user)
+      .await
   }
 }
 
 impl Resolve<WriteArgs> for DeleteRepo {
-  #[instrument(name = "DeleteRepo", skip(args))]
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Repo> {
-    Ok(resource::delete::<Repo>(&self.id, args).await?)
+  #[instrument(
+    "DeleteRepo",
+    skip_all,
+    fields(
+      operator = user.id,
+      repo = self.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Repo> {
+    Ok(resource::delete::<Repo>(&self.id, user).await?)
   }
 }
 
 impl Resolve<WriteArgs> for UpdateRepo {
-  #[instrument(name = "UpdateRepo", skip(user))]
+  #[instrument(
+    "UpdateRepo",
+    skip_all,
+    fields(
+      operator = user.id,
+      repo = self.id,
+      update = serde_json::to_string(&self.config).unwrap()
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -81,7 +111,15 @@ impl Resolve<WriteArgs> for UpdateRepo {
 }
 
 impl Resolve<WriteArgs> for RenameRepo {
-  #[instrument(name = "RenameRepo", skip(user))]
+  #[instrument(
+    "RenameRepo",
+    skip_all,
+    fields(
+      operator = user.id,
+      repo = self.id,
+      new_name = self.name
+    )
+  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -117,7 +155,7 @@ impl Resolve<WriteArgs> for RenameRepo {
     update_one_by_id(
       &db_client().repos,
       &repo.id,
-      mungos::update::Update::Set(
+      database::mungos::update::Update::Set(
         doc! { "name": &name, "updated_at": komodo_timestamp() },
       ),
       None,
@@ -128,7 +166,8 @@ impl Resolve<WriteArgs> for RenameRepo {
     let server =
       resource::get::<Server>(&repo.config.server_id).await?;
 
-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
       .request(api::git::RenameRepo {
         curr_name: to_path_compatible_name(&repo.name),
         new_name: name.clone(),
@@ -157,11 +196,6 @@ impl Resolve<WriteArgs> for RenameRepo {
 }
 
 impl Resolve<WriteArgs> for RefreshRepoCache {
-  #[instrument(
-    name = "RefreshRepoCache",
-    level = "debug",
-    skip(user)
-  )]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -233,220 +267,3 @@ impl Resolve<WriteArgs> for RefreshRepoCache {
     Ok(NoData {})
   }
 }
-
-impl Resolve<WriteArgs> for CreateRepoWebhook {
-  #[instrument(name = "CreateRepoWebhook", skip(args))]
-  async fn resolve(
-    self,
-    args: &WriteArgs,
-  ) -> serror::Result<CreateRepoWebhookResponse> {
-    let Some(github) = github_client() else {
-      return Err(
-        anyhow!(
-          "github_webhook_app is not configured in core config toml"
-        )
-        .into(),
-      );
-    };
-
-    let repo = get_check_permissions::<Repo>(
-      &self.repo,
-      &args.user,
-      PermissionLevel::Write.into(),
-    )
-    .await?;
-
-    if repo.config.repo.is_empty() {
-      return Err(
-        anyhow!("No repo configured, can't create webhook").into(),
-      );
-    }
-
-    let mut split = repo.config.repo.split('/');
-    let owner = split.next().context("Repo repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Err(
-        anyhow!("Cannot manage repo webhooks under owner {owner}")
-          .into(),
-      );
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    // First make sure the webhook isn't already created (inactive ones are ignored)
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      webhook_secret,
-      ..
-    } = core_config();
-
-    let webhook_secret = if repo.config.webhook_secret.is_empty() {
-      webhook_secret
-    } else {
-      &repo.config.webhook_secret
-    };
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let url = match self.action {
-      RepoWebhookAction::Clone => {
-        format!("{host}/listener/github/repo/{}/clone", repo.id)
-      }
-      RepoWebhookAction::Pull => {
-        format!("{host}/listener/github/repo/{}/pull", repo.id)
-      }
-      RepoWebhookAction::Build => {
-        format!("{host}/listener/github/repo/{}/build", repo.id)
-      }
-    };
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == url {
-        return Ok(NoData {});
-      }
-    }
-
-    // Now good to create the webhook
-    let request = ReposCreateWebhookRequest {
-      active: Some(true),
-      config: Some(ReposCreateWebhookRequestConfig {
-        url,
-        secret: webhook_secret.to_string(),
-        content_type: String::from("json"),
-        insecure_ssl: None,
-        digest: Default::default(),
-        token: Default::default(),
-      }),
-      events: vec![String::from("push")],
-      name: String::from("web"),
-    };
-    github_repos
-      .create_webhook(owner, repo_name, &request)
-      .await
-      .context("failed to create webhook")?;
-
-    if !repo.config.webhook_enabled {
-      UpdateRepo {
-        id: repo.id,
-        config: PartialRepoConfig {
-          webhook_enabled: Some(true),
-          ..Default::default()
-        },
-      }
-      .resolve(args)
-      .await
-      .map_err(|e| e.error)
-      .context("failed to update repo to enable webhook")?;
-    }
-
-    Ok(NoData {})
-  }
-}
-
-impl Resolve<WriteArgs> for DeleteRepoWebhook {
-  #[instrument(name = "DeleteRepoWebhook", skip(user))]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<DeleteRepoWebhookResponse> {
-    let Some(github) = github_client() else {
-      return Err(
-        anyhow!(
-          "github_webhook_app is not configured in core config toml"
-        )
-        .into(),
-      );
-    };
-
-    let repo = get_check_permissions::<Repo>(
-      &self.repo,
-      user,
-      PermissionLevel::Write.into(),
-    )
-    .await?;
-
-    if repo.config.git_provider != "github.com" {
-      return Err(
-        anyhow!("Can only manage github.com repo webhooks").into(),
-      );
-    }
-
-    if repo.config.repo.is_empty() {
-      return Err(
-        anyhow!("No repo configured, can't create webhook").into(),
-      );
-    }
-
-    let mut split = repo.config.repo.split('/');
-    let owner = split.next().context("Repo repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Err(
-        anyhow!("Cannot manage repo webhooks under owner {owner}")
-          .into(),
-      );
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    // First make sure the webhook isn't already created (inactive ones are ignored)
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let url = match self.action {
-      RepoWebhookAction::Clone => {
-        format!("{host}/listener/github/repo/{}/clone", repo.id)
-      }
-      RepoWebhookAction::Pull => {
-        format!("{host}/listener/github/repo/{}/pull", repo.id)
-      }
-      RepoWebhookAction::Build => {
-        format!("{host}/listener/github/repo/{}/build", repo.id)
-      }
-    };
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == url {
-        github_repos
-          .delete_webhook(owner, repo_name, webhook.id)
-          .await
-          .context("failed to delete webhook")?;
-        return Ok(NoData {});
-      }
-    }
-
-    // No webhook to delete, all good
-    Ok(NoData {})
-  }
-}

