Fix compose.env (#415)

Flip "stacks" and "repos" paths

.cargo/config.toml

@@ -0,0 +1,2 @@
+[build]
+rustflags = ["-Wunused-crate-dependencies"]

.devcontainer/dev.compose.yaml

@@ -0,0 +1,33 @@
+services:
+  dev:
+    image: mcr.microsoft.com/devcontainers/rust:1-1-bullseye
+    volumes:
+      # Mount the root folder that contains .git
+      - ../:/workspace:cached
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /proc:/proc
+      - repos:/etc/komodo/repos
+      - stacks:/etc/komodo/stacks
+    command: sleep infinity
+    ports:
+      - "9121:9121"
+    environment:
+      KOMODO_FIRST_SERVER: http://localhost:8120
+      KOMODO_DATABASE_ADDRESS: db
+      KOMODO_ENABLE_NEW_USERS: true
+      KOMODO_LOCAL_AUTH: true
+      KOMODO_JWT_SECRET: a_random_secret
+    links:
+      - db
+    # ...
+
+  db:
+    extends:
+      file: ../dev.compose.yaml
+      service: ferretdb
+
+volumes:
+  data:
+  repo-cache:
+  repos:
+  stacks:

.devcontainer/devcontainer.json

@@ -0,0 +1,46 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/rust
+{
+	"name": "Komodo",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	//"image": "mcr.microsoft.com/devcontainers/rust:1-1-bullseye",
+	"dockerComposeFile": ["dev.compose.yaml"],
+	"workspaceFolder": "/workspace",
+  	"service": "dev",
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	"features": {
+		"ghcr.io/devcontainers/features/node:1": {
+			"version": "20.12.2"
+		},
+		"ghcr.io/devcontainers-community/features/deno:1": {
+
+		}
+	},
+
+	// Use 'mounts' to make the cargo cache persistent in a Docker Volume.
+	"mounts": [
+		{
+			"source": "devcontainer-cargo-cache-${devcontainerId}",
+			"target": "/usr/local/cargo",
+			"type": "volume"
+		}
+	],
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	"forwardPorts": [
+		9121
+	],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	"postCreateCommand": "./.devcontainer/postCreate.sh",
+
+	"runServices": [
+		"db"
+	]
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	// "remoteUser": "root"
+}

.devcontainer/postCreate.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cargo install typeshare-cli

.dockerignore

@@ -1,8 +0,0 @@
-/target
-readme.md
-typeshare.toml
-LICENSE
-*.code-workspace
-
-*/node_modules
-*/dist

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+open_collective: komodo

.gitignore

@@ -1,9 +1,13 @@
 target
-/frontend/build
 node_modules
-/lib/ts_client/build
 dist
 .env
 .env.development
+.DS_Store
+.idea
+
+/frontend/build
+/lib/ts_client/build
+
 creds.toml
-core.config.toml
+.dev

.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+    "recommendations": [
+        "rust-lang.rust-analyzer",
+        "tamasfe.even-better-toml",
+        "vadimcn.vscode-lldb",
+        "denoland.vscode-deno"
+    ]
+}

.vscode/tasks.json

@@ -1,93 +1,179 @@
-{
-	"version": "2.0.0",
-	"tasks": [
-		{
-			"type": "cargo",
-			"command": "build",
-			"group": {
-				"kind": "build",
-				"isDefault": true
-			},
-			"label": "rust: cargo build"
-		},
-		{
-			"type": "cargo",
-			"command": "fmt",
-			"label": "rust: cargo fmt"
-		},
-		{
-			"type": "cargo",
-			"command": "check",
-			"label": "rust: cargo check"
-		},
-		{
-			"label": "start dev",
-			"dependsOn": [
-				"run core",
-				"start frontend"
-			],
-			"problemMatcher": []
-		},
-		{
-			"type": "shell",
-			"command": "yarn start",
-			"label": "start frontend",
-			"options": {
-				"cwd": "${workspaceFolder}/frontend"
-			},
-			"presentation": {
-				"group": "start"
-			}
-		},
-		{
-			"type": "cargo",
-			"command": "run",
-			"label": "run core",
-			"options": {
-				"cwd": "${workspaceFolder}/bin/core"
-			},
-			"presentation": {
-				"group": "start"
-			}
-		},
-		{
-			"type": "cargo",
-			"command": "run",
-			"label": "run periphery",
-			"options": {
-				"cwd": "${workspaceFolder}/bin/periphery"
-			}
-		},
-		{
-			"type": "cargo",
-			"command": "run",
-			"label": "run tests",
-			"options": {
-				"cwd": "${workspaceFolder}/bin/tests"
-			}
-		},
-		{
-			"type": "cargo",
-			"command": "publish",
-			"args": ["--allow-dirty"],
-			"label": "publish types",
-			"options": {
-				"cwd": "${workspaceFolder}/lib/types"
-			}
-		},
-		{
-			"type": "cargo",
-			"command": "publish",
-			"label": "publish rs client",
-			"options": {
-				"cwd": "${workspaceFolder}/lib/rs_client"
-			}
-		},
-		{
-			"type": "shell",
-			"command": "node ./client/ts/generate_types.mjs",
-			"label": "generate typescript types",
-			"problemMatcher": []
-		}
-	]
-}
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Run Core",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Core",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Periphery",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Periphery",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Backend",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery"
+            ],
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build TS Client Types",
+            "type": "process",
+            "command": "node",
+            "args": [
+                "./client/core/ts/generate_types.mjs"
+            ],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init TS Client",
+            "type": "shell",
+            "command": "yarn && yarn build && yarn link",
+            "options": {
+                "cwd": "${workspaceFolder}/client/core/ts",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend Client",
+            "type": "shell",
+            "command": "yarn link komodo_client && yarn install",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend",
+            "dependsOn": [
+                "Build TS Client Types",
+                "Init TS Client",
+                "Init Frontend Client"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Build Frontend",
+            "type": "shell",
+            "command": "yarn build",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Prepare Frontend For Run",
+            "type": "shell",
+            "command": "cp -r ./client/core/ts/dist/. frontend/public/client/.",
+            "options": {
+                "cwd": "${workspaceFolder}",
+            },
+            "dependsOn": [
+                "Build TS Client Types",
+                "Build Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Frontend",
+            "type": "shell",
+            "command": "yarn dev",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "dependsOn": ["Prepare Frontend For Run"],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init",
+            "dependsOn": [
+                "Build Backend",
+                "Init Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Komodo",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery",
+                "Run Frontend"
+            ],
+            "problemMatcher": []
+        },
+    ]
+  }

Cargo.toml

@@ -1,95 +1,118 @@
 [workspace]
 resolver = "2"
-members = ["bin/*", "lib/*", "client/core/rs", "client/periphery/rs"]
+members = [
+	"bin/*",
+	"lib/*",
+	"client/core/rs",
+	"client/periphery/rs",
+]
 
 [workspace.package]
-version = "1.4.0"
-edition = "2021"
+version = "1.17.1"
+edition = "2024"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"
-repository = "https://github.com/mbecker20/monitor"
-homepage = "https://docs.monitor.mogh.tech"
+repository = "https://github.com/moghtech/komodo"
+homepage = "https://komo.do"
 
 [workspace.dependencies]
 # LOCAL
-monitor_client = { path = "client/core/rs" }
+komodo_client = { path = "client/core/rs" }
 periphery_client = { path = "client/periphery/rs" }
+environment_file = { path = "lib/environment_file" }
+formatting = { path = "lib/formatting" }
+response = { path = "lib/response" }
+command = { path = "lib/command" }
 logger = { path = "lib/logger" }
+cache = { path = "lib/cache" }
+git = { path = "lib/git" }
 
 # MOGH
 run_command = { version = "0.0.6", features = ["async_tokio"] }
-serror = { version = "0.3.4", default-features = false }
-slack = { version = "0.1.0", package = "slack_client_rs" }
+serror = { version = "0.5.0", default-features = false }
+slack = { version = "0.4.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
 derive_default_builder = "0.1.8"
 derive_empty_traits = "0.1.0"
 merge_config_files = "0.1.5"
-termination_signal = "0.1.3"
-async_timing_util = "0.1.14"
-partial_derive2 = "0.4.2"
-derive_variants = "0.1.3"
-mongo_indexed = "0.3.0"
-resolver_api = "1.1.0"
-parse_csl = "0.1.0"
-mungos = "0.5.6"
+async_timing_util = "1.0.0"
+partial_derive2 = "0.4.3"
+derive_variants = "1.0.0"
+mongo_indexed = "2.0.1"
+resolver_api = "3.0.0"
+toml_pretty = "1.1.2"
+mungos = "3.2.0"
 svi = "1.0.1"
 
 # ASYNC
-tokio = { version = "1.37.0", features = ["full"] }
-reqwest = { version = "0.12.4", features = ["json"] }
-tokio-util = "0.7.11"
-futures = "0.3.30"
-futures-util = "0.3.30"
+reqwest = { version = "0.12.15", default-features = false, features = ["json", "rustls-tls-native-roots"] }
+tokio = { version = "1.44.1", features = ["full"] }
+tokio-util = "0.7.14"
+futures = "0.3.31"
+futures-util = "0.3.31"
+arc-swap = "1.7.1"
 
 # SERVER
-axum = { version = "0.7.5", features = ["ws", "json"] }
-axum-extra = { version = "0.9.3", features = ["typed-header"] }
-tower = { version = "0.4.13", features = ["timeout"] }
-tower-http = { version = "0.5.2", features = ["fs", "cors"] }
-tokio-tungstenite = "0.21.0"
+axum-extra = { version = "0.10.0", features = ["typed-header"] }
+tower-http = { version = "0.6.2", features = ["fs", "cors"] }
+axum-server = { version = "0.7.2", features = ["tls-rustls"] }
+axum = { version = "0.8.1", features = ["ws", "json", "macros"] }
+tokio-tungstenite = "0.26.2"
 
 # SER/DE
-serde = { version = "1.0.201", features = ["derive"] }
-strum = { version = "0.26.2", features = ["derive"] }
-serde_json = "1.0.116"
-toml = "0.8.12"
+ordered_hash_map = { version = "0.4.0", features = ["serde"] }
+serde = { version = "1.0.219", features = ["derive"] }
+strum = { version = "0.27.1", features = ["derive"] }
+serde_json = "1.0.140"
+serde_yaml = "0.9.34"
+toml = "0.8.20"
 
 # ERROR
-anyhow = "1.0.83"
-thiserror = "1.0.60"
+anyhow = "1.0.97"
+thiserror = "2.0.12"
 
 # LOGGING
-opentelemetry_sdk = { version = "0.22.1", features = ["rt-tokio"] }
-tracing-subscriber = { version = "0.3.18", features = ["json"] }
-tracing-opentelemetry = "0.23.0"
-opentelemetry-otlp = "0.15.0"
-opentelemetry = "0.22.0"
-tracing = "0.1.40"
+opentelemetry-otlp = { version = "0.29.0", features = ["tls-roots", "reqwest-rustls"] }
+opentelemetry_sdk = { version = "0.29.0", features = ["rt-tokio"] }
+tracing-subscriber = { version = "0.3.19", features = ["json"] }
+opentelemetry-semantic-conventions = "0.29.0"
+tracing-opentelemetry = "0.30.0"
+opentelemetry = "0.29.0"
+tracing = "0.1.41"
 
 # CONFIG
-clap = { version = "4.5.4", features = ["derive"] }
-dotenv = "0.15.0"
+clap = { version = "4.5.36", features = ["derive"] }
+dotenvy = "0.15.7"
 envy = "0.4.2"
 
-# CRYPTO
-uuid = { version = "1.8.0", features = ["v4", "fast-rng", "serde"] }
+# CRYPTO / AUTH
+uuid = { version = "1.16.0", features = ["v4", "fast-rng", "serde"] }
+jsonwebtoken = { version = "9.3.1", default-features = false }
+openidconnect = "4.0.0"
 urlencoding = "2.1.3"
-rand = "0.8.5"
-jwt = "0.16.0"
+nom_pem = "4.0.0"
+bcrypt = "0.17.0"
+base64 = "0.22.1"
+rustls = "0.23.26"
 hmac = "0.12.1"
 sha2 = "0.10.8"
-bcrypt = "0.15.1"
+rand = "0.9.0"
 hex = "0.4.3"
 
 # SYSTEM
-bollard = "0.16.1"
-sysinfo = "0.30.12"
+bollard = "0.18.1"
+sysinfo = "0.34.2"
 
 # CLOUD
-aws-config = "1.3.0"
-aws-sdk-ec2 = "1.40.0"
+aws-config = "1.6.1"
+aws-sdk-ec2 = "1.121.1"
+aws-credential-types = "1.2.2"
 
 # MISC
-derive_builder = "0.20.0"
-typeshare = "1.0.3"
-colored = "2.1.0"
-bson = "2.10.0"
+derive_builder = "0.20.2"
+typeshare = "1.0.4"
+octorust = "0.10.0"
+dashmap = "6.1.0"
+wildcard = "0.3.0"
+colored = "3.0.0"
+regex = "1.11.1"
+bson = "2.14.0"

bin/alerter/README.md

@@ -1,4 +0,0 @@
-# Alerter
-
-This crate sets up a basic axum server that listens for incoming alert POSTs.
-It can be used as a monitor alerting endpoint, and serves as a template for other custom alerter implementations.

bin/binaries.Dockerfile

@@ -0,0 +1,27 @@
+## Builds the Komodo Core and Periphery binaries
+## for a specific architecture.
+
+FROM rust:1.85.1-bullseye AS builder
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/core ./bin/core
+COPY ./bin/periphery ./bin/periphery
+
+# Compile bin
+RUN \
+  cargo build -p komodo_core --release && \
+  cargo build -p komodo_periphery --release
+
+# Copy just the binaries to scratch image
+FROM scratch
+
+COPY --from=builder /builder/target/release/core /core
+COPY --from=builder /builder/target/release/periphery /periphery
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Periphery"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
-name = "monitor_cli"
-description = "Command line tool to sync monitor resources and execute file defined procedures"
+name = "komodo_cli"
+description = "Command line tool to execute Komodo actions"
 version.workspace = true
 edition.workspace = true
 authors.workspace = true
@@ -9,28 +9,22 @@ homepage.workspace = true
 repository.workspace = true
 
 [[bin]]
-name = "monitor"
+name = "komodo"
 path = "src/main.rs"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
-[patch.crates-io]
-monitor_client.workspace = true
-
 [dependencies]
-# local client
-monitor_client = "1.3.0"
-# mogh
-partial_derive2.workspace = true
+# local
+# komodo_client = "1.16.12"
+komodo_client.workspace = true
 # external
 tracing-subscriber.workspace = true
-serde_json.workspace = true
+merge_config_files.workspace = true
 futures.workspace = true
 tracing.workspace = true
 colored.workspace = true
 anyhow.workspace = true
 tokio.workspace = true
 serde.workspace = true
-strum.workspace = true
-toml.workspace = true
 clap.workspace = true

bin/cli/README.md

@@ -1,40 +1,118 @@
-# Monitor CLI
+# Komodo CLI
 
-Monitor CLI is a tool to sync monitor resources and execute file defined procedures.
+Komodo CLI is a tool to execute actions on your Komodo instance from shell scripts.
 
 ## Install
 
 ```sh
-cargo install monitor_cli
+cargo install komodo_cli
 ```
 
+Note: On Ubuntu, also requires `apt install build-essential pkg-config libssl-dev`.
+
 ## Usage
 
-Configure a file `~/.config/monitor/creds.toml` file with contents:
+### Credentials
+
+Configure a file `~/.config/komodo/creds.toml` file with contents:
 ```toml
-url = "https://your.monitor.address"
+url = "https://your.komodo.address"
 key = "YOUR-API-KEY"
 secret = "YOUR-API-SECRET"
 ```
 
 Note. You can specify a different creds file by using `--creds ./other/path.toml`.
-
-With your creds in place, you can run syncs:
+You can also bypass using any file and pass the information using `--url`, `--key`, `--secret`:
 
 ```sh
-## Sync resources in a single file
-monitor sync ./resources/deployments.toml
-
-## Sync resources gathered across multiple files in a directory
-monitor sync ./resources
-
-## Path defaults to './resources', in this case you can just use:
-monitor sync
+komodo --url "https://your.komodo.address" --key "YOUR-API-KEY" --secret "YOUR-API-SECRET" ...
 ```
 
-And executions:
+### Run Executions
 
 ```sh
-## Execute a TOML defined procedure
-monitor exec ./execution/execution.toml
-```
+# Triggers an example build
+komodo execute run-build test_build
+```
+
+#### Manual
+`komodo --help`
+```md
+Command line tool to execute Komodo actions
+
+Usage: komodo [OPTIONS] <COMMAND>
+
+Commands:
+  execute  Runs an execution
+  help     Print this message or the help of the given subcommand(s)
+
+Options:
+      --creds <CREDS>    The path to a creds file [default: /Users/max/.config/komodo/creds.toml]
+      --url <URL>        Pass url in args instead of creds file
+      --key <KEY>        Pass api key in args instead of creds file
+      --secret <SECRET>  Pass api secret in args instead of creds file
+  -y, --yes              Always continue on user confirmation prompts
+  -h, --help             Print help (see more with '--help')
+  -V, --version          Print version
+```
+
+`komodo execute --help`
+```md
+Runs an execution
+
+Usage: komodo execute <COMMAND>
+
+Commands:
+  none                    The "null" execution. Does nothing
+  run-procedure           Runs the target procedure. Response: [Update]
+  run-build               Runs the target build. Response: [Update]
+  cancel-build            Cancels the target build. Only does anything if the build is `building` when called. Response: [Update]
+  deploy                  Deploys the container for the target deployment. Response: [Update]
+  start-deployment        Starts the container for the target deployment. Response: [Update]
+  restart-deployment      Restarts the container for the target deployment. Response: [Update]
+  pause-deployment        Pauses the container for the target deployment. Response: [Update]
+  unpause-deployment      Unpauses the container for the target deployment. Response: [Update]
+  stop-deployment         Stops the container for the target deployment. Response: [Update]
+  destroy-deployment      Stops and destroys the container for the target deployment. Reponse: [Update]
+  clone-repo              Clones the target repo. Response: [Update]
+  pull-repo               Pulls the target repo. Response: [Update]
+  build-repo              Builds the target repo, using the attached builder. Response: [Update]
+  cancel-repo-build       Cancels the target repo build. Only does anything if the repo build is `building` when called. Response: [Update]
+  start-container         Starts the container on the target server. Response: [Update]
+  restart-container       Restarts the container on the target server. Response: [Update]
+  pause-container         Pauses the container on the target server. Response: [Update]
+  unpause-container       Unpauses the container on the target server. Response: [Update]
+  stop-container          Stops the container on the target server. Response: [Update]
+  destroy-container       Stops and destroys the container on the target server. Reponse: [Update]
+  start-all-containers    Starts all containers on the target server. Response: [Update]
+  restart-all-containers  Restarts all containers on the target server. Response: [Update]
+  pause-all-containers    Pauses all containers on the target server. Response: [Update]
+  unpause-all-containers  Unpauses all containers on the target server. Response: [Update]
+  stop-all-containers     Stops all containers on the target server. Response: [Update]
+  prune-containers        Prunes the docker containers on the target server. Response: [Update]
+  delete-network          Delete a docker network. Response: [Update]
+  prune-networks          Prunes the docker networks on the target server. Response: [Update]
+  delete-image            Delete a docker image. Response: [Update]
+  prune-images            Prunes the docker images on the target server. Response: [Update]
+  delete-volume           Delete a docker volume. Response: [Update]
+  prune-volumes           Prunes the docker volumes on the target server. Response: [Update]
+  prune-system            Prunes the docker system on the target server, including volumes. Response: [Update]
+  run-sync                Runs the target resource sync. Response: [Update]
+  deploy-stack            Deploys the target stack. `docker compose up`. Response: [Update]
+  start-stack             Starts the target stack. `docker compose start`. Response: [Update]
+  restart-stack           Restarts the target stack. `docker compose restart`. Response: [Update]
+  pause-stack             Pauses the target stack. `docker compose pause`. Response: [Update]
+  unpause-stack           Unpauses the target stack. `docker compose unpause`. Response: [Update]
+  stop-stack              Starts the target stack. `docker compose stop`. Response: [Update]
+  destroy-stack           Destoys the target stack. `docker compose down`. Response: [Update]
+  sleep                   
+  help                    Print this message or the help of the given subcommand(s)
+
+Options:
+  -h, --help  Print help
+```
+
+### --yes
+
+You can use `--yes` to avoid any human prompt to continue, for use in automated environments.
+

bin/cli/resources/builds.toml

@@ -1,83 +0,0 @@
-[[build]]
-name = "monitor_core"
-description = "Public monitor core build"
-tags = ["monitor"]
-
-[build.config]
-builder_id = "mogh-builder"
-repo = "mbecker20/monitor"
-branch = "main"
-docker_account = "mbecker2020"
-build_path = "."
-dockerfile_path = "bin/core/Dockerfile"
-
-[[build]]
-name = "monitor_core_dev"
-description = ""
-tags = ["monitor", "dev"]
-
-[build.config]
-builder_id = "mogh-builder"
-repo = "mbecker20/monitor"
-branch = "main"
-docker_account = "mbecker2020"
-build_path = "."
-dockerfile_path = "bin/core/Dockerfile"
-
-[[build]]
-name = "monitor_frontend"
-description = "standalone hosted frontend for monitor.mogh.tech"
-tags = ["monitor", "frontend"]
-
-[build.config]
-builder_id = "mogh-builder"
-repo = "mbecker20/monitor"
-branch = "main"
-docker_account = "mbecker2020"
-build_path = "."
-dockerfile_path = "frontend/Dockerfile"
-
-[[build.config.build_args]]
-variable = "VITE_MONITOR_HOST"
-value = "https://monitor.api.mogh.tech"
-
-[[build]]
-name = "monitor_frontend_dev"
-description = "standalone hosted frontend for monitor-dev.mogh.tech"
-tags = ["monitor", "frontend"]
-
-[build.config]
-builder_id = "mogh-builder"
-repo = "mbecker20/monitor"
-branch = "main"
-docker_account = "mbecker2020"
-build_path = "."
-dockerfile_path = "frontend/Dockerfile"
-
-[[build.config.build_args]]
-variable = "VITE_MONITOR_HOST"
-value = "https://monitor-dev.api.mogh.tech"
-
-## BUILDER
-
-[[builder]]
-name = "mogh-builder"
-description = ""
-tags = []
-
-[builder.config]
-type = "Aws"
-
-[builder.config.params]
-region = "us-east-2"
-instance_type = "c5.2xlarge"
-volume_gb = 20
-port = 8120
-ami_id = "ami-0005a05fa63a080ab"
-subnet_id = "subnet-02ae5ad480eacc4bc"
-security_group_ids = ["sg-049d98c819f9ace58", "sg-006c0ca638af8eb44"]
-key_pair_name = "mogh-key"
-assign_public_ip = true
-use_public_ip = false
-github_accounts = []
-docker_accounts = []

bin/cli/resources/deployments.toml

@@ -1,213 +0,0 @@
-## MONITOR PROXY
-[[deployment]]
-name = "monitor-proxy"
-description = "An NGINX proxy for mogh.tech"
-tags = ["monitor"]
-config.server_id = "monitor-01"
-config.network = "host"
-config.restart = "on-failure"
-config.image.type = "Image"
-config.image.params.image = "jc21/nginx-proxy-manager"
-
-[[deployment.config.volumes]]
-local = "/data/nginx/data"
-container = "/data"
-
-[[deployment.config.volumes]]
-local = "/data/nginx/letsencrypt"
-container = "/etc/letsencrypt"
-
-## MONITOR MONGO
-[[deployment]]
-name = "monitor-mongo"
-description = ""
-tags = ["monitor"]
-
-[deployment.config]
-server_id = "monitor-01"
-network = "host"
-restart = "no"
-
-[deployment.config.image]
-type = "Image"
-params.image = "mongo"
-
-## MONITOR CORE
-[[deployment]]
-name = "monitor-core"
-description = ""
-tags = ["monitor"]
-
-[deployment.config]
-server_id = "monitor-01"
-network = "host"
-restart = "no"
-
-[deployment.config.image]
-type = "Image"
-params.image = "mbecker2020/monitor_core"
-
-## GRAFANA
-[[deployment]]
-name = "grafana"
-description = ""
-tags = ["logging"]
-
-[deployment.config]
-server_id = "monitor-01"
-network = "host"
-restart = "unless-stopped"
-extra_args = ["--user root"]
-
-[deployment.config.image]
-type = "Image"
-params.image = "grafana/grafana"
-
-[[deployment.config.volumes]]
-local = "/data/grafana"
-container = "/var/lib/grafana"
-
-[[deployment.config.environment]]
-variable = "GF_SERVER_HTTP_PORT"
-value = "3080"
-
-[[deployment.config.labels]]
-variable = "vector"
-value = "key-value"
-
-## LOKI
-[[deployment]]
-name = "loki"
-description = ""
-tags = ["logging"]
-
-[deployment.config]
-server_id = "monitor-01"
-network = "host"
-restart = "unless-stopped"
-extra_args = ["--user root"]
-
-[deployment.config.image]
-type = "Image"
-params.image = "grafana/loki"
-
-[[deployment.config.volumes]]
-local = "/data/loki"
-container = "/loki"
-
-[[deployment]]
-name = "tempo"
-description = ""
-tags = ["logging"]
-
-[deployment.config]
-server_id = "monitor-01"
-network = "host"
-restart = "unless-stopped"
-command = "-server.http-listen-port=3200 -server.grpc-listen-port=9096 --storage.trace.backend=local --storage.trace.local.path=/tmp/tempo/traces --storage.trace.wal.path=/tmp/tempo/wal"
-extra_args = ["--user root"]
-
-[deployment.config.image]
-type = "Image"
-params.image = "grafana/tempo"
-
-[[deployment.config.volumes]]
-local = "/data/tempo"
-container = "/tmp/tempo"
-
-[[deployment.config.labels]]
-variable = "vector"
-value = "key-value"
-
-## VECTOR
-[[deployment]]
-name = "vector"
-description = ""
-tags = ["logging"]
-
-[deployment.config]
-server_id = "monitor-01"
-network = "host"
-restart = "unless-stopped"
-command = "--config /etc/vector/*.toml"
-extra_args = ["--user root"]
-
-[deployment.config.image]
-type = "Image"
-params.image = "timberio/vector:latest-debian"
-
-[[deployment.config.volumes]]
-local = "/home/ubuntu/.config/vector"
-container = "/etc/vector"
-
-[[deployment.config.volumes]]
-local = "/data/vector"
-container = "/var/lib/vector"
-
-[[deployment.config.volumes]]
-local = "/var/run/docker.sock"
-container = "/var/run/docker.sock"
-
-[[deployment.config.labels]]
-variable = "vector"
-value = "key-value"
-
-## MONITOR CORE DEV
-[[deployment]]
-name = "monitor-core-dev"
-description = ""
-tags = ["monitor", "dev"]
-
-[deployment.config]
-server_id = "monitor-01"
-redeploy_on_build = true
-network = "host"
-restart = "no"
-
-[deployment.config.image]
-type = "Build"
-params.build_id = "monitor_core"
-
-[[deployment.config.volumes]]
-local = "/home/ubuntu/.config/monitor/dev.core.config.toml"
-container = "/config/config.toml"
-
-[[deployment.config.volumes]]
-local = "/data/repos/monitor-dev-frontend/frontend/dist"
-container = "/frontend"
-
-[[deployment.config.labels]]
-variable = "vector"
-value = "rust"
-
-## MONITOR FRONTEND
-[[deployment]]
-name = "monitor-frontend"
-description = ""
-tags = ["monitor", "frontend"]
-
-[deployment.config]
-server_id = "monitor-01"
-redeploy_on_build = true
-network = "host"
-restart = "unless-stopped"
-image.type = "Build"
-image.params.build = "monitor_frontend"
-
-## MONITOR DEV FRONTEND
-[[deployment]]
-name = "monitor-dev-frontend"
-description = ""
-tags = ["monitor", "dev", "frontend"]
-
-[deployment.config]
-server_id = "monitor-01"
-redeploy_on_build = true
-network = "host"
-restart = "unless-stopped"
-image.type = "Build"
-image.params.build = "monitor_frontend_dev"
-
-[[deployment.config.environment]]
-variable = "PORT"
-value = "4175"

bin/cli/resources/procedures.toml

@@ -1,8 +0,0 @@
-[[procedure]]
-name = "test-procedure"
-description = ""
-tags = []
-
-[procedure.config]
-procedure_type = "Sequence"
-executions = []

bin/cli/resources/repos.toml

@@ -1,37 +0,0 @@
-# [[repo]]
-# name = "monitor-dev-frontend"
-# description = "Used as frontend for monitor-core-dev"
-# tags = ["monitor", "dev"]
-
-# [repo.config]
-# server_id = "monitor-01"
-# repo = "mbecker20/monitor"
-# branch = "main"
-# github_account = ""
-
-# [repo.config.on_clone]
-# path = ""
-# command = ""
-
-# [repo.config.on_pull]
-# path = "frontend"
-# command = "sh on_pull.sh"
-
-[[repo]]
-name = "monitor-periphery"
-description = ""
-tags = ["monitor"]
-
-[repo.config]
-server_id = "monitor-01"
-repo = "mbecker20/monitor"
-branch = "main"
-github_account = ""
-
-[repo.config.on_clone]
-path = ""
-command = ""
-
-[repo.config.on_pull]
-path = "."
-command = "/root/.cargo/bin/cargo build -p monitor_periphery --release && cp ./target/release/periphery /home/ubuntu/periphery"

bin/cli/resources/servers.toml

@@ -1,51 +0,0 @@
-[[server]]
-name = "monitor-01"
-description = ""
-tags = ["monitor"]
-
-[server.config]
-address = "http://localhost:8120"
-enabled = true
-stats_monitoring = true
-auto_prune = true
-send_unreachable_alerts = true
-send_cpu_alerts = true
-send_mem_alerts = true
-send_disk_alerts = true
-region = "us-east-2"
-
-## TEMPLATE
-
-[[server_template]]
-name = "mogh-template"
-description = ""
-tags = []
-
-[server_template.config]
-type = "Aws"
-
-[server_template.config.params]
-region = "us-east-2"
-instance_type = "t3.medium"
-ami_id = "ami-0005a05fa63a080ab"
-subnet_id = "subnet-02ae5ad480eacc4bc"
-key_pair_name = "mogh-key"
-assign_public_ip = true
-use_public_ip = false
-port = 8120
-user_data = ""
-security_group_ids = ["sg-049d98c819f9ace58", "sg-006c0ca638af8eb44"]
-
-[[server_template.config.params.volumes]]
-device_name = "/dev/sda1"
-size_gb = 20
-volume_type = "gp2"
-iops = 0
-throughput = 0
-
-[[server_template.config.params.volumes]]
-device_name = "/dev/sdb"
-size_gb = 10
-volume_type = "gp3"
-iops = 0
-throughput = 0

bin/cli/src/args.rs

@@ -0,0 +1,55 @@
+use clap::{Parser, Subcommand};
+use komodo_client::api::execute::Execution;
+use serde::Deserialize;
+
+#[derive(Parser, Debug)]
+#[command(version, about, long_about = None)]
+pub struct CliArgs {
+  /// Sync or Exec
+  #[command(subcommand)]
+  pub command: Command,
+
+  /// The path to a creds file.
+  ///
+  /// Note: If each of `url`, `key` and `secret` are passed,
+  /// no file is required at this path.
+  #[arg(long, default_value_t = default_creds())]
+  pub creds: String,
+
+  /// Pass url in args instead of creds file
+  #[arg(long)]
+  pub url: Option<String>,
+  /// Pass api key in args instead of creds file
+  #[arg(long)]
+  pub key: Option<String>,
+  /// Pass api secret in args instead of creds file
+  #[arg(long)]
+  pub secret: Option<String>,
+
+  /// Always continue on user confirmation prompts.
+  #[arg(long, short, default_value_t = false)]
+  pub yes: bool,
+}
+
+fn default_creds() -> String {
+  let home =
+    std::env::var("HOME").unwrap_or_else(|_| String::from("/root"));
+  format!("{home}/.config/komodo/creds.toml")
+}
+
+#[derive(Debug, Clone, Subcommand)]
+pub enum Command {
+  /// Runs an execution
+  Execute {
+    #[command(subcommand)]
+    execution: Execution,
+  },
+  // Room for more
+}
+
+#[derive(Debug, Deserialize)]
+pub struct CredsFile {
+  pub url: String,
+  pub key: String,
+  pub secret: String,
+}

bin/cli/src/exec.rs

@@ -0,0 +1,485 @@
+use std::time::Duration;
+
+use colored::Colorize;
+use komodo_client::{
+  api::execute::{BatchExecutionResponse, Execution},
+  entities::update::Update,
+};
+
+use crate::{
+  helpers::wait_for_enter,
+  state::{cli_args, komodo_client},
+};
+
+pub enum ExecutionResult {
+  Single(Update),
+  Batch(BatchExecutionResponse),
+}
+
+pub async fn run(execution: Execution) -> anyhow::Result<()> {
+  if matches!(execution, Execution::None(_)) {
+    println!("Got 'none' execution. Doing nothing...");
+    tokio::time::sleep(Duration::from_secs(3)).await;
+    println!("Finished doing nothing. Exiting...");
+    std::process::exit(0);
+  }
+
+  println!("\n{}: Execution", "Mode".dimmed());
+  match &execution {
+    Execution::None(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CancelBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Deploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchCloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchPullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchBuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CancelRepoBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteNetwork(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneNetworks(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteImage(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneImages(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteVolume(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneVolumes(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneDockerBuilders(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneBuildx(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneSystem(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CommitSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::TestAlerter(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Sleep(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+  }
+
+  if !cli_args().yes {
+    wait_for_enter("run execution")?;
+  }
+
+  info!("Running Execution...");
+
+  let res = match execution {
+    Execution::RunAction(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchRunAction(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::RunProcedure(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchRunProcedure(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::RunBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchRunBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::CancelBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::Deploy(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDeploy(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::PullDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StartDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RestartDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PauseDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::UnpauseDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StopDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DestroyDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDestroyDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::CloneRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchCloneRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::PullRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchPullRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::BuildRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchBuildRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::CancelRepoBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StartContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RestartContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PauseContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::UnpauseContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StopContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DestroyContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StartAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RestartAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PauseAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::UnpauseAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StopAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DeleteNetwork(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneNetworks(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DeleteImage(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneImages(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DeleteVolume(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneVolumes(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneDockerBuilders(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneBuildx(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneSystem(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RunSync(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::CommitSync(request) => komodo_client()
+      .write(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DeployStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDeployStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::DeployStackIfChanged(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDeployStackIfChanged(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::PullStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StartStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RestartStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PauseStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::UnpauseStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StopStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DestroyStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDestroyStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::TestAlerter(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::Sleep(request) => {
+      let duration =
+        Duration::from_millis(request.duration_ms as u64);
+      tokio::time::sleep(duration).await;
+      println!("Finished sleeping!");
+      std::process::exit(0)
+    }
+    Execution::None(_) => unreachable!(),
+  };
+
+  match res {
+    Ok(ExecutionResult::Single(update)) => {
+      println!("\n{}: {update:#?}", "SUCCESS".green())
+    }
+    Ok(ExecutionResult::Batch(update)) => {
+      println!("\n{}: {update:#?}", "SUCCESS".green())
+    }
+    Err(e) => println!("{}\n\n{e:#?}", "ERROR".red()),
+  }
+
+  Ok(())
+}

bin/cli/src/execution.rs

@@ -1,189 +0,0 @@
-use std::path::Path;
-
-use anyhow::{anyhow, Context};
-use futures::future::join_all;
-use monitor_client::api::execute;
-use serde::Deserialize;
-use strum::Display;
-
-use crate::monitor_client;
-
-pub async fn run_execution(path: &Path) -> anyhow::Result<()> {
-  let ExecutionFile { name, stages } = crate::parse_toml_file(path)?;
-
-  info!("EXECUTION: {name}");
-  info!("path: {path:?}");
-  println!("{stages:#?}");
-
-  crate::wait_for_enter("EXECUTE")?;
-
-  run_stages(stages)
-    .await
-    .context("failed during a stage. terminating run.")?;
-
-  info!("finished successfully ✅");
-
-  Ok(())
-}
-
-/// Specifies sequence of stages (build / deploy) on resources
-#[derive(Debug, Clone, Deserialize)]
-pub struct ExecutionFile {
-  pub name: String,
-  #[serde(rename = "stage")]
-  pub stages: Vec<Stage>,
-}
-
-#[derive(Debug, Clone, Deserialize)]
-pub struct Stage {
-  pub name: String,
-  pub action: ExecutionType,
-  /// resource names
-  pub targets: Vec<String>,
-}
-
-#[derive(Debug, Clone, Copy, Deserialize, Display)]
-#[serde(rename_all = "snake_case")]
-#[strum(serialize_all = "snake_case")]
-pub enum ExecutionType {
-  Build,
-  Deploy,
-  StartContainer,
-  StopContainer,
-  DestroyContainer,
-}
-
-pub async fn run_stages(stages: Vec<Stage>) -> anyhow::Result<()> {
-  for Stage {
-    name,
-    action,
-    targets,
-  } in stages
-  {
-    info!("running {action} stage: {name}... ⏳");
-    match action {
-      ExecutionType::Build => {
-        trigger_builds_in_parallel(&targets).await?;
-      }
-      ExecutionType::Deploy => {
-        redeploy_deployments_in_parallel(&targets).await?;
-      }
-      ExecutionType::StartContainer => {
-        start_containers_in_parallel(&targets).await?
-      }
-      ExecutionType::StopContainer => {
-        stop_containers_in_parallel(&targets).await?
-      }
-      ExecutionType::DestroyContainer => {
-        destroy_containers_in_parallel(&targets).await?;
-      }
-    }
-    info!("finished {action} stage: {name} ✅");
-  }
-  Ok(())
-}
-
-async fn redeploy_deployments_in_parallel(
-  deployments: &[String],
-) -> anyhow::Result<()> {
-  let futes = deployments.iter().map(|deployment| async move {
-    monitor_client()
-      .execute(execute::Deploy { deployment: deployment.to_string(), stop_signal: None, stop_time: None })
-      .await
-      .with_context(|| format!("failed to deploy {deployment}"))
-      .and_then(|update| {
-        if update.success {
-          Ok(())
-        } else {
-          Err(anyhow!(
-            "failed to deploy {deployment}. operation unsuccessful, see monitor update"
-          ))
-        }
-      })
-  });
-  join_all(futes).await.into_iter().collect()
-}
-
-async fn start_containers_in_parallel(
-  deployments: &[String],
-) -> anyhow::Result<()> {
-  let futes = deployments.iter().map(|deployment| async move {
-    monitor_client()
-    .execute(execute::StartContainer { deployment: deployment.to_string() })
-      .await
-      .with_context(|| format!("failed to start container {deployment}"))
-      .and_then(|update| {
-        if update.success {
-          Ok(())
-        } else {
-          Err(anyhow!(
-            "failed to start container {deployment}. operation unsuccessful, see monitor update"
-          ))
-        }
-      })
-  });
-  join_all(futes).await.into_iter().collect()
-}
-
-async fn stop_containers_in_parallel(
-  deployments: &[String],
-) -> anyhow::Result<()> {
-  let futes = deployments.iter().map(|deployment| async move {
-    monitor_client()
-      .execute(execute::StopContainer { deployment: deployment.to_string(), signal: None, time: None })
-      .await
-      .with_context(|| format!("failed to stop container {deployment}"))
-      .and_then(|update| {
-        if update.success {
-          Ok(())
-        } else {
-          Err(anyhow!(
-            "failed to stop container {deployment}. operation unsuccessful, see monitor update"
-          ))
-        }
-      })
-  });
-  join_all(futes).await.into_iter().collect()
-}
-
-async fn destroy_containers_in_parallel(
-  deployments: &[String],
-) -> anyhow::Result<()> {
-  let futes = deployments.iter().map(|deployment| async move {
-    monitor_client()
-      .execute(execute::RemoveContainer { deployment: deployment.to_string(), signal: None, time: None })
-      .await
-      .with_context(|| format!("failed to destroy container {deployment}"))
-      .and_then(|update| {
-        if update.success {
-          Ok(())
-        } else {
-          Err(anyhow!(
-            "failed to destroy container {deployment}. operation unsuccessful, see monitor update"
-          ))
-        }
-      })
-  });
-  join_all(futes).await.into_iter().collect()
-}
-
-async fn trigger_builds_in_parallel(
-  builds: &[String],
-) -> anyhow::Result<()> {
-  let futes = builds.iter().map(|build| async move {
-    monitor_client()
-      .execute(execute::RunBuild { build: build.to_string() })
-      .await
-      .with_context(|| format!("failed to build {build}"))
-      .and_then(|update| {
-        if update.success {
-          Ok(())
-        } else {
-          Err(anyhow!(
-            "failed to build {build}. operation unsuccessful, see monitor update"
-          ))
-        }
-      })
-  });
-  join_all(futes).await.into_iter().collect()
-}

bin/cli/src/helpers.rs

@@ -0,0 +1,17 @@
+use std::io::Read;
+
+use anyhow::Context;
+use colored::Colorize;
+
+pub fn wait_for_enter(press_enter_to: &str) -> anyhow::Result<()> {
+  println!(
+    "\nPress {} to {}\n",
+    "ENTER".green(),
+    press_enter_to.bold()
+  );
+  let buffer = &mut [0u8];
+  std::io::stdin()
+    .read_exact(buffer)
+    .context("failed to read ENTER")?;
+  Ok(())
+}

bin/cli/src/main.rs

@@ -1,113 +1,32 @@
 #[macro_use]
 extern crate tracing;
 
-use std::{io::Read, path::PathBuf, str::FromStr, sync::OnceLock};
-
-use anyhow::Context;
-use clap::{Parser, Subcommand};
 use colored::Colorize;
-use monitor_client::{api::read, MonitorClient};
-use serde::{de::DeserializeOwned, Deserialize};
+use komodo_client::api::read::GetVersion;
 
-mod execution;
-mod maps;
-mod sync;
-
-fn cli_args() -> &'static CliArgs {
-  static CLI_ARGS: OnceLock<CliArgs> = OnceLock::new();
-  CLI_ARGS.get_or_init(CliArgs::parse)
-}
-
-#[derive(Parser, Debug)]
-#[command(version, about, long_about = None)]
-struct CliArgs {
-  /// Sync or Exec
-  #[command(subcommand)]
-  command: Command,
-  /// The path to a creds file.
-  #[arg(long, default_value_t = default_creds())]
-  creds: String,
-  /// Log less (just resource names).
-  #[arg(long, default_value_t = false)]
-  quiet: bool,
-}
-
-fn default_creds() -> String {
-  let home = std::env::var("HOME")
-    .expect("no HOME env var. cannot get default config path.");
-  format!("{home}/.config/monitor/creds.toml")
-}
-
-#[derive(Debug, Clone, Subcommand)]
-enum Command {
-  /// Runs syncs on resource files
-  Sync {
-    /// The path of the resource folder / file
-    /// Folder paths will recursively incorporate all the resources it finds under the folder
-    #[arg(default_value_t = String::from("./resources"))]
-    path: String,
-  },
-
-  /// Runs execution files
-  Exec {
-    /// The path of the exec file
-    path: PathBuf,
-  },
-}
-
-#[derive(Debug, Deserialize)]
-struct CredsFile {
-  url: String,
-  key: String,
-  secret: String,
-}
-
-fn monitor_client() -> &'static MonitorClient {
-  static MONITOR_CLIENT: OnceLock<MonitorClient> = OnceLock::new();
-  MONITOR_CLIENT.get_or_init(|| {
-    let CredsFile { url, key, secret } =
-      parse_toml_file(&cli_args().creds)
-        .expect("failed to parse monitor credentials");
-    futures::executor::block_on(MonitorClient::new(url, key, secret))
-      .expect("failed to initialize monitor client")
-  })
-}
+mod args;
+mod exec;
+mod helpers;
+mod state;
 
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
   tracing_subscriber::fmt().with_target(false).init();
 
-  let version =
-    monitor_client().read(read::GetVersion {}).await?.version;
-  info!("monitor version: {}", version.to_string().blue().bold());
+  info!(
+    "Komodo CLI version: {}",
+    env!("CARGO_PKG_VERSION").blue().bold()
+  );
 
-  match &cli_args().command {
-    Command::Exec { path } => execution::run_execution(path).await?,
-    Command::Sync { path } => {
-      sync::run_sync(&PathBuf::from_str(path)?).await?
+  let version =
+    state::komodo_client().read(GetVersion {}).await?.version;
+  info!("Komodo Core version: {}", version.blue().bold());
+
+  match &state::cli_args().command {
+    args::Command::Execute { execution } => {
+      exec::run(execution.to_owned()).await?
     }
   }
 
   Ok(())
 }
-
-fn parse_toml_file<T: DeserializeOwned>(
-  path: impl AsRef<std::path::Path>,
-) -> anyhow::Result<T> {
-  let contents = std::fs::read_to_string(path)
-    .context("failed to read file contents")?;
-  toml::from_str(&contents).context("failed to parse toml contents")
-}
-
-fn wait_for_enter(press_enter_to: &str) -> anyhow::Result<()> {
-  println!(
-    "\nPress {} to {}\n",
-    "ENTER".green(),
-    press_enter_to.bold()
-  );
-  let buffer = &mut [0u8];
-  std::io::stdin()
-    .read_exact(buffer)
-    .context("failed to read ENTER")?;
-  Ok(())
-}

bin/cli/src/maps.rs

@@ -1,293 +0,0 @@
-use std::{collections::HashMap, sync::OnceLock};
-
-use monitor_client::{
-  api::read,
-  entities::{
-    alerter::AlerterListItem, build::BuildListItem,
-    builder::BuilderListItem, deployment::DeploymentListItem,
-    procedure::ProcedureListItem, repo::RepoListItem,
-    server::ServerListItem, server_template::ServerTemplateListItem,
-    tag::Tag, user::User, user_group::UserGroup,
-  },
-};
-
-use crate::monitor_client;
-
-pub fn name_to_build() -> &'static HashMap<String, BuildListItem> {
-  static NAME_TO_BUILD: OnceLock<HashMap<String, BuildListItem>> =
-    OnceLock::new();
-  NAME_TO_BUILD.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListBuilds::default()),
-    )
-    .expect("failed to get builds from monitor")
-    .into_iter()
-    .map(|build| (build.name.clone(), build))
-    .collect()
-  })
-}
-
-pub fn id_to_build() -> &'static HashMap<String, BuildListItem> {
-  static ID_TO_BUILD: OnceLock<HashMap<String, BuildListItem>> =
-    OnceLock::new();
-  ID_TO_BUILD.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListBuilds::default()),
-    )
-    .expect("failed to get builds from monitor")
-    .into_iter()
-    .map(|build| (build.id.clone(), build))
-    .collect()
-  })
-}
-
-pub fn name_to_deployment(
-) -> &'static HashMap<String, DeploymentListItem> {
-  static NAME_TO_DEPLOYMENT: OnceLock<
-    HashMap<String, DeploymentListItem>,
-  > = OnceLock::new();
-  NAME_TO_DEPLOYMENT.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListDeployments::default()),
-    )
-    .expect("failed to get deployments from monitor")
-    .into_iter()
-    .map(|deployment| (deployment.name.clone(), deployment))
-    .collect()
-  })
-}
-
-pub fn id_to_deployment(
-) -> &'static HashMap<String, DeploymentListItem> {
-  static ID_TO_DEPLOYMENT: OnceLock<
-    HashMap<String, DeploymentListItem>,
-  > = OnceLock::new();
-  ID_TO_DEPLOYMENT.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListDeployments::default()),
-    )
-    .expect("failed to get deployments from monitor")
-    .into_iter()
-    .map(|deployment| (deployment.id.clone(), deployment))
-    .collect()
-  })
-}
-
-pub fn name_to_server() -> &'static HashMap<String, ServerListItem> {
-  static NAME_TO_SERVER: OnceLock<HashMap<String, ServerListItem>> =
-    OnceLock::new();
-  NAME_TO_SERVER.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListServers::default()),
-    )
-    .expect("failed to get servers from monitor")
-    .into_iter()
-    .map(|server| (server.name.clone(), server))
-    .collect()
-  })
-}
-
-pub fn id_to_server() -> &'static HashMap<String, ServerListItem> {
-  static ID_TO_SERVER: OnceLock<HashMap<String, ServerListItem>> =
-    OnceLock::new();
-  ID_TO_SERVER.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListServers::default()),
-    )
-    .expect("failed to get servers from monitor")
-    .into_iter()
-    .map(|server| (server.id.clone(), server))
-    .collect()
-  })
-}
-
-pub fn name_to_builder() -> &'static HashMap<String, BuilderListItem>
-{
-  static NAME_TO_BUILDER: OnceLock<HashMap<String, BuilderListItem>> =
-    OnceLock::new();
-  NAME_TO_BUILDER.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListBuilders::default()),
-    )
-    .expect("failed to get builders from monitor")
-    .into_iter()
-    .map(|builder| (builder.name.clone(), builder))
-    .collect()
-  })
-}
-
-pub fn id_to_builder() -> &'static HashMap<String, BuilderListItem> {
-  static ID_TO_BUILDER: OnceLock<HashMap<String, BuilderListItem>> =
-    OnceLock::new();
-  ID_TO_BUILDER.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListBuilders::default()),
-    )
-    .expect("failed to get builders from monitor")
-    .into_iter()
-    .map(|builder| (builder.id.clone(), builder))
-    .collect()
-  })
-}
-
-pub fn name_to_alerter() -> &'static HashMap<String, AlerterListItem>
-{
-  static NAME_TO_ALERTER: OnceLock<HashMap<String, AlerterListItem>> =
-    OnceLock::new();
-  NAME_TO_ALERTER.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListAlerters::default()),
-    )
-    .expect("failed to get alerters from monitor")
-    .into_iter()
-    .map(|alerter| (alerter.name.clone(), alerter))
-    .collect()
-  })
-}
-
-pub fn id_to_alerter() -> &'static HashMap<String, AlerterListItem> {
-  static ID_TO_ALERTER: OnceLock<HashMap<String, AlerterListItem>> =
-    OnceLock::new();
-  ID_TO_ALERTER.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListAlerters::default()),
-    )
-    .expect("failed to get alerters from monitor")
-    .into_iter()
-    .map(|alerter| (alerter.id.clone(), alerter))
-    .collect()
-  })
-}
-
-pub fn name_to_repo() -> &'static HashMap<String, RepoListItem> {
-  static NAME_TO_ALERTER: OnceLock<HashMap<String, RepoListItem>> =
-    OnceLock::new();
-  NAME_TO_ALERTER.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListRepos::default()),
-    )
-    .expect("failed to get repos from monitor")
-    .into_iter()
-    .map(|repo| (repo.name.clone(), repo))
-    .collect()
-  })
-}
-
-pub fn id_to_repo() -> &'static HashMap<String, RepoListItem> {
-  static ID_TO_ALERTER: OnceLock<HashMap<String, RepoListItem>> =
-    OnceLock::new();
-  ID_TO_ALERTER.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListRepos::default()),
-    )
-    .expect("failed to get repos from monitor")
-    .into_iter()
-    .map(|repo| (repo.id.clone(), repo))
-    .collect()
-  })
-}
-
-pub fn name_to_procedure(
-) -> &'static HashMap<String, ProcedureListItem> {
-  static NAME_TO_PROCEDURE: OnceLock<
-    HashMap<String, ProcedureListItem>,
-  > = OnceLock::new();
-  NAME_TO_PROCEDURE.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListProcedures::default()),
-    )
-    .expect("failed to get procedures from monitor")
-    .into_iter()
-    .map(|procedure| (procedure.name.clone(), procedure))
-    .collect()
-  })
-}
-
-pub fn id_to_procedure() -> &'static HashMap<String, ProcedureListItem>
-{
-  static ID_TO_PROCEDURE: OnceLock<
-    HashMap<String, ProcedureListItem>,
-  > = OnceLock::new();
-  ID_TO_PROCEDURE.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListProcedures::default()),
-    )
-    .expect("failed to get procedures from monitor")
-    .into_iter()
-    .map(|procedure| (procedure.id.clone(), procedure))
-    .collect()
-  })
-}
-
-pub fn name_to_server_template(
-) -> &'static HashMap<String, ServerTemplateListItem> {
-  static NAME_TO_SERVER_TEMPLATE: OnceLock<
-    HashMap<String, ServerTemplateListItem>,
-  > = OnceLock::new();
-  NAME_TO_SERVER_TEMPLATE.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListServerTemplates::default()),
-    )
-    .expect("failed to get server templates from monitor")
-    .into_iter()
-    .map(|procedure| (procedure.name.clone(), procedure))
-    .collect()
-  })
-}
-
-pub fn id_to_server_template(
-) -> &'static HashMap<String, ServerTemplateListItem> {
-  static ID_TO_SERVER_TEMPLATE: OnceLock<
-    HashMap<String, ServerTemplateListItem>,
-  > = OnceLock::new();
-  ID_TO_SERVER_TEMPLATE.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListServerTemplates::default()),
-    )
-    .expect("failed to get server templates from monitor")
-    .into_iter()
-    .map(|procedure| (procedure.id.clone(), procedure))
-    .collect()
-  })
-}
-
-pub fn name_to_user_group() -> &'static HashMap<String, UserGroup> {
-  static NAME_TO_USER_GROUP: OnceLock<HashMap<String, UserGroup>> =
-    OnceLock::new();
-  NAME_TO_USER_GROUP.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListUserGroups::default()),
-    )
-    .expect("failed to get user groups from monitor")
-    .into_iter()
-    .map(|user_group| (user_group.name.clone(), user_group))
-    .collect()
-  })
-}
-
-pub fn id_to_user() -> &'static HashMap<String, User> {
-  static ID_TO_USER: OnceLock<HashMap<String, User>> =
-    OnceLock::new();
-  ID_TO_USER.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListUsers::default()),
-    )
-    .expect("failed to get users from monitor")
-    .into_iter()
-    .map(|user| (user.id.clone(), user))
-    .collect()
-  })
-}
-
-pub fn id_to_tag() -> &'static HashMap<String, Tag> {
-  static ID_TO_TAG: OnceLock<HashMap<String, Tag>> = OnceLock::new();
-  ID_TO_TAG.get_or_init(|| {
-    futures::executor::block_on(
-      monitor_client().read(read::ListTags::default()),
-    )
-    .expect("failed to get tags from monitor")
-    .into_iter()
-    .map(|tag| (tag.id.clone(), tag))
-    .collect()
-  })
-}

bin/cli/src/state.rs

@@ -0,0 +1,48 @@
+use std::sync::OnceLock;
+
+use clap::Parser;
+use komodo_client::KomodoClient;
+use merge_config_files::parse_config_file;
+
+pub fn cli_args() -> &'static crate::args::CliArgs {
+  static CLI_ARGS: OnceLock<crate::args::CliArgs> = OnceLock::new();
+  CLI_ARGS.get_or_init(crate::args::CliArgs::parse)
+}
+
+pub fn komodo_client() -> &'static KomodoClient {
+  static KOMODO_CLIENT: OnceLock<KomodoClient> = OnceLock::new();
+  KOMODO_CLIENT.get_or_init(|| {
+    let args = cli_args();
+    let crate::args::CredsFile { url, key, secret } =
+      match (&args.url, &args.key, &args.secret) {
+        (Some(url), Some(key), Some(secret)) => {
+          crate::args::CredsFile {
+            url: url.clone(),
+            key: key.clone(),
+            secret: secret.clone(),
+          }
+        }
+        (url, key, secret) => {
+          let mut creds: crate::args::CredsFile =
+            parse_config_file(cli_args().creds.as_str())
+              .expect("failed to parse Komodo credentials");
+
+          if let Some(url) = url {
+            creds.url.clone_from(url);
+          }
+          if let Some(key) = key {
+            creds.key.clone_from(key);
+          }
+          if let Some(secret) = secret {
+            creds.secret.clone_from(secret);
+          }
+
+          creds
+        }
+      };
+    futures::executor::block_on(
+      KomodoClient::new(url, key, secret).with_healthcheck(),
+    )
+    .expect("failed to initialize Komodo client")
+  })
+}

bin/cli/src/sync/file.rs

@@ -1,63 +0,0 @@
-use std::{fs, path::Path};
-
-use anyhow::{anyhow, Context};
-use colored::Colorize;
-use monitor_client::entities::toml::ResourcesToml;
-
-pub fn read_resources(path: &Path) -> anyhow::Result<ResourcesToml> {
-  let mut res = ResourcesToml::default();
-  read_resources_recursive(path, &mut res)?;
-  Ok(res)
-}
-
-fn read_resources_recursive(
-  path: &Path,
-  resources: &mut ResourcesToml,
-) -> anyhow::Result<()> {
-  let res =
-    fs::metadata(path).context("failed to get path metadata")?;
-  if res.is_file() {
-    if !path
-      .extension()
-      .map(|ext| ext == "toml")
-      .unwrap_or_default()
-    {
-      return Ok(());
-    }
-    let more = match crate::parse_toml_file::<ResourcesToml>(path) {
-      Ok(res) => res,
-      Err(e) => {
-        warn!("failed to parse {:?}. skipping file | {e:#}", path);
-        return Ok(());
-      }
-    };
-    info!(
-      "{} from {}",
-      "adding resources".green().bold(),
-      path.display().to_string().blue().bold()
-    );
-    resources.server_templates.extend(more.server_templates);
-    resources.servers.extend(more.servers);
-    resources.builds.extend(more.builds);
-    resources.deployments.extend(more.deployments);
-    resources.builders.extend(more.builders);
-    resources.repos.extend(more.repos);
-    resources.alerters.extend(more.alerters);
-    resources.procedures.extend(more.procedures);
-    resources.user_groups.extend(more.user_groups);
-    Ok(())
-  } else if res.is_dir() {
-    let directory = fs::read_dir(path)
-      .context("failed to read directory contents")?;
-    for entry in directory.into_iter().flatten() {
-      if let Err(e) =
-        read_resources_recursive(&entry.path(), resources)
-      {
-        warn!("failed to read additional resources at path | {e:#}");
-      }
-    }
-    Ok(())
-  } else {
-    Err(anyhow!("resources path is neither file nor directory"))
-  }
-}

bin/cli/src/sync/mod.rs

@@ -1,96 +0,0 @@
-use std::path::Path;
-
-use colored::Colorize;
-use monitor_client::entities::{
-  alerter::Alerter, build::Build, builder::Builder,
-  deployment::Deployment, procedure::Procedure, repo::Repo,
-  server::Server, server_template::ServerTemplate,
-};
-
-use crate::{sync::resources::ResourceSync, wait_for_enter};
-
-mod file;
-mod resources;
-mod user_group;
-
-pub async fn run_sync(path: &Path) -> anyhow::Result<()> {
-  info!(
-    "resources path: {}",
-    path.display().to_string().blue().bold()
-  );
-
-  let resources = file::read_resources(path)?;
-
-  info!("computing sync actions...");
-
-  let (server_template_creates, server_template_updates) =
-    ServerTemplate::get_updates(resources.server_templates).await?;
-  let (server_creates, server_updates) =
-    Server::get_updates(resources.servers).await?;
-  let (deployment_creates, deployment_updates) =
-    Deployment::get_updates(resources.deployments).await?;
-  let (build_creates, build_updates) =
-    Build::get_updates(resources.builds).await?;
-  let (builder_creates, builder_updates) =
-    Builder::get_updates(resources.builders).await?;
-  let (alerter_creates, alerter_updates) =
-    Alerter::get_updates(resources.alerters).await?;
-  let (repo_creates, repo_updates) =
-    Repo::get_updates(resources.repos).await?;
-  let (procedure_creates, procedure_updates) =
-    Procedure::get_updates(resources.procedures).await?;
-  let (user_group_creates, user_group_updates) =
-    user_group::get_updates(resources.user_groups).await?;
-
-  if server_template_creates.is_empty()
-    && server_template_updates.is_empty()
-    && server_creates.is_empty()
-    && server_updates.is_empty()
-    && deployment_creates.is_empty()
-    && deployment_updates.is_empty()
-    && build_creates.is_empty()
-    && build_updates.is_empty()
-    && builder_creates.is_empty()
-    && builder_updates.is_empty()
-    && alerter_creates.is_empty()
-    && alerter_updates.is_empty()
-    && repo_creates.is_empty()
-    && repo_updates.is_empty()
-    && procedure_creates.is_empty()
-    && procedure_updates.is_empty()
-    && user_group_creates.is_empty()
-    && user_group_updates.is_empty()
-  {
-    info!("{}. exiting.", "nothing to do".green().bold());
-    return Ok(());
-  }
-
-  wait_for_enter("run sync")?;
-
-  // No deps
-  ServerTemplate::run_updates(
-    server_template_creates,
-    server_template_updates,
-  )
-  .await;
-  Server::run_updates(server_creates, server_updates).await;
-  Alerter::run_updates(alerter_creates, alerter_updates).await;
-
-  // Dependant on server
-  Builder::run_updates(builder_creates, builder_updates).await;
-  Repo::run_updates(repo_creates, repo_updates).await;
-
-  // Dependant on builder
-  Build::run_updates(build_creates, build_updates).await;
-
-  // Dependant on server / builder
-  Deployment::run_updates(deployment_creates, deployment_updates)
-    .await;
-
-  // Dependant on everything
-  Procedure::run_updates(procedure_creates, procedure_updates).await;
-  user_group::run_updates(user_group_creates, user_group_updates)
-    .await;
-
-  Ok(())
-}

bin/cli/src/sync/resources/alerter.rs

@@ -1,81 +0,0 @@
-use std::collections::HashMap;
-
-use monitor_client::{
-  api::{
-    read::GetAlerter,
-    write::{CreateAlerter, UpdateAlerter},
-  },
-  entities::{
-    alerter::{
-      Alerter, AlerterConfig, AlerterConfigDiff, AlerterInfo, AlerterListItemInfo, PartialAlerterConfig
-    },
-    resource::{Resource, ResourceListItem},
-    toml::ResourceToml,
-    update::ResourceTarget,
-  },
-};
-use partial_derive2::PartialDiff;
-
-use crate::{maps::name_to_alerter, monitor_client};
-
-use super::ResourceSync;
-
-impl ResourceSync for Alerter {
-  type Config = AlerterConfig;
-  type Info = AlerterInfo;
-  type PartialConfig = PartialAlerterConfig;
-  type ConfigDiff = AlerterConfigDiff;
-  type ListItemInfo = AlerterListItemInfo;
-
-  fn display() -> &'static str {
-    "alerter"
-  }
-
-  fn resource_target(id: String) -> ResourceTarget {
-    ResourceTarget::Alerter(id)
-  }
-
-  fn name_to_resource(
-  ) -> &'static HashMap<String, ResourceListItem<Self::ListItemInfo>>
-  {
-    name_to_alerter()
-  }
-
-  async fn create(
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<String> {
-    monitor_client()
-      .write(CreateAlerter {
-        name: resource.name,
-        config: resource.config,
-      })
-      .await
-      .map(|res| res.id)
-  }
-
-  async fn update(
-    id: String,
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<()> {
-    monitor_client()
-      .write(UpdateAlerter {
-        id,
-        config: resource.config,
-      })
-      .await?;
-    Ok(())
-  }
-
-  async fn get(
-    id: String,
-  ) -> anyhow::Result<Resource<Self::Config, Self::Info>> {
-    monitor_client().read(GetAlerter { alerter: id }).await
-  }
-
-  async fn get_diff(
-    original: Self::Config,
-    update: Self::PartialConfig,
-  ) -> anyhow::Result<Self::ConfigDiff> {
-    Ok(original.partial_diff(update))
-  }
-}

bin/cli/src/sync/resources/build.rs

@@ -1,91 +0,0 @@
-use std::collections::HashMap;
-
-use monitor_client::{
-  api::{
-    read::GetBuild,
-    write::{CreateBuild, UpdateBuild},
-  },
-  entities::{
-    build::{
-      Build, BuildConfig, BuildConfigDiff, BuildInfo,
-      BuildListItemInfo, PartialBuildConfig,
-    },
-    resource::{Resource, ResourceListItem},
-    toml::ResourceToml,
-    update::ResourceTarget,
-  },
-};
-use partial_derive2::PartialDiff;
-
-use crate::{
-  maps::{id_to_builder, name_to_build},
-  monitor_client,
-};
-
-use super::ResourceSync;
-
-impl ResourceSync for Build {
-  type Config = BuildConfig;
-  type Info = BuildInfo;
-  type PartialConfig = PartialBuildConfig;
-  type ConfigDiff = BuildConfigDiff;
-  type ListItemInfo = BuildListItemInfo;
-
-  fn display() -> &'static str {
-    "build"
-  }
-
-  fn resource_target(id: String) -> ResourceTarget {
-    ResourceTarget::Build(id)
-  }
-
-  fn name_to_resource(
-  ) -> &'static HashMap<String, ResourceListItem<Self::ListItemInfo>>
-  {
-    name_to_build()
-  }
-
-  async fn create(
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<String> {
-    monitor_client()
-      .write(CreateBuild {
-        name: resource.name,
-        config: resource.config,
-      })
-      .await
-      .map(|res| res.id)
-  }
-
-  async fn update(
-    id: String,
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<()> {
-    monitor_client()
-      .write(UpdateBuild {
-        id,
-        config: resource.config,
-      })
-      .await?;
-    Ok(())
-  }
-
-  async fn get(
-    id: String,
-  ) -> anyhow::Result<Resource<Self::Config, Self::Info>> {
-    monitor_client().read(GetBuild { build: id }).await
-  }
-
-  async fn get_diff(
-    mut original: Self::Config,
-    update: Self::PartialConfig,
-  ) -> anyhow::Result<Self::ConfigDiff> {
-    // need to replace the builder id with name
-    original.builder_id = id_to_builder()
-      .get(&original.builder_id)
-      .map(|b| b.name.clone())
-      .unwrap_or_default();
-
-    Ok(original.partial_diff(update))
-  }
-}

bin/cli/src/sync/resources/builder.rs

@@ -1,93 +0,0 @@
-use std::collections::HashMap;
-
-use monitor_client::{
-  api::{
-    read::GetBuilder,
-    write::{CreateBuilder, UpdateBuilder},
-  },
-  entities::{
-    builder::{
-      Builder, BuilderConfig, BuilderConfigDiff, BuilderListItemInfo,
-      PartialBuilderConfig,
-    },
-    resource::{Resource, ResourceListItem},
-    toml::ResourceToml,
-    update::ResourceTarget,
-  },
-};
-use partial_derive2::PartialDiff;
-
-use crate::{
-  maps::{id_to_server, name_to_builder},
-  monitor_client,
-};
-
-use super::ResourceSync;
-
-impl ResourceSync for Builder {
-  type Config = BuilderConfig;
-  type Info = ();
-  type PartialConfig = PartialBuilderConfig;
-  type ConfigDiff = BuilderConfigDiff;
-  type ListItemInfo = BuilderListItemInfo;
-
-  fn display() -> &'static str {
-    "builder"
-  }
-
-  fn resource_target(id: String) -> ResourceTarget {
-    ResourceTarget::Builder(id)
-  }
-
-  fn name_to_resource(
-  ) -> &'static HashMap<String, ResourceListItem<Self::ListItemInfo>>
-  {
-    name_to_builder()
-  }
-
-  async fn create(
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<String> {
-    monitor_client()
-      .write(CreateBuilder {
-        name: resource.name,
-        config: resource.config,
-      })
-      .await
-      .map(|res| res.id)
-  }
-
-  async fn update(
-    id: String,
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<()> {
-    monitor_client()
-      .write(UpdateBuilder {
-        id,
-        config: resource.config,
-      })
-      .await?;
-    Ok(())
-  }
-
-  async fn get(
-    id: String,
-  ) -> anyhow::Result<Resource<Self::Config, Self::Info>> {
-    monitor_client().read(GetBuilder { builder: id }).await
-  }
-
-  async fn get_diff(
-    mut original: Self::Config,
-    update: Self::PartialConfig,
-  ) -> anyhow::Result<Self::ConfigDiff> {
-    // need to replace server builder id with name
-    if let BuilderConfig::Server(config) = &mut original {
-      config.server_id = id_to_server()
-        .get(&config.server_id)
-        .map(|s| s.name.clone())
-        .unwrap_or_default();
-    }
-
-    Ok(original.partial_diff(update))
-  }
-}

bin/cli/src/sync/resources/deployment.rs

@@ -1,104 +0,0 @@
-use std::collections::HashMap;
-
-use monitor_client::{
-  api::{read::GetDeployment, write},
-  entities::{
-    deployment::{
-      Deployment, DeploymentConfig, DeploymentConfigDiff,
-      DeploymentImage, DeploymentListItemInfo,
-      PartialDeploymentConfig,
-    },
-    resource::{Resource, ResourceListItem},
-    toml::ResourceToml,
-    update::ResourceTarget,
-  },
-};
-use partial_derive2::PartialDiff;
-
-use crate::{
-  maps::{id_to_build, id_to_server, name_to_deployment},
-  monitor_client,
-};
-
-use super::ResourceSync;
-
-impl ResourceSync for Deployment {
-  type Config = DeploymentConfig;
-  type Info = ();
-  type PartialConfig = PartialDeploymentConfig;
-  type ConfigDiff = DeploymentConfigDiff;
-  type ListItemInfo = DeploymentListItemInfo;
-
-  fn display() -> &'static str {
-    "deployment"
-  }
-
-  fn resource_target(id: String) -> ResourceTarget {
-    ResourceTarget::Deployment(id)
-  }
-
-  fn name_to_resource(
-  ) -> &'static HashMap<String, ResourceListItem<Self::ListItemInfo>>
-  {
-    name_to_deployment()
-  }
-
-  async fn create(
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<String> {
-    monitor_client()
-      .write(write::CreateDeployment {
-        name: resource.name,
-        config: resource.config,
-      })
-      .await
-      .map(|res| res.id)
-  }
-
-  async fn update(
-    id: String,
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<()> {
-    monitor_client()
-      .write(write::UpdateDeployment {
-        id,
-        config: resource.config,
-      })
-      .await?;
-    Ok(())
-  }
-
-  async fn get(
-    id: String,
-  ) -> anyhow::Result<Resource<Self::Config, Self::Info>> {
-    monitor_client()
-      .read(GetDeployment { deployment: id })
-      .await
-  }
-
-  async fn get_diff(
-    mut original: Self::Config,
-    update: Self::PartialConfig,
-  ) -> anyhow::Result<Self::ConfigDiff> {
-    // need to replace the server id with name
-    original.server_id = id_to_server()
-      .get(&original.server_id)
-      .map(|s| s.name.clone())
-      .unwrap_or_default();
-
-    // need to replace the build id with name
-    if let DeploymentImage::Build { build_id, version } =
-      &original.image
-    {
-      original.image = DeploymentImage::Build {
-        build_id: id_to_build()
-          .get(build_id)
-          .map(|b| b.name.clone())
-          .unwrap_or_default(),
-        version: version.clone(),
-      };
-    }
-
-    Ok(original.partial_diff(update))
-  }
-}

bin/cli/src/sync/resources/mod.rs

@@ -1,327 +0,0 @@
-use std::collections::HashMap;
-
-use colored::Colorize;
-use monitor_client::{
-  api::write::{UpdateDescription, UpdateTagsOnResource},
-  entities::{
-    resource::{Resource, ResourceListItem},
-    toml::ResourceToml,
-    update::ResourceTarget,
-  },
-};
-use partial_derive2::{Diff, FieldDiff, MaybeNone, PartialDiff};
-use serde::Serialize;
-
-use crate::{cli_args, maps::id_to_tag, monitor_client};
-
-pub mod alerter;
-pub mod build;
-pub mod builder;
-pub mod deployment;
-pub mod procedure;
-pub mod repo;
-pub mod server;
-pub mod server_template;
-
-type ToUpdate<T> = Vec<ToUpdateItem<T>>;
-type ToCreate<T> = Vec<ResourceToml<T>>;
-type UpdatesResult<T> = (ToCreate<T>, ToUpdate<T>);
-
-pub struct ToUpdateItem<T> {
-  pub id: String,
-  pub resource: ResourceToml<T>,
-  pub update_description: bool,
-  pub update_tags: bool,
-}
-
-pub trait ResourceSync {
-  type Config: Clone
-    + Send
-    + PartialDiff<Self::PartialConfig, Self::ConfigDiff>
-    + 'static;
-  type Info: Default;
-  type PartialConfig: std::fmt::Debug
-    + Clone
-    + Send
-    + From<Self::ConfigDiff>
-    + Serialize
-    + 'static;
-  type ConfigDiff: Diff + MaybeNone;
-  type ListItemInfo: 'static;
-
-  fn display() -> &'static str;
-
-  fn resource_target(id: String) -> ResourceTarget;
-
-  fn name_to_resource(
-  ) -> &'static HashMap<String, ResourceListItem<Self::ListItemInfo>>;
-
-  /// Creates the resource and returns created id.
-  async fn create(
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<String>;
-
-  /// Updates the resource at id with the partial config.
-  async fn update(
-    id: String,
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<()>;
-
-  async fn get(
-    id: String,
-  ) -> anyhow::Result<Resource<Self::Config, Self::Info>>;
-
-  /// Diffs the declared toml (partial) against the full existing config.
-  /// Removes all fields from toml (partial) that haven't changed.
-  async fn get_diff(
-    original: Self::Config,
-    update: Self::PartialConfig,
-  ) -> anyhow::Result<Self::ConfigDiff>;
-
-  async fn get_updates(
-    resources: Vec<ResourceToml<Self::PartialConfig>>,
-  ) -> anyhow::Result<UpdatesResult<Self::PartialConfig>> {
-    let map = Self::name_to_resource();
-
-    let mut to_create = ToCreate::<Self::PartialConfig>::new();
-    let mut to_update = ToUpdate::<Self::PartialConfig>::new();
-
-    let quiet = cli_args().quiet;
-
-    for mut resource in resources {
-      match map.get(&resource.name).map(|s| s.id.clone()) {
-        Some(id) => {
-          // Get the full original config for the resource.
-          let original = Self::get(id.clone()).await?;
-
-          let diff =
-            Self::get_diff(original.config, resource.config).await?;
-
-          let original_tags = original
-            .tags
-            .iter()
-            .filter_map(|id| {
-              id_to_tag().get(id).map(|t| t.name.clone())
-            })
-            .collect::<Vec<_>>();
-
-          // Only proceed if there are any fields to update,
-          // or a change to tags / description
-          if diff.is_none()
-            && resource.description == original.description
-            && resource.tags == original_tags
-          {
-            continue;
-          }
-
-          if !quiet {
-            println!(
-              "\n{}: {}: '{}'\n-------------------",
-              "UPDATE".blue(),
-              Self::display(),
-              resource.name.bold(),
-            );
-            let mut lines = Vec::<String>::new();
-            if resource.description != original.description {
-              lines.push(format!(
-                "{}: 'description'\n{}:  {}\n{}:    {}",
-                "field".dimmed(),
-                "from".dimmed(),
-                original.description.red(),
-                "to".dimmed(),
-                resource.description.green()
-              ))
-            }
-            if resource.tags != original_tags {
-              let from = format!("{:?}", original_tags).red();
-              let to = format!("{:?}", resource.tags).green();
-              lines.push(format!(
-                "{}: 'tags'\n{}:  {from}\n{}:    {to}",
-                "field".dimmed(),
-                "from".dimmed(),
-                "to".dimmed(),
-              ));
-            }
-            lines.extend(diff.iter_field_diffs().map(
-              |FieldDiff { field, from, to }| {
-                format!(
-                  "{}: '{field}'\n{}:  {}\n{}:    {}",
-                  "field".dimmed(),
-                  "from".dimmed(),
-                  from.red(),
-                  "to".dimmed(),
-                  to.green()
-                )
-              },
-            ));
-            println!("{}", lines.join("\n-------------------\n"));
-          }
-
-          // Minimizes updates through diffing.
-          resource.config = diff.into();
-
-          let update = ToUpdateItem {
-            id,
-            update_description: resource.description
-              != original.description,
-            update_tags: resource.tags != original_tags,
-            resource,
-          };
-
-          to_update.push(update);
-        }
-        None => {
-          if !quiet {
-            println!(
-              "\n{}: {}: {}\n{}: {}\n{}: {:?}\n{}: {}",
-              "CREATE".green(),
-              Self::display(),
-              resource.name.bold().green(),
-              "description".dimmed(),
-              resource.description,
-              "tags".dimmed(),
-              resource.tags,
-              "config".dimmed(),
-              serde_json::to_string_pretty(&resource.config)?
-            )
-          }
-          to_create.push(resource);
-        }
-      }
-    }
-
-    if quiet && !to_create.is_empty() {
-      println!(
-        "\n{}s {}: {:#?}",
-        Self::display(),
-        "TO CREATE".green(),
-        to_create.iter().map(|item| item.name.as_str())
-      );
-    }
-
-    if quiet && !to_update.is_empty() {
-      println!(
-        "\n{}s {}: {:#?}",
-        Self::display(),
-        "TO UPDATE".blue(),
-        to_update
-          .iter()
-          .map(|update| update.resource.name.as_str())
-          .collect::<Vec<_>>()
-      );
-    }
-
-    Ok((to_create, to_update))
-  }
-
-  async fn run_updates(
-    to_create: ToCreate<Self::PartialConfig>,
-    to_update: ToUpdate<Self::PartialConfig>,
-  ) {
-    for resource in to_create {
-      let name = resource.name.clone();
-      let tags = resource.tags.clone();
-      let description = resource.description.clone();
-      let id = match Self::create(resource).await {
-        Ok(id) => id,
-        Err(e) => {
-          warn!(
-            "failed to create {} {name} | {e:#}",
-            Self::display(),
-          );
-          continue;
-        }
-      };
-      Self::update_tags(id.clone(), &name, tags).await;
-      Self::update_description(id, &name, description).await;
-      info!(
-        "{} {} '{}'",
-        "created".green().bold(),
-        Self::display(),
-        name.bold(),
-      );
-    }
-
-    for ToUpdateItem {
-      id,
-      resource,
-      update_description,
-      update_tags,
-    } in to_update
-    {
-      // Update resource
-      let name = resource.name.clone();
-      let tags = resource.tags.clone();
-      let description = resource.description.clone();
-
-      if update_description {
-        Self::update_description(id.clone(), &name, description)
-          .await;
-      }
-
-      if update_tags {
-        Self::update_tags(id.clone(), &name, tags).await;
-      }
-
-      if let Err(e) = Self::update(id, resource).await {
-        warn!(
-          "failed to update config on {} {name} | {e:#}",
-          Self::display()
-        );
-      } else {
-        info!(
-          "{} {} '{}' configuration",
-          "updated".blue().bold(),
-          Self::display(),
-          name.bold(),
-        );
-      }
-    }
-  }
-
-  async fn update_tags(id: String, name: &str, tags: Vec<String>) {
-    // Update tags
-    if let Err(e) = monitor_client()
-      .write(UpdateTagsOnResource {
-        target: Self::resource_target(id),
-        tags,
-      })
-      .await
-    {
-      warn!(
-        "failed to update tags on {} {name} | {e:#}",
-        Self::display(),
-      );
-    } else {
-      info!(
-        "{} {} '{}' tags",
-        "updated".blue().bold(),
-        Self::display(),
-        name.bold(),
-      );
-    }
-  }
-
-  async fn update_description(
-    id: String,
-    name: &str,
-    description: String,
-  ) {
-    if let Err(e) = monitor_client()
-      .write(UpdateDescription {
-        target: Self::resource_target(id.clone()),
-        description,
-      })
-      .await
-    {
-      warn!("failed to update resource {id} description | {e:#}");
-    } else {
-      info!(
-        "{} {} '{}' description",
-        "updated".blue().bold(),
-        Self::display(),
-        name.bold(),
-      );
-    }
-  }
-}

bin/cli/src/sync/resources/procedure.rs

@@ -1,250 +0,0 @@
-use std::collections::HashMap;
-
-use monitor_client::{
-  api::{
-    execute::Execution,
-    read::GetProcedure,
-    write::{CreateProcedure, UpdateProcedure},
-  },
-  entities::{
-    procedure::{
-      PartialProcedureConfig, Procedure, ProcedureConfig, ProcedureConfigDiff, ProcedureListItemInfo
-    },
-    resource::{Resource, ResourceListItem},
-    toml::ResourceToml,
-    update::ResourceTarget,
-  },
-};
-use partial_derive2::{MaybeNone, PartialDiff};
-
-use crate::{
-  maps::{
-    id_to_build, id_to_deployment, id_to_procedure, id_to_repo,
-    id_to_server, name_to_procedure,
-  },
-  monitor_client,
-  sync::resources::ToUpdateItem,
-};
-
-use super::{ResourceSync, ToCreate, ToUpdate};
-
-impl ResourceSync for Procedure {
-  type Config = ProcedureConfig;
-  type Info = ();
-  type PartialConfig = PartialProcedureConfig;