bin/core/src/api/write/resource.rs

@@ -1,20 +1,35 @@
 use anyhow::anyhow;
+use derive_variants::ExtractVariant as _;
 use komodo_client::{
   api::write::{UpdateResourceMeta, UpdateResourceMetaResponse},
   entities::{
     ResourceTarget, action::Action, alerter::Alerter, build::Build,
     builder::Builder, deployment::Deployment, procedure::Procedure,
-    repo::Repo, server::Server, stack::Stack, sync::ResourceSync,
+    repo::Repo, server::Server, stack::Stack, swarm::Swarm,
+    sync::ResourceSync,
   },
 };
+use reqwest::StatusCode;
 use resolver_api::Resolve;
+use serror::AddStatusCodeError;
 
 use crate::resource::{self, ResourceMetaUpdate};
 
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for UpdateResourceMeta {
-  #[instrument(name = "UpdateResourceMeta", skip(args))]
+  #[instrument(
+    "UpdateResourceMeta",
+    skip_all,
+    fields(
+      operator = args.user.id,
+      resource_type = self.target.extract_variant().to_string(),
+      resource_id = self.target.extract_variant_id().1,
+      description = self.description,
+      template = self.template,
+      tags = format!("{:?}", self.tags),
+    )
+  )]
   async fn resolve(
     self,
     args: &WriteArgs,
@@ -28,12 +43,18 @@ impl Resolve<WriteArgs> for UpdateResourceMeta {
       ResourceTarget::System(_) => {
         return Err(
           anyhow!("cannot update meta of System resource target")
-            .into(),
+            .status_code(StatusCode::BAD_REQUEST),
         );
       }
+      ResourceTarget::Swarm(id) => {
+        resource::update_meta::<Swarm>(&id, meta, args).await?;
+      }
       ResourceTarget::Server(id) => {
         resource::update_meta::<Server>(&id, meta, args).await?;
       }
+      ResourceTarget::Stack(id) => {
+        resource::update_meta::<Stack>(&id, meta, args).await?;
+      }
       ResourceTarget::Deployment(id) => {
         resource::update_meta::<Deployment>(&id, meta, args).await?;
       }
@@ -43,12 +64,6 @@ impl Resolve<WriteArgs> for UpdateResourceMeta {
       ResourceTarget::Repo(id) => {
         resource::update_meta::<Repo>(&id, meta, args).await?;
       }
-      ResourceTarget::Builder(id) => {
-        resource::update_meta::<Builder>(&id, meta, args).await?;
-      }
-      ResourceTarget::Alerter(id) => {
-        resource::update_meta::<Alerter>(&id, meta, args).await?;
-      }
       ResourceTarget::Procedure(id) => {
         resource::update_meta::<Procedure>(&id, meta, args).await?;
       }
@@ -59,8 +74,11 @@ impl Resolve<WriteArgs> for UpdateResourceMeta {
         resource::update_meta::<ResourceSync>(&id, meta, args)
           .await?;
       }
-      ResourceTarget::Stack(id) => {
-        resource::update_meta::<Stack>(&id, meta, args).await?;
+      ResourceTarget::Builder(id) => {
+        resource::update_meta::<Builder>(&id, meta, args).await?;
+      }
+      ResourceTarget::Alerter(id) => {
+        resource::update_meta::<Alerter>(&id, meta, args).await?;
       }
     }
     Ok(UpdateResourceMetaResponse {})