-  type ConfigDiff = ProcedureConfigDiff;
-  type ListItemInfo = ProcedureListItemInfo;
-
-  fn display() -> &'static str {
-    "procedure"
-  }
-
-  fn resource_target(id: String) -> ResourceTarget {
-    ResourceTarget::Procedure(id)
-  }
-
-  fn name_to_resource(
-  ) -> &'static HashMap<String, ResourceListItem<Self::ListItemInfo>>
-  {
-    name_to_procedure()
-  }
-
-  async fn create(
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<String> {
-    monitor_client()
-      .write(CreateProcedure {
-        name: resource.name,
-        config: resource.config,
-      })
-      .await
-      .map(|p| p.id)
-  }
-
-  async fn update(
-    id: String,
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<()> {
-    monitor_client()
-      .write(UpdateProcedure {
-        id,
-        config: resource.config,
-      })
-      .await?;
-    Ok(())
-  }
-
-  async fn run_updates(
-    mut to_create: ToCreate<Self::PartialConfig>,
-    mut to_update: ToUpdate<Self::PartialConfig>,
-  ) {
-    if to_update.is_empty() && to_create.is_empty() {
-      return;
-    }
-
-    for i in 0..10 {
-      let mut to_pull = Vec::new();
-      for ToUpdateItem {
-        id,
-        resource,
-        update_description,
-        update_tags,
-      } in &to_update
-      {
-        // Update resource
-        let name = resource.name.clone();
-        let tags = resource.tags.clone();
-        let description = resource.description.clone();
-        if *update_description {
-          Self::update_description(id.clone(), &name, description)
-            .await;
-        }
-        if *update_tags {
-          Self::update_tags(id.clone(), &name, tags).await;
-        }
-        if !resource.config.is_none() {
-          if let Err(e) =
-            Self::update(id.clone(), resource.clone()).await
-          {
-            if i == 9 {
-              warn!(
-                "failed to update {} {name} | {e:#}",
-                Self::display()
-              );
-            }
-          }
-        }
-
-        info!("{} {name} updated", Self::display());
-        // have to clone out so to_update is mutable
-        to_pull.push(id.clone());
-      }
-      //
-      to_update.retain(|resource| !to_pull.contains(&resource.id));
-
-      let mut to_pull = Vec::new();
-      for resource in &to_create {
-        let name = resource.name.clone();
-        let tags = resource.tags.clone();
-        let description = resource.description.clone();
-        let id = match Self::create(resource.clone()).await {
-          Ok(id) => id,
-          Err(e) => {
-            if i == 9 {
-              warn!(
-                "failed to create {} {name} | {e:#}",
-                Self::display(),
-              );
-            }
-            continue;
-          }
-        };
-        Self::update_tags(id.clone(), &name, tags).await;
-        Self::update_description(id, &name, description).await;
-        info!("{} {name} created", Self::display());
-        to_pull.push(name);
-      }
-      to_create.retain(|resource| !to_pull.contains(&resource.name));
-
-      if to_update.is_empty() && to_create.is_empty() {
-        info!(
-          "============ {}s synced ✅ ============",
-          Self::display()
-        );
-        return;
-      }
-    }
-    warn!("procedure sync loop exited after max iterations");
-  }
-
-  async fn get(
-    id: String,
-  ) -> anyhow::Result<Resource<Self::Config, Self::Info>> {
-    monitor_client().read(GetProcedure { procedure: id }).await
-  }
-
-  async fn get_diff(
-    mut original: Self::Config,
-    update: Self::PartialConfig,
-  ) -> anyhow::Result<Self::ConfigDiff> {
-    for execution in &mut original.executions {
-      match &mut execution.execution {
-        Execution::None(_) => {}
-        Execution::RunProcedure(config) => {
-          config.procedure = id_to_procedure()
-            .get(&config.procedure)
-            .map(|p| p.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::RunBuild(config) => {
-          config.build = id_to_build()
-            .get(&config.build)
-            .map(|b| b.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::Deploy(config) => {
-          config.deployment = id_to_deployment()
-            .get(&config.deployment)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::StartContainer(config) => {
-          config.deployment = id_to_deployment()
-            .get(&config.deployment)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::StopContainer(config) => {
-          config.deployment = id_to_deployment()
-            .get(&config.deployment)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::RemoveContainer(config) => {
-          config.deployment = id_to_deployment()
-            .get(&config.deployment)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::CloneRepo(config) => {
-          config.repo = id_to_repo()
-            .get(&config.repo)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::PullRepo(config) => {
-          config.repo = id_to_repo()
-            .get(&config.repo)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::StopAllContainers(config) => {
-          config.server = id_to_server()
-            .get(&config.server)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::PruneDockerNetworks(config) => {
-          config.server = id_to_server()
-            .get(&config.server)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::PruneDockerImages(config) => {
-          config.server = id_to_server()
-            .get(&config.server)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-        Execution::PruneDockerContainers(config) => {
-          config.server = id_to_server()
-            .get(&config.server)
-            .map(|d| d.name.clone())
-            .unwrap_or_default();
-        }
-      }
-    }
-
-    Ok(original.partial_diff(update))
-  }
-}

bin/cli/src/sync/resources/repo.rs

@@ -1,91 +0,0 @@
-use std::collections::HashMap;
-
-use monitor_client::{
-  api::{
-    read::GetRepo,
-    write::{CreateRepo, UpdateRepo},
-  },
-  entities::{
-    repo::{
-      PartialRepoConfig, Repo, RepoConfig, RepoConfigDiff, RepoInfo,
-      RepoListItemInfo,
-    },
-    resource::{Resource, ResourceListItem},
-    toml::ResourceToml,
-    update::ResourceTarget,
-  },
-};
-use partial_derive2::PartialDiff;
-
-use crate::{
-  maps::{id_to_server, name_to_repo},
-  monitor_client,
-};
-
-use super::ResourceSync;
-
-impl ResourceSync for Repo {
-  type Config = RepoConfig;
-  type Info = RepoInfo;
-  type PartialConfig = PartialRepoConfig;
-  type ConfigDiff = RepoConfigDiff;
-  type ListItemInfo = RepoListItemInfo;
-
-  fn display() -> &'static str {
-    "repo"
-  }
-
-  fn resource_target(id: String) -> ResourceTarget {
-    ResourceTarget::Repo(id)
-  }
-
-  fn name_to_resource(
-  ) -> &'static HashMap<String, ResourceListItem<Self::ListItemInfo>>
-  {
-    name_to_repo()
-  }
-
-  async fn create(
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<String> {
-    monitor_client()
-      .write(CreateRepo {
-        name: resource.name,
-        config: resource.config,
-      })
-      .await
-      .map(|res| res.id)
-  }
-
-  async fn update(
-    id: String,
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<()> {
-    monitor_client()
-      .write(UpdateRepo {
-        id,
-        config: resource.config,
-      })
-      .await?;
-    Ok(())
-  }
-
-  async fn get(
-    id: String,
-  ) -> anyhow::Result<Resource<Self::Config, Self::Info>> {
-    monitor_client().read(GetRepo { repo: id }).await
-  }
-
-  async fn get_diff(
-    mut original: Self::Config,
-    update: Self::PartialConfig,
-  ) -> anyhow::Result<Self::ConfigDiff> {
-    // Need to replace server id with name
-    original.server_id = id_to_server()
-      .get(&original.server_id)
-      .map(|s| s.name.clone())
-      .unwrap_or_default();
-
-    Ok(original.partial_diff(update))
-  }
-}

bin/cli/src/sync/resources/server.rs

@@ -1,82 +0,0 @@
-use std::collections::HashMap;
-
-use monitor_client::{
-  api::{
-    read::GetServer,
-    write::{CreateServer, UpdateServer},
-  },
-  entities::{
-    resource::{Resource, ResourceListItem},
-    server::{
-      PartialServerConfig, Server, ServerConfig, ServerConfigDiff,
-      ServerListItemInfo,
-    },
-    toml::ResourceToml,
-    update::ResourceTarget,
-  },
-};
-use partial_derive2::PartialDiff;
-
-use crate::{maps::name_to_server, monitor_client};
-
-use super::ResourceSync;
-
-impl ResourceSync for Server {
-  type Config = ServerConfig;
-  type Info = ();
-  type PartialConfig = PartialServerConfig;
-  type ConfigDiff = ServerConfigDiff;
-  type ListItemInfo = ServerListItemInfo;
-
-  fn display() -> &'static str {
-    "server"
-  }
-
-  fn resource_target(id: String) -> ResourceTarget {
-    ResourceTarget::Server(id)
-  }
-
-  fn name_to_resource(
-  ) -> &'static HashMap<String, ResourceListItem<Self::ListItemInfo>>
-  {
-    name_to_server()
-  }
-
-  async fn create(
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<String> {
-    monitor_client()
-      .write(CreateServer {
-        name: resource.name,
-        config: resource.config,
-      })
-      .await
-      .map(|res| res.id)
-  }
-
-  async fn update(
-    id: String,
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<()> {
-    monitor_client()
-      .write(UpdateServer {
-        id,
-        config: resource.config,
-      })
-      .await?;
-    Ok(())
-  }
-
-  async fn get(
-    id: String,
-  ) -> anyhow::Result<Resource<Self::Config, Self::Info>> {
-    monitor_client().read(GetServer { server: id }).await
-  }
-
-  async fn get_diff(
-    original: Self::Config,
-    update: Self::PartialConfig,
-  ) -> anyhow::Result<Self::ConfigDiff> {
-    Ok(original.partial_diff(update))
-  }
-}

bin/cli/src/sync/resources/server_template.rs

@@ -1,85 +0,0 @@
-use std::collections::HashMap;
-
-use monitor_client::{
-  api::{
-    read::GetServerTemplate,
-    write::{CreateServerTemplate, UpdateServerTemplate},
-  },
-  entities::{
-    resource::{Resource, ResourceListItem},
-    server_template::{
-      PartialServerTemplateConfig, ServerTemplate, ServerTemplateConfig, ServerTemplateConfigDiff, ServerTemplateListItemInfo
-    },
-    toml::ResourceToml,
-    update::ResourceTarget,
-  },
-};
-use partial_derive2::PartialDiff;
-
-use crate::{maps::name_to_server_template, monitor_client};
-
-use super::ResourceSync;
-
-impl ResourceSync for ServerTemplate {
-  type Config = ServerTemplateConfig;
-  type Info = ();
-  type PartialConfig = PartialServerTemplateConfig;
-  type ConfigDiff = ServerTemplateConfigDiff;
-  type ListItemInfo = ServerTemplateListItemInfo;
-
-  fn display() -> &'static str {
-    "server template"
-  }
-
-  fn resource_target(id: String) -> ResourceTarget {
-    ResourceTarget::ServerTemplate(id)
-  }
-
-  fn name_to_resource(
-  ) -> &'static HashMap<String, ResourceListItem<Self::ListItemInfo>>
-  {
-    name_to_server_template()
-  }
-
-  async fn create(
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<String> {
-    monitor_client()
-      .write(CreateServerTemplate {
-        name: resource.name,
-        config: resource.config,
-      })
-      .await
-      .map(|res| res.id)
-  }
-
-  async fn update(
-    id: String,
-    resource: ResourceToml<Self::PartialConfig>,
-  ) -> anyhow::Result<()> {
-    monitor_client()
-      .write(UpdateServerTemplate {
-        id,
-        config: resource.config,
-      })
-      .await?;
-    Ok(())
-  }
-
-  async fn get(
-    id: String,
-  ) -> anyhow::Result<Resource<Self::Config, Self::Info>> {
-    monitor_client()
-      .read(GetServerTemplate {
-        server_template: id,
-      })
-      .await
-  }
-
-  async fn get_diff(
-    original: Self::Config,
-    update: Self::PartialConfig,
-  ) -> anyhow::Result<Self::ConfigDiff> {
-    Ok(original.partial_diff(update))
-  }
-}

bin/cli/src/sync/user_group.rs

@@ -1,242 +0,0 @@
-use std::cmp::Ordering;
-
-use anyhow::Context;
-use monitor_client::{
-  api::{
-    read::ListUserTargetPermissions,
-    write::{
-      CreateUserGroup, SetUsersInUserGroup, UpdatePermissionOnTarget,
-    },
-  },
-  entities::{
-    permission::UserTarget,
-    toml::{PermissionToml, UserGroupToml},
-    update::ResourceTarget,
-  },
-};
-
-use crate::{
-  maps::{
-    id_to_alerter, id_to_build, id_to_builder, id_to_deployment,
-    id_to_procedure, id_to_repo, id_to_server, id_to_server_template,
-    id_to_user, name_to_user_group,
-  },
-  monitor_client,
-};
-
-pub async fn get_updates(
-  user_groups: Vec<UserGroupToml>,
-) -> anyhow::Result<(Vec<UserGroupToml>, Vec<UserGroupToml>)> {
-  let map = name_to_user_group();
-
-  let mut to_create = Vec::<UserGroupToml>::new();
-  let mut to_update = Vec::<UserGroupToml>::new();
-
-  for mut user_group in user_groups {
-    match map.get(&user_group.name).cloned() {
-      Some(original) => {
-        // replace the user ids with usernames
-        let mut users = original
-          .users
-          .into_iter()
-          .filter_map(|user_id| {
-            id_to_user().get(&user_id).map(|u| u.username.clone())
-          })
-          .collect::<Vec<_>>();
-
-        let mut permissions = monitor_client()
-          .read(ListUserTargetPermissions {
-            user_target: UserTarget::UserGroup(original.id),
-          })
-          .await
-          .context("failed to query for UserGroup permissions")?
-          .into_iter()
-          .map(|mut p| {
-            // replace the ids with names
-            match &mut p.resource_target {
-              ResourceTarget::System(_) => {}
-              ResourceTarget::Build(id) => {
-                *id = id_to_build()
-                  .get(id)
-                  .map(|b| b.name.clone())
-                  .unwrap_or_default()
-              }
-              ResourceTarget::Builder(id) => {
-                *id = id_to_builder()
-                  .get(id)
-                  .map(|b| b.name.clone())
-                  .unwrap_or_default()
-              }
-              ResourceTarget::Deployment(id) => {
-                *id = id_to_deployment()
-                  .get(id)
-                  .map(|b| b.name.clone())
-                  .unwrap_or_default()
-              }
-              ResourceTarget::Server(id) => {
-                *id = id_to_server()
-                  .get(id)
-                  .map(|b| b.name.clone())
-                  .unwrap_or_default()
-              }
-              ResourceTarget::Repo(id) => {
-                *id = id_to_repo()
-                  .get(id)
-                  .map(|b| b.name.clone())
-                  .unwrap_or_default()
-              }
-              ResourceTarget::Alerter(id) => {
-                *id = id_to_alerter()
-                  .get(id)
-                  .map(|b| b.name.clone())
-                  .unwrap_or_default()
-              }
-              ResourceTarget::Procedure(id) => {
-                *id = id_to_procedure()
-                  .get(id)
-                  .map(|b| b.name.clone())
-                  .unwrap_or_default()
-              }
-              ResourceTarget::ServerTemplate(id) => {
-                *id = id_to_server_template()
-                  .get(id)
-                  .map(|b| b.name.clone())
-                  .unwrap_or_default()
-              }
-            }
-            PermissionToml {
-              target: p.resource_target,
-              level: p.level,
-            }
-          })
-          .collect::<Vec<_>>();
-
-        users.sort();
-        user_group.users.sort();
-
-        user_group.permissions.sort_by(sort_permissions);
-        permissions.sort_by(sort_permissions);
-
-        // only push update after failed diff
-        if user_group.users != users
-          || user_group.permissions != permissions
-        {
-          // no update from users
-          to_update.push(user_group);
-        }
-      }
-      None => to_create.push(user_group),
-    }
-  }
-
-  if !to_create.is_empty() {
-    println!(
-      "\nUSER GROUPS TO CREATE: {}",
-      to_create
-        .iter()
-        .map(|item| item.name.as_str())
-        .collect::<Vec<_>>()
-        .join(", ")
-    );
-  }
-
-  if !to_update.is_empty() {
-    println!(
-      "\nUSER GROUPS TO UPDATE: {}",
-      to_update
-        .iter()
-        .map(|item| item.name.as_str())
-        .collect::<Vec<_>>()
-        .join(", ")
-    );
-  }
-
-  Ok((to_create, to_update))
-}
-
-/// order permissions in deterministic way
-fn sort_permissions(
-  a: &PermissionToml,
-  b: &PermissionToml,
-) -> Ordering {
-  let (a_t, a_id) = a.target.extract_variant_id();
-  let (b_t, b_id) = b.target.extract_variant_id();
-  match (a_t.cmp(&b_t), a_id.cmp(b_id)) {
-    (Ordering::Greater, _) => Ordering::Greater,
-    (Ordering::Less, _) => Ordering::Less,
-    (_, Ordering::Greater) => Ordering::Greater,
-    (_, Ordering::Less) => Ordering::Less,
-    _ => Ordering::Equal,
-  }
-}
-
-pub async fn run_updates(
-  to_create: Vec<UserGroupToml>,
-  to_update: Vec<UserGroupToml>,
-) {
-  let log_after = !to_update.is_empty() || !to_create.is_empty();
-
-  // Create the non-existant user groups
-  for user_group in to_create {
-    // Create the user group
-    if let Err(e) = monitor_client()
-      .write(CreateUserGroup {
-        name: user_group.name.clone(),
-      })
-      .await
-    {
-      warn!(
-        "failed to create user group {} | {e:#}",
-        user_group.name
-      );
-      continue;
-    };
-
-    set_users(user_group.name.clone(), user_group.users).await;
-    update_permissions(user_group.name, user_group.permissions).await;
-  }
-
-  // Update the existing user groups
-  for user_group in to_update {
-    set_users(user_group.name.clone(), user_group.users).await;
-    update_permissions(user_group.name, user_group.permissions).await;
-  }
-
-  if log_after {
-    info!("============ user groups synced ✅ ============");
-  }
-}
-
-async fn set_users(user_group: String, users: Vec<String>) {
-  if !users.is_empty() {
-    if let Err(e) = monitor_client()
-      .write(SetUsersInUserGroup {
-        user_group: user_group.clone(),
-        users,
-      })
-      .await
-    {
-      warn!("failed to set users in group {user_group} | {e:#}");
-    }
-  }
-}
-
-async fn update_permissions(
-  user_group: String,
-  permissions: Vec<PermissionToml>,
-) {
-  for PermissionToml { target, level } in permissions {
-    if let Err(e) = monitor_client()
-      .write(UpdatePermissionOnTarget {
-        user_target: UserTarget::UserGroup(user_group.clone()),
-        resource_target: target.clone(),
-        permission: level,
-      })
-      .await
-    {
-      warn!(
-        "failed to set permssion in group {user_group} | target: {target:?} | {e:#}",
-      );
-    }
-  }
-}

bin/core/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "monitor_core"
+name = "komodo_core"
 version.workspace = true
 edition.workspace = true
 authors.workspace = true
@@ -15,22 +15,32 @@ path = "src/main.rs"
 
 [dependencies]
 # local
-monitor_client = { workspace = true, features = ["mongo"] }
+komodo_client = { workspace = true, features = ["mongo"] }
 periphery_client.workspace = true
+environment_file.workspace = true
+formatting.workspace = true
+response.workspace = true
+command.workspace = true
 logger.workspace = true
+cache.workspace = true
+git.workspace = true
 # mogh
 serror = { workspace = true, features = ["axum"] }
 merge_config_files.workspace = true
-termination_signal.workspace = true
 async_timing_util.workspace = true
 partial_derive2.workspace = true
+derive_variants.workspace = true
 mongo_indexed.workspace = true
 resolver_api.workspace = true
-parse_csl.workspace = true
+toml_pretty.workspace = true
 mungos.workspace = true
 slack.workspace = true
 svi.workspace = true
 # external
+aws-credential-types.workspace = true
+ordered_hash_map.workspace = true
+openidconnect.workspace = true
+axum-server.workspace = true
 urlencoding.workspace = true
 aws-sdk-ec2.workspace = true
 aws-config.workspace = true
@@ -38,16 +48,24 @@ tokio-util.workspace = true
 axum-extra.workspace = true
 tower-http.workspace = true
 serde_json.workspace = true
+serde_yaml.workspace = true
 typeshare.workspace = true
+octorust.workspace = true
+wildcard.workspace = true
+arc-swap.workspace = true
+dashmap.workspace = true
 tracing.workspace = true
 reqwest.workspace = true
 futures.workspace = true
+nom_pem.workspace = true
+dotenvy.workspace = true
 anyhow.workspace = true
-dotenv.workspace = true
 bcrypt.workspace = true
+base64.workspace = true
+rustls.workspace = true
 tokio.workspace = true
-tower.workspace = true
 serde.workspace = true
+regex.workspace = true
 axum.workspace = true
 toml.workspace = true
 uuid.workspace = true
@@ -55,5 +73,5 @@ envy.workspace = true
 rand.workspace = true
 hmac.workspace = true
 sha2.workspace = true
-jwt.workspace = true
+jsonwebtoken.workspace = true
 hex.workspace = true

bin/core/Dockerfile

@@ -1,23 +0,0 @@
-# Build Core
-FROM rust:1.78.0-bullseye as core-builder
-WORKDIR /builder
-COPY . .
-RUN cargo build -p monitor_core --release
-
-# Build Frontend
-FROM node:20.12-alpine as frontend-builder
-WORKDIR /builder
-COPY ./frontend ./frontend
-COPY ./client/core/ts ./client
-RUN cd client && yarn && yarn build && yarn link
-RUN cd frontend && yarn link @monitor/client && yarn && yarn build
-
-# Final Image
-# FROM gcr.io/distroless/cc
-FROM debian:bullseye-slim
-RUN apt update && apt install -y ca-certificates
-COPY ./config_example/core.config.example.toml /config/config.toml
-COPY --from=core-builder /builder/target/release/core /
-COPY --from=frontend-builder /builder/frontend/dist /frontend
-EXPOSE 9000
-CMD ["./core"]

bin/core/aio.Dockerfile

@@ -0,0 +1,55 @@
+## All in one, multi stage compile + runtime Docker build for your architecture.
+
+# Build Core
+FROM rust:1.85.1-bullseye AS core-builder
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/core ./bin/core
+
+# Compile app
+RUN cargo build -p komodo_core --release
+
+# Build Frontend
+FROM node:20.12-alpine AS frontend-builder
+WORKDIR /builder
+COPY ./frontend ./frontend
+COPY ./client/core/ts ./client
+RUN cd client && yarn && yarn build && yarn link
+RUN cd frontend && yarn link komodo_client && yarn && yarn build
+
+# Final Image
+FROM debian:bullseye-slim
+
+# Install Deps
+RUN apt update && \
+  apt install -y git ca-certificates && \
+  rm -rf /var/lib/apt/lists/*
+
+# Setup an application directory
+WORKDIR /app
+
+# Copy
+COPY ./config/core.config.toml /config/config.toml
+COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=core-builder /builder/target/release/core /usr/local/bin/core
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+  cd /action-cache && \
+  deno install jsr:@std/yaml jsr:@std/toml
+
+# Hint at the port
+EXPOSE 9120
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses=GPL-3.0
+
+ENTRYPOINT [ "core" ]

bin/core/multi-arch.Dockerfile

@@ -0,0 +1,50 @@
+## Assumes the latest binaries for x86_64 and aarch64 are already built (by binaries.Dockerfile).
+## Sets up the necessary runtime container dependencies for Komodo Core.
+## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+ARG FRONTEND_IMAGE=ghcr.io/moghtech/komodo-frontend:latest
+ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
+ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64
+
+# This is required to work with COPY --from
+FROM ${X86_64_BINARIES} AS x86_64
+FROM ${AARCH64_BINARIES} AS aarch64
+FROM ${FRONTEND_IMAGE} AS frontend
+
+# Final Image
+FROM debian:bullseye-slim
+
+# Install Deps
+RUN apt update && \
+  apt install -y git ca-certificates && \
+  rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
+COPY --from=x86_64 /core /app/arch/linux/amd64
+COPY --from=aarch64 /core /app/arch/linux/arm64
+ARG TARGETPLATFORM
+RUN mv /app/arch/${TARGETPLATFORM} /usr/local/bin/core && rm -r /app/arch
+
+# Copy default config / static frontend / deno binary
+COPY ./config/core.config.toml /config/config.toml
+COPY --from=frontend /frontend /app/frontend
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+  cd /action-cache && \
+  deno install jsr:@std/yaml jsr:@std/toml
+
+# Hint at the port
+EXPOSE 9120
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses=GPL-3.0
+
+CMD [ "core" ]

bin/core/single-arch.Dockerfile

@@ -0,0 +1,44 @@
+## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).
+## Sets up the necessary runtime container dependencies for Komodo Core.
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+
+# This is required to work with COPY --from
+FROM ${BINARIES_IMAGE} AS binaries
+
+# Build Frontend
+FROM node:20.12-alpine AS frontend-builder
+WORKDIR /builder
+COPY ./frontend ./frontend
+COPY ./client/core/ts ./client
+RUN cd client && yarn && yarn build && yarn link
+RUN cd frontend && yarn link komodo_client && yarn && yarn build
+
+FROM debian:bullseye-slim
+
+# Install Deps
+RUN apt update && \
+	apt install -y git ca-certificates && \
+	rm -rf /var/lib/apt/lists/*
+	
+# Copy
+COPY ./config/core.config.toml /config/config.toml
+COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=binaries /core /usr/local/bin/core
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+	cd /action-cache && \
+	deno install jsr:@std/yaml jsr:@std/toml
+
+# Hint at the port
+EXPOSE 9120
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses=GPL-3.0
+
+CMD [ "core" ]

bin/core/src/alert/discord.rs

@@ -0,0 +1,259 @@
+use std::sync::OnceLock;
+
+use serde::Serialize;
+
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let level = fmt_level(alert.level);
+  let content = match &alert.data {
+    AlertData::Test { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Alerter, id);
+      format!(
+        "{level} | If you see this message, then Alerter **{name}** is **working**\n{link}"
+      )
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | **{name}**{region} is now **reachable**\n{link}"
+          )
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\n**error**: {e:#?}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | **{name}**{region} is **unreachable** ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      format!(
+        "{level} | **{name}**{region} cpu usage at **{percentage:.1}%**\n{link}"
+      )
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | **{name}**{region} memory usage at **{percentage:.1}%** 💾\n\nUsing **{used_gb:.1} GiB** / **{total_gb:.1} GiB**\n{link}"
+      )
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | **{name}**{region} disk usage at **{percentage:.1}%** 💿\nmount point: `{path:?}`\nusing **{used_gb:.1} GiB** / **{total_gb:.1} GiB**\n{link}"
+      )
+    }
+    AlertData::ContainerStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let to = fmt_docker_container_state(to);
+      format!(
+        "📦 Deployment **{name}** is now **{to}**\nserver: **{server_name}**\nprevious: **{from}**\n{link}"
+      )
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment **{name}** has an update available\nserver: **{server_name}**\nimage: **{image}**\n{link}"
+      )
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment **{name}** was updated automatically ⏫\nserver: **{server_name}**\nimage: **{image}**\n{link}"
+      )
+    }
+    AlertData::StackStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let to = fmt_stack_state(to);
+      format!(
+        "🥞 Stack **{name}** is now {to}\nserver: **{server_name}**\nprevious: **{from}**\n{link}"
+      )
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      format!(
+        "⬆ Stack **{name}** has an update available\nserver: **{server_name}**\nservice: **{service}**\nimage: **{image}**\n{link}"
+      )
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images = images.join(", ");
+      format!(
+        "⬆ Stack **{name}** was updated automatically ⏫\nserver: **{server_name}**\n{images_label}: **{images}**\n{link}"
+      )
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      format!(
+        "{level} | Failed to terminated AWS builder instance\ninstance id: **{instance_id}**\n{message}"
+      )
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let link =
+        resource_link(ResourceTargetVariant::ResourceSync, id);
+      format!(
+        "{level} | Pending resource sync updates on **{name}**\n{link}"
+      )
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let link = resource_link(ResourceTargetVariant::Build, id);
+      format!(
+        "{level} | Build **{name}** failed\nversion: **v{version}**\n{link}"
+      )
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Repo, id);
+      format!("{level} | Repo build for **{name}** failed\n{link}")
+    }
+    AlertData::None {} => Default::default(),
+  };
+  if !content.is_empty() {
+    let vars_and_secrets = get_variables_and_secrets().await?;
+    let mut global_replacers = HashSet::new();
+    let mut secret_replacers = HashSet::new();
+    let mut url_interpolated = url.to_string();
+
+    // interpolate variables and secrets into the url
+    interpolate_variables_secrets_into_string(
+      &vars_and_secrets,
+      &mut url_interpolated,
+      &mut global_replacers,
+      &mut secret_replacers,
+    )?;
+
+    send_message(&url_interpolated, &content)
+      .await
+      .map_err(|e| {
+        let replacers =
+          secret_replacers.into_iter().collect::<Vec<_>>();
+        let sanitized_error =
+          svi::replace_in_string(&format!("{e:?}"), &replacers);
+        anyhow::Error::msg(format!(
+          "Error with slack request: {}",
+          sanitized_error
+        ))
+      })?;
+  }
+  Ok(())
+}
+
+async fn send_message(
+  url: &str,
+  content: &str,
+) -> anyhow::Result<()> {
+  let body = DiscordMessageBody { content };
+
+  let response = http_client()
+    .post(url)
+    .json(&body)
+    .send()
+    .await
+    .context("Failed to send message")?;
+
+  let status = response.status();
+
+  if status.is_success() {
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!("Failed to send message to Discord | {status} | failed to get response text")
+    })?;
+    Err(anyhow::anyhow!(
+      "Failed to send message to Discord | {status} | {text}"
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}
+
+#[derive(Serialize)]
+struct DiscordMessageBody<'a> {
+  content: &'a str,
+}

bin/core/src/alert/mod.rs

@@ -0,0 +1,260 @@
+use ::slack::types::Block;
+use anyhow::{Context, anyhow};
+use derive_variants::ExtractVariant;
+use futures::future::join_all;
+use komodo_client::entities::{
+  ResourceTargetVariant,
+  alert::{Alert, AlertData, AlertDataVariant, SeverityLevel},
+  alerter::*,
+  deployment::DeploymentState,
+  stack::StackState,
+};
+use mungos::{find::find_collect, mongodb::bson::doc};
+use std::collections::HashSet;
+use tracing::Instrument;
+
+use crate::helpers::interpolate::interpolate_variables_secrets_into_string;
+use crate::helpers::query::get_variables_and_secrets;
+use crate::{config::core_config, state::db_client};
+
+mod discord;
+mod slack;
+mod ntfy;
+
+#[instrument(level = "debug")]
+pub async fn send_alerts(alerts: &[Alert]) {
+  if alerts.is_empty() {
+    return;
+  }
+
+  let span =
+    info_span!("send_alerts", alerts = format!("{alerts:?}"));
+  async {
+    let Ok(alerters) = find_collect(
+      &db_client().alerters,
+      doc! { "config.enabled": true },
+      None,
+    )
+    .await
+    .inspect_err(|e| {
+      error!(
+      "ERROR sending alerts | failed to get alerters from db | {e:#}"
+    )
+    }) else {
+      return;
+    };
+
+    let handles =
+      alerts.iter().map(|alert| send_alert(&alerters, alert));
+
+    join_all(handles).await;
+  }
+  .instrument(span)
+  .await
+}
+
+#[instrument(level = "debug")]
+async fn send_alert(alerters: &[Alerter], alert: &Alert) {
+  if alerters.is_empty() {
+    return;
+  }
+
+  let handles = alerters
+    .iter()
+    .map(|alerter| send_alert_to_alerter(alerter, alert));
+
+  join_all(handles)
+    .await
+    .into_iter()
+    .filter_map(|res| res.err())
+    .for_each(|e| error!("{e:#}"));
+}
+
+pub async fn send_alert_to_alerter(
+  alerter: &Alerter,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  // Don't send if not enabled
+  if !alerter.config.enabled {
+    return Ok(());
+  }
+
+  let alert_type = alert.data.extract_variant();
+
+  // In the test case, we don't want the filters inside this
+  // block to stop the test from being sent to the alerting endpoint.
+  if alert_type != AlertDataVariant::Test {
+    // Don't send if alert type not configured on the alerter
+    if !alerter.config.alert_types.is_empty()
+      && !alerter.config.alert_types.contains(&alert_type)
+    {
+      return Ok(());
+    }
+
+    // Don't send if resource is in the blacklist
+    if alerter.config.except_resources.contains(&alert.target) {
+      return Ok(());
+    }
+
+    // Don't send if whitelist configured and target is not included
+    if !alerter.config.resources.is_empty()
+      && !alerter.config.resources.contains(&alert.target)
+    {
+      return Ok(());
+    }
+  }
+
+  match &alerter.config.endpoint {
+    AlerterEndpoint::Custom(CustomAlerterEndpoint { url }) => {
+      send_custom_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Custom Alerter {}",
+          alerter.name
+        )
+      })
+    }
+    AlerterEndpoint::Slack(SlackAlerterEndpoint { url }) => {
+      slack::send_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Slack Alerter {}",
+          alerter.name
+        )
+      })
+    }
+    AlerterEndpoint::Discord(DiscordAlerterEndpoint { url }) => {
+      discord::send_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Discord Alerter {}",
+          alerter.name
+        )
+      })
+    }
+    AlerterEndpoint::Ntfy(NtfyAlerterEndpoint { url }) => {
+      ntfy::send_alert(url, alert).await.with_context(|| {
+        format!("Failed to send alert to ntfy Alerter {}", alerter.name)
+      })
+    }
+  }
+}
+
+#[instrument(level = "debug")]
+async fn send_custom_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let vars_and_secrets = get_variables_and_secrets().await?;
+  let mut global_replacers = HashSet::new();
+  let mut secret_replacers = HashSet::new();
+  let mut url_interpolated = url.to_string();
+
+  // interpolate variables and secrets into the url
+  interpolate_variables_secrets_into_string(
+    &vars_and_secrets,
+    &mut url_interpolated,
+    &mut global_replacers,
+    &mut secret_replacers,
+  )?;
+
+  let res = reqwest::Client::new()
+    .post(url_interpolated)
+    .json(alert)
+    .send()
+    .await
+    .map_err(|e| {
+      let replacers =
+        secret_replacers.into_iter().collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with request: {}",
+        sanitized_error
+      ))
+    })
+    .context("failed at post request to alerter")?;
+  let status = res.status();
+  if !status.is_success() {
+    let text = res
+      .text()
+      .await
+      .context("failed to get response text on alerter response")?;
+    return Err(anyhow!(
+      "post to alerter failed | {status} | {text}"
+    ));
+  }
+  Ok(())
+}
+
+fn fmt_region(region: &Option<String>) -> String {
+  match region {
+    Some(region) => format!(" ({region})"),
+    None => String::new(),
+  }
+}
+
+fn fmt_docker_container_state(state: &DeploymentState) -> String {
+  match state {
+    DeploymentState::Running => String::from("Running ▶️"),
+    DeploymentState::Exited => String::from("Exited 🛑"),
+    DeploymentState::Restarting => String::from("Restarting 🔄"),
+    DeploymentState::NotDeployed => String::from("Not Deployed"),
+    _ => state.to_string(),
+  }
+}
+
+fn fmt_stack_state(state: &StackState) -> String {
+  match state {
+    StackState::Running => String::from("Running ▶️"),
+    StackState::Stopped => String::from("Stopped 🛑"),
+    StackState::Restarting => String::from("Restarting 🔄"),
+    StackState::Down => String::from("Down ⬇️"),
+    _ => state.to_string(),
+  }
+}
+
+fn fmt_level(level: SeverityLevel) -> &'static str {
+  match level {
+    SeverityLevel::Critical => "CRITICAL 🚨",
+    SeverityLevel::Warning => "WARNING ‼️",
+    SeverityLevel::Ok => "OK ✅",
+  }
+}
+
+fn resource_link(
+  resource_type: ResourceTargetVariant,
+  id: &str,
+) -> String {
+  let path = match resource_type {
+    ResourceTargetVariant::System => unreachable!(),
+    ResourceTargetVariant::Build => format!("/builds/{id}"),
+    ResourceTargetVariant::Builder => {
+      format!("/builders/{id}")
+    }
+    ResourceTargetVariant::Deployment => {
+      format!("/deployments/{id}")
+    }
+    ResourceTargetVariant::Stack => {
+      format!("/stacks/{id}")
+    }
+    ResourceTargetVariant::Server => {
+      format!("/servers/{id}")
+    }
+    ResourceTargetVariant::Repo => format!("/repos/{id}"),
+    ResourceTargetVariant::Alerter => {
+      format!("/alerters/{id}")
+    }
+    ResourceTargetVariant::Procedure => {
+      format!("/procedures/{id}")
+    }
+    ResourceTargetVariant::Action => {
+      format!("/actions/{id}")
+    }
+    ResourceTargetVariant::ServerTemplate => {
+      format!("/server-templates/{id}")
+    }
+    ResourceTargetVariant::ResourceSync => {
+      format!("/resource-syncs/{id}")
+    }
+  };
+
+  format!("{}{path}", core_config().host)
+}

bin/core/src/alert/ntfy.rs

@@ -0,0 +1,248 @@
+use std::sync::OnceLock;
+
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let level = fmt_level(alert.level);
+  let content = match &alert.data {
+    AlertData::Test { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Alerter, id);
+      format!(
+        "{level} | If you see this message, then Alerter {} is working\n{link}",
+        name,
+      )
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | {}{} is now reachable\n{link}",
+            name, region
+          )
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {:#?}", e))
+            .unwrap_or_default();
+          format!(
+            "{level} | {}{} is unreachable ❌\n{link}{err}",
+            name, region
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      format!(
+        "{level} | {}{} cpu usage at {percentage:.1}%\n{link}",
+        name, region,
+      )
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {}{} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+        name, region,
+      )
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {}{} disk usage at {percentage:.1}%💿\nmount point: {:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+        name, region, path,
+      )
+    }
+    AlertData::ContainerStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let to_state = fmt_docker_container_state(to);
+      format!(
+        "📦Deployment {} is now {}\nserver: {}\nprevious: {}\n{link}",
+        name, to_state, server_name, from,
+      )
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment {} has an update available\nserver: {}\nimage: {}\n{link}",
+        name, server_name, image,
+      )
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment {} was updated automatically\nserver: {}\nimage: {}\n{link}",
+        name, server_name, image,
+      )
+    }
+    AlertData::StackStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let to_state = fmt_stack_state(to);
+      format!(
+        "🥞 Stack {} is now {}\nserver: {}\nprevious: {}\n{link}",
+        name, to_state, server_name, from,
+      )
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      format!(
+        "⬆ Stack {} has an update available\nserver: {}\nservice: {}\nimage: {}\n{link}",
+        name, server_name, service, image,
+      )
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images_str = images.join(", ");
+      format!(
+        "⬆ Stack {} was updated automatically ⏫\nserver: {}\n{}: {}\n{link}",
+        name, server_name, images_label, images_str,
+      )
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      format!(
+        "{level} | Failed to terminate AWS builder instance\ninstance id: {}\n{}",
+        instance_id, message,
+      )
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let link =
+        resource_link(ResourceTargetVariant::ResourceSync, id);
+      format!(
+        "{level} | Pending resource sync updates on {}\n{link}",
+        name,
+      )
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let link = resource_link(ResourceTargetVariant::Build, id);
+      format!(
+        "{level} | Build {} failed\nversion: v{}\n{link}",
+        name, version,
+      )
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Repo, id);
+      format!("{level} | Repo build for {} failed\n{link}", name,)
+    }
+    AlertData::None {} => Default::default(),
+  };
+
+  if !content.is_empty() {
+    send_message(url, content).await?;
+  }
+  Ok(())
+}
+
+async fn send_message(
+  url: &str,
+  content: String,
+) -> anyhow::Result<()> {
+  let response = http_client()
+    .post(url)
+    .header("Title", "ntfy Alert")
+    .body(content)
+    .send()
+    .await
+    .context("Failed to send message")?;
+
+  let status = response.status();
+  if status.is_success() {
+    debug!("ntfy alert sent successfully: {}", status);
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!(
+        "Failed to send message to ntfy | {} | failed to get response text",
+        status
+      )
+    })?;
+    Err(anyhow!(
+      "Failed to send message to ntfy | {} | {}",
+      status,
+      text
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}

bin/core/src/alert/slack.rs

@@ -0,0 +1,428 @@
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let level = fmt_level(alert.level);
+  let (text, blocks): (_, Option<_>) = match &alert.data {
+    AlertData::Test { id, name } => {
+      let text = format!(
+        "{level} | If you see this message, then Alerter *{name}* is *working*"
+      );
+      let blocks = vec![
+        Block::header(level),
+        Block::section(format!(
+          "If you see this message, then Alerter *{name}* is *working*"
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Alerter,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text =
+            format!("{level} | *{name}*{region} is now *reachable*");
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} is now *reachable*"
+            )),
+          ];
+          (text, blocks.into())
+        }
+        SeverityLevel::Critical => {
+          let text =
+            format!("{level} | *{name}*{region} is *unreachable* ❌");
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e:#?}"))
+            .unwrap_or_default();
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} is *unreachable* ❌{err}"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text = format!(
+            "{level} | *{name}*{region} cpu usage at *{percentage:.1}%*"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} cpu usage at *{percentage:.1}%*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => {
+          let text = format!(
+            "{level} | *{name}*{region} cpu usage at *{percentage:.1}%* 📈"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} cpu usage at *{percentage:.1}%* 📈"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+      }
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let percentage = 100.0 * used_gb / total_gb;
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text = format!(
+            "{level} | *{name}*{region} memory usage at *{percentage:.1}%* 💾"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} memory usage at *{percentage:.1}%* 💾"
+            )),
+            Block::section(format!(
+              "using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => {
+          let text = format!(
+            "{level} | *{name}*{region} memory usage at *{percentage:.1}%* 💾"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} memory usage at *{percentage:.1}%* 💾"
+            )),
+            Block::section(format!(
+              "using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+      }
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let percentage = 100.0 * used_gb / total_gb;
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text = format!(
+            "{level} | *{name}*{region} disk usage at *{percentage:.1}%* | mount point: *{path:?}* 💿"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} disk usage at *{percentage:.1}%* 💿"
+            )),
+            Block::section(format!(
+              "mount point: {path:?} | using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => {
+          let text = format!(
+            "{level} | *{name}*{region} disk usage at *{percentage:.1}%* | mount point: *{path:?}* 💿"
+          );
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "*{name}*{region} disk usage at *{percentage:.1}%* 💿"
+            )),
+            Block::section(format!(
+              "mount point: {path:?} | using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+      }
+    }
+    AlertData::ContainerStateChange {
+      name,
+      server_name,
+      from,
+      to,
+      id,
+      ..
+    } => {
+      let to = fmt_docker_container_state(to);
+      let text = format!("📦 Container *{name}* is now *{to}*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: {server_name}\nprevious: {from}",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      image,
+    } => {
+      let text =
+        format!("⬆ Deployment *{name}* has an update available");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nimage: *{image}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      image,
+    } => {
+      let text =
+        format!("⬆ Deployment *{name}* was updated automatically ⏫");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nimage: *{image}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::StackStateChange {
+      name,
+      server_name,
+      from,
+      to,
+      id,
+      ..
+    } => {
+      let to = fmt_stack_state(to);
+      let text = format!("🥞 Stack *{name}* is now *{to}*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nprevious: *{from}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      service,
+      image,
+    } => {
+      let text = format!("⬆ Stack *{name}* has an update available");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nservice: *{service}*\nimage: *{image}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      images,
+    } => {
+      let text =
+        format!("⬆ Stack *{name}* was updated automatically ⏫");
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images = images.join(", ");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\n{images_label}: *{images}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      let text = format!(
+        "{level} | Failed to terminated AWS builder instance "
+      );
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "instance id: *{instance_id}*\n{message}"
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let text = format!(
+        "{level} | Pending resource sync updates on *{name}*"
+      );
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "sync id: *{id}*\nsync name: *{name}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::ResourceSync,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let text = format!("{level} | Build {name} has failed");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "build name: *{name}*\nversion: *v{version}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Build,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let text =
+        format!("{level} | Repo build for *{name}* has *failed*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!("repo name: *{name}*",)),
+        Block::section(resource_link(
+          ResourceTargetVariant::Repo,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::None {} => Default::default(),
+  };
+  if !text.is_empty() {
+    let vars_and_secrets = get_variables_and_secrets().await?;
+    let mut global_replacers = HashSet::new();
+    let mut secret_replacers = HashSet::new();
+    let mut url_interpolated = url.to_string();
+
+    // interpolate variables and secrets into the url
+    interpolate_variables_secrets_into_string(
+      &vars_and_secrets,
+      &mut url_interpolated,
+      &mut global_replacers,
+      &mut secret_replacers,
+    )?;
+    
+    let slack = ::slack::Client::new(url_interpolated);
+    slack.send_message(text, blocks).await.map_err(|e| {
+      let replacers =
+        secret_replacers.into_iter().collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with slack request: {}",
+        sanitized_error
+      ))
+    })?;
+  }
+  Ok(())
+}

bin/core/src/api/auth.rs

@@ -1,10 +1,10 @@
 use std::{sync::OnceLock, time::Instant};
 
-use anyhow::anyhow;
-use axum::{http::HeaderMap, routing::post, Router};
-use axum_extra::{headers::ContentType, TypedHeader};
-use monitor_client::{api::auth::*, entities::user::User};
-use resolver_api::{derive::Resolver, Resolve, Resolver};
+use axum::{Router, http::HeaderMap, routing::post};
+use derive_variants::{EnumVariants, ExtractVariant};
+use komodo_client::{api::auth::*, entities::user::User};
+use resolver_api::Resolve;
+use response::Response;
 use serde::{Deserialize, Serialize};
 use serror::Json;
 use typeshare::typeshare;
@@ -15,16 +15,25 @@ use crate::{
     get_user_id_from_headers,
     github::{self, client::github_oauth_client},
     google::{self, client::google_oauth_client},
+    oidc,
   },
   config::core_config,
   helpers::query::get_user,
-  state::{jwt_client, State},
+  state::jwt_client,
 };
 
+pub struct AuthArgs {
+  pub headers: HeaderMap,
+}
+
 #[typeshare]
-#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
-#[resolver_target(State)]
-#[resolver_args(HeaderMap)]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+)]
+#[args(AuthArgs)]
+#[response(Response)]
+#[error(serror::Error)]
+#[variant_derive(Debug)]
 #[serde(tag = "type", content = "params")]
 #[allow(clippy::enum_variant_names, clippy::large_enum_variant)]
 pub enum AuthRequest {
@@ -38,14 +47,25 @@ pub enum AuthRequest {
 pub fn router() -> Router {
   let mut router = Router::new().route("/", post(handler));
 
+  if core_config().local_auth {
+    info!("🔑 Local Login Enabled");
+  }
+
   if github_oauth_client().is_some() {
+    info!("🔑 Github Login Enabled");
     router = router.nest("/github", github::router())
   }
 
   if google_oauth_client().is_some() {
+    info!("🔑 Github Login Enabled");
     router = router.nest("/google", google::router())
   }
 
+  if core_config().oidc_enabled {
+    info!("🔑 OIDC Login Enabled");
+    router = router.nest("/oidc", oidc::router())
+  }
+
   router
 }
 
@@ -53,24 +73,20 @@ pub fn router() -> Router {
 async fn handler(
   headers: HeaderMap,
   Json(request): Json<AuthRequest>,
-) -> serror::Result<(TypedHeader<ContentType>, String)> {
+) -> serror::Result<axum::response::Response> {
   let timer = Instant::now();
   let req_id = Uuid::new_v4();
-  debug!("/auth request {req_id} | METHOD: {}", request.req_type());
-  let res = State.resolve_request(request, headers).await.map_err(
-    |e| match e {
-      resolver_api::Error::Serialization(e) => {
-        anyhow!("{e:?}").context("response serialization error")
-      }
-      resolver_api::Error::Inner(e) => e,
-    },
+  debug!(
+    "/auth request {req_id} | METHOD: {:?}",
+    request.extract_variant()
   );
+  let res = request.resolve(&AuthArgs { headers }).await;
   if let Err(e) = &res {
-    debug!("/auth request {req_id} | error: {e:#}");
+    debug!("/auth request {req_id} | error: {:#}", e.error);
   }
   let elapsed = timer.elapsed();
   debug!("/auth request {req_id} | resolve time: {elapsed:?}");
-  Ok((TypedHeader(ContentType::json()), res?))
+  res.map(|res| res.0)
 }
 
 fn login_options_reponse() -> &'static GetLoginOptionsResponse {
@@ -87,42 +103,42 @@ fn login_options_reponse() -> &'static GetLoginOptionsResponse {
       google: config.google_oauth.enabled
         && !config.google_oauth.id.is_empty()
         && !config.google_oauth.secret.is_empty(),
+      oidc: config.oidc_enabled
+        && !config.oidc_provider.is_empty()
+        && !config.oidc_client_id.is_empty(),
+      registration_disabled: config.disable_user_registration,
     }
   })
 }
 
-impl Resolve<GetLoginOptions, HeaderMap> for State {
+impl Resolve<AuthArgs> for GetLoginOptions {
   #[instrument(name = "GetLoginOptions", level = "debug", skip(self))]
   async fn resolve(
-    &self,
-    _: GetLoginOptions,
-    _: HeaderMap,
-  ) -> anyhow::Result<GetLoginOptionsResponse> {
+    self,
+    _: &AuthArgs,
+  ) -> serror::Result<GetLoginOptionsResponse> {
     Ok(*login_options_reponse())
   }
 }
 
-impl Resolve<ExchangeForJwt, HeaderMap> for State {
+impl Resolve<AuthArgs> for ExchangeForJwt {
   #[instrument(name = "ExchangeForJwt", level = "debug", skip(self))]
   async fn resolve(
-    &self,
-    ExchangeForJwt { token }: ExchangeForJwt,
-    _: HeaderMap,
-  ) -> anyhow::Result<ExchangeForJwtResponse> {
-    let jwt = jwt_client().redeem_exchange_token(&token).await?;
-    let res = ExchangeForJwtResponse { jwt };
-    Ok(res)
+    self,
+    _: &AuthArgs,
+  ) -> serror::Result<ExchangeForJwtResponse> {
+    let jwt = jwt_client().redeem_exchange_token(&self.token).await?;
+    Ok(ExchangeForJwtResponse { jwt })
   }
 }
 
-impl Resolve<GetUser, HeaderMap> for State {
+impl Resolve<AuthArgs> for GetUser {
   #[instrument(name = "GetUser", level = "debug", skip(self))]
   async fn resolve(
-    &self,
-    GetUser {}: GetUser,
-    headers: HeaderMap,
-  ) -> anyhow::Result<User> {
-    let user_id = get_user_id_from_headers(&headers).await?;
-    get_user(&user_id).await
+    self,
+    AuthArgs { headers }: &AuthArgs,
+  ) -> serror::Result<User> {
+    let user_id = get_user_id_from_headers(headers).await?;
+    Ok(get_user(&user_id).await?)
   }
 }

bin/core/src/api/execute/action.rs

@@ -0,0 +1,344 @@
+use std::{
+  collections::HashSet,
+  path::{Path, PathBuf},
+  str::FromStr,
+  sync::OnceLock,
+};
+
+use anyhow::Context;
+use command::run_komodo_command;
+use komodo_client::{
+  api::{
+    execute::{BatchExecutionResponse, BatchRunAction, RunAction},
+    user::{CreateApiKey, CreateApiKeyResponse, DeleteApiKey},
+  },
+  entities::{
+    action::Action, config::core::CoreConfig,
+    permission::PermissionLevel, update::Update, user::action_user,
+  },
+};
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
+use resolver_api::Resolve;
+use tokio::fs;
+
+use crate::{
+  api::{execute::ExecuteRequest, user::UserArgs},
+  config::core_config,
+  helpers::{
+    interpolate::{
+      add_interp_update_log,
+      interpolate_variables_secrets_into_string,
+    },
+    query::get_variables_and_secrets,
+    random_string,
+    update::update_update,
+  },
+  resource::{self, refresh_action_state_cache},
+  state::{action_states, db_client},
+};
+
+use super::ExecuteArgs;
+
+impl super::BatchExecute for BatchRunAction {
+  type Resource = Action;
+  fn single_request(action: String) -> ExecuteRequest {
+    ExecuteRequest::RunAction(RunAction { action })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchRunAction {
+  #[instrument(name = "BatchRunAction", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchRunAction>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for RunAction {
+  #[instrument(name = "RunAction", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let mut action = resource::get_check_permissions::<Action>(
+      &self.action,
+      user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the action (or insert default).
+    let action_state = action_states()
+      .action
+      .get_or_insert_default(&action.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure action not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.running = true)?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let CreateApiKeyResponse { key, secret } = CreateApiKey {
+      name: update.id.clone(),
+      expires: 0,
+    }
+    .resolve(&UserArgs {
+      user: action_user().to_owned(),
+    })
+    .await?;
+
+    let contents = &mut action.config.file_contents;
+
+    // Wrap the file contents in the execution context.
+    *contents = full_contents(contents, &key, &secret);
+
+    let replacers =
+      interpolate(contents, &mut update, key.clone(), secret.clone())
+        .await?
+        .into_iter()
+        .collect::<Vec<_>>();
+
+    let file = format!("{}.ts", random_string(10));
+    let path = core_config().action_directory.join(&file);
+
+    if let Some(parent) = path.parent() {
+      fs::create_dir_all(parent)
+        .await
+        .with_context(|| format!("Failed to initialize Action file parent directory {parent:?}"))?;
+    }
+
+    fs::write(&path, contents).await.with_context(|| {
+      format!("Failed to write action file to {path:?}")
+    })?;
+
+    let CoreConfig { ssl_enabled, .. } = core_config();
+
+    let https_cert_flag = if *ssl_enabled {
+      " --unsafely-ignore-certificate-errors=localhost"
+    } else {
+      ""
+    };
+
+    let mut res = run_komodo_command(
+      // Keep this stage name as is, the UI will find the latest update log by matching the stage name
+      "Execute Action",
+      None,
+      format!(
+        "deno run --allow-all{https_cert_flag} {}",
+        path.display()
+      ),
+    )
+    .await;
+
+    res.stdout = svi::replace_in_string(&res.stdout, &replacers)
+      .replace(&key, "<ACTION_API_KEY>");
+    res.stderr = svi::replace_in_string(&res.stderr, &replacers)
+      .replace(&secret, "<ACTION_API_SECRET>");
+
+    cleanup_run(file + ".js", &path).await;
+
+    if let Err(e) = (DeleteApiKey { key })
+      .resolve(&UserArgs {
+        user: action_user().to_owned(),
+      })
+      .await
+    {
+      warn!(
+        "Failed to delete API key after action execution | {:#}",
+        e.error
+      );
+    };
+
+    update.logs.push(res);
+    update.finalize();
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with update_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db_client().updates,
+        &update.id,
+        mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_action_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+async fn interpolate(
+  contents: &mut String,
+  update: &mut Update,
+  key: String,
+  secret: String,
+) -> serror::Result<HashSet<(String, String)>> {
+  let mut vars_and_secrets = get_variables_and_secrets().await?;
+
+  vars_and_secrets
+    .secrets
+    .insert(String::from("ACTION_API_KEY"), key);
+  vars_and_secrets
+    .secrets
+    .insert(String::from("ACTION_API_SECRET"), secret);
+
+  let mut global_replacers = HashSet::new();
+  let mut secret_replacers = HashSet::new();
+
+  interpolate_variables_secrets_into_string(
+    &vars_and_secrets,
+    contents,
+    &mut global_replacers,
+    &mut secret_replacers,
+  )?;
+
+  add_interp_update_log(update, &global_replacers, &secret_replacers);
+
+  Ok(secret_replacers)
+}
+
+fn full_contents(contents: &str, key: &str, secret: &str) -> String {
+  let CoreConfig {
+    port, ssl_enabled, ..
+  } = core_config();
+  let protocol = if *ssl_enabled { "https" } else { "http" };
+  let base_url = format!("{protocol}://localhost:{port}");
+  format!(
+    "import {{ KomodoClient }} from '{base_url}/client/lib.js';
+import * as __YAML__ from 'jsr:@std/yaml';
+import * as __TOML__ from 'jsr:@std/toml';
+
+const YAML = {{
+  stringify: __YAML__.stringify,
+  parse: __YAML__.parse,
+  parseAll: __YAML__.parseAll,
+  parseDockerCompose: __YAML__.parse,
+}}
+
+const TOML = {{
+  stringify: __TOML__.stringify,
+  parse: __TOML__.parse,
+  parseResourceToml: __TOML__.parse,
+  parseCargoToml: __TOML__.parse,
+}}
+
+const komodo = KomodoClient('{base_url}', {{
+  type: 'api-key',
+  params: {{ key: '{key}', secret: '{secret}' }}
+}});
+
+async function main() {{
+{contents}
+
+console.log('🦎 Action completed successfully 🦎');
+}}
+
+main()
+.catch(error => {{
+  console.error('🚨 Action exited early with errors 🚨')
+  if (error.status !== undefined && error.result !== undefined) {{
+    console.error('Status:', error.status);
+    console.error(JSON.stringify(error.result, null, 2));
+  }} else {{
+    console.error(JSON.stringify(error, null, 2));
+  }}
+  Deno.exit(1)
+}});"
+  )
+}
+
+/// Cleans up file at given path.
+/// ALSO if $DENO_DIR is set,
+/// will clean up the generated file matching "file"
+async fn cleanup_run(file: String, path: &Path) {
+  if let Err(e) = fs::remove_file(path).await {
+    warn!(
+      "Failed to delete action file after action execution | {e:#}"
+    );
+  }
+  // If $DENO_DIR is set (will be in container),
+  // will clean up the generated file matching "file" (NOT under path)
+  let Some(deno_dir) = deno_dir() else {
+    return;
+  };
+  delete_file(deno_dir.join("gen/file"), file).await;
+}
+
+fn deno_dir() -> Option<&'static Path> {
+  static DENO_DIR: OnceLock<Option<PathBuf>> = OnceLock::new();
+  DENO_DIR
+    .get_or_init(|| {
+      let deno_dir = std::env::var("DENO_DIR").ok()?;
+      PathBuf::from_str(&deno_dir).ok()
+    })
+    .as_deref()
+}
+
+/// file is just the terminating file path,
+/// it may be nested multiple folder under path,
+/// this will find the nested file and delete it.
+/// Assumes the file is only there once.
+fn delete_file(
+  dir: PathBuf,
+  file: String,
+) -> std::pin::Pin<Box<dyn std::future::Future<Output = bool> + Send>>
+{
+  Box::pin(async move {
+    let Ok(mut dir) = fs::read_dir(dir).await else {
+      return false;
+    };
+    // Collect the nested folders for recursing
+    // only after checking all the files in directory.
+    let mut folders = Vec::<PathBuf>::new();
+
+    while let Ok(Some(entry)) = dir.next_entry().await {
+      let Ok(meta) = entry.metadata().await else {
+        continue;
+      };
+      if meta.is_file() {
+        let Ok(name) = entry.file_name().into_string() else {
+          continue;
+        };
+        if name == file {
+          if let Err(e) = fs::remove_file(entry.path()).await {
+            warn!(
+              "Failed to clean up generated file after action execution | {e:#}"
+            );
+          };
+          return true;
+        }
+      } else {
+        folders.push(entry.path());
+      }
+    }
+
+    if folders.len() == 1 {
+      // unwrap ok, folders definitely is not empty
+      let folder = folders.pop().unwrap();
+      delete_file(folder, file).await
+    } else {
+      // Check folders with file.clone
+      for folder in folders {
+        if delete_file(folder, file.clone()).await {
+          return true;
+        }
+      }
+      false
+    }
+  })
+}

bin/core/src/api/execute/alerter.rs

@@ -0,0 +1,73 @@
+use formatting::format_serror;
+use komodo_client::{
+  api::execute::TestAlerter,
+  entities::{
+    alert::{Alert, AlertData, SeverityLevel},
+    alerter::Alerter,
+    komodo_timestamp,
+    permission::PermissionLevel,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  alert::send_alert_to_alerter, helpers::update::update_update,
+  resource::get_check_permissions,
+};
+
+use super::ExecuteArgs;
+
+impl Resolve<ExecuteArgs> for TestAlerter {
+  #[instrument(name = "TestAlerter", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let alerter = get_check_permissions::<Alerter>(
+      &self.alerter,
+      user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    let mut update = update.clone();
+
+    if !alerter.config.enabled {
+      update.push_error_log(
+        "Test Alerter",
+        String::from(
+          "Alerter is disabled. Enable the Alerter to send alerts.",
+        ),
+      );
+      update.finalize();
+      update_update(update.clone()).await?;
+      return Ok(update);
+    }
+
+    let ts = komodo_timestamp();
+
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      level: SeverityLevel::Ok,
+      target: update.target.clone(),
+      data: AlertData::Test {
+        id: alerter.id.clone(),
+        name: alerter.name.clone(),
+      },
+      resolved_ts: Some(ts),
+    };
+
+    if let Err(e) = send_alert_to_alerter(&alerter, &alert).await {
+      update.push_error_log("Test Alerter", format_serror(&e.into()));
+    } else {
+      update.push_simple_log("Test Alerter", String::from("Alert sent successfully. It should be visible at your alerting destination."));
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/mod.rs

@@ -1,55 +1,143 @@
-use std::time::Instant;
+use std::{pin::Pin, time::Instant};
 
-use anyhow::{anyhow, Context};
-use axum::{middleware, routing::post, Extension, Router};
-use axum_extra::{headers::ContentType, TypedHeader};
-use monitor_client::{api::execute::*, entities::user::User};
-use resolver_api::{derive::Resolver, Resolver};
+use anyhow::Context;
+use axum::{Extension, Router, middleware, routing::post};
+use axum_extra::{TypedHeader, headers::ContentType};
+use derive_variants::{EnumVariants, ExtractVariant};
+use formatting::format_serror;
+use futures::future::join_all;
+use komodo_client::{
+  api::execute::*,
+  entities::{
+    Operation,
+    update::{Log, Update},
+    user::User,
+  },
+};
+use mungos::by_id::find_one_by_id;
+use resolver_api::Resolve;
+use response::JsonString;
 use serde::{Deserialize, Serialize};
 use serror::Json;
 use typeshare::typeshare;
 use uuid::Uuid;
 
-use crate::{auth::auth_request, state::State};
+use crate::{
+  auth::auth_request,
+  helpers::update::{init_execution_update, update_update},
+  resource::{KomodoResource, list_full_for_user_using_pattern},
+  state::db_client,
+};
 
+mod action;
+mod alerter;
 mod build;
 mod deployment;
 mod procedure;
 mod repo;
 mod server;
 mod server_template;
+mod stack;
+mod sync;
+
+pub use {
+  deployment::pull_deployment_inner, stack::pull_stack_inner,
+};
+
+pub struct ExecuteArgs {
+  pub user: User,
+  pub update: Update,
+}
 
 #[typeshare]
-#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
-#[resolver_target(State)]
-#[resolver_args(User)]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+)]
+#[variant_derive(Debug)]
+#[args(ExecuteArgs)]
+#[response(JsonString)]
+#[error(serror::Error)]
 #[serde(tag = "type", content = "params")]
-enum ExecuteRequest {
+pub enum ExecuteRequest {
   // ==== SERVER ====
-  PruneContainers(PruneDockerContainers),
-  PruneImages(PruneDockerImages),
-  PruneNetworks(PruneDockerNetworks),
+  StartContainer(StartContainer),
+  RestartContainer(RestartContainer),
+  PauseContainer(PauseContainer),
+  UnpauseContainer(UnpauseContainer),
+  StopContainer(StopContainer),
+  DestroyContainer(DestroyContainer),
+  StartAllContainers(StartAllContainers),
+  RestartAllContainers(RestartAllContainers),
+  PauseAllContainers(PauseAllContainers),
+  UnpauseAllContainers(UnpauseAllContainers),
+  StopAllContainers(StopAllContainers),
+  PruneContainers(PruneContainers),
+  DeleteNetwork(DeleteNetwork),
+  PruneNetworks(PruneNetworks),
+  DeleteImage(DeleteImage),
+  PruneImages(PruneImages),
+  DeleteVolume(DeleteVolume),
+  PruneVolumes(PruneVolumes),
+  PruneDockerBuilders(PruneDockerBuilders),
+  PruneBuildx(PruneBuildx),
+  PruneSystem(PruneSystem),
 
   // ==== DEPLOYMENT ====
   Deploy(Deploy),
-  StartContainer(StartContainer),
-  StopContainer(StopContainer),
-  StopAllContainers(StopAllContainers),
-  RemoveContainer(RemoveContainer),
+  BatchDeploy(BatchDeploy),
+  PullDeployment(PullDeployment),
+  StartDeployment(StartDeployment),
+  RestartDeployment(RestartDeployment),
+  PauseDeployment(PauseDeployment),
+  UnpauseDeployment(UnpauseDeployment),
+  StopDeployment(StopDeployment),
+  DestroyDeployment(DestroyDeployment),
+  BatchDestroyDeployment(BatchDestroyDeployment),
+
+  // ==== STACK ====
+  DeployStack(DeployStack),
+  BatchDeployStack(BatchDeployStack),
+  DeployStackIfChanged(DeployStackIfChanged),
+  BatchDeployStackIfChanged(BatchDeployStackIfChanged),
+  PullStack(PullStack),
+  StartStack(StartStack),
+  RestartStack(RestartStack),
+  StopStack(StopStack),
+  PauseStack(PauseStack),
+  UnpauseStack(UnpauseStack),
+  DestroyStack(DestroyStack),
+  BatchDestroyStack(BatchDestroyStack),
 
   // ==== BUILD ====
   RunBuild(RunBuild),
+  BatchRunBuild(BatchRunBuild),
   CancelBuild(CancelBuild),
 
   // ==== REPO ====
   CloneRepo(CloneRepo),
+  BatchCloneRepo(BatchCloneRepo),
   PullRepo(PullRepo),
+  BatchPullRepo(BatchPullRepo),
+  BuildRepo(BuildRepo),
+  BatchBuildRepo(BatchBuildRepo),
+  CancelRepoBuild(CancelRepoBuild),
 
   // ==== PROCEDURE ====
   RunProcedure(RunProcedure),
+  BatchRunProcedure(BatchRunProcedure),
+
+  // ==== ACTION ====
+  RunAction(RunAction),
+  BatchRunAction(BatchRunAction),
 
   // ==== SERVER TEMPLATE ====
   LaunchServer(LaunchServer),
+
+  // ==== ALERTER ====
+  TestAlerter(TestAlerter),
+
+  // ==== SYNC ====
+  RunSync(RunSync),
 }
 
 pub fn router() -> Router {
@@ -62,48 +150,159 @@ async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<ExecuteRequest>,
 ) -> serror::Result<(TypedHeader<ContentType>, String)> {
-  let req_id = Uuid::new_v4();
-
-  let res = tokio::spawn(task(req_id, request, user))
-    .await
-    .context("failure in spawned execute task");
-
-  if let Err(e) = &res {
-    warn!("/execute request {req_id} spawn error: {e:#}",);
-  }
-
-  Ok((TypedHeader(ContentType::json()), res??))
+  let res = match inner_handler(request, user).await? {
+    ExecutionResult::Single(update) => serde_json::to_string(&update)
+      .context("Failed to serialize Update")?,
+    ExecutionResult::Batch(res) => res,
+  };
+  Ok((TypedHeader(ContentType::json()), res))
 }
 
-#[instrument(name = "ExecuteRequest", skip(user))]
+pub enum ExecutionResult {
+  Single(Update),
+  /// The batch contents will be pre serialized here
+  Batch(String),
+}
+
+pub fn inner_handler(
+  request: ExecuteRequest,
+  user: User,
+) -> Pin<
+  Box<
+    dyn std::future::Future<Output = anyhow::Result<ExecutionResult>>
+      + Send,
+  >,
+> {
+  Box::pin(async move {
+    let req_id = Uuid::new_v4();
+
+    // need to validate no cancel is active before any update is created.
+    build::validate_cancel_build(&request).await?;
+
+    let update = init_execution_update(&request, &user).await?;
+
+    // This will be the case for the Batch exections,
+    // they don't have their own updates.
+    // The batch calls also call "inner_handler" themselves,
+    // and in their case will spawn tasks, so that isn't necessary
+    // here either.
+    if update.operation == Operation::None {
+      return Ok(ExecutionResult::Batch(
+        task(req_id, request, user, update).await?,
+      ));
+    }
+
+    let handle =
+      tokio::spawn(task(req_id, request, user, update.clone()));
+
+    tokio::spawn({
+      let update_id = update.id.clone();
+      async move {
+        let log = match handle.await {
+          Ok(Err(e)) => {
+            warn!("/execute request {req_id} task error: {e:#}",);
+            Log::error("task error", format_serror(&e.into()))
+          }
+          Err(e) => {
+            warn!("/execute request {req_id} spawn error: {e:?}",);
+            Log::error("spawn error", format!("{e:#?}"))
+          }
+          _ => return,
+        };
+        let res = async {
+          let mut update =
+            find_one_by_id(&db_client().updates, &update_id)
+              .await
+              .context("failed to query to db")?
+              .context("no update exists with given id")?;
+          update.logs.push(log);
+          update.finalize();
+          update_update(update).await
+        }
+        .await;
+
+        if let Err(e) = res {
+          warn!(
+            "failed to update update with task error log | {e:#}"
+          );
+        }
+      }
+    });
+
+    Ok(ExecutionResult::Single(update))
+  })
+}
+
+#[instrument(
+  name = "ExecuteRequest",
+  skip(user, update),
+  fields(
+    user_id = user.id,
+    update_id = update.id,
+    request = format!("{:?}", request.extract_variant()))
+  )
+]
 async fn task(
   req_id: Uuid,
   request: ExecuteRequest,
   user: User,
+  update: Update,
 ) -> anyhow::Result<String> {
-  info!(
-    "/execute request {req_id} | user: {} ({})",
-    user.username, user.id
-  );
+  info!("/execute request {req_id} | user: {}", user.username);
   let timer = Instant::now();
 
-  let res =
-    State
-      .resolve_request(request, user)
-      .await
-      .map_err(|e| match e {
-        resolver_api::Error::Serialization(e) => {
-          anyhow!("{e:?}").context("response serialization error")
-        }
-        resolver_api::Error::Inner(e) => e,
-      });
+  let res = match request.resolve(&ExecuteArgs { user, update }).await
+  {
+    Err(e) => Err(e.error),
+    Ok(JsonString::Err(e)) => Err(
+      anyhow::Error::from(e).context("failed to serialize response"),
+    ),
+    Ok(JsonString::Ok(res)) => Ok(res),
+  };
 
   if let Err(e) = &res {
     warn!("/execute request {req_id} error: {e:#}");
   }
 
   let elapsed = timer.elapsed();
-  info!("/execute request {req_id} | resolve time: {elapsed:?}");
+  debug!("/execute request {req_id} | resolve time: {elapsed:?}");
 
   res
 }
+
+trait BatchExecute {
+  type Resource: KomodoResource;
+  fn single_request(name: String) -> ExecuteRequest;
+}
+
+async fn batch_execute<E: BatchExecute>(
+  pattern: &str,
+  user: &User,
+) -> anyhow::Result<BatchExecutionResponse> {
+  let resources = list_full_for_user_using_pattern::<E::Resource>(
+    pattern,
+    Default::default(),
+    user,
+    &[],
+  )
+  .await?;
+  let futures = resources.into_iter().map(|resource| {
+    let user = user.clone();
+    async move {
+      inner_handler(E::single_request(resource.name.clone()), user)
+        .await
+        .map(|r| {
+          let ExecutionResult::Single(update) = r else {
+            unreachable!()
+          };
+          update
+        })
+        .map_err(|e| BatchExecutionResponseItemErr {
+          name: resource.name,
+          error: e.into(),
+        })
+        .into()
+    }
+  });
+  Ok(join_all(futures).await)
+}

bin/core/src/api/execute/procedure.rs

@@ -1,40 +1,64 @@
 use std::pin::Pin;
 
-use monitor_client::{
-  api::execute::RunProcedure,
+use formatting::{Color, bold, colored, format_serror, muted};
+use komodo_client::{
+  api::execute::{
+    BatchExecutionResponse, BatchRunProcedure, RunProcedure,
+  },
   entities::{
     permission::PermissionLevel, procedure::Procedure,
-    update::Update, user::User, Operation,
+    update::Update, user::User,
   },
 };
 use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
 use resolver_api::Resolve;
-use serror::serialize_error_pretty;
 use tokio::sync::Mutex;
 
 use crate::{
-  helpers::{
-    procedure::execute_procedure,
-    update::{add_update, make_update, update_update},
-  },
+  helpers::{procedure::execute_procedure, update::update_update},
   resource::{self, refresh_procedure_state_cache},
-  state::{action_states, db_client, State},
+  state::{action_states, db_client},
 };
 
-impl Resolve<RunProcedure, User> for State {
-  #[instrument(name = "RunProcedure", skip(self, user))]
+use super::{ExecuteArgs, ExecuteRequest};
+
+impl super::BatchExecute for BatchRunProcedure {
+  type Resource = Procedure;
+  fn single_request(procedure: String) -> ExecuteRequest {
+    ExecuteRequest::RunProcedure(RunProcedure { procedure })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchRunProcedure {
+  #[instrument(name = "BatchRunProcedure", skip(user), fields(user_id = user.id))]
   async fn resolve(
-    &self,
-    RunProcedure { procedure }: RunProcedure,
-    user: User,
-  ) -> anyhow::Result<Update> {
-    resolve_inner(procedure, user).await
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchRunProcedure>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for RunProcedure {
+  #[instrument(name = "RunProcedure", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    Ok(
+      resolve_inner(self.procedure, user.clone(), update.clone())
+        .await?,
+    )
   }
 }
 
 fn resolve_inner(
   procedure: String,
   user: User,
+  mut update: Update,
 ) -> Pin<
   Box<
     dyn std::future::Future<Output = anyhow::Result<Update>> + Send,
@@ -48,6 +72,18 @@ fn resolve_inner(
     )
     .await?;
 
+    // Need to push the initial log, as execute_procedure
+    // assumes first log is already created
+    // and will panic otherwise.
+    update.push_simple_log(
+      "Execute procedure",
+      format!(
+        "{}: executing procedure '{}'",
+        muted("INFO"),
+        bold(&procedure.name)
+      ),
+    );
+
     // get the action state for the procedure (or insert default).
     let action_state = action_states()
       .procedure
@@ -59,15 +95,7 @@ fn resolve_inner(
     let _action_guard =
       action_state.update(|state| state.running = true)?;
 
-    let mut update =
-      make_update(&procedure, Operation::RunProcedure, &user);
-    update.in_progress();
-    update.push_simple_log(
-      "execute procedure",
-      format!("Executing procedure: {}", procedure.name),
-    );
-
-    update.id = add_update(update.clone()).await?;
+    update_update(update.clone()).await?;
 
     let update = Mutex::new(update);
 
@@ -78,14 +106,16 @@ fn resolve_inner(
     match res {
       Ok(_) => {
         update.push_simple_log(
-          "execution ok",
-          "the procedure has completed with no errors",
+          "Execution ok",
+          format!(
+            "{}: The procedure has {} with no errors",
+            muted("INFO"),
+            colored("completed", Color::Green)
+          ),
         );
       }
-      Err(e) => update.push_error_log(
-        "execution error",
-        serialize_error_pretty(&e),
-      ),
+      Err(e) => update
+        .push_error_log("execution error", format_serror(&e.into())),
     }
 
     update.finalize();
@@ -96,7 +126,7 @@ fn resolve_inner(
     // but will fail to update cache in that case.
     if let Ok(update_doc) = to_document(&update) {
       let _ = update_one_by_id(
-        &db_client().await.updates,
+        &db_client().updates,
         &update.id,
         mungos::update::Update::Set(update_doc),
         None,

bin/core/src/api/execute/repo.rs

@@ -1,44 +1,81 @@
-use anyhow::anyhow;
-use monitor_client::{
-  api::execute::*,
+use std::{collections::HashSet, future::IntoFuture, time::Duration};
+
+use anyhow::{Context, anyhow};
+use formatting::format_serror;
+use komodo_client::{
+  api::{execute::*, write::RefreshRepoCache},
   entities::{
-    monitor_timestamp, optional_string,
+    alert::{Alert, AlertData, SeverityLevel},
+    builder::{Builder, BuilderConfig},
+    komodo_timestamp,
     permission::PermissionLevel,
     repo::Repo,
     server::Server,
-    update::{Log, ResourceTarget, Update, UpdateStatus},
-    user::User,
-    Operation,
+    update::{Log, Update},
   },
 };
 use mungos::{
   by_id::update_one_by_id,
-  mongodb::bson::{doc, to_document},
+  mongodb::{
+    bson::{doc, to_document},
+    options::FindOneOptions,
+  },
 };
 use periphery_client::api;
 use resolver_api::Resolve;
-use serror::serialize_error_pretty;
+use tokio_util::sync::CancellationToken;
 
 use crate::{
-  config::core_config,
+  alert::send_alerts,
+  api::write::WriteArgs,
   helpers::{
+    builder::{cleanup_builder_instance, get_builder_periphery},
+    channel::repo_cancel_channel,
+    git_token,
+    interpolate::{
+      add_interp_update_log,
+      interpolate_variables_secrets_into_string,
+      interpolate_variables_secrets_into_system_command,
+    },
     periphery_client,
-    update::{add_update, update_update},
+    query::get_variables_and_secrets,
+    update::update_update,
   },
   resource::{self, refresh_repo_state_cache},
-  state::{action_states, db_client, State},
+  state::{action_states, db_client},
 };
 
-impl Resolve<CloneRepo, User> for State {
-  #[instrument(name = "CloneRepo", skip(self, user))]
+use super::{ExecuteArgs, ExecuteRequest};
+
+impl super::BatchExecute for BatchCloneRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchCloneRepo {
+  #[instrument(name = "BatchCloneRepo", skip( user), fields(user_id = user.id))]
   async fn resolve(
-    &self,
-    CloneRepo { repo }: CloneRepo,
-    user: User,
-  ) -> anyhow::Result<Update> {
-    let repo = resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchCloneRepo>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for CloneRepo {
+  #[instrument(name = "CloneRepo", skip( user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let mut repo = resource::get_check_permissions::<Repo>(
+      &self.repo,
+      user,
       PermissionLevel::Execute,
     )
     .await?;
@@ -52,44 +89,50 @@ impl Resolve<CloneRepo, User> for State {
     let _action_guard =
       action_state.update(|state| state.cloning = true)?;
 
+    let mut update = update.clone();
+    update_update(update.clone()).await?;
+
     if repo.config.server_id.is_empty() {
-      return Err(anyhow!("repo has no server attached"));
+      return Err(anyhow!("repo has no server attached").into());
     }
 
+    let git_token = git_token(
+      &repo.config.git_provider,
+      &repo.config.git_account,
+      |https| repo.config.git_https = https,
+    )
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", repo.config.git_provider, repo.config.git_account),
+    )?;
+
     let server =
       resource::get::<Server>(&repo.config.server_id).await?;
 
     let periphery = periphery_client(&server)?;
 
-    let start_ts = monitor_timestamp();
-
-    let mut update = Update {
-      operation: Operation::CloneRepo,
-      target: ResourceTarget::Repo(repo.id.clone()),
-      start_ts,
-      status: UpdateStatus::InProgress,
-      operator: user.id.clone(),
-      success: true,
-      ..Default::default()
-    };
-
-    update.id = add_update(update.clone()).await?;
-
-    let github_token = core_config()
-      .github_accounts
-      .get(&repo.config.github_account)
-      .cloned();
+    // interpolate variables / secrets, returning the sanitizing replacers to send to
+    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
+    let secret_replacers =
+      interpolate(&mut repo, &mut update).await?;
 
     let logs = match periphery
       .request(api::git::CloneRepo {
         args: (&repo).into(),
-        github_token,
+        git_token,
+        environment: repo.config.env_vars()?,
+        env_file_path: repo.config.env_file_path,
+        skip_secret_interp: repo.config.skip_secret_interp,
+        replacers: secret_replacers.into_iter().collect(),
       })
       .await
     {
-      Ok(logs) => logs,
+      Ok(res) => res.logs,
       Err(e) => {
-        vec![Log::error("clone repo", serialize_error_pretty(&e))]
+        vec![Log::error(
+          "clone repo",
+          format_serror(&e.context("failed to clone repo").into()),
+        )]
       }
     };
 
@@ -97,23 +140,54 @@ impl Resolve<CloneRepo, User> for State {
     update.finalize();
 
     if update.success {
-      update_last_pulled(&repo.name).await;
+      update_last_pulled_time(&repo.name).await;
     }
 
-    handle_update_return(update).await
+    if let Err(e) = (RefreshRepoCache { repo: repo.id })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+      .map_err(|e| e.error)
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
+    handle_server_update_return(update).await
   }
 }
 
-impl Resolve<PullRepo, User> for State {
-  #[instrument(name = "PullRepo", skip(self, user))]
+impl super::BatchExecute for BatchPullRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchPullRepo {
+  #[instrument(name = "BatchPullRepo", skip(user), fields(user_id = user.id))]
   async fn resolve(
-    &self,
-    PullRepo { repo }: PullRepo,
-    user: User,
-  ) -> anyhow::Result<Update> {
-    let repo = resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchPullRepo>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for PullRepo {
+  #[instrument(name = "PullRepo", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let mut repo = resource::get_check_permissions::<Repo>(
+      &self.repo,
+      user,
       PermissionLevel::Execute,
     )
     .await?;
@@ -127,41 +201,54 @@ impl Resolve<PullRepo, User> for State {
     let _action_guard =
       action_state.update(|state| state.pulling = true)?;
 
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
     if repo.config.server_id.is_empty() {
-      return Err(anyhow!("repo has no server attached"));
+      return Err(anyhow!("repo has no server attached").into());
     }
 
+    let git_token = git_token(
+      &repo.config.git_provider,
+      &repo.config.git_account,
+      |https| repo.config.git_https = https,
+    )
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", repo.config.git_provider, repo.config.git_account),
+    )?;
+
     let server =
       resource::get::<Server>(&repo.config.server_id).await?;
 
     let periphery = periphery_client(&server)?;
 
-    let start_ts = monitor_timestamp();
-
-    let mut update = Update {
-      operation: Operation::PullRepo,
-      target: ResourceTarget::Repo(repo.id.clone()),
-      start_ts,
-      status: UpdateStatus::InProgress,
-      operator: user.id.clone(),
-      success: true,
-      ..Default::default()
-    };
-
-    update.id = add_update(update.clone()).await?;
+    // interpolate variables / secrets, returning the sanitizing replacers to send to
+    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
+    let secret_replacers =
+      interpolate(&mut repo, &mut update).await?;
 
     let logs = match periphery
       .request(api::git::PullRepo {
-        name: repo.name.clone(),
-        branch: optional_string(&repo.config.branch),
-        commit: optional_string(&repo.config.commit),
-        on_pull: repo.config.on_pull.into_option(),
+        args: (&repo).into(),
+        git_token,
+        environment: repo.config.env_vars()?,
+        env_file_path: repo.config.env_file_path,
+        skip_secret_interp: repo.config.skip_secret_interp,
+        replacers: secret_replacers.into_iter().collect(),
       })
       .await
     {
-      Ok(logs) => logs,
+      Ok(res) => {
+        update.commit_hash = res.commit_hash.unwrap_or_default();
+        res.logs
+      }
       Err(e) => {
-        vec![Log::error("pull repo", serialize_error_pretty(&e))]
+        vec![Log::error(
+          "pull repo",
+          format_serror(&e.context("failed to pull repo").into()),
+        )]
       }
     };
 
@@ -170,23 +257,36 @@ impl Resolve<PullRepo, User> for State {
     update.finalize();
 
     if update.success {
-      update_last_pulled(&repo.name).await;
+      update_last_pulled_time(&repo.name).await;
     }
 
-    handle_update_return(update).await
+    if let Err(e) = (RefreshRepoCache { repo: repo.id })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+      .map_err(|e| e.error)
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
+    handle_server_update_return(update).await
   }
 }
 
-async fn handle_update_return(
+#[instrument(skip_all, fields(update_id = update.id))]
+async fn handle_server_update_return(
   update: Update,
-) -> anyhow::Result<Update> {
+) -> serror::Result<Update> {
   // Need to manually update the update before cache refresh,
   // and before broadcast with add_update.
   // The Err case of to_document should be unreachable,
   // but will fail to update cache in that case.
   if let Ok(update_doc) = to_document(&update) {
     let _ = update_one_by_id(
-      &db_client().await.updates,
+      &db_client().updates,
       &update.id,
       mungos::update::Update::Set(update_doc),
       None,
@@ -198,14 +298,13 @@ async fn handle_update_return(
   Ok(update)
 }
 
-async fn update_last_pulled(repo_name: &str) {
+#[instrument]
+async fn update_last_pulled_time(repo_name: &str) {
   let res = db_client()
-    .await
     .repos
     .update_one(
       doc! { "name": repo_name },
-      doc! { "$set": { "info.last_pulled_at": monitor_timestamp() } },
-      None,
+      doc! { "$set": { "info.last_pulled_at": komodo_timestamp() } },
     )
     .await;
   if let Err(e) = res {
@@ -214,3 +313,438 @@ async fn update_last_pulled(repo_name: &str) {
     );
   }
 }
+
+impl super::BatchExecute for BatchBuildRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchBuildRepo {
+  #[instrument(name = "BatchBuildRepo", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchBuildRepo>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for BuildRepo {
+  #[instrument(name = "BuildRepo", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let mut repo = resource::get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    if repo.config.builder_id.is_empty() {
+      return Err(anyhow!("Must attach builder to BuildRepo").into());
+    }
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure repo not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.building = true)?;
+
+    let mut update = update.clone();
+    update_update(update.clone()).await?;
+
+    let git_token = git_token(
+      &repo.config.git_provider,
+      &repo.config.git_account,
+      |https| repo.config.git_https = https,
+    )
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", repo.config.git_provider, repo.config.git_account),
+    )?;
+
+    let cancel = CancellationToken::new();
+    let cancel_clone = cancel.clone();
+    let mut cancel_recv =
+      repo_cancel_channel().receiver.resubscribe();
+    let repo_id = repo.id.clone();
+
+    let builder =
+      resource::get::<Builder>(&repo.config.builder_id).await?;
+
+    let is_server_builder =
+      matches!(&builder.config, BuilderConfig::Server(_));
+
+    tokio::spawn(async move {
+      let poll = async {
+        loop {
+          let (incoming_repo_id, mut update) = tokio::select! {
+            _ = cancel_clone.cancelled() => return Ok(()),
+            id = cancel_recv.recv() => id?
+          };
+          if incoming_repo_id == repo_id {
+            if is_server_builder {
+              update.push_error_log("Cancel acknowledged", "Repo Build cancellation is not possible on server builders at this time. Use an AWS builder to enable this feature.");
+            } else {
+              update.push_simple_log("Cancel acknowledged", "The repo build cancellation has been queued, it may still take some time.");
+            }
+            update.finalize();
+            let id = update.id.clone();
+            if let Err(e) = update_update(update).await {
+              warn!("failed to modify Update {id} on db | {e:#}");
+            }
+            if !is_server_builder {
+              cancel_clone.cancel();
+            }
+            return Ok(());
+          }
+        }
+        #[allow(unreachable_code)]
+        anyhow::Ok(())
+      };
+      tokio::select! {
+        _ = cancel_clone.cancelled() => {}
+        _ = poll => {}
+      }
+    });
+
+    // GET BUILDER PERIPHERY
+
+    let (periphery, cleanup_data) = match get_builder_periphery(
+      repo.name.clone(),
+      None,
+      builder,
+      &mut update,
+    )
+    .await
+    {
+      Ok(builder) => builder,
+      Err(e) => {
+        warn!("failed to get builder for repo {} | {e:#}", repo.name);
+        update.logs.push(Log::error(
+          "get builder",
+          format_serror(&e.context("failed to get builder").into()),
+        ));
+        return handle_builder_early_return(
+          update, repo.id, repo.name, false,
+        )
+        .await;
+      }
+    };
+
+    // CLONE REPO
+
+    // interpolate variables / secrets, returning the sanitizing replacers to send to
+    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
+    let secret_replacers =
+      interpolate(&mut repo, &mut update).await?;
+
+    let res = tokio::select! {
+      res = periphery
+        .request(api::git::CloneRepo {
+          args: (&repo).into(),
+          git_token,
+          environment: repo.config.env_vars()?,
+          env_file_path: repo.config.env_file_path,
+          skip_secret_interp: repo.config.skip_secret_interp,
+          replacers: secret_replacers.into_iter().collect()
+        }) => res,
+      _ = cancel.cancelled() => {
+        debug!("build cancelled during clone, cleaning up builder");
+        update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
+        cleanup_builder_instance(cleanup_data, &mut update)
+          .await;
+        info!("builder cleaned up");
+        return handle_builder_early_return(update, repo.id, repo.name, true).await
+      },
+    };
+
+    let commit_message = match res {
+      Ok(res) => {
+        debug!("finished repo clone");
+        update.logs.extend(res.logs);
+        update.commit_hash = res.commit_hash.unwrap_or_default();
+        res.commit_message.unwrap_or_default()
+      }
+      Err(e) => {
+        update.push_error_log(
+          "clone repo",
+          format_serror(&e.context("failed to clone repo").into()),
+        );
+        Default::default()
+      }
+    };
+
+    update.finalize();
+
+    let db = db_client();
+
+    if update.success {
+      let _ = db
+        .repos
+        .update_one(
+          doc! { "name": &repo.name },
+          doc! { "$set": {
+            "info.last_built_at": komodo_timestamp(),
+            "info.built_hash": &update.commit_hash,
+            "info.built_message": commit_message
+          }},
+        )
+        .await;
+    }
+
+    // stop the cancel listening task from going forever
+    cancel.cancel();
+
+    // If building on temporary cloud server (AWS),
+    // this will terminate the server.
+    cleanup_builder_instance(cleanup_data, &mut update).await;
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with add_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db.updates,
+        &update.id,
+        mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_repo_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    if !update.success {
+      warn!("repo build unsuccessful, alerting...");
+      let target = update.target.clone();
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: komodo_timestamp(),
+          resolved_ts: Some(komodo_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::RepoBuildFailed {
+            id: repo.id,
+            name: repo.name,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
+    Ok(update)
+  }
+}
+
+#[instrument(skip(update))]
+async fn handle_builder_early_return(
+  mut update: Update,
+  repo_id: String,
+  repo_name: String,
+  is_cancel: bool,
+) -> serror::Result<Update> {
+  update.finalize();
+  // Need to manually update the update before cache refresh,
+  // and before broadcast with add_update.
+  // The Err case of to_document should be unreachable,
+  // but will fail to update cache in that case.
+  if let Ok(update_doc) = to_document(&update) {
+    let _ = update_one_by_id(
+      &db_client().updates,
+      &update.id,
+      mungos::update::Update::Set(update_doc),
+      None,
+    )
+    .await;
+    refresh_repo_state_cache().await;
+  }
+  update_update(update.clone()).await?;
+  if !update.success && !is_cancel {
+    warn!("repo build unsuccessful, alerting...");
+    let target = update.target.clone();
+    tokio::spawn(async move {
+      let alert = Alert {
+        id: Default::default(),
+        target,
+        ts: komodo_timestamp(),
+        resolved_ts: Some(komodo_timestamp()),
+        resolved: true,
+        level: SeverityLevel::Warning,
+        data: AlertData::RepoBuildFailed {
+          id: repo_id,
+          name: repo_name,
+        },
+      };
+      send_alerts(&[alert]).await
+    });
+  }
+  Ok(update)
+}
+
+#[instrument(skip_all)]
+pub async fn validate_cancel_repo_build(
+  request: &ExecuteRequest,
+) -> anyhow::Result<()> {
+  if let ExecuteRequest::CancelRepoBuild(req) = request {
+    let repo = resource::get::<Repo>(&req.repo).await?;
+
+    let db = db_client();
+
+    let (latest_build, latest_cancel) = tokio::try_join!(
+      db.updates
+        .find_one(doc! {
+          "operation": "BuildRepo",
+          "target.id": &repo.id,
+        },)
+        .with_options(
+          FindOneOptions::builder()
+            .sort(doc! { "start_ts": -1 })
+            .build()
+        )
+        .into_future(),
+      db.updates
+        .find_one(doc! {
+          "operation": "CancelRepoBuild",
+          "target.id": &repo.id,
+        },)
+        .with_options(
+          FindOneOptions::builder()
+            .sort(doc! { "start_ts": -1 })
+            .build()
+        )
+        .into_future()
+    )?;
+
+    match (latest_build, latest_cancel) {
+      (Some(build), Some(cancel)) => {
+        if cancel.start_ts > build.start_ts {
+          return Err(anyhow!(
+            "Repo build has already been cancelled"
+          ));
+        }
+      }
+      (None, _) => return Err(anyhow!("No repo build in progress")),
+      _ => {}
+    };
+  }
+  Ok(())
+}
+
+impl Resolve<ExecuteArgs> for CancelRepoBuild {
+  #[instrument(name = "CancelRepoBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let repo = resource::get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // make sure the build is building
+    if !action_states()
+      .repo
+      .get(&repo.id)
+      .await
+      .and_then(|s| s.get().ok().map(|s| s.building))
+      .unwrap_or_default()
+    {
+      return Err(anyhow!("Repo is not building.").into());
+    }
+
+    let mut update = update.clone();
+
+    update.push_simple_log(
+      "cancel triggered",
+      "the repo build cancel has been triggered",
+    );
+    update_update(update.clone()).await?;
+
+    repo_cancel_channel()
+      .sender
+      .lock()
+      .await
+      .send((repo.id, update.clone()))?;
+
+    // Make sure cancel is set to complete after some time in case
+    // no reciever is there to do it. Prevents update stuck in InProgress.
+    let update_id = update.id.clone();
+    tokio::spawn(async move {
+      tokio::time::sleep(Duration::from_secs(60)).await;
+      if let Err(e) = update_one_by_id(
+        &db_client().updates,
+        &update_id,
+        doc! { "$set": { "status": "Complete" } },
+        None,
+      )
+      .await
+      {
+        warn!(
+          "failed to set CancelRepoBuild Update status Complete after timeout | {e:#}"
+        )
+      }
+    });
+
+    Ok(update)
+  }
+}
+
+async fn interpolate(
+  repo: &mut Repo,
+  update: &mut Update,
+) -> anyhow::Result<HashSet<(String, String)>> {
+  if !repo.config.skip_secret_interp {
+    let vars_and_secrets = get_variables_and_secrets().await?;
+
+    let mut global_replacers = HashSet::new();
+    let mut secret_replacers = HashSet::new();
+
+    interpolate_variables_secrets_into_string(
+      &vars_and_secrets,
+      &mut repo.config.environment,
+      &mut global_replacers,
+      &mut secret_replacers,
+    )?;
+
+    interpolate_variables_secrets_into_system_command(
+      &vars_and_secrets,
+      &mut repo.config.on_clone,
+      &mut global_replacers,
+      &mut secret_replacers,
+    )?;
+
+    interpolate_variables_secrets_into_system_command(
+      &vars_and_secrets,
+      &mut repo.config.on_pull,
+      &mut global_replacers,
+      &mut secret_replacers,
+    )?;
+
+    add_interp_update_log(
+      update,
+      &global_replacers,
+      &secret_replacers,
+    );
+
+    Ok(secret_replacers)
+  } else {
+    Ok(Default::default())
+  }
+}

bin/core/src/api/execute/server_template.rs

@@ -1,108 +1,149 @@
-use anyhow::{anyhow, Context};
-use monitor_client::{
+use anyhow::{Context, anyhow};
+use formatting::format_serror;
+use komodo_client::{
   api::{execute::LaunchServer, write::CreateServer},
   entities::{
     permission::PermissionLevel,
     server::PartialServerConfig,
     server_template::{ServerTemplate, ServerTemplateConfig},
     update::Update,
-    user::User,
-    Operation,
   },
 };
 use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
-use serror::serialize_error_pretty;
 
 use crate::{
-  cloud::aws::launch_ec2_instance, helpers::update::{add_update, make_update, update_update}, resource, state::{db_client, State}
+  api::write::WriteArgs,
+  cloud::{
+    aws::ec2::launch_ec2_instance, hetzner::launch_hetzner_server,
+  },
+  helpers::update::update_update,
+  resource,
+  state::db_client,
 };
 
-impl Resolve<LaunchServer, User> for State {
-  #[instrument(name = "LaunchServer", skip(self, user))]
+use super::ExecuteArgs;
+
+impl Resolve<ExecuteArgs> for LaunchServer {
+  #[instrument(name = "LaunchServer", skip(user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
-    &self,
-    LaunchServer {
-      name,
-      server_template,
-    }: LaunchServer,
-    user: User,
-  ) -> anyhow::Result<Update> {
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
     // validate name isn't already taken by another server
     if db_client()
-      .await
       .servers
-      .find_one(
-        doc! {
-          "name": &name
-        },
-        None,
-      )
+      .find_one(doc! {
+        "name": &self.name
+      })
       .await
       .context("failed to query db for servers")?
       .is_some()
     {
-      return Err(anyhow!("name is already taken"));
+      return Err(anyhow!("name is already taken").into());
     }
 
     let template = resource::get_check_permissions::<ServerTemplate>(
-      &server_template,
-      &user,
+      &self.server_template,
+      user,
       PermissionLevel::Execute,
     )
     .await?;
 
-    let mut update =
-      make_update(&template, Operation::LaunchServer, &user);
-    update.in_progress();
+    let mut update = update.clone();
+
     update.push_simple_log(
       "launching server",
       format!("{:#?}", template.config),
     );
-    update.id = add_update(update.clone()).await?;
+    update_update(update.clone()).await?;
 
     let config = match template.config {
       ServerTemplateConfig::Aws(config) => {
         let region = config.region.clone();
-        let instance = launch_ec2_instance(&name, config).await;
-        if let Err(e) = &instance {
-          update.push_error_log(
-            "launch server",
-            format!("failed to launch aws instance\n\n{e:#?}"),
-          );
-          update.finalize();
-          update_update(update.clone()).await?;
-          return Ok(update);
-        }
-        let instance = instance.unwrap();
+        let use_https = config.use_https;
+        let port = config.port;
+        let instance =
+          match launch_ec2_instance(&self.name, config).await {
+            Ok(instance) => instance,
+            Err(e) => {
+              update.push_error_log(
+                "launch server",
+                format!("failed to launch aws instance\n\n{e:#?}"),
+              );
+              update.finalize();
+              update_update(update.clone()).await?;
+              return Ok(update);
+            }
+          };
         update.push_simple_log(
           "launch server",
           format!(
-            "successfully launched server {name} on ip {}",
-            instance.ip
+            "successfully launched server {} on ip {}",
+            self.name, instance.ip
           ),
         );
+        let protocol = if use_https { "https" } else { "http" };
         PartialServerConfig {
-          address: format!("http://{}:8120", instance.ip).into(),
+          address: format!("{protocol}://{}:{port}", instance.ip)
+            .into(),
           region: region.into(),
           ..Default::default()
         }
       }
+      ServerTemplateConfig::Hetzner(config) => {
+        let datacenter = config.datacenter;
+        let use_https = config.use_https;
+        let port = config.port;
+        let server =
+          match launch_hetzner_server(&self.name, config).await {
+            Ok(server) => server,
+            Err(e) => {
+              update.push_error_log(
+                "launch server",
+                format!("failed to launch hetzner server\n\n{e:#?}"),
+              );
+              update.finalize();
+              update_update(update.clone()).await?;
+              return Ok(update);
+            }
+          };
+        update.push_simple_log(
+          "launch server",
+          format!(
+            "successfully launched server {} on ip {}",
+            self.name, server.ip
+          ),
+        );
+        let protocol = if use_https { "https" } else { "http" };
+        PartialServerConfig {
+          address: format!("{protocol}://{}:{port}", server.ip)
+            .into(),
+          region: datacenter.as_ref().to_string().into(),
+          ..Default::default()
+        }
+      }
     };
 
-    match self.resolve(CreateServer { name, config }, user).await {
+    match (CreateServer {
+      name: self.name,
+      config,
+    })
+    .resolve(&WriteArgs { user: user.clone() })
+    .await
+    {
       Ok(server) => {
         update.push_simple_log(
           "create server",
           format!("created server {} ({})", server.name, server.id),
         );
+        update.other_data = server.id;
       }
       Err(e) => {
         update.push_error_log(
           "create server",
-          format!(
-            "failed to create server\n\n{}",
-            serialize_error_pretty(&e)
+          format_serror(
+            &e.error.context("failed to create server").into(),
           ),
         );
       }

bin/core/src/api/execute/stack.rs

@@ -0,0 +1,646 @@
+use std::collections::HashSet;
+
+use anyhow::Context;
+use formatting::format_serror;
+use komodo_client::{
+  api::{execute::*, write::RefreshStackCache},
+  entities::{
+    permission::PermissionLevel,
+    server::Server,
+    stack::{Stack, StackInfo},
+    update::{Log, Update},
+  },
+};
+use mungos::mongodb::bson::{doc, to_document};
+use periphery_client::api::compose::*;
+use resolver_api::Resolve;
+
+use crate::{
+  api::write::WriteArgs,
+  helpers::{
+    interpolate::{
+      add_interp_update_log,
+      interpolate_variables_secrets_into_extra_args,
+      interpolate_variables_secrets_into_string,
+      interpolate_variables_secrets_into_system_command,
+    },
+    periphery_client,
+    query::get_variables_and_secrets,
+    update::{add_update_without_send, update_update},
+  },
+  monitor::update_cache_for_server,
+  resource,
+  stack::{execute::execute_compose, get_stack_and_server},
+  state::{action_states, db_client},
+};
+
+use super::{ExecuteArgs, ExecuteRequest};
+
+impl super::BatchExecute for BatchDeployStack {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::DeployStack(DeployStack {
+      stack,
+      services: Vec::new(),
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchDeployStack {
+  #[instrument(name = "BatchDeployStack", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchDeployStack>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for DeployStack {
+  #[instrument(name = "DeployStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (mut stack, server) = get_stack_and_server(
+      &self.stack,
+      user,
+      PermissionLevel::Execute,
+      true,
+    )
+    .await?;
+
+    // get the action state for the stack (or insert default).
+    let action_state =
+      action_states().stack.get_or_insert_default(&stack.id).await;
+
+    // Will check to ensure stack not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.deploying = true)?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    if !self.services.is_empty() {
+      update.logs.push(Log::simple(
+        "Service/s",
+        format!(
+          "Execution requested for Stack service/s {}",
+          self.services.join(", ")
+        ),
+      ))
+    }
+
+    let git_token = crate::helpers::git_token(
+      &stack.config.git_provider,
+      &stack.config.git_account,
+      |https| stack.config.git_https = https,
+    ).await.with_context(
+      || format!("Failed to get git token in call to db. Stopping run. | {} | {}", stack.config.git_provider, stack.config.git_account),
+    )?;
+
+    let registry_token = crate::helpers::registry_token(
+      &stack.config.registry_provider,
+      &stack.config.registry_account,
+    ).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {} | {}", stack.config.registry_provider, stack.config.registry_account),
+    )?;
+
+    // interpolate variables / secrets, returning the sanitizing replacers to send to
+    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
+    let secret_replacers = if !stack.config.skip_secret_interp {
+      let vars_and_secrets = get_variables_and_secrets().await?;
+
+      let mut global_replacers = HashSet::new();
+      let mut secret_replacers = HashSet::new();
+
+      interpolate_variables_secrets_into_string(
+        &vars_and_secrets,
+        &mut stack.config.file_contents,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
+      interpolate_variables_secrets_into_string(
+        &vars_and_secrets,
+        &mut stack.config.environment,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
+      interpolate_variables_secrets_into_extra_args(
+        &vars_and_secrets,
+        &mut stack.config.extra_args,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
+      interpolate_variables_secrets_into_extra_args(
+        &vars_and_secrets,
+        &mut stack.config.build_extra_args,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
+      interpolate_variables_secrets_into_system_command(
+        &vars_and_secrets,
+        &mut stack.config.pre_deploy,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
+      interpolate_variables_secrets_into_system_command(
+        &vars_and_secrets,
+        &mut stack.config.post_deploy,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
+      add_interp_update_log(
+        &mut update,
+        &global_replacers,
+        &secret_replacers,
+      );
+
+      secret_replacers
+    } else {
+      Default::default()
+    };
+
+    let ComposeUpResponse {
+      logs,
+      deployed,
+      services,
+      file_contents,
+      missing_files,
+      remote_errors,
+      compose_config,
+      commit_hash,
+      commit_message,
+    } = periphery_client(&server)?
+      .request(ComposeUp {
+        stack: stack.clone(),
+        services: self.services,
+        git_token,
+        registry_token,
+        replacers: secret_replacers.into_iter().collect(),
+      })
+      .await?;
+
+    update.logs.extend(logs);
+
+    let update_info = async {
+      let latest_services = if services.is_empty() {
+        // maybe better to do something else here for services.
+        stack.info.latest_services.clone()
+      } else {
+        services
+      };
+
+      // This ensures to get the latest project name,
+      // as it may have changed since the last deploy.
+      let project_name = stack.project_name(true);
+
+      let (
+        deployed_services,
+        deployed_contents,
+        deployed_config,
+        deployed_hash,
+        deployed_message,
+      ) = if deployed {
+        (
+          Some(latest_services.clone()),
+          Some(file_contents.clone()),
+          compose_config,
+          commit_hash.clone(),
+          commit_message.clone(),
+        )
+      } else {
+        (
+          stack.info.deployed_services,
+          stack.info.deployed_contents,
+          stack.info.deployed_config,
+          stack.info.deployed_hash,
+          stack.info.deployed_message,
+        )
+      };
+
+      let info = StackInfo {
+        missing_files,
+        deployed_project_name: project_name.into(),
+        deployed_services,
+        deployed_contents,
+        deployed_config,
+        deployed_hash,
+        deployed_message,
+        latest_services,
+        remote_contents: stack
+          .config
+          .file_contents
+          .is_empty()
+          .then_some(file_contents),
+        remote_errors: stack
+          .config
+          .file_contents
+          .is_empty()
+          .then_some(remote_errors),
+        latest_hash: commit_hash,
+        latest_message: commit_message,
+      };
+
+      let info = to_document(&info)
+        .context("failed to serialize stack info to bson")?;
+
+      db_client()
+        .stacks
+        .update_one(
+          doc! { "name": &stack.name },
+          doc! { "$set": { "info": info } },
+        )
+        .await
+        .context("failed to update stack info on db")?;
+      anyhow::Ok(())
+    };
+
+    // This will be weird with single service deploys. Come back to it.
+    if let Err(e) = update_info.await {
+      update.push_error_log(
+        "refresh stack info",
+        format_serror(
+          &e.context("failed to refresh stack info on db").into(),
+        ),
+      )
+    }
+
+    // Ensure cached stack state up to date by updating server cache
+    update_cache_for_server(&server).await;
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl super::BatchExecute for BatchDeployStackIfChanged {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::DeployStackIfChanged(DeployStackIfChanged {
+      stack,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchDeployStackIfChanged {
+  #[instrument(name = "BatchDeployStackIfChanged", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchDeployStackIfChanged>(
+        &self.pattern,
+        user,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for DeployStackIfChanged {
+  #[instrument(name = "DeployStackIfChanged", skip(user, update), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let stack = resource::get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+    RefreshStackCache {
+      stack: stack.id.clone(),
+    }
+    .resolve(&WriteArgs { user: user.clone() })
+    .await?;
+    let stack = resource::get::<Stack>(&stack.id).await?;
+    let changed = match (
+      &stack.info.deployed_contents,
+      &stack.info.remote_contents,
+    ) {
+      (Some(deployed_contents), Some(latest_contents)) => {
+        let changed = || {
+          for latest in latest_contents {
+            let Some(deployed) = deployed_contents
+              .iter()
+              .find(|c| c.path == latest.path)
+            else {
+              return true;
+            };
+            if latest.contents != deployed.contents {
+              return true;
+            }
+          }
+          false
+        };
+        changed()
+      }
+      (None, _) => true,
+      _ => false,
+    };
+
+    let mut update = update.clone();
+
+    if !changed {
+      update.push_simple_log(
+        "Diff compose files",
+        String::from("Deploy cancelled after no changes detected."),
+      );
+      update.finalize();
+      return Ok(update);
+    }
+
+    // Don't actually send it here, let the handler send it after it can set action state.
+    // This is usually done in crate::helpers::update::init_execution_update.
+    update.id = add_update_without_send(&update).await?;
+
+    DeployStack {
+      stack: stack.name,
+      services: Vec::new(),
+      stop_time: self.stop_time,
+    }
+    .resolve(&ExecuteArgs {
+      user: user.clone(),
+      update,
+    })
+    .await
+  }
+}
+
+pub async fn pull_stack_inner(
+  mut stack: Stack,
+  services: Vec<String>,
+  server: &Server,
+  mut update: Option<&mut Update>,
+) -> anyhow::Result<ComposePullResponse> {
+  if let Some(update) = update.as_mut() {
+    if !services.is_empty() {
+      update.logs.push(Log::simple(
+        "Service/s",
+        format!(
+          "Execution requested for Stack service/s {}",
+          services.join(", ")
+        ),
+      ))
+    }
+  }
+
+  let git_token = crate::helpers::git_token(
+      &stack.config.git_provider,
+      &stack.config.git_account,
+      |https| stack.config.git_https = https,
+    ).await.with_context(
+      || format!("Failed to get git token in call to db. Stopping run. | {} | {}", stack.config.git_provider, stack.config.git_account),
+    )?;
+
+  let registry_token = crate::helpers::registry_token(
+      &stack.config.registry_provider,
+      &stack.config.registry_account,
+    ).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {} | {}", stack.config.registry_provider, stack.config.registry_account),
+    )?;
+
+  // interpolate variables / secrets
+  if !stack.config.skip_secret_interp {
+    let vars_and_secrets = get_variables_and_secrets().await?;
+
+    let mut global_replacers = HashSet::new();
+    let mut secret_replacers = HashSet::new();
+
+    interpolate_variables_secrets_into_string(
+      &vars_and_secrets,
+      &mut stack.config.file_contents,
+      &mut global_replacers,
+      &mut secret_replacers,
+    )?;
+
+    interpolate_variables_secrets_into_string(
+      &vars_and_secrets,
+      &mut stack.config.environment,
+      &mut global_replacers,
+      &mut secret_replacers,
+    )?;
+
+    if let Some(update) = update {
+      add_interp_update_log(
+        update,
+        &global_replacers,
+        &secret_replacers,
+      );
+    }
+  };
+
+  let res = periphery_client(server)?
+    .request(ComposePull {
+      stack,
+      services,
+      git_token,
+      registry_token,
+    })
+    .await?;
+
+  // Ensure cached stack state up to date by updating server cache
+  update_cache_for_server(server).await;
+
+  Ok(res)
+}
+
+impl Resolve<ExecuteArgs> for PullStack {
+  #[instrument(name = "PullStack", skip(user, update), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (stack, server) = get_stack_and_server(
+      &self.stack,
+      user,
+      PermissionLevel::Execute,
+      true,
+    )
+    .await?;
+
+    // get the action state for the stack (or insert default).
+    let action_state =
+      action_states().stack.get_or_insert_default(&stack.id).await;
+
+    // Will check to ensure stack not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pulling = true)?;
+
+    let mut update = update.clone();
+    update_update(update.clone()).await?;
+
+    let res = pull_stack_inner(
+      stack,
+      self.services,
+      &server,
+      Some(&mut update),
+    )
+    .await?;
+
+    update.logs.extend(res.logs);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for StartStack {
+  #[instrument(name = "StartStack", skip(user, update), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    execute_compose::<StartStack>(
+      &self.stack,
+      self.services,
+      user,
+      |state| state.starting = true,
+      update.clone(),
+      (),
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RestartStack {
+  #[instrument(name = "RestartStack", skip(user, update), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    execute_compose::<RestartStack>(
+      &self.stack,
+      self.services,
+      user,
+      |state| {
+        state.restarting = true;
+      },
+      update.clone(),
+      (),
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ExecuteArgs> for PauseStack {
+  #[instrument(name = "PauseStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    execute_compose::<PauseStack>(
+      &self.stack,
+      self.services,
+      user,
+      |state| state.pausing = true,
+      update.clone(),
+      (),
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ExecuteArgs> for UnpauseStack {
+  #[instrument(name = "UnpauseStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    execute_compose::<UnpauseStack>(
+      &self.stack,
+      self.services,
+      user,
+      |state| state.unpausing = true,
+      update.clone(),
+      (),
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ExecuteArgs> for StopStack {
+  #[instrument(name = "StopStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    execute_compose::<StopStack>(
+      &self.stack,
+      self.services,
+      user,
+      |state| state.stopping = true,
+      update.clone(),
+      self.stop_time,
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl super::BatchExecute for BatchDestroyStack {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::DestroyStack(DestroyStack {
+      stack,
+      services: Vec::new(),
+      remove_orphans: false,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchDestroyStack {
+  #[instrument(name = "BatchDestroyStack", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDestroyStack>(&self.pattern, user)
+      .await
+      .map_err(Into::into)
+  }
+}
+
+impl Resolve<ExecuteArgs> for DestroyStack {
+  #[instrument(name = "DestroyStack", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    execute_compose::<DestroyStack>(
+      &self.stack,
+      self.services,
+      user,
+      |state| state.destroying = true,
+      update.clone(),
+      (self.stop_time, self.remove_orphans),
+    )
+    .await
+    .map_err(Into::into)
+  }
+}

bin/core/src/api/execute/sync.rs

@@ -0,0 +1,561 @@
+use std::{collections::HashMap, str::FromStr};
+
+use anyhow::{Context, anyhow};
+use formatting::{Color, colored, format_serror};
+use komodo_client::{
+  api::{execute::RunSync, write::RefreshResourceSyncPending},
+  entities::{
+    self, ResourceTargetVariant,
+    action::Action,
+    alerter::Alerter,
+    build::Build,
+    builder::Builder,
+    deployment::Deployment,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    repo::Repo,
+    server::Server,
+    server_template::ServerTemplate,
+    stack::Stack,
+    sync::ResourceSync,
+    update::{Log, Update},
+    user::sync_user,
+  },
+};
+use mongo_indexed::doc;
+use mungos::{by_id::update_one_by_id, mongodb::bson::oid::ObjectId};
+use resolver_api::Resolve;
+
+use crate::{
+  api::write::WriteArgs,
+  helpers::{query::get_id_to_tags, update::update_update},
+  resource,
+  state::{action_states, db_client},
+  sync::{
+    AllResourcesById, ResourceSyncTrait,
+    deploy::{
+      SyncDeployParams, build_deploy_cache, deploy_from_cache,
+    },
+    execute::{ExecuteResourceSync, get_updates_for_execution},
+    remote::RemoteResources,
+  },
+};
+
+use super::ExecuteArgs;
+
+impl Resolve<ExecuteArgs> for RunSync {
+  #[instrument(name = "RunSync", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let RunSync {
+      sync,
+      resource_type: match_resource_type,
+      resources: match_resources,
+    } = self;
+    let sync = resource::get_check_permissions::<
+      entities::sync::ResourceSync,
+    >(&sync, user, PermissionLevel::Execute)
+    .await?;
+
+    // get the action state for the sync (or insert default).
+    let action_state = action_states()
+      .resource_sync
+      .get_or_insert_default(&sync.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure sync not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.syncing = true)?;
+
+    let mut update = update.clone();
+
+    // Send update here for FE to recheck action state
+    update_update(update.clone()).await?;
+
+    let RemoteResources {
+      resources,
+      logs,
+      hash,
+      message,
+      file_errors,
+      ..
+    } = crate::sync::remote::get_remote_resources(&sync)
+      .await
+      .context("failed to get remote resources")?;
+
+    update.logs.extend(logs);
+    update_update(update.clone()).await?;
+
+    if !file_errors.is_empty() {
+      return Err(
+        anyhow!("Found file errors. Cannot execute sync.").into(),
+      );
+    }
+
+    let resources = resources?;
+
+    let id_to_tags = get_id_to_tags(None).await?;
+    let all_resources = AllResourcesById::load().await?;
+    // Convert all match_resources to names
+    let match_resources = match_resources.map(|resources| {
+      resources
+        .into_iter()
+        .filter_map(|name_or_id| {
+          let Some(resource_type) = match_resource_type else {
+            return Some(name_or_id);
+          };
+          match ObjectId::from_str(&name_or_id) {
+            Ok(_) => match resource_type {
+              ResourceTargetVariant::Alerter => all_resources
+                .alerters
+                .get(&name_or_id)
+                .map(|a| a.name.clone()),
+              ResourceTargetVariant::Build => all_resources
+                .builds
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Builder => all_resources
+                .builders
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Deployment => all_resources
+                .deployments
+                .get(&name_or_id)
+                .map(|d| d.name.clone()),
+              ResourceTargetVariant::Procedure => all_resources
+                .procedures
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
+              ResourceTargetVariant::Action => all_resources
+                .actions
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
+              ResourceTargetVariant::Repo => all_resources
+                .repos
+                .get(&name_or_id)
+                .map(|r| r.name.clone()),
+              ResourceTargetVariant::Server => all_resources
+                .servers
+                .get(&name_or_id)
+                .map(|s| s.name.clone()),
+              ResourceTargetVariant::ServerTemplate => all_resources
+                .templates
+                .get(&name_or_id)
+                .map(|t| t.name.clone()),
+              ResourceTargetVariant::Stack => all_resources
+                .stacks
+                .get(&name_or_id)
+                .map(|s| s.name.clone()),
+              ResourceTargetVariant::ResourceSync => all_resources
+                .syncs
+                .get(&name_or_id)
+                .map(|s| s.name.clone()),
+              ResourceTargetVariant::System => None,
+            },
+            Err(_) => Some(name_or_id),
+          }
+        })
+        .collect::<Vec<_>>()
+    });
+
+    let deployments_by_name = all_resources
+      .deployments
+      .values()
+      .filter(|deployment| {
+        Deployment::include_resource(
+          &deployment.name,
+          &deployment.config,
+          match_resource_type,
+          match_resources.as_deref(),
+          &deployment.tags,
+          &id_to_tags,
+          &sync.config.match_tags,
+        )
+      })
+      .map(|deployment| (deployment.name.clone(), deployment.clone()))
+      .collect::<HashMap<_, _>>();
+    let stacks_by_name = all_resources
+      .stacks
+      .values()
+      .filter(|stack| {
+        Stack::include_resource(
+          &stack.name,
+          &stack.config,
+          match_resource_type,
+          match_resources.as_deref(),
+          &stack.tags,
+          &id_to_tags,
+          &sync.config.match_tags,
+        )
+      })
+      .map(|stack| (stack.name.clone(), stack.clone()))
+      .collect::<HashMap<_, _>>();
+
+    let deploy_cache = build_deploy_cache(SyncDeployParams {
+      deployments: &resources.deployments,
+      deployment_map: &deployments_by_name,
+      stacks: &resources.stacks,
+      stack_map: &stacks_by_name,
+      all_resources: &all_resources,
+    })
+    .await?;
+
+    let delete = sync.config.managed || sync.config.delete;
+
+    let server_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Server>(
+        resources.servers,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let stack_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Stack>(
+        resources.stacks,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let deployment_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Deployment>(
+        resources.deployments,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let build_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Build>(
+        resources.builds,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let repo_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Repo>(
+        resources.repos,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let procedure_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Procedure>(
+        resources.procedures,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let action_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Action>(
+        resources.actions,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let builder_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Builder>(
+        resources.builders,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let alerter_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Alerter>(
+        resources.alerters,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let server_template_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<ServerTemplate>(
+        resources.server_templates,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let resource_sync_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<entities::sync::ResourceSync>(
+        resources.resource_syncs,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+
+    let (
+      variables_to_create,
+      variables_to_update,
+      variables_to_delete,
+    ) = if match_resource_type.is_none()
+      && match_resources.is_none()
+      && sync.config.include_variables
+    {
+      crate::sync::variables::get_updates_for_execution(
+        resources.variables,
+        delete,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let (
+      user_groups_to_create,
+      user_groups_to_update,
+      user_groups_to_delete,
+    ) = if match_resource_type.is_none()
+      && match_resources.is_none()
+      && sync.config.include_user_groups
+    {
+      crate::sync::user_groups::get_updates_for_execution(
+        resources.user_groups,
+        delete,
+        &all_resources,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+
+    if deploy_cache.is_empty()
+      && resource_sync_deltas.no_changes()
+      && server_template_deltas.no_changes()
+      && server_deltas.no_changes()
+      && deployment_deltas.no_changes()
+      && stack_deltas.no_changes()
+      && build_deltas.no_changes()
+      && builder_deltas.no_changes()
+      && alerter_deltas.no_changes()
+      && repo_deltas.no_changes()
+      && procedure_deltas.no_changes()
+      && action_deltas.no_changes()
+      && user_groups_to_create.is_empty()
+      && user_groups_to_update.is_empty()
+      && user_groups_to_delete.is_empty()
+      && variables_to_create.is_empty()
+      && variables_to_update.is_empty()
+      && variables_to_delete.is_empty()
+    {
+      update.push_simple_log(
+        "No Changes",
+        format!(
+          "{}. exiting.",
+          colored("nothing to do", Color::Green)
+        ),
+      );
+      update.finalize();
+      update_update(update.clone()).await?;
+      return Ok(update);
+    }
+
+    // =================
+
+    // No deps
+    maybe_extend(
+      &mut update.logs,
+      crate::sync::variables::run_updates(
+        variables_to_create,
+        variables_to_update,
+        variables_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      crate::sync::user_groups::run_updates(
+        user_groups_to_create,
+        user_groups_to_update,
+        user_groups_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      ResourceSync::execute_sync_updates(resource_sync_deltas).await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      ServerTemplate::execute_sync_updates(server_template_deltas)
+        .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Server::execute_sync_updates(server_deltas).await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Alerter::execute_sync_updates(alerter_deltas).await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Action::execute_sync_updates(action_deltas).await,
+    );
+
+    // Dependent on server
+    maybe_extend(
+      &mut update.logs,
+      Builder::execute_sync_updates(builder_deltas).await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Repo::execute_sync_updates(repo_deltas).await,
+    );
+
+    // Dependant on builder
+    maybe_extend(
+      &mut update.logs,
+      Build::execute_sync_updates(build_deltas).await,
+    );
+
+    // Dependant on server / build
+    maybe_extend(
+      &mut update.logs,
+      Deployment::execute_sync_updates(deployment_deltas).await,
+    );
+    // stack only depends on server, but maybe will depend on build later.
+    maybe_extend(
+      &mut update.logs,
+      Stack::execute_sync_updates(stack_deltas).await,
+    );
+
+    // Dependant on everything
+    maybe_extend(
+      &mut update.logs,
+      Procedure::execute_sync_updates(procedure_deltas).await,
+    );
+
+    // Execute the deploy cache
+    deploy_from_cache(deploy_cache, &mut update.logs).await;
+
+    let db = db_client();
+
+    if let Err(e) = update_one_by_id(
+      &db.resource_syncs,
+      &sync.id,
+      doc! {
+        "$set": {
+          "info.last_sync_ts": komodo_timestamp(),
+          "info.last_sync_hash": hash,
+          "info.last_sync_message": message,
+        }
+      },
+      None,
+    )
+    .await
+    {
+      warn!(
+        "failed to update resource sync {} info after sync | {e:#}",
+        sync.name
+      )
+    }
+
+    if let Err(e) = (RefreshResourceSyncPending { sync: sync.id })
+      .resolve(&WriteArgs {
+        user: sync_user().to_owned(),
+      })
+      .await
+    {
+      warn!(
+        "failed to refresh sync {} after run | {:#}",
+        sync.name, e.error
+      );
+      update.push_error_log(
+        "refresh sync",
+        format_serror(
+          &e.error
+            .context("failed to refresh sync pending after run")
+            .into(),
+        ),
+      );
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+fn maybe_extend(logs: &mut Vec<Log>, log: Option<Log>) {
+  if let Some(log) = log {
+    logs.push(log);
+  }
+}

bin/core/src/api/mod.rs

@@ -1,4 +1,5 @@
 pub mod auth;
 pub mod execute;
 pub mod read;
+pub mod user;
 pub mod write;

bin/core/src/api/read/action.rs

@@ -0,0 +1,137 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    action::{
+      Action, ActionActionState, ActionListItem, ActionState,
+    },
+    permission::PermissionLevel,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_all_tags,
+  resource,
+  state::{action_state_cache, action_states},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetAction {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Action> {
+    Ok(
+      resource::get_check_permissions::<Action>(
+        &self.action,
+        user,
+        PermissionLevel::Read,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListActions {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<ActionListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Action>(self.query, user, &all_tags)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullActions {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullActionsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Action>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetActionActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ActionActionState> {
+    let action = resource::get_check_permissions::<Action>(
+      &self.action,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .action
+      .get(&action.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetActionsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetActionsSummaryResponse> {
+    let actions = resource::list_full_for_user::<Action>(
+      Default::default(),
+      user,
+      &[],
+    )
+    .await
+    .context("failed to get actions from db")?;
+
+    let mut res = GetActionsSummaryResponse::default();
+
+    let cache = action_state_cache();
+    let action_states = action_states();
+
+    for action in actions {
+      res.total += 1;
+
+      match (
+        cache.get(&action.id).await.unwrap_or_default(),
+        action_states
+          .action
+          .get(&action.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.running => {
+          res.running += 1;
+        }
+        (ActionState::Ok, _) => res.ok += 1,
+        (ActionState::Failed, _) => res.failed += 1,
+        (ActionState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the running state, since that comes from action states
+        (ActionState::Running, _) => unreachable!(),
+      }
+    }
+
+    Ok(res)
+  }
+}

bin/core/src/api/read/alert.rs

@@ -1,9 +1,12 @@
 use anyhow::Context;
-use monitor_client::{
+use komodo_client::{
   api::read::{
     GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
   },
-  entities::{update::ResourceTargetVariant, user::User},
+  entities::{
+    deployment::Deployment, server::Server, stack::Stack,
+    sync::ResourceSync,
+  },
 };
 use mungos::{
   by_id::find_one_by_id,
@@ -13,45 +16,46 @@ use mungos::{
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_resource_ids_for_non_admin,
-  state::{db_client, State},
+  config::core_config, resource::get_resource_ids_for_user,
+  state::db_client,
 };
 
+use super::ReadArgs;
+
 const NUM_ALERTS_PER_PAGE: u64 = 100;
 
-impl Resolve<ListAlerts, User> for State {
+impl Resolve<ReadArgs> for ListAlerts {
   async fn resolve(
-    &self,
-    ListAlerts { query, page }: ListAlerts,
-    user: User,
-  ) -> anyhow::Result<ListAlertsResponse> {
-    let mut query = query.unwrap_or_default();
-    if !user.admin {
-      let server_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Server,
-      )
-      .await?;
-      let deployment_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Deployment,
-      )
-      .await?;
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListAlertsResponse> {
+    let mut query = self.query.unwrap_or_default();
+    if !user.admin && !core_config().transparent_mode {
+      let server_ids =
+        get_resource_ids_for_user::<Server>(user).await?;
+      let stack_ids =
+        get_resource_ids_for_user::<Stack>(user).await?;
+      let deployment_ids =
+        get_resource_ids_for_user::<Deployment>(user).await?;
+      let sync_ids =
+        get_resource_ids_for_user::<ResourceSync>(user).await?;
       query.extend(doc! {
         "$or": [
           { "target.type": "Server", "target.id": { "$in": &server_ids } },
+          { "target.type": "Stack", "target.id": { "$in": &stack_ids } },
           { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
+          { "target.type": "ResourceSync", "target.id": { "$in": &sync_ids } },
         ]
       });
     }
 
     let alerts = find_collect(
-      &db_client().await.alerts,
+      &db_client().alerts,
       query,
       FindOptions::builder()
         .sort(doc! { "ts": -1 })
         .limit(NUM_ALERTS_PER_PAGE as i64)
-        .skip(page * NUM_ALERTS_PER_PAGE)
+        .skip(self.page * NUM_ALERTS_PER_PAGE)
         .build(),
     )
     .await
@@ -60,7 +64,7 @@ impl Resolve<ListAlerts, User> for State {
     let next_page = if alerts.len() < NUM_ALERTS_PER_PAGE as usize {
       None
     } else {
-      Some((page + 1) as i64)
+      Some((self.page + 1) as i64)
     };
 
     let res = ListAlertsResponse { next_page, alerts };
@@ -69,15 +73,16 @@ impl Resolve<ListAlerts, User> for State {
   }
 }
 
-impl Resolve<GetAlert, User> for State {
+impl Resolve<ReadArgs> for GetAlert {
   async fn resolve(
-    &self,
-    GetAlert { id }: GetAlert,
-    _: User,
-  ) -> anyhow::Result<GetAlertResponse> {
-    find_one_by_id(&db_client().await.alerts, &id)
-      .await
-      .context("failed to query db for alert")?
-      .context("no alert found with given id")
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetAlertResponse> {
+    Ok(
+      find_one_by_id(&db_client().alerts, &self.id)
+        .await
+        .context("failed to query db for alert")?
+        .context("no alert found with given id")?,
+    )
   }
 }

bin/core/src/api/read/alerter.rs

@@ -1,75 +1,91 @@
-use std::str::FromStr;
-
 use anyhow::Context;
-use monitor_client::{
+use komodo_client::{
   api::read::*,
   entities::{
     alerter::{Alerter, AlerterListItem},
     permission::PermissionLevel,
-    update::ResourceTargetVariant,
-    user::User,
   },
 };
-use mungos::mongodb::bson::{doc, oid::ObjectId};
+use mongo_indexed::Document;
+use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_resource_ids_for_non_admin,
-  resource,
-  state::{db_client, State},
+  helpers::query::get_all_tags, resource, state::db_client,
 };
 
-impl Resolve<GetAlerter, User> for State {
-  async fn resolve(
-    &self,
-    GetAlerter { alerter }: GetAlerter,
-    user: User,
-  ) -> anyhow::Result<Alerter> {
-    resource::get_check_permissions::<Alerter>(
-      &alerter,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await
-  }
-}
+use super::ReadArgs;
 
-impl Resolve<ListAlerters, User> for State {
+impl Resolve<ReadArgs> for GetAlerter {
   async fn resolve(
-    &self,
-    ListAlerters { query }: ListAlerters,
-    user: User,
-  ) -> anyhow::Result<Vec<AlerterListItem>> {
-    resource::list_for_user::<Alerter>(query, &user).await
-  }
-}
-
-impl Resolve<GetAlertersSummary, User> for State {
-  async fn resolve(
-    &self,
-    GetAlertersSummary {}: GetAlertersSummary,
-    user: User,
-  ) -> anyhow::Result<GetAlertersSummaryResponse> {
-    let query = if user.admin {
-      None
-    } else {
-      let ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Alerter,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Alerter> {
+    Ok(
+      resource::get_check_permissions::<Alerter>(
+        &self.alerter,
+        user,
+        PermissionLevel::Read,
       )
-      .await?
-      .into_iter()
-      .flat_map(|id| ObjectId::from_str(&id))
-      .collect::<Vec<_>>();
-      let query = doc! {
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListAlerters {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<AlerterListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Alerter>(self.query, user, &all_tags)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullAlerters {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullAlertersResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Alerter>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetAlertersSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetAlertersSummaryResponse> {
+    let query = match resource::get_resource_object_ids_for_user::<
+      Alerter,
+    >(user)
+    .await?
+    {
+      Some(ids) => doc! {
         "_id": { "$in": ids }
-      };
-      Some(query)
+      },
+      None => Document::new(),
     };
     let total = db_client()
-      .await
       .alerters
-      .count_documents(query, None)
+      .count_documents(query)
       .await
       .context("failed to count all alerter documents")?;
     let res = GetAlertersSummaryResponse {

bin/core/src/api/read/build.rs

@@ -1,72 +1,95 @@
-use std::{
-  collections::{HashMap, HashSet},
-  str::FromStr,
-  sync::OnceLock,
-};
+use std::collections::{HashMap, HashSet};
 
 use anyhow::Context;
 use async_timing_util::unix_timestamp_ms;
 use futures::TryStreamExt;
-use monitor_client::{
+use komodo_client::{
   api::read::*,
   entities::{
-    build::{Build, BuildActionState, BuildListItem, BuildState},
-    permission::PermissionLevel,
-    update::{ResourceTargetVariant, UpdateStatus},
-    user::User,
     Operation,
+    build::{Build, BuildActionState, BuildListItem, BuildState},
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    update::UpdateStatus,
   },
 };
 use mungos::{
   find::find_collect,
-  mongodb::{
-    bson::{doc, oid::ObjectId},
-    options::FindOptions,
-  },
+  mongodb::{bson::doc, options::FindOptions},
 };
-use resolver_api::{Resolve, ResolveToString};
+use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
-  helpers::query::get_resource_ids_for_non_admin,
+  helpers::query::get_all_tags,
   resource,
-  state::{action_states, build_state_cache, db_client, State},
+  state::{
+    action_states, build_state_cache, db_client, github_client,
+  },
 };
 
-impl Resolve<GetBuild, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetBuild {
   async fn resolve(
-    &self,
-    GetBuild { build }: GetBuild,
-    user: User,
-  ) -> anyhow::Result<Build> {
-    resource::get_check_permissions::<Build>(
-      &build,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Build> {
+    Ok(
+      resource::get_check_permissions::<Build>(
+        &self.build,
+        user,
+        PermissionLevel::Read,
+      )
+      .await?,
     )
-    .await
   }
 }
 
-impl Resolve<ListBuilds, User> for State {
+impl Resolve<ReadArgs> for ListBuilds {
   async fn resolve(
-    &self,
-    ListBuilds { query }: ListBuilds,
-    user: User,
-  ) -> anyhow::Result<Vec<BuildListItem>> {
-    resource::list_for_user::<Build>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<BuildListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Build>(self.query, user, &all_tags)
+        .await?,
+    )
   }
 }
 
-impl Resolve<GetBuildActionState, User> for State {
+impl Resolve<ReadArgs> for ListFullBuilds {
   async fn resolve(
-    &self,
-    GetBuildActionState { build }: GetBuildActionState,
-    user: User,
-  ) -> anyhow::Result<BuildActionState> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullBuildsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Build>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetBuildActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<BuildActionState> {
     let build = resource::get_check_permissions::<Build>(
-      &build,
-      &user,
+      &self.build,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -80,37 +103,24 @@ impl Resolve<GetBuildActionState, User> for State {
   }
 }
 
-impl Resolve<GetBuildsSummary, User> for State {
+impl Resolve<ReadArgs> for GetBuildsSummary {
   async fn resolve(
-    &self,
-    GetBuildsSummary {}: GetBuildsSummary,
-    user: User,
-  ) -> anyhow::Result<GetBuildsSummaryResponse> {
-    let query = if user.admin {
-      None
-    } else {
-      let ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Build,
-      )
-      .await?
-      .into_iter()
-      .flat_map(|id| ObjectId::from_str(&id))
-      .collect::<Vec<_>>();
-      let query = doc! {
-        "_id": { "$in": ids }
-      };
-      Some(query)
-    };
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetBuildsSummaryResponse> {
+    let builds = resource::list_full_for_user::<Build>(
+      Default::default(),
+      user,
+      &[],
+    )
+    .await
+    .context("failed to get all builds")?;
 
-    let builds = find_collect(&db_client().await.builds, query, None)
-      .await
-      .context("failed to find all build documents")?;
     let mut res = GetBuildsSummaryResponse::default();
 
     let cache = build_state_cache();
     let action_states = action_states();
-    
+
     for build in builds {
       res.total += 1;
 
@@ -140,31 +150,26 @@ impl Resolve<GetBuildsSummary, User> for State {
 
 const ONE_DAY_MS: i64 = 86400000;
 
-impl Resolve<GetBuildMonthlyStats, User> for State {
+impl Resolve<ReadArgs> for GetBuildMonthlyStats {
   async fn resolve(
-    &self,
-    GetBuildMonthlyStats { page }: GetBuildMonthlyStats,
-    _: User,
-  ) -> anyhow::Result<GetBuildMonthlyStatsResponse> {
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetBuildMonthlyStatsResponse> {
     let curr_ts = unix_timestamp_ms() as i64;
     let next_day = curr_ts - curr_ts % ONE_DAY_MS + ONE_DAY_MS;
 
-    let close_ts = next_day - page as i64 * 30 * ONE_DAY_MS;
+    let close_ts = next_day - self.page as i64 * 30 * ONE_DAY_MS;
     let open_ts = close_ts - 30 * ONE_DAY_MS;
 
     let mut build_updates = db_client()
-      .await
       .updates
-      .find(
-        doc! {
-          "start_ts": {
-            "$gte": open_ts,
-            "$lt": close_ts
-          },
-          "operation": Operation::RunBuild.to_string(),
+      .find(doc! {
+        "start_ts": {
+          "$gte": open_ts,
+          "$lt": close_ts
         },
-        None,
-      )
+        "operation": Operation::RunBuild.to_string(),
+      })
       .await
       .context("failed to get updates cursor")?;
 
@@ -201,20 +206,21 @@ fn ms_to_hour(duration: i64) -> f64 {
   duration as f64 / MS_TO_HOUR_DIVISOR
 }
 
-impl Resolve<GetBuildVersions, User> for State {
+impl Resolve<ReadArgs> for ListBuildVersions {
   async fn resolve(
-    &self,
-    GetBuildVersions {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<BuildVersionResponseItem>> {
+    let ListBuildVersions {
       build,
       major,
       minor,
       patch,
-    }: GetBuildVersions,
-    user: User,
-  ) -> anyhow::Result<Vec<BuildVersionResponseItem>> {
+      limit,
+    } = self;
     let build = resource::get_check_permissions::<Build>(
       &build,
-      &user,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -239,10 +245,11 @@ impl Resolve<GetBuildVersions, User> for State {
     }
 
     let versions = find_collect(
-      &db_client().await.updates,
+      &db_client().updates,
       filter,
       FindOptions::builder()
         .sort(doc! { "_id": -1 })
+        .limit(limit)
         .build(),
     )
     .await
@@ -256,33 +263,21 @@ impl Resolve<GetBuildVersions, User> for State {
   }
 }
 
-fn docker_organizations() -> &'static String {
-  static DOCKER_ORGANIZATIONS: OnceLock<String> = OnceLock::new();
-  DOCKER_ORGANIZATIONS.get_or_init(|| {
-    serde_json::to_string(&core_config().docker_organizations)
-      .expect("failed to serialize docker organizations")
-  })
-}
-
-impl ResolveToString<ListDockerOrganizations, User> for State {
-  async fn resolve_to_string(
-    &self,
-    ListDockerOrganizations {}: ListDockerOrganizations,
-    _: User,
-  ) -> anyhow::Result<String> {
-    Ok(docker_organizations().clone())
-  }
-}
-
-impl Resolve<ListCommonBuildExtraArgs, User> for State {
+impl Resolve<ReadArgs> for ListCommonBuildExtraArgs {
   async fn resolve(
-    &self,
-    ListCommonBuildExtraArgs { query }: ListCommonBuildExtraArgs,
-    user: User,
-  ) -> anyhow::Result<ListCommonBuildExtraArgsResponse> {
-    let builds = resource::list_full_for_user::<Build>(query, &user)
-      .await
-      .context("failed to get resources matching query")?;
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListCommonBuildExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let builds = resource::list_full_for_user::<Build>(
+      self.query, user, &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;
 
     // first collect with guaranteed uniqueness
     let mut res = HashSet::<String>::new();
@@ -293,6 +288,86 @@ impl Resolve<ListCommonBuildExtraArgs, User> for State {
       }
     }
 
-    Ok(res.into_iter().collect())
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetBuildWebhookEnabled {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetBuildWebhookEnabledResponse> {
+    let Some(github) = github_client() else {
+      return Ok(GetBuildWebhookEnabledResponse {
+        managed: false,
+        enabled: false,
+      });
+    };
+
+    let build = resource::get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+
+    if build.config.git_provider != "github.com"
+      || build.config.repo.is_empty()
+    {
+      return Ok(GetBuildWebhookEnabledResponse {
+        managed: false,
+        enabled: false,
+      });
+    }
+
+    let mut split = build.config.repo.split('/');
+    let owner = split.next().context("Build repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Ok(GetBuildWebhookEnabledResponse {
+        managed: false,
+        enabled: false,
+      });
+    };
+
+    let repo =
+      split.next().context("Build repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = format!("{host}/listener/github/build/{}", build.id);
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        return Ok(GetBuildWebhookEnabledResponse {
+          managed: true,
+          enabled: true,
+        });
+      }
+    }
+
+    Ok(GetBuildWebhookEnabledResponse {
+      managed: true,
+      enabled: false,
+    })
   }
 }

bin/core/src/api/read/builder.rs

@@ -1,76 +1,91 @@
-use std::{collections::HashSet, str::FromStr};
-
 use anyhow::Context;
-use monitor_client::{
-  api::read::{self, *},
+use komodo_client::{
+  api::read::*,
   entities::{
-    builder::{Builder, BuilderConfig, BuilderListItem},
+    builder::{Builder, BuilderListItem},
     permission::PermissionLevel,
-    update::ResourceTargetVariant,
-    user::User,
   },
 };
-use mungos::mongodb::bson::{doc, oid::ObjectId};
+use mongo_indexed::Document;
+use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
-  config::core_config,
-  helpers::query::get_resource_ids_for_non_admin,
-  resource,
-  state::{db_client, State},
+  helpers::query::get_all_tags, resource, state::db_client,
 };
 
-impl Resolve<GetBuilder, User> for State {
-  async fn resolve(
-    &self,
-    GetBuilder { builder }: GetBuilder,
-    user: User,
-  ) -> anyhow::Result<Builder> {
-    resource::get_check_permissions::<Builder>(
-      &builder,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await
-  }
-}
+use super::ReadArgs;
 
-impl Resolve<ListBuilders, User> for State {
+impl Resolve<ReadArgs> for GetBuilder {
   async fn resolve(
-    &self,
-    ListBuilders { query }: ListBuilders,
-    user: User,
-  ) -> anyhow::Result<Vec<BuilderListItem>> {
-    resource::list_for_user::<Builder>(query, &user).await
-  }
-}
-
-impl Resolve<GetBuildersSummary, User> for State {
-  async fn resolve(
-    &self,
-    GetBuildersSummary {}: GetBuildersSummary,
-    user: User,
-  ) -> anyhow::Result<GetBuildersSummaryResponse> {
-    let query = if user.admin {
-      None
-    } else {
-      let ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Builder,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Builder> {
+    Ok(
+      resource::get_check_permissions::<Builder>(
+        &self.builder,
+        user,
+        PermissionLevel::Read,
       )
-      .await?
-      .into_iter()
-      .flat_map(|id| ObjectId::from_str(&id))
-      .collect::<Vec<_>>();
-      let query = doc! {
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListBuilders {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<BuilderListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Builder>(self.query, user, &all_tags)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullBuilders {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullBuildersResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Builder>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetBuildersSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetBuildersSummaryResponse> {
+    let query = match resource::get_resource_object_ids_for_user::<
+      Builder,
+    >(user)
+    .await?
+    {
+      Some(ids) => doc! {
         "_id": { "$in": ids }
-      };
-      Some(query)
+      },
+      None => Document::new(),
     };
     let total = db_client()
-      .await
       .builders
-      .count_documents(query, None)
+      .count_documents(query)
       .await
       .context("failed to count all builder documents")?;
     let res = GetBuildersSummaryResponse {
@@ -79,52 +94,3 @@ impl Resolve<GetBuildersSummary, User> for State {
     Ok(res)
   }
 }
-
-impl Resolve<GetBuilderAvailableAccounts, User> for State {
-  async fn resolve(
-    &self,
-    GetBuilderAvailableAccounts { builder }: GetBuilderAvailableAccounts,
-    user: User,
-  ) -> anyhow::Result<GetBuilderAvailableAccountsResponse> {
-    let builder = resource::get_check_permissions::<Builder>(
-      &builder,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await?;
-    let (github, docker) = match builder.config {
-      BuilderConfig::Aws(config) => {
-        (config.github_accounts, config.docker_accounts)
-      }
-      BuilderConfig::Server(config) => {
-        let res = self
-          .resolve(
-            read::GetAvailableAccounts {
-              server: config.server_id,
-            },
-            user,
-          )
-          .await?;
-        (res.github, res.docker)
-      }
-    };
-
-    let mut github_set = HashSet::<String>::new();
-
-    github_set.extend(core_config().github_accounts.keys().cloned());
-    github_set.extend(github);
-
-    let mut github = github_set.into_iter().collect::<Vec<_>>();
-    github.sort();
-
-    let mut docker_set = HashSet::<String>::new();
-
-    docker_set.extend(core_config().docker_accounts.keys().cloned());
-    docker_set.extend(docker);
-
-    let mut docker = docker_set.into_iter().collect::<Vec<_>>();
-    docker.sort();
-
-    Ok(GetBuilderAvailableAccountsResponse { github, docker })
-  }
-}

bin/core/src/api/read/deployment.rs

@@ -1,68 +1,100 @@
-use std::{cmp, collections::HashSet, str::FromStr};
+use std::{cmp, collections::HashSet};
 
-use anyhow::{anyhow, Context};
-use monitor_client::{
+use anyhow::{Context, anyhow};
+use komodo_client::{
   api::read::*,
   entities::{
     deployment::{
       Deployment, DeploymentActionState, DeploymentConfig,
-      DeploymentListItem, DeploymentState, DockerContainerStats,
+      DeploymentListItem, DeploymentState,
     },
+    docker::container::ContainerStats,
     permission::PermissionLevel,
     server::Server,
-    update::{Log, ResourceTargetVariant},
-    user::User,
+    update::Log,
   },
 };
-use mungos::{
-  find::find_collect,
-  mongodb::bson::{doc, oid::ObjectId},
-};
 use periphery_client::api;
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::{
-    periphery_client, query::get_resource_ids_for_non_admin,
-  },
+  helpers::{periphery_client, query::get_all_tags},
   resource,
-  state::{action_states, db_client, deployment_status_cache, State},
+  state::{action_states, deployment_status_cache},
 };
 
-impl Resolve<GetDeployment, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetDeployment {
   async fn resolve(
-    &self,
-    GetDeployment { deployment }: GetDeployment,
-    user: User,
-  ) -> anyhow::Result<Deployment> {
-    resource::get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Deployment> {
+    Ok(
+      resource::get_check_permissions::<Deployment>(
+        &self.deployment,
+        user,
+        PermissionLevel::Read,
+      )
+      .await?,
     )
-    .await
   }
 }
 
-impl Resolve<ListDeployments, User> for State {
+impl Resolve<ReadArgs> for ListDeployments {
   async fn resolve(
-    &self,
-    ListDeployments { query }: ListDeployments,
-    user: User,
-  ) -> anyhow::Result<Vec<DeploymentListItem>> {
-    resource::list_for_user::<Deployment>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<DeploymentListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let only_update_available = self.query.specific.update_available;
+    let deployments = resource::list_for_user::<Deployment>(
+      self.query, user, &all_tags,
+    )
+    .await?;
+    let deployments = if only_update_available {
+      deployments
+        .into_iter()
+        .filter(|deployment| deployment.info.update_available)
+        .collect()
+    } else {
+      deployments
+    };
+    Ok(deployments)
   }
 }
 
-impl Resolve<GetDeploymentContainer, User> for State {
+impl Resolve<ReadArgs> for ListFullDeployments {
   async fn resolve(
-    &self,
-    GetDeploymentContainer { deployment }: GetDeploymentContainer,
-    user: User,
-  ) -> anyhow::Result<GetDeploymentContainerResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullDeploymentsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Deployment>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetDeploymentContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetDeploymentContainerResponse> {
     let deployment = resource::get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
+      &self.deployment,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -80,19 +112,23 @@ impl Resolve<GetDeploymentContainer, User> for State {
 
 const MAX_LOG_LENGTH: u64 = 5000;
 
-impl Resolve<GetLog, User> for State {
+impl Resolve<ReadArgs> for GetDeploymentLog {
   async fn resolve(
-    &self,
-    GetLog { deployment, tail }: GetLog,
-    user: User,
-  ) -> anyhow::Result<Log> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Log> {
+    let GetDeploymentLog {
+      deployment,
+      tail,
+      timestamps,
+    } = self;
     let Deployment {
       name,
       config: DeploymentConfig { server_id, .. },
       ..
     } = resource::get_check_permissions::<Deployment>(
       &deployment,
-      &user,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -100,33 +136,37 @@ impl Resolve<GetLog, User> for State {
       return Ok(Log::default());
     }
     let server = resource::get::<Server>(&server_id).await?;
-    periphery_client(&server)?
+    let res = periphery_client(&server)?
       .request(api::container::GetContainerLog {
         name,
         tail: cmp::min(tail, MAX_LOG_LENGTH),
+        timestamps,
       })
       .await
-      .context("failed at call to periphery")
+      .context("failed at call to periphery")?;
+    Ok(res)
   }
 }
 
-impl Resolve<SearchLog, User> for State {
+impl Resolve<ReadArgs> for SearchDeploymentLog {
   async fn resolve(
-    &self,
-    SearchLog {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Log> {
+    let SearchDeploymentLog {
       deployment,
       terms,
       combinator,
-    }: SearchLog,
-    user: User,
-  ) -> anyhow::Result<Log> {
+      invert,
+      timestamps,
+    } = self;
     let Deployment {
       name,
       config: DeploymentConfig { server_id, .. },
       ..
     } = resource::get_check_permissions::<Deployment>(
       &deployment,
-      &user,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -134,53 +174,57 @@ impl Resolve<SearchLog, User> for State {
       return Ok(Log::default());
     }
     let server = resource::get::<Server>(&server_id).await?;
-    periphery_client(&server)?
+    let res = periphery_client(&server)?
       .request(api::container::GetContainerLogSearch {
         name,
         terms,
         combinator,
+        invert,
+        timestamps,
       })
       .await
-      .context("failed at call to periphery")
+      .context("failed at call to periphery")?;
+    Ok(res)
   }
 }
 
-impl Resolve<GetDeploymentStats, User> for State {
+impl Resolve<ReadArgs> for GetDeploymentStats {
   async fn resolve(
-    &self,
-    GetDeploymentStats { deployment }: GetDeploymentStats,
-    user: User,
-  ) -> anyhow::Result<DockerContainerStats> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ContainerStats> {
     let Deployment {
       name,
       config: DeploymentConfig { server_id, .. },
       ..
     } = resource::get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
+      &self.deployment,
+      user,
       PermissionLevel::Read,
     )
     .await?;
     if server_id.is_empty() {
-      return Err(anyhow!("deployment has no server attached"));
+      return Err(
+        anyhow!("deployment has no server attached").into(),
+      );
     }
     let server = resource::get::<Server>(&server_id).await?;
-    periphery_client(&server)?
+    let res = periphery_client(&server)?
       .request(api::container::GetContainerStats { name })
       .await
-      .context("failed to get stats from periphery")
+      .context("failed to get stats from periphery")?;
+    Ok(res)
   }
 }
 
-impl Resolve<GetDeploymentActionState, User> for State {
+impl Resolve<ReadArgs> for GetDeploymentActionState {
   async fn resolve(
-    &self,
-    GetDeploymentActionState { deployment }: GetDeploymentActionState,
-    user: User,
-  ) -> anyhow::Result<DeploymentActionState> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<DeploymentActionState> {
     let deployment = resource::get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
+      &self.deployment,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -194,33 +238,18 @@ impl Resolve<GetDeploymentActionState, User> for State {
   }
 }
 
-impl Resolve<GetDeploymentsSummary, User> for State {
+impl Resolve<ReadArgs> for GetDeploymentsSummary {
   async fn resolve(
-    &self,
-    GetDeploymentsSummary {}: GetDeploymentsSummary,
-    user: User,
-  ) -> anyhow::Result<GetDeploymentsSummaryResponse> {
-    let query = if user.admin {
-      None
-    } else {
-      let ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Deployment,
-      )
-      .await?
-      .into_iter()
-      .flat_map(|id| ObjectId::from_str(&id))
-      .collect::<Vec<_>>();
-      let query = doc! {
-        "_id": { "$in": ids }
-      };
-      Some(query)
-    };
-
-    let deployments =
-      find_collect(&db_client().await.deployments, query, None)
-        .await
-        .context("failed to find all deployment documents")?;
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetDeploymentsSummaryResponse> {
+    let deployments = resource::list_full_for_user::<Deployment>(
+      Default::default(),
+      user,
+      &[],
+    )
+    .await
+    .context("failed to get deployments from db")?;
     let mut res = GetDeploymentsSummaryResponse::default();
     let status_cache = deployment_status_cache();
     for deployment in deployments {
@@ -231,14 +260,17 @@ impl Resolve<GetDeploymentsSummary, User> for State {
         DeploymentState::Running => {
           res.running += 1;
         }
-        DeploymentState::Unknown => {
-          res.unknown += 1;
+        DeploymentState::Exited | DeploymentState::Paused => {
+          res.stopped += 1;
         }
         DeploymentState::NotDeployed => {
           res.not_deployed += 1;
         }
+        DeploymentState::Unknown => {
+          res.unknown += 1;
+        }
         _ => {
-          res.stopped += 1;
+          res.unhealthy += 1;
         }
       }
     }
@@ -246,16 +278,21 @@ impl Resolve<GetDeploymentsSummary, User> for State {
   }
 }
 
-impl Resolve<ListCommonDeploymentExtraArgs, User> for State {
+impl Resolve<ReadArgs> for ListCommonDeploymentExtraArgs {
   async fn resolve(
-    &self,
-    ListCommonDeploymentExtraArgs { query }: ListCommonDeploymentExtraArgs,
-    user: User,
-  ) -> anyhow::Result<ListCommonDeploymentExtraArgsResponse> {
-    let deployments =
-      resource::list_full_for_user::<Deployment>(query, &user)
-        .await
-        .context("failed to get resources matching query")?;
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListCommonDeploymentExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let deployments = resource::list_full_for_user::<Deployment>(
+      self.query, user, &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;
 
     // first collect with guaranteed uniqueness
     let mut res = HashSet::<String>::new();
@@ -266,6 +303,8 @@ impl Resolve<ListCommonDeploymentExtraArgs, User> for State {
       }
     }
 
-    Ok(res.into_iter().collect())
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
   }
 }

bin/core/src/api/read/mod.rs

@@ -1,17 +1,33 @@
-use std::time::Instant;
+use std::{collections::HashSet, sync::OnceLock, time::Instant};
 
-use anyhow::anyhow;
-use axum::{middleware, routing::post, Extension, Router};
-use axum_extra::{headers::ContentType, TypedHeader};
-use monitor_client::{api::read::*, entities::user::User};
-use resolver_api::{derive::Resolver, Resolve, Resolver};
+use anyhow::{Context, anyhow};
+use axum::{Extension, Router, middleware, routing::post};
+use komodo_client::{
+  api::read::*,
+  entities::{
+    ResourceTarget,
+    build::Build,
+    builder::{Builder, BuilderConfig},
+    config::{DockerRegistry, GitProvider},
+    repo::Repo,
+    server::Server,
+    sync::ResourceSync,
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+use response::Response;
 use serde::{Deserialize, Serialize};
 use serror::Json;
 use typeshare::typeshare;
 use uuid::Uuid;
 
-use crate::{auth::auth_request, config::core_config, state::State};
+use crate::{
+  auth::auth_request, config::core_config, helpers::periphery_client,
+  resource,
+};
 
+mod action;
 mod alert;
 mod alerter;
 mod build;
@@ -19,10 +35,12 @@ mod builder;
 mod deployment;
 mod permission;
 mod procedure;
+mod provider;
 mod repo;
-mod search;
 mod server;
 mod server_template;
+mod stack;
+mod sync;
 mod tag;
 mod toml;
 mod update;
@@ -30,94 +48,145 @@ mod user;
 mod user_group;
 mod variable;
 
+pub struct ReadArgs {
+  pub user: User,
+}
+
 #[typeshare]
-#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
-#[resolver_target(State)]
-#[resolver_args(User)]
+#[derive(Serialize, Deserialize, Debug, Clone, Resolve)]
+#[args(ReadArgs)]
+#[response(Response)]
+#[error(serror::Error)]
 #[serde(tag = "type", content = "params")]
 enum ReadRequest {
   GetVersion(GetVersion),
   GetCoreInfo(GetCoreInfo),
+  ListSecrets(ListSecrets),
+  ListGitProvidersFromConfig(ListGitProvidersFromConfig),
+  ListDockerRegistriesFromConfig(ListDockerRegistriesFromConfig),
 
   // ==== USER ====
-  ListUsers(ListUsers),
   GetUsername(GetUsername),
+  GetPermissionLevel(GetPermissionLevel),
+  FindUser(FindUser),
+  ListUsers(ListUsers),
   ListApiKeys(ListApiKeys),
   ListApiKeysForServiceUser(ListApiKeysForServiceUser),
   ListPermissions(ListPermissions),
-  GetPermissionLevel(GetPermissionLevel),
   ListUserTargetPermissions(ListUserTargetPermissions),
 
   // ==== USER GROUP ====
   GetUserGroup(GetUserGroup),
   ListUserGroups(ListUserGroups),
 
-  // ==== SEARCH ====
-  FindResources(FindResources),
-
   // ==== PROCEDURE ====
   GetProceduresSummary(GetProceduresSummary),
   GetProcedure(GetProcedure),
   GetProcedureActionState(GetProcedureActionState),
   ListProcedures(ListProcedures),
+  ListFullProcedures(ListFullProcedures),
+
+  // ==== ACTION ====
+  GetActionsSummary(GetActionsSummary),
+  GetAction(GetAction),
+  GetActionActionState(GetActionActionState),
+  ListActions(ListActions),
+  ListFullActions(ListFullActions),
 
   // ==== SERVER TEMPLATE ====
   GetServerTemplate(GetServerTemplate),
-  ListServerTemplates(ListServerTemplates),
   GetServerTemplatesSummary(GetServerTemplatesSummary),
+  ListServerTemplates(ListServerTemplates),
+  ListFullServerTemplates(ListFullServerTemplates),
 
   // ==== SERVER ====
   GetServersSummary(GetServersSummary),
   GetServer(GetServer),
-  ListServers(ListServers),
   GetServerState(GetServerState),
   GetPeripheryVersion(GetPeripheryVersion),
-  GetDockerContainers(GetDockerContainers),
-  GetDockerImages(GetDockerImages),
-  GetDockerNetworks(GetDockerNetworks),
   GetServerActionState(GetServerActionState),
   GetHistoricalServerStats(GetHistoricalServerStats),
-  GetAvailableAccounts(GetAvailableAccounts),
-  GetAvailableSecrets(GetAvailableSecrets),
+  ListServers(ListServers),
+  ListFullServers(ListFullServers),
+  InspectDockerContainer(InspectDockerContainer),
+  GetResourceMatchingContainer(GetResourceMatchingContainer),
+  GetContainerLog(GetContainerLog),
+  SearchContainerLog(SearchContainerLog),
+  InspectDockerNetwork(InspectDockerNetwork),
+  InspectDockerImage(InspectDockerImage),
+  ListDockerImageHistory(ListDockerImageHistory),
+  InspectDockerVolume(InspectDockerVolume),
+  GetDockerContainersSummary(GetDockerContainersSummary),
+  ListAllDockerContainers(ListAllDockerContainers),
+  ListDockerContainers(ListDockerContainers),
+  ListDockerNetworks(ListDockerNetworks),
+  ListDockerImages(ListDockerImages),
+  ListDockerVolumes(ListDockerVolumes),
+  ListComposeProjects(ListComposeProjects),
 
   // ==== DEPLOYMENT ====
   GetDeploymentsSummary(GetDeploymentsSummary),
   GetDeployment(GetDeployment),
-  ListDeployments(ListDeployments),
   GetDeploymentContainer(GetDeploymentContainer),
   GetDeploymentActionState(GetDeploymentActionState),
   GetDeploymentStats(GetDeploymentStats),
-  GetLog(GetLog),
-  SearchLog(SearchLog),
+  GetDeploymentLog(GetDeploymentLog),
+  SearchDeploymentLog(SearchDeploymentLog),
+  ListDeployments(ListDeployments),
+  ListFullDeployments(ListFullDeployments),
   ListCommonDeploymentExtraArgs(ListCommonDeploymentExtraArgs),
 
   // ==== BUILD ====
   GetBuildsSummary(GetBuildsSummary),
   GetBuild(GetBuild),
-  ListBuilds(ListBuilds),
   GetBuildActionState(GetBuildActionState),
   GetBuildMonthlyStats(GetBuildMonthlyStats),
-  GetBuildVersions(GetBuildVersions),
+  ListBuildVersions(ListBuildVersions),
+  GetBuildWebhookEnabled(GetBuildWebhookEnabled),
+  ListBuilds(ListBuilds),
+  ListFullBuilds(ListFullBuilds),
   ListCommonBuildExtraArgs(ListCommonBuildExtraArgs),
-  #[to_string_resolver]
-  ListDockerOrganizations(ListDockerOrganizations),
 
   // ==== REPO ====
   GetReposSummary(GetReposSummary),
   GetRepo(GetRepo),
-  ListRepos(ListRepos),
   GetRepoActionState(GetRepoActionState),
+  GetRepoWebhooksEnabled(GetRepoWebhooksEnabled),
+  ListRepos(ListRepos),
+  ListFullRepos(ListFullRepos),
+
+  // ==== SYNC ====
+  GetResourceSyncsSummary(GetResourceSyncsSummary),
+  GetResourceSync(GetResourceSync),
+  GetResourceSyncActionState(GetResourceSyncActionState),
+  GetSyncWebhooksEnabled(GetSyncWebhooksEnabled),
+  ListResourceSyncs(ListResourceSyncs),
+  ListFullResourceSyncs(ListFullResourceSyncs),
+
+  // ==== STACK ====
+  GetStacksSummary(GetStacksSummary),
+  GetStack(GetStack),
+  GetStackActionState(GetStackActionState),
+  GetStackWebhooksEnabled(GetStackWebhooksEnabled),
+  GetStackLog(GetStackLog),
+  SearchStackLog(SearchStackLog),
+  ListStacks(ListStacks),
+  ListFullStacks(ListFullStacks),
+  ListStackServices(ListStackServices),
+  ListCommonStackExtraArgs(ListCommonStackExtraArgs),
+  ListCommonStackBuildExtraArgs(ListCommonStackBuildExtraArgs),
 
   // ==== BUILDER ====
   GetBuildersSummary(GetBuildersSummary),
   GetBuilder(GetBuilder),
   ListBuilders(ListBuilders),
-  GetBuilderAvailableAccounts(GetBuilderAvailableAccounts),
+  ListFullBuilders(ListFullBuilders),
 
   // ==== ALERTER ====
   GetAlertersSummary(GetAlertersSummary),
   GetAlerter(GetAlerter),
   ListAlerters(ListAlerters),
+  ListFullAlerters(ListFullAlerters),
 
   // ==== TOML ====
   ExportAllResourcesToToml(ExportAllResourcesToToml),
@@ -136,16 +205,19 @@ enum ReadRequest {
   GetAlert(GetAlert),
 
   // ==== SERVER STATS ====
-  #[to_string_resolver]
   GetSystemInformation(GetSystemInformation),
-  #[to_string_resolver]
   GetSystemStats(GetSystemStats),
-  #[to_string_resolver]
-  GetSystemProcesses(GetSystemProcesses),
+  ListSystemProcesses(ListSystemProcesses),
 
   // ==== VARIABLE ====
   GetVariable(GetVariable),
   ListVariables(ListVariables),
+
+  // ==== PROVIDER ====
+  GetGitProviderAccount(GetGitProviderAccount),
+  ListGitProviderAccounts(ListGitProviderAccounts),
+  GetDockerRegistryAccount(GetDockerRegistryAccount),
+  ListDockerRegistryAccounts(ListDockerRegistryAccounts),
 }
 
 pub fn router() -> Router {
@@ -154,63 +226,337 @@ pub fn router() -> Router {
     .layer(middleware::from_fn(auth_request))
 }
 
-#[instrument(name = "ReadHandler", level = "debug", skip(user))]
+#[instrument(name = "ReadHandler", level = "debug", skip(user), fields(user_id = user.id))]
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<ReadRequest>,
-) -> serror::Result<(TypedHeader<ContentType>, String)> {
+) -> serror::Result<axum::response::Response> {
   let timer = Instant::now();
   let req_id = Uuid::new_v4();
-  debug!(
-    "/read request {req_id} | user: {} ({})",
-    user.username, user.id
-  );
-  let res =
-    State
-      .resolve_request(request, user)
-      .await
-      .map_err(|e| match e {
-        resolver_api::Error::Serialization(e) => {
-          anyhow!("{e:?}").context("response serialization error")
-        }
-        resolver_api::Error::Inner(e) => e,
-      });
+  debug!("/read request | user: {}", user.username);
+  let res = request.resolve(&ReadArgs { user }).await;
   if let Err(e) = &res {
-    warn!("/read request {req_id} error: {e:#}");
+    debug!("/read request {req_id} error: {:#}", e.error);
   }
   let elapsed = timer.elapsed();
   debug!("/read request {req_id} | resolve time: {elapsed:?}");
-  Ok((TypedHeader(ContentType::json()), res?))
+  res.map(|res| res.0)
 }
 
-impl Resolve<GetVersion, User> for State {
-  #[instrument(name = "GetVersion", level = "debug", skip(self))]
+impl Resolve<ReadArgs> for GetVersion {
   async fn resolve(
-    &self,
-    GetVersion {}: GetVersion,
-    _: User,
-  ) -> anyhow::Result<GetVersionResponse> {
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetVersionResponse> {
     Ok(GetVersionResponse {
       version: env!("CARGO_PKG_VERSION").to_string(),
     })
   }
 }
 
-impl Resolve<GetCoreInfo, User> for State {
-  #[instrument(name = "GetCoreInfo", level = "debug", skip(self))]
-  async fn resolve(
-    &self,
-    GetCoreInfo {}: GetCoreInfo,
-    _: User,
-  ) -> anyhow::Result<GetCoreInfoResponse> {
+fn core_info() -> &'static GetCoreInfoResponse {
+  static CORE_INFO: OnceLock<GetCoreInfoResponse> = OnceLock::new();
+  CORE_INFO.get_or_init(|| {
     let config = core_config();
-    Ok(GetCoreInfoResponse {
+    GetCoreInfoResponse {
       title: config.title.clone(),
       monitoring_interval: config.monitoring_interval,
-      github_webhook_base_url: config
-        .github_webhook_base_url
-        .clone()
-        .unwrap_or_else(|| config.host.clone()),
-    })
+      webhook_base_url: if config.webhook_base_url.is_empty() {
+        config.host.clone()
+      } else {
+        config.webhook_base_url.clone()
+      },
+      transparent_mode: config.transparent_mode,
+      ui_write_disabled: config.ui_write_disabled,
+      disable_confirm_dialog: config.disable_confirm_dialog,
+      disable_non_admin_create: config.disable_non_admin_create,
+      github_webhook_owners: config
+        .github_webhook_app
+        .installations
+        .iter()
+        .map(|i| i.namespace.to_string())
+        .collect(),
+    }
+  })
+}
+
+impl Resolve<ReadArgs> for GetCoreInfo {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetCoreInfoResponse> {
+    Ok(core_info().clone())
+  }
+}
+
+impl Resolve<ReadArgs> for ListSecrets {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<ListSecretsResponse> {
+    let mut secrets = core_config()
+      .secrets
+      .keys()
+      .cloned()
+      .collect::<HashSet<_>>();
+
+    if let Some(target) = self.target {
+      let server_id = match target {
+        ResourceTarget::Server(id) => Some(id),
+        ResourceTarget::Builder(id) => {
+          match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => None,
+            BuilderConfig::Server(config) => Some(config.server_id),
+            BuilderConfig::Aws(config) => {
+              secrets.extend(config.secrets);
+              None
+            }
+          }
+        }
+        _ => {
+          return Err(
+            anyhow!("target must be `Server` or `Builder`").into(),
+          );
+        }
+      };
+      if let Some(id) = server_id {
+        let server = resource::get::<Server>(&id).await?;
+        let more = periphery_client(&server)?
+          .request(periphery_client::api::ListSecrets {})
+          .await
+          .with_context(|| {
+            format!(
+              "failed to get secrets from server {}",
+              server.name
+            )
+          })?;
+        secrets.extend(more);
+      }
+    }
+
+    let mut secrets = secrets.into_iter().collect::<Vec<_>>();
+    secrets.sort();
+
+    Ok(secrets)
+  }
+}
+
+impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListGitProvidersFromConfigResponse> {
+    let mut providers = core_config().git_providers.clone();
+
+    if let Some(target) = self.target {
+      match target {
+        ResourceTarget::Server(id) => {
+          merge_git_providers_for_server(&mut providers, &id).await?;
+        }
+        ResourceTarget::Builder(id) => {
+          match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
+            BuilderConfig::Server(config) => {
+              merge_git_providers_for_server(
+                &mut providers,
+                &config.server_id,
+              )
+              .await?;
+            }
+            BuilderConfig::Aws(config) => {
+              merge_git_providers(
+                &mut providers,
+                config.git_providers,
+              );
+            }
+          }
+        }
+        _ => {
+          return Err(
+            anyhow!("target must be `Server` or `Builder`").into(),
+          );
+        }
+      }
+    }
+
+    let (builds, repos, syncs) = tokio::try_join!(
+      resource::list_full_for_user::<Build>(
+        Default::default(),
+        user,
+        &[]
+      ),
+      resource::list_full_for_user::<Repo>(
+        Default::default(),
+        user,
+        &[]
+      ),
+      resource::list_full_for_user::<ResourceSync>(
+        Default::default(),
+        user,
+        &[]
+      ),
+    )?;
+
+    for build in builds {
+      if !providers
+        .iter()
+        .any(|provider| provider.domain == build.config.git_provider)
+      {
+        providers.push(GitProvider {
+          domain: build.config.git_provider,
+          https: build.config.git_https,
+          accounts: Default::default(),
+        });
+      }
+    }
+    for repo in repos {
+      if !providers
+        .iter()
+        .any(|provider| provider.domain == repo.config.git_provider)
+      {
+        providers.push(GitProvider {
+          domain: repo.config.git_provider,
+          https: repo.config.git_https,
+          accounts: Default::default(),
+        });
+      }
+    }
+    for sync in syncs {
+      if !providers
+        .iter()
+        .any(|provider| provider.domain == sync.config.git_provider)
+      {
+        providers.push(GitProvider {
+          domain: sync.config.git_provider,
+          https: sync.config.git_https,
+          accounts: Default::default(),
+        });
+      }
+    }
+
+    providers.sort();
+
+    Ok(providers)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerRegistriesFromConfig {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<ListDockerRegistriesFromConfigResponse> {
+    let mut registries = core_config().docker_registries.clone();
+
+    if let Some(target) = self.target {
+      match target {
+        ResourceTarget::Server(id) => {
+          merge_docker_registries_for_server(&mut registries, &id)
+            .await?;
+        }
+        ResourceTarget::Builder(id) => {
+          match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
+            BuilderConfig::Server(config) => {
+              merge_docker_registries_for_server(
+                &mut registries,
+                &config.server_id,
+              )
+              .await?;
+            }
+            BuilderConfig::Aws(config) => {
+              merge_docker_registries(
+                &mut registries,
+                config.docker_registries,
+              );
+            }
+          }
+        }
+        _ => {
+          return Err(
+            anyhow!("target must be `Server` or `Builder`").into(),
+          );
+        }
+      }
+    }
+
+    registries.sort();
+
+    Ok(registries)
+  }
+}
+
+async fn merge_git_providers_for_server(
+  providers: &mut Vec<GitProvider>,
+  server_id: &str,
+) -> serror::Result<()> {
+  let server = resource::get::<Server>(server_id).await?;
+  let more = periphery_client(&server)?
+    .request(periphery_client::api::ListGitProviders {})
+    .await
+    .with_context(|| {
+      format!(
+        "failed to get git providers from server {}",
+        server.name
+      )
+    })?;
+  merge_git_providers(providers, more);
+  Ok(())
+}
+
+fn merge_git_providers(
+  providers: &mut Vec<GitProvider>,
+  more: Vec<GitProvider>,
+) {
+  for incoming_provider in more {
+    if let Some(provider) = providers
+      .iter_mut()
+      .find(|provider| provider.domain == incoming_provider.domain)
+    {
+      for account in incoming_provider.accounts {
+        if !provider.accounts.contains(&account) {
+          provider.accounts.push(account);
+        }
+      }
+    } else {
+      providers.push(incoming_provider);
+    }
+  }
+}
+
+async fn merge_docker_registries_for_server(
+  registries: &mut Vec<DockerRegistry>,
+  server_id: &str,
+) -> serror::Result<()> {
+  let server = resource::get::<Server>(server_id).await?;
+  let more = periphery_client(&server)?
+    .request(periphery_client::api::ListDockerRegistries {})
+    .await
+    .with_context(|| {
+      format!(
+        "failed to get docker registries from server {}",
+        server.name
+      )
+    })?;
+  merge_docker_registries(registries, more);
+  Ok(())
+}
+
+fn merge_docker_registries(
+  registries: &mut Vec<DockerRegistry>,
+  more: Vec<DockerRegistry>,
+) {
+  for incoming_registry in more {
+    if let Some(registry) = registries
+      .iter_mut()
+      .find(|registry| registry.domain == incoming_registry.domain)
+    {
+      for account in incoming_registry.accounts {
+        if !registry.accounts.contains(&account) {
+          registry.accounts.push(account);
+        }
+      }
+    } else {
+      registries.push(incoming_registry);
+    }
   }
 }

bin/core/src/api/read/permission.rs

@@ -1,28 +1,28 @@
-use anyhow::{anyhow, Context};
-use monitor_client::{
+use anyhow::{Context, anyhow};
+use komodo_client::{
   api::read::{
     GetPermissionLevel, GetPermissionLevelResponse, ListPermissions,
     ListPermissionsResponse, ListUserTargetPermissions,
     ListUserTargetPermissionsResponse,
   },
-  entities::{permission::PermissionLevel, user::User},
+  entities::permission::PermissionLevel,
 };
 use mungos::{find::find_collect, mongodb::bson::doc};
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_user_permission_on_resource,
-  state::{db_client, State},
+  helpers::query::get_user_permission_on_target, state::db_client,
 };
 
-impl Resolve<ListPermissions, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for ListPermissions {
   async fn resolve(
-    &self,
-    ListPermissions {}: ListPermissions,
-    user: User,
-  ) -> anyhow::Result<ListPermissionsResponse> {
-    find_collect(
-      &db_client().await.permissions,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListPermissionsResponse> {
+    let res = find_collect(
+      &db_client().permissions,
       doc! {
         "user_target.type": "User",
         "user_target.id": &user.id
@@ -30,36 +30,34 @@ impl Resolve<ListPermissions, User> for State {
       None,
     )
     .await
-    .context("failed to query db for permissions")
+    .context("failed to query db for permissions")?;
+    Ok(res)
   }
 }
 
-impl Resolve<GetPermissionLevel, User> for State {
+impl Resolve<ReadArgs> for GetPermissionLevel {
   async fn resolve(
-    &self,
-    GetPermissionLevel { target }: GetPermissionLevel,
-    user: User,
-  ) -> anyhow::Result<GetPermissionLevelResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetPermissionLevelResponse> {
     if user.admin {
       return Ok(PermissionLevel::Write);
     }
-    let (variant, id) = target.extract_variant_id();
-    get_user_permission_on_resource(&user.id, variant, id).await
+    Ok(get_user_permission_on_target(user, &self.target).await?)
   }
 }
 
-impl Resolve<ListUserTargetPermissions, User> for State {
+impl Resolve<ReadArgs> for ListUserTargetPermissions {
   async fn resolve(
-    &self,
-    ListUserTargetPermissions { user_target }: ListUserTargetPermissions,
-    user: User,
-  ) -> anyhow::Result<ListUserTargetPermissionsResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListUserTargetPermissionsResponse> {
     if !user.admin {
-      return Err(anyhow!("this method is admin only"));
+      return Err(anyhow!("this method is admin only").into());
     }
-    let (variant, id) = user_target.extract_variant_id();
-    find_collect(
-      &db_client().await.permissions,
+    let (variant, id) = self.user_target.extract_variant_id();
+    let res = find_collect(
+      &db_client().permissions,
       doc! {
         "user_target.type": variant.as_ref(),
         "user_target.id": id
@@ -67,6 +65,7 @@ impl Resolve<ListUserTargetPermissions, User> for State {
       None,
     )
     .await
-    .context("failed to query db for permissions")
+    .context("failed to query db for permissions")?;
+    Ok(res)
   }
 }

bin/core/src/api/read/procedure.rs

@@ -1,84 +1,87 @@
-use std::str::FromStr;
-
 use anyhow::Context;
-use monitor_client::{
-  api::read::{
-    GetProcedure, GetProcedureActionState,
-    GetProcedureActionStateResponse, GetProcedureResponse,
-    GetProceduresSummary, GetProceduresSummaryResponse,
-    ListProcedures, ListProceduresResponse,
-  },
+use komodo_client::{
+  api::read::*,
   entities::{
     permission::PermissionLevel,
     procedure::{Procedure, ProcedureState},
-    update::ResourceTargetVariant,
-    user::User,
   },
 };
-use mungos::{
-  find::find_collect,
-  mongodb::bson::{doc, oid::ObjectId},
-};
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_resource_ids_for_non_admin,
+  helpers::query::get_all_tags,
   resource,
-  state::{action_states, db_client, procedure_state_cache, State},
+  state::{action_states, procedure_state_cache},
 };
 
-impl Resolve<GetProcedure, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetProcedure {
   async fn resolve(
-    &self,
-    GetProcedure { procedure }: GetProcedure,
-    user: User,
-  ) -> anyhow::Result<GetProcedureResponse> {
-    resource::get_check_permissions::<Procedure>(
-      &procedure,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetProcedureResponse> {
+    Ok(
+      resource::get_check_permissions::<Procedure>(
+        &self.procedure,
+        user,
+        PermissionLevel::Read,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListProcedures {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListProceduresResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Procedure>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullProcedures {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullProceduresResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Procedure>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetProceduresSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetProceduresSummaryResponse> {
+    let procedures = resource::list_full_for_user::<Procedure>(
+      Default::default(),
+      user,
+      &[],
     )
     .await
-  }
-}
-
-impl Resolve<ListProcedures, User> for State {
-  async fn resolve(
-    &self,
-    ListProcedures { query }: ListProcedures,
-    user: User,
-  ) -> anyhow::Result<ListProceduresResponse> {
-    resource::list_for_user::<Procedure>(query, &user).await
-  }
-}
-
-impl Resolve<GetProceduresSummary, User> for State {
-  async fn resolve(
-    &self,
-    GetProceduresSummary {}: GetProceduresSummary,
-    user: User,
-  ) -> anyhow::Result<GetProceduresSummaryResponse> {
-    let query = if user.admin {
-      None
-    } else {
-      let ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Procedure,
-      )
-      .await?
-      .into_iter()
-      .flat_map(|id| ObjectId::from_str(&id))
-      .collect::<Vec<_>>();
-      let query = doc! {
-        "_id": { "$in": ids }
-      };
-      Some(query)
-    };
-
-    let procedures =
-      find_collect(&db_client().await.procedures, query, None)
-        .await
-        .context("failed to find all procedure documents")?;
+    .context("failed to get procedures from db")?;
 
     let mut res = GetProceduresSummaryResponse::default();
 
@@ -112,15 +115,14 @@ impl Resolve<GetProceduresSummary, User> for State {
   }
 }
 
-impl Resolve<GetProcedureActionState, User> for State {
+impl Resolve<ReadArgs> for GetProcedureActionState {
   async fn resolve(
-    &self,
-    GetProcedureActionState { procedure }: GetProcedureActionState,
-    user: User,
-  ) -> anyhow::Result<GetProcedureActionStateResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetProcedureActionStateResponse> {
     let procedure = resource::get_check_permissions::<Procedure>(
-      &procedure,
-      &user,
+      &self.procedure,
+      user,
       PermissionLevel::Read,
     )
     .await?;

bin/core/src/api/read/provider.rs

@@ -0,0 +1,115 @@
+use anyhow::{Context, anyhow};
+use komodo_client::api::read::*;
+use mongo_indexed::{Document, doc};
+use mungos::{
+  by_id::find_one_by_id, find::find_collect,
+  mongodb::options::FindOptions,
+};
+use resolver_api::Resolve;
+
+use crate::state::db_client;
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetGitProviderAccount {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetGitProviderAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("Only admins can read git provider accounts").into(),
+      );
+    }
+    let res = find_one_by_id(&db_client().git_accounts, &self.id)
+      .await
+      .context("failed to query db for git provider accounts")?
+      .context(
+        "did not find git provider account with the given id",
+      )?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListGitProviderAccounts {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListGitProviderAccountsResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("Only admins can read git provider accounts").into(),
+      );
+    }
+    let mut filter = Document::new();
+    if let Some(domain) = self.domain {
+      filter.insert("domain", domain);
+    }
+    if let Some(username) = self.username {
+      filter.insert("username", username);
+    }
+    let res = find_collect(
+      &db_client().git_accounts,
+      filter,
+      FindOptions::builder()
+        .sort(doc! { "domain": 1, "username": 1 })
+        .build(),
+    )
+    .await
+    .context("failed to query db for git provider accounts")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetDockerRegistryAccount {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetDockerRegistryAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("Only admins can read docker registry accounts")
+          .into(),
+      );
+    }
+    let res =
+      find_one_by_id(&db_client().registry_accounts, &self.id)
+        .await
+        .context("failed to query db for docker registry accounts")?
+        .context(
+          "did not find docker registry account with the given id",
+        )?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerRegistryAccounts {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerRegistryAccountsResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("Only admins can read docker registry accounts")
+          .into(),
+      );
+    }
+    let mut filter = Document::new();
+    if let Some(domain) = self.domain {
+      filter.insert("domain", domain);
+    }
+    if let Some(username) = self.username {
+      filter.insert("username", username);
+    }
+    let res = find_collect(
+      &db_client().registry_accounts,
+      filter,
+      FindOptions::builder()
+        .sort(doc! { "domain": 1, "username": 1 })
+        .build(),
+    )
+    .await
+    .context("failed to query db for docker registry accounts")?;
+    Ok(res)
+  }
+}

bin/core/src/api/read/repo.rs

@@ -1,61 +1,83 @@
-use std::str::FromStr;
-
 use anyhow::Context;
-use monitor_client::{
+use komodo_client::{
   api::read::*,
   entities::{
+    config::core::CoreConfig,
     permission::PermissionLevel,
     repo::{Repo, RepoActionState, RepoListItem, RepoState},
-    update::ResourceTargetVariant,
-    user::User,
   },
 };
-use mungos::{
-  find::find_collect,
-  mongodb::bson::{doc, oid::ObjectId},
-};
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_resource_ids_for_non_admin,
+  config::core_config,
+  helpers::query::get_all_tags,
   resource,
-  state::{action_states, db_client, repo_state_cache, State},
+  state::{action_states, github_client, repo_state_cache},
 };
 
-impl Resolve<GetRepo, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetRepo {
   async fn resolve(
-    &self,
-    GetRepo { repo }: GetRepo,
-    user: User,
-  ) -> anyhow::Result<Repo> {
-    resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Repo> {
+    Ok(
+      resource::get_check_permissions::<Repo>(
+        &self.repo,
+        user,
+        PermissionLevel::Read,
+      )
+      .await?,
     )
-    .await
   }
 }
 
-impl Resolve<ListRepos, User> for State {
+impl Resolve<ReadArgs> for ListRepos {
   async fn resolve(
-    &self,
-    ListRepos { query }: ListRepos,
-    user: User,
-  ) -> anyhow::Result<Vec<RepoListItem>> {
-    resource::list_for_user::<Repo>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<RepoListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Repo>(self.query, user, &all_tags)
+        .await?,
+    )
   }
 }
 
-impl Resolve<GetRepoActionState, User> for State {
+impl Resolve<ReadArgs> for ListFullRepos {
   async fn resolve(
-    &self,
-    GetRepoActionState { repo }: GetRepoActionState,
-    user: User,
-  ) -> anyhow::Result<RepoActionState> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullReposResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Repo>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetRepoActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<RepoActionState> {
     let repo = resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
+      &self.repo,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -69,32 +91,19 @@ impl Resolve<GetRepoActionState, User> for State {
   }
 }
 
-impl Resolve<GetReposSummary, User> for State {
+impl Resolve<ReadArgs> for GetReposSummary {
   async fn resolve(
-    &self,
-    GetReposSummary {}: GetReposSummary,
-    user: User,
-  ) -> anyhow::Result<GetReposSummaryResponse> {
-    let query = if user.admin {
-      None
-    } else {
-      let ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Alerter,
-      )
-      .await?
-      .into_iter()
-      .flat_map(|id| ObjectId::from_str(&id))
-      .collect::<Vec<_>>();
-      let query = doc! {
-        "_id": { "$in": ids }
-      };
-      Some(query)
-    };
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetReposSummaryResponse> {
+    let repos = resource::list_full_for_user::<Repo>(
+      Default::default(),
+      user,
+      &[],
+    )
+    .await
+    .context("failed to get repos from db")?;
 
-    let repos = find_collect(&db_client().await.repos, query, None)
-      .await
-      .context("failed to find all repo documents")?;
     let mut res = GetReposSummaryResponse::default();
 
     let cache = repo_state_cache();
@@ -118,11 +127,16 @@ impl Resolve<GetReposSummary, User> for State {
         (_, action_states) if action_states.pulling => {
           res.pulling += 1;
         }
+        (_, action_states) if action_states.building => {
+          res.building += 1;
+        }
         (RepoState::Ok, _) => res.ok += 1,
         (RepoState::Failed, _) => res.failed += 1,
         (RepoState::Unknown, _) => res.unknown += 1,
         // will never come off the cache in the building state, since that comes from action states
-        (RepoState::Cloning, _) | (RepoState::Pulling, _) => {
+        (RepoState::Cloning, _)
+        | (RepoState::Pulling, _)
+        | (RepoState::Building, _) => {
           unreachable!()
         }
       }
@@ -131,3 +145,104 @@ impl Resolve<GetReposSummary, User> for State {
     Ok(res)
   }
 }
+
+impl Resolve<ReadArgs> for GetRepoWebhooksEnabled {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetRepoWebhooksEnabledResponse> {
+    let Some(github) = github_client() else {
+      return Ok(GetRepoWebhooksEnabledResponse {
+        managed: false,
+        clone_enabled: false,
+        pull_enabled: false,
+        build_enabled: false,
+      });
+    };
+
+    let repo = resource::get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+
+    if repo.config.git_provider != "github.com"
+      || repo.config.repo.is_empty()
+    {
+      return Ok(GetRepoWebhooksEnabledResponse {
+        managed: false,
+        clone_enabled: false,
+        pull_enabled: false,
+        build_enabled: false,
+      });
+    }
+
+    let mut split = repo.config.repo.split('/');
+    let owner = split.next().context("Repo repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Ok(GetRepoWebhooksEnabledResponse {
+        managed: false,
+        clone_enabled: false,
+        pull_enabled: false,
+        build_enabled: false,
+      });
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let clone_url =
+      format!("{host}/listener/github/repo/{}/clone", repo.id);
+    let pull_url =
+      format!("{host}/listener/github/repo/{}/pull", repo.id);
+    let build_url =
+      format!("{host}/listener/github/repo/{}/build", repo.id);
+
+    let mut clone_enabled = false;
+    let mut pull_enabled = false;
+    let mut build_enabled = false;
+
+    for webhook in webhooks {
+      if !webhook.active {
+        continue;
+      }
+      if webhook.config.url == clone_url {
+        clone_enabled = true
+      }
+      if webhook.config.url == pull_url {
+        pull_enabled = true
+      }
+      if webhook.config.url == build_url {
+        build_enabled = true
+      }
+    }
+
+    Ok(GetRepoWebhooksEnabledResponse {
+      managed: true,
+      clone_enabled,
+      pull_enabled,
+      build_enabled,
+    })
+  }
+}

bin/core/src/api/read/search.rs

@@ -1,83 +0,0 @@
-use monitor_client::{
-  api::read::{FindResources, FindResourcesResponse},
-  entities::{
-    build::Build, deployment::Deployment, procedure::Procedure,
-    repo::Repo, server::Server, update::ResourceTargetVariant,
-    user::User,
-  },
-};
-use resolver_api::Resolve;
-
-use crate::{resource, state::State};
-
-const FIND_RESOURCE_TYPES: [ResourceTargetVariant; 5] = [
-  ResourceTargetVariant::Server,
-  ResourceTargetVariant::Build,
-  ResourceTargetVariant::Deployment,
-  ResourceTargetVariant::Repo,
-  ResourceTargetVariant::Procedure,
-];
-
-impl Resolve<FindResources, User> for State {
-  async fn resolve(
-    &self,
-    FindResources { query, resources }: FindResources,
-    user: User,
-  ) -> anyhow::Result<FindResourcesResponse> {
-    let mut res = FindResourcesResponse::default();
-    let resource_types = if resources.is_empty() {
-      FIND_RESOURCE_TYPES.to_vec()
-    } else {
-      resources
-        .into_iter()
-        .filter(|r| {
-          !matches!(
-            r,
-            ResourceTargetVariant::System
-              | ResourceTargetVariant::Builder
-              | ResourceTargetVariant::Alerter
-          )
-        })
-        .collect()
-    };
-    for resource_type in resource_types {
-      match resource_type {
-        ResourceTargetVariant::Server => {
-          res.servers = resource::list_for_user_using_document::<
-            Server,
-          >(query.clone(), &user)
-          .await?;
-        }
-        ResourceTargetVariant::Deployment => {
-          res.deployments = resource::list_for_user_using_document::<
-            Deployment,
-          >(query.clone(), &user)
-          .await?;
-        }
-        ResourceTargetVariant::Build => {
-          res.builds =
-            resource::list_for_user_using_document::<Build>(
-              query.clone(),
-              &user,
-            )
-            .await?;
-        }
-        ResourceTargetVariant::Repo => {
-          res.repos = resource::list_for_user_using_document::<Repo>(
-            query.clone(),
-            &user,
-          )
-          .await?;
-        }
-        ResourceTargetVariant::Procedure => {
-          res.procedures = resource::list_for_user_using_document::<
-            Procedure,
-          >(query.clone(), &user)
-          .await?;
-        }
-        _ => {}
-      }
-    }
-    Ok(res)
-  }
-}

bin/core/src/api/read/server.rs

@@ -1,48 +1,69 @@
 use std::{
-  collections::{HashMap, HashSet},
+  cmp,
+  collections::HashMap,
   sync::{Arc, OnceLock},
 };
 
-use anyhow::{anyhow, Context};
+use anyhow::{Context, anyhow};
 use async_timing_util::{
-  get_timelength_in_ms, unix_timestamp_ms, FIFTEEN_SECONDS_MS,
+  FIFTEEN_SECONDS_MS, get_timelength_in_ms, unix_timestamp_ms,
 };
-use monitor_client::{
+use komodo_client::{
   api::read::*,
   entities::{
-    deployment::ContainerSummary,
+    ResourceTarget,
+    deployment::Deployment,
+    docker::{
+      container::{
+        Container, ContainerListItem, ContainerStateStatusEnum,
+      },
+      image::{Image, ImageHistoryResponseItem},
+      network::Network,
+      volume::Volume,
+    },
     permission::PermissionLevel,
     server::{
-      docker_image::ImageSummary, docker_network::DockerNetwork,
       Server, ServerActionState, ServerListItem, ServerState,
     },
-    user::User,
+    stack::{Stack, StackServiceNames},
+    stats::{SystemInformation, SystemProcess},
+    update::Log,
   },
 };
 use mungos::{
   find::find_collect,
   mongodb::{bson::doc, options::FindOptions},
 };
-use periphery_client::api::{self, GetAccountsResponse};
-use resolver_api::{Resolve, ResolveToString};
+use periphery_client::api::{
+  self as periphery,
+  container::InspectContainer,
+  image::{ImageHistory, InspectImage},
+  network::InspectNetwork,
+  volume::InspectVolume,
+};
+use resolver_api::Resolve;
 use tokio::sync::Mutex;
 
 use crate::{
-  config::core_config,
-  helpers::periphery_client,
+  helpers::{periphery_client, query::get_all_tags},
   resource,
-  state::{action_states, db_client, server_status_cache, State},
+  stack::compose_container_match_regex,
+  state::{action_states, db_client, server_status_cache},
 };
 
-impl Resolve<GetServersSummary, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetServersSummary {
   async fn resolve(
-    &self,
-    GetServersSummary {}: GetServersSummary,
-    user: User,
-  ) -> anyhow::Result<GetServersSummaryResponse> {
-    let servers =
-      resource::list_for_user::<Server>(Default::default(), &user)
-        .await?;
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetServersSummaryResponse> {
+    let servers = resource::list_for_user::<Server>(
+      Default::default(),
+      user,
+      &[],
+    )
+    .await?;
     let mut res = GetServersSummaryResponse::default();
     for server in servers {
       res.total += 1;
@@ -62,15 +83,14 @@ impl Resolve<GetServersSummary, User> for State {
   }
 }
 
-impl Resolve<GetPeripheryVersion, User> for State {
+impl Resolve<ReadArgs> for GetPeripheryVersion {
   async fn resolve(
-    &self,
-    req: GetPeripheryVersion,
-    user: User,
-  ) -> anyhow::Result<GetPeripheryVersionResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetPeripheryVersionResponse> {
     let server = resource::get_check_permissions::<Server>(
-      &req.server,
-      &user,
+      &self.server,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -83,40 +103,66 @@ impl Resolve<GetPeripheryVersion, User> for State {
   }
 }
 
-impl Resolve<GetServer, User> for State {
+impl Resolve<ReadArgs> for GetServer {
   async fn resolve(
-    &self,
-    req: GetServer,
-    user: User,
-  ) -> anyhow::Result<Server> {
-    resource::get_check_permissions::<Server>(
-      &req.server,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Server> {
+    Ok(
+      resource::get_check_permissions::<Server>(
+        &self.server,
+        user,
+        PermissionLevel::Read,
+      )
+      .await?,
     )
-    .await
   }
 }
 
-impl Resolve<ListServers, User> for State {
+impl Resolve<ReadArgs> for ListServers {
   async fn resolve(
-    &self,
-    ListServers { query }: ListServers,
-    user: User,
-  ) -> anyhow::Result<Vec<ServerListItem>> {
-    resource::list_for_user::<Server>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<ServerListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Server>(self.query, user, &all_tags)
+        .await?,
+    )
   }
 }
 
-impl Resolve<GetServerState, User> for State {
+impl Resolve<ReadArgs> for ListFullServers {
   async fn resolve(
-    &self,
-    GetServerState { server }: GetServerState,
-    user: User,
-  ) -> anyhow::Result<GetServerStateResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullServersResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Server>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetServerState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetServerStateResponse> {
     let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
+      &self.server,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -131,15 +177,14 @@ impl Resolve<GetServerState, User> for State {
   }
 }
 
-impl Resolve<GetServerActionState, User> for State {
+impl Resolve<ReadArgs> for GetServerActionState {
   async fn resolve(
-    &self,
-    GetServerActionState { server }: GetServerActionState,
-    user: User,
-  ) -> anyhow::Result<ServerActionState> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ServerActionState> {
     let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
+      &self.server,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -155,22 +200,22 @@ impl Resolve<GetServerActionState, User> for State {
 
 // This protects the peripheries from spam requests
 const SYSTEM_INFO_EXPIRY: u128 = FIFTEEN_SECONDS_MS;
-type SystemInfoCache = Mutex<HashMap<String, Arc<(String, u128)>>>;
+type SystemInfoCache =
+  Mutex<HashMap<String, Arc<(SystemInformation, u128)>>>;
 fn system_info_cache() -> &'static SystemInfoCache {
   static SYSTEM_INFO_CACHE: OnceLock<SystemInfoCache> =
     OnceLock::new();
   SYSTEM_INFO_CACHE.get_or_init(Default::default)
 }
 
-impl ResolveToString<GetSystemInformation, User> for State {
-  async fn resolve_to_string(
-    &self,
-    GetSystemInformation { server }: GetSystemInformation,
-    user: User,
-  ) -> anyhow::Result<String> {
+impl Resolve<ReadArgs> for GetSystemInformation {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<SystemInformation> {
     let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
+      &self.server,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -182,30 +227,28 @@ impl ResolveToString<GetSystemInformation, User> for State {
       }
       _ => {
         let stats = periphery_client(&server)?
-          .request(api::stats::GetSystemInformation {})
+          .request(periphery::stats::GetSystemInformation {})
           .await?;
-        let res = serde_json::to_string(&stats)?;
         lock.insert(
           server.id,
-          (res.clone(), unix_timestamp_ms() + SYSTEM_INFO_EXPIRY)
+          (stats.clone(), unix_timestamp_ms() + SYSTEM_INFO_EXPIRY)
             .into(),
         );
-        res
+        stats
       }
     };
     Ok(res)
   }
 }
 
-impl ResolveToString<GetSystemStats, User> for State {
-  async fn resolve_to_string(
-    &self,
-    GetSystemStats { server }: GetSystemStats,
-    user: User,
-  ) -> anyhow::Result<String> {
+impl Resolve<ReadArgs> for GetSystemStats {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetSystemStatsResponse> {
     let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
+      &self.server,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -217,28 +260,27 @@ impl ResolveToString<GetSystemStats, User> for State {
       .stats
       .as_ref()
       .context("server stats not available")?;
-    let stats = serde_json::to_string(&stats)?;
-    Ok(stats)
+    Ok(stats.clone())
   }
 }
 
 // This protects the peripheries from spam requests
 const PROCESSES_EXPIRY: u128 = FIFTEEN_SECONDS_MS;
-type ProcessesCache = Mutex<HashMap<String, Arc<(String, u128)>>>;
+type ProcessesCache =
+  Mutex<HashMap<String, Arc<(Vec<SystemProcess>, u128)>>>;
 fn processes_cache() -> &'static ProcessesCache {
   static PROCESSES_CACHE: OnceLock<ProcessesCache> = OnceLock::new();
   PROCESSES_CACHE.get_or_init(Default::default)
 }
 
-impl ResolveToString<GetSystemProcesses, User> for State {
-  async fn resolve_to_string(
-    &self,
-    GetSystemProcesses { server }: GetSystemProcesses,
-    user: User,
-  ) -> anyhow::Result<String> {
+impl Resolve<ReadArgs> for ListSystemProcesses {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListSystemProcessesResponse> {
     let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
+      &self.server,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -249,36 +291,35 @@ impl ResolveToString<GetSystemProcesses, User> for State {
       }
       _ => {
         let stats = periphery_client(&server)?
-          .request(api::stats::GetSystemProcesses {})
+          .request(periphery::stats::GetSystemProcesses {})
           .await?;
-        let res = serde_json::to_string(&stats)?;
         lock.insert(
           server.id,
-          (res.clone(), unix_timestamp_ms() + PROCESSES_EXPIRY)
+          (stats.clone(), unix_timestamp_ms() + PROCESSES_EXPIRY)
             .into(),
         );
-        res
+        stats
       }
     };
     Ok(res)
   }
 }
 
-const STATS_PER_PAGE: i64 = 500;
+const STATS_PER_PAGE: i64 = 200;
 
-impl Resolve<GetHistoricalServerStats, User> for State {
+impl Resolve<ReadArgs> for GetHistoricalServerStats {
   async fn resolve(
-    &self,
-    GetHistoricalServerStats {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetHistoricalServerStatsResponse> {
+    let GetHistoricalServerStats {
       server,
       granularity,
       page,
-    }: GetHistoricalServerStats,
-    user: User,
-  ) -> anyhow::Result<GetHistoricalServerStatsResponse> {
+    } = self;
     let server = resource::get_check_permissions::<Server>(
       &server,
-      &user,
+      user,
       PermissionLevel::Read,
     )
     .await?;
@@ -296,7 +337,7 @@ impl Resolve<GetHistoricalServerStats, User> for State {
     }
 
     let stats = find_collect(
-      &db_client().await.stats,
+      &db_client().stats,
       doc! {
         "sid": server.id,
         "ts": { "$in": ts_vec },
@@ -319,116 +360,455 @@ impl Resolve<GetHistoricalServerStats, User> for State {
   }
 }
 
-impl Resolve<GetDockerImages, User> for State {
+impl Resolve<ReadArgs> for ListDockerContainers {
   async fn resolve(
-    &self,
-    GetDockerImages { server }: GetDockerImages,
-    user: User,
-  ) -> anyhow::Result<Vec<ImageSummary>> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerContainersResponse> {
     let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
+      &self.server,
+      user,
       PermissionLevel::Read,
     )
     .await?;
-    periphery_client(&server)?
-      .request(api::build::GetImageList {})
-      .await
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(containers) = &cache.containers {
+      Ok(containers.clone())
+    } else {
+      Ok(Vec::new())
+    }
   }
 }
 
-impl Resolve<GetDockerNetworks, User> for State {
+impl Resolve<ReadArgs> for ListAllDockerContainers {
   async fn resolve(
-    &self,
-    GetDockerNetworks { server }: GetDockerNetworks,
-    user: User,
-  ) -> anyhow::Result<Vec<DockerNetwork>> {
-    let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListAllDockerContainersResponse> {
+    let servers = resource::list_for_user::<Server>(
+      Default::default(),
+      user,
+      &[],
     )
-    .await?;
-    periphery_client(&server)?
-      .request(api::network::GetNetworkList {})
-      .await
+    .await?
+    .into_iter()
+    .filter(|server| {
+      self.servers.is_empty()
+        || self.servers.contains(&server.id)
+        || self.servers.contains(&server.name)
+    });
+
+    let mut containers = Vec::<ContainerListItem>::new();
+
+    for server in servers {
+      let cache = server_status_cache()
+        .get_or_insert_default(&server.id)
+        .await;
+      if let Some(more_containers) = &cache.containers {
+        containers.extend(more_containers.clone());
+      }
+    }
+
+    Ok(containers)
   }
 }
 
-impl Resolve<GetDockerContainers, User> for State {
+impl Resolve<ReadArgs> for GetDockerContainersSummary {
   async fn resolve(
-    &self,
-    GetDockerContainers { server }: GetDockerContainers,
-    user: User,
-  ) -> anyhow::Result<Vec<ContainerSummary>> {
-    let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetDockerContainersSummaryResponse> {
+    let servers = resource::list_full_for_user::<Server>(
+      Default::default(),
+      user,
+      &[],
     )
-    .await?;
-    periphery_client(&server)?
-      .request(api::container::GetContainerList {})
-      .await
-  }
-}
+    .await
+    .context("failed to get servers from db")?;
 
-impl Resolve<GetAvailableAccounts, User> for State {
-  async fn resolve(
-    &self,
-    GetAvailableAccounts { server }: GetAvailableAccounts,
-    user: User,
-  ) -> anyhow::Result<GetAvailableAccountsResponse> {
-    let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await?;
+    let mut res = GetDockerContainersSummaryResponse::default();
 
-    let GetAccountsResponse { github, docker } =
-      periphery_client(&server)?
-        .request(api::GetAccounts {})
-        .await
-        .context("failed to get accounts from periphery")?;
+    for server in servers {
+      let cache = server_status_cache()
+        .get_or_insert_default(&server.id)
+        .await;
 
-    let mut github_set = HashSet::<String>::new();
+      if let Some(containers) = &cache.containers {
+        for container in containers {
+          res.total += 1;
+          match container.state {
+            ContainerStateStatusEnum::Created
+            | ContainerStateStatusEnum::Paused
+            | ContainerStateStatusEnum::Exited => res.stopped += 1,
+            ContainerStateStatusEnum::Running => res.running += 1,
+            ContainerStateStatusEnum::Empty => res.unknown += 1,
+            _ => res.unhealthy += 1,
+          }
+        }
+      }
+    }
 
-    github_set.extend(core_config().github_accounts.keys().cloned());
-    github_set.extend(github);
-
-    let mut github = github_set.into_iter().collect::<Vec<_>>();
-    github.sort();
-
-    let mut docker_set = HashSet::<String>::new();
-
-    docker_set.extend(core_config().docker_accounts.keys().cloned());
-    docker_set.extend(docker);
-
-    let mut docker = docker_set.into_iter().collect::<Vec<_>>();
-    docker.sort();
-
-    let res = GetAvailableAccountsResponse { github, docker };
     Ok(res)
   }
 }
 
-impl Resolve<GetAvailableSecrets, User> for State {
+impl Resolve<ReadArgs> for InspectDockerContainer {
   async fn resolve(
-    &self,
-    GetAvailableSecrets { server }: GetAvailableSecrets,
-    user: User,
-  ) -> anyhow::Result<GetAvailableSecretsResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Container> {
     let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
+      &self.server,
+      user,
       PermissionLevel::Read,
     )
     .await?;
-    let secrets = periphery_client(&server)?
-      .request(api::GetSecrets {})
-      .await
-      .context("failed to get accounts from periphery")?;
-    Ok(secrets)
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect container: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectContainer {
+        name: self.container,
+      })
+      .await?;
+    Ok(res)
+  }
+}
+
+const MAX_LOG_LENGTH: u64 = 5000;
+
+impl Resolve<ReadArgs> for GetContainerLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Log> {
+    let GetContainerLog {
+      server,
+      container,
+      tail,
+      timestamps,
+    } = self;
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let res = periphery_client(&server)?
+      .request(periphery::container::GetContainerLog {
+        name: container,
+        tail: cmp::min(tail, MAX_LOG_LENGTH),
+        timestamps,
+      })
+      .await
+      .context("failed at call to periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for SearchContainerLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Log> {
+    let SearchContainerLog {
+      server,
+      container,
+      terms,
+      combinator,
+      invert,
+      timestamps,
+    } = self;
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let res = periphery_client(&server)?
+      .request(periphery::container::GetContainerLogSearch {
+        name: container,
+        terms,
+        combinator,
+        invert,
+        timestamps,
+      })
+      .await
+      .context("failed at call to periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetResourceMatchingContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetResourceMatchingContainerResponse> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    // first check deployments
+    if let Ok(deployment) =
+      resource::get::<Deployment>(&self.container).await
+    {
+      return Ok(GetResourceMatchingContainerResponse {
+        resource: ResourceTarget::Deployment(deployment.id).into(),
+      });
+    }
+
+    // then check stacks
+    let stacks =
+      resource::list_full_for_user_using_document::<Stack>(
+        doc! { "config.server_id": &server.id },
+        user,
+      )
+      .await?;
+
+    // check matching stack
+    for stack in stacks {
+      for StackServiceNames {
+        service_name,
+        container_name,
+        ..
+      } in stack
+        .info
+        .deployed_services
+        .unwrap_or(stack.info.latest_services)
+      {
+        let is_match = match compose_container_match_regex(&container_name)
+          .with_context(|| format!("failed to construct container name matching regex for service {service_name}")) 
+        {
+          Ok(regex) => regex,
+          Err(e) => {
+            warn!("{e:#}");
+            continue;
+          }
+        }.is_match(&self.container);
+
+        if is_match {
+          return Ok(GetResourceMatchingContainerResponse {
+            resource: ResourceTarget::Stack(stack.id).into(),
+          });
+        }
+      }
+    }
+
+    Ok(GetResourceMatchingContainerResponse { resource: None })
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerNetworks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerNetworksResponse> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(networks) = &cache.networks {
+      Ok(networks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDockerNetwork {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Network> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect network: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectNetwork { name: self.network })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerImages {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerImagesResponse> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(images) = &cache.images {
+      Ok(images.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDockerImage {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Image> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!("Cannot inspect image: server is {:?}", cache.state)
+          .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectImage { name: self.image })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerImageHistory {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<ImageHistoryResponseItem>> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot get image history: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(ImageHistory { name: self.image })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListDockerVolumes {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListDockerVolumesResponse> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(volumes) = &cache.volumes {
+      Ok(volumes.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDockerVolume {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Volume> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!("Cannot inspect volume: server is {:?}", cache.state)
+          .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectVolume { name: self.volume })
+      .await?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListComposeProjects {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListComposeProjectsResponse> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if let Some(projects) = &cache.projects {
+      Ok(projects.clone())
+    } else {
+      Ok(Vec::new())
+    }
   }
 }

bin/core/src/api/read/server_template.rs

@@ -1,77 +1,94 @@
-use std::str::FromStr;
-
 use anyhow::Context;
-use monitor_client::{
-  api::read::{
-    GetServerTemplate, GetServerTemplateResponse,
-    GetServerTemplatesSummary, GetServerTemplatesSummaryResponse,
-    ListServerTemplates, ListServerTemplatesResponse,
-  },
+use komodo_client::{
+  api::read::*,
   entities::{
     permission::PermissionLevel, server_template::ServerTemplate,
-    update::ResourceTargetVariant, user::User,
   },
 };
-use mungos::mongodb::bson::{doc, oid::ObjectId};
+use mongo_indexed::Document;
+use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_resource_ids_for_non_admin, resource, state::{db_client, State}
+  helpers::query::get_all_tags, resource, state::db_client,
 };
 
-impl Resolve<GetServerTemplate, User> for State {
-  async fn resolve(
-    &self,
-    GetServerTemplate { server_template }: GetServerTemplate,
-    user: User,
-  ) -> anyhow::Result<GetServerTemplateResponse> {
-    resource::get_check_permissions::<ServerTemplate>(
-      &server_template,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await
-  }
-}
+use super::ReadArgs;
 
-impl Resolve<ListServerTemplates, User> for State {
+impl Resolve<ReadArgs> for GetServerTemplate {
   async fn resolve(
-    &self,
-    ListServerTemplates { query }: ListServerTemplates,
-    user: User,
-  ) -> anyhow::Result<ListServerTemplatesResponse> {
-    resource::list_for_user::<ServerTemplate>(query, &user).await
-  }
-}
-
-impl Resolve<GetServerTemplatesSummary, User> for State {
-  async fn resolve(
-    &self,
-    GetServerTemplatesSummary {}: GetServerTemplatesSummary,
-    user: User,
-  ) -> anyhow::Result<GetServerTemplatesSummaryResponse> {
-    let query = if user.admin {
-      None
-    } else {
-      let ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::ServerTemplate,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetServerTemplateResponse> {
+    Ok(
+      resource::get_check_permissions::<ServerTemplate>(
+        &self.server_template,
+        user,
+        PermissionLevel::Read,
       )
-      .await?
-      .into_iter()
-      .flat_map(|id| ObjectId::from_str(&id))
-      .collect::<Vec<_>>();
-      let query = doc! {
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListServerTemplates {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListServerTemplatesResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<ServerTemplate>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullServerTemplates {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullServerTemplatesResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<ServerTemplate>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetServerTemplatesSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetServerTemplatesSummaryResponse> {
+    let query = match resource::get_resource_object_ids_for_user::<
+      ServerTemplate,
+    >(user)
+    .await?
+    {
+      Some(ids) => doc! {
         "_id": { "$in": ids }
-      };
-      Some(query)
+      },
+      None => Document::new(),
     };
     let total = db_client()
+      .server_templates
+      .count_documents(query)
       .await
-      .builders
-      .count_documents(query, None)
-      .await
-      .context("failed to count all builder documents")?;
+      .context("failed to count all server template documents")?;
     let res = GetServerTemplatesSummaryResponse {
       total: total as u32,
     };

bin/core/src/api/read/stack.rs

@@ -0,0 +1,378 @@
+use std::collections::HashSet;
+
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    stack::{Stack, StackActionState, StackListItem, StackState},
+  },
+};
+use periphery_client::api::compose::{
+  GetComposeLog, GetComposeLogSearch,
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::{periphery_client, query::get_all_tags},
+  resource,
+  stack::get_stack_and_server,
+  state::{action_states, github_client, stack_status_cache},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetStack {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Stack> {
+    Ok(
+      resource::get_check_permissions::<Stack>(
+        &self.stack,
+        user,
+        PermissionLevel::Read,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListStackServices {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListStackServicesResponse> {
+    let stack = resource::get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+
+    let services = stack_status_cache()
+      .get(&stack.id)
+      .await
+      .unwrap_or_default()
+      .curr
+      .services
+      .clone();
+
+    Ok(services)
+  }
+}
+
+impl Resolve<ReadArgs> for GetStackLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetStackLogResponse> {
+    let GetStackLog {
+      stack,
+      services,
+      tail,
+      timestamps,
+    } = self;
+    let (stack, server) =
+      get_stack_and_server(&stack, user, PermissionLevel::Read, true)
+        .await?;
+    let res = periphery_client(&server)?
+      .request(GetComposeLog {
+        project: stack.project_name(false),
+        services,
+        tail,
+        timestamps,
+      })
+      .await
+      .context("Failed to get stack log from periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for SearchStackLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<SearchStackLogResponse> {
+    let SearchStackLog {
+      stack,
+      services,
+      terms,
+      combinator,
+      invert,
+      timestamps,
+    } = self;
+    let (stack, server) =
+      get_stack_and_server(&stack, user, PermissionLevel::Read, true)
+        .await?;
+    let res = periphery_client(&server)?
+      .request(GetComposeLogSearch {
+        project: stack.project_name(false),
+        services,
+        terms,
+        combinator,
+        invert,
+        timestamps,
+      })
+      .await
+      .context("Failed to search stack log from periphery")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListCommonStackExtraArgs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListCommonStackExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let stacks = resource::list_full_for_user::<Stack>(
+      self.query, user, &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;
+
+    // first collect with guaranteed uniqueness
+    let mut res = HashSet::<String>::new();
+
+    for stack in stacks {
+      for extra_arg in stack.config.extra_args {
+        res.insert(extra_arg);
+      }
+    }
+
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListCommonStackBuildExtraArgs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListCommonStackBuildExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let stacks = resource::list_full_for_user::<Stack>(
+      self.query, user, &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;
+
+    // first collect with guaranteed uniqueness
+    let mut res = HashSet::<String>::new();
+
+    for stack in stacks {
+      for extra_arg in stack.config.build_extra_args {
+        res.insert(extra_arg);
+      }
+    }
+
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for ListStacks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<StackListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let only_update_available = self.query.specific.update_available;
+    let stacks =
+      resource::list_for_user::<Stack>(self.query, user, &all_tags)
+        .await?;
+    let stacks = if only_update_available {
+      stacks
+        .into_iter()
+        .filter(|stack| {
+          stack
+            .info
+            .services
+            .iter()
+            .any(|service| service.update_available)
+        })
+        .collect()
+    } else {
+      stacks
+    };
+    Ok(stacks)
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullStacks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullStacksResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Stack>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetStackActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<StackActionState> {
+    let stack = resource::get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .stack
+      .get(&stack.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetStacksSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetStacksSummaryResponse> {
+    let stacks = resource::list_full_for_user::<Stack>(
+      Default::default(),
+      user,
+      &[],
+    )
+    .await
+    .context("failed to get stacks from db")?;
+
+    let mut res = GetStacksSummaryResponse::default();
+
+    let cache = stack_status_cache();
+
+    for stack in stacks {
+      res.total += 1;
+      match cache.get(&stack.id).await.unwrap_or_default().curr.state
+      {
+        StackState::Running => res.running += 1,
+        StackState::Stopped | StackState::Paused => res.stopped += 1,
+        StackState::Down => res.down += 1,
+        StackState::Unknown => res.unknown += 1,
+        _ => res.unhealthy += 1,
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetStackWebhooksEnabled {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetStackWebhooksEnabledResponse> {
+    let Some(github) = github_client() else {
+      return Ok(GetStackWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        deploy_enabled: false,
+      });
+    };
+
+    let stack = resource::get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+
+    if stack.config.git_provider != "github.com"
+      || stack.config.repo.is_empty()
+    {
+      return Ok(GetStackWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        deploy_enabled: false,
+      });
+    }
+
+    let mut split = stack.config.repo.split('/');
+    let owner = split.next().context("Sync repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Ok(GetStackWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        deploy_enabled: false,
+      });
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let refresh_url =
+      format!("{host}/listener/github/stack/{}/refresh", stack.id);
+    let deploy_url =
+      format!("{host}/listener/github/stack/{}/deploy", stack.id);
+
+    let mut refresh_enabled = false;
+    let mut deploy_enabled = false;
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == refresh_url {
+        refresh_enabled = true
+      }
+      if webhook.active && webhook.config.url == deploy_url {
+        deploy_enabled = true
+      }
+    }
+
+    Ok(GetStackWebhooksEnabledResponse {
+      managed: true,
+      refresh_enabled,
+      deploy_enabled,
+    })
+  }
+}

bin/core/src/api/read/sync.rs

@@ -0,0 +1,236 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    sync::{
+      ResourceSync, ResourceSyncActionState, ResourceSyncListItem,
+    },
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::query::get_all_tags,
+  resource,
+  state::{action_states, github_client},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetResourceSync {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ResourceSync> {
+    Ok(
+      resource::get_check_permissions::<ResourceSync>(
+        &self.sync,
+        user,
+        PermissionLevel::Read,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListResourceSyncs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Vec<ResourceSyncListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<ResourceSync>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullResourceSyncs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListFullResourceSyncsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<ResourceSync>(
+        self.query, user, &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetResourceSyncActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ResourceSyncActionState> {
+    let sync = resource::get_check_permissions::<ResourceSync>(
+      &self.sync,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .resource_sync
+      .get(&sync.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetResourceSyncsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetResourceSyncsSummaryResponse> {
+    let resource_syncs =
+      resource::list_full_for_user::<ResourceSync>(
+        Default::default(),
+        user,
+        &[],
+      )
+      .await
+      .context("failed to get resource_syncs from db")?;
+
+    let mut res = GetResourceSyncsSummaryResponse::default();
+
+    let action_states = action_states();
+
+    for resource_sync in resource_syncs {
+      res.total += 1;
+
+      if !(resource_sync.info.pending_deploy.to_deploy == 0
+        && resource_sync.info.resource_updates.is_empty()
+        && resource_sync.info.variable_updates.is_empty()
+        && resource_sync.info.user_group_updates.is_empty())
+      {
+        res.pending += 1;
+        continue;
+      } else if resource_sync.info.pending_error.is_some()
+        || !resource_sync.info.remote_errors.is_empty()
+      {
+        res.failed += 1;
+        continue;
+      }
+      if action_states
+        .resource_sync
+        .get(&resource_sync.id)
+        .await
+        .unwrap_or_default()
+        .get()?
+        .syncing
+      {
+        res.syncing += 1;
+        continue;
+      }
+      res.ok += 1;
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSyncWebhooksEnabled {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetSyncWebhooksEnabledResponse> {
+    let Some(github) = github_client() else {
+      return Ok(GetSyncWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        sync_enabled: false,
+      });
+    };
+
+    let sync = resource::get_check_permissions::<ResourceSync>(
+      &self.sync,
+      user,
+      PermissionLevel::Read,
+    )
+    .await?;
+
+    if sync.config.git_provider != "github.com"
+      || sync.config.repo.is_empty()
+    {
+      return Ok(GetSyncWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        sync_enabled: false,
+      });
+    }
+
+    let mut split = sync.config.repo.split('/');
+    let owner = split.next().context("Sync repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Ok(GetSyncWebhooksEnabledResponse {
+        managed: false,
+        refresh_enabled: false,
+        sync_enabled: false,
+      });
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let refresh_url =
+      format!("{host}/listener/github/sync/{}/refresh", sync.id);
+    let sync_url =
+      format!("{host}/listener/github/sync/{}/sync", sync.id);
+
+    let mut refresh_enabled = false;
+    let mut sync_enabled = false;
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == refresh_url {
+        refresh_enabled = true
+      }
+      if webhook.active && webhook.config.url == sync_url {
+        sync_enabled = true
+      }
+    }
+
+    Ok(GetSyncWebhooksEnabledResponse {
+      managed: true,
+      refresh_enabled,
+      sync_enabled,
+    })
+  }
+}

bin/core/src/api/read/tag.rs

@@ -1,34 +1,31 @@
 use anyhow::Context;
-use monitor_client::{
+use komodo_client::{
   api::read::{GetTag, ListTags},
-  entities::{tag::Tag, user::User},
+  entities::tag::Tag,
 };
-use mungos::find::find_collect;
+use mongo_indexed::doc;
+use mungos::{find::find_collect, mongodb::options::FindOptions};
 use resolver_api::Resolve;
 
-use crate::{
-  helpers::query::get_tag,
-  state::{db_client, State},
-};
+use crate::{helpers::query::get_tag, state::db_client};
 
-impl Resolve<GetTag, User> for State {
-  async fn resolve(
-    &self,
-    GetTag { tag }: GetTag,
-    _: User,
-  ) -> anyhow::Result<Tag> {
-    get_tag(&tag).await
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetTag {
+  async fn resolve(self, _: &ReadArgs) -> serror::Result<Tag> {
+    Ok(get_tag(&self.tag).await?)
   }
 }
 
-impl Resolve<ListTags, User> for State {
-  async fn resolve(
-    &self,
-    ListTags { query }: ListTags,
-    _: User,
-  ) -> anyhow::Result<Vec<Tag>> {
-    find_collect(&db_client().await.tags, query, None)
-      .await
-      .context("failed to get tags from db")
+impl Resolve<ReadArgs> for ListTags {
+  async fn resolve(self, _: &ReadArgs) -> serror::Result<Vec<Tag>> {
+    let res = find_collect(
+      &db_client().tags,
+      self.query,
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to get tags from db")?;
+    Ok(res)
   }
 }

bin/core/src/api/read/toml.rs

@@ -1,467 +1,545 @@
-use std::collections::HashMap;
-
 use anyhow::Context;
-use monitor_client::{
-  api::{
-    execute::Execution,
-    read::{
-      ExportAllResourcesToToml, ExportAllResourcesToTomlResponse,
-      ExportResourcesToToml, ExportResourcesToTomlResponse,
-      GetUserGroup, ListUserTargetPermissions,
-    },
+use komodo_client::{
+  api::read::{
+    ExportAllResourcesToToml, ExportAllResourcesToTomlResponse,
+    ExportResourcesToToml, ExportResourcesToTomlResponse,
+    ListUserGroups,
   },
   entities::{
-    alerter::Alerter,
-    build::Build,
-    builder::{Builder, BuilderConfig},
-    deployment::{Deployment, DeploymentImage},
-    permission::{PermissionLevel, UserTarget},
-    procedure::Procedure,
-    repo::Repo,
-    resource::Resource,
-    server::Server,
-    server_template::ServerTemplate,
-    toml::{
-      PermissionToml, ResourceToml, ResourcesToml, UserGroupToml,
-    },
-    update::ResourceTarget,
-    user::User,
+    ResourceTarget, action::Action, alerter::Alerter, build::Build,
+    builder::Builder, deployment::Deployment,
+    permission::PermissionLevel, procedure::Procedure, repo::Repo,
+    resource::ResourceQuery, server::Server,
+    server_template::ServerTemplate, stack::Stack,
+    sync::ResourceSync, toml::ResourcesToml, user::User,
   },
 };
 use mungos::find::find_collect;
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_user_user_group_ids,
+  helpers::query::{
+    get_all_tags, get_id_to_tags, get_user_user_group_ids,
+  },
   resource,
-  state::{db_client, State},
+  state::db_client,
+  sync::{
+    AllResourcesById,
+    toml::{TOML_PRETTY_OPTIONS, ToToml, convert_resource},
+    user_groups::convert_user_groups,
+  },
 };
 
-impl Resolve<ExportAllResourcesToToml, User> for State {
-  async fn resolve(
-    &self,
-    ExportAllResourcesToToml {}: ExportAllResourcesToToml,
-    user: User,
-  ) -> anyhow::Result<ExportAllResourcesToTomlResponse> {
-    let mut targets = Vec::<ResourceTarget>::new();
+use super::ReadArgs;
 
-    targets.extend(
-      resource::list_for_user::<Alerter>(Default::default(), &user)
-        .await?
-        .into_iter()
-        .map(|resource| ResourceTarget::Alerter(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Builder>(Default::default(), &user)
-        .await?
-        .into_iter()
-        .map(|resource| ResourceTarget::Builder(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Server>(Default::default(), &user)
-        .await?
-        .into_iter()
-        .map(|resource| ResourceTarget::Server(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Deployment>(
-        Default::default(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::Deployment(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Build>(Default::default(), &user)
-        .await?
-        .into_iter()
-        .map(|resource| ResourceTarget::Build(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Repo>(Default::default(), &user)
-        .await?
-        .into_iter()
-        .map(|resource| ResourceTarget::Repo(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Procedure>(Default::default(), &user)
-        .await?
-        .into_iter()
-        .map(|resource| ResourceTarget::Procedure(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<ServerTemplate>(
-        Default::default(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::ServerTemplate(resource.id)),
-    );
-
-    let user_groups = if user.admin {
-      find_collect(&db_client().await.user_groups, None, None)
-        .await
-        .context("failed to query db for user groups")?
-        .into_iter()
-        .map(|user_group| user_group.id)
-        .collect()
-    } else {
-      get_user_user_group_ids(&user.id).await?
-    };
-
-    self
-      .resolve(
-        ExportResourcesToToml {
-          targets,
-          user_groups,
-        },
-        user,
-      )
-      .await
-  }
+async fn get_all_targets(
+  tags: &[String],
+  user: &User,
+) -> anyhow::Result<Vec<ResourceTarget>> {
+  let mut targets = Vec::<ResourceTarget>::new();
+  let all_tags = if tags.is_empty() {
+    vec![]
+  } else {
+    get_all_tags(None).await?
+  };
+  targets.extend(
+    resource::list_for_user::<Alerter>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Alerter(resource.id)),
+  );
+  targets.extend(
+    resource::list_for_user::<Builder>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Builder(resource.id)),
+  );
+  targets.extend(
+    resource::list_for_user::<Server>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Server(resource.id)),
+  );
+  targets.extend(
+    resource::list_for_user::<Stack>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Stack(resource.id)),
+  );
+  targets.extend(
+    resource::list_for_user::<Deployment>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Deployment(resource.id)),
+  );
+  targets.extend(
+    resource::list_for_user::<Build>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Build(resource.id)),
+  );
+  targets.extend(
+    resource::list_for_user::<Repo>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Repo(resource.id)),
+  );
+  targets.extend(
+    resource::list_for_user::<Procedure>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Procedure(resource.id)),
+  );
+  targets.extend(
+    resource::list_for_user::<Action>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Action(resource.id)),
+  );
+  targets.extend(
+    resource::list_for_user::<ServerTemplate>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::ServerTemplate(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<ResourceSync>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    // These will already be filtered by [ExportResourcesToToml]
+    .map(|resource| ResourceTarget::ResourceSync(resource.id)),
+  );
+  Ok(targets)
 }
 
-impl Resolve<ExportResourcesToToml, User> for State {
+impl Resolve<ReadArgs> for ExportAllResourcesToToml {
   async fn resolve(
-    &self,
+    self,
+    args: &ReadArgs,
+  ) -> serror::Result<ExportAllResourcesToTomlResponse> {
+    let targets = if self.include_resources {
+      get_all_targets(&self.tags, &args.user).await?
+    } else {
+      Vec::new()
+    };
+
+    let user_groups = if self.include_user_groups {
+      if args.user.admin {
+        find_collect(&db_client().user_groups, None, None)
+          .await
+          .context("failed to query db for user groups")?
+          .into_iter()
+          .map(|user_group| user_group.id)
+          .collect()
+      } else {
+        get_user_user_group_ids(&args.user.id).await?
+      }
+    } else {
+      Vec::new()
+    };
+
     ExportResourcesToToml {
       targets,
       user_groups,
-    }: ExportResourcesToToml,
-    user: User,
-  ) -> anyhow::Result<ExportResourcesToTomlResponse> {
+      include_variables: self.include_variables,
+    }
+    .resolve(args)
+    .await
+  }
+}
+
+impl Resolve<ReadArgs> for ExportResourcesToToml {
+  async fn resolve(
+    self,
+    args: &ReadArgs,
+  ) -> serror::Result<ExportResourcesToTomlResponse> {
+    let ExportResourcesToToml {
+      targets,
+      user_groups,
+      include_variables,
+    } = self;
     let mut res = ResourcesToml::default();
-    let names = ResourceNames::new()
-      .await
-      .context("failed to init resource name maps")?;
+    let all = AllResourcesById::load().await?;
+    let id_to_tags = get_id_to_tags(None).await?;
+    let ReadArgs { user } = args;
     for target in targets {
       match target {
         ResourceTarget::Alerter(id) => {
           let alerter = resource::get_check_permissions::<Alerter>(
             &id,
-            &user,
+            user,
             PermissionLevel::Read,
           )
           .await?;
-          res.alerters.push(convert_resource(alerter, &names.tags))
+          res.alerters.push(convert_resource::<Alerter>(
+            alerter,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::ResourceSync(id) => {
+          let sync = resource::get_check_permissions::<ResourceSync>(
+            &id,
+            user,
+            PermissionLevel::Read,
+          )
+          .await?;
+          if sync.config.file_contents.is_empty()
+            && (sync.config.files_on_host
+              || !sync.config.repo.is_empty())
+          {
+            res.resource_syncs.push(convert_resource::<ResourceSync>(
+              sync,
+              false,
+              vec![],
+              &id_to_tags,
+            ))
+          }
         }
         ResourceTarget::ServerTemplate(id) => {
           let template = resource::get_check_permissions::<
             ServerTemplate,
-          >(
-            &id, &user, PermissionLevel::Read
-          )
+          >(&id, user, PermissionLevel::Read)
           .await?;
-          res
-            .server_templates
-            .push(convert_resource(template, &names.tags))
+          res.server_templates.push(
+            convert_resource::<ServerTemplate>(
+              template,
+              false,
+              vec![],
+              &id_to_tags,
+            ),
+          )
         }
         ResourceTarget::Server(id) => {
           let server = resource::get_check_permissions::<Server>(
             &id,
-            &user,
+            user,
             PermissionLevel::Read,
           )
           .await?;
-          res.servers.push(convert_resource(server, &names.tags))
+          res.servers.push(convert_resource::<Server>(
+            server,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
         }
         ResourceTarget::Builder(id) => {
           let mut builder =
             resource::get_check_permissions::<Builder>(
               &id,
-              &user,
+              user,
               PermissionLevel::Read,
             )
             .await?;
-          // replace server id of builder
-          if let BuilderConfig::Server(config) = &mut builder.config {
-            config.server_id.clone_from(
-              names.servers.get(&id).unwrap_or(&String::new()),
-            )
-          }
-          res.builders.push(convert_resource(builder, &names.tags))
+          Builder::replace_ids(&mut builder, &all);
+          res.builders.push(convert_resource::<Builder>(
+            builder,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
         }
         ResourceTarget::Build(id) => {
           let mut build = resource::get_check_permissions::<Build>(
             &id,
-            &user,
+            user,
             PermissionLevel::Read,
           )
           .await?;
-          // replace builder id of build
-          build.config.builder_id.clone_from(
-            names
-              .builders
-              .get(&build.config.builder_id)
-              .unwrap_or(&String::new()),
-          );
-          res.builds.push(convert_resource(build, &names.tags))
+          Build::replace_ids(&mut build, &all);
+          res.builds.push(convert_resource::<Build>(
+            build,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
         }
         ResourceTarget::Deployment(id) => {
           let mut deployment = resource::get_check_permissions::<
             Deployment,
           >(
-            &id, &user, PermissionLevel::Read
+            &id, user, PermissionLevel::Read
           )
           .await?;
-          // replace deployment server with name
-          deployment.config.server_id.clone_from(
-            names
-              .servers
-              .get(&deployment.config.server_id)
-              .unwrap_or(&String::new()),
-          );
-          // replace deployment build id with name
-          if let DeploymentImage::Build { build_id, .. } =
-            &mut deployment.config.image
-          {
-            build_id.clone_from(
-              names.builds.get(build_id).unwrap_or(&String::new()),
-            );
-          }
-          res
-            .deployments
-            .push(convert_resource(deployment, &names.tags))
+          Deployment::replace_ids(&mut deployment, &all);
+          res.deployments.push(convert_resource::<Deployment>(
+            deployment,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
         }
         ResourceTarget::Repo(id) => {
           let mut repo = resource::get_check_permissions::<Repo>(
             &id,
-            &user,
+            user,
             PermissionLevel::Read,
           )
           .await?;
-          // replace repo server with name
-          repo.config.server_id.clone_from(
-            names
-              .servers
-              .get(&repo.config.server_id)
-              .unwrap_or(&String::new()),
-          );
-          res.repos.push(convert_resource(repo, &names.tags))
+          Repo::replace_ids(&mut repo, &all);
+          res.repos.push(convert_resource::<Repo>(
+            repo,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Stack(id) => {
+          let mut stack = resource::get_check_permissions::<Stack>(
+            &id,
+            user,
+            PermissionLevel::Read,
+          )
+          .await?;
+          Stack::replace_ids(&mut stack, &all);
+          res.stacks.push(convert_resource::<Stack>(
+            stack,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
         }
         ResourceTarget::Procedure(id) => {
-          add_procedure(&id, &mut res, &user, &names)
-            .await
-            .with_context(|| {
-              format!("failed to add procedure {id}")
-            })?;
+          let mut procedure = resource::get_check_permissions::<
+            Procedure,
+          >(
+            &id, user, PermissionLevel::Read
+          )
+          .await?;
+          Procedure::replace_ids(&mut procedure, &all);
+          res.procedures.push(convert_resource::<Procedure>(
+            procedure,
+            false,
+            vec![],
+            &id_to_tags,
+          ));
+        }
+        ResourceTarget::Action(id) => {
+          let mut action = resource::get_check_permissions::<Action>(
+            &id,
+            user,
+            PermissionLevel::Read,
+          )
+          .await?;
+          Action::replace_ids(&mut action, &all);
+          res.actions.push(convert_resource::<Action>(
+            action,
+            false,
+            vec![],
+            &id_to_tags,
+          ));
         }
         ResourceTarget::System(_) => continue,
       };
     }
 
-    add_user_groups(user_groups, &mut res, &user)
+    add_user_groups(user_groups, &mut res, &all, args)
       .await
       .context("failed to add user groups")?;
 
-    let toml = toml::to_string(&res)
+    if include_variables {
+      res.variables =
+        find_collect(&db_client().variables, None, None)
+          .await
+          .context("failed to get variables from db")?
+          .into_iter()
+          .map(|mut variable| {
+            if !user.admin && variable.is_secret {
+              variable.value = "#".repeat(variable.value.len())
+            }
+            variable
+          })
+          .collect();
+    }
+
+    let toml = serialize_resources_toml(res)
       .context("failed to serialize resources to toml")?;
 
     Ok(ExportResourcesToTomlResponse { toml })
   }
 }
 
-async fn add_procedure(
-  id: &str,
-  res: &mut ResourcesToml,
-  user: &User,
-  names: &ResourceNames,
-) -> anyhow::Result<()> {
-  let mut procedure = resource::get_check_permissions::<Procedure>(
-    id,
-    user,
-    PermissionLevel::Read,
-  )
-  .await?;
-  for execution in &mut procedure.config.executions {
-    match &mut execution.execution {
-      Execution::RunProcedure(exec) => exec.procedure.clone_from(
-        names
-          .procedures
-          .get(&exec.procedure)
-          .unwrap_or(&String::new()),
-      ),
-      Execution::RunBuild(exec) => exec.build.clone_from(
-        names.builds.get(&exec.build).unwrap_or(&String::new()),
-      ),
-      Execution::Deploy(exec) => exec.deployment.clone_from(
-        names
-          .deployments
-          .get(&exec.deployment)
-          .unwrap_or(&String::new()),
-      ),
-      Execution::StartContainer(exec) => exec.deployment.clone_from(
-        names
-          .deployments
-          .get(&exec.deployment)
-          .unwrap_or(&String::new()),
-      ),
-      Execution::StopContainer(exec) => exec.deployment.clone_from(
-        names
-          .deployments
-          .get(&exec.deployment)
-          .unwrap_or(&String::new()),
-      ),
-      Execution::RemoveContainer(exec) => exec.deployment.clone_from(
-        names
-          .deployments
-          .get(&exec.deployment)
-          .unwrap_or(&String::new()),
-      ),
-      Execution::CloneRepo(exec) => exec.repo.clone_from(
-        names.repos.get(&exec.repo).unwrap_or(&String::new()),
-      ),
-      Execution::PullRepo(exec) => exec.repo.clone_from(
-        names.repos.get(&exec.repo).unwrap_or(&String::new()),
-      ),
-      Execution::StopAllContainers(exec) => exec.server.clone_from(
-        names.servers.get(&exec.server).unwrap_or(&String::new()),
-      ),
-      Execution::PruneDockerNetworks(exec) => exec.server.clone_from(
-        names.servers.get(&exec.server).unwrap_or(&String::new()),
-      ),
-      Execution::PruneDockerImages(exec) => exec.server.clone_from(
-        names.servers.get(&exec.server).unwrap_or(&String::new()),
-      ),
-      Execution::PruneDockerContainers(exec) => {
-        exec.server.clone_from(
-          names.servers.get(&exec.server).unwrap_or(&String::new()),
-        )
-      }
-      Execution::None(_) => continue,
-    }
-  }
-  res
-    .procedures
-    .push(convert_resource(procedure, &names.tags));
-  Ok(())
-}
-
-struct ResourceNames {
-  tags: HashMap<String, String>,
-  servers: HashMap<String, String>,
-  builders: HashMap<String, String>,
-  builds: HashMap<String, String>,
-  repos: HashMap<String, String>,
-  deployments: HashMap<String, String>,
-  procedures: HashMap<String, String>,
-}
-
-impl ResourceNames {
-  async fn new() -> anyhow::Result<ResourceNames> {
-    let db = db_client().await;
-    Ok(ResourceNames {
-      tags: find_collect(&db.tags, None, None)
-        .await
-        .context("failed to get all tags")?
-        .into_iter()
-        .map(|t| (t.id, t.name))
-        .collect::<HashMap<_, _>>(),
-      servers: find_collect(&db.servers, None, None)
-        .await
-        .context("failed to get all servers")?
-        .into_iter()
-        .map(|t| (t.id, t.name))
-        .collect::<HashMap<_, _>>(),
-      builders: find_collect(&db.builders, None, None)
-        .await
-        .context("failed to get all builders")?
-        .into_iter()
-        .map(|t| (t.id, t.name))
-        .collect::<HashMap<_, _>>(),
-      builds: find_collect(&db.builds, None, None)
-        .await
-        .context("failed to get all builds")?
-        .into_iter()
-        .map(|t| (t.id, t.name))
-        .collect::<HashMap<_, _>>(),
-      repos: find_collect(&db.repos, None, None)
-        .await
-        .context("failed to get all repos")?
-        .into_iter()
-        .map(|t| (t.id, t.name))
-        .collect::<HashMap<_, _>>(),
-      deployments: find_collect(&db.deployments, None, None)
-        .await
-        .context("failed to get all deployments")?
-        .into_iter()
-        .map(|t| (t.id, t.name))
-        .collect::<HashMap<_, _>>(),
-      procedures: find_collect(&db.procedures, None, None)
-        .await
-        .context("failed to get all procedures")?
-        .into_iter()
-        .map(|t| (t.id, t.name))
-        .collect::<HashMap<_, _>>(),
-    })
-  }
-}
-
 async fn add_user_groups(
   user_groups: Vec<String>,
   res: &mut ResourcesToml,
-  user: &User,
+  all: &AllResourcesById,
+  args: &ReadArgs,
 ) -> anyhow::Result<()> {
-  let db = db_client().await;
-
-  let usernames = find_collect(&db.users, None, None)
-    .await?
+  let user_groups = ListUserGroups {}
+    .resolve(args)
+    .await
+    .map_err(|e| e.error)?
     .into_iter()
-    .map(|user| (user.id, user.username))
-    .collect::<HashMap<_, _>>();
-
-  for user_group in user_groups {
-    let ug = State
-      .resolve(GetUserGroup { user_group }, user.clone())
-      .await?;
-    // this method is admin only, but we already know user can see user group if above does not return Err
-    let permissions = State
-      .resolve(
-        ListUserTargetPermissions {
-          user_target: UserTarget::UserGroup(ug.id),
-        },
-        User {
-          admin: true,
-          ..Default::default()
-        },
-      )
-      .await?
-      .into_iter()
-      .map(|permission| PermissionToml {
-        target: permission.resource_target,
-        level: permission.level,
-      })
-      .collect();
-    res.user_groups.push(UserGroupToml {
-      name: ug.name,
-      users: ug
-        .users
-        .into_iter()
-        .filter_map(|user_id| usernames.get(&user_id).cloned())
-        .collect(),
-      permissions,
+    .filter(|ug| {
+      user_groups.contains(&ug.name) || user_groups.contains(&ug.id)
     });
-  }
+  let mut ug = Vec::with_capacity(user_groups.size_hint().0);
+  convert_user_groups(user_groups, all, &mut ug).await?;
+  res.user_groups = ug.into_iter().map(|ug| ug.1).collect();
+
   Ok(())
 }
 
-fn convert_resource<Config, Info: Default, PartialConfig>(
-  resource: Resource<Config, Info>,
-  tag_names: &HashMap<String, String>,
-) -> ResourceToml<PartialConfig>
-where
-  Config: Into<PartialConfig>,
-{
-  ResourceToml {
-    name: resource.name,
-    tags: resource
-      .tags
-      .iter()
-      .filter_map(|t| tag_names.get(t).cloned())
-      .collect(),
-    description: resource.description,
-    config: resource.config.into(),
+fn serialize_resources_toml(
+  resources: ResourcesToml,
+) -> anyhow::Result<String> {
+  let mut toml = String::new();
+
+  for server in resources.servers {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[server]]\n");
+    Server::push_to_toml_string(server, &mut toml)?;
   }
+
+  for stack in resources.stacks {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[stack]]\n");
+    Stack::push_to_toml_string(stack, &mut toml)?;
+  }
+
+  for deployment in resources.deployments {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[deployment]]\n");
+    Deployment::push_to_toml_string(deployment, &mut toml)?;
+  }
+
+  for build in resources.builds {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[build]]\n");
+    Build::push_to_toml_string(build, &mut toml)?;
+  }
+
+  for repo in resources.repos {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[repo]]\n");
+    Repo::push_to_toml_string(repo, &mut toml)?;
+  }
+
+  for procedure in resources.procedures {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[procedure]]\n");
+    Procedure::push_to_toml_string(procedure, &mut toml)?;
+  }
+
+  for action in resources.actions {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[action]]\n");
+    Action::push_to_toml_string(action, &mut toml)?;
+  }
+
+  for alerter in resources.alerters {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[alerter]]\n");
+    Alerter::push_to_toml_string(alerter, &mut toml)?;
+  }
+
+  for builder in resources.builders {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[builder]]\n");
+    Builder::push_to_toml_string(builder, &mut toml)?;
+  }
+
+  for server_template in resources.server_templates {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[server_template]]\n");
+    ServerTemplate::push_to_toml_string(server_template, &mut toml)?;
+  }
+
+  for resource_sync in resources.resource_syncs {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[resource_sync]]\n");
+    ResourceSync::push_to_toml_string(resource_sync, &mut toml)?;
+  }
+
+  for variable in &resources.variables {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[variable]]\n");
+    toml.push_str(
+      &toml_pretty::to_string(variable, TOML_PRETTY_OPTIONS)
+        .context("failed to serialize variables to toml")?,
+    );
+  }
+
+  for user_group in &resources.user_groups {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[user_group]]\n");
+    toml.push_str(
+      &toml_pretty::to_string(user_group, TOML_PRETTY_OPTIONS)
+        .context("failed to serialize user_groups to toml")?,
+    );
+  }
+
+  Ok(toml)
 }

bin/core/src/api/read/update.rs

@@ -1,9 +1,11 @@
 use std::collections::HashMap;
 
-use anyhow::{anyhow, Context};
-use monitor_client::{
+use anyhow::{Context, anyhow};
+use komodo_client::{
   api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
   entities::{
+    ResourceTarget,
+    action::Action,
     alerter::Alerter,
     build::Build,
     builder::Builder,
@@ -13,9 +15,9 @@ use monitor_client::{
     repo::Repo,
     server::Server,
     server_template::ServerTemplate,
-    update::{
-      ResourceTarget, ResourceTargetVariant, Update, UpdateListItem,
-    },
+    stack::Stack,
+    sync::ResourceSync,
+    update::{Update, UpdateListItem},
     user::User,
   },
 };
@@ -26,94 +28,164 @@ use mungos::{
 };
 use resolver_api::Resolve;
 
-use crate::{
-  helpers::query::get_resource_ids_for_non_admin,
-  resource,
-  state::{db_client, State},
-};
+use crate::{config::core_config, resource, state::db_client};
+
+use super::ReadArgs;
 
 const UPDATES_PER_PAGE: i64 = 100;
 
-impl Resolve<ListUpdates, User> for State {
+impl Resolve<ReadArgs> for ListUpdates {
   async fn resolve(
-    &self,
-    ListUpdates { query, page }: ListUpdates,
-    user: User,
-  ) -> anyhow::Result<ListUpdatesResponse> {
-    let query = if user.admin {
-      query
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListUpdatesResponse> {
+    let query = if user.admin || core_config().transparent_mode {
+      self.query
     } else {
-      let server_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Server,
-      )
-      .await?;
-      let deployment_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Deployment,
-      )
-      .await?;
-      let build_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Build,
-      )
-      .await?;
-      let repo_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Repo,
-      )
-      .await?;
-      let procedure_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Procedure,
-      )
-      .await?;
-      let builder_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Builder,
-      )
-      .await?;
-      let alerter_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::Alerter,
-      )
-      .await?;
-      let server_template_ids = get_resource_ids_for_non_admin(
-        &user.id,
-        ResourceTargetVariant::ServerTemplate,
-      )
-      .await?;
+      let server_query =
+        resource::get_resource_ids_for_user::<Server>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Server", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Server" });
 
-      let mut query = query.unwrap_or_default();
+      let deployment_query =
+        resource::get_resource_ids_for_user::<Deployment>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Deployment", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Deployment" });
+
+      let stack_query =
+        resource::get_resource_ids_for_user::<Stack>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Stack", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Stack" });
+
+      let build_query =
+        resource::get_resource_ids_for_user::<Build>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Build", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Build" });
+
+      let repo_query =
+        resource::get_resource_ids_for_user::<Repo>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Repo", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Repo" });
+
+      let procedure_query =
+        resource::get_resource_ids_for_user::<Procedure>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Procedure", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Procedure" });
+
+      let action_query =
+        resource::get_resource_ids_for_user::<Action>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Action", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Action" });
+
+      let builder_query =
+        resource::get_resource_ids_for_user::<Builder>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Builder", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Builder" });
+
+      let alerter_query =
+        resource::get_resource_ids_for_user::<Alerter>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Alerter", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Alerter" });
+
+      let server_template_query =
+        resource::get_resource_ids_for_user::<ServerTemplate>(user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "ServerTemplate", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "ServerTemplate" });
+
+      let resource_sync_query =
+        resource::get_resource_ids_for_user::<ResourceSync>(
+          user,
+        )
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "ResourceSync", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
+
+      let mut query = self.query.unwrap_or_default();
       query.extend(doc! {
         "$or": [
-          { "target.type": "Server", "target.id": { "$in": &server_ids } },
-          { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
-          { "target.type": "Build", "target.id": { "$in": &build_ids } },
-          { "target.type": "Repo", "target.id": { "$in": &repo_ids } },
-          { "target.type": "Procedure", "target.id": { "$in": &procedure_ids } },
-          { "target.type": "Builder", "target.id": { "$in": &builder_ids } },
-          { "target.type": "Alerter", "target.id": { "$in": &alerter_ids } },
-          { "target.type": "ServerTemplate", "target.id": { "$in": &server_template_ids } },
+          server_query,
+          deployment_query,
+          stack_query,
+          build_query,
+          repo_query,
+          procedure_query,
+          action_query,
+          alerter_query,
+          builder_query,
+          server_template_query,
+          resource_sync_query,
         ]
       });
       query.into()
     };
 
-    let usernames =
-      find_collect(&db_client().await.users, None, None)
-        .await
-        .context("failed to pull users from db")?
-        .into_iter()
-        .map(|u| (u.id, u.username))
-        .collect::<HashMap<_, _>>();
+    let usernames = find_collect(&db_client().users, None, None)
+      .await
+      .context("failed to pull users from db")?
+      .into_iter()
+      .map(|u| (u.id, u.username))
+      .collect::<HashMap<_, _>>();
 
     let updates = find_collect(
-      &db_client().await.updates,
+      &db_client().updates,
       query,
       FindOptions::builder()
         .sort(doc! { "start_ts": -1 })
-        .skip(page as u64 * UPDATES_PER_PAGE as u64)
+        .skip(self.page as u64 * UPDATES_PER_PAGE as u64)
         .limit(UPDATES_PER_PAGE)
         .build(),
     )
@@ -139,12 +211,13 @@ impl Resolve<ListUpdates, User> for State {
         target: u.target,
         status: u.status,
         version: u.version,
+        other_data: u.other_data,
       }
     })
     .collect::<Vec<_>>();
 
     let next_page = if updates.len() == UPDATES_PER_PAGE as usize {
-      Some(page + 1)
+      Some(self.page + 1)
     } else {
       None
     };
@@ -153,29 +226,28 @@ impl Resolve<ListUpdates, User> for State {
   }
 }
 
-impl Resolve<GetUpdate, User> for State {
+impl Resolve<ReadArgs> for GetUpdate {
   async fn resolve(
-    &self,
-    GetUpdate { id }: GetUpdate,
-    user: User,
-  ) -> anyhow::Result<Update> {
-    let update = find_one_by_id(&db_client().await.updates, &id)
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Update> {
+    let update = find_one_by_id(&db_client().updates, &self.id)
       .await
       .context("failed to query to db")?
       .context("no update exists with given id")?;
-    if user.admin {
+    if user.admin || core_config().transparent_mode {
       return Ok(update);
     }
     match &update.target {
       ResourceTarget::System(_) => {
-        return Err(anyhow!(
-          "user must be admin to view system updates"
-        ))
+        return Err(
+          anyhow!("user must be admin to view system updates").into(),
+        );
       }
       ResourceTarget::Server(id) => {
         resource::get_check_permissions::<Server>(
           id,
-          &user,
+          user,
           PermissionLevel::Read,
         )
         .await?;
@@ -183,7 +255,7 @@ impl Resolve<GetUpdate, User> for State {
       ResourceTarget::Deployment(id) => {
         resource::get_check_permissions::<Deployment>(
           id,
-          &user,
+          user,
           PermissionLevel::Read,
         )
         .await?;
@@ -191,7 +263,7 @@ impl Resolve<GetUpdate, User> for State {
       ResourceTarget::Build(id) => {
         resource::get_check_permissions::<Build>(
           id,
-          &user,
+          user,
           PermissionLevel::Read,
         )
         .await?;
@@ -199,7 +271,7 @@ impl Resolve<GetUpdate, User> for State {
       ResourceTarget::Repo(id) => {
         resource::get_check_permissions::<Repo>(
           id,
-          &user,
+          user,
           PermissionLevel::Read,
         )
         .await?;
@@ -207,7 +279,7 @@ impl Resolve<GetUpdate, User> for State {
       ResourceTarget::Builder(id) => {
         resource::get_check_permissions::<Builder>(
           id,
-          &user,
+          user,
           PermissionLevel::Read,
         )
         .await?;
@@ -215,7 +287,7 @@ impl Resolve<GetUpdate, User> for State {
       ResourceTarget::Alerter(id) => {
         resource::get_check_permissions::<Alerter>(
           id,
-          &user,
+          user,
           PermissionLevel::Read,
         )
         .await?;
@@ -223,7 +295,15 @@ impl Resolve<GetUpdate, User> for State {
       ResourceTarget::Procedure(id) => {
         resource::get_check_permissions::<Procedure>(
           id,
-          &user,
+          user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::Action(id) => {
+        resource::get_check_permissions::<Action>(
+          id,
+          user,
           PermissionLevel::Read,
         )
         .await?;
@@ -231,7 +311,23 @@ impl Resolve<GetUpdate, User> for State {
       ResourceTarget::ServerTemplate(id) => {
         resource::get_check_permissions::<ServerTemplate>(
           id,
-          &user,
+          user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::ResourceSync(id) => {
+        resource::get_check_permissions::<ResourceSync>(
+          id,
+          user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::Stack(id) => {
+        resource::get_check_permissions::<Stack>(
+          id,
+          user,
           PermissionLevel::Read,
         )
         .await?;

bin/core/src/api/read/user.rs

@@ -1,26 +1,37 @@
-use anyhow::{anyhow, Context};
-use monitor_client::{
+use anyhow::{Context, anyhow};
+use komodo_client::{
   api::read::{
-    GetUsername, GetUsernameResponse, ListApiKeys,
-    ListApiKeysForServiceUser, ListApiKeysForServiceUserResponse,
-    ListApiKeysResponse, ListUsers, ListUsersResponse,
+    FindUser, FindUserResponse, GetUsername, GetUsernameResponse,
+    ListApiKeys, ListApiKeysForServiceUser,
+    ListApiKeysForServiceUserResponse, ListApiKeysResponse,
+    ListUsers, ListUsersResponse,
   },
-  entities::user::{User, UserConfig},
+  entities::user::{UserConfig, admin_service_user},
 };
 use mungos::{
-  by_id::find_one_by_id, find::find_collect, mongodb::bson::doc,
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
 };
 use resolver_api::Resolve;
 
-use crate::state::{db_client, State};
+use crate::{helpers::query::get_user, state::db_client};
 
-impl Resolve<GetUsername, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetUsername {
   async fn resolve(
-    &self,
-    GetUsername { user_id }: GetUsername,
-    _: User,
-  ) -> anyhow::Result<GetUsernameResponse> {
-    let user = find_one_by_id(&db_client().await.users, &user_id)
+    self,
+    _: &ReadArgs,
+  ) -> serror::Result<GetUsernameResponse> {
+    if let Some(user) = admin_service_user(&self.user_id) {
+      return Ok(GetUsernameResponse {
+        username: user.username,
+        avatar: None,
+      });
+    }
+
+    let user = find_one_by_id(&db_client().users, &self.user_id)
       .await
       .context("failed at mongo query for user")?
       .context("no user found with id")?;
@@ -38,32 +49,78 @@ impl Resolve<GetUsername, User> for State {
   }
 }
 
-impl Resolve<ListUsers, User> for State {
+impl Resolve<ReadArgs> for FindUser {
   async fn resolve(
-    &self,
-    ListUsers {}: ListUsers,
-    user: User,
-  ) -> anyhow::Result<ListUsersResponse> {
-    if !user.admin {
-      return Err(anyhow!("this route is only accessable by admins"));
+    self,
+    ReadArgs { user: admin }: &ReadArgs,
+  ) -> serror::Result<FindUserResponse> {
+    if !admin.admin {
+      return Err(anyhow!("This method is admin only.").into());
     }
-    let mut users =
-      find_collect(&db_client().await.users, None, None)
-        .await
-        .context("failed to pull users from db")?;
+    Ok(get_user(&self.user).await?)
+  }
+}
+
+impl Resolve<ReadArgs> for ListUsers {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListUsersResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("this route is only accessable by admins").into(),
+      );
+    }
+    let mut users = find_collect(
+      &db_client().users,
+      None,
+      FindOptions::builder().sort(doc! { "username": 1 }).build(),
+    )
+    .await
+    .context("failed to pull users from db")?;
     users.iter_mut().for_each(|user| user.sanitize());
     Ok(users)
   }
 }
 
-impl Resolve<ListApiKeys, User> for State {
+impl Resolve<ReadArgs> for ListApiKeys {
   async fn resolve(
-    &self,
-    ListApiKeys {}: ListApiKeys,
-    user: User,
-  ) -> anyhow::Result<ListApiKeysResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListApiKeysResponse> {
     let api_keys = find_collect(
-      &db_client().await.api_keys,
+      &db_client().api_keys,
+      doc! { "user_id": &user.id },
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to query db for api keys")?
+    .into_iter()
+    .map(|mut api_keys| {
+      api_keys.sanitize();
+      api_keys
+    })
+    .collect();
+    Ok(api_keys)
+  }
+}
+
+impl Resolve<ReadArgs> for ListApiKeysForServiceUser {
+  async fn resolve(
+    self,
+    ReadArgs { user: admin }: &ReadArgs,
+  ) -> serror::Result<ListApiKeysForServiceUserResponse> {
+    if !admin.admin {
+      return Err(anyhow!("This method is admin only.").into());
+    }
+
+    let user = get_user(&self.user).await?;
+
+    let UserConfig::Service { .. } = user.config else {
+      return Err(anyhow!("Given user is not service user").into());
+    };
+    let api_keys = find_collect(
+      &db_client().api_keys,
       doc! { "user_id": &user.id },
       None,
     )
@@ -78,36 +135,3 @@ impl Resolve<ListApiKeys, User> for State {
     Ok(api_keys)
   }
 }
-
-impl Resolve<ListApiKeysForServiceUser, User> for State {
-  async fn resolve(
-    &self,
-    ListApiKeysForServiceUser { user_id }: ListApiKeysForServiceUser,
-    admin: User,
-  ) -> anyhow::Result<ListApiKeysForServiceUserResponse> {
-    if !admin.admin {
-      return Err(anyhow!("This method is admin only."));
-    }
-    let user = find_one_by_id(&db_client().await.users, &user_id)
-      .await
-      .context("failed to query db for users")?
-      .context("user at id not found")?;
-    let UserConfig::Service { .. } = user.config else {
-      return Err(anyhow!("Given user is not service user"));
-    };
-    let api_keys = find_collect(
-      &db_client().await.api_keys,
-      doc! { "user_id": user_id },
-      None,
-    )
-    .await
-    .context("failed to query db for api keys")?
-    .into_iter()
-    .map(|mut api_keys| {
-      api_keys.sanitize();
-      api_keys
-    })
-    .collect();
-    Ok(api_keys)
-  }
-}

bin/core/src/api/read/user_group.rs

@@ -1,58 +1,60 @@
 use std::str::FromStr;
 
 use anyhow::Context;
-use monitor_client::{
-  api::read::{
-    GetUserGroup, GetUserGroupResponse, ListUserGroups,
-    ListUserGroupsResponse,
-  },
-  entities::user::User,
-};
+use komodo_client::api::read::*;
 use mungos::{
   find::find_collect,
-  mongodb::bson::{doc, oid::ObjectId, Document},
+  mongodb::{
+    bson::{Document, doc, oid::ObjectId},
+    options::FindOptions,
+  },
 };
 use resolver_api::Resolve;
 
-use crate::state::{db_client, State};
+use crate::state::db_client;
 
-impl Resolve<GetUserGroup, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetUserGroup {
   async fn resolve(
-    &self,
-    GetUserGroup { user_group }: GetUserGroup,
-    user: User,
-  ) -> anyhow::Result<GetUserGroupResponse> {
-    let mut filter = match ObjectId::from_str(&user_group) {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetUserGroupResponse> {
+    let mut filter = match ObjectId::from_str(&self.user_group) {
       Ok(id) => doc! { "_id": id },
-      Err(_) => doc! { "name": &user_group },
+      Err(_) => doc! { "name": &self.user_group },
     };
     // Don't allow non admin users to get UserGroups they aren't a part of.
     if !user.admin {
       // Filter for only UserGroups which contain the users id
       filter.insert("users", &user.id);
     }
-    db_client()
-      .await
+    let res = db_client()
       .user_groups
-      .find_one(filter, None)
+      .find_one(filter)
       .await
       .context("failed to query db for user groups")?
-      .context("no UserGroup found with given name or id")
+      .context("no UserGroup found with given name or id")?;
+    Ok(res)
   }
 }
 
-impl Resolve<ListUserGroups, User> for State {
+impl Resolve<ReadArgs> for ListUserGroups {
   async fn resolve(
-    &self,
-    ListUserGroups {}: ListUserGroups,
-    user: User,
-  ) -> anyhow::Result<ListUserGroupsResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListUserGroupsResponse> {
     let mut filter = Document::new();
     if !user.admin {
       filter.insert("users", &user.id);
     }
-    find_collect(&db_client().await.user_groups, filter, None)
-      .await
-      .context("failed to query db for UserGroups")
+    let res = find_collect(
+      &db_client().user_groups,
+      filter,
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to query db for UserGroups")?;
+    Ok(res)
   }
 }

bin/core/src/api/read/variable.rs

@@ -1,43 +1,51 @@
 use anyhow::Context;
-use monitor_client::{
-  api::read::{
-    GetVariable, GetVariableResponse, ListVariables,
-    ListVariablesResponse,
-  },
-  entities::user::User,
-};
-use mungos::find::find_collect;
+use komodo_client::api::read::*;
+use mongo_indexed::doc;
+use mungos::{find::find_collect, mongodb::options::FindOptions};
 use resolver_api::Resolve;
 
-use crate::{
-  config::core_config,
-  helpers::query::get_variable,
-  state::{db_client, State},
-};
+use crate::{helpers::query::get_variable, state::db_client};
 
-impl Resolve<GetVariable, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetVariable {
   async fn resolve(
-    &self,
-    GetVariable { name }: GetVariable,
-    _: User,
-  ) -> anyhow::Result<GetVariableResponse> {
-    get_variable(&name).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetVariableResponse> {
+    let mut variable = get_variable(&self.name).await?;
+    if !variable.is_secret || user.admin {
+      return Ok(variable);
+    }
+    variable.value = "#".repeat(variable.value.len());
+    Ok(variable)
   }
 }
 
-impl Resolve<ListVariables, User> for State {
+impl Resolve<ReadArgs> for ListVariables {
   async fn resolve(
-    &self,
-    ListVariables {}: ListVariables,
-    _: User,
-  ) -> anyhow::Result<ListVariablesResponse> {
-    let variables =
-      find_collect(&db_client().await.variables, None, None)
-        .await
-        .context("failed to query db for variables")?;
-    Ok(ListVariablesResponse {
-      variables,
-      secrets: core_config().secrets.keys().cloned().collect(),
-    })
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListVariablesResponse> {
+    let variables = find_collect(
+      &db_client().variables,
+      None,
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to query db for variables")?;
+    if user.admin {
+      return Ok(variables);
+    }
+    let variables = variables
+      .into_iter()
+      .map(|mut variable| {
+        if variable.is_secret {
+          variable.value = "#".repeat(variable.value.len());
+        }
+        variable
+      })
+      .collect();
+    Ok(variables)
   }
 }

bin/core/src/api/user.rs

@@ -0,0 +1,193 @@
+use std::{collections::VecDeque, time::Instant};
+
+use anyhow::{Context, anyhow};
+use axum::{Extension, Json, Router, middleware, routing::post};
+use derive_variants::EnumVariants;
+use komodo_client::{
+  api::user::*,
+  entities::{api_key::ApiKey, komodo_timestamp, user::User},
+};
+use mongo_indexed::doc;
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_bson};
+use resolver_api::Resolve;
+use response::Response;
+use serde::{Deserialize, Serialize};
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{
+  auth::auth_request,
+  helpers::{query::get_user, random_string},
+  state::db_client,
+};
+
+pub struct UserArgs {
+  pub user: User,
+}
+
+#[typeshare]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+)]
+#[args(UserArgs)]
+#[response(Response)]
+#[error(serror::Error)]
+#[serde(tag = "type", content = "params")]
+enum UserRequest {
+  PushRecentlyViewed(PushRecentlyViewed),
+  SetLastSeenUpdate(SetLastSeenUpdate),
+  CreateApiKey(CreateApiKey),
+  DeleteApiKey(DeleteApiKey),
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/", post(handler))
+    .layer(middleware::from_fn(auth_request))
+}
+
+#[instrument(name = "UserHandler", level = "debug", skip(user))]
+async fn handler(
+  Extension(user): Extension<User>,
+  Json(request): Json<UserRequest>,
+) -> serror::Result<axum::response::Response> {
+  let timer = Instant::now();
+  let req_id = Uuid::new_v4();
+  debug!(
+    "/user request {req_id} | user: {} ({})",
+    user.username, user.id
+  );
+  let res = request.resolve(&UserArgs { user }).await;
+  if let Err(e) = &res {
+    warn!("/user request {req_id} error: {:#}", e.error);
+  }
+  let elapsed = timer.elapsed();
+  debug!("/user request {req_id} | resolve time: {elapsed:?}");
+  res.map(|res| res.0)
+}
+
+const RECENTLY_VIEWED_MAX: usize = 10;
+
+impl Resolve<UserArgs> for PushRecentlyViewed {
+  #[instrument(
+    name = "PushRecentlyViewed",
+    level = "debug",
+    skip(user)
+  )]
+  async fn resolve(
+    self,
+    UserArgs { user }: &UserArgs,
+  ) -> serror::Result<PushRecentlyViewedResponse> {
+    let user = get_user(&user.id).await?;
+
+    let (resource_type, id) = self.resource.extract_variant_id();
+    let update = match user.recents.get(&resource_type) {
+      Some(recents) => {
+        let mut recents = recents
+          .iter()
+          .filter(|_id| !id.eq(*_id))
+          .take(RECENTLY_VIEWED_MAX - 1)
+          .collect::<VecDeque<_>>();
+        recents.push_front(id);
+        doc! { format!("recents.{resource_type}"): to_bson(&recents)? }
+      }
+      None => {
+        doc! { format!("recents.{resource_type}"): [id] }
+      }
+    };
+    update_one_by_id(
+      &db_client().users,
+      &user.id,
+      mungos::update::Update::Set(update),
+      None,
+    )
+    .await
+    .with_context(|| {
+      format!("failed to update recents.{resource_type}")
+    })?;
+
+    Ok(PushRecentlyViewedResponse {})
+  }
+}
+
+impl Resolve<UserArgs> for SetLastSeenUpdate {
+  #[instrument(
+    name = "SetLastSeenUpdate",
+    level = "debug",
+    skip(user)
+  )]
+  async fn resolve(
+    self,
+    UserArgs { user }: &UserArgs,
+  ) -> serror::Result<SetLastSeenUpdateResponse> {
+    update_one_by_id(
+      &db_client().users,
+      &user.id,
+      mungos::update::Update::Set(doc! {
+        "last_update_view": komodo_timestamp()
+      }),
+      None,
+    )
+    .await
+    .context("failed to update user last_update_view")?;
+    Ok(SetLastSeenUpdateResponse {})
+  }
+}
+
+const SECRET_LENGTH: usize = 40;
+const BCRYPT_COST: u32 = 10;
+
+impl Resolve<UserArgs> for CreateApiKey {
+  #[instrument(name = "CreateApiKey", level = "debug", skip(user))]
+  async fn resolve(
+    self,
+    UserArgs { user }: &UserArgs,
+  ) -> serror::Result<CreateApiKeyResponse> {
+    let user = get_user(&user.id).await?;
+
+    let key = format!("K-{}", random_string(SECRET_LENGTH));
+    let secret = format!("S-{}", random_string(SECRET_LENGTH));
+    let secret_hash = bcrypt::hash(&secret, BCRYPT_COST)
+      .context("failed at hashing secret string")?;
+
+    let api_key = ApiKey {
+      name: self.name,
+      key: key.clone(),
+      secret: secret_hash,
+      user_id: user.id.clone(),
+      created_at: komodo_timestamp(),
+      expires: self.expires,
+    };
+    db_client()
+      .api_keys
+      .insert_one(api_key)
+      .await
+      .context("failed to create api key on db")?;
+    Ok(CreateApiKeyResponse { key, secret })
+  }
+}
+
+impl Resolve<UserArgs> for DeleteApiKey {
+  #[instrument(name = "DeleteApiKey", level = "debug", skip(user))]
+  async fn resolve(
+    self,
+    UserArgs { user }: &UserArgs,
+  ) -> serror::Result<DeleteApiKeyResponse> {
+    let client = db_client();
+    let key = client
+      .api_keys
+      .find_one(doc! { "key": &self.key })
+      .await
+      .context("failed at db query")?
+      .context("no api key with key found")?;
+    if user.id != key.user_id {
+      return Err(anyhow!("api key does not belong to user").into());
+    }
+    client
+      .api_keys
+      .delete_one(doc! { "key": key.key })
+      .await
+      .context("failed to delete api key from db")?;
+    Ok(DeleteApiKeyResponse {})
+  }
+}

bin/core/src/api/write/action.rs

@@ -0,0 +1,71 @@
+use komodo_client::{
+  api::write::*,
+  entities::{
+    action::Action, permission::PermissionLevel, update::Update,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::resource;
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateAction {
+  #[instrument(name = "CreateAction", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Action> {
+    Ok(
+      resource::create::<Action>(&self.name, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for CopyAction {
+  #[instrument(name = "CopyAction", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Action> {
+    let Action { config, .. } =
+      resource::get_check_permissions::<Action>(
+        &self.id,
+        user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    Ok(
+      resource::create::<Action>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateAction {
+  #[instrument(name = "UpdateAction", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Action> {
+    Ok(resource::update::<Action>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameAction {
+  #[instrument(name = "RenameAction", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Action>(&self.id, &self.name, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteAction {
+  #[instrument(name = "DeleteAction", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Action> {
+    Ok(resource::delete::<Action>(&self.id, args).await?)
+  }
+}

bin/core/src/api/write/alerter.rs

@@ -1,64 +1,77 @@
-use monitor_client::{
-  api::write::{
-    CopyAlerter, CreateAlerter, DeleteAlerter, UpdateAlerter,
-  },
+use komodo_client::{
+  api::write::*,
   entities::{
-    alerter::Alerter, permission::PermissionLevel, user::User,
+    alerter::Alerter, permission::PermissionLevel, update::Update,
   },
 };
 use resolver_api::Resolve;
 
-use crate::{resource, state::State};
+use crate::resource;
 
-impl Resolve<CreateAlerter, User> for State {
-  #[instrument(name = "CreateAlerter", skip(self, user))]
-  async fn resolve(
-    &self,
-    CreateAlerter { name, config }: CreateAlerter,
-    user: User,
-  ) -> anyhow::Result<Alerter> {
-    resource::create::<Alerter>(&name, config, &user).await
-  }
-}
+use super::WriteArgs;
 
-impl Resolve<CopyAlerter, User> for State {
-  #[instrument(name = "CopyAlerter", skip(self, user))]
+impl Resolve<WriteArgs> for CreateAlerter {
+  #[instrument(name = "CreateAlerter", skip(user))]
   async fn resolve(
-    &self,
-    CopyAlerter { name, id }: CopyAlerter,
-    user: User,
-  ) -> anyhow::Result<Alerter> {
-    let Alerter {
-      config,
-      ..
-    } = resource::get_check_permissions::<Alerter>(
-      &id,
-      &user,
-      PermissionLevel::Write,
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Alerter> {
+    Ok(
+      resource::create::<Alerter>(&self.name, self.config, user)
+        .await?,
     )
-    .await?;
-    resource::create::<Alerter>(&name, config.into(), &user).await
   }
 }
 
-impl Resolve<DeleteAlerter, User> for State {
-  #[instrument(name = "DeleteAlerter", skip(self, user))]
+impl Resolve<WriteArgs> for CopyAlerter {
+  #[instrument(name = "CopyAlerter", skip(user))]
   async fn resolve(
-    &self,
-    DeleteAlerter { id }: DeleteAlerter,
-    user: User,
-  ) -> anyhow::Result<Alerter> {
-    resource::delete::<Alerter>(&id, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Alerter> {
+    let Alerter { config, .. } =
+      resource::get_check_permissions::<Alerter>(
+        &self.id,
+        user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    Ok(
+      resource::create::<Alerter>(&self.name, config.into(), user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<UpdateAlerter, User> for State {
-  #[instrument(name = "UpdateAlerter", skip(self, user))]
+impl Resolve<WriteArgs> for DeleteAlerter {
+  #[instrument(name = "DeleteAlerter", skip(args))]
   async fn resolve(
-    &self,
-    UpdateAlerter { id, config }: UpdateAlerter,
-    user: User,
-  ) -> anyhow::Result<Alerter> {
-    resource::update::<Alerter>(&id, config, &user).await
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<Alerter> {
+    Ok(resource::delete::<Alerter>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateAlerter {
+  #[instrument(name = "UpdateAlerter", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Alerter> {
+    Ok(
+      resource::update::<Alerter>(&self.id, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for RenameAlerter {
+  #[instrument(name = "RenameAlerter", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Alerter>(&self.id, &self.name, user).await?)
   }
 }

bin/core/src/api/write/api_key.rs

@@ -1,147 +0,0 @@
-use anyhow::{anyhow, Context};
-use monitor_client::{
-  api::write::*,
-  entities::{
-    api_key::ApiKey,
-    monitor_timestamp,
-    user::{User, UserConfig},
-  },
-};
-use mungos::{by_id::find_one_by_id, mongodb::bson::doc};
-use resolver_api::Resolve;
-
-use crate::{
-  auth::random_string,
-  helpers::query::get_user,
-  state::{db_client, State},
-};
-
-const SECRET_LENGTH: usize = 40;
-const BCRYPT_COST: u32 = 10;
-
-impl Resolve<CreateApiKey, User> for State {
-  #[instrument(
-    name = "CreateApiKey",
-    level = "debug",
-    skip(self, user)
-  )]
-  async fn resolve(
-    &self,
-    CreateApiKey { name, expires }: CreateApiKey,
-    user: User,
-  ) -> anyhow::Result<CreateApiKeyResponse> {
-    let user = get_user(&user.id).await?;
-
-    let key = format!("K-{}", random_string(SECRET_LENGTH));
-    let secret = format!("S-{}", random_string(SECRET_LENGTH));
-    let secret_hash = bcrypt::hash(&secret, BCRYPT_COST)
-      .context("failed at hashing secret string")?;
-
-    let api_key = ApiKey {
-      name,
-      key: key.clone(),
-      secret: secret_hash,
-      user_id: user.id.clone(),
-      created_at: monitor_timestamp(),
-      expires,
-    };
-    db_client()
-      .await
-      .api_keys
-      .insert_one(api_key, None)
-      .await
-      .context("failed to create api key on db")?;
-    Ok(CreateApiKeyResponse { key, secret })
-  }
-}
-
-impl Resolve<DeleteApiKey, User> for State {
-  #[instrument(
-    name = "DeleteApiKey",
-    level = "debug",
-    skip(self, user)
-  )]
-  async fn resolve(
-    &self,
-    DeleteApiKey { key }: DeleteApiKey,
-    user: User,
-  ) -> anyhow::Result<DeleteApiKeyResponse> {
-    let client = db_client().await;
-    let key = client
-      .api_keys
-      .find_one(doc! { "key": &key }, None)
-      .await
-      .context("failed at db query")?
-      .context("no api key with key found")?;
-    if user.id != key.user_id {
-      return Err(anyhow!("api key does not belong to user"));
-    }
-    client
-      .api_keys
-      .delete_one(doc! { "key": key.key }, None)
-      .await
-      .context("failed to delete api key from db")?;
-    Ok(DeleteApiKeyResponse {})
-  }
-}
-
-impl Resolve<CreateApiKeyForServiceUser, User> for State {
-  #[instrument(name = "CreateApiKeyForServiceUser", skip(self, user))]
-  async fn resolve(
-    &self,
-    CreateApiKeyForServiceUser {
-      user_id,
-      name,
-      expires,
-    }: CreateApiKeyForServiceUser,
-    user: User,
-  ) -> anyhow::Result<CreateApiKeyForServiceUserResponse> {
-    if !user.admin {
-      return Err(anyhow!("user not admin"));
-    }
-    let service_user =
-      find_one_by_id(&db_client().await.users, &user_id)
-        .await
-        .context("failed to query db for user")?
-        .context("no user found with id")?;
-    let UserConfig::Service { .. } = &service_user.config else {
-      return Err(anyhow!("user is not service user"));
-    };
-    self
-      .resolve(CreateApiKey { name, expires }, service_user)
-      .await
-  }
-}
-
-impl Resolve<DeleteApiKeyForServiceUser, User> for State {
-  #[instrument(name = "DeleteApiKeyForServiceUser", skip(self, user))]
-  async fn resolve(
-    &self,
-    DeleteApiKeyForServiceUser { key }: DeleteApiKeyForServiceUser,
-    user: User,
-  ) -> anyhow::Result<DeleteApiKeyForServiceUserResponse> {
-    if !user.admin {
-      return Err(anyhow!("user not admin"));
-    }
-    let db = db_client().await;
-    let api_key = db
-      .api_keys
-      .find_one(doc! { "key": &key }, None)
-      .await
-      .context("failed to query db for api key")?
-      .context("did not find matching api key")?;
-    let service_user =
-      find_one_by_id(&db_client().await.users, &api_key.user_id)
-        .await
-        .context("failed to query db for user")?
-        .context("no user found with id")?;
-    let UserConfig::Service { .. } = &service_user.config else {
-      return Err(anyhow!("user is not service user"));
-    };
-    db.api_keys
-      .delete_one(doc! { "key": key }, None)
-      .await
-      .context("failed to delete api key on db")?;
-    Ok(DeleteApiKeyForServiceUserResponse {})
-  }
-}

bin/core/src/api/write/build.rs

@@ -1,60 +1,677 @@
-use monitor_client::{
+use std::{path::PathBuf, str::FromStr, time::Duration};
+
+use anyhow::{Context, anyhow};
+use formatting::format_serror;
+use git::GitRes;
+use komodo_client::{
   api::write::*,
-  entities::{build::Build, permission::PermissionLevel, user::User},
+  entities::{
+    CloneArgs, FileContents, NoData, Operation, all_logs_success,
+    build::{Build, BuildInfo, PartialBuildConfig},
+    builder::{Builder, BuilderConfig},
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    server::ServerState,
+    update::Update,
+  },
+};
+use mongo_indexed::doc;
+use mungos::mongodb::bson::to_document;
+use octorust::types::{
+  ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
+};
+use periphery_client::{
+  PeripheryClient,
+  api::build::{
+    GetDockerfileContentsOnHost, WriteDockerfileContentsToHost,
+  },
 };
 use resolver_api::Resolve;
+use tokio::fs;
 
-use crate::{resource, state::State};
+use crate::{
+  config::core_config,
+  helpers::{
+    git_token, periphery_client,
+    query::get_server_with_state,
+    update::{add_update, make_update},
+  },
+  resource,
+  state::{db_client, github_client},
+};
 
-impl Resolve<CreateBuild, User> for State {
-  #[instrument(name = "CreateBuild", skip(self, user))]
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateBuild {
+  #[instrument(name = "CreateBuild", skip(user))]
   async fn resolve(
-    &self,
-    CreateBuild { name, config }: CreateBuild,
-    user: User,
-  ) -> anyhow::Result<Build> {
-    resource::create::<Build>(&name, config, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Build> {
+    Ok(
+      resource::create::<Build>(&self.name, self.config, user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<CopyBuild, User> for State {
-  #[instrument(name = "CopyBuild", skip(self, user))]
+impl Resolve<WriteArgs> for CopyBuild {
+  #[instrument(name = "CopyBuild", skip(user))]
   async fn resolve(
-    &self,
-    CopyBuild { name, id }: CopyBuild,
-    user: User,
-  ) -> anyhow::Result<Build> {
-    let Build {
-      config,
-      ..
-    } = resource::get_check_permissions::<Build>(
-      &id,
-      &user,
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Build> {
+    let Build { mut config, .. } =
+      resource::get_check_permissions::<Build>(
+        &self.id,
+        user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    // reset version to 0.0.0
+    config.version = Default::default();
+    Ok(
+      resource::create::<Build>(&self.name, config.into(), user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteBuild {
+  #[instrument(name = "DeleteBuild", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Build> {
+    Ok(resource::delete::<Build>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateBuild {
+  #[instrument(name = "UpdateBuild", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Build> {
+    Ok(resource::update::<Build>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameBuild {
+  #[instrument(name = "RenameBuild", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Build>(&self.id, &self.name, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for WriteBuildFileContents {
+  #[instrument(name = "WriteBuildFileContents", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
+    let build = resource::get_check_permissions::<Build>(
+      &self.build,
+      &args.user,
       PermissionLevel::Write,
     )
     .await?;
-    resource::create::<Build>(&name, config.into(), &user).await
+
+    if !build.config.files_on_host && build.config.repo.is_empty() {
+      return Err(anyhow!(
+        "Build is not configured to use Files on Host or Git Repo, can't write dockerfile contents"
+      ).into());
+    }
+
+    let mut update =
+      make_update(&build, Operation::WriteDockerfile, &args.user);
+
+    update.push_simple_log("Dockerfile to write", &self.contents);
+
+    if build.config.files_on_host {
+      match get_on_host_periphery(&build)
+        .await?
+        .request(WriteDockerfileContentsToHost {
+          name: build.name,
+          build_path: build.config.build_path,
+          dockerfile_path: build.config.dockerfile_path,
+          contents: self.contents,
+        })
+        .await
+        .context("Failed to write dockerfile contents to host")
+      {
+        Ok(log) => {
+          update.logs.push(log);
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Write Dockerfile Contents",
+            format_serror(&e.into()),
+          );
+        }
+      };
+
+      if !all_logs_success(&update.logs) {
+        update.finalize();
+        update.id = add_update(update.clone()).await?;
+
+        return Ok(update);
+      }
+
+      if let Err(e) =
+        (RefreshBuildCache { build: build.id }).resolve(args).await
+      {
+        update.push_error_log(
+          "Refresh build cache",
+          format_serror(&e.error.into()),
+        );
+      }
+
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+
+      Ok(update)
+    } else {
+      write_dockerfile_contents_git(self, args, build, update).await
+    }
   }
 }
 
-impl Resolve<DeleteBuild, User> for State {
-  #[instrument(name = "DeleteBuild", skip(self, user))]
+async fn write_dockerfile_contents_git(
+  req: WriteBuildFileContents,
+  args: &WriteArgs,
+  build: Build,
+  mut update: Update,
+) -> serror::Result<Update> {
+  let WriteBuildFileContents { build: _, contents } = req;
+
+  let mut clone_args: CloneArgs = (&build).into();
+  let root = clone_args.unique_path(&core_config().repo_directory)?;
+
+  let build_path = build
+    .config
+    .build_path
+    .parse::<PathBuf>()
+    .context("Invalid build path")?;
+  let dockerfile_path = build
+    .config
+    .dockerfile_path
+    .parse::<PathBuf>()
+    .context("Invalid dockerfile path")?;
+
+  let full_path = root.join(&build_path).join(&dockerfile_path);
+
+  if let Some(parent) = full_path.parent() {
+    fs::create_dir_all(parent).await.with_context(|| {
+      format!(
+        "Failed to initialize dockerfile parent directory {parent:?}"
+      )
+    })?;
+  }
+
+  // Ensure the folder is initialized as git repo.
+  // This allows a new file to be committed on a branch that may not exist.
+  if !root.join(".git").exists() {
+    let access_token = if let Some(account) = &clone_args.account {
+      git_token(&clone_args.provider, account, |https| clone_args.https = https)
+      .await
+      .with_context(
+        || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", clone_args.provider),
+      )?
+    } else {
+      None
+    };
+
+    git::init_folder_as_repo(
+      &root,
+      &clone_args,
+      access_token.as_deref(),
+      &mut update.logs,
+    )
+    .await;
+
+    if !all_logs_success(&update.logs) {
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+
+      return Ok(update);
+    }
+  }
+
+  if let Err(e) =
+    fs::write(&full_path, &contents).await.with_context(|| {
+      format!("Failed to write dockerfile contents to {full_path:?}")
+    })
+  {
+    update
+      .push_error_log("Write Dockerfile", format_serror(&e.into()));
+  } else {
+    update.push_simple_log(
+      "Write Dockerfile",
+      format!("File written to {full_path:?}"),
+    );
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    return Ok(update);
+  }
+
+  let commit_res = git::commit_file(
+    &format!("{}: Commit Dockerfile", args.user.username),
+    &root,
+    &build_path.join(&dockerfile_path),
+    &build.config.branch,
+  )
+  .await;
+
+  update.logs.extend(commit_res.logs);
+
+  if let Err(e) = (RefreshBuildCache { build: build.name })
+    .resolve(args)
+    .await
+  {
+    update.push_error_log(
+      "Refresh build cache",
+      format_serror(&e.error.into()),
+    );
+  }
+
+  update.finalize();
+  update.id = add_update(update.clone()).await?;
+
+  Ok(update)
+}
+
+impl Resolve<WriteArgs> for RefreshBuildCache {
+  #[instrument(
+    name = "RefreshBuildCache",
+    level = "debug",
+    skip(user)
+  )]
   async fn resolve(
-    &self,
-    DeleteBuild { id }: DeleteBuild,
-    user: User,
-  ) -> anyhow::Result<Build> {
-    resource::delete::<Build>(&id, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
+    // build should be able to do this.
+    let build = resource::get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    let (
+      remote_path,
+      remote_contents,
+      remote_error,
+      latest_hash,
+      latest_message,
+    ) = if build.config.files_on_host {
+      // =============
+      // FILES ON HOST
+      // =============
+      match get_on_host_dockerfile(&build).await {
+        Ok(FileContents { path, contents }) => {
+          (Some(path), Some(contents), None, None, None)
+        }
+        Err(e) => {
+          (None, None, Some(format_serror(&e.into())), None, None)
+        }
+      }
+    } else if !build.config.repo.is_empty() {
+      // ================
+      // REPO BASED BUILD
+      // ================
+      if build.config.git_provider.is_empty() {
+        // Nothing to do here
+        return Ok(NoData {});
+      }
+      let config = core_config();
+
+      let mut clone_args: CloneArgs = (&build).into();
+      let repo_path =
+        clone_args.unique_path(&core_config().repo_directory)?;
+      clone_args.destination = Some(repo_path.display().to_string());
+      // Don't want to run these on core.
+      clone_args.on_clone = None;
+      clone_args.on_pull = None;
+
+      let access_token = if let Some(username) = &clone_args.account {
+        git_token(&clone_args.provider, username, |https| {
+          clone_args.https = https
+        })
+        .await
+        .with_context(
+          || format!("Failed to get git token in call to db. Stopping run. | {} | {username}", clone_args.provider),
+        )?
+      } else {
+        None
+      };
+
+      let GitRes { hash, message, .. } = git::pull_or_clone(
+        clone_args,
+        &config.repo_directory,
+        access_token,
+        &[],
+        "",
+        None,
+        &[],
+      )
+      .await
+      .context("failed to clone build repo")?;
+
+      let relative_path = PathBuf::from_str(&build.config.build_path)
+        .context("Invalid build path")?
+        .join(&build.config.dockerfile_path);
+
+      let full_path = repo_path.join(&relative_path);
+      let (contents, error) = match fs::read_to_string(&full_path)
+        .await
+        .with_context(|| {
+          format!(
+            "Failed to read dockerfile contents at {full_path:?}"
+          )
+        }) {
+        Ok(contents) => (Some(contents), None),
+        Err(e) => (None, Some(format_serror(&e.into()))),
+      };
+
+      (
+        Some(relative_path.display().to_string()),
+        contents,
+        error,
+        hash,
+        message,
+      )
+    } else {
+      // =============
+      // UI BASED FILE
+      // =============
+      (None, None, None, None, None)
+    };
+
+    let info = BuildInfo {
+      last_built_at: build.info.last_built_at,
+      built_hash: build.info.built_hash,
+      built_message: build.info.built_message,
+      built_contents: build.info.built_contents,
+      remote_path,
+      remote_contents,
+      remote_error,
+      latest_hash,
+      latest_message,
+    };
+
+    let info = to_document(&info)
+      .context("failed to serialize build info to bson")?;
+
+    db_client()
+      .builds
+      .update_one(
+        doc! { "name": &build.name },
+        doc! { "$set": { "info": info } },
+      )
+      .await
+      .context("failed to update build info on db")?;
+
+    Ok(NoData {})
   }
 }
 
-impl Resolve<UpdateBuild, User> for State {
-  #[instrument(name = "UpdateBuild", skip(self, user))]
-  async fn resolve(
-    &self,
-    UpdateBuild { id, config }: UpdateBuild,
-    user: User,
-  ) -> anyhow::Result<Build> {
-    resource::update::<Build>(&id, config, &user).await
+async fn get_on_host_periphery(
+  build: &Build,
+) -> anyhow::Result<PeripheryClient> {
+  if build.config.builder_id.is_empty() {
+    return Err(anyhow!("No builder associated with build"));
+  }
+
+  let builder = resource::get::<Builder>(&build.config.builder_id)
+    .await
+    .context("Failed to get builder")?;
+
+  match builder.config {
+    BuilderConfig::Aws(_) => {
+      return Err(anyhow!(
+        "Files on host doesn't work with AWS builder"
+      ));
+    }
+    BuilderConfig::Url(config) => {
+      let periphery = PeripheryClient::new(
+        config.address,
+        config.passkey,
+        Duration::from_secs(3),
+      );
+      periphery.health_check().await?;
+      Ok(periphery)
+    }
+    BuilderConfig::Server(config) => {
+      if config.server_id.is_empty() {
+        return Err(anyhow!(
+          "Builder is type server, but has no server attached"
+        ));
+      }
+      let (server, state) =
+        get_server_with_state(&config.server_id).await?;
+      if state != ServerState::Ok {
+        return Err(anyhow!(
+          "Builder server is disabled or not reachable"
+        ));
+      };
+      periphery_client(&server)
+    }
+  }
+}
+
+/// The successful case will be included as Some(remote_contents).
+/// The error case will be included as Some(remote_error)
+async fn get_on_host_dockerfile(
+  build: &Build,
+) -> anyhow::Result<FileContents> {
+  get_on_host_periphery(build)
+    .await?
+    .request(GetDockerfileContentsOnHost {
+      name: build.name.clone(),
+      build_path: build.config.build_path.clone(),
+      dockerfile_path: build.config.dockerfile_path.clone(),
+    })
+    .await
+}
+
+impl Resolve<WriteArgs> for CreateBuildWebhook {
+  #[instrument(name = "CreateBuildWebhook", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<CreateBuildWebhookResponse> {
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let WriteArgs { user } = args;
+
+    let build = resource::get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    if build.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't create webhook").into(),
+      );
+    }
+
+    let mut split = build.config.repo.split('/');
+    let owner = split.next().context("Build repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo =
+      split.next().context("Build repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    // First make sure the webhook isn't already created (inactive ones are ignored)
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      webhook_secret,
+      ..
+    } = core_config();
+
+    let webhook_secret = if build.config.webhook_secret.is_empty() {
+      webhook_secret
+    } else {
+      &build.config.webhook_secret
+    };
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = format!("{host}/listener/github/build/{}", build.id);
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        return Ok(NoData {});
+      }
+    }
+
+    // Now good to create the webhook
+    let request = ReposCreateWebhookRequest {
+      active: Some(true),
+      config: Some(ReposCreateWebhookRequestConfig {
+        url,
+        secret: webhook_secret.to_string(),
+        content_type: String::from("json"),
+        insecure_ssl: None,
+        digest: Default::default(),
+        token: Default::default(),
+      }),
+      events: vec![String::from("push")],
+      name: String::from("web"),
+    };
+    github_repos
+      .create_webhook(owner, repo, &request)
+      .await
+      .context("failed to create webhook")?;
+
+    if !build.config.webhook_enabled {
+      UpdateBuild {
+        id: build.id,
+        config: PartialBuildConfig {
+          webhook_enabled: Some(true),
+          ..Default::default()
+        },
+      }
+      .resolve(args)
+      .await
+      .map_err(|e| e.error)
+      .context("failed to update build to enable webhook")?;
+    }
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteBuildWebhook {
+  #[instrument(name = "DeleteBuildWebhook", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteBuildWebhookResponse> {
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let build = resource::get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    if build.config.git_provider != "github.com" {
+      return Err(
+        anyhow!("Can only manage github.com repo webhooks").into(),
+      );
+    }
+
+    if build.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't delete webhook").into(),
+      );
+    }
+
+    let mut split = build.config.repo.split('/');
+    let owner = split.next().context("Build repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo =
+      split.next().context("Build repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = format!("{host}/listener/github/build/{}", build.id);
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        github_repos
+          .delete_webhook(owner, repo, webhook.id)
+          .await
+          .context("failed to delete webhook")?;
+        return Ok(NoData {});
+      }
+    }
+
+    // No webhook to delete, all good
+    Ok(NoData {})
   }
 }

bin/core/src/api/write/builder.rs

@@ -1,59 +1,77 @@
-use monitor_client::{
+use komodo_client::{
   api::write::*,
   entities::{
-    builder::Builder, permission::PermissionLevel, user::User,
+    builder::Builder, permission::PermissionLevel, update::Update,
   },
 };
 use resolver_api::Resolve;
 
-use crate::{resource, state::State};
+use crate::resource;
 
-impl Resolve<CreateBuilder, User> for State {
-  #[instrument(name = "CreateBuilder", skip(self, user))]
-  async fn resolve(
-    &self,
-    CreateBuilder { name, config }: CreateBuilder,
-    user: User,
-  ) -> anyhow::Result<Builder> {
-    resource::create::<Builder>(&name, config, &user).await
-  }
-}
+use super::WriteArgs;
 
-impl Resolve<CopyBuilder, User> for State {
-  #[instrument(name = "CopyBuilder", skip(self, user))]
+impl Resolve<WriteArgs> for CreateBuilder {
+  #[instrument(name = "CreateBuilder", skip(user))]
   async fn resolve(
-    &self,
-    CopyBuilder { name, id }: CopyBuilder,
-    user: User,
-  ) -> anyhow::Result<Builder> {
-    let Builder { config, .. } = resource::get_check_permissions::<
-      Builder,
-    >(
-      &id, &user, PermissionLevel::Write
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Builder> {
+    Ok(
+      resource::create::<Builder>(&self.name, self.config, user)
+        .await?,
     )
-    .await?;
-    resource::create::<Builder>(&name, config.into(), &user).await
   }
 }
 
-impl Resolve<DeleteBuilder, User> for State {
-  #[instrument(name = "DeleteBuilder", skip(self, user))]
+impl Resolve<WriteArgs> for CopyBuilder {
+  #[instrument(name = "CopyBuilder", skip(user))]
   async fn resolve(
-    &self,
-    DeleteBuilder { id }: DeleteBuilder,
-    user: User,
-  ) -> anyhow::Result<Builder> {
-    resource::delete::<Builder>(&id, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Builder> {
+    let Builder { config, .. } =
+      resource::get_check_permissions::<Builder>(
+        &self.id,
+        user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    Ok(
+      resource::create::<Builder>(&self.name, config.into(), user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<UpdateBuilder, User> for State {
-  #[instrument(name = "UpdateBuilder", skip(self, user))]
+impl Resolve<WriteArgs> for DeleteBuilder {
+  #[instrument(name = "DeleteBuilder", skip(args))]
   async fn resolve(
-    &self,
-    UpdateBuilder { id, config }: UpdateBuilder,
-    user: User,
-  ) -> anyhow::Result<Builder> {
-    resource::update::<Builder>(&id, config, &user).await
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<Builder> {
+    Ok(resource::delete::<Builder>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateBuilder {
+  #[instrument(name = "UpdateBuilder", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Builder> {
+    Ok(
+      resource::update::<Builder>(&self.id, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for RenameBuilder {
+  #[instrument(name = "RenameBuilder", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Builder>(&self.id, &self.name, user).await?)
   }
 }

bin/core/src/api/write/deployment.rs

@@ -1,19 +1,22 @@
-use anyhow::{anyhow, Context};
-use monitor_client::{
+use anyhow::{Context, anyhow};
+use komodo_client::{
   api::write::*,
   entities::{
-    deployment::{Deployment, DeploymentState},
-    monitor_timestamp,
-    permission::PermissionLevel,
-    server::Server,
-    to_monitor_name,
-    update::Update,
-    user::User,
     Operation,
+    deployment::{
+      Deployment, DeploymentImage, DeploymentState,
+      PartialDeploymentConfig, RestartMode,
+    },
+    docker::container::RestartPolicyNameEnum,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    server::{Server, ServerState},
+    to_komodo_name,
+    update::Update,
   },
 };
 use mungos::{by_id::update_one_by_id, mongodb::bson::doc};
-use periphery_client::api;
+use periphery_client::api::{self, container::InspectContainer};
 use resolver_api::Resolve;
 
 use crate::{
@@ -23,70 +26,171 @@ use crate::{
     update::{add_update, make_update},
   },
   resource,
-  state::{action_states, db_client, State},
+  state::{action_states, db_client, server_status_cache},
 };
 
-impl Resolve<CreateDeployment, User> for State {
-  #[instrument(name = "CreateDeployment", skip(self, user))]
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateDeployment {
+  #[instrument(name = "CreateDeployment", skip(user))]
   async fn resolve(
-    &self,
-    CreateDeployment { name, config }: CreateDeployment,
-    user: User,
-  ) -> anyhow::Result<Deployment> {
-    resource::create::<Deployment>(&name, config, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Deployment> {
+    Ok(
+      resource::create::<Deployment>(&self.name, self.config, user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<CopyDeployment, User> for State {
-  #[instrument(name = "CopyDeployment", skip(self, user))]
+impl Resolve<WriteArgs> for CopyDeployment {
+  #[instrument(name = "CopyDeployment", skip(user))]
   async fn resolve(
-    &self,
-    CopyDeployment { name, id }: CopyDeployment,
-    user: User,
-  ) -> anyhow::Result<Deployment> {
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Deployment> {
     let Deployment { config, .. } =
       resource::get_check_permissions::<Deployment>(
-        &id,
-        &user,
+        &self.id,
+        user,
         PermissionLevel::Write,
       )
       .await?;
-    resource::create::<Deployment>(&name, config.into(), &user).await
+    Ok(
+      resource::create::<Deployment>(&self.name, config.into(), user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<DeleteDeployment, User> for State {
-  #[instrument(name = "DeleteDeployment", skip(self, user))]
+impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
+  #[instrument(name = "CreateDeploymentFromContainer", skip(user))]
   async fn resolve(
-    &self,
-    DeleteDeployment { id }: DeleteDeployment,
-    user: User,
-  ) -> anyhow::Result<Deployment> {
-    resource::delete::<Deployment>(&id, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Deployment> {
+    let server = resource::get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Write,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect container: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let container = periphery_client(&server)?
+      .request(InspectContainer {
+        name: self.name.clone(),
+      })
+      .await
+      .context("Failed to inspect container")?;
+
+    let mut config = PartialDeploymentConfig {
+      server_id: server.id.into(),
+      ..Default::default()
+    };
+
+    if let Some(container_config) = container.config {
+      config.image = container_config
+        .image
+        .map(|image| DeploymentImage::Image { image });
+      config.command = container_config.cmd.join(" ").into();
+      config.environment = container_config
+        .env
+        .into_iter()
+        .map(|env| format!("  {env}"))
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+      config.labels = container_config
+        .labels
+        .into_iter()
+        .map(|(key, val)| format!("  {key}: {val}"))
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+    }
+    if let Some(host_config) = container.host_config {
+      config.volumes = host_config
+        .binds
+        .into_iter()
+        .map(|bind| format!("  {bind}"))
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+      config.network = host_config.network_mode;
+      config.ports = host_config
+        .port_bindings
+        .into_iter()
+        .filter_map(|(container, mut host)| {
+          let host = host.pop()?.host_port?;
+          Some(format!("  {host}:{}", container.replace("/tcp", "")))
+        })
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+      config.restart = host_config.restart_policy.map(|restart| {
+        match restart.name {
+          RestartPolicyNameEnum::Always => RestartMode::Always,
+          RestartPolicyNameEnum::No
+          | RestartPolicyNameEnum::Empty => RestartMode::NoRestart,
+          RestartPolicyNameEnum::UnlessStopped => {
+            RestartMode::UnlessStopped
+          }
+          RestartPolicyNameEnum::OnFailure => RestartMode::OnFailure,
+        }
+      });
+    }
+
+    Ok(
+      resource::create::<Deployment>(&self.name, config, user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<UpdateDeployment, User> for State {
-  #[instrument(name = "UpdateDeployment", skip(self, user))]
+impl Resolve<WriteArgs> for DeleteDeployment {
+  #[instrument(name = "DeleteDeployment", skip(args))]
   async fn resolve(
-    &self,
-    UpdateDeployment { id, config }: UpdateDeployment,
-    user: User,
-  ) -> anyhow::Result<Deployment> {
-    resource::update::<Deployment>(&id, config, &user).await
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<Deployment> {
+    Ok(resource::delete::<Deployment>(&self.id, args).await?)
   }
 }
 
-impl Resolve<RenameDeployment, User> for State {
-  #[instrument(name = "RenameDeployment", skip(self, user))]
+impl Resolve<WriteArgs> for UpdateDeployment {
+  #[instrument(name = "UpdateDeployment", skip(user))]
   async fn resolve(
-    &self,
-    RenameDeployment { id, name }: RenameDeployment,
-    user: User,
-  ) -> anyhow::Result<Update> {
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Deployment> {
+    Ok(
+      resource::update::<Deployment>(&self.id, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for RenameDeployment {
+  #[instrument(name = "RenameDeployment", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
     let deployment = resource::get_check_permissions::<Deployment>(
-      &id,
-      &user,
+      &self.id,
+      user,
       PermissionLevel::Write,
     )
     .await?;
@@ -102,29 +206,32 @@ impl Resolve<RenameDeployment, User> for State {
     let _action_guard =
       action_state.update(|state| state.renaming = true)?;
 
-    let name = to_monitor_name(&name);
+    let name = to_komodo_name(&self.name);
 
     let container_state = get_deployment_state(&deployment).await?;
 
     if container_state == DeploymentState::Unknown {
-      return Err(anyhow!(
-        "cannot rename deployment when container status is unknown"
-      ));
+      return Err(
+        anyhow!(
+          "Cannot rename Deployment when container status is unknown"
+        )
+        .into(),
+      );
     }
 
     let mut update =
-      make_update(&deployment, Operation::RenameDeployment, &user);
+      make_update(&deployment, Operation::RenameDeployment, user);
 
     update_one_by_id(
-      &db_client().await.deployments,
+      &db_client().deployments,
       &deployment.id,
       mungos::update::Update::Set(
-        doc! { "name": &name, "updated_at": monitor_timestamp() },
+        doc! { "name": &name, "updated_at": komodo_timestamp() },
       ),
       None,
     )
     .await
-    .context("failed to update deployment name on db")?;
+    .context("Failed to update Deployment name on db")?;
 
     if container_state != DeploymentState::NotDeployed {
       let server =
@@ -135,20 +242,19 @@ impl Resolve<RenameDeployment, User> for State {
           new_name: name.clone(),
         })
         .await
-        .context("failed to rename container on server")?;
+        .context("Failed to rename container on server")?;
       update.logs.push(log);
     }
 
     update.push_simple_log(
-      "rename deployment",
+      "Rename Deployment",
       format!(
-        "renamed deployment from {} to {}",
+        "Renamed Deployment from {} to {}",
         deployment.name, name
       ),
     );
     update.finalize();
-
-    add_update(update.clone()).await?;
+    update.id = add_update(update.clone()).await?;
 
     Ok(update)
   }

bin/core/src/api/write/description.rs

@@ -1,94 +1,119 @@
 use anyhow::anyhow;
-use monitor_client::{
+use komodo_client::{
   api::write::{UpdateDescription, UpdateDescriptionResponse},
   entities::{
-    alerter::Alerter, build::Build, builder::Builder,
-    deployment::Deployment, procedure::Procedure, repo::Repo,
-    server::Server, server_template::ServerTemplate,
-    update::ResourceTarget, user::User,
+    ResourceTarget, action::Action, alerter::Alerter, build::Build,
+    builder::Builder, deployment::Deployment, procedure::Procedure,
+    repo::Repo, server::Server, server_template::ServerTemplate,
+    stack::Stack, sync::ResourceSync,
   },
 };
 use resolver_api::Resolve;
 
-use crate::{resource, state::State};
+use crate::resource;
 
-impl Resolve<UpdateDescription, User> for State {
-  #[instrument(name = "UpdateDescription", skip(self, user))]
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for UpdateDescription {
+  #[instrument(name = "UpdateDescription", skip(user))]
   async fn resolve(
-    &self,
-    UpdateDescription {
-      target,
-      description,
-    }: UpdateDescription,
-    user: User,
-  ) -> anyhow::Result<UpdateDescriptionResponse> {
-    match target {
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateDescriptionResponse> {
+    match self.target {
       ResourceTarget::System(_) => {
-        return Err(anyhow!(
-          "cannot update description of System resource target"
-        ))
+        return Err(
+          anyhow!(
+            "cannot update description of System resource target"
+          )
+          .into(),
+        );
       }
       ResourceTarget::Server(id) => {
         resource::update_description::<Server>(
           &id,
-          &description,
-          &user,
+          &self.description,
+          user,
         )
         .await?;
       }
       ResourceTarget::Deployment(id) => {
         resource::update_description::<Deployment>(
           &id,
-          &description,
-          &user,
+          &self.description,
+          user,
         )
         .await?;
       }
       ResourceTarget::Build(id) => {
         resource::update_description::<Build>(
           &id,
-          &description,
-          &user,
+          &self.description,
+          user,
         )
         .await?;
       }
       ResourceTarget::Repo(id) => {
         resource::update_description::<Repo>(
           &id,
-          &description,
-          &user,
+          &self.description,
+          user,
         )
         .await?;
       }
       ResourceTarget::Builder(id) => {
         resource::update_description::<Builder>(
           &id,
-          &description,
-          &user,
+          &self.description,
+          user,
         )
         .await?;
       }
       ResourceTarget::Alerter(id) => {
         resource::update_description::<Alerter>(
           &id,
-          &description,
-          &user,
+          &self.description,
+          user,
         )
         .await?;
       }
       ResourceTarget::Procedure(id) => {
         resource::update_description::<Procedure>(
           &id,
-          &description,
-          &user,
+          &self.description,
+          user,
+        )
+        .await?;
+      }
+      ResourceTarget::Action(id) => {
+        resource::update_description::<Action>(
+          &id,
+          &self.description,
+          user,
         )
         .await?;
       }
       ResourceTarget::ServerTemplate(id) => {
         resource::update_description::<ServerTemplate>(
           &id,
-          &description,
-          &user,
+          &self.description,
+          user,
+        )
+        .await?;
+      }
+      ResourceTarget::ResourceSync(id) => {
+        resource::update_description::<ResourceSync>(
+          &id,
+          &self.description,
+          user,
+        )
+        .await?;
+      }
+      ResourceTarget::Stack(id) => {
+        resource::update_description::<Stack>(
+          &id,
+          &self.description,
+          user,
         )
         .await?;
       }

bin/core/src/api/write/mod.rs

@@ -1,50 +1,62 @@
 use std::time::Instant;
 
-use anyhow::{anyhow, Context};
-use axum::{middleware, routing::post, Extension, Router};
-use axum_extra::{headers::ContentType, TypedHeader};
-use monitor_client::{api::write::*, entities::user::User};
-use resolver_api::{derive::Resolver, Resolver};
+use anyhow::Context;
+use axum::{Extension, Router, middleware, routing::post};
+use derive_variants::{EnumVariants, ExtractVariant};
+use komodo_client::{api::write::*, entities::user::User};
+use resolver_api::Resolve;
+use response::Response;
 use serde::{Deserialize, Serialize};
 use serror::Json;
 use typeshare::typeshare;
 use uuid::Uuid;
 
-use crate::{auth::auth_request, state::State};
+use crate::auth::auth_request;
 
+mod action;
 mod alerter;
-mod api_key;
 mod build;
 mod builder;
 mod deployment;
 mod description;
 mod permissions;
 mod procedure;
+mod provider;
 mod repo;
 mod server;
 mod server_template;
+mod service_user;
+mod stack;
+mod sync;
 mod tag;
 mod user;
 mod user_group;
 mod variable;
 
-#[typeshare]
-#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
-#[resolver_target(State)]
-#[resolver_args(User)]
-#[serde(tag = "type", content = "params")]
-enum WriteRequest {
-  // ==== API KEY ====
-  CreateApiKey(CreateApiKey),
-  DeleteApiKey(DeleteApiKey),
-  CreateApiKeyForServiceUser(CreateApiKeyForServiceUser),
-  DeleteApiKeyForServiceUser(DeleteApiKeyForServiceUser),
+pub struct WriteArgs {
+  pub user: User,
+}
 
+#[typeshare]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+)]
+#[variant_derive(Debug)]
+#[args(WriteArgs)]
+#[response(Response)]
+#[error(serror::Error)]
+#[serde(tag = "type", content = "params")]
+pub enum WriteRequest {
   // ==== USER ====
-  PushRecentlyViewed(PushRecentlyViewed),
-  SetLastSeenUpdate(SetLastSeenUpdate),
+  UpdateUserUsername(UpdateUserUsername),
+  UpdateUserPassword(UpdateUserPassword),
+  DeleteUser(DeleteUser),
+
+  // ==== SERVICE USER ====
   CreateServiceUser(CreateServiceUser),
   UpdateServiceUserDescription(UpdateServiceUserDescription),
+  CreateApiKeyForServiceUser(CreateApiKeyForServiceUser),
+  DeleteApiKeyForServiceUser(DeleteApiKeyForServiceUser),
 
   // ==== USER GROUP ====
   CreateUserGroup(CreateUserGroup),
@@ -55,7 +67,9 @@ enum WriteRequest {
   SetUsersInUserGroup(SetUsersInUserGroup),
 
   // ==== PERMISSIONS ====
+  UpdateUserAdmin(UpdateUserAdmin),
   UpdateUserBasePermissions(UpdateUserBasePermissions),
+  UpdatePermissionOnResourceType(UpdatePermissionOnResourceType),
   UpdatePermissionOnTarget(UpdatePermissionOnTarget),
 
   // ==== DESCRIPTION ====
@@ -67,11 +81,11 @@ enum WriteRequest {
   UpdateServer(UpdateServer),
   RenameServer(RenameServer),
   CreateNetwork(CreateNetwork),
-  DeleteNetwork(DeleteNetwork),
 
   // ==== DEPLOYMENT ====
   CreateDeployment(CreateDeployment),
   CopyDeployment(CopyDeployment),
+  CreateDeploymentFromContainer(CreateDeploymentFromContainer),
   DeleteDeployment(DeleteDeployment),
   UpdateDeployment(UpdateDeployment),
   RenameDeployment(RenameDeployment),
@@ -81,48 +95,101 @@ enum WriteRequest {
   CopyBuild(CopyBuild),
   DeleteBuild(DeleteBuild),
   UpdateBuild(UpdateBuild),
+  RenameBuild(RenameBuild),
+  WriteBuildFileContents(WriteBuildFileContents),
+  RefreshBuildCache(RefreshBuildCache),
+  CreateBuildWebhook(CreateBuildWebhook),
+  DeleteBuildWebhook(DeleteBuildWebhook),
 
   // ==== BUILDER ====
   CreateBuilder(CreateBuilder),
   CopyBuilder(CopyBuilder),
   DeleteBuilder(DeleteBuilder),
   UpdateBuilder(UpdateBuilder),
+  RenameBuilder(RenameBuilder),
 
   // ==== SERVER TEMPLATE ====
   CreateServerTemplate(CreateServerTemplate),
   CopyServerTemplate(CopyServerTemplate),
   DeleteServerTemplate(DeleteServerTemplate),
   UpdateServerTemplate(UpdateServerTemplate),
+  RenameServerTemplate(RenameServerTemplate),
 
   // ==== REPO ====
   CreateRepo(CreateRepo),
   CopyRepo(CopyRepo),
   DeleteRepo(DeleteRepo),
   UpdateRepo(UpdateRepo),
+  RenameRepo(RenameRepo),
+  RefreshRepoCache(RefreshRepoCache),
+  CreateRepoWebhook(CreateRepoWebhook),
+  DeleteRepoWebhook(DeleteRepoWebhook),
 
   // ==== ALERTER ====
   CreateAlerter(CreateAlerter),
   CopyAlerter(CopyAlerter),
   DeleteAlerter(DeleteAlerter),
   UpdateAlerter(UpdateAlerter),
+  RenameAlerter(RenameAlerter),
 
   // ==== PROCEDURE ====
   CreateProcedure(CreateProcedure),
   CopyProcedure(CopyProcedure),
   DeleteProcedure(DeleteProcedure),
   UpdateProcedure(UpdateProcedure),
+  RenameProcedure(RenameProcedure),
+
+  // ==== ACTION ====
+  CreateAction(CreateAction),
+  CopyAction(CopyAction),
+  DeleteAction(DeleteAction),
+  UpdateAction(UpdateAction),
+  RenameAction(RenameAction),
+
+  // ==== SYNC ====
+  CreateResourceSync(CreateResourceSync),
+  CopyResourceSync(CopyResourceSync),
+  DeleteResourceSync(DeleteResourceSync),
+  UpdateResourceSync(UpdateResourceSync),
+  RenameResourceSync(RenameResourceSync),
+  WriteSyncFileContents(WriteSyncFileContents),
+  CommitSync(CommitSync),
+  RefreshResourceSyncPending(RefreshResourceSyncPending),
+  CreateSyncWebhook(CreateSyncWebhook),
+  DeleteSyncWebhook(DeleteSyncWebhook),
+
+  // ==== STACK ====
+  CreateStack(CreateStack),
+  CopyStack(CopyStack),
+  DeleteStack(DeleteStack),
+  UpdateStack(UpdateStack),
+  RenameStack(RenameStack),
+  WriteStackFileContents(WriteStackFileContents),
+  RefreshStackCache(RefreshStackCache),
+  CreateStackWebhook(CreateStackWebhook),
+  DeleteStackWebhook(DeleteStackWebhook),
 
   // ==== TAG ====
   CreateTag(CreateTag),
   DeleteTag(DeleteTag),
   RenameTag(RenameTag),
+  UpdateTagColor(UpdateTagColor),
   UpdateTagsOnResource(UpdateTagsOnResource),
 
   // ==== VARIABLE ====
   CreateVariable(CreateVariable),
   UpdateVariableValue(UpdateVariableValue),
   UpdateVariableDescription(UpdateVariableDescription),
+  UpdateVariableIsSecret(UpdateVariableIsSecret),
   DeleteVariable(DeleteVariable),
+
+  // ==== PROVIDERS ====
+  CreateGitProviderAccount(CreateGitProviderAccount),
+  UpdateGitProviderAccount(UpdateGitProviderAccount),
+  DeleteGitProviderAccount(DeleteGitProviderAccount),
+  CreateDockerRegistryAccount(CreateDockerRegistryAccount),
+  UpdateDockerRegistryAccount(UpdateDockerRegistryAccount),
+  DeleteDockerRegistryAccount(DeleteDockerRegistryAccount),
 }
 
 pub fn router() -> Router {
@@ -134,7 +201,7 @@ pub fn router() -> Router {
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<WriteRequest>,
-) -> serror::Result<(TypedHeader<ContentType>, String)> {
+) -> serror::Result<axum::response::Response> {
   let req_id = Uuid::new_v4();
 
   let res = tokio::spawn(task(req_id, request, user))
@@ -145,39 +212,34 @@ async fn handler(
     warn!("/write request {req_id} spawn error: {e:#}");
   }
 
-  Ok((TypedHeader(ContentType::json()), res??))
+  res?
 }
 
-#[instrument(name = "WriteRequest", skip(user))]
+#[instrument(
+  name = "WriteRequest",
+  skip(user, request),
+  fields(
+    user_id = user.id,
+    request = format!("{:?}", request.extract_variant())
+  )
+)]
 async fn task(
   req_id: Uuid,
   request: WriteRequest,
   user: User,
-) -> anyhow::Result<String> {
-  info!(
-    "/write request {req_id} | user: {} ({})",
-    user.username, user.id
-  );
+) -> serror::Result<axum::response::Response> {
+  info!("/write request | user: {}", user.username);
 
   let timer = Instant::now();
 
-  let res =
-    State
-      .resolve_request(request, user)
-      .await
-      .map_err(|e| match e {
-        resolver_api::Error::Serialization(e) => {
-          anyhow!("{e:?}").context("response serialization error")
-        }
-        resolver_api::Error::Inner(e) => e,
-      });
+  let res = request.resolve(&WriteArgs { user }).await;
 
   if let Err(e) = &res {
-    warn!("/write request {req_id} error: {e:#}");
+    warn!("/write request {req_id} error: {:#}", e.error);
   }
 
   let elapsed = timer.elapsed();
-  info!("/write request {req_id} | resolve time: {elapsed:?}");
+  debug!("/write request {req_id} | resolve time: {elapsed:?}");
 
-  res
+  res.map(|res| res.0)
 }

bin/core/src/api/write/permissions.rs

@@ -1,54 +1,97 @@
 use std::str::FromStr;
 
-use anyhow::{anyhow, Context};
-use monitor_client::{
-  api::write::{
-    UpdatePermissionOnTarget, UpdatePermissionOnTargetResponse,
-    UpdateUserBasePermissions, UpdateUserBasePermissionsResponse,
-  },
+use anyhow::{Context, anyhow};
+use komodo_client::{
+  api::write::*,
   entities::{
+    ResourceTarget, ResourceTargetVariant,
     permission::{UserTarget, UserTargetVariant},
-    update::{ResourceTarget, ResourceTargetVariant},
-    user::User,
   },
 };
 use mungos::{
   by_id::{find_one_by_id, update_one_by_id},
   mongodb::{
-    bson::{doc, oid::ObjectId, Document},
+    bson::{Document, doc, oid::ObjectId},
     options::UpdateOptions,
   },
 };
 use resolver_api::Resolve;
 
-use crate::{
-  helpers::query::get_user,
-  state::{db_client, State},
-};
+use crate::{helpers::query::get_user, state::db_client};
 
-impl Resolve<UpdateUserBasePermissions, User> for State {
-  #[instrument(name = "UpdateUserBasePermissions", skip(self, admin))]
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for UpdateUserAdmin {
+  #[instrument(name = "UpdateUserAdmin", skip(super_admin))]
   async fn resolve(
-    &self,
-    UpdateUserBasePermissions {
+    self,
+    WriteArgs { user: super_admin }: &WriteArgs,
+  ) -> serror::Result<UpdateUserAdminResponse> {
+    if !super_admin.super_admin {
+      return Err(
+        anyhow!("Only super admins can call this method.").into(),
+      );
+    }
+    let user = find_one_by_id(&db_client().users, &self.user_id)
+      .await
+      .context("failed to query mongo for user")?
+      .context("did not find user with given id")?;
+
+    if !user.enabled {
+      return Err(
+        anyhow!("User is disabled. Enable user first.").into(),
+      );
+    }
+
+    if user.super_admin {
+      return Err(anyhow!("Cannot update other super admins").into());
+    }
+
+    update_one_by_id(
+      &db_client().users,
+      &self.user_id,
+      doc! { "$set": { "admin": self.admin } },
+      None,
+    )
+    .await?;
+
+    Ok(UpdateUserAdminResponse {})
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateUserBasePermissions {
+  #[instrument(name = "UpdateUserBasePermissions", skip(admin))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UpdateUserBasePermissionsResponse> {
+    let UpdateUserBasePermissions {
       user_id,
       enabled,
       create_servers,
       create_builds,
-    }: UpdateUserBasePermissions,
-    admin: User,
-  ) -> anyhow::Result<UpdateUserBasePermissionsResponse> {
+    } = self;
+
     if !admin.admin {
-      return Err(anyhow!("this method is admin only"));
+      return Err(anyhow!("this method is admin only").into());
     }
-    let user = find_one_by_id(&db_client().await.users, &user_id)
+
+    let user = find_one_by_id(&db_client().users, &user_id)
       .await
       .context("failed to query mongo for user")?
       .context("did not find user with given id")?;
-    if user.admin {
+    if user.super_admin {
+      return Err(
+        anyhow!(
+          "Cannot use this method to update super admins permissions"
+        )
+        .into(),
+      );
+    }
+    if user.admin && !admin.super_admin {
       return Err(anyhow!(
-        "cannot use this method to update other admins permissions"
-      ));
+        "Only super admins can use this method to update other admins permissions"
+      ).into());
     }
     let mut update_doc = Document::new();
     if let Some(enabled) = enabled {
@@ -62,7 +105,7 @@ impl Resolve<UpdateUserBasePermissions, User> for State {
     }
 
     update_one_by_id(
-      &db_client().await.users,
+      &db_client().users,
       &user_id,
       mungos::update::Update::Set(update_doc),
       None,
@@ -73,31 +116,101 @@ impl Resolve<UpdateUserBasePermissions, User> for State {
   }
 }
 
-impl Resolve<UpdatePermissionOnTarget, User> for State {
-  #[instrument(name = "UpdatePermissionOnTarget", skip(self, admin))]
+impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
+  #[instrument(name = "UpdatePermissionOnResourceType", skip(admin))]
   async fn resolve(
-    &self,
-    UpdatePermissionOnTarget {
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UpdatePermissionOnResourceTypeResponse> {
+    let UpdatePermissionOnResourceType {
       user_target,
-      resource_target,
+      resource_type,
       permission,
-    }: UpdatePermissionOnTarget,
-    admin: User,
-  ) -> anyhow::Result<UpdatePermissionOnTargetResponse> {
+    } = self;
+
     if !admin.admin {
-      return Err(anyhow!("this method is admin only"));
+      return Err(anyhow!("this method is admin only").into());
     }
 
     // Some extra checks if user target is an actual User
     if let UserTarget::User(user_id) = &user_target {
       let user = get_user(user_id).await?;
       if user.admin {
-        return Err(anyhow!(
+        return Err(
+          anyhow!(
           "cannot use this method to update other admins permissions"
-        ));
+        )
+          .into(),
+        );
       }
       if !user.enabled {
-        return Err(anyhow!("user not enabled"));
+        return Err(anyhow!("user not enabled").into());
+      }
+    }
+
+    let (user_target_variant, user_target_id) =
+      extract_user_target_with_validation(&user_target).await?;
+
+    let id = ObjectId::from_str(&user_target_id)
+      .context("id is not ObjectId")?;
+    let field = format!("all.{resource_type}");
+    let filter = doc! { "_id": id };
+    let update = doc! { "$set": { &field: permission.as_ref() } };
+
+    match user_target_variant {
+      UserTargetVariant::User => {
+        db_client()
+          .users
+          .update_one(filter, update)
+          .await
+          .with_context(|| {
+            format!("failed to set {field}: {permission} on db")
+          })?;
+      }
+      UserTargetVariant::UserGroup => {
+        db_client()
+          .user_groups
+          .update_one(filter, update)
+          .await
+          .with_context(|| {
+            format!("failed to set {field}: {permission} on db")
+          })?;
+      }
+    }
+
+    Ok(UpdatePermissionOnResourceTypeResponse {})
+  }
+}
+
+impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
+  #[instrument(name = "UpdatePermissionOnTarget", skip(admin))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UpdatePermissionOnTargetResponse> {
+    let UpdatePermissionOnTarget {
+      user_target,
+      resource_target,
+      permission,
+    } = self;
+
+    if !admin.admin {
+      return Err(anyhow!("this method is admin only").into());
+    }
+
+    // Some extra checks if user target is an actual User
+    if let UserTarget::User(user_id) = &user_target {
+      let user = get_user(user_id).await?;
+      if user.admin {
+        return Err(
+          anyhow!(
+          "cannot use this method to update other admins permissions"
+        )
+          .into(),
+        );
+      }
+      if !user.enabled {
+        return Err(anyhow!("user not enabled").into());
       }
     }
 
@@ -111,7 +224,6 @@ impl Resolve<UpdatePermissionOnTarget, User> for State {
       (user_target_variant.as_ref(), resource_variant.as_ref());
 
     db_client()
-      .await
       .permissions
       .update_one(
         doc! {
@@ -129,8 +241,8 @@ impl Resolve<UpdatePermissionOnTarget, User> for State {
             "level": permission.as_ref(),
           }
         },
-        UpdateOptions::builder().upsert(true).build(),
       )
+      .with_options(UpdateOptions::builder().upsert(true).build())
       .await?;
 
     Ok(UpdatePermissionOnTargetResponse {})
@@ -140,7 +252,7 @@ impl Resolve<UpdatePermissionOnTarget, User> for State {
 /// checks if inner id is actually a `name`, and replaces it with id if so.
 async fn extract_user_target_with_validation(
   user_target: &UserTarget,
-) -> anyhow::Result<(UserTargetVariant, String)> {
+) -> serror::Result<(UserTargetVariant, String)> {
   match user_target {
     UserTarget::User(ident) => {
       let filter = match ObjectId::from_str(ident) {
@@ -148,9 +260,8 @@ async fn extract_user_target_with_validation(
         Err(_) => doc! { "username": ident },
       };
       let id = db_client()
-        .await
         .users
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for users")?
         .context("no matching user found")?
@@ -163,9 +274,8 @@ async fn extract_user_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .user_groups
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for user_groups")?
         .context("no matching user_group found")?
@@ -178,7 +288,7 @@ async fn extract_user_target_with_validation(
 /// checks if inner id is actually a `name`, and replaces it with id if so.
 async fn extract_resource_target_with_validation(
   resource_target: &ResourceTarget,
-) -> anyhow::Result<(ResourceTargetVariant, String)> {
+) -> serror::Result<(ResourceTargetVariant, String)> {
   match resource_target {
     ResourceTarget::System(_) => {
       let res = resource_target.extract_variant_id();
@@ -190,9 +300,8 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .builds
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for builds")?
         .context("no matching build found")?
@@ -205,9 +314,8 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .builders
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for builders")?
         .context("no matching builder found")?
@@ -220,9 +328,8 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .deployments
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for deployments")?
         .context("no matching deployment found")?
@@ -235,9 +342,8 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .servers
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for servers")?
         .context("no matching server found")?
@@ -250,9 +356,8 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .repos
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for repos")?
         .context("no matching repo found")?
@@ -265,9 +370,8 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .alerters
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for alerters")?
         .context("no matching alerter found")?
@@ -280,29 +384,69 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .procedures
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for procedures")?
         .context("no matching procedure found")?
         .id;
       Ok((ResourceTargetVariant::Procedure, id))
     }
+    ResourceTarget::Action(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .actions
+        .find_one(filter)
+        .await
+        .context("failed to query db for actions")?
+        .context("no matching action found")?
+        .id;
+      Ok((ResourceTargetVariant::Action, id))
+    }
     ResourceTarget::ServerTemplate(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .server_templates
-        .find_one(filter, None)
+        .find_one(filter)
         .await
         .context("failed to query db for server templates")?
         .context("no matching server template found")?
         .id;
       Ok((ResourceTargetVariant::ServerTemplate, id))
     }
+    ResourceTarget::ResourceSync(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .resource_syncs
+        .find_one(filter)
+        .await
+        .context("failed to query db for resource syncs")?
+        .context("no matching resource sync found")?
+        .id;
+      Ok((ResourceTargetVariant::ResourceSync, id))
+    }
+    ResourceTarget::Stack(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .stacks
+        .find_one(filter)
+        .await
+        .context("failed to query db for stacks")?
+        .context("no matching stack found")?
+        .id;
+      Ok((ResourceTargetVariant::Stack, id))
+    }
   }
 }

bin/core/src/api/write/procedure.rs

@@ -1,60 +1,80 @@
-use monitor_client::{
+use komodo_client::{
   api::write::*,
   entities::{
-    permission::PermissionLevel, procedure::Procedure, user::User,
+    permission::PermissionLevel, procedure::Procedure, update::Update,
   },
 };
 use resolver_api::Resolve;
 
-use crate::{resource, state::State};
+use crate::resource;
 
-impl Resolve<CreateProcedure, User> for State {
-  #[instrument(name = "CreateProcedure", skip(self, user))]
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateProcedure {
+  #[instrument(name = "CreateProcedure", skip(user))]
   async fn resolve(
-    &self,
-    CreateProcedure { name, config }: CreateProcedure,
-    user: User,
-  ) -> anyhow::Result<CreateProcedureResponse> {
-    resource::create::<Procedure>(&name, config, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateProcedureResponse> {
+    Ok(
+      resource::create::<Procedure>(&self.name, self.config, user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<CopyProcedure, User> for State {
-  #[instrument(name = "CopyProcedure", skip(self, user))]
+impl Resolve<WriteArgs> for CopyProcedure {
+  #[instrument(name = "CopyProcedure", skip(user))]
   async fn resolve(
-    &self,
-    CopyProcedure { name, id }: CopyProcedure,
-    user: User,
-  ) -> anyhow::Result<CopyProcedureResponse> {
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CopyProcedureResponse> {
     let Procedure { config, .. } =
       resource::get_check_permissions::<Procedure>(
-        &id,
-        &user,
+        &self.id,
+        user,
         PermissionLevel::Write,
       )
       .await?;
-    resource::create::<Procedure>(&name, config.into(), &user).await
+    Ok(
+      resource::create::<Procedure>(&self.name, config.into(), user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<UpdateProcedure, User> for State {
-  #[instrument(name = "UpdateProcedure", skip(self, user))]
+impl Resolve<WriteArgs> for UpdateProcedure {
+  #[instrument(name = "UpdateProcedure", skip(user))]
   async fn resolve(
-    &self,
-    UpdateProcedure { id, config }: UpdateProcedure,
-    user: User,
-  ) -> anyhow::Result<UpdateProcedureResponse> {
-    resource::update::<Procedure>(&id, config, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateProcedureResponse> {
+    Ok(
+      resource::update::<Procedure>(&self.id, self.config, user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<DeleteProcedure, User> for State {
-  #[instrument(name = "DeleteProcedure", skip(self, user))]
+impl Resolve<WriteArgs> for RenameProcedure {
+  #[instrument(name = "RenameProcedure", skip(user))]
   async fn resolve(
-    &self,
-    DeleteProcedure { id }: DeleteProcedure,
-    user: User,
-  ) -> anyhow::Result<DeleteProcedureResponse> {
-    resource::delete::<Procedure>(&id, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(
+      resource::rename::<Procedure>(&self.id, &self.name, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteProcedure {
+  #[instrument(name = "DeleteProcedure", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<DeleteProcedureResponse> {
+    Ok(resource::delete::<Procedure>(&self.id, args).await?)
   }
 }

bin/core/src/api/write/provider.rs

@@ -0,0 +1,410 @@
+use anyhow::{Context, anyhow};
+use komodo_client::{
+  api::write::*,
+  entities::{
+    Operation, ResourceTarget,
+    provider::{DockerRegistryAccount, GitProviderAccount},
+  },
+};
+use mungos::{
+  by_id::{delete_one_by_id, find_one_by_id, update_one_by_id},
+  mongodb::bson::{doc, to_document},
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::update::{add_update, make_update},
+  state::db_client,
+};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateGitProviderAccount {
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateGitProviderAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can create git provider accounts")
+          .into(),
+      );
+    }
+
+    let mut account: GitProviderAccount = self.account.into();
+
+    if account.domain.is_empty() {
+      return Err(anyhow!("domain cannot be empty string.").into());
+    }
+
+    if account.username.is_empty() {
+      return Err(anyhow!("username cannot be empty string.").into());
+    }
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::CreateGitProviderAccount,
+      user,
+    );
+
+    account.id = db_client()
+      .git_accounts
+      .insert_one(&account)
+      .await
+      .context("failed to create git provider account on db")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted id is not ObjectId")?
+      .to_string();
+
+    update.push_simple_log(
+      "create git provider account",
+      format!(
+        "Created git provider account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for create git provider account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateGitProviderAccount {
+  async fn resolve(
+    mut self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateGitProviderAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can update git provider accounts")
+          .into(),
+      );
+    }
+
+    if let Some(domain) = &self.account.domain {
+      if domain.is_empty() {
+        return Err(
+          anyhow!("cannot update git provider with empty domain")
+            .into(),
+        );
+      }
+    }
+
+    if let Some(username) = &self.account.username {
+      if username.is_empty() {
+        return Err(
+          anyhow!("cannot update git provider with empty username")
+            .into(),
+        );
+      }
+    }
+
+    // Ensure update does not change id
+    self.account.id = None;
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::UpdateGitProviderAccount,
+      user,
+    );
+
+    let account = to_document(&self.account).context(
+      "failed to serialize partial git provider account to bson",
+    )?;
+    let db = db_client();
+    update_one_by_id(
+      &db.git_accounts,
+      &self.id,
+      doc! { "$set": account },
+      None,
+    )
+    .await
+    .context("failed to update git provider account on db")?;
+
+    let Some(account) = find_one_by_id(&db.git_accounts, &self.id)
+      .await
+      .context("failed to query db for git accounts")?
+    else {
+      return Err(anyhow!("no account found with given id").into());
+    };
+
+    update.push_simple_log(
+      "update git provider account",
+      format!(
+        "Updated git provider account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for update git provider account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteGitProviderAccount {
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteGitProviderAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can delete git provider accounts")
+          .into(),
+      );
+    }
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::UpdateGitProviderAccount,
+      user,
+    );
+
+    let db = db_client();
+    let Some(account) = find_one_by_id(&db.git_accounts, &self.id)
+      .await
+      .context("failed to query db for git accounts")?
+    else {
+      return Err(anyhow!("no account found with given id").into());
+    };
+    delete_one_by_id(&db.git_accounts, &self.id, None)
+      .await
+      .context("failed to delete git account on db")?;
+
+    update.push_simple_log(
+      "delete git provider account",
+      format!(
+        "Deleted git provider account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for delete git provider account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for CreateDockerRegistryAccount {
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateDockerRegistryAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!(
+          "only admins can create docker registry account accounts"
+        )
+        .into(),
+      );
+    }
+
+    let mut account: DockerRegistryAccount = self.account.into();
+
+    if account.domain.is_empty() {
+      return Err(anyhow!("domain cannot be empty string.").into());
+    }
+
+    if account.username.is_empty() {
+      return Err(anyhow!("username cannot be empty string.").into());
+    }
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::CreateDockerRegistryAccount,
+      user,
+    );
+
+    account.id = db_client()
+      .registry_accounts
+      .insert_one(&account)
+      .await
+      .context(
+        "failed to create docker registry account account on db",
+      )?
+      .inserted_id
+      .as_object_id()
+      .context("inserted id is not ObjectId")?
+      .to_string();
+
+    update.push_simple_log(
+      "create docker registry account",
+      format!(
+        "Created docker registry account account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for create docker registry account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateDockerRegistryAccount {
+  async fn resolve(
+    mut self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateDockerRegistryAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can update docker registry accounts")
+          .into(),
+      );
+    }
+
+    if let Some(domain) = &self.account.domain {
+      if domain.is_empty() {
+        return Err(
+          anyhow!(
+            "cannot update docker registry account with empty domain"
+          )
+          .into(),
+        );
+      }
+    }
+
+    if let Some(username) = &self.account.username {
+      if username.is_empty() {
+        return Err(
+          anyhow!(
+            "cannot update docker registry account with empty username"
+          )
+          .into(),
+        );
+      }
+    }
+
+    self.account.id = None;
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::UpdateDockerRegistryAccount,
+      user,
+    );
+
+    let account = to_document(&self.account).context(
+      "failed to serialize partial docker registry account account to bson",
+    )?;
+
+    let db = db_client();
+    update_one_by_id(
+      &db.registry_accounts,
+      &self.id,
+      doc! { "$set": account },
+      None,
+    )
+    .await
+    .context(
+      "failed to update docker registry account account on db",
+    )?;
+
+    let Some(account) =
+      find_one_by_id(&db.registry_accounts, &self.id)
+        .await
+        .context("failed to query db for registry accounts")?
+    else {
+      return Err(anyhow!("no account found with given id").into());
+    };
+
+    update.push_simple_log(
+      "update docker registry account",
+      format!(
+        "Updated docker registry account account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for update docker registry account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteDockerRegistryAccount {
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteDockerRegistryAccountResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("only admins can delete docker registry accounts")
+          .into(),
+      );
+    }
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::UpdateDockerRegistryAccount,
+      user,
+    );
+
+    let db = db_client();
+    let Some(account) =
+      find_one_by_id(&db.registry_accounts, &self.id)
+        .await
+        .context("failed to query db for git accounts")?
+    else {
+      return Err(anyhow!("no account found with given id").into());
+    };
+    delete_one_by_id(&db.registry_accounts, &self.id, None)
+      .await
+      .context("failed to delete registry account on db")?;
+
+    update.push_simple_log(
+      "delete registry account",
+      format!(
+        "Deleted registry account for {} with username {}",
+        account.domain, account.username
+      ),
+    );
+
+    update.finalize();
+
+    add_update(update)
+      .await
+      .inspect_err(|e| {
+        error!("failed to add update for delete docker registry account | {e:#}")
+      })
+      .ok();
+
+    Ok(account)
+  }
+}

bin/core/src/api/write/repo.rs

@@ -1,58 +1,460 @@
-use monitor_client::{
+use anyhow::{Context, anyhow};
+use formatting::format_serror;
+use git::GitRes;
+use komodo_client::{
   api::write::*,
-  entities::{permission::PermissionLevel, repo::Repo, user::User},
+  entities::{
+    CloneArgs, NoData, Operation,
+    config::core::CoreConfig,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    repo::{PartialRepoConfig, Repo, RepoInfo},
+    server::Server,
+    to_komodo_name,
+    update::{Log, Update},
+  },
 };
+use mongo_indexed::doc;
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
+use octorust::types::{
+  ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
+};
+use periphery_client::api;
 use resolver_api::Resolve;
 
-use crate::{resource, state::State};
+use crate::{
+  config::core_config,
+  helpers::{
+    git_token, periphery_client,
+    update::{add_update, make_update},
+  },
+  resource,
+  state::{action_states, db_client, github_client},
+};
 
-impl Resolve<CreateRepo, User> for State {
-  #[instrument(name = "CreateRepo", skip(self, user))]
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateRepo {
+  #[instrument(name = "CreateRepo", skip(user))]
   async fn resolve(
-    &self,
-    CreateRepo { name, config }: CreateRepo,
-    user: User,
-  ) -> anyhow::Result<Repo> {
-    resource::create::<Repo>(&name, config, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Repo> {
+    Ok(resource::create::<Repo>(&self.name, self.config, user).await?)
   }
 }
 
-impl Resolve<CopyRepo, User> for State {
-  #[instrument(name = "CopyRepo", skip(self, user))]
+impl Resolve<WriteArgs> for CopyRepo {
+  #[instrument(name = "CopyRepo", skip(user))]
   async fn resolve(
-    &self,
-    CopyRepo { name, id }: CopyRepo,
-    user: User,
-  ) -> anyhow::Result<Repo> {
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Repo> {
     let Repo { config, .. } =
       resource::get_check_permissions::<Repo>(
-        &id,
-        &user,
+        &self.id,
+        user,
         PermissionLevel::Write,
       )
       .await?;
-    resource::create::<Repo>(&name, config.into(), &user).await
+    Ok(
+      resource::create::<Repo>(&self.name, config.into(), user)
+        .await?,
+    )
   }
 }
 
-impl Resolve<DeleteRepo, User> for State {
-  #[instrument(name = "DeleteRepo", skip(self, user))]
-  async fn resolve(
-    &self,
-    DeleteRepo { id }: DeleteRepo,
-    user: User,
-  ) -> anyhow::Result<Repo> {
-    resource::delete::<Repo>(&id, &user).await
+impl Resolve<WriteArgs> for DeleteRepo {
+  #[instrument(name = "DeleteRepo", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Repo> {
+    Ok(resource::delete::<Repo>(&self.id, args).await?)
   }
 }
 
-impl Resolve<UpdateRepo, User> for State {
-  #[instrument(name = "UpdateRepo", skip(self, user))]
+impl Resolve<WriteArgs> for UpdateRepo {
+  #[instrument(name = "UpdateRepo", skip(user))]
   async fn resolve(
-    &self,
-    UpdateRepo { id, config }: UpdateRepo,
-    user: User,
-  ) -> anyhow::Result<Repo> {
-    resource::update::<Repo>(&id, config, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Repo> {
+    Ok(resource::update::<Repo>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameRepo {
+  #[instrument(name = "RenameRepo", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    let repo = resource::get_check_permissions::<Repo>(
+      &self.id,
+      user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    if repo.config.server_id.is_empty()
+      || !repo.config.path.is_empty()
+    {
+      return Ok(
+        resource::rename::<Repo>(&repo.id, &self.name, user).await?,
+      );
+    }
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // Will check to ensure repo not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.renaming = true)?;
+
+    let name = to_komodo_name(&self.name);
+
+    let mut update = make_update(&repo, Operation::RenameRepo, user);
+
+    update_one_by_id(
+      &db_client().repos,
+      &repo.id,
+      mungos::update::Update::Set(
+        doc! { "name": &name, "updated_at": komodo_timestamp() },
+      ),
+      None,
+    )
+    .await
+    .context("Failed to update Repo name on db")?;
+
+    let server =
+      resource::get::<Server>(&repo.config.server_id).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::git::RenameRepo {
+        curr_name: to_komodo_name(&repo.name),
+        new_name: name.clone(),
+      })
+      .await
+      .context("Failed to rename Repo directory on Server")
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "Rename Repo directory failure",
+        format_serror(&e.into()),
+      ),
+    };
+
+    update.logs.push(log);
+
+    update.push_simple_log(
+      "Rename Repo",
+      format!("Renamed Repo from {} to {}", repo.name, name),
+    );
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<WriteArgs> for RefreshRepoCache {
+  #[instrument(
+    name = "RefreshRepoCache",
+    level = "debug",
+    skip(user)
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
+    // repo should be able to do this.
+    let repo = resource::get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    if repo.config.git_provider.is_empty()
+      || repo.config.repo.is_empty()
+    {
+      // Nothing to do
+      return Ok(NoData {});
+    }
+
+    let mut clone_args: CloneArgs = (&repo).into();
+    let repo_path =
+      clone_args.unique_path(&core_config().repo_directory)?;
+    clone_args.destination = Some(repo_path.display().to_string());
+    // Don't want to run these on core.
+    clone_args.on_clone = None;
+    clone_args.on_pull = None;
+
+    let access_token = if let Some(username) = &clone_args.account {
+      git_token(&clone_args.provider, username, |https| {
+          clone_args.https = https
+        })
+        .await
+        .with_context(
+          || format!("Failed to get git token in call to db. Stopping run. | {} | {username}", clone_args.provider),
+        )?
+    } else {
+      None
+    };
+
+    let GitRes { hash, message, .. } = git::pull_or_clone(
+      clone_args,
+      &core_config().repo_directory,
+      access_token,
+      &[],
+      "",
+      None,
+      &[],
+    )
+    .await
+    .with_context(|| {
+      format!("Failed to update repo at {repo_path:?}")
+    })?;
+
+    let info = RepoInfo {
+      last_pulled_at: repo.info.last_pulled_at,
+      last_built_at: repo.info.last_built_at,
+      built_hash: repo.info.built_hash,
+      built_message: repo.info.built_message,
+      latest_hash: hash,
+      latest_message: message,
+    };
+
+    let info = to_document(&info)
+      .context("failed to serialize repo info to bson")?;
+
+    db_client()
+      .repos
+      .update_one(
+        doc! { "name": &repo.name },
+        doc! { "$set": { "info": info } },
+      )
+      .await
+      .context("failed to update repo info on db")?;
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for CreateRepoWebhook {
+  #[instrument(name = "CreateRepoWebhook", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<CreateRepoWebhookResponse> {
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let repo = resource::get_check_permissions::<Repo>(
+      &self.repo,
+      &args.user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    if repo.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't create webhook").into(),
+      );
+    }
+
+    let mut split = repo.config.repo.split('/');
+    let owner = split.next().context("Repo repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    // First make sure the webhook isn't already created (inactive ones are ignored)
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      webhook_secret,
+      ..
+    } = core_config();
+
+    let webhook_secret = if repo.config.webhook_secret.is_empty() {
+      webhook_secret
+    } else {
+      &repo.config.webhook_secret
+    };
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = match self.action {
+      RepoWebhookAction::Clone => {
+        format!("{host}/listener/github/repo/{}/clone", repo.id)
+      }
+      RepoWebhookAction::Pull => {
+        format!("{host}/listener/github/repo/{}/pull", repo.id)
+      }
+      RepoWebhookAction::Build => {
+        format!("{host}/listener/github/repo/{}/build", repo.id)
+      }
+    };
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        return Ok(NoData {});
+      }
+    }
+
+    // Now good to create the webhook
+    let request = ReposCreateWebhookRequest {
+      active: Some(true),
+      config: Some(ReposCreateWebhookRequestConfig {
+        url,
+        secret: webhook_secret.to_string(),
+        content_type: String::from("json"),
+        insecure_ssl: None,
+        digest: Default::default(),
+        token: Default::default(),
+      }),
+      events: vec![String::from("push")],
+      name: String::from("web"),
+    };
+    github_repos
+      .create_webhook(owner, repo_name, &request)
+      .await
+      .context("failed to create webhook")?;
+
+    if !repo.config.webhook_enabled {
+      UpdateRepo {
+        id: repo.id,
+        config: PartialRepoConfig {
+          webhook_enabled: Some(true),
+          ..Default::default()
+        },
+      }
+      .resolve(args)
+      .await
+      .map_err(|e| e.error)
+      .context("failed to update repo to enable webhook")?;
+    }
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteRepoWebhook {
+  #[instrument(name = "DeleteRepoWebhook", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteRepoWebhookResponse> {
+    let Some(github) = github_client() else {
+      return Err(
+        anyhow!(
+          "github_webhook_app is not configured in core config toml"
+        )
+        .into(),
+      );
+    };
+
+    let repo = resource::get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    if repo.config.git_provider != "github.com" {
+      return Err(
+        anyhow!("Can only manage github.com repo webhooks").into(),
+      );
+    }
+
+    if repo.config.repo.is_empty() {
+      return Err(
+        anyhow!("No repo configured, can't create webhook").into(),
+      );
+    }
+
+    let mut split = repo.config.repo.split('/');
+    let owner = split.next().context("Repo repo has no owner")?;
+
+    let Some(github) = github.get(owner) else {
+      return Err(
+        anyhow!("Cannot manage repo webhooks under owner {owner}")
+          .into(),
+      );
+    };
+
+    let repo_name =
+      split.next().context("Repo repo has no repo after the /")?;
+
+    let github_repos = github.repos();
+
+    // First make sure the webhook isn't already created (inactive ones are ignored)
+    let webhooks = github_repos
+      .list_all_webhooks(owner, repo_name)
+      .await
+      .context("failed to list all webhooks on repo")?
+      .body;
+
+    let CoreConfig {
+      host,
+      webhook_base_url,
+      ..
+    } = core_config();
+
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
+    let url = match self.action {
+      RepoWebhookAction::Clone => {
+        format!("{host}/listener/github/repo/{}/clone", repo.id)
+      }
+      RepoWebhookAction::Pull => {
+        format!("{host}/listener/github/repo/{}/pull", repo.id)
+      }
+      RepoWebhookAction::Build => {
+        format!("{host}/listener/github/repo/{}/build", repo.id)
+      }
+    };
+
+    for webhook in webhooks {
+      if webhook.active && webhook.config.url == url {
+        github_repos
+          .delete_webhook(owner, repo_name, webhook.id)
+          .await
+          .context("failed to delete webhook")?;
+        return Ok(NoData {});
+      }
+    }
+
+    // No webhook to delete, all good
+    Ok(NoData {})
   }
 }

bin/core/src/api/write/server.rs

@@ -1,19 +1,15 @@
-use anyhow::Context;
-use monitor_client::{
+use formatting::format_serror;
+use komodo_client::{
   api::write::*,
   entities::{
-    monitor_timestamp,
+    Operation,
     permission::PermissionLevel,
     server::Server,
     update::{Update, UpdateStatus},
-    user::User,
-    Operation,
   },
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::doc};
 use periphery_client::api;
 use resolver_api::Resolve;
-use serror::serialize_error_pretty;
 
 use crate::{
   helpers::{
@@ -21,81 +17,59 @@ use crate::{
     update::{add_update, make_update, update_update},
   },
   resource,
-  state::{db_client, State},
 };
 
-impl Resolve<CreateServer, User> for State {
-  #[instrument(name = "CreateServer", skip(self, user))]
-  async fn resolve(
-    &self,
-    CreateServer { name, config }: CreateServer,
-    user: User,
-  ) -> anyhow::Result<Server> {
-    resource::create::<Server>(&name, config, &user).await
-  }
-}
+use super::WriteArgs;
 
-impl Resolve<DeleteServer, User> for State {
-  #[instrument(name = "DeleteServer", skip(self, user))]
+impl Resolve<WriteArgs> for CreateServer {
+  #[instrument(name = "CreateServer", skip(user))]
   async fn resolve(
-    &self,
-    DeleteServer { id }: DeleteServer,
-    user: User,
-  ) -> anyhow::Result<Server> {
-    resource::delete::<Server>(&id, &user).await
-  }
-}
-
-impl Resolve<UpdateServer, User> for State {
-  #[instrument(name = "UpdateServer", skip(self, user))]
-  async fn resolve(
-    &self,
-    UpdateServer { id, config }: UpdateServer,
-    user: User,
-  ) -> anyhow::Result<Server> {
-    resource::update::<Server>(&id, config, &user).await
-  }
-}
-
-impl Resolve<RenameServer, User> for State {
-  #[instrument(name = "RenameServer", skip(self, user))]
-  async fn resolve(
-    &self,
-    RenameServer { id, name }: RenameServer,
-    user: User,
-  ) -> anyhow::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
-      &id,
-      &user,
-      PermissionLevel::Write,
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Server> {
+    Ok(
+      resource::create::<Server>(&self.name, self.config, user)
+        .await?,
     )
-    .await?;
-    let mut update =
-      make_update(&server, Operation::RenameServer, &user);
-
-    update_one_by_id(&db_client().await.servers, &id, mungos::update::Update::Set(doc! { "name": &name, "updated_at": monitor_timestamp() }), None)
-      .await
-      .context("failed to update server on db. this name may already be taken.")?;
-    update.push_simple_log(
-      "rename server",
-      format!("renamed server {id} from {} to {name}", server.name),
-    );
-    update.finalize();
-    update.id = add_update(update.clone()).await?;
-    Ok(update)
   }
 }
 
-impl Resolve<CreateNetwork, User> for State {
-  #[instrument(name = "CreateNetwork", skip(self, user))]
+impl Resolve<WriteArgs> for DeleteServer {
+  #[instrument(name = "DeleteServer", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Server> {
+    Ok(resource::delete::<Server>(&self.id, args).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateServer {
+  #[instrument(name = "UpdateServer", skip(user))]
   async fn resolve(
-    &self,
-    CreateNetwork { server, name }: CreateNetwork,
-    user: User,
-  ) -> anyhow::Result<Update> {
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Server> {
+    Ok(resource::update::<Server>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameServer {
+  #[instrument(name = "RenameServer", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(resource::rename::<Server>(&self.id, &self.name, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for CreateNetwork {
+  #[instrument(name = "CreateNetwork", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
     let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
+      &self.server,
+      user,
       PermissionLevel::Write,
     )
     .await?;
@@ -103,54 +77,22 @@ impl Resolve<CreateNetwork, User> for State {
     let periphery = periphery_client(&server)?;
 
     let mut update =
-      make_update(&server, Operation::CreateNetwork, &user);
+      make_update(&server, Operation::CreateNetwork, user);
     update.status = UpdateStatus::InProgress;
     update.id = add_update(update.clone()).await?;
 
     match periphery
-      .request(api::network::CreateNetwork { name, driver: None })
+      .request(api::network::CreateNetwork {
+        name: self.name,
+        driver: None,
+      })
       .await
     {
       Ok(log) => update.logs.push(log),
-      Err(e) => update
-        .push_error_log("create network", serialize_error_pretty(&e)),
-    };
-
-    update.finalize();
-    update_update(update.clone()).await?;
-
-    Ok(update)
-  }
-}
-
-impl Resolve<DeleteNetwork, User> for State {
-  #[instrument(name = "DeleteNetwork", skip(self, user))]
-  async fn resolve(
-    &self,
-    DeleteNetwork { server, name }: DeleteNetwork,
-    user: User,
-  ) -> anyhow::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
-      &server,
-      &user,
-      PermissionLevel::Write,
-    )
-    .await?;
-
-    let periphery = periphery_client(&server)?;
-
-    let mut update =
-      make_update(&server, Operation::DeleteNetwork, &user);
-    update.status = UpdateStatus::InProgress;
-    update.id = add_update(update.clone()).await?;
-
-    match periphery
-      .request(api::network::DeleteNetwork { name })
-      .await
-    {
-      Ok(log) => update.logs.push(log),
-      Err(e) => update
-        .push_error_log("delete network", serialize_error_pretty(&e)),
+      Err(e) => update.push_error_log(
+        "create network",
+        format_serror(&e.context("failed to create network").into()),
+      ),
     };
 
     update.finalize();

bin/core/src/api/write/server_template.rs

@@ -1,61 +1,92 @@
-use monitor_client::{
+use komodo_client::{
   api::write::{
     CopyServerTemplate, CreateServerTemplate, DeleteServerTemplate,
-    UpdateServerTemplate,
+    RenameServerTemplate, UpdateServerTemplate,
   },
   entities::{
     permission::PermissionLevel, server_template::ServerTemplate,
-    user::User,
+    update::Update,
   },
 };
 use resolver_api::Resolve;
 
-use crate::{resource, state::State};
+use crate::resource;
 
-impl Resolve<CreateServerTemplate, User> for State {
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateServerTemplate {
+  #[instrument(name = "CreateServerTemplate", skip(user))]
   async fn resolve(
-    &self,
-    CreateServerTemplate { name, config }: CreateServerTemplate,
-    user: User,
-  ) -> anyhow::Result<ServerTemplate> {
-    resource::create::<ServerTemplate>(&name, config, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<ServerTemplate> {
+    Ok(
+      resource::create::<ServerTemplate>(
+        &self.name,
+        self.config,
+        user,
+      )
+      .await?,
+    )
   }
 }
 
-impl Resolve<CopyServerTemplate, User> for State {
+impl Resolve<WriteArgs> for CopyServerTemplate {
+  #[instrument(name = "CopyServerTemplate", skip(user))]
   async fn resolve(
-    &self,
-    CopyServerTemplate { name, id }: CopyServerTemplate,
-    user: User,
-  ) -> anyhow::Result<ServerTemplate> {
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<ServerTemplate> {
     let ServerTemplate { config, .. } =
       resource::get_check_permissions::<ServerTemplate>(
-        &id,
-        &user,
+        &self.id,
+        user,
         PermissionLevel::Write,
       )
       .await?;
-    resource::create::<ServerTemplate>(&name, config.into(), &user)
-      .await
+    Ok(
+      resource::create::<ServerTemplate>(
+        &self.name,
+        config.into(),
+        user,
+      )
+      .await?,
+    )
   }
 }
 
-impl Resolve<DeleteServerTemplate, User> for State {
+impl Resolve<WriteArgs> for DeleteServerTemplate {
+  #[instrument(name = "DeleteServerTemplate", skip(args))]
   async fn resolve(
-    &self,
-    DeleteServerTemplate { id }: DeleteServerTemplate,
-    user: User,
-  ) -> anyhow::Result<ServerTemplate> {
-    resource::delete::<ServerTemplate>(&id, &user).await
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<ServerTemplate> {
+    Ok(resource::delete::<ServerTemplate>(&self.id, args).await?)
   }
 }
 
-impl Resolve<UpdateServerTemplate, User> for State {
+impl Resolve<WriteArgs> for UpdateServerTemplate {
+  #[instrument(name = "UpdateServerTemplate", skip(user))]
   async fn resolve(
-    &self,
-    UpdateServerTemplate { id, config }: UpdateServerTemplate,
-    user: User,
-  ) -> anyhow::Result<ServerTemplate> {
-    resource::update::<ServerTemplate>(&id, config, &user).await
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<ServerTemplate> {
+    Ok(
+      resource::update::<ServerTemplate>(&self.id, self.config, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<WriteArgs> for RenameServerTemplate {
+  #[instrument(name = "RenameServerTemplate", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Update> {
+    Ok(
+      resource::rename::<ServerTemplate>(&self.id, &self.name, user)
+        .await?,
+    )
   }
 }

bin/core/src/api/write/service_user.rs

@@ -0,0 +1,157 @@
+use std::str::FromStr;
+
+use anyhow::{Context, anyhow};
+use komodo_client::{
+  api::{user::CreateApiKey, write::*},
+  entities::{
+    komodo_timestamp,
+    user::{User, UserConfig},
+  },
+};
+use mungos::{
+  by_id::find_one_by_id,
+  mongodb::bson::{doc, oid::ObjectId},
+};
+use resolver_api::Resolve;
+
+use crate::{api::user::UserArgs, state::db_client};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateServiceUser {
+  #[instrument(name = "CreateServiceUser", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateServiceUserResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin").into());
+    }
+    if ObjectId::from_str(&self.username).is_ok() {
+      return Err(
+        anyhow!("username cannot be valid ObjectId").into(),
+      );
+    }
+    let config = UserConfig::Service {
+      description: self.description,
+    };
+    let mut user = User {
+      id: Default::default(),
+      username: self.username,
+      config,
+      enabled: true,
+      admin: false,
+      super_admin: false,
+      create_server_permissions: false,
+      create_build_permissions: false,
+      last_update_view: 0,
+      recents: Default::default(),
+      all: Default::default(),
+      updated_at: komodo_timestamp(),
+    };
+    user.id = db_client()
+      .users
+      .insert_one(&user)
+      .await
+      .context("failed to create service user on db")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted id is not object id")?
+      .to_string();
+    Ok(user)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateServiceUserDescription {
+  #[instrument(name = "UpdateServiceUserDescription", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<UpdateServiceUserDescriptionResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin").into());
+    }
+    let db = db_client();
+    let service_user = db
+      .users
+      .find_one(doc! { "username": &self.username })
+      .await
+      .context("failed to query db for user")?
+      .context("no user with given username")?;
+    let UserConfig::Service { .. } = &service_user.config else {
+      return Err(anyhow!("user is not service user").into());
+    };
+    db.users
+      .update_one(
+        doc! { "username": &self.username },
+        doc! { "$set": { "config.data.description": self.description } },
+      )
+      .await
+      .context("failed to update user on db")?;
+    let res = db
+      .users
+      .find_one(doc! { "username": &self.username })
+      .await
+      .context("failed to query db for user")?
+      .context("user with username not found")?;
+    Ok(res)
+  }
+}
+
+impl Resolve<WriteArgs> for CreateApiKeyForServiceUser {
+  #[instrument(name = "CreateApiKeyForServiceUser", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<CreateApiKeyForServiceUserResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin").into());
+    }
+    let service_user =
+      find_one_by_id(&db_client().users, &self.user_id)
+        .await
+        .context("failed to query db for user")?
+        .context("no user found with id")?;
+    let UserConfig::Service { .. } = &service_user.config else {
+      return Err(anyhow!("user is not service user").into());
+    };
+    CreateApiKey {
+      name: self.name,
+      expires: self.expires,
+    }
+    .resolve(&UserArgs { user: service_user })
+    .await
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteApiKeyForServiceUser {
+  #[instrument(name = "DeleteApiKeyForServiceUser", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<DeleteApiKeyForServiceUserResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin").into());
+    }
+    let db = db_client();
+    let api_key = db
+      .api_keys
+      .find_one(doc! { "key": &self.key })
+      .await
+      .context("failed to query db for api key")?
+      .context("did not find matching api key")?;
+    let service_user =
+      find_one_by_id(&db_client().users, &api_key.user_id)
+        .await
+        .context("failed to query db for user")?
+        .context("no user found with id")?;
+    let UserConfig::Service { .. } = &service_user.config else {
+      return Err(anyhow!("user is not service user").into());
+    };
+    db.api_keys
+      .delete_one(doc! { "key": self.key })
+      .await
+      .context("failed to delete api key on db")?;
+    Ok(DeleteApiKeyForServiceUserResponse {})
+  }
+